Maturity of DSMM data security management capabilities

Mondo Workplace Updated on 2024-02-20

With the backing of national policy, DSMM certification has become known to more enterprises, but many still know little about the assessment application process and related content of DSMM certification, or do not understand it at all. This article walks through the DSMM certification assessment process.

Introduction to DSMM

DSMM is the abbreviation of Data Security Capability Maturity Model.

Information Security Technology - Data Security Capability Maturity Model (GB/T 37988-2019) is a national standard of the People's Republic of China, implemented on March 1, 2020, under the jurisdiction of the National Information Security Standardization Technical Committee.

Information Security Technology - Data Security Capability Maturity Model (GB/T 37988-2019) provides a maturity model architecture for organizational data security capabilities and specifies the maturity level requirements for data collection security, data transmission security, data storage security, data processing security, data exchange security, data destruction security, and general security. The standard is applicable to the assessment of an organization's data security capabilities and can also serve as a basis for organizations to build those capabilities.

Assessment process

Review and evaluate the application

The applicant provides the application form for data security capability maturity assessment together with the other necessary attachments. The market personnel receive the application form and review the certification application and supporting materials submitted by the applicant against the requirements of the certification basis and procedures, in order to determine:

1. Whether the required basic information has been provided (in particular, whether the self-assessment information is complete);

2. Whether any known differences in understanding between the company and the applicant have been resolved;

3. Whether the company has the ability and capacity to carry out the certification activities applied for;

4. Whether the content of the application falls within the scope of assessment;

5. Whether the information filled in on the application form is complete;

6. The applicant's place of operation, the expected time required to complete the audit, and any other factors affecting the certification activities;

7. Where the application is approved, a service agreement is signed; where it is not accepted, the applicant is notified in writing.

Contract signing

For assessment applications that have passed the review, a service agreement is signed in accordance with the company's contract signing process.

The meaning and value of DSMM

The DSMM standard provides a tiered approach to data protection that fits the different stages of an organization's development. By carrying out a DSMM assessment, an organization can:

1. Understand and improve its own data security level, and carry out data security assurance work from the perspective of the data life cycle, in combination with the security needs that arise as its various data businesses develop;

2. Ensure the secure exchange and sharing of data between organizations, give full play to the value of data, and create a safer big data application environment.

So what is the value of DSMM certification for enterprises?

Asset protection: Through data security certification, enterprises can establish and improve their data security system, formulate comprehensive and reasonable data security processes and management measures, raise awareness of data security protection, and safeguard the security of enterprise data assets.

Risk prevention and control: Building a data security capability system not only provides protection against data risks, but also prevents and controls risks at their source and reduces the probability of data security incidents.

Compliance requirements: The Data Security Law, the Personal Information Protection Law and other relevant laws and regulations have been promulgated and set requirements for enterprise data security construction; data security certification can help enterprises meet those requirements and fulfil their responsibilities and obligations.

Policy support: As relevant laws and regulations are improved, all regions encourage local enterprises and organizations to establish data security compliance systems and provide policy support for doing so.

Publicity and promotion: Through data security certification, combined with its experience of building a data security system, an organization can form industry best practices, expand its visibility in the industry, and promote the development of the industry.

Core competitiveness: Enterprises that have passed data security certification can act as highly trusted data owners and data service providers, enhancing their core competitiveness and providing secure data services to their enterprise customers.

DSMM architecture

The DSMM architecture consists of four security capability dimensions, seven security process dimensions, and five security capability levels.

Four security capability dimensions: organizational construction, system processes, technical tools, and personnel capabilities;

Seven security process dimensions: data collection security, data transmission security, data storage security, data processing security, data exchange security, data destruction security, and general security, comprising a total of 30 process domains;

Five security capability levels: level 1 to level 5, from low to high.

Which level can an enterprise apply for in its first DSMM assessment?

The level applied for is judged mainly according to the actual situation of the enterprise; there is no rigid restriction on the level of an initial application.

Most organizations are suited to DSMM level 2. DSMM level 3 is suited to organizations with a high level of data security practice, DSMM level 4 to organizations with leading construction in the field of data security, and DSMM level 5 is not open for application.

Which departments of an enterprise need to be involved?

The departments involved mainly include the data security management department, the information security department, the information technology department, the data management department, the business line departments (business supervisors and business processing staff), the risk management department, the legal department, the human resources department, the internal control and compliance department, the audit department, and so on.

How can enterprises carry out the work of implementing the standard?

Preparation is carried out in three phases:

1) Gap analysis: Against the relevant requirements of the capability level standard, sort out the enterprise's data management system, implementation process documents, data management platforms and tools, conduct a gap analysis, and formulate a construction and improvement work plan.

2) Capacity building: Improve the data management organization, improve the data management system, optimize the data management platforms and tools, and carry out a benchmarking self-assessment.

3) Quantitative assessment: Set up an assessment team, submit a formal assessment application, undergo a third-party assessment, obtain the assessment results, and carry out rectification based on the improvement opinions.
