Strengthen data security management and promote bank data assets to create value

Challenges and Opportunities for Implementing Regulations such as the Data Security Law

1. Provisions of the “Data Security Law” on the data security protection of commercial banks

For commercial banks, the “Data Security Law” and other regulations are based on the actual data security work, focus on prominent issues in the field of data security, and establish basic data classification and classification management, data asset management and control, data security risk assessment, monitoring and early warning, and security review. requirements, clarifying the data security protection obligations of relevant subjects. The implementation of the “Data Security Law” requires commercial banks to collect data in a legal and proper way, use data reasonably in accordance with the law, ensure the establishment and improvement of a full-process data security management system when carrying out data processing activities, and take corresponding technical measures to ensure data security. For the processing of important data, it is necessary to clarify the person in charge of data security and the management organization, and to implement the responsibility for data security protection. The “Data Security Law” establishes a data classification and classification protection system and defines the scope of important data, which will further stimulate commercial banks to take the initiative to carry out data asset inventory in compliance with regulations, establish a full-process data security management system, and give full play to the power of the value of data elements.

2. Challenges to commercial banks by implementing the Data Security Law

As a data-intensive institution, commercial banks store a large amount of basic financial data. The implementation of the “Data Security Law” has brought challenges to the data management of commercial banks. Independent but closely related, the roles and responsibilities of the data production department, data user department, data management department, and security management department are difficult to clearly define, personnel security awareness is not balanced, and there are also difficulties in the construction of current data classification and important data catalogs. Ultimately, data security protection and flow control will become more difficult, and data security compliance management costs will be high.

3. Opportunities for commercial banks to implement the Data Security Law

While regulating data activities, the “Data Security Law” insists on paying equal attention to both security and development, and makes corresponding provisions on promoting the openness and utilization of government data, promoting the free flow of transaction data, and ensuring the security of data exiting the country, so that data security can be legally abided by, There are rules to follow, which provides strong support for the safe and healthy development of the digital economy, as well as opportunities for commercial banks. First, the “Data Security Law” advocates the balanced development of data security and value creation, coordinates development and security, insists on promoting data security through data development and utilization and industrial development, encourages and supports the innovative application of data in various industries and fields, and vigorously promotes The security and openness of government data provides a policy basis for commercial banks to deepen “government-bank” data cooperation, promote internal and external data sharing and the orderly flow of data elements, activate the value of data elements, and accelerate digital transformation. Second, the “Data Security Law” advocates and encourages data development and application and research on new technologies, encourages technology promotion and business innovation in the fields of data development and utilization and data security, and promotes data security for commercial banks through artificial intelligence and blockchain technology innovation. Management provides a good guiding effect.

Discussion on the methods of implementing the “Data Security Law” and other regulations

Faced with the above challenges and opportunities, commercial banks should establish a data security closed-loop management system from the levels of organization, system and technology, and promote the effective use of financial data on the basis of comprehensively ensuring data security.

1. Do a good job in the top-level design of commercial bank data security management

First, a commercial bank should establish a leading organization for data security management at the top level. The head office and branches at all levels should set up a leading department for data security management. Each data application department is the main responsible department for the group’s data security management work. Each institution should be responsible for data security management. Under the guidance of the leading organization, the Group closely cooperates and cooperates to carry out the data security management of the group. The second is to establish and improve the data security management system covering the whole range and the whole cycle, and clarify the data security management requirements for each link and the whole scene, such as data collection, storage, transmission, processing, and destruction. The third is to build a data security closed-loop management system and promote the continuous improvement of the data security governance system.

2. Establish and improve the data classification and classification management system and process control mechanism

First, commercial banks should identify and classify existing sensitive business data, establish a unified data classification management system and important data catalog, clarify the elements and principles of data security classification, and adopt different control methods for data with different data security levels. . The second is to establish and improve the data asset security attribute registration mechanism, clarify the responsibilities of the data generation department, data application department, data management department, and system research and development department, and deeply embed data security management and control into the entire process of system requirements, research and development, and application to prevent security loopholes. Implement data security measures in systems, systems, processes and management.

3. Improve data security management capabilities and shared application capabilities

Use emerging technologies such as machine learning, artificial intelligence, and big data analysis to automatically identify and label sensitive data, perform differentiated algorithm encryption for different types of sensitive data, and actively research digitalization including federated learning, multi-party secure computing, and blockchain. technology, promote the improvement of data security management capabilities, and improve the level of data compliance sharing.

4. Strengthen data security talent training and cultural change

One is to increase the cultivation of talents and culture. Continue to carry out full-time and part-time data security management personnel and technical personnel training, and build a data security talent system. Do a good job in the publicity and implementation of data security culture within the group, improve confidentiality awareness, and build a strong data security defense line. The second is to carry out data security inspections and assessments, clarify data security audit tasks, conduct regular inspections of bank data security work, and do a good job in data security problem investigation, so as to find and solve problems as soon as possible. The third is to carry out data security capability model assessment, and comprehensively improve the bank’s data security capability in terms of organization, platform, and system.

Based on the above data security management concepts of commercial banks, the following data security management framework is summarized (see Table 1).

Table 1 Data security management framework of commercial banks

ICBC Data Security Management Practice

In recent years, ICBC has been striving to explore the theory of data security compliance management, vigorously carry out relevant practices, and accumulated some effective practical results.

1. Improve the organizational structure of data security management

According to the “Data Security Law”, “Guidelines” and other legal requirements, ICBC has established a group-wide data security management system with the Fintech Development Committee as the decision-making level, the Head Office’s Management Information Department and the Fintech Department taking the lead, and the headquarters and branches at all levels cooperating with the implementation. Organizational structure, and clarified the work responsibilities of agencies at all levels, and formed a management mechanism with clear powers and responsibilities, and effective cooperation.

2. Improve the data security management system and mechanism

ICBC relies on the construction of a big data service cloud platform to achieve compliance and effective sharing of various types of information, and has issued the “Big Data Service Cloud Data Management Measures”, “Data Sharing Work Rules”, “Big Data Service Cloud Business Emergency Plan” and other systems The method clarifies the data security management requirements for data collection, storage, processing, transmission, and application, and establishes management processes and supporting mechanisms for data integration, authorization, and application.

3. Carry out data classification and asset ownership confirmation

In 2020, ICBC started the construction of the data asset management project, established a data asset catalog, standardized the data asset registration process, and carried out the sorting out of data asset security attributes and departmental authority confirmation. In order to improve the comprehensiveness, effectiveness and accuracy of data security management, ICBC has formulated and released the “Data Security Classification and Classification Specification” in accordance with the “Guidelines for Financial Data Security Classification” of the People’s Bank of China, which clarifies the classification and classification of financial data security across the bank. Objectives, principles, scope, elements and rules, and on this basis, provide references for classification and classification of various financial data, laying a foundation for sorting out data assets and implementing effective data classification and classification management.

4. Strengthen data usage management

In advance, in accordance with the use principle of “necessary for knowledge and minimum authorization”, ICBC has established a cloud data authorization management system for big data services, using a “two-level authorization” method to manage the data authorization of institutions and users, and according to “territorial authorization”. Control the scope of data access based on the principle of During the incident, ICBC took measures such as shielding, desensitization, and encryption to strengthen security management of important information items, and set user access policies by classification and classification to strengthen the protection of key data access. After the incident, ICBC established a systematic user behavior monitoring model, established a data outgoing verification mechanism and a dynamic monitoring mechanism through emails, USB flash drives and other channels to ensure compliance with laws and regulations and data security.

5. Promote the full sharing of group data

In order to promote the circulation of data in the group and standardize the management of information sharing and application within the group, ICBC has established a working mechanism for sharing customer information within the group covering demand submission, application, review, feedback, and effect evaluation. “On the basis of supervision and group consolidated management, it is necessary to promote the sharing and application of information within the group to give full play to the value of data.

At present, although ICBC has made some progress in data security management, there is still a long way to go to fully implement the “Data Security Law” and other regulatory requirements, strive to promote the creation of value from data asset elements, and fully realize the development goals of digital transformation. to go.

The Links:   BSM30GP60 NL6448BC20-18