Introduction: On August 27, the online live broadcast "Interpretation of the Data Security Law and Alibaba Cloud's three major compliance programs" concluded successfully. Li Na, senior security consulting expert at Alibaba Cloud, gave a comprehensive interpretation of the laws and regulations related to data security. She pointed out that data security compliance cannot be approached from a one-sided view; it requires an overall view of data security, and knowing what the law requires is not enough without understanding why. Data security must move from passive compliance to active, strategic risk control.


1. As a basic law, what are the more important data security requirements of the "Cyber Security Law"?

1) Article 21: The state implements a multi-level network security protection system (MLPS), which among other things requires preventing network data from being leaked, stolen or tampered with.
Key point: this article shows that the MLPS 2.0 (等保2.0) evaluation also covers data-security-related content.

2) Article 31: For critical information infrastructure (CII) in important industries and fields, and other CII that, once damaged, disabled or subject to data leakage, may seriously endanger national security, the national economy, people's livelihood or the public interest, the state implements key protection on the basis of the multi-level protection system.
Key point: this article means that data leakage involving critical information infrastructure requires key protection on top of MLPS, including but not limited to commercial cryptographic application security assessment, data security review and cloud computing assessment.

3) Article 37: Personal information and important data collected and generated by operators of critical information infrastructure within the territory of China shall be stored within the territory. Where it is truly necessary to provide such data overseas, a security assessment shall be carried out in accordance with the measures formulated by the Cyberspace Administration of China together with the relevant departments of the State Council.
Key point: this article means that providing data overseas requires an assessment by the cyberspace authority before the data leaves the country.

4) Article 76: "Network security" includes the ability to ensure the integrity, confidentiality and availability of network data.
Key point: this article shows that the integrity, confidentiality and availability of network data are basic capabilities of network security and must be included in the scope of basic security protection capabilities.

2. The legislative process of the "Data Security Law" was very rapid. Why?

This should be viewed against the legislative background of the "Data Security Law":
1) At the level of social and economic development, the digital economy is growing rapidly and data has become a "basic national strategic resource". Protecting this data requires a legal basis;

2) At the level of data development and utilization, data has been transformed from a factor of production into productivity, and a legal basis is needed to promote its rational development and use.

Given the urgency of these two needs, the Data Security Law moved very quickly from legislative planning to formal promulgation, and it has promptly been applied concretely in other administrative regulations.

3. What is the scope of application of the "Data Security Law"?

1) Data processing activities carried out within the territory of China, and the security supervision of those activities;

2) Where data processing activities carried out outside China harm national security, the public interest, or the lawful rights and interests of citizens or organizations, legal responsibility shall be pursued in accordance with the law.
Key point: this makes clear that territorial jurisdiction over data security is primary, supplemented by protective jurisdiction.

4. What are the key points of each chapter of the "Data Security Law"?

1) Chapter 1, General Provisions. The main technical requirement is to establish a data security governance system, with supervision led by the national cyberspace authority and the competent industry regulators. Data security governance is the more important element here; it includes data inventory, data security risk analysis, classification and grading, monitoring and early warning, and data security planning, all of which fall within the scope of data security consulting services.

2) Chapter 2, Data Security and Development. This mainly includes support for data security assessment and certification, and the establishment of a data transaction management system.
Key points: first, data security assessment and certification may become a means of checking implementation of the Data Security Law, much as MLPS evaluation and commercial cryptography assessment do today; second, the law establishes a data transaction management system rather than a data transaction system, so the focus is on managing data transactions.

3) Chapter 3, Data Security System. This includes the most closely watched topics: data classification and grading, data security review and data export control.

4) Chapter 4, Data Security Protection Obligations. This mainly consists of three parts: data security management, risk monitoring and handling, and data processing and services.
Key points: the verification and recording of data sources during data processing is mainly aimed at the ownership of data sources in data transaction scenarios, not at the traditional data security scenarios of access traceability and evidence collection. The most important point in this chapter is that data may not be provided outside China without the required approval.

5) Chapter 5, Security and Openness of Government Data. This focuses on the state developing an open catalogue of government data and building a unified, standardized, interconnected, secure and controllable open platform for government data.
Key point: all units are advised to follow the relevant standards and regulations rather than developing data catalogues on their own, which may cause difficulties in interconnection and interoperability.

6) Chapter 6, Legal Liability. Put simply, penalties are layered: in addition to fines, a business may be ordered to suspend operations for rectification, and related permits or business licenses may be revoked.
Key point: the persons directly responsible may be held criminally liable in accordance with the law.

7) Chapter 7, Supplementary Provisions. The Data Security Law takes effect on September 1 of this year.

5. Which provisions of the "Data Security Law" need particular attention?

1) Data classification and grading, Article 21 of the Data Security Law. The state establishes a classified and graded data protection system and protects data according to its class and grade. The national data security work coordination mechanism coordinates the relevant departments in formulating catalogues of important data, and each region and department shall determine the specific catalogue of important data for its own region, department and related industries and fields in accordance with the classification and grading system.
a) Pay attention to the classification and grading schemes of national ministries or industries and use existing data classification standards or catalogues wherever possible; developing a bespoke classification and grading scheme is not recommended, since differing data catalogues hinder the exchange and sharing of data sets.
b) Classification serves to distinguish the objects of management, while grading serves to apply different degrees of protection. Data classification must be oriented to a specific management goal and supervisory approach and cannot be done generically.

2) Article 18 of the "Data Security Law" states that the state supports the development of data security testing, evaluation and certification services.
a) Key point: the standard GB/T 37988 Data Security Capability Maturity Model (DSMM) can serve as the starting point for implementing the Data Security Law. Work on this standard has been initiated in ISO and it may become an international data security standard.
b) Levels 1 to 5 of the GB/T 37988 DSMM do not map simply onto MLPS levels. A company should determine its own data security capability level based on a pre-assessment of its actual situation; blindly pursuing a high level without the underlying capability may make rectification difficult.

3) Article 27 of the "Data Security Law" emphasizes whole-process data security management. This covers the eight core data security capabilities: classification and grading across the data security lifecycle, transmission encryption, storage security, data masking (desensitization), data asset management, endpoint data security, monitoring and auditing, and data authentication and access control. These core technical capabilities, together with data management capabilities and operation and maintenance capabilities, are the core items checked in DSMM evaluation and certification. An organization that passes DSMM evaluation and certification basically meets the technical requirements put forward by the Data Security Law.

6. What is the relationship between the "Data Security Law" and the "Cyber Security Review Measures"?

The newly revised "Cyber Security Review Measures" bring data security into the scope of cyber security review.
Comparison of the "Cyber Security Review Measures" before and after revision:
1) Article 2: Critical information infrastructure operators, and data processors carrying out data processing activities that may affect national security, are subject to cyber security review.
Key point: data processing activities become a key object of review.

2) Article 6: Added: operators holding the personal information of more than 1 million users who seek to list abroad must apply to the Cyberspace Administration of China for cyber security review.
Key point: a quantitative threshold of 1 million users for data operators.

3) Article 4: The China Securities Regulatory Commission is added to the review bodies.

4) Article 10: The content of cyber security review and evaluation now includes data processing activities and overseas listing scenarios. Among the key national security risks are: the risk that core data, important data or large amounts of personal information are stolen, leaked, damaged, illegally used or illegally transferred abroad; and the risk that, after an overseas listing, critical information infrastructure, core data, important data or large amounts of personal information are affected, controlled or maliciously used by foreign governments.
Key point: the cyber security review adds data processing activities and overseas listings as evaluation content, and its focus is data security.

5) Article 13: The time limit for cyber security review is extended from 45 working days to 3 months.

6) Article 1 is the most critical: to ensure the security of critical information infrastructure, the Data Security Law is added to the legal basis alongside the National Security Law and the Cyber Security Law. Article 16, on violations of these Measures, likewise adds the Data Security Law to the basis for penalties.
Key point: these two articles show that the Data Security Law is listed as the basis for both review and punishment.

Taken as a whole, therefore, data security now has data security capability assessment and certification as a starting point, and cyber security review as a means of inspection and punishment.

7. With the Data Security Law about to take effect, how should we view data compliance?

Key point: data security must move from passive compliance to active strategy.
First, within the overall national security concept, cyber security is one of the 16 areas. From the security concept of the National Security Law, to the cyberspace sovereignty of the "Cyber Security Law", to the specific provisions of the "Data Security Law", the thread is consistent. Other current laws touching data security include the "Personal Information Protection Law", the Civil Code and Amendment XI to the Criminal Law, all of which contain relevant content.

Second, the implementation of data security laws, regulations and policies is a process in which regulatory means are gradually refined and regulatory capabilities strengthened: "let the law grow teeth". The country is now solving not only the problem of "having laws to follow" but also that of "ensuring violations are investigated".

In these circumstances, companies cannot take a one-sided view of data security compliance, still less gamble on not being inspected or penalized. They need to elevate data security compliance risk to the level of business risk, even corporate risk; actively take the advice of corporate legal, security compliance and regulatory teams, or engage a professional security consulting team; and stay sufficiently sensitive and forward-looking about policy trends, moving from passive data security compliance to active, strategic control.
