
Data security practice guide - data collection security practice - data classification and grading

2022-06-22 06:39:00 51CTO

Data collection security practices

  • Data classification and grading
  • Data collection security management
  • Data source identification and recording
  • Data quality management

Data classification and grading

  • Classification groups related data together so that it can deliver more value, for example by giving data analysis accurate and consistent base samples.
  • Grading ensures that data of each sensitivity level sits under matching access controls and protection measures, so that every level gets a proportionate safeguard. This protects the confidentiality and integrity of the data while keeping it usable under the principle of least privilege.

Establish a function responsible for data classification and grading

  • At company level, the highest decision-making body should establish a function responsible for data classification and grading and staff it. Classification and grading should follow basic security principles and operating guidelines; an approval mechanism for classification and grading decisions should be set up; classification and grading results should be identified and managed; identified sensitive data should be desensitized; important operations in the classification and grading process should be audited and logged; and, where possible, dedicated staff should be assigned to dedicated roles.

Clarify the capability requirements for data classification and grading roles

  • Good awareness of data security risk.
  • Familiarity with national cyber-security laws and regulations, and with the policies and regulatory requirements of the industry the organization belongs to.
  • Ability to carry out the classification and grading process in strict accordance with the Cybersecurity Law, the Personal Information Security Specification and other relevant laws, regulations and industry standards.
  • A solid grounding in data classification and grading practice.
  • Understanding of the company's internal asset scope and organizational structure, so that sensitive data can be identified accurately.
  • Familiarity with the compliance requirements of classification and grading, and command of data security measures.
  • Experience in drafting standardized processes or management systems.
  • Ability to formulate classification and grading principles, operating guides, management systems and data inventories that fit the actual situation, and to drive the implementation of those requirements and systems.

Role construction and personnel capability evaluation for data classification and grading

Building the classification and grading roles and evaluating how well staff actually execute them can be done through internal and external audit, using research interviews, questionnaires, process observation, document review, technical testing and similar methods.
  • 1. Research interviews
  • A face-to-face conversation in which the investigator puts the questions under investigation to the respondent and records the questions and answers in detail.
  • At the classification and grading stage, interviews cover staff from the classification and grading function and from the business departments.
  • Interview topics for the classification and grading function:
  • Whether staff have sufficient awareness of data security risk.
  • Whether the work is carried out in accordance with laws and regulations such as the Cybersecurity Law and the Data Security Law.
  • Whether protection requirements for classified and graded data have been confirmed on the basis of the classification and grading principles, whether an approval process for classification and grading has been established, and whether the categories in the classification and grading inventory are reasonable.
  • Whether the management system and operating guide that were drafted fit the company's real environment.
  • Whether coverage of the company's data assets meets expectations.
  • Based on the above, observe and confirm whether the staff in the role are competent for it.
  • Interview topics for the business departments:
  • Whether the standards and operating methods that the classification and grading function formulated for the business departments meet the needs of each business scenario.
  • Whether they are actually implemented and observed in each business unit.
  • Whether there are obvious gaps or shortcomings between implementation and expectations.
  • Whether those gaps and shortcomings are within the range the business environment can accept.
  • Whether the false-positive and false-negative rates of classified data are within the range the business environment can accept.
  • From the above, confirm whether the classification and grading requirements and systems have actually been implemented.

  • 2. Questionnaires
  • A questionnaire can be more detailed, complete and controllable than an interview; its main advantages are standardization and low cost. Questions must be standardized and measurable. Questionnaires are generally aimed at staff in the company's business departments.
  • At the classification and grading stage the questionnaire is usually a written survey. It covers whether classification and grading principles, inventory scope, operating methods, approval processes and related systems including protection requirements have been formulated; whether those systems and methods are effective within the company; whether coverage, false-negative rate and false-positive rate are within acceptable ranges; and whether the department has taken effective security controls for the sensitive data that was detected.
  • 3. Process observation
  • Members of the implementation team observe production at the site where the work is actually done, look for possible problems and improvements, and record the whole process.
  • At the classification and grading stage, observation focuses on the workflow of the classification and grading management team and of the business teams, to find problems and improvement points.
  • Observe, from a neutral standpoint, the workflow of the classification and grading function: when formulating the company-wide classification and grading principles, is the process standard, and are the requirements and system design in the scheme reasonable?
  • Is data graded by importance, and classified by source?
  • Is coverage of the company's internal data assets maximized?
  • When classifying and grading, is data labelled according to the classification and grading principles?
  • Is an audit and analysis mechanism in place?
  • After classification and grading, have protection schemes been formulated for each category and level of data?
  • Has a corresponding management mechanism been established, for example desensitization of sensitive data, access control for important data, and encryption and decryption for other data?
  • 4. Technical testing
  • According to specified evaluation standards and specifications, test the actual data output, compare the measured characteristic values against the specified values, and judge whether the actual handling measures and methods for the object under test meet the requirements. Technical testing at the classification and grading stage requires tools: it checks whether existing data has been classified and graded incorrectly, whether the result is consistent with the system design, and whether there is dark data that has not been classified at all.

Clarify the purpose of data classification and grading

  • In the current big data era, continuous development and innovation coexist with illegal data collection, with a tension between data openness and privacy protection, and with crude "one size fits all" management. Over-protecting big data resources in this way is not conducive to the healthy development of big data applications. Security control based on classification and grading avoids the problems that "one size fits all" brings: by classifying and grading data, resources can be managed and protected at fine granularity, striking an effective balance between big data applications and data protection.

Establish data classification and grading principles

  • Classification and grading principles should be scientific, stable, practical and extensible.
  • Scientific
    • Classify and grade systematically according to the multidimensional characteristics of the data and the objective logical relationships between them.
  • Stable
    • Based on the actual situation, build the classification and grading scheme on the most stable characteristics and attributes of the data.
  • Practical
    • Every category must actually contain data; do not set up meaningless categories.
  • Extensible
    • The scheme should be general and inclusive, able to classify all kinds of data and accommodate data types that may appear in future.

Formulate methods and rules for data classification and grading

  • Common classification methods: by relationship, by business (source), by content, by regulatory regime, and so on.
  • Common grading methods: by characteristics; by value (public, internal, important, core, etc.); by sensitivity (public, secret, confidential, top secret, etc.); by scope of legal jurisdiction (within the mainland, cross-region, cross-border, etc.).
  • Common classification of public data: important data, personal and enterprise information, business data.
    • Important data: data whose leakage may endanger national security, or endanger the public interest, life, property or key national facilities, or disrupt market order, or from which state secrets and the like could be deduced.
    • Personal and enterprise information: information recorded electronically or otherwise that, alone or in combination with other information, can identify a specific natural person or enterprise, including directly identifying personal information.
    • Business data: storable data generated by the business activities or routine social management functions of enterprises or public organizations, such as transaction processing.
  • Classify first, then grade
    • Enterprises can start from the classification and grading policies for public data and, combined with their own business and compliance needs, plan a classification and grading method suited to themselves: establish classification principles and methods that fit the organization, classify data by importance, and then, on the basis of that classification, grade it by the impact and loss a data security incident would cause the organization. If a fully fine-grained scheme cannot be achieved at once, it can be built in several steps; do not set up an overly complicated scheme at the start.

Develop security policies for data classification and grading

  • Once classification and grading are complete, protection requirements should be formulated: different access permissions per level, encrypted storage and transmission for important data, desensitization for sensitive data, and audit logging and analysis of important operations.
  • Following that approach, a classification and grading security policy can be formulated as follows:
    • Level 1 non-sensitive data (fully public) requires no protection.
    • Level 2 non-sensitive data should be disclosed only when necessary, avoiding over-disclosure, and only internal staff should be able to access and use it; identity-based access control can be used.
    • Level 3 sensitive data may be disclosed only after it has passed review, with disclosure rules and penalties for unauthorized disclosure attached. Access to level 3 data requires explicitly configured identity-based permissions, so that only the specific employees who actually need it can use it.
    • Level 4 sensitive data must never be disclosed; internal access is strictly restricted to a small number of specific people on a whitelist, a data leakage prevention policy is formulated, and the technical data leakage prevention capability to enforce it is in place.
    • Data classified as state secrets falls outside the scope of data security governance; its handling and use must comply with the relevant national laws and regulations.

Implement the change review mechanism

  • In classification and grading work, the department's operating process needs a clearly defined audit and approval mechanism, so that the work conforms to the organization's classification and grading principles and system requirements. In principle, once data has been explicitly classified and graded, its level may only be raised, never lowered, to prevent leakage, and approval must be controlled by multiple people, including the data owner, the classification and grading manager and the administrator.
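The two rules above (no downgrade; multi-party approval by distinct people) can be enforced as a check before a reclassification is applied. The following is an added example written for this page, not the article's own code or any product's; the level labels, the role names and the `ChangeRequest`/`review_change` names are assumptions.

```python
"""Change review for classification levels (added example, not from the original article).

Enforces the two rules stated in the text: a level may only be raised, never lowered,
and every change must be approved by multiple distinct parties (data owner,
classification manager and administrator). Level labels, role names and the
record shape are assumptions for the example.
"""
from dataclasses import dataclass, field

# Assumed level scale: higher rank = more sensitive (L1 public .. L4 whitelist-only).
LEVELS = {"L1": 1, "L2": 2, "L3": 3, "L4": 4}
# Assumed approver roles; all three must sign off, each by a different person.
REQUIRED_ROLES = {"data_owner", "classification_manager", "administrator"}


@dataclass
class ChangeRequest:
    asset: str
    old_level: str
    new_level: str
    approvals: list = field(default_factory=list)  # list of (person, role) sign-offs


def review_change(req: ChangeRequest) -> tuple[bool, str]:
    """Return (approved, reason) for a proposed level change."""
    if req.old_level not in LEVELS or req.new_level not in LEVELS:
        return False, "unknown level"
    # Rule 1: levels may only go up (or stay the same on re-confirmation).
    if LEVELS[req.new_level] < LEVELS[req.old_level]:
        return False, f"downgrade {req.old_level}->{req.new_level} not allowed"
    # Rule 2a: every required role has signed off.
    missing = REQUIRED_ROLES - {role for _, role in req.approvals}
    if missing:
        return False, "missing approvals: " + ", ".join(sorted(missing))
    # Rule 2b: the required roles are held by distinct people (multi-party control).
    approvers = {person for person, role in req.approvals if role in REQUIRED_ROLES}
    if len(approvers) < len(REQUIRED_ROLES):
        return False, "one person holds several approver roles; multi-party control violated"
    return True, "approved"


if __name__ == "__main__":
    req = ChangeRequest("orders.db", "L2", "L3",
                        [("alice", "data_owner"), ("bob", "classification_manager"),
                         ("carol", "administrator")])
    print(review_change(req))
```

A downgrade request should not be rejected silently: the returned reason is what the audit record for the refused change carries.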

Use technical tools

  • Using technical tools presupposes that the organization already has clear classification and grading methods and policies, that is, the classification rules. Technically, classification and grading starts with data discovery. Data currently falls into two types: structured data, such as business data held in databases, and unstructured data, such as documents and files.

Classification techniques based on metadata type

  • Content-aware classification
    • Relies on automated analysis of the content of (mostly unstructured) data to decide its classification. The techniques involved include, but are not limited to, regular expressions, exact matching, partial or full document fingerprinting, and machine learning.
  • Context-aware classification
    • Relies on a ready-made classification knowledge base that can be encoded in the classification tool. Because it uses a broad range of scenario (context) attributes, it suits data at rest: an X-ray image taken by a hospital, for example, can be classified simply from the scenario that produced it, or by its file extension, with that extension mapped to sensitive information.

Classification techniques based on actual application scenarios

  • In practice, classification for an application scenario may combine several of the content-aware and context-aware methods above.
  • Tag library
    • The tag library encodes the classification and grading rules. It can be a static library, or be configured directly in the tagging tool or system back end. Tags can be organized by file format, or defined in several layers from broad business class to narrow subclass.
    • For a travel business, for example, tag libraries can be established for commercial data, travel data and user information.
    • Besides file extension, tag rules can be defined with keywords, regular expressions and similar methods.
  • Structured data tagging
    • Because the data is structured, users can set field tags directly when creating tables and use the database's permission model to control column-level access to the underlying tables. The tool traverses the database, reads table names, column names and column contents, and, combined with the rules in the tag library, classifies data at the finer granularity of the table and column names it finds.
  • Unstructured data tagging
    • This relies on natural language processing, data mining, machine learning and similar techniques: the content must be recognized and matched against the features associated with the tag library in order to classify unstructured data.
  • Tagging
    • Start by manually classifying a batch of documents to serve as the training set, then apply a machine learning algorithm; after a period of training, the learned results are used to tag the remaining data in bulk.
  • Training
    • The computer extracts rules that effectively separate these documents and generates a classifier, which is the summarized rule set.
  • Classification
    • Apply the generated classifier to the collection of documents to be classified to obtain their classification results. Because machine learning methods give acceptable results in practical text classification, they have become mainstream in this field.
  • Grading builds on classification: data is graded according to its sensitivity, the scope of its impact and its own value.
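The tagging, training and classification steps above, followed by grading, worked through as an added example (not the article's code or any product's). It implements a multinomial naive Bayes text classifier with additive smoothing in pure Python so that it runs without external libraries; the hand-tagged training set, the three categories (taken from the travel example earlier on the page) and the category-to-level mapping `LEVEL_OF` are constructed for illustration.

```python
"""Tag -> train -> classify -> grade for unstructured text (added example for this page;
not the article's own code or any product). Multinomial naive Bayes with additive
smoothing, pure Python. Training set, categories and LEVEL_OF are constructed."""
import math
import re
from collections import Counter, defaultdict


def tokenize(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayesClassifier:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha                       # additive smoothing for unseen tokens
        self.doc_counts = Counter()              # documents seen per category
        self.word_counts = defaultdict(Counter)  # token counts per category
        self.vocab = set()

    def train(self, labeled_docs) -> None:
        """Training step: learn token statistics from manually tagged (text, category) pairs."""
        for text, category in labeled_docs:
            tokens = tokenize(text)
            self.doc_counts[category] += 1
            self.word_counts[category].update(tokens)
            self.vocab.update(tokens)

    def classify(self, text: str) -> str:
        """Classification step: return the category with the highest log posterior."""
        tokens = tokenize(text)
        total_docs = sum(self.doc_counts.values())
        best, best_score = None, -math.inf
        for category, n_docs in self.doc_counts.items():
            score = math.log(n_docs / total_docs)  # class prior
            denom = sum(self.word_counts[category].values()) + self.alpha * len(self.vocab)
            for tok in tokens:                     # smoothed token likelihoods
                score += math.log((self.word_counts[category][tok] + self.alpha) / denom)
            if score > best_score:
                best, best_score = category, score
        return best


# Assumed grading step: category -> level on the page's L1 (public) .. L4 scale.
LEVEL_OF = {"user_info": "L3", "commercial": "L2", "travel": "L1"}

# Constructed training set: the batch of documents a person tagged by hand.
TRAINING_SET = [
    ("passenger name passport number phone email", "user_info"),
    ("customer id card number mobile phone address", "user_info"),
    ("member date of birth passport email", "user_info"),
    ("quarterly revenue forecast pricing strategy", "commercial"),
    ("hotel partner contract pricing revenue share", "commercial"),
    ("marketing budget discount plan pricing", "commercial"),
    ("flight schedule departure gate boarding time", "travel"),
    ("hotel check in itinerary bus schedule", "travel"),
    ("tour itinerary departure city bus", "travel"),
]


def build_demo_classifier() -> NaiveBayesClassifier:
    clf = NaiveBayesClassifier()
    clf.train(TRAINING_SET)
    return clf


def tag_in_bulk(clf: NaiveBayesClassifier, docs) -> list[tuple[str, str, str]]:
    """Bulk tagging of untagged documents: (document, category, level) per document."""
    out = []
    for doc in docs:
        category = clf.classify(doc)
        out.append((doc, category, LEVEL_OF[category]))
    return out


if __name__ == "__main__":
    clf = build_demo_classifier()
    for row in tag_in_bulk(clf, ["passenger passport number and phone",
                                 "pricing strategy discount revenue",
                                 "flight departure itinerary"]):
        print(row)
```

The smoothing term matters for security use: without it a single unseen word would zero out a category, so a document containing a passport number plus one unfamiliar term could escape the user-information class entirely. As the page notes, the output still needs manual review before levels are applied.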

Objectives and workflow for using technical tools

  • Classification and grading rules must be configurable and dynamically adjustable, because data is always changing in real time.
  • Using the defined rules, the tool automatically scans structured and unstructured data sources, grades the data and tags it. The object of a scan is a data source, not an individual record: classification and grading of the data within the source is completed during the scan, and the classified data is tagged automatically afterwards.
  • Using the defined rules, the tool automatically identifies sensitive data: while classifying and grading, it also discovers sensitive data in the data source. The definition of sensitive data should comply with the relevant national standards and also reflect the organization's actual situation.
  • The tool's automatic classification and grading can be approved and adjusted manually. Whether the tool relies on a manually defined rule and feature library or on machine learning, its results will contain some errors, so manual intervention on the results is still needed at the end.
  • The tool records detailed process information for every classification and grading operation. Each step's operations and related information must be recorded in detail, including but not limited to authorization information, timestamps, data source information, intermediate process records, error information and result information.
  • The tool presents classification and grading results in a friendly way. The results are ultimately for people to read, so the presentation must be intuitive and easy to understand; mature visualization and reporting techniques can be combined, and there should be several ways to save and export results.
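The scan workflow described in this list, together with the tag library, structured-data tagging and dark-data check described earlier on the page, as an added example written for this page (not the article's code or any product's). A tag library of name keywords (context) and content regexes (content-aware) drives classification, the level of an object is the highest level of any matching tag, objects that match nothing are flagged as dark data, and every decision is written to an audit record. The tag library, the sample tables and files, the level labels and the audit record fields are all constructed for illustration.

```python
"""Rule-driven scan of a structured and an unstructured data source (added example for
this page; not the article's own code or any product's). Tag library, sample data,
level labels and audit record fields are constructed for illustration."""
import re
from datetime import datetime, timezone

# Assumed tag library: tag -> (category, level, name keywords, content pattern).
# Levels follow the page's L1 (public) .. L4 (whitelist-only) scale.
TAG_LIBRARY = {
    "id_card":   ("user_info",  "L4", {"id_card", "national_id"}, re.compile(r"\b\d{17}[\dXx]\b")),
    "phone":     ("user_info",  "L3", {"phone", "mobile"},        re.compile(r"\b1[3-9]\d{9}\b")),
    "email":     ("user_info",  "L3", {"email", "mail"},          re.compile(r"[\w.+-]+@[\w-]+\.\w+")),
    "pricing":   ("commercial", "L2", {"price", "discount"},      re.compile(r"\b(pricing|discount)\b", re.I)),
    "itinerary": ("travel",     "L1", {"itinerary", "route"},     re.compile(r"\b(itinerary|departure)\b", re.I)),
}
LEVEL_RANK = {"L1": 1, "L2": 2, "L3": 3, "L4": 4}


def match_tags(name: str, content: str) -> list[str]:
    """Tags whose name keywords (context) or content pattern (content-aware) match."""
    name_l = name.lower()
    return [tag for tag, (_, _, keywords, pattern) in TAG_LIBRARY.items()
            if any(k in name_l for k in keywords) or pattern.search(content)]


def grade(tags: list[str]):
    """Level is the highest level of any matched tag; None means unclassified (dark data)."""
    if not tags:
        return None
    return max((TAG_LIBRARY[t][1] for t in tags), key=LEVEL_RANK.__getitem__)


def classify_object(source: str, name: str, content: str, audit: list) -> tuple:
    """Classify one column or file, append an audit record, return (categories, level, tags)."""
    tags = match_tags(name, content)
    level = grade(tags)
    categories = sorted({TAG_LIBRARY[t][0] for t in tags})
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "object": name,
        "matched_tags": tags,
        "categories": categories,
        "level": level,
        "operator": "tool",        # a manual adjustment would carry the approver's identity instead
        "dark_data": level is None,
    })
    return categories, level, tags


def scan_structured(source: str, tables: dict, audit: list) -> dict:
    """tables: {table: {column: [values]}}; classification is per column."""
    return {f"{table}.{column}": classify_object(source, column, "\n".join(map(str, values)), audit)
            for table, columns in tables.items()
            for column, values in columns.items()}


def scan_unstructured(source: str, files: dict, audit: list) -> dict:
    """files: {filename: text}; classification is per file."""
    return {name: classify_object(source, name, text, audit) for name, text in files.items()}


def run_demo():
    """Constructed sample sources; returns (structured results, unstructured results, audit)."""
    audit = []
    tables = {"customers": {
        "cust_name":   ["Li Lei", "Han Meimei"],                 # no rule in this toy library
        "contact":     ["13800138000", "lilei@example.com"],     # found by content alone
        "national_id": ["11010519900307123X"],                   # found by column name and content
        "hotel_name":  ["Seaside Inn"],                          # nothing matches -> dark data
    }}
    files = {
        "q3_pricing_memo.txt": "Proposed pricing and discount plan for hotel partners",
        "group_itinerary.txt": "Day 1 departure 08:00, day 2 itinerary: city tour",
    }
    structured = scan_structured("crm-db", tables, audit)
    unstructured = scan_unstructured("shared-drive", files, audit)
    return structured, unstructured, audit


if __name__ == "__main__":
    s, u, log = run_demo()
    for obj, result in {**s, **u}.items():
        print(obj, result)
    print(sum(r["dark_data"] for r in log), "objects left unclassified (dark data)")
```

Two points the demo makes concrete: the `contact` column is caught by content even though its name gives nothing away, which is why column-name rules alone are insufficient; and the objects that match no rule are not silently dropped but surface as dark data in the audit trail, which is exactly what the technical-testing step is supposed to look for.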



Original site

Copyright notice
This article was created by [51CTO]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/173/202206220633078238.html