数据资产测绘与分类分级服务

参考所属企业、行业、地区、国家的标准与规范，建立适合组织的完整有效的分类分级标准，制定可行的数据分级保护方案和管理办法，为数据治理提供基础输入。数据分类分级服务以人工为主，产品与平台辅助的交付方式，对数据进行自动分类分级标识，形成数据分类分级目录，并对数据分类变化和安全等级变化进行线上周期性更新、审核，提高公司数据分类分级的覆盖率和准确率，实现公司数据分类分级目录的智能化管理，强化数据合规管理能力提升，助力组织数字化转型并满足《数据安全法合规要求》；预期目标如下：l  全面识别数据资产1.   明确组织拥有哪些数据：数据分类分级服务能够广泛识别发现企业内部的数据资产，包括业务系统正在使用的核心数据资产以及在业务运营中被忽视的其它数据资产。这些数据资产经过数据分类分级的过程形成清晰的分类树，让各个部门清楚自己拥有哪些数据。2.   建立数据资产发现机制：经过数据分类分级服务后，企业可将服务中使用的数据识别方法及工具固化到业务部门的日常运营中，并将新产生或识别的数据按照数据分类分级表对其数据类别与级别进行划分。3.   明确组织数据类别：将组织内部纷乱复杂的数据依据其责任归属以及数据本身属性形成数据分类树，使责任划分清晰明了，数据描述简单准确。4.   明确组织数据级别：使组织内部各部门明确数据的级别，提升各部门对数据的理解，避免对数据的不当使用，为企业进行整体数据安全管控提供重要依据。5.   构建企业总体数据资产视图：数据资产表勾勒出了企业整体的数据资产情况，经过可视化手段处理，或将IDR对接相关数据平台，可以将企业整体数据资产以可视化的方式展示，为企业决策提供极具价值的信息。l  定义数据管控单元1.   明确数据管控最小单元：经过分类的最小数据集将是数据安全控制手段落地的最小对象单元，同一数据集的数据内容具备相同的安全属性，解决了企业无法对海量数据字段进行管理的困境。l  支撑数据安全运营1.   数据安全风险评估必要素材：数据的分级结果为数据安全风险评估提供了关键的必要素材，只有明确了数据的安全级别，才能合理的评估企业数据安全保护的状态。2.   数据分级管控策略落实：根据数据的不同类别与级别，可对不同级别的数据采取不同级别的控制措施，保证高级别数据安全可控，降低低级别数据管控成本。3.   促进数据流通与使用：数据分级管控策略能够为数据流通提供完善的指导，避免了“一刀切”的管理方式。同时企业级的数据分类树能够让业务部门了解自己所需的数据在哪个地方，通过申请与审批，在保证安全可控的前提下，合规合理的获取所需的数据。

By referring to the standards and specifications of the corresponding enterprise, industry, region and country, establish complete and effective classification and grading standards tailored to the organization, and formulate feasible data grading protection plans and management measures to provide basic inputs for data governance. The data classification and grading service adopts a delivery model that is primarily manual, supplemented by products and platforms. It automatically classifies, grades and tags data, develops a data classification and grading catalog, and conducts online periodic updates and audits for changes in data classification and security levels. This improves the coverage and accuracy of the company's data classification and grading work, realizes intelligent management of the company's data classification and grading catalog, strengthens the improvement of data compliance management capabilities, supports the organization's digital transformation, and meets the compliance requirements of the Data Security Law. Expected objectives are as follows: - Comprehensively identify data assets 1. Clarify the data owned by the organization: The data classification and grading service can extensively identify and discover all data assets within the enterprise, including core data assets used by business systems and other data assets overlooked during business operations. These data assets are organized into a clear classification tree through the data classification and grading process, enabling each department to clearly understand the data they possess. 2. Establish a data asset discovery mechanism: After using the data classification and grading service, the enterprise can embed the data identification methods and tools used in the service into the daily operations of business departments, and classify newly generated or identified data into corresponding categories and levels in accordance with the data classification and grading table. 3. Clarify the data categories of the organization: The chaotic and complex internal data of the organization will be sorted into a data classification tree based on their responsibility attribution and inherent attributes, ensuring clear responsibility division and simple, accurate data descriptions. 4. Clarify the data levels of the organization: Enable all departments within the organization to clearly understand the data levels, enhance their understanding of data, avoid improper data usage, and provide an important basis for the enterprise's overall data security management and control. 5. Build the overall enterprise data asset view: The data asset inventory outlines the overall data asset status of the enterprise. Through visualization processing or docking IDR with relevant data platforms, the enterprise's overall data assets can be displayed visually, providing highly valuable information for enterprise decision-making. - Define data governance units 1. Clarify the minimum unit of data governance: The classified minimum data set will be the minimum target unit for implementing data security control measures. Data content within the same data set shares the same security attributes, solving the dilemma that enterprises face when managing massive data fields. - Support data security operations 1. Necessary materials for data security risk assessment: The data grading results provide key and essential materials for data security risk assessment. Only by clarifying the security level of data can the enterprise reasonably evaluate the status of its data security protection. 2. Implement data grading management and control strategies: According to different categories and levels of data, different levels of control measures can be applied to data at various levels, ensuring that high-level data is secure and controllable, and reducing the management and control costs of low-level data. 3. Promote data circulation and utilization: The data grading management and control strategy can provide comprehensive guidance for data circulation, avoiding the "one-size-fits-all" management approach. Meanwhile, the enterprise-level data classification tree allows business departments to locate the data they need, and obtain the required data legally and reasonably under the premise of ensuring security and controllability through application and approval procedures.