In May this year, the Cyberspace Administration of China released the "Digital China Development Report (2022)", which showed that China's data output in 2022 reached 8.1 ZB, up 22.7% year on year and accounting for 10.5% of the global total, ranking second in the world. In April 2020, the CPC Central Committee and the State Council issued the "Opinions on Building a More Perfect System and Mechanism for Market-oriented Allocation of Factors", which for the first time wrote "data" as a factor of production into a national policy document.
China thereby became the first country in the world to establish data as a factor of production at the level of national policy. As data security rises to the level of national strategy, data classification and grading has become an unavoidable topic in enterprise data security governance.
This article consolidates the available material on data classification and grading and lays out a path for enterprises to carry it out, in the hope of serving as a reference.
Further reading: Data Security Governance: A guide to the classification and grading of data.
Why do we need to do data classification and grading?
Meeting legal compliance requirements
The Cybersecurity Law, in force since 2017, requires network operators to take measures such as data classification as part of their security protection obligations, and the Data Security Law promulgated in 2021 establishes a data security management system.
Article 21 of the Data Security Law stipulates: "The State shall establish a categorized and graded data protection system, and shall protect data by category and grade according to the importance of the data in economic and social development and the degree of harm to national security, the public interest, or the lawful rights and interests of individuals and organizations once it is tampered with, destroyed, leaked, or illegally obtained or used." This makes clear that the basis for classification and grading is the importance of the data and the degree of harm caused when its security is compromised; the same article also calls for strengthened protection of important data and a stricter management system for core data.
The Regulations on the Management of Network Data Security (Draft for Comments) further specify that the state divides data into three levels, namely general data, important data and core data, and adopts different protection measures for each level. The draft regulations also provide for focused protection of personal information and important data and stricter protection of core data.
In addition, Article 51 of the Personal Information Protection Law requires personal information processors to manage personal information by category, and the law imposes stricter requirements on sensitive personal information, the intent being differentiated levels of protection. Classification and grading is therefore a prerequisite for data compliance.
Reducing data security risks
Once data has been classified and graded, an enterprise can allocate resources rationally and put in place matching risk controls, protecting data security and personal privacy while still releasing the value of its data resources.
Identifying the important and sensitive data in the organization gives a picture of the categories, levels and distribution of sensitive data assets and of the scenarios in which each type of data is used. On that basis, protective measures can be designed that balance data flow against data security and reduce the risk to the business. The result is fine-grained management and control of data assets and effective monitoring of how sensitive data moves, so that data use and data sharing are "visible and controllable".
Meeting business needs
Better data quality helps business departments formulate sounder strategies in scenarios that involve data processing, improves operational capability, provides accurate data services to the organization, and supports the healthy and sustainable development of the business. Fine-grained management of data assets is also set to become a driver of business optimization and a source of competitive advantage.
What is data classification and grading?
As defined in GB/T 38667-2020, "Information Technology - Big Data - Data Classification Guidelines", data classification is the act of distinguishing and grouping data according to its attributes or characteristics, following certain principles and methods, so that the data can be better managed and used. There is no single correct classification scheme; different classification systems arise depending on the enterprise's management objectives, protection measures and chosen classification dimensions.
Data classification is the first step in data asset management. Whether the goal is cataloguing and standardizing data assets, confirming and managing rights over data, or providing data asset services, effective classification comes first. Classification is approached mainly from the business or data-management perspective, along dimensions such as industry, business domain, data type, sharing, and openness; along each dimension, data with the same attributes or characteristics is grouped according to agreed principles and methods.
Data grading is based on the importance of the data and the impact of its compromise, and ensures that data is protected at a level commensurate with that importance and impact. The objects of impact are generally of three kinds: social and public interests; the enterprise's interests (business, financial and reputational impact); and the interests of users (property, reputation, living conditions, and physical and psychological well-being).
It is recommended that the highest impact level found across these objects be taken as the sensitivity level of the data object. Grades can also move up or down as the data changes, for example because its content changes, because it is aggregated or integrated with other data, or because national or industry regulators require it. Data grading is, in essence, classification along the sensitivity dimension.
In practice, grading is inseparable from classification, which is why, in data security governance and data asset management, the two are treated together under the name data classification and grading.
At present, industries such as finance, industrial manufacturing, telecommunications, healthcare and automotive have issued their own data classification and grading guidelines or technical specifications (most of these are industry or local standards and are not listed here).
Taking finance as an example, the classification and grading methods of the financial sector are set out mainly in the "Financial Data Security - Data Security Classification Guide" (JR/T 0197-2020) and the "Securities and Futures Industry Data Classification and Grading Guidelines" (JR/T 0158-2018). The former divides data into three categories: customer data, business data, and operation and management data. Customer data is further split into individual and institutional customers; business data is subdivided by business line; and operation and management data covers operations management, technology management and general management (employee, financial, administrative and organizational information), as shown in the table below.
Grading in particular need not be complicated. Best practice is to divide data into three or five levels by sensitivity or impact; when enterprises adopt overly complex or arbitrary grading schemes, data management tends to become more chaotic, not less.
Principles and processes for data classification and grading
Enterprises generally follow these principles when classifying and grading data:
Principle of scientific rigour: classification should be carried out scientifically and systematically according to the multi-dimensional characteristics and logical associations of the data, and the classification rules should be relatively stable rather than changed frequently;
Principle of applicability: meaningless categories or levels should not be created, and the results of classification and grading should accord with common sense;
Principle of flexibility: before data is aggregated or shared, each department should complete its own classification and grading according to its business needs;
Principle of high strictness: for example, if a dataset contains data items of several levels, the dataset is graded at the highest level among those items;
Principle of dynamic adjustment: the grade of a data item may change with time, policy, security incidents, differing sensitivity across business scenarios, or industry rules, so classification and grading results must be reviewed and adjusted regularly;
Principle of least impact: the work should disturb normal system operation as little as possible and must not affect ongoing operations or the normal provision of business services;
Principle of confidentiality: customer data, intermediate data and results encountered during implementation must be kept strictly confidential, must not be disclosed to any organization or individual without authorization, and must not be used to compromise the customer's information security.
The general process of enterprise data classification and grading is described in a number of standards and is broadly the same across them: set up the data security project team, sort out the data assets, determine the standards and principles, classify the data, assign security levels, and formulate data security protection strategies (the specific implementation steps are shown in the figure below).
How to classify and grade data for enterprises
The general process was outlined above; this section expands on the key points of its technical implementation.
Inventory assets (sorting out data assets).
Data assets are the foundation of classification and grading. Before classifying and grading, the enterprise must sort out and inventory its assets to produce an asset list. Classification and grading is a long-term effort, and a clear asset inventory helps the enterprise plan its implementation.
A data asset security management platform can automatically carry out a dragnet inventory of the enterprise's structured and unstructured data sources, draw a data asset map in the form of an asset catalogue, and show the distribution, quantity, size, ownership and other details of data assets, helping the enterprise find out what data it actually holds.
Set standards (develop classification and grading methods and strategies).
Before classifying and grading data, the enterprise needs to formulate classification and grading standards and specifications. National standards already promulgated include GB/T 35273-2020, "Information Security Technology - Personal Information Security Specification", for personal information. Various industries and organizations have also issued implementation guidelines for data classification and grading, such as JR/T 0158-2018 "Securities and Futures Industry Data Classification and Grading Guidelines", JR/T 0197-2020 "Financial Data Security - Data Security Classification Guide", and YD/T 3813-2021 "Data Classification and Grading Methods for Basic Telecom Enterprises".
Enterprises can refer to these implementation guidelines and formulate their own classification and grading standards based on their business, management, data protection and other needs (the following figure takes the financial industry as an example).
Tag (automatic identification by tools plus manual verification).
Tagging means labelling each data asset with its data category and data grade. Enterprises can determine the category and grade of a data asset from information such as its content, attributes, source and context.
A data asset security management platform ships with a general data feature library and industry rule libraries, and supports automatic classification and grading through techniques such as machine learning, regular expressions, data fingerprints, keywords and data dictionaries. A manual verification step then fine-tunes the rules to the customer's actual situation and needs, which is what ultimately ensures the accuracy of the tags. Once the rules and configuration are saved, newly arriving business data can be tagged fully automatically.
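The tagging pipeline described above, together with the "highest level wins" rule for datasets and the upgrade-on-aggregation case mentioned earlier, can be sketched in a few dozen lines. The following is an added example written for this article; it is not code from the source page or from any vendor platform. The categories, the 4-level scale, the rules, the 80% hit threshold, the aggregation upgrade rule and the sample rows are all constructed for illustration and are not taken from any standard. It combines the three detection techniques the paragraph names (keyword/data-dictionary match on column names, regular expressions on sampled values, and a checksum "fingerprint" that rejects look-alike values) and then applies a manual override, which is the verification step.

```python
"""Rule-based tagging of tabular data assets with classification + grading.

Added example (not from the source page or any vendor product). Categories,
levels, rules, thresholds and sample rows are constructed/hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical 4-level grading scale, constructed for this example.
LEVEL_NAMES = {1: "general", 2: "internal", 3: "sensitive", 4: "highly-sensitive"}


def id_checksum_ok(value: str) -> bool:
    """Check digit of an 18-digit PRC resident ID (ISO 7064 MOD 11-2, GB 11643-1999)."""
    if not re.fullmatch(r"\d{17}[\dXx]", value):
        return False
    weights = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
    total = sum(int(d) * w for d, w in zip(value[:17], weights))
    return "10X98765432"[total % 11] == value[17].upper()


def luhn_ok(value: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    if not value.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    category: str                       # classification (business/data dimension)
    level: int                          # grading (sensitivity dimension)
    keywords: tuple = ()                # data-dictionary hit on the column name
    pattern: Optional[re.Pattern] = None            # regex on sampled values
    validator: Optional[Callable[[str], bool]] = None  # fingerprint: checksum etc.
    min_hit_ratio: float = 0.8          # share of samples that must pass pattern+validator


@dataclass
class Tag:
    category: str
    level: int
    source: str                         # "rule:<name>", "manual" or "default"


# Constructed rule set; first matching rule wins, so the most specific go first.
RULES = [
    Rule("national_id", "customer:identity", 3, ("id_card", "cert_no"),
         re.compile(r"\d{17}[\dXx]"), id_checksum_ok),
    Rule("bank_card", "customer:account", 3, ("card_no", "bank_card"),
         re.compile(r"\d{16,19}"), luhn_ok),
    Rule("mobile", "customer:contact", 3, ("mobile", "phone"), re.compile(r"1[3-9]\d{9}")),
    Rule("person_name", "customer:identity", 2, ("name",)),
]


def rule_matches(rule: Rule, column: str, samples: list) -> bool:
    if any(k in column.lower() for k in rule.keywords):
        return True
    if rule.pattern is None or not samples:
        return False
    hits = sum(1 for v in samples if rule.pattern.fullmatch(str(v))
               and (rule.validator is None or rule.validator(str(v))))
    return hits / len(samples) >= rule.min_hit_ratio


def tag_column(column: str, samples: list, rules=RULES) -> Tag:
    for rule in rules:
        if rule_matches(rule, column, samples):
            return Tag(rule.category, rule.level, f"rule:{rule.name}")
    return Tag("general", 1, "default")


@dataclass
class DatasetReport:
    table: str
    columns: dict
    level: int
    notes: list = field(default_factory=list)


def tag_dataset(table: str, data: dict, overrides: Optional[dict] = None,
                rules=RULES) -> DatasetReport:
    """Tag every column, apply manual verification results, then grade the dataset."""
    overrides = overrides or {}
    tags = {}
    for column, samples in data.items():
        if (table, column) in overrides:        # manual verification wins over rules
            cat, lvl = overrides[(table, column)]
            tags[column] = Tag(cat, lvl, "manual")
        else:
            tags[column] = tag_column(column, samples, rules)
    notes = []
    level = max(t.level for t in tags.values())  # high-strictness: highest column level
    # Constructed aggregation rule: identity + account data together is riskier
    # than either alone, so the combined dataset is upgraded by one level.
    cats = {t.category for t in tags.values()}
    if {"customer:identity", "customer:account"} <= cats and level < 4:
        level += 1
        notes.append("upgraded: identity and account data aggregated in one dataset")
    return DatasetReport(table, tags, level, notes)


# Constructed sample column values (no real persons or cards).
CUSTOMER_TABLE = {
    "cust_name": ["Zhang San", "Li Si"],
    "cert_no": ["11010519491231002X", "440301199001010012"],    # valid check digits
    "mobile_no": ["13800138000", "13912345678"],
    "card_no": ["4532015112830366", "4111111111111111"],        # pass Luhn
    "order_ref": ["440301199001010013", "110105194912310020"],  # 18 digits, fail both checks
}


def demo() -> DatasetReport:
    # Manual verification decided order_ref is an internal order reference, level 2.
    overrides = {("customer", "order_ref"): ("business:order", 2)}
    return tag_dataset("customer", CUSTOMER_TABLE, overrides)


if __name__ == "__main__":
    r = demo()
    for col, t in r.columns.items():
        print(f"{col:10} {t.category:18} L{t.level} ({t.source})")
    print("dataset level:", r.level, LEVEL_NAMES[r.level], r.notes)
```

Two points worth noticing when running it. The `order_ref` column is 18-digit numbers that a regex alone would tag as ID numbers; the checksum validator rejects them, so the column falls through to the default and is then fixed up by the manual override, which is exactly the role the verification step plays. And although no single column is graded above level 3, the dataset as a whole comes out at level 4, because the combination of identity and account data is treated as more sensitive than its parts.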
Apply controls (formulate security protection policies from the classification and grading results).
A data asset security management platform can help an organization sort out the current state of its data assets comprehensively and systematically, discover and locate sensitive data, complete classification and grading automatically, and build a data asset catalogue, and on that basis construct a data security protection system that applies different protection strategies to data of different categories and levels. Through standardized APIs the platform can also export the classification and grading information of data assets to other data security tools (encryption, masking, watermarking, firewalls and so on), so that fine-grained, targeted policy controls can be enforced at key business scenarios and nodes to protect data and prevent leakage.
Wrapping up
Data classification and grading is the basic building block of enterprise data security governance and an important means of balancing data protection against data circulation. It protects important data assets by ensuring that users with a lower level of trust cannot reach sensitive data, while avoiding excessive and unnecessary security measures on unimportant data. It also helps improve operational efficiency: classification from a business perspective better serves business use and data asset management, helps the enterprise manage its internal data assets in a fine-grained way, and continues to empower the business.
Source: Guomai Data Assets.