Organizations doing business in or related to China face increasing data security risks and regulations. Security and risk management leaders must adopt risk-prioritized data security programs and investments in response to regulatory requirements, in order to strengthen data-driven digital innovation capabilities. Dispersed data security initiatives across organizational functions and uncoordinated stakeholder responsibilities prevent organizations from achieving enterprise-scale, consistent data security governance (DSG). Data discovery and classification are the foundation of DSG and are implemented in most organizations through manual processes; however, this is neither scalable nor effective. As organizations' data processing activities evolve dynamically, point-in-time data risk assessments (DRAs) are often insufficient to meet the diverse and changing compliance requirements for risk identification and handling. Growing data movement between on-premises and cloud applications and data stores makes it hard for security and risk management (SRM) leaders to achieve unified data visibility and security controls.
Gartner, Inc. | G00775485
Page 1 of 17
Security and Risk Management Leaders' Guide to Data Security in China
Published 27 March 2024 - ID G00775485 - 21 min read
By Analyst(s): Anson Chen, Jie Zhang
Initiatives: Digital Technology Leadership for CIOs in China; Security of Applications and Data
Organizations doing business in or related to China face increasing data security risks and regulations. Security and risk management leaders must adopt risk-prioritized data security programs and investment in response to regulatory requirements to empower data-enabled digital innovation.
Overview

Key Findings

■ Dispersed data security initiatives and uncoordinated stakeholder responsibilities spanning organizational functions have impeded organizations from realizing enterprise-scale, consistent data security governance (DSG).

■ Data discovery and categorization is fundamental to DSG and has been implemented through manual processes in most organizations. However, this is neither scalable nor effective.

■ Point-in-time data risk assessments (DRAs) are generally not sufficient to fulfill diverse and evolving compliance requirements on risk identification and handling, as organizations' data processing activities develop dynamically.

■ Increasing data movement across applications and data stores on-premises and in the cloud leaves security and risk management (SRM) leaders struggling to enable unified data visibility and security controls.

Recommendations

Security and risk management leaders in China responsible for data security must:

■ Establish an enterprise-scale DSG and management function by forming a data security steering committee (DSSC) and identifying key stakeholders. The DSSC can select and build a fit-for-purpose DSG framework that defines a set of data security policies to mitigate security risks to an agreed level.

■ Streamline data discovery and classification processes that operate across structured and unstructured platforms by adopting modern classification approaches (e.g., metadata enrichment) and automated data classification tools that use machine learning, natural language processing (NLP) and computer vision.

■ Apply DRAs to assess the implementation of data security policies. Treat compliance assessments (such as full-scope data risk compliance assessments, sector-specific data risk assessments and data outbound transfer security assessments) as lasting, continuing tasks by leveraging automation technologies or third-party services.

■ Enforce consistent data security policies across disparate data security products by adopting a consolidation approach that integrates siloed data security products into data security platforms (DSPs).

Strategic Planning Assumptions

By 2025, 50% of large multinational corporations with business in China or related to China will have a dedicated data security role with local legal expertise and language skills for addressing Chinese-market-related data protection needs, up from less than 10% today.

By 2025, 30% of organizations processing important business data or personal data in China will have adopted automation technologies for data discovery and classification, due to the pent-up demand for higher levels of data security and the rapid increase in product capabilities.
Introduction

Organizations doing business in China now face unprecedented data security risks resulting from malicious activities and compliance obligations (such as the China Data Security Law (DSL) and the China Personal Information Protection Law (PIPL)). While local regulators continue to issue new guardrails for cyber and data security, there has been a powerful atmosphere of digital business innovation in China (see Leadership Vision for 2023: CIOs and Their Teams in China). Competition in exploring data for new digital products and services continues to drive investment and new business behaviors in China.

At the same time, concerns about the mishandling and misuse of data are rising. The heavily regulated sectors (e.g., government, finance, healthcare and telecommunications) have been obliged to comply with industry-specific standards and guidance from their regulators for several years. They still need to keep up with evolving regulatory requirements on data security and usage. Many organizations outside these sectors find themselves in a similar position.[1] They are just starting their journey and need to catch up quickly. While data security frameworks, standards and technologies are available in the market, finding the right combination of frameworks, processes, technologies and skilled talent to achieve compliance and better data security remains a challenge for many SRM leaders.

Organizations need to rapidly formalize data security programs that align with business innovation appetites as well as established frameworks. What are the required steps to plan and set up data security programs? This research note introduces a structured, iterative and risk-based approach (see Figure 1). SRM leaders can apply its tips and resources to formalize their DSG and management function, prioritize data security risks and investments, and implement a coherent set of security controls.
Figure 1: A Risk-Based Approach for Data Security Programs Set Up
Analysis
Establish Enterprise-Scale DSG and Management Function
While the opportunities to leverage data to render insights for business innovation, decision making, automated decisions and augmentation of human performance are growing, the associated business and compliance risks are also expanding. DSG enables organizations to assess and prioritize business risks arising from data security, data residency and privacy issues, and to establish data security policies that address the identified business risks and support business outcomes.
Effective DSG and management requires cross-collaboration among the chief information security officer, the chief data and analytics officer (CDAO), the data privacy officer (DPO) and business leaders to break down barriers to communication and establish clear responsibilities and objectives for data security programs. Such collaboration can be formalized within the organization by establishing a DSSC.

To ensure business risks are clearly identified, articulated and aligned with data risks, diverse representation from business units with sufficient seniority must be included in the DSSC so that members can make most decisions during committee meetings without circling back to their superiors. Although each organization may structure its DSSC differently, the key stakeholders below (see Table 1), or equivalent functions, should be considered indispensable members of the DSSC in your organization.

Once the DSSC is institutionalized, its chairperson can refer to the best practices for running a DSSC (see Use a Data Security Steering Committee to Realize Data Security Governance Objectives) to maintain stable and effective operation. Note that in most situations the chief information security officer will chair the DSSC, oversee stakeholder perspectives and contributions, and guide the creation of data security policies that will mitigate business risks to a level acceptable to and approved by the business leaders.