On July 28, during the 9th Internet Security Conference (ISC 2021), the ISC Cyberspace Security Governance Frontier Summit, co-hosted by the Information Security Professional Committee of the China Information Association and the ISC Internet Security Conference, was held. Experts in attendance offered their views on cyberspace security and data governance.
At the summit, Zuo Xiaodong, Vice President of the China Information Security Research Institute, gave a speech titled "Research Progress on the Guidelines for Identification of Important Data", introducing the progress and main points of the work on drafting the Chinese national standard "Guidelines for Identification of Important Data".
Based on Zuo Xiaodong's speech and his media interviews, the reporter has summarized several questions of concern to the industry regarding the identification of important data.
Why develop Guidelines for Identification of Important Data?
Zuo Xiaodong: The formulation of the "Guidelines for Identification of Important Data" standard is a very important task. In short, the state should use this standard as a norm to clarify the objects of management, that is, what important data is. This is the basis for the whole series of security supervision systems for important national data.
With so much data, which data should we focus on protecting? Many requirements in laws, regulations and policy documents concern important data. The concept of important data first came from the Cybersecurity Law. Article 37 provides for the domestic storage of personal information and important data and for the security assessment of cross-border transfers; this was the first time the concept of important data was put forward at the legal level. Article 21 of the Data Security Law, officially passed on June 10 this year, states that the state shall formulate a catalog of important data and strengthen the protection of important data. To a certain extent, I think this is the only concrete task of the current national data classification and grading system. Article 27 provides that a processor of important data shall designate a person in charge of data security and a management organization, and shall implement its data security protection responsibilities. This is a requirement that imposes specific legal obligations. Articles 30 and 31 both impose legal and regulatory requirements on processors of important data.
In addition, Article 9 of the cybersecurity review system, which everyone has been paying close attention to recently, lists the factors for judging national cybersecurity risk, one of which is the risk of important data being stolen, leaked or damaged. Furthermore, Article 15 of the draft Data Security Management Measures released for comment states that if network operators collect important data or sensitive personal information for business purposes, they should file a record with the local cyberspace administration department. We can see that more and more laws and regulations are setting requirements for the processing of important data. In the next step, the state will establish a complete system for the security supervision and management of important data. If data processors throughout society are involved in processing important data, they will be required to fulfil many protection responsibilities and obligations for important data. This must be paid attention to. The question that none of these legal responsibilities can avoid is what important data is. Therefore, the formulation of the "Guidelines for Identification of Important Data" is a very urgent and important task.
Is the concept of important data unique to China?
Zuo Xiaodong: Many people ask me: there is no important data management abroad, so why did China propose this system, and what is its basis?
First of all, important data is indeed not an international term, and most countries have not made a unified requirement for it as a major category, but that does not mean foreign countries care only about personal information and disregard important data. Foreign countries not only manage non-personal information but also have clear export control systems.
For example, the NIST SP 800-60 standard in the United States categorizes federal government information systems into three levels, low, moderate and high, from the perspective of confidentiality, integrity and availability, and then sets security requirements for federal government information systems. In addition to categorizing information systems, it also categorizes data into three levels. Through the categorization of systems and data, it is determined which level of security requirements applies to an information system.
In addition, the United States has a system for managing controlled information. Then US President Barack Obama signed Executive Order 13556, which established the Controlled Unclassified Information (CUI) management system, clarified the definition of CUI, and divided CUI into 20 categories and 124 sub-categories. Although CUI is not secret information, it is controlled, which makes it a kind of important data. NIST has been formulating security protection requirements for controlled unclassified information, including an assessment guide for those security requirements and SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. The scope of 800-171B extends to non-federal organizations: federal government contractors, for example, are associated with the federal government, so the resulting data reaches the wider society, and non-federal organizations must implement the security requirements for such data.
What are the basic principles of important data identification?
Zuo Xiaodong: In accordance with the requirements of the relevant higher-level departments, the National Information Security Standards Committee approved the research project "Guidelines for Identification of Important Data" in 2019, and the project was formally established last year. Currently, this work is at the draft stage.
There are six principles for identifying important data.
The first is to focus on the security field. Important data is identified from the perspectives of national security, economic operation, social stability, public health and safety, and so on. Data that is important or sensitive only to the organization itself, such as data relating to an enterprise's production, operations and internal management, is not important data. In addition, personal information is an important object of the regulatory system, but there is already a clear management system for personal information protection, so there is no need to entangle personal information protection work with important data protection work.
The second is to facilitate the flow of data: clarify the focus of security protection and the objects of supervision, standardize the development and utilization of data, and promote the safe and orderly flow of data. Once the objects of protection and supervision are clearly defined, data outside that scope need not be subjected to the stricter requirements.
The third is to link with existing regulations, fully considering existing local management requirements and industry characteristics. Where localities and departments have already formulated and implemented relevant data management policies and standards, the identification of important data should be closely linked with them. Establishing a data classification and grading system is the guiding principle of the state. Each industry formulates data classification and grading standards with its own characteristics, and when carrying out data security protection work it must clarify its important data, but that important data must be consistent with the national definition.
The fourth is to comprehensively consider risks. According to the different uses of the data and the threats it faces, comprehensively consider the risks of data being tampered with, destroyed, leaked, illegally obtained or illegally used, and identify the importance of data from the perspectives of confidentiality, integrity, availability, authenticity and accuracy. Data identified as important data does not necessarily require confidentiality: some data, such as meteorological data, is public, but has strict release channels and requirements for authenticity and accuracy. This means that the attributes of important data are directly related to the regulatory measures. This issue is still under discussion, and risks should be considered comprehensively.
The fifth is the combination of quantitative and qualitative methods. Identify important data using a combination of qualitative and quantitative methods, adopting different identification methods according to the specific type of data. Some data is important by its nature, while other data becomes important once it reaches a certain quantity, a change from quantitative to qualitative, so quantitative and qualitative methods need to be combined according to the actual situation.
The last is dynamic identification and review. Regularly review the results of important data identification, and re-identify important data when its usage, sharing methods, sensitivity and so on change.
What are the characteristics of important data?
Zuo Xiaodong: The current draft of the "Guidelines for Identification of Important Data" divides the characteristics of important data into "7+1" categories. The seven clear categories are: related to economic operation, related to population and health, related to natural resources and the environment, related to science and technology, related to security protection, related to application services, and related to government activities, plus one category of "other". This is not a classification of important data, but a description of the characteristics of important data from multiple aspects, intended to be as clear as possible.
The guidelines also give a method for describing important data, because catalogs of important data will be formulated by the various industries and localities. A unified description method is needed to standardize the reporting and processing of important data, otherwise the results will be inconsistent once aggregated. First, the classification of the data should be listed in the catalog; the specific classification standard can be determined by each industry itself. Second, organizations describe the regulatory requirements for data in their industry, as well as the existing governance policies that apply. Third, describe the importance of the data, including its impact on national security, the main security threats it faces, and the time-limited nature of its importance. Finally, describe how the data is generated, used and protected, including data sources, uses, sharing and exchange, and security measures. After forming this general description of the important data, submit it according to the procedures. The identification process is also set out in the standard. In the future, it is not excluded that industries will formulate further industry rules and more specific reporting processes based on this standard.
What other questions about important data remain?
Zuo Xiaodong: The first is the time limit of important data. Once data is identified as important data, is it always important? State secrets have a confidentiality period. How long should the validity period of important data be? When important data becomes unimportant, how is the transition handled? Are there cases where data remains important data for the long term?
Second, what is the relationship between important data and personal information? In principle, important data does not include personal information. It is not that personal information is unimportant; as mentioned above, personal information has its own management system. However, statistical data and derived data based on batches of personal information may be important data. From this perspective, important data and personal information are not completely separate.
Third, is it necessary to formulate the "Guidelines for Identification of Important Data" from the perspective of industry classification? Classifying important data by industry at the national standard level may affect the autonomy of industries, and it is difficult to accurately reflect the actual situation of each industry. Important data is important not because it naturally belongs to a certain industry, but because of its impact on national security. However, if the concept of "classification" is not introduced at all, the definition of important data will be very broad, resulting in a standard that is hard to operate and certain difficulties in management. In the future, industries and regions must formulate their own catalogs of important data, so this is a dilemma.
Fourth, what is the difference between important data and state secret information? Secret information is secret information, and important data is important data; the core data mentioned in the Data Security Law is not state secret information. In terms of sensitivity, important data is weaker than state secret information, but in many cases it is still not appropriate to disclose it. In terms of protection, the focus of state secret protection is to strictly limit the scope of access to the information, while the protection of important data must prevent data leakage, prevent data tampering, and maintain data authenticity. In addition, important data needs to consider the security risks arising after data aggregation, integration and analysis more than state secret information does. Besides confidentiality, important data also has high requirements for integrity and availability.
Fifth, where is important data distributed? In the future, the scope of important data management needs to be analyzed in detail. For example, government agencies' macroeconomic data, financial supervision data, population resource data and so on will certainly be included, and public service institutions such as hospitals and universities cannot be exempted. Authoritative professional institutions in geography, seismology, astronomy, meteorology and the like, scientific research institutions, Internet companies, and various product and service providers may all fall within the scope of important data management.