CN118573476B - Data security risk assessment method based on inspection assessment table - Google Patents

Data security risk assessment method based on inspection assessment table

Info

Publication number
CN118573476B
Authority
CN
China
Prior art keywords
security
data
safety
dimension
measures
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411039356.6A
Other languages
Chinese (zh)
Other versions
CN118573476A (en
Inventor
陈斌
邵明礼
晏志钊
韩菱锋
夏明�
丁轶伦
易建威
齐文军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangxi Yunqing Technology Co ltd
Original Assignee
Jiangxi Yunqing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangxi Yunqing Technology Co ltd
Priority to CN202411039356.6A
Publication of CN118573476A
Application granted
Publication of CN118573476B
Active
Anticipated expiration


Abstract

The application belongs to the technical field of data security risk assessment and relates in particular to a data security risk assessment method based on an inspection assessment table. The method comprises: acquiring the fed-back inspection assessment table, from which the security requirements of internal users are learned, the basic security state of each department and role in the organization is revealed, and the security protection expectations of each link and responsibility are identified; analyzing the collected internal user information to construct a comprehensive set of security control measures; further analyzing the internal user security requirement information to optimize the set of security control measures and determine a targeted data security control strategy; and finally detecting and evaluating data security risks systematically according to the data security control strategy. The assessment thereby adapts flexibly and quickly to changes in the organization's security needs, stays close to actual requirements, and manages and prevents potential risks effectively.

Description

Data security risk assessment method based on inspection assessment table
Technical Field
The application belongs to the technical field of data security risk assessment, and particularly relates to a data security risk assessment method based on an inspection assessment table.
Background
In the information society, data has become the "new oil" that drives decisions, innovation, and economic growth. Ensuring the security of the system is not only a basic requirement for protecting the privacy of personal information, but also key for enterprises to stay competitive, comply with laws and regulations, and avoid financial and reputational losses.
Traditional data security risk assessment focuses on technical security controls such as firewalls and encryption, but gives insufficient consideration to factors such as the management processes that govern data across its whole life cycle. As a result it is inflexible in large-scale, changing environments and is difficult to adapt quickly to organizational change.
Disclosure of Invention
The embodiments of the application provide a data security risk assessment method based on an inspection assessment table, which addresses the problem that traditional data security risk assessment is not flexible enough in large-scale, changing environments and is difficult to adapt quickly to organizational change.
In a first aspect, an embodiment of the present application provides a data security risk assessment method based on an inspection assessment table, including:
acquiring a fed-back inspection assessment table; the inspection assessment table comprises internal user information and internal user security requirement information, wherein the internal user information reflects the basic security conditions of different departments and roles in an organization, and the internal user security requirement information reflects the specific security protection requirements of those departments and roles;
analyzing the internal user information and formulating a set of security control measures;
analyzing the internal user security requirement information, optimizing the set of security control measures, and determining a data security control strategy;
and detecting and evaluating data security risks according to the data security control strategy.
The technical scheme provided by the embodiment of the application at least has the following technical effects:
In the data security risk assessment method based on the inspection assessment table provided by the embodiments of the application, the fed-back inspection assessment table is acquired; from it the security requirements of internal users are learned, the basic security state of each department and role in the organization is revealed, and the security protection expectations of each link and responsibility are identified. The collected internal user information is analyzed to construct a comprehensive set of security control measures; the internal user security requirement information is then analyzed to optimize the set of security control measures and determine a data security control strategy. Finally, data security risks are detected and evaluated systematically according to the data security control strategy, so that the assessment adapts flexibly and quickly to changes in the organization's security needs, stays close to actual requirements, and manages and prevents potential risks effectively.
In a second aspect, an embodiment of the present application provides a data security risk assessment apparatus based on an inspection assessment table, including:
an acquisition unit for acquiring the fed-back inspection assessment table; the inspection assessment table comprises internal user information and internal user security requirement information, wherein the internal user information reflects the basic security conditions of different departments and roles in an organization, and the internal user security requirement information reflects the specific security protection requirements of those departments and roles;
a formulation unit for analyzing the internal user information and formulating a set of security control measures;
a strategy unit for analyzing the internal user security requirement information, optimizing the set of security control measures, and determining a data security control strategy;
and an evaluation unit for detecting and evaluating data security risks according to the data security control strategy.
In a third aspect, an embodiment of the present application provides a data security risk assessment device based on an inspection assessment table, including a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the method according to any one of the preceding aspects when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer program product for, when run on a terminal device, causing the terminal device to perform the method of any of the above aspects.
It will be appreciated that the advantages of the second to fourth aspects may be seen from the relevant description of the above aspects, and will not be repeated here.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments or the description of the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for evaluating data security risk based on an inspection evaluation table according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating a step S200 in a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 3 is a partial flowchart of step S230 of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 4 is a partial flowchart of step S230 of a data security risk assessment method based on an inspection assessment table according to another embodiment of the present application;
FIG. 5 is a flowchart illustrating a step S234 of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating a step S300 of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 7 is a flowchart illustrating a step S500 of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 8 is a flowchart illustrating a step S510 of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 9 is a flowchart of step S520 of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a data security risk assessment device based on an inspection assessment table according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a data security risk assessment device based on an inspection assessment table according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in the present description and the appended claims, the term "if" may be interpreted as "when" or "once" or "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if a condition or event is determined" or "if a condition or event is detected" may be interpreted, depending on the context, to mean "upon determination" or "in response to determination" or "upon detection of a condition or event" or "in response to detection of a condition or event".
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Traditional data security risk assessment focuses on technical security controls such as firewalls and encryption, but gives insufficient consideration to factors such as the management processes that govern data across its whole life cycle. As a result it is inflexible in large-scale, changing environments and is difficult to adapt quickly to organizational change.
In order to solve the above problems, the embodiments of the application provide a data security risk assessment method based on an inspection assessment table. In the method, the fed-back inspection assessment table is acquired; from it the security requirements of internal users are learned, the basic security state of each department and role in the organization is revealed, and the security protection expectations of each link and responsibility are identified. The collected internal user information is analyzed to construct a comprehensive set of security control measures; the internal user security requirement information is then analyzed to optimize the set of security control measures and determine a data security control strategy. Finally, data security risks are detected and evaluated systematically according to the data security control strategy, so that the assessment adapts flexibly and quickly to changes in the organization's security needs, stays close to actual requirements, and manages and prevents potential risks effectively.
The data security risk assessment method based on the inspection assessment table provided by the embodiments of the application can be applied to a terminal device, which is the execution subject of the method; the embodiments of the application do not limit the specific type of the terminal device.
For example, the terminal device may be, but is not limited to, a desktop computer, a smart large screen, a smart television, a handheld device with wireless communication capabilities, a computing device, a computer, a laptop computer, etc.
To aid understanding of the data security risk assessment method based on the inspection assessment table provided by the embodiments of the present application, a specific implementation of the method is described below by way of example.
Fig. 1 is a schematic flowchart of a data security risk assessment method based on an inspection assessment table according to an embodiment of the present application. The method includes:
S100, acquiring a fed-back inspection assessment table; the inspection assessment table comprises internal user information and internal user security requirement information, wherein the internal user information reflects the basic security conditions of different departments and roles in an organization, and the internal user security requirement information reflects the specific security protection requirements of those departments and roles.
It will be appreciated that the inspection assessment table is a table containing internal user information and security requirement information, used to record and feed back the security status and requirements of the departments and roles within the organization. The internal user information reflects the basic security conditions of different departments and roles in the organization, and the internal user security requirement information reflects the specific security protection requirements of those departments and roles. Collecting this information through the fed-back inspection assessment table makes it possible to understand the internal security status, identify potential security vulnerabilities and requirements, and provide a basis for subsequent security policy formulation. By collecting and organizing the information comprehensively, a detailed map of the current security state can be built algorithmically, and targeted security control measures can be formulated according to the requirements of different departments and roles, improving the accuracy and effectiveness of overall security management.
S200, analyzing the internal user information and formulating a set of security control measures.
It will be appreciated that the internal user information is analyzed in order to formulate a comprehensive set of security control measures. A security dimension is an aspect or field of information security assurance, and each security dimension can be divided into a plurality of sub-dimensions. The internal user information reflects the basic security conditions of different departments and roles within the organization; it covers a plurality of security dimensions, each comprising a plurality of sub-dimensions. The set of security control measures is the series of security measures formulated from the analysis results. Analyzing the internal user information determines the importance of each sub-dimension, and corresponding security control measures are formulated according to that importance. The importance of each sub-dimension is assessed from its distribution. The most important sub-dimension of each security dimension is then identified and determined to be the key sub-dimension. Weights are assigned to the security dimensions and adjusted according to the key sub-dimensions, finally forming a complete set of security control measures, so that the measures are well founded and targeted and can effectively meet the various security requirements and risks.
Illustratively, the security dimensions may include confidentiality, integrity, availability, etc.:
Confidentiality
Sub-dimensions:
Data encryption: protecting the confidentiality of data in transmission and storage.
Access control: controlling who can access the data.
Data classification: classifying and protecting data according to its sensitivity.
Integrity
Sub-dimensions:
Data integrity: ensuring that data is not modified without authorization.
System integrity: ensuring that system software and configuration are not tampered with.
Audit and logging: recording and monitoring access to and modification of data and systems.
Availability
Sub-dimensions:
Disaster recovery: ensuring that the system can recover after a disaster.
System redundancy: improving the availability of the system through redundant design.
Business continuity: ensuring that business processes can continue after an interruption.
In one possible implementation, referring to fig. 2, the internal user information includes a plurality of security dimensions, each including a plurality of sub-dimensions; S200, analyzing the internal user information and formulating a set of security control measures, comprises the following steps:
S210, determining the distribution of each sub-dimension based on the internal user information, and obtaining the importance of each sub-dimension.
It will be appreciated that the distribution of the sub-dimensions is determined from the internal user information in order to evaluate the importance of each sub-dimension. Analyzing the security requirements of different departments and roles identifies which sub-dimensions occupy key positions in the overall security system. Classifying the data and computing statistics on it quantifies and defines the importance of each sub-dimension. The result provides the basic data for subsequent security policy formulation, ensures that resources and security measures are concentrated where they are most needed, and improves the overall protection effect. The sub-dimensions of security control may be defined explicitly in advance, for example: access rights management, password strength and update frequency, physical security, network security behavior (e.g., e-mail usage habits, web browsing behavior), compliance, etc. The user information is then classified and mapped onto the defined sub-dimensions. For example, a user's access log is categorized under the "access rights management" sub-dimension, and password change records are categorized under the "password strength and update frequency" sub-dimension. Statistical analysis is carried out on the usage data in each sub-dimension, such as calculating the mean, median, and standard deviation, and distribution statistics are computed to understand how each sub-dimension performs. The distribution ratio is used as the importance of each sub-dimension.
S220, identifying the sub-dimension with the highest importance in each security dimension, and determining it to be the key sub-dimension.
It will be appreciated that the most important sub-dimension of each security dimension can be identified and determined to be the key sub-dimension. Statistical analysis and comprehensive evaluation of the importance of each sub-dimension show which sub-dimension plays a key role in the security system. The statistical data allow the impact of each sub-dimension on overall security to be analyzed in detail and its priority determined. The key sub-dimensions so determined become the core basis for formulating security control measures, ensuring that the most important security requirements are met first and improving the effectiveness of overall security management.
S230, assigning a weight to each security dimension according to each key sub-dimension, adjusting the weights of the security dimensions, and formulating a set of security control measures.
It will be appreciated that each security dimension is assigned a weight according to its key sub-dimension, and the weights of the security dimensions are adjusted to formulate a comprehensive set of security control measures. First, the reference weight of each security dimension is obtained, and the security benefit is evaluated according to the key sub-dimension. If a key sub-dimension has a positive security benefit, the weight of its security dimension is reduced accordingly and the weights of the other security dimensions are increased. Through this weight assignment and adjustment, the security control measures effectively cover all important security dimensions, forming a well-founded and comprehensive set of security strategies and raising the overall level of protection.
Optionally, referring to fig. 3, in step S230, assigning a weight to each security dimension according to each key sub-dimension and adjusting the weights of the security dimensions includes:
S231, acquiring the reference weight of each security dimension, and evaluating the security benefit of each key sub-dimension.
It will be appreciated that the reference weight of each security dimension is obtained and the security benefit is assessed for each key sub-dimension. The reference weight is the weight assigned to each security dimension in the initial state; it is determined from historical data, industry standards, expert evaluation and the like, is preset in a database or data table, and can be retrieved at any time. These weights are then adjusted according to the security benefit of the key sub-dimension. Security benefit assessment involves analyzing the impact of the key sub-dimension on overall security and determining its contribution to reducing risk and improving security. Specific indicators for measuring security benefit can be set, such as the percentage reduction in the incident rate, the reduction in the number of security violations, the increase in the number of effective responses by the security system, the proportion by which employee security awareness has improved, and the return on security investment (ROI). The indicators should be chosen according to the organization's specific security objectives and the standards of its industry. The indicators are combined into a single quantified evaluation value, and this value determines the security benefit of the key sub-dimension. Through this process the organization can adjust the weight of each security dimension on a sound basis and ensure that the security control measures are effective and reasonable. Data from the reference period (such as the previous year) can be compared with data from the current period to calculate the increase or decrease in security benefit, for example a 10% decrease in the incident rate or 20 fewer security violations. The security benefit of each key sub-dimension is analyzed to identify which measures or strategies are most effective and which areas have room for improvement.
The reference weight of each security dimension is adjusted according to the result of the security benefit evaluation. For example, if employee training is found to significantly raise security awareness, the weights of the corresponding sub-dimensions may need to be adjusted up.
S232, if the key sub-dimension has a positive security benefit, reducing the weight of its security dimension and correspondingly increasing the weights of the other security dimensions.
It will be appreciated that the weight of a security dimension is adjusted according to the security benefit of its key sub-dimension. If a key sub-dimension has a positive security benefit, the weight of that security dimension may be reduced appropriately, while the weights of the other security dimensions are increased accordingly. This adjustment aims to optimize resource allocation and to ensure that important security dimensions receive adequate attention and protection. With this dynamic weight adjustment mechanism, an organization can respond more flexibly to changing security requirements and risks, the responsiveness and adaptability of the overall security policy improve, and the security measures are kept in their best state. A dynamic weight adjustment model, such as a weighted average based on risk assessment and benefit analysis, may be designed so that adjustments follow the magnitude of the change in security benefit, with a weight change set for each magnitude of change.
Optionally, referring to fig. 4, in step S230, a set of security control measures is formulated, including:
s233, corresponding basic security measures are determined according to the key sub-dimensions.
It will be appreciated that the corresponding base security measures may be determined based on the key sub-dimensions. These basic security measures are specific security countermeasures and technical means that point to the design of each key sub-dimension. By analyzing the characteristics and the requirements of key sub-dimensions, the most appropriate security measures can be determined through a preset mapping relation table, so that the specific security challenges can be effectively met. For example, if a key sub-dimension relates to data encryption requirements, then the corresponding underlying security measures may include enhancing encryption algorithms, increasing key management levels, and so forth. By means of the method, safety measures can be formulated and implemented in a targeted manner, and effectiveness and pertinence of safety protection are improved. Specific information about each key sub-dimension can be collected through a mapping relation table through a mode of pre-investigation, historical data analysis, risk assessment and the like. Based on the collected information, the specificity of each key sub-dimension, such as the sensitivity of the data, the stability requirement of the operating system, the complexity of the network architecture, etc., is analyzed, and a relevant mapping relationship is defined for each sub-dimension to associate corresponding basic security measures.
S234, combining the basic security measures according to the weight of each security dimension to form a plurality of security policy options.
It will be appreciated that the underlying security measures may be combined to form a variety of security policy options depending on the weight of each security dimension. By identifying the base security measures corresponding to each key sub-dimension, the core elements in each base security measure can be matched with the set of alternative measures. Through this matching and combining, a variety of security policy options are formed. These policy options are optimized and adjusted according to the weight of the security dimension, ensuring that a variety of viable security policies can be provided for selection. Finally, these security policy options will be evaluated and compared to determine the security policy most suited to the needs, ensuring flexibility and adaptability of the security measures.
For example, referring to fig. 5, S234, combining the basic security measures according to the weights of the security dimensions to form a plurality of security policy options includes:
S2341, identifying basic security measures corresponding to the key sub-dimensions.
It is understood that the critical sub-dimension is the most important security sub-dimension. The basic security measures corresponding to each key sub-dimension can be found out according to each key sub-dimension. For each key sub-dimension, its corresponding base security measure is determined. And identifying recommended basic security measures according to the established mapping table. These measures are categorized for subsequent combination and selection. For example, for access control key sub-dimensions of network security, basic security measures such as firewall installation, access right setting and the like are identified. And the key sub-dimensions can be ensured to be supported by effective basic safety measures, and the safety protection effect is improved.
S2342, matching the core elements in each basic security measure with the alternative measure group; wherein the core element is used for reflecting the protection direction of the basic security measures.
It will be appreciated that the core element is a key component of a basic security measure and reflects the protection direction of that measure. An alternative measure group consists of other security measures that may replace or supplement the core element. Each basic security measure may be analyzed for its core element, and an alternative measure group is then determined from the core element and matched to it. This matching can be achieved by pre-establishing a derivative mapping table for the basic security measures: directivity characteristics such as interfaces and compatibility are defined as the core elements, and derivative mapping based on similar phases yields a plurality of alternative measures with the same directivity characteristics. For example, for firewall installation, the core element is network traffic monitoring (the directivity characteristic), and the alternative measure group may be intrusion detection systems or traffic analysis tools. Matching the core element of each basic security measure with an alternative measure group provides a flexible combination of security measures and ensures effective security protection in different situations.
S2343, configuring the core elements and the alternative measure groups according to the weight of the security dimension to form a plurality of security policy options.
It will be appreciated that the security policy options are security measure schemes built from different combinations. The core elements and the alternative measure groups are configured according to the adjusted security dimension weights, so that different core elements and alternative measure groups form a plurality of security policy options for subsequent evaluation and selection. The core elements and the corresponding alternative measure groups are prioritized according to the weight of the security dimension: those belonging to a security dimension with a higher weight should be given higher priority. For each security dimension, a set of basic security policies is designed based on the core elements; for example, the basic policy of the data protection dimension may include a standard application of the core element "encryption technology". Multiple extension policies are then designed for each security dimension according to the alternative measure group; for example, the extension policies of the data protection dimension may include combinations such as "encryption technology + data desensitization" and "encryption technology + data lifecycle management". In network security, firewall and intrusion detection system combinations are selectively installed according to the weights to form different security policy options. This provides multiple choices and ensures that the finally selected security policy best meets the actual requirements and resource allocation.
S235, evaluating each security policy option to determine the expected security effect of each security policy option.
It will be appreciated that the expected security effect is the protective effect expected after the security measures are implemented. Each security policy option can be evaluated through simulation, and the expected security effect of each option is recorded for subsequent selection. For example, a simulated attack test is performed on three different network security policies, and the influence of each security policy on system performance is evaluated, including processing speed, resource occupancy rate and potential interference with normal service operation. A quantized value of the expected security effect of each security policy option is defined according to the specific degree of influence, and the expected security effect of each option is determined from the magnitude of that value. The core of evaluating each security policy option is to ensure that the selected security policy is not only effective against the actual security threat, but also achieves the best effect within budget and resource constraints. Through comprehensive evaluation, an optimal security policy can be selected, so that the overall security protection level is improved.
S236, comparing the expected security effect of the security policy options with the set security standard, screening out the security policy options that meet the standard, and taking them as the security control measure set.
It can be appreciated that the expected security effect of the security policy options can be compared with the predetermined security standard, and the security policy options meeting the standard can be screened out as the final security control measure set. Through such comparative analysis, it can be ensured that the selected security policy is not only theoretically valid, but also meets the security standards and specifications in actual operation. The comparative analysis ensures that the final selected security measures provide reliable protection and function in the actual application. Through strict screening and comparison, the high efficiency and reliability of safety control measures can be ensured, and the overall safety management level is improved.
S300, analyzing according to the internal user safety requirement information, optimizing a safety control measure set, and determining a data safety control strategy.
It can be appreciated that the analysis is performed according to the internal user security requirement information, the generated security control measure set is optimized, and the data security control policy is finally determined. The specific security requirements of each department and role can be identified by detailed analysis of the security requirements of the internal users. By optimizing the safety control measures, it is ensured that it can meet the latest safety requirements and standards. Finally, based on the analysis results, a comprehensive data security control strategy is determined to ensure the security and integrity of the data. The safety control measures are always matched with the requirements of users and the risk environment, and the effectiveness of overall safety management is improved.
In one possible implementation, referring to fig. 6, S300, the analyzing, optimizing the set of security control measures, and determining the data security control policy according to the internal user security requirement information includes:
S310, performing frequency analysis according to the internal user security requirement information, and determining the priority of the basic security measures.
It can be appreciated that the priority of the basic security measures can be determined by frequency analysis of the internal user security requirement information. A counter may be assigned to each type of security event to record the number of times it occurs. Events are coded by their degree of impact (e.g., low, medium, high risk) so that their importance is taken into account in the analysis. The occurrence frequency of the various security events can be counted using Excel, SPSS or Python tools. Simple counting, or more advanced statistical methods such as Poisson distribution analysis, can be used to evaluate whether the frequency of events is abnormal. The trend of the various security events over time is determined through time series analysis, and priorities are ordered using a multi-attribute decision analysis method such as the Analytic Hierarchy Process (AHP), finally generating a priority list of basic security measures.
S320, acquiring a cost report of each basic security measure.
It will be appreciated that a cost report for each base security measure may be obtained. These reports include the costs required to implement and maintain each security measure, including expenditures in hardware, software, personnel, and training. The cost report may be data that is preset in a database and can be directly extracted. Through detailed cost analysis, the economic impact of each security measure can be known, and reasonable budget and resource allocation schemes can be formulated accordingly. The cost report provides important economic basis for decision making, and ensures that the safety benefit is maximized under the condition of limited resources. By comprehensively considering the cost and effect of the security measures, an economical, reasonable and efficient security policy can be formulated.
S330, evaluating the actual effect of each safety control measure set.
It will be appreciated that the actual effect of each security control measure set may be evaluated, which includes obtaining periodic inspection and evaluation data for the implemented security measures and compiling statistics on their performance in actual operation. A simulated attack test can be carried out on the security control measure set, and the influence of each security policy on system performance is evaluated, including processing speed, resource occupancy rate and potential interference with normal business operation. A quantized value of the expected security effect of each security policy option is defined according to the specific degree of influence, and the expected security effect intensity of the security control measure set is determined from the magnitude of that value. By collecting and analyzing the relevant actual data, the actual effectiveness of each security measure can be understood and possible problems and deficiencies identified. The evaluation process also includes user feedback and analysis of security events to ensure that the security measures can effectively address the actual security challenges. Through continuous effect evaluation, security measures can be continuously optimized and improved, and the level of overall security management is raised.
S340, comprehensively scoring the safety control measure sets based on the priority of the basic safety measures, the cost report of each basic safety measure and the actual effect, and determining the safety control measure set with the highest comprehensive score as a data safety control strategy.
It will be appreciated that the security control measure sets are comprehensively scored based on the priority of the basic security measures, the cost report, and the actual effect. The comprehensive scoring process assesses each security measure from several aspects to ensure that it is best suited for practical use. Through comprehensive scoring, the security measure set that is optimal in terms of priority, cost and actual effect is determined and taken as the final data security control policy. The priority, cost report and actual effect of the basic security measures in each security control measure set can be quantitatively evaluated by means of statistical analysis and clustering algorithms, and a comprehensive score is finally determined for the security control measure set, so that the selected security policy meets the economic requirements, provides reliable security protection, and gives comprehensive assurance for data security. For example, the scoring dimensions may be defined as priority (P), cost (C) and actual effect (E). Each dimension is assigned a weight according to the security policies, financial conditions, and risk management preferences of the organization. For example, assume that the priority weight is 0.4, the cost weight is 0.3, and the actual effect weight is 0.3. The priority is converted to a numerical value, which may be a rating score of 1-5, where 5 represents the highest priority. The total cost of each measure is calculated, including initial investment, operation and maintenance costs, etc., and normalized, for example converted to a cost-effectiveness ratio (effect/cost) or a direct cost score. Based on the results of previous evaluations, each measure is given an effect score, which may be based on the percentage reduction of security events, compliance achievement, etc.
For each security control measure, a single score is calculated from its performance in each dimension and the corresponding weight. For example, if a measure has a priority score of 4 (on a 5-point scale), a cost efficiency score of 0.8 (high efficiency), and an actual effect score of 3.5, then the single score is: single score = P weight × P score + C weight × C score + E weight × E score = 0.4 × 4 + 0.3 × 0.8 + 0.3 × 3.5 = 2.89. After the single scores of all the security control measures are calculated, the measures are ranked, and the security control measure set with the highest comprehensive score is the first choice. The average score or total score of each measure set may further be calculated as the final composite score indicator. Sensitivity analysis can be performed to investigate the influence of different weight allocations on the final score and ensure the robustness of the policy selection. Depending on the analysis results and the specifics of the organization, the weights are adjusted or certain measures are reconsidered as appropriate to achieve an optimal balance.
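The scoring step S340 as an added example (not part of the patent text): it reproduces the single-score arithmetic above, averages single scores per measure set, and sweeps the weights to test whether the top-ranked set is stable. The set and measure names, every score other than the worked 4 / 0.8 / 3.5 row, and the optional rescaling of 1-5 scores to 0-1 are assumptions.

```python
from itertools import product

# Weights from the text: priority 0.4, cost 0.3, actual effect 0.3.
PAGE_WEIGHTS = {"P": 0.4, "C": 0.3, "E": 0.3}

# Constructed sample data. P and E are 1-5 scores, C is a 0-1 cost-efficiency
# score (higher is better). The "firewall" row is the measure worked in the text.
MEASURE_SETS = {
    "set_A": [
        {"name": "firewall", "P": 4, "C": 0.8, "E": 3.5},
        {"name": "access_rights", "P": 5, "C": 0.6, "E": 4.0},
    ],
    "set_B": [
        {"name": "ids", "P": 4, "C": 0.4, "E": 4.5},
        {"name": "encryption", "P": 5, "C": 0.5, "E": 4.5},
    ],
    "set_C": [
        {"name": "traffic_analysis", "P": 3, "C": 0.9, "E": 3.0},
        {"name": "desensitization", "P": 4, "C": 0.9, "E": 3.5},
    ],
}


def single_score(measure, weights, normalize=False):
    """Weighted sum wP*P + wC*C + wE*E for one measure.

    normalize=True (an assumption, not in the text) rescales the 1-5 scores
    to 0-1 first so the 0-1 cost score is not drowned out by larger scales.
    """
    p, c, e = measure["P"], measure["C"], measure["E"]
    if normalize:
        p, e = (p - 1) / 4, (e - 1) / 4
    return weights["P"] * p + weights["C"] * c + weights["E"] * e


def set_score(measures, weights, normalize=False):
    """Composite score of a measure set: the average of its single scores."""
    return sum(single_score(m, weights, normalize) for m in measures) / len(measures)


def rank_sets(sets, weights, normalize=False):
    """Return [(set_name, score)] best first; ties are broken by name."""
    scored = [(name, set_score(ms, weights, normalize)) for name, ms in sets.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def sensitivity(sets, step=0.1, normalize=False):
    """Sweep every weight triple on a grid that sums to 1; count wins per set."""
    n = round(1 / step)
    wins = {name: 0 for name in sets}
    for i, j in product(range(n + 1), repeat=2):
        if i + j > n:
            continue
        weights = {"P": i / n, "C": j / n, "E": (n - i - j) / n}
        wins[rank_sets(sets, weights, normalize)[0][0]] += 1
    return wins


if __name__ == "__main__":
    print("worked measure:", round(single_score(MEASURE_SETS["set_A"][0], PAGE_WEIGHTS), 2))
    print("raw ranking:", rank_sets(MEASURE_SETS, PAGE_WEIGHTS))
    print("rescaled ranking:", rank_sets(MEASURE_SETS, PAGE_WEIGHTS, normalize=True))
    print("wins over weight grid:", sensitivity(MEASURE_SETS))
```

With the constructed data, the raw ranking and the rescaled ranking pick different sets, because a 0-1 cost score carries little influence next to 1-5 scores.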
In one possible implementation, referring to fig. 7, the internal user security requirement information includes data access frequency information; after determining the data security control policy, the method further comprises:
S510, determining a data protection period according to the data security control strategy and the data access frequency information; the data protection period is used for reflecting the data effective protection time of the data security control strategy.
It will be appreciated that the data protection period may be determined based on the data security control policy and the data access frequency information. It is determined by evaluating the data retention time of the data security control policy, analyzing the access pattern duty ratio in the data access frequency information, and identifying the primary access frequency. The data protection period is the effective data protection time under the data security control policy. Determining it through this analysis ensures that the data can be effectively protected for a reasonable time. Because the data protection period is based on the actual condition of data access, security measures can cover all important accesses and operations, which improves the comprehensiveness and effectiveness of data protection.
Optionally, referring to fig. 8, S510, determining a data protection period according to the data security control policy and the data access frequency information includes:
S511, evaluating the data retention time of the data security control strategy; wherein the data retention time is used to reflect the length of time that the data is protected.
It will be appreciated that the data retention time in the data security control policy may be evaluated. The data retention time refers to the time period for which data is protected in the system, and evaluating it shows the validity and applicability of the existing policy. The evaluation process includes analyzing factors such as the life cycle of the data and the importance and risk level of the data, ensuring that the data retention time is set on a scientific and reasonable basis. Through data analysis, the most suitable data retention time can be determined, so that the data is effectively protected over its whole life cycle and the risks of data loss and leakage are reduced.
S512, determining the access pattern duty ratio in the data access frequency information according to the data access frequency information, and identifying the main access frequency in the data access frequency information; wherein the access pattern duty ratio is used to reflect the statistical distribution of the different data access patterns.
It will be appreciated that the access pattern duty ratio is determined from the data access frequency information and the primary access frequency is identified. The access of different users and roles to the data is analyzed through a statistical algorithm to determine which access patterns occupy the main proportion. Frequency statistics may be computed for each access pattern using SQL queries, data processing frameworks (e.g., Apache Spark, pandas) or specialized data analysis tools (e.g., Tableau, Power BI), and the ratio of the frequency of each access pattern to the total access frequency is calculated. The formula is: access pattern duty ratio = access frequency of a given pattern / total access frequency × 100%. The access pattern duty ratio provides an important basis for subsequent security policy formulation. By identifying the primary access frequency, it is possible to know which data and systems need to be protected with emphasis and adjust security measures accordingly. This process ensures that the security policy targets the actual access needs and patterns, improving the pertinence and effectiveness of security management.
S513, matching a preset security inspection period based on the primary access frequency in the data access frequency information.
It can be appreciated that the preset security inspection period is matched based on the primary access frequency in the data access frequency information. The security inspection period is a preset security inspection time value that has a mapping relation with the primary access frequency. Matching on the primary access frequency determines the most appropriate inspection period, so that the security measures can respond in time to changes and requirements in data access. Because the security inspection period is set from the frequency and pattern of data accesses, the frequency of detection and evaluation can cover all important access activities. Matching a preset security inspection period maintains continuous security monitoring and risk management, improves the overall security protection capability, and ensures the security of data and systems.
S514, determining a data protection period according to the data retention time and the matched security inspection period.
It will be appreciated that the data protection period is determined based on the data retention time and the matched security inspection period. This process considers the data retention time and the security inspection period together to ensure that the data protection period is reasonable and valid. Through this comprehensive analysis, the most suitable data protection period is determined, and the data can be effectively protected over its whole life cycle. Because the data protection period is based on actual access requirements and risk assessment, full coverage and timely response of the security measures are ensured, improving the comprehensiveness and effectiveness of data protection.
S520, identifying the most frequent data access mode according to the data access frequency information.
It will be appreciated that the most frequent data access patterns are identified based on the data access frequency information. Data access patterns are the overall manifestation of the manner and frequency with which different users or roles access data, represented by statistical features. By analyzing the data access frequency information in detail, it is determined which access patterns are most frequent. This information provides an important basis for the formulation of targeted security measures. By identifying the most frequent access patterns, it is possible to know which data and systems need to be protected with emphasis and adjust security measures accordingly. This process ensures that the security policy can improve the pertinence and effectiveness of security management for the actual access needs and patterns.
Optionally, referring to fig. 9, S520, identifying the most frequent data access mode according to the data access frequency information includes:
S521, according to the data access frequency information, determining the distribution condition of the data access.
It can be understood that the access of different users and roles to the data is analyzed through statistical methods to understand the overall distribution of data access. The access frequency for each type of data, each time interval and each user group may be calculated using a statistical tool or programming language (e.g., the pandas library of Python, or the R language). A heat map can display the data access frequency at different time points or time periods, with the color shade representing the access frequency. A histogram, box plot or density plot can be used to analyze the overall distribution of the data access frequency and to identify high-frequency access periods, low-frequency access periods and abnormal access patterns. Clustering algorithms (e.g., K-means) are applied to cluster access patterns and identify users or datasets with similar access frequency characteristics. The distribution of data access provides basic data support for subsequent security policy formulation. Through detailed data access analysis, the concentration points and distribution rules of access are determined, ensuring that security measures cover all important access activities and improving the comprehensiveness and effectiveness of security management.
S522, identifying the most frequent data access mode according to the distribution condition of the data access; the data access mode is used for reflecting the statistical characteristics of access to the data by different users and roles.
It will be appreciated that by analyzing the concentration points and distribution rules of data accesses, it is determined which access patterns are most frequent in the system. This information provides an important basis for the formulation of targeted security measures. By identifying the most frequent access patterns, it is possible to know which data and systems need to be protected with emphasis and adjust security measures accordingly. This process ensures that the security policy can improve the pertinence and effectiveness of security management for the actual access needs and patterns.
S530, matching a preset access frequency safety interval according to the most frequent data access mode.
It will be appreciated that this matching determines the most appropriate security interval, ensuring that security measures can respond in time to changes and demands in data access. The upper limit of the normal access frequency for different time periods, different users or IP addresses, and different resources can be set according to historical data and service demands, for example as the maximum number of accesses allowed per minute, hour, or day. The security interval should not be constant: the access frequency threshold should be dynamically adjusted according to actual conditions (such as workdays, holidays, and special event periods) to reflect the actual access pattern more accurately. The security interval can be divided into several tiers, such as a normal access interval, a warning interval and an emergency intervention interval, and a matching method is applied to match the most frequent data access mode against the preset access frequency security interval. The security interval may be set based on the frequency and pattern of data accesses, ensuring that the frequency of detection and evaluation can cover all important access activities. Matching a preset access frequency security interval maintains continuous security monitoring and risk management, improves the overall security protection capability, and ensures the security of data and systems.
S540, determining the execution frequency of the data security control strategy according to the data protection period and the matched access frequency security interval.
It can be appreciated that the execution frequency of the data security control policy is determined according to the data protection period and the matched access frequency security interval. By considering the data protection period and the access frequency security interval together, the most suitable execution frequency is determined, ensuring the effectiveness and timeliness of the security measures. Weights are preset for the data protection period and the matched access frequency security interval, and an additional fault tolerance value is defined; a result is obtained from the data protection period, the matched access frequency security interval and the weights, and the product of this result and the fault tolerance value gives the execution frequency of the data security control policy. The weight presetting process includes analyzing the life cycle, access patterns, and risk assessment results of the data, ensuring that the influence of the preset weights on the execution frequency covers all important security requirements. The weights may be determined from historical security events, threat intelligence, and compliance requirement configurations. The fault tolerance value can be set from past experience: an acceptable false alarm rate is chosen, and the fault tolerance range is set based on it. Through this comprehensive analysis, the most suitable execution frequency of the data security control policy is determined, ensuring the security of data and systems and raising the level of overall security management.
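Steps S512, S522 and S530 as an added example (not part of the patent text): it computes the share of each access pattern, picks the most frequent one, and matches its hourly counts against a tiered security interval whose thresholds differ for workdays and holidays. The log rows, pattern names, per-hour thresholds and the weekend-as-holiday rule are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Assumed per-hour upper bounds for each tier, by day type. Counts above the
# "warning" bound fall into the emergency intervention interval.
SAFETY_INTERVALS = {
    "workday": {"normal": 5, "warning": 8},
    "holiday": {"normal": 2, "warning": 4},
}


def _rows(day, hour, role, pattern, n):
    """Build n constructed log rows (timestamp, role, pattern) inside one hour."""
    return [(f"{day}T{hour:02d}:{m:02d}:00", role, pattern) for m in range(n)]


# Constructed sample log: 2024-08-05 is a Monday, 2024-08-10 a Saturday.
ACCESS_LOG = (
    _rows("2024-08-05", 9, "analyst", "read", 6)
    + _rows("2024-08-05", 10, "analyst", "read", 4)
    + _rows("2024-08-05", 10, "dba", "write", 3)
    + _rows("2024-08-05", 14, "analyst", "bulk_export", 2)
    + _rows("2024-08-10", 2, "analyst", "read", 5)
)


def pattern_shares(log):
    """S512: share of a pattern = pattern access count / total count x 100%."""
    counts = Counter(pattern for _, _, pattern in log)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {pattern: 100 * n / total for pattern, n in counts.items()}


def primary_pattern(log):
    """S522: the most frequent access pattern (ties broken alphabetically)."""
    shares = pattern_shares(log)
    if not shares:
        return None
    return min(shares, key=lambda p: (-shares[p], p))


def day_type(ts):
    """Simplified calendar (assumption): Saturday and Sunday are holidays."""
    return "holiday" if ts.weekday() >= 5 else "workday"


def match_interval(count, kind):
    """S530: map an hourly access count onto the tiered security interval."""
    bounds = SAFETY_INTERVALS[kind]
    if count <= bounds["normal"]:
        return "normal"
    if count <= bounds["warning"]:
        return "warning"
    return "emergency"


def classify_hours(log, pattern):
    """Bucket one pattern's accesses per hour and match each bucket to a tier."""
    buckets = Counter()
    for stamp, _, logged_pattern in log:
        if logged_pattern == pattern:
            ts = datetime.fromisoformat(stamp)
            buckets[ts.replace(minute=0, second=0)] += 1
    return {
        hour.isoformat(): (n, day_type(hour), match_interval(n, day_type(hour)))
        for hour, n in sorted(buckets.items())
    }


if __name__ == "__main__":
    top = primary_pattern(ACCESS_LOG)
    print("shares (%):", pattern_shares(ACCESS_LOG))
    print("primary pattern:", top)
    for hour, result in classify_hours(ACCESS_LOG, top).items():
        print(hour, result)
```

The same hourly count lands in different tiers depending on the day type, which is the effect of the dynamically adjusted thresholds described for S530.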
S400, detecting and evaluating the data security risk according to the data security control strategy.
It will be appreciated that after the data security control policy is determined, the data security risk may be detected and assessed in accordance with it. This includes security detection under the data security control policy and the identification and assessment of potential security risks. By implementing the data security control policy, various security threats can be found and handled in time. The detection and evaluation process uses various technical means such as vulnerability scanning, intrusion detection and log analysis, so that full coverage and timely response of the security measures are ensured. Through continuous risk detection and evaluation, the security risk can be effectively reduced, and the security and integrity of data are ensured.
In one possible implementation, S400, according to a data security control policy, detects and evaluates a data security risk, including:
S410, detecting and evaluating the data security risk according to the data security control strategy, at the execution frequency of the data security control strategy.
It will be appreciated that detecting and evaluating the data security risk at the execution frequency of the data security control policy means periodically detecting and evaluating the security of the system and data at the predetermined policy frequency. An API interface can be set for the data security control policy so that the policy can be integrated with automation tools: an automated security tool, such as a SIEM system, an automated scanning tool or a DLP system, is selected or customized according to the security requirements, and the interface calling logic is set up through programming or a configuration interface. The API is then called automatically at the preset frequency to execute the policy check, which realizes automatic execution of the data security control policy and continuous detection of the data; a data log is generated automatically from the detected data, and continuous evaluation is performed on the log. Such periodic detection ensures that new security threats and risks can be discovered and handled in time. The execution frequency is set according to the requirements of the data security control policy, ensuring that the frequency of detection and evaluation can effectively cover all potential risks. By continuously executing the data security control policy, continuous security monitoring and risk management can be maintained, and the overall security protection capability is improved.
The application innovates in comprehensive evaluation, dynamic adjustment, multi-level security measure combination, frequency analysis and period matching, and comprehensive detection and evaluation, thereby realizing scientific, comprehensive and efficient security management. The method is flexible, adapts rapidly to changes in the security requirements of the organization, and improves the overall security level of the organization.
Corresponding to the data security risk assessment method based on the inspection assessment table in the above embodiment, the embodiment of the present application further provides a data security risk assessment device based on the inspection assessment table, where each unit of the device may implement each step of the data security risk assessment method based on the inspection assessment table. Fig. 10 is a block diagram of a data security risk assessment device based on an inspection assessment table according to an embodiment of the present application, and for convenience of explanation, only a portion related to the embodiment of the present application is shown.
Referring to fig. 10, the data security risk assessment apparatus based on the inspection assessment table includes:
an acquisition unit for acquiring the fed-back inspection evaluation table; the inspection evaluation table comprises internal user information and internal user safety requirement information, wherein the internal user information reflects basic safety conditions of different departments and roles in an organization, and the internal user safety requirement information is used for reflecting specific safety protection requirements of the departments and the roles;
a setting unit for analyzing based on the internal user information and setting a safety control measure set;
a strategy unit for analyzing according to the internal user safety requirement information, optimizing the safety control measure set and determining a data safety control strategy;
an evaluation unit for detecting and evaluating the data security risk according to the data security control strategy.
It should be noted that, because the content of information interaction and execution process between the above devices/units is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to in the method embodiment section, and will not be described herein.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit module may exist alone physically, or two or more unit modules may be integrated in one unit, where the integrated unit may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above device may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The embodiment of the application also provides a data security risk assessment device based on the inspection assessment table, and FIG. 11 is a schematic structural diagram of the data security risk assessment device based on the inspection assessment table according to an embodiment of the application. As shown in FIG. 11, the data security risk assessment device 6 based on the inspection assessment table of this embodiment includes: at least one processor 60 (only one is shown in FIG. 11), at least one memory 61 (only one is shown in FIG. 11), and a computer program 62 stored in the at least one memory 61 and executable on the at least one processor 60. When executing the computer program 62, the processor 60 causes the data security risk assessment device 6 to implement the steps of any of the method embodiments described above, or to implement the functions of the units of the apparatus embodiments described above.
Illustratively, the computer program 62 may be partitioned into one or more units that are stored in the memory 61 and executed by the processor 60 to complete the present application. The one or more units may be a series of computer program instruction segments capable of performing a specific function for describing the execution of the computer program 62 in the inspection evaluation table based data security risk assessment device 6.
The data security risk assessment device 6 based on the inspection assessment table may be a desktop computer, a smart large screen, a smart television, a handheld device with wireless communication capabilities, a computing device, a computer, a laptop computer, etc. The device may include, but is not limited to, a processor 60 and a memory 61. It will be appreciated by those skilled in the art that FIG. 11 is merely an example of the data security risk assessment device 6 and is not intended to limit it. The device may include more or fewer components than illustrated, may combine certain components, or may use different components; for example, it may also include input-output devices, network access devices, buses, and the like.
The processor 60 may be a Central Processing Unit (CPU). The processor 60 may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor or any conventional processor.
The memory 61 may in some embodiments be an internal storage unit of the data security risk assessment device 6 based on the inspection assessment table, for example a hard disk or a memory of the device. The memory 61 may in other embodiments be an external storage device of the data security risk assessment device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, or the like, provided on the device. Further, the memory 61 may include both the internal storage unit and the external storage device of the data security risk assessment device 6. The memory 61 is used for storing an operating system, application programs, a boot loader (BootLoader), data, and other programs, such as the program code of the computer program. The memory 61 may also be used for temporarily storing data that has been output or is to be output.
Embodiments of the present application also provide a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of any of the various method embodiments described above.
The embodiments of the present application provide a computer program product for causing a terminal device to carry out the steps of any of the respective method embodiments described above when the computer program product is run on the terminal device.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on this understanding, all or part of the flow of the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer readable medium may include at least: any entity or device capable of carrying computer program code to a terminal device, a recording medium, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium. Examples include a U-disk, a removable hard disk, a magnetic disk, or an optical disk.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts not described or illustrated in detail in a particular embodiment, refer to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/method for evaluating data security risk based on an inspection evaluation table may be implemented in other manners. For example, the above-described embodiment of the apparatus/device for evaluating data security risk based on an inspection evaluation table is merely illustrative, for example, the division of the units is merely a logical functional division, and there may be other division manners in actual implementation, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (7)

| CN202411039356.6A | 2024-07-31 | 2024-07-31 | Data security risk assessment method based on inspection assessment table | Active | CN118573476B (en) |

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
| CN202411039356.6A (CN118573476B (en)) | 2024-07-31 | 2024-07-31 | Data security risk assessment method based on inspection assessment table |

Publications (2)

| Publication Number | Publication Date |
| CN118573476A (en) | 2024-08-30 |
| CN118573476B (en) | 2024-10-18 |

Family

ID=92477024

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
| CN202411039356.6A (Active; CN118573476B (en)) | Data security risk assessment method based on inspection assessment table | 2024-07-31 | 2024-07-31 |

Country Status (1)

| Country | Link |
| CN (1) | CN118573476B (en) |

Families Citing this family (1)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
| CN120387105B (en) * | 2025-06-27 | 2025-08-29 | 江西云擎科技有限公司 | Data quality assessment method based on government affair field |

Citations (1)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
| CN116842527A (en) * | 2023-07-13 | 2023-10-03 | 陕西财经职业技术学院 | Data security risk assessment method |

Family Cites Families (5)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
| JP2002056176A (en) * | 2000-06-01 | 2002-02-20 | Asgent Inc | Security policy construction method and apparatus, and method and apparatus for supporting security policy construction |
| KR100755000B1 (en) * | 2005-12-08 | 2007-09-04 | 한국전자통신연구원 | Security risk management system and method |
| US20070180525A1 (en) * | 2006-01-30 | 2007-08-02 | Bagnall Robert J | Security system and method |
| CN117955712A (en) * | 2024-01-19 | 2024-04-30 | 江苏智水智能科技有限责任公司 | Communication information security risk early warning management and control method and system based on big data |
| CN118337540B (en) * | 2024-06-17 | 2024-08-06 | 宇哲融创科技(北京)有限公司 | Internet of things-based network intrusion attack recognition system and method |

Also Published As

| Publication number | Publication date |
| CN118573476A (en) | 2024-08-30 |

Similar Documents

| Publication | Publication Date | Title |
| CN118656870B (en) | | Enterprise sensitive data security access management method and system |
| US11157629B2 (en) | | Identity risk and cyber access risk engine |
| US10210470B2 (en) | | Pervasive, domain and situational-aware, adaptive, automated, and coordinated big data analysis, contextual learning and predictive control of business and operational risks and security |
| US8214364B2 (en) | | Modeling user access to computer resources |
| CN102710598B (en) | | System and method for reducing security risk in computer network |
| CN117769706A (en) | | Network risk management system and method for automatically detecting and analyzing network security in network |
| CN118573476B (en) | | Data security risk assessment method based on inspection assessment table |
| CN113282474A (en) | | User behavior monitoring method, system, equipment and medium based on bastion machine |
| US20050033761A1 (en) | | System and method for generating and using a pooled knowledge base |
| CN120013262B (en) | | Data circulation method and equipment of integrated platform and financial tax integrated platform |
| CN119830308B (en) | | File management system and method based on data analysis |
| CN109783310A (en) | | The Dynamic and Multi dimensional method for safety monitoring and its monitoring device of information technology equipment |
| Livingston et al. | | An analysis of utility meter data aggregation and tenant privacy to support energy use disclosure in commercial buildings |
| CN109784786A (en) | | An important product quality and safety electronic traceability data service system |
| CN119622680B (en) | | Intelligent user permission conflict detection method and system |
| CN117593155A (en) | | Block chain-based land yielding contract management method and system |
| Ghadermazi et al. | | A machine learning and optimization framework for efficient alert management in a cybersecurity operations center |
| CN119272289A (en) | | Data security risk assessment method based on model building |
| CN117609994B (en) | | Non-invasive data monitoring method and system based on data security |
| KR102267411B1 (en) | | A system for managing security of data by using compliance |
| Zhang et al. | | Security evaluation of coal mine industrial control systems based on CVSS v4.0 |
| AlSadhan et al. | | Leveraging information security continuous monitoring for cyber defense |
| WO2020255512A1 (en) | | Monitoring system and monitoring method |
| CN118567972A (en) | | Code behavior prediction method and device |
| CN120653636A (en) | | Data quality control method and device, computer equipment and storage medium |

Legal Events

| Date | Code | Title | Description |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
