Data security is mainly constructed and protected from the aspects of organization personnel, data classification, classification and compliance evaluation

Mobile application data security management The basic requirements include agency personnel 、 Institutional safeguards 、 Classification and grading 、 Compliance assessment 、 Rights management 、 Security audit 、 Partner management 、 Emergency response 、 Complaint handling 、 Education and training .

Agency personnel

By clarifying the data security management Responsible department , Clarify the scope of responsibilities , It is conducive to the landing and implementation of specific work . That is, from a strategic height , Start with top-level design , Step down , Put it into practice . Different industries , Different companies , According to their own conditions , Define what meets the needs of the enterprise's own development Data security Responsible management department . For clearer explanation , Here are the practices of an Internet enterprise , For reference . For example, an Internet enterprise has set up a data asset management committee , Within the leading enterprise Data security Management work ; The members of the committee are led by the person in charge of the enterprise, such as CEO or CTO To take the lead , Data principals of all business and functional departments ; At the same time, it defines and clarifies the specific responsibilities of the committee ： First, formulate the company's important data security rules and regulations , Second, the company data Safety technology Ability to make clear requirements , The third is to conduct regular compliance evaluation and inspection on the implementation of the company's data security related systems , Fourth, emergency disposal of major events related to data security . Clarify the responsibilities of the data security management department , The implementation and landing of these responsibilities need to be carried out by each department in the enterprise . Again , Different industries , Different companies , According to their own conditions , Divide the management responsibility and implementation responsibility into different departments . here , Continue to list the practices of an Internet enterprise , To illustrate .
for example , The specific data security management work of the data asset management committee is carried out by the security department , The internal control department of laws and regulations shall undertake . The executive departments of each work include , But not limited to, ： Data management business department , Data user department , System operation and maintenance department . Responsibilities of the security department , Build enterprise data security protection system , Provide technical support in various activities of data security . Responsibilities of the internal control department , Conduct compliance inspection on the operation behavior of business departments in all links of the data life cycle , According to laws and regulations and formulated by the company , Accountability for illegal operations . Other departments implement the relevant data security specifications of the company in their daily work , Actively cooperate with data audit and compliance work .
After clarifying the division of responsibilities of the Department , The specific data security management work needs to be implemented by the specific responsible person , Enterprises can set up data security posts in responsible departments and executive departments , The personnel of this position shall undertake the corresponding work . alike , Different industries , Different companies , According to their own conditions , Assign or divide responsibilities to different people

Institutional safeguards

Enterprises should establish a complete data security management system , Cover data security policies 、 Management system 、 Operating procedures 、 Record forms, etc . Guide enterprise managers and operators to implement various data security activities , Make the data security management work in the enterprise have rules to follow . The data security management system includes but is not limited to ： Data classification and hierarchical management 、 Data access rights management 、 Data security compliance assessment 、 Data Lifecycle Management 、 Data partner management 、 Data backup and recovery 、 Data security emergency response, etc .

Classification and grading

Regularly sort out the list of enterprise data assets , Including collecting through legal means 、 Produced , Stored in Computer information System or other storage medium Middle user Personal information , Including but not limited to user related data 、 Biometric information, etc .
stay 《 Financial data security Data security classification guide 》 The grading goal of data security in 、 Data security classification principle 、 The range of data security rating is explained , It also gives a detailed description of how to carry out data security classification , Each enterprise can refer to its own situation .
Around the whole life cycle of data , Take targeted security measures , The following safety assurance measures for each link , Provide some safety advice , For enterprises to combine their own reality , Make appropriate security .
Data collection needs to be fully authorized by users , The data transfer And storage needs to ensure data encryption , Data use process for minimum authorization , A large number of or high-risk operations need to be approved , Data exchange The compliance audit shall be conducted by the regulation and internal control department , Data destruction shall be carried out according to the company's system . For special data requirements , Such as data exit , It needs to be reported to the competent department for approval .
All data related operations , All need to be marked and recorded , Facilitate future audits

Compliance assessment

The enterprise shall be based on 《 Network security Law 》,《 Network security Class protection The basic requirements 》、《 Telecom and Internet users Personal information Protection specifications 》、《 Information Safety technology personal Information security standard 》 And other laws and regulations to carry out data security compliance evaluation .（1） Enterprises should take data security compliance assessment as an important content and starting point of data security management , according to “ Who operates 、 Who is in charge of 、 Who is responsible for ” Principles , From organization building 、 Institutional process 、 Technical tools 、 Carry out the evaluation of the overall data security protection level of the enterprise in terms of personnel ability and form an evaluation report . The evaluation report should include the basic information of the evaluation object 、 Assessment process 、 Benchmarking of evaluation points 、 Allocation of safeguard measures and description of supporting materials 、 Problem analysis and improvement measures .（2） The content of data security compliance evaluation includes but is not limited to the construction of data security system 、 Data classification 、 Data security incident emergency response level , And the compliance processing of key business and system data 、 Allocation of data security measures 、 Data security protection level of the partner .（3） Enterprises follow the data security system , Carry out data security compliance assessment of key businesses on an annual basis and form an assessment report . Focus on evaluating the implementation of relevant systems and norms in business data processing activities 、 Allocation of data security protection measures . Realize the new online business 、 The evaluation of key stock businesses covers , When the business data processing mode changes, it should be dynamically tracked and evaluated .（4） Enterprises follow the data security system , Carry out the core data processing activity platform system data security compliance assessment on an annual basis and form an assessment report . Focus on evaluating the implementation of internal management measures 、 Configuration of data security protection measures of platform construction and operation Department and partners .

Refer to data security for more information
Xintong hospital Data infrastructure white paper 2019
Xintong hospital Research Report on data security technology and industrial development -2021 year
Xintong hospital Data security governance practice guide -1.0
Xintong hospital Research on data security risk analysis and Countermeasures -2022 year
Xintong hospital Database Development Research Report