Insights into China’s Network Data Security Risk Assessment Implementation Guidance
Charles Feng, Yifan Lu, and Lian Xue of Tahota (Beijing) Law Firm explain the evolving regulations concerning data security in China and suggest how enterprises can stay on top of the compliance requirements
Since 2020, China’s National Information Security Standardisation Technical Committee (the Technical Committee) has issued many network security standard practical guidelines.
The guidelines have included:
The Mobile Internet Application (App) Personal Information Protection Frequently Asked Questions and Disposal Guideline (September 2020);
The Network Data Classification and Grading Guidelines (December 2021);
The Technical Specifications for Certification of Personal Information Cross-border Processing Activities V1.0 (June 2022); and
The Technical Specifications for Certification of Personal Information Cross-border Processing Activities V2.0 (December 2022).
These provide technical protection specifications for information that is highly sensitive and has a large scope of attention and influence, such as personal information data and network data.
On April 14 2023, the Technical Committee published the Network Security Standards Practical Guidelines – Network Data Security Risk Assessment Implementation Guidance (Draft for Comments) (the Implementation Guidance), providing data processors with the idea of, and information on, a network data security risk assessment and procedure guidance, and how to assess network data security risk. This guidance can be applied by data processors to carry out a security self-assessment and provides reference standards and practical technical guidelines.
Carrying out a data security risk assessment is of great importance to the data management and data business operation of an enterprise. With increasing national regulation of network data, it is necessary for enterprises to pay attention to their compliance obligations in network data security management. The Implementation Guidance is highly detailed and provides practical guidelines for enterprises to carry out risk assessments.
This article will introduce the main contents of the Implementation Guidance and provide suggestions to enterprises.
I. The significance of network data security risk assessments
A data security risk assessment can help enterprises to:
Fully understand the distribution of their data assets;
Grasp the current situation regarding data security protection;
Identify their data security problems and shortcomings;
Understand their data security protection needs; and
Establish an internal data security management system for the enterprise in a targeted manner.
Because of its reliance on digital technology and network platforms, network data poses more challenges for enterprises in data management than traditional data does. Enterprises need to prevent data leakage caused by external threats such as malware, remote access, and server and supply chain disruptions, as well as security incidents caused by improper technical operations by internal personnel. The more extensively enterprises use digital technologies, the higher the risk of network and technology is, and thus there is a greater the need for a network data risk assessment.
A network data security risk assessment is of more realistic significance for enterprises with cross-border data transmission needs. It helps enterprises to:
Sort out their data assets in a timely manner;
Clarify the data classification and grading situation;
Sort out data with a consideration of stringent legal responsibilities set forth by laws and regulations, such as important data, core data, and personal information data; and
Undertake subsequent data compliance obligations.
For instance, according to Article 30 of the Data Security Law of China, processors of important data shall regularly carry out a risk assessment of their data processing activities and submit risk assessment reports to the relevant regulatory authorities in accordance with the provisions.
II. Objectives and scope of a network data security risk assessment
The Implementation Guidance is a clear technical guidance document for enterprises, especially internet enterprises, to carry out a self-assessment of network data security risks. Relevant enterprises can carry out a self-assessment practically based on the material in the guidance, which provides an important resource for enterprises to:
Carry out data compliance and data management;
Grasp the overall situation regarding data security;
Identify data security risks; and
Propose suggestions on data security management and technical protective measures to enhance the enterprise’s anti-attack, anti-damage, anti-theft, anti-leakage, and anti-abuse capabilities in data security management.
For a network data security risk assessment, the Implementation Guidance provides eight main sections and two appendices. The eight main sections cover:
A definition of terms;
A risk assessment overview;
Comprehensive analysis; and
An assessment summary.
The appendices feature examples of data security risks and assessment report templates for reference.
III. How to define ‘network data’
The ‘network data’ that the Implementation Guidance is intended to apply to refers to a variety of electronic data collected, stored, transmitted, processed, and generated through the network. This is basically consistent with the definition of network data in Article 73 of the Network Data Security Management Regulations (Draft for Comments).
IV. Network data security risk assessment ideas and procedure
The Implementation Guidance sets up a directly applicable whole-procedure network data security risk assessment concept for enterprises – namely, data processors – covering pre-assessment preparation, information research, risk assessment, comprehensive analysis, and assessment summary, and provides working key points, assessment contents, and formation documents based on the above ideas, so that enterprises can obtain clear guidance to follow.
The enterprise data security risk assessment mainly focuses on the following categories for assessment and analysis.
Data security management
Data processing activities security
Data security technology
Data using and processing
Network security protection
Identification and access control
Classification and grading
Personal information protection
Monitoring and early warning
Notification and consent
Cooperative outsourcing management
Complaints and report
Personal information processing
Sensitive personal information protection
Large network platform
Data leakage prevention
Development, operation, and maintenance
Basic situation of the data processor
Business and information system
Data asset situation
Data processing activities situation
Protective security measures
In terms of procedure, enterprises need to follow the steps of pre-assessment preparation, information research, risk assessment, comprehensive analysis, and assessment summary to carry out a network data security risk assessment internally.
1. Pre-assessment preparation
Pre-assessment preparation is the first step for enterprises to carry out a security risk assessment of the network data they collect and process, and an important step to solidify the foundation as a whole.
In this phase, enterprises need to focus on:
Identifying the security risk assessment’s objectives and scope;
Forming assessment teams for the objectives and carrying out preliminary paperwork preparation, such as drafting work plans and proposed assessment material;
Collecting the legal basis (including laws and regulations, network data security regulations and normative documents, local data security policies and regulatory requirements, relevant national technical standards, and industrial standards); and
Establishing an assessment document, and formulating targeted assessment plans.
In this phase, the enterprise will make a practicable research form and an assessment plan to be used later as documentation.
2. Information research
Enterprise research focuses on five aspects; namely, the basic situation regarding:
Business and information systems;
Data processing activities; and
Protective security measures.
The Implementation Guidance provides key points for reference in these areas. Through research, enterprises will generally form a list summarising the basic situation regarding the above five aspects, and have a clear grasp of their own business scenarios regarding network data collection and processing. Network data assets, data processing activities, and protective measures are the core and key of the work, and enterprise data management is a prerequisite, including the identification of network data types, storage locations, data magnitude, and storage methods. Data processing activities (collection, storage, use, processing, transmission, provision, disclosure, cross-border transmission, etc.) involving the network data in various business scenarios are identified on this basis, so that the security risks that may be created by different network data processing activities in each business scenario can be analysed.
3. Risk assessment and method
The Implementation Guidance requires enterprises to focus on risk assessment in four areas:
Network data security management;
Data processing activities;
Data security technology; and
Personal information processing.
Enterprises are provided with the key point of assessment in each field.
For the assessment of the above four areas, enterprises can comprehensively select the following methods of assessment.
Personnel interviews – assessors verify whether network data security regulations, protective measures, and security responsibilities are effectively implemented through discussions and enquiries with data processing-related personnel. In this respect, personnel who are most familiar with the business and data flow process are usually selected to be interviewed.
Document inspection – the assessors check the documents related to network data security to assess whether the institutional documents related to network data security management meet the standards and are implemented. Usually, in the preparation phase of the assessment, the assessed enterprise is required to prepare documents for the assessors’ review. Through this method, documentary evidence materials are usually prepared to support the assessment conclusions.
Security verification – the assessors ascertain whether the network data systems, devices, and protective measures are effective by viewing demonstrations of network data processing scenarios and checking the applications, systems, and networks of the data, including the data collection interface, the data display interface, the data storage interface, and the data operation log.
Technical testing – the assessors consider the network data assets processing situation and whether the network data monitoring and protective measures are effective by testing the applications, systems, and networks of network data and analysing the results.
The final two methods are usually used to verify the technical protective measures involved in the entire cycle of network data. Such methods are more direct and illustrative, and the assessment results are more in line with the actual situation. Network data often relies on various systems, applications, and other technological carriers to be stored and processed, and therefore in a network data security risk assessment certification, these two methods are more applicable, have a wider range of applications, and are especially common in assessing data processing in the businesses of internet and technology enterprises.
In the risk assessment phase, enterprises usually create viewing record of documents, personnel interview records documents, security verification records documents, and technical test reports, etc.
4. Comprehensive analysis
A risk assessment analysis is usually based on the assessment obtained from the aforementioned areas, and uses a combination of quantitative and qualitative analysis.
According to the assessment standards, the assessment objectives and plans formulated in advance, and the experience of the assessor, the quantitative calculation of an enterprise’s network data security risks is generally completed by grading the existing risk element and then assigning values to each of the existing risks of the subordinate items of the four areas in turn.
In this process, enterprises need to use the list of problems identified in the assessment phase as a basis on which to provide suggestions for rectification, and complete the rectification in accordance with the suggestions to solve the problems in network data security management and technology.
In this phase, enterprises usually form a list of data security problems, major security risks, and suggested countermeasures.
5. Assessment summary
Based on the assessment situation, the assessor compiles a report to summarise the content and conclusions of the assessment, any identified network data security risks, and rectifying suggestions. In this phase, the final assessment report is generated, and based on the report, the enterprise is required to complete the rectification within a specified period to ensure that the network data is effectively protected.
V. Suggestions for enterprises
As we enter the era of big data, network data has become an important production factor for many enterprises, and often needs to be collected and processed in large quantities. While the processing of this data enhances enterprise business intelligence, it also brings challenges in data security management. Therefore, the question of how to guarantee a minimisation of risk in network data processing and compliance in processing activities becomes an unavoidable issue for every network data processing enterprise.
Tahota recommends that enterprises establish a network data security management system as early as possible and regularly conduct network data security risk monitoring and assessment, with reference to the following suggestions.
1. Create a clear enterprise data security management structure
The eight network security predictions released by Gartner, the technological research and consulting firm, in 2023 mention that enterprises will continue to pay more attention to network security, and by 2026, more than 70% of enterprises will have a senior manager with network security expertise on their board of directors.
In current practices, work on network data security within enterprises is often divided among multiple departments. The Implementation Guidance explicitly requires enterprises to conduct an assessment of their data security organisational structure, focusing on assessing the data security management arms and functions, and the involvement of the data security manager and senior executives in data security decisions.
With the strengthening of national supervision of enterprise network data security, enterprises setting up a special management organisation for data security, clarifying the manager, and having a senior executive as the data manager is an important indication of carrying out the requirements of the Implementation Guidance to establish data security management organisations and strengthen the participation of senior executives in data security decisions. This is an important development trend in enterprise data compliance.
2. Focus on the identification of ‘important data’ and ‘core data’
According to the Data Security Management Measures, ‘important data’ refers to data that may directly affect national security, economic security, social stability, and public health and safety if leaked, such as data concerning undisclosed government information, large areas of the population, genetic health, and geographical and mineral resources information. According to the provisions of the Data Security Law, data related to national security, the lifeblood of the national economy, important people's livelihood, and significant interests is the national ‘core data’, which requires the implementation of a more stringent management system.
Laws and regulations set stricter regulation and compliance obligations for important data and core data. Identifying important data and core data is a prerequisite for enterprises to identify their data compliance obligations.
According to Article 12 of the Data Security Management Measures in Industry and Information Technology, data processors in the field of industry and information technology shall file a catalogue of important data and core data to the industry regulatory authorities in the region.
If important data is involved in cross-border transmission, enterprises also need to declare a data cross-border security assessment to the Cyberspace Administration of China. Therefore, identifying whether there is important data and/or core data in the enterprise’s data is a key data compliance task for enterprises, and is an important element for enterprises conducting a network data security risk assessment.
3.Strengthen the enterprise’s normalised network data security risk mechanism
Enterprises establishing a network data security management system, carrying out normalised network data security monitoring, creating an early warning and notification mechanism, implementing a data security system in daily businesses, and responding to security risks involving network data in a timely manner improves the efficiency of enterprises for a network data security risk assessment and facilitates easier responses to the supervision of industry regulatory authorities.
Enterprises can carry out risk monitoring and emergency response mechanisms through the following measures:
Regularly carry out risk monitoring of network data activities throughout the entire cycle, regularly monitor control points such as the network data flow and data access where risks may occur, and regularly check the operation of data security protective measures; and
Establish emergency response mechanisms and plans within the enterprise, conduct regular drills in accordance with the plans, and promptly report to users and regulatory authorities once network data security risk incidents occur.
Data security risk assessments in China: final thoughts
Carrying out a data security risk assessment is the starting point of enterprise data security management. Establishing a data security management system with continuous improvement and development based on the idea of risk control is beneficial for enterprises in creating the most cost-efficient means of achieving the goal of data compliance, protecting data assets, and minimising the loss and impact of security incidents.
With the development of information technology, the collection and processing of network data by enterprises has become more and more popular.
As China continues to strengthen the regulation of internet information, it is necessary for enterprises to take the lead in conducting a self-assessment of network data security risks in various business scenarios with reference to the Implementation Guidance, to identify the data assets situation and risks, solve any problems in a timely manner, clarify the compliance requirements, and fulfil network data compliance obligations in accordance with the laws, regulations, and industry-specific rules, so that the operation of enterprises can be carried out smoothly.