CN116738449A - DSMM-based data security management and control and operation system - Google Patents
- Publication number: CN116738449A (application CN202310345117.2A)
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
Abstract
The invention provides a DSMM-based data security management, control and operation system comprising: an asset management module consisting of an asset discovery unit, an asset sorting unit and an asset inventory unit; a security device management and control module consisting of a security device management unit and a security policy management unit; an analysis and judgment module consisting of an original log unit, an original alarm unit, an index management unit, an alarm model unit, an alarm handling unit, a risk management unit and an event management unit; and a security operation module consisting of an emergency plan unit, an operation knowledge base unit, a work order management unit and a partner evaluation unit. Taking the national standard Data Security Capability Maturity Model (DSMM) as its reference, the invention designs the functions of a platform-type data security product and provides a data security management, control and operation system for automatically discovering sensitive data, bringing data security devices under intelligent, collaborative management, and carrying out daily data security operations, which plays a significant role in building data security compliance.
Description
Technical Field
The invention relates to the field of data security management, and in particular to a DSMM-based data security management and operation system.
Background
In recent years, security laws such as the Data Security Law and the Personal Information Protection Law have come into force one after another, imposing strict compliance requirements on information security. With the large-scale circulation, aggregated storage and analysis of big data, big data architectures, supporting platforms and big data software are in wide use, and data is protected across multiple dimensions and the full data flow by a variety of devices, such as data classification and grading devices, database audit devices, API monitoring devices and terminal management and control devices. The state has accordingly issued data security construction standards, such as the Data Security Capability Maturity Model (DSMM).
However, the technical protection capability offered by data security products on the market is essentially single-point capability, while data is mobile and spreads easily, so no single product can provide effective protection. After multiple data security protection devices from multiple vendors have been purchased, it is unclear how to manage them cooperatively, and it is difficult to build a complete security operation system out of these security devices.
Taking data as the center, building a security management and protection system around the full data life cycle, and fusing multiple data security technologies into a platform-type data security product (system) that provides platform-level data security protection is a new direction in the development of the data security field, and few related products exist at present. Investigation shows that the functional module design of the data security platforms on the market is uneven in quality.
Disclosure of Invention
The invention aims to overcome at least one defect of the prior art by providing a DSMM-based data security management and operation system, and aims to solve the problem that the prior art lacks a complete data security platform product based on the national standard Data Security Capability Maturity Model (DSMM).
The technical solution adopted by the invention is as follows:
The invention provides a DSMM-based data security management, control and operation system comprising: an asset management module consisting of an asset discovery unit, an asset sorting unit and an asset inventory unit; the asset discovery unit is used to register data assets and provides a data asset registration mechanism; the asset sorting unit is used to sort out the overall condition of the data assets and provides a data classification and grading standard or data asset management tool; the asset inventory unit is used to provide an indexable and queryable data asset inventory; a security device management and control module consisting of a security device management unit and a security policy management unit; the security device management unit is used to manage third-party security tools; the security policy management unit is used to track the operational effect of the policies of third-party security tools, such as data classification and grading, and to continuously improve the policy configuration of the security tools; an analysis and judgment module consisting of an original log unit, an original alarm unit, an index management unit, an alarm model unit, an alarm handling unit, a risk management unit and an event management unit; the original log unit is specifically used to standardize, collect and display data operation logs or other log information collected by the third-party security devices; the original alarm unit is used to display alarm information generated by the security control devices from their own rules or policies; the index management unit is used to monitor high-risk operations on, or events affecting, the data by a method combining automatic audit with manual audit; the alarm model unit processes and analyzes the logs of all kinds of data access and operation in a unified manner and quantifies the data security risk caused by that access and operation; the alarm handling unit, the risk management unit and the event management unit manage, in a unified manner, the security events that may arise from the alarm model's content association analysis of logs, traffic and the like; a security operation module consisting of an emergency plan unit, an operation knowledge base unit, a work order management unit and a partner evaluation unit; the emergency plan unit is used to provide data security policy planning data and materials; the operation knowledge base unit is used to provide a queryable data security compliance database; the work order management unit is used to provide a process mechanism, an evaluation mechanism and an approval mechanism for each system; the partner evaluation unit is used to perform compliance audit and analysis of the behavior of data service providers and data users upstream and downstream in the data supply chain.
The invention provides a DSMM-based data security management, control and operation system that, with reference to the national standard Data Security Capability Maturity Model (DSMM), completes the functions of a platform-type data security product and provides a system for automatically discovering sensitive data, bringing data security devices under intelligent, collaborative management, and carrying out daily data security operations. The DSMM standard is organized around the data life cycle, defines data security capability requirements at multiple levels, and covers four capability dimensions: organizational construction, institutional processes, technical tools and personnel capability. The asset management module, security device management module, analysis and judgment module and security operation module together implement most of the requirements of the DSMM national standard.
Further, the asset discovery unit is specifically configured to discover data assets, host assets and API assets at a preset period and store them in list form to form an asset discovery list; the asset discovery list is used to store and present asset discovery information and provides an asset claim function.
Further, the asset sorting unit comprises an asset relationship visualization subunit, an account authority management subunit, an asset reporting subunit and a classification and grading subunit; the asset relationship visualization subunit is used to present the connections among network assets, data assets, API assets, related personnel and asset-related accounts in the form of an undirected graph; the account authority management subunit is used to present visually, in several different modes, the authority and sensitivity status of managed accounts; the asset reporting subunit provides a way for a superior manager to actively collect information from a subordinate department responsible for a specific asset; the classification and grading subunit is used to configure classification and grading tasks within the unit, hand the tasks over to an integrated third-party classification and grading tool, and automatically synchronize the classification and grading results once classification and grading are complete.
Further, the asset inventory unit comprises a data source subunit, a metadata subunit, an API interface subunit, an application asset subunit, a host asset subunit, an account asset subunit and a personnel asset subunit; the data source subunit is used to display at least the total number of data sources, the number of related host assets, the number of related application systems, the number of related personnel, the number of sorted data sources and the number of unsorted data sources, and to display the data source type distribution as a chart or table; the metadata subunit is configured to display at least the total number of data sources, the number of sensitive data sources, the total number of data tables, the number of sensitive data tables, the total number of data columns and the number of sensitive data columns, and to display the distribution of data sources at different sensitivity levels as a chart or table; entering the archive page of any library table shows the detailed description of each data item in the table; the API interface subunit is used to display at least the total number of interfaces, the number of related application systems, the number of related accounts, the number of sensitive interfaces and their proportion, and the number of zombie interfaces and their proportion, and to display the trend of interface access frequency as a chart or table; the application asset subunit is used to display at least the total number of business application systems and the numbers of high-risk, medium-risk, low-risk and risk-free systems with their respective proportions; the host asset subunit is configured to display at least the number of host assets and the numbers of high-risk, medium-risk, low-risk and risk-free assets with their respective proportions; the account asset subunit is used to display at least the number of accounts, the number of active accounts and the numbers of high-risk, medium-risk, low-risk and risk-free accounts with their respective proportions, and to display the account type distribution as a chart or table; the personnel asset subunit is configured to display at least the total number of personnel and the numbers of high-risk, medium-risk, low-risk and risk-free personnel with their respective proportions.
Further, the metadata subunit is further configured to allow metadata to be browsed on the metadata list page using data classification, sharing attribute, openness attribute, data domain, topic classification and update period as advanced filter criteria; metadata enters the subunit in three ways: the asset discovery unit automatically discovers data sources and extracts metadata using the deployed asset discovery device; metadata is imported on the page singly or in batch; and other accounts upload metadata through the asset reporting subunit.
Further, the security device management unit is specifically configured to display information on all currently connected security devices; the security policy management unit is specifically configured to support analysis of the execution effect of any device's policy and to complete adjustment of the policy according to the analysis result.
Further, the original log unit is specifically used to standardize, collect and display data operation logs or other log information acquired by the third-party security devices; the original alarm unit is specifically used to display alarm information generated, from their own rules or policies, by the security management and control devices deployed at each stage of the data life cycle; the index management unit is specifically used to filter on any log data item, group and aggregate by any object within a time window to generate a statistical time-series index, and set an index label and index description; the alarm model unit is specifically used to create several alarm models, process and analyze the logs of all kinds of data access and operation with these models in a unified manner, and identify the data security risks caused by that access and operation; the alarm handling unit is specifically used to display the alarm records produced when the platform's original logs hit an alarm model; the risk management unit is specifically used to display risks produced by manual judgment of alarms, risks entered manually and risks reported through other systems' interfaces; the event management unit is specifically configured to display the risks produced by manual judgment of alarms, the risks entered manually and the events reported through other systems' interfaces.
Further, the alarm models created by the alarm model unit comprise a rule model, a correlation model, a statistical model and an AI model; the rule model is used to set, after filtering on any log data item, content matching rules of exact match, regular expression, equality or inequality; the correlation model is used to combine the rules set on any two logs both in time sequence and in logic; the statistical model is used to set an equality or inequality on any established time-series index; the AI model is used to configure anomaly detection algorithms such as ARIMA, exponential smoothing, periodic Gaussian estimation, feature-point deviation and emerging-entity detection on any established time-series index.
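As an added example that is not code from the patent or the product it describes, the following Python sketch runs the three non-AI alarm model types over a constructed set of normalized data-operation logs: a rule model (exact match, regular expression, inequality), a time-series index built by filtering logs and counting them per account within a time window with a statistical model thresholding it, and a correlation model linking two rules in time for the same account, followed by a simple weighted risk score. Log field names, thresholds and the risk weights are assumptions.

```python
"""Added example, not code from the patent or the product it describes:
a minimal runnable sketch of the index-management and alarm-model pipeline,
run over constructed data-operation log records. Field names, thresholds
and weights are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of normalized data-operation logs (what the original log
# unit would hold after standardizing third-party device logs).
LOGS = [
    {"ts": "2023-04-01T09:00:05", "account": "alice", "op": "SELECT", "table": "customer_pii", "rows": 12},
    {"ts": "2023-04-01T09:01:10", "account": "bob",   "op": "SELECT", "table": "orders",       "rows": 3},
    {"ts": "2023-04-01T09:02:30", "account": "alice", "op": "SELECT", "table": "customer_pii", "rows": 40},
    {"ts": "2023-04-01T09:03:00", "account": "alice", "op": "EXPORT", "table": "customer_pii", "rows": 50000},
    {"ts": "2023-04-01T09:04:15", "account": "carol", "op": "DROP",   "table": "tmp_stage",    "rows": 0},
    {"ts": "2023-04-01T09:20:00", "account": "bob",   "op": "EXPORT", "table": "orders",       "rows": 200},
]
EPOCH = datetime(2000, 1, 1)  # fixed origin so time-window buckets are deterministic

def parse_ts(s):
    return datetime.fromisoformat(s)

# --- Rule model: exact match, regular expression or inequality on one log item;
# {"all": [...]} combines several conditions (the same form serves as a filter).
def rule_matches(rule, log):
    if "all" in rule:
        return all(rule_matches(r, log) for r in rule["all"])
    val, kind, arg = log.get(rule["field"]), rule["kind"], rule["arg"]
    if kind == "equals":
        return val == arg
    if kind == "regex":
        return val is not None and re.search(arg, str(val)) is not None
    if kind == "gt":
        return val is not None and val > arg
    raise ValueError(f"unknown rule kind: {kind}")

def run_rule_model(rule, logs):
    """Alarm on every log item the content rule hits."""
    return [l for l in logs if rule_matches(rule, l)]

# --- Index management: filter log items, then group by an object (e.g. account)
# and count per time window, producing a statistical time-series index.
def build_index(logs, filter_rule, group_by, window_s):
    """Return {object: {bucket_number: count}} over logs passing filter_rule."""
    index = defaultdict(lambda: defaultdict(int))
    for l in logs:
        if filter_rule is not None and not rule_matches(filter_rule, l):
            continue
        bucket = int((parse_ts(l["ts"]) - EPOCH).total_seconds()) // window_s
        index[l[group_by]][bucket] += 1
    return {obj: dict(series) for obj, series in index.items()}

# --- Statistical model: an inequality over an established time-series index.
def run_statistical_model(index, threshold):
    """Return (object, bucket, count) triples whose count exceeds threshold."""
    return [(obj, b, c) for obj, series in index.items()
            for b, c in sorted(series.items()) if c > threshold]

# --- Correlation model: rule A followed by rule B for the same entity, the two
# items ordered in time and at most window_s seconds apart.
def run_correlation_model(rule_a, rule_b, entity, window_s, logs):
    """Return (log_a, log_b) pairs that satisfy the temporal and logical link."""
    hits_a = [l for l in logs if rule_matches(rule_a, l)]
    hits_b = [l for l in logs if rule_matches(rule_b, l)]
    pairs = []
    for a in hits_a:
        for b in hits_b:
            gap = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds()
            if a[entity] == b[entity] and 0 <= gap <= window_s:
                pairs.append((a, b))
    return pairs

# --- Quantification: a simple weighted score per account over the alarms that
# fired, standing in for the risk quantification the alarm model unit performs.
WEIGHTS = {"rule": 1, "statistical": 3, "correlation": 5}  # assumed weights

def risk_by_account(rule_hits, stat_hits, corr_pairs):
    score = defaultdict(int)
    for l in rule_hits:
        score[l["account"]] += WEIGHTS["rule"]
    for obj, _bucket, _count in stat_hits:
        score[obj] += WEIGHTS["statistical"]
    for _a, b in corr_pairs:
        score[b["account"]] += WEIGHTS["correlation"]
    return dict(score)

if __name__ == "__main__":
    sensitive = {"field": "table", "kind": "regex", "arg": "pii"}
    bulk_export = {"all": [{"field": "op", "kind": "equals", "arg": "EXPORT"},
                           {"field": "rows", "kind": "gt", "arg": 10000}]}
    read_sensitive = {"all": [{"field": "op", "kind": "equals", "arg": "SELECT"}, sensitive]}
    hits = run_rule_model(bulk_export, LOGS)
    stats = run_statistical_model(build_index(LOGS, sensitive, "account", 300), 2)
    pairs = run_correlation_model(read_sensitive, bulk_export, "account", 600, LOGS)
    print(hits, stats, pairs, risk_by_account(hits, stats, pairs), sep="\n")
```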
Further, the emergency plan unit comprises a plan management subunit and a drill management subunit; the plan management subunit is used to display and manage published emergency plans; the drill management subunit is configured to support launching a drill immediately for each plan and managing the drills.
Further, the operation knowledge base unit is used to display and manage data security compliance materials; the work order management unit is used to record discovered problems and/or related matters and their handling results in work order form and to manage the generated work orders; the partner evaluation unit is used to display the total number of partners and the numbers of high-, medium- and low-risk partners, and supports querying partner information.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides a DSMM-based data security management and operation system whose four major functional modules are designed to fit the national standard Data Security Capability Maturity Model (DSMM), covering most of the provisions of the DSMM national standard: an asset management module, a security device management module, an analysis and judgment module and a security operation module. The subdivided units under each module are designed against specific DSMM national standard provisions, so the four capability dimensions of the DSMM standard, namely organizational construction, institutional processes, technical tools and personnel capability, can be well satisfied. The system is therefore of great value in building data security compliance, and it is a data security platform product that builds a security management and protection system for the full data life cycle and fuses multiple data security technologies to achieve platform-level data security protection.
Drawings
FIG. 1 is a schematic diagram of the module components of a system according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of a display interface for an asset discovery list according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of the interface of the asset relationship visualization subunit 1021 according to an embodiment of the present invention.
FIG. 4 is a schematic diagram of the interface of the account authority management subunit 1022 according to an embodiment of the present invention.
FIG. 5 is a schematic diagram of the interface of the data source subunit 1031 according to an embodiment of the present invention.
FIG. 6 is a schematic diagram of the interface of the metadata subunit 1032 according to an embodiment of the present invention.
FIG. 7 is a schematic diagram of the interface of the API interface subunit 1033 according to an embodiment of the present invention.
FIG. 8 is a schematic diagram of the interface of the application asset subunit 1034 according to an embodiment of the present invention.
FIG. 9 is a schematic diagram of the interface of the host asset subunit 1035 according to an embodiment of the present invention.
FIG. 10 is a schematic diagram of the interface of the account asset subunit 1036 according to an embodiment of the present invention.
FIG. 11 is a schematic diagram of the interface of the personnel asset subunit 1037 according to an embodiment of the present invention.
FIG. 12 is another schematic diagram of the interface of the metadata subunit 1032 according to an embodiment of the present invention.
FIG. 13 is a schematic diagram of the interface for system administrator assets according to an embodiment of the present invention.
FIG. 14 is a schematic diagram of the interface with which the system manages the organizational structure as a tree according to an embodiment of the present invention.
FIG. 15 is a schematic diagram of the interface of the security device management unit 201 according to an embodiment of the present invention.
FIG. 16 is a schematic diagram of the interface of the security device management unit 201 displaying various statistics for the current stage according to an embodiment of the present invention.
FIG. 17 is a schematic diagram of the interface of the security device management unit 201 displaying data desensitization tool information according to an embodiment of the present invention.
FIG. 18 is a schematic diagram of an interface of the security device management unit 201 according to an embodiment of the present invention.
FIG. 19 is a schematic diagram of the interface of the original alarm unit 301 according to an embodiment of the present invention.
FIG. 20 is a schematic diagram of the index configuration page in the original alarm unit 301 according to an embodiment of the present invention.
FIG. 21 is a schematic diagram of the interface of the alarm handling unit 304 according to an embodiment of the present invention.
FIG. 22 is a schematic diagram of the interface of the risk management unit 305 according to an embodiment of the present invention.
FIG. 23 is a schematic diagram of the interface of the event management unit 306 according to an embodiment of the present invention.
FIG. 24 is a schematic diagram of the interface for creating a new security event in the event management unit 306 according to an embodiment of the present invention.
FIG. 25 is a schematic diagram of the interface of the plan management subunit 4011 and the drill management subunit 4012 according to an embodiment of the present invention.
FIG. 26 is a schematic diagram of the interface of the operation knowledge base unit 402 according to an embodiment of the present invention.
FIG. 27 is a schematic diagram of the audit interface of the work order management unit 403 according to an embodiment of the present invention.
FIG. 28 is a schematic diagram of the interface of a general work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 29 is a schematic diagram of the interface of an asset claim work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 30 is a schematic diagram of the interface of an asset report work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 31 is a schematic diagram of the interface of an alarm, risk and event handling work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 32 is a schematic diagram of the interface of a high-risk vulnerability handling work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 33 is a schematic diagram of the interface of a high-risk port handling work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 34 is a schematic diagram of the interface of an illegal external connection handling work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 35 is a schematic diagram of the interface of a weak password handling work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 36 is a schematic diagram of the interface of a DSMM/DSG problem handling work order in the work order management unit 403 according to an embodiment of the present invention.
FIG. 37 is a schematic diagram of the interface showing the current status of work orders in the work order management unit 403 according to an embodiment of the present invention.
FIG. 38 is a schematic diagram of the interface for displaying personnel information in the partner evaluation unit 404 according to an embodiment of the present invention.
FIG. 39 is a schematic diagram of the interface of the partner evaluation unit 404 showing a list of partner systems according to an embodiment of the present invention.
FIG. 40 is a schematic diagram of the interface of the custom list field function according to an embodiment of the present invention.
Detailed Description
The drawings are for illustration only and are not to be construed as limiting the invention. To better illustrate the following embodiments, some parts of the drawings may be omitted, enlarged or reduced and do not represent actual product dimensions; those skilled in the art will appreciate that certain well-known structures in the drawings, and their descriptions, may be omitted.
Example 1
As shown in FIG. 1, this embodiment provides a DSMM-based data security management and operation system comprising the following modules: asset management module 100, security device management module 200, analysis and judgment module 300 and security operation module 400.
Based on the security requirements of the DSMM in the "data asset management" and "data classification and grading" process domains, asset management module 100 is composed of asset discovery unit 101, asset sorting unit 102 and asset inventory unit 103.
The subunits under these three units each satisfy several specific DSMM standard requirements.
Asset discovery unit 101 is used to register data assets and provides a data asset registration mechanism; asset sorting unit 102 is used to sort out the overall condition of the data assets and provides a data classification and grading standard or data asset management tool; asset inventory unit 103 is used to provide an indexable and queryable inventory of data assets.
Specifically, in the data asset management process domain, the DSMM standard requires at data security maturity level 3 and above: "registration of data assets should be performed by technical means, achieving automatic attribute identification of data assets (bp.23.10)".
Based on this, asset discovery unit 101 is specifically configured to discover data assets, host assets and API assets at a preset period and save them in list form, forming an asset discovery list. In a particular embodiment, asset discovery unit 101 operates on top of third-party asset discovery probes (devices) and covers both active and passive discovery. Active discovery obtains the asset list using the platform's built-in scanning function. Passive discovery compares asset information reported by other security devices in their security logs against the platform's asset list to find newly added assets. Asset discovery unit 101 includes an "update immediately" function that discovers assets of the current type at once, and scan tasks can also be scheduled at one of five intervals: 1, 3, 6, 12 or 24 hours. Each selection triggers an immediate scan (synchronization), after which asset discovery unit 101 refreshes the asset information at the chosen interval.
After each synchronization completes, the asset information is stored on the current page in list form, and the resulting asset discovery list is used to store and display the asset discovery information. As shown in FIG. 2, the information presented in the list includes, but is not limited to: asset name, asset subdivision type, the system it belongs to, host port, asset source, asset discovery time and operation options.
In the DSMM standard, the data asset management process domain requires at data security maturity level 3 and above: "a data asset registration mechanism should be defined, the scope and attributes of data asset management should be defined, and important data assets within the organization should have a defined manager or responsible department (BP.23.08)".
Based on this, the asset discovery list provides an asset claim function. As shown in fig. 2, there are two entry points for claiming an asset. The first is a direct claim by the current user: clicking the claim button on the asset discovery list requires the current user to register the department and the system to which the asset belongs, and the claimant is registered as the responsible person for the asset. The second is to have other personnel claim the asset through a work order: when creating the work order, the asset-claim work order type is selected and work order attributes such as receiving department, receiver, auditing department, auditor and deadline are specified. When the receiver logs in to the platform they receive the asset claim notification; after the receiver completes the asset registration the work order enters the audit flow, and the auditor receives the audit notification on logging in. The user who initiated the work order can then track its progress through the work order management unit 403.
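The passive discovery step and the direct-claim step described above can be expressed as a small diff-and-register routine. The following is an added example written for this page; it is not code from the patent or from any product the patent describes. The record shapes of the platform asset list and of the security-log entries, the device names, and the asset identity (host, port, subtype, name) are assumptions made for the example; all input data is constructed inline.

```python
from datetime import datetime, timezone

# Constructed sample of the platform's current asset list (assets that active discovery or
# earlier claims already registered). The record shape is an assumption for this example.
PLATFORM_ASSETS = [
    {"name": "crm-db", "type": "data/mysql", "host": "10.0.1.5", "port": 3306, "system": "CRM"},
    {"name": "crm-web-01", "type": "host/linux", "host": "10.0.1.10", "port": None, "system": "CRM"},
]

# Constructed security-log records as other security devices (database audit, WAF) might
# report them. The last record is a deliberate duplicate to show de-duplication.
SECURITY_LOG = [
    {"device": "db-audit", "host": "10.0.1.5", "port": 3306, "type": "data/mysql", "name": "crm-db"},
    {"device": "db-audit", "host": "10.0.1.6", "port": 27017, "type": "data/mongodb", "name": "crm-cache"},
    {"device": "waf", "host": "10.0.1.10", "port": 443, "type": "api/http", "name": "/api/v1/customers"},
    {"device": "waf", "host": "10.0.1.10", "port": 443, "type": "api/http", "name": "/api/v1/customers"},
]


def asset_key(rec):
    """Identity used to compare a reported asset with the platform list (assumed: host, port, subtype, name)."""
    return (rec["host"], rec.get("port"), rec["type"], rec["name"])


def passive_discovery(platform_assets, security_log, discovered_at=None):
    """Compare log-reported assets with the platform asset list and return the newly found
    ones as asset discovery list entries (the columns named for fig. 2)."""
    discovered_at = discovered_at or datetime.now(timezone.utc).isoformat()
    known = {asset_key(a) for a in platform_assets}
    found = {}
    for rec in security_log:
        key = asset_key(rec)
        if key in known or key in found:
            continue  # already registered, or already reported earlier in this log batch
        found[key] = {
            "asset_name": rec["name"],
            "asset_subtype": rec["type"],
            "system": None,          # unknown until somebody claims the asset
            "department": None,
            "host_port": f"{rec['host']}:{rec['port']}" if rec.get("port") is not None else rec["host"],
            "asset_source": f"passive:{rec['device']}",
            "discovered_at": discovered_at,
            "responsible_person": None,
        }
    return list(found.values())


def claim_asset(entry, user, department, system):
    """Direct claim from the discovery list: the claimant registers the department and the
    system the asset belongs to and becomes its responsible person (BP.23.08)."""
    if entry["responsible_person"] is not None:
        raise ValueError(f"{entry['asset_name']} is already claimed by {entry['responsible_person']}")
    entry.update({"department": department, "system": system, "responsible_person": user})
    return entry


if __name__ == "__main__":
    new_assets = passive_discovery(PLATFORM_ASSETS, SECURITY_LOG)
    for a in new_assets:
        print(a["asset_subtype"], a["asset_name"], a["host_port"], a["asset_source"])
    claim_asset(new_assets[0], user="alice", department="CRM team", system="CRM")
```

Keying on host, port, subtype and name together is what keeps a WAF report about an API on an already-known host from being mistaken for the host itself; an active scanner feeding the same record shape would go through the same comparison.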
In the DSMM standard, the data asset management process domain requires at data security maturity level 4 and above: "the overall situation of the organization's internal data assets, including but not limited to the data volume of the data assets and the distribution of data assets at each level, should be quantified through the data asset management system, so that data asset management personnel can take stock of the organization's overall data assets (BP.23.16)". Based on this, the present system designs asset grooming unit 102, whose four subunits provide three different modes of asset quantification.
The asset grooming unit 102 includes an asset relationship visualization subunit 1021, an account rights management subunit 1022, an asset reporting subunit 1023 and a classification and grading subunit 1024.
The asset relationship visualization subunit 1021 is configured to present the associations between host assets, data assets, API assets, resource-related personnel and resource-related accounts in the form of an undirected graph. In a specific embodiment, as shown in fig. 3, the asset relationship visualization subunit 1021 automatically draws the connections between host assets, data assets, API interfaces, personnel and accounts as an undirected graph by matching attributes such as department, IP, security responsible person, data domain, tags and alarm information. The view scope of the relationship graph can be filtered; the options are: all, entity assets only, and related personnel only. The default is "all"; selecting "entity assets only" keeps only the data source, application system and host asset types, and selecting "related personnel only" keeps only the accounts directly associated with the central node and the personnel associated with those accounts. From a risk perspective, the view can also be restricted to sensitive or high-risk assets. For any asset node, basic information such as the asset name, department, category and host IP can be viewed. An asset and its relationship graph can be retrieved by keywords such as account name, asset name, department, host address and tag. The subunit as a whole helps the administrator clarify asset relationships, define the scope of impact of a security risk, and provides a basis for decisions on subsequent security construction and optimization.
The account rights management subunit 1022 is configured to visually present the rights and sensitivity status of the managed accounts in several different ways. In a specific embodiment, as shown in fig. 4, the account rights management subunit 1022 has three modes of visual presentation:
Account rights statistics: the accounts of each department are presented in a bar chart, with the department on the abscissa and the number of accounts opened by that department on the ordinate. A heat map presents the high-privilege accounts of each department, with the department on the abscissa, the number of high-privilege accounts on the ordinate, and the colour intensity representing the proportion of high-privilege accounts in that department.
Account rights matrix: the rights level of each account is plotted as a point in a coordinate system, with the number of sensitive tables the account can access on the abscissa and the total number of permission items the account holds on the ordinate. According to the relative position of the accounts in these two dimensions, the coordinate system is divided equally into three sections, high, medium and low, so that the sensitivity of each account's rights can be read off directly.
Account association map: data resources can be searched by database or by department. When searching by database, the associated accounts are displayed around the database as the central node; when searching by department, the associated databases and database accounts are displayed around the department as the central node. A database node shows the database name, type and address, and its colour reflects the number of accounts under the database: dark when the database has two or more accounts, light when it has fewer than two. An account node shows the account name, the person, the department, the associated data tables and fields, and the operation permissions on those fields; its colour reflects the number of permission items: dark when the account holds more permission items than the average across all accounts of that data resource, light otherwise.
The asset reporting subunit 1023 is configured to give a superior manager a means of actively collecting information from a subordinate department responsible for specific assets. The manager can create an instant reporting task or a periodic reporting task, asking the subordinate to review and report the asset information they are responsible for. The information that can be configured for an instant reporting task is shown in table 1.
TABLE 1
A periodic reporting task raises the reporting requirement to the subordinate level at regular intervals; its configuration is shown in table 2.
TABLE 2
The initiator of a reporting task can view all asset reporting tasks as cards or as a list. The information displayed includes: task name, task type, task status, initiation time, initiator, task recipients, asset reporting type, task description, audit status, change type and the person who filled in the report. A specific reporting task can also be deleted.
A reporting task is sent to its recipients as a work order; the recipient handling the work order is the execution of the reporting task. The specific handling of work orders is described in the work order handling part of the security operation module in this specification.
In the DSMM standard, the data classification and grading process domain requires at data security maturity level 3 and above: "data classification and grading marking or data asset management tools should be established to achieve automatic classification and grading identification of data, release of identification results, auditing and other functions (BP.01.09)". Based on this, the classification and grading subunit 1024 of the system is used to configure classification and grading tasks within the unit, issue the tasks to an integrated third-party classification and grading tool, and automatically synchronize the results once classification and grading is completed.
In a specific embodiment, when a classification and grading task is created, task parameters such as the data source, the run period, whether to ignore empty tables, whether to use sampled detection, and whether to scan in full or only data not yet classified and graded can be configured, and an approving user for the results is designated. After classification and grading finishes, the task enters the approval step: when the approving user logs in to the system they receive a classification and grading approval work order to which the results are attached, and they may confirm or reject the work order, adding revision comments on rejection.
All classification and grading tasks are stored in a list on the page. The list shows information such as data source name, host port, department, application system, execution period, status, latest execution time and creation time, and tasks in the list can be executed immediately, viewed, edited and deleted.
In the DSMM standard, the data asset management process domain requires at data security maturity level 3 and above: "a data asset inventory should be built for ease of indexing and querying, and data asset related information should be updated in a timely manner (BP.23.11)". Based on this, the asset inventory unit 103 is designed to include a data source subunit 1031, a metadata subunit 1032, an API interface subunit 1033, an application asset subunit 1034, a host asset subunit 1035, an account asset subunit 1036 and a personnel asset subunit 1037. These subunits display the detailed lists of the respective asset types, and operations such as adding, deleting, viewing, importing and exporting assets can be completed in each subunit.
The data source subunit 1031 is configured to display, in the form of charts or tables, at least the total number of data sources, the number of related host assets, the number of related applications, the number of related personnel, the number of data sources that have been groomed, the number not yet groomed, and the distribution of data source types. In a specific embodiment, as shown in fig. 5, the data source type distribution is shown as a pie chart whose categories are specific database products such as MySQL and MongoDB. A "groomed" data source is one for which classification and grading has been completed. Each data source is listed as a card showing the data source name, data source type, host port, department, application system and tags; hovering the mouse over a card shows alarm information such as the number of alarms related to the data source. Card operations include viewing the detailed archive, editing and deleting. Alternatively, the data sources can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet: the system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
The metadata subunit 1032 is configured to display at least the total number of data sources, the number of sensitive data sources, the total number of data tables, the number of sensitive data tables, the total number of data columns and the number of sensitive data columns, and to display the distribution of data sources at each sensitivity level in the form of charts or tables. As shown in fig. 6, the distribution of data sources by sensitivity level (taken from the classification and grading results) is shown as a pie chart. Below it the data tables are listed as cards showing the data source name, table name, data source type, host port, department, application system, data domain, topic label and sensitivity level. Hovering the mouse over a card shows alarm- and sensitivity-related information such as the number of alarms and the number of sensitive columns. Card operations include viewing the detailed archive, editing and deleting. Entering the archive page of any table shows the detailed description of each data item in the table, including column name, data type, nullability, default value, primary key, whether sensitive, sensitivity level, classification result and identification field.
Alternatively, the metadata can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet: the system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
The API interface subunit 1033 is configured to display at least the total number of interfaces, the number of related application systems, the number of related accounts, the number and proportion of sensitive interfaces, and the number and proportion of zombie interfaces, and to display the trend of interface access counts in the form of charts or tables. As shown in fig. 7, the access count trend over the last 7 days is shown as a line chart, with the day-over-day change in access count marked. Below it the API interfaces are listed as cards showing interface name, department, system, interface address, registration source, topic classification, application domain and tags. Hovering the mouse over a card shows alarm information for the interface: total alarms, alarms added today, unhandled alarms and handled alarms. Card operations include viewing the detailed archive, editing and deleting. Entering an asset's details page shows the asset and its associated assets of every other type as a relationship graph rendered in the same way as in the asset relationship visualization subunit 1021. Alternatively, the interfaces can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet: the system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
The application asset subunit 1034 is configured to display at least the total number of business applications and the number and proportion of high-risk, medium-risk, low-risk and risk-free systems. The alarm level of a system is derived from the alarms on the host assets, interface assets and data assets associated with that system and takes the highest level among those alarms: a system with at least one high-level alarm is high risk, one whose highest alarm is medium is medium risk, one whose highest alarm is low is low risk, and one with no alarms is risk free. The alarms considered are those generated by the analysis and judgment center of the system, and the level of each alarm is determined by the user when setting the relevant alarm rules and policies. As shown in fig. 8, the systems are listed as cards showing system name, department, classified protection level, region name and protection status, where the protection status lists the protective equipment deployed for the system or indicates that none has been reported. The protective equipment counted comprises: cloud web application firewall, database audit, log audit, comprehensive vulnerability scanning, host security, web tamper protection, operation and maintenance audit, situation awareness and the like. Hovering the mouse over a card shows the number of assets and the number of work orders associated with the system. The associated assets include host assets, data assets and interface assets; the work orders include hidden-danger work orders and event work orders. Card operations include reporting, details, editing and deleting.
Entering an asset's details page shows the asset and its associated assets of every other type as a relationship graph rendered in the same way as in the asset relationship visualization subunit 1021. Alternatively, the systems can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet: the system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
The host asset subunit 1035 is configured to display at least the number of network assets and the number and proportion of high-risk, medium-risk, low-risk and risk-free assets. The host assets included in the statistics comprise, but are not limited to: 1. host class: Windows, *nix; 2. network class: routers, switches, VPNs, load balancers, firewalls; 3. security class: gatekeepers (network isolation gap devices), intrusion detection systems (IDS), intrusion prevention systems (IPS), unified threat management (UTM), next-generation firewalls, web application firewalls (WAF), traffic monitoring devices, web page tamper protection, anti-DDoS systems, antivirus systems, anti-spyware systems, data leakage prevention systems, mail audit systems, identity management systems, traffic scrubbing systems, database audit systems, web audit systems, operation and maintenance audit systems, internet access behaviour audit systems, unified audit gateways, log audit systems, security management systems, honeypot systems, application scanners, network scanners, host scanners, APT detection and host security management systems (EDR); 4. application class: web servers, database servers, mail servers, storage servers, FTP servers, application servers, virtualization devices and DNS servers; 5. audit components: Windows audit agent, *nix audit agent, WMI audit agent, collector, communication server and correlation engine; 6. other: network printers. The alarm level of an asset is derived from the risk level of the alarms matched to the asset's device IP and takes the highest level among all such alarms: if the highest level is high the asset is a high-risk asset, medium gives a medium-risk asset, low gives a low-risk asset, and an asset with no alarms is a risk-free asset. The alarms considered are those generated by the analysis and judgment center of the system.
The level of each alarm is determined by the user when setting the relevant alarm rules and policies. As shown in fig. 9, the assets are listed as cards showing asset name, department, system, device IP, device type and tags. Card operations include viewing the detailed archive, editing and deleting. Entering an asset's details page shows the asset and its associated assets of every other type as a relationship graph rendered in the same way as in the asset relationship visualization subunit 1021. Alternatively, the assets can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet: the system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
The account asset subunit 1036 is configured to display at least the number of accounts, the number of active accounts, the number and proportion of high-risk, medium-risk, low-risk and risk-free accounts, and to display the distribution of account types in the form of charts or tables. As shown in fig. 10, the account type distribution is shown as a pie chart. An active account is defined as one with an access record in the last 7 days (including today); account types comprise database accounts, application system accounts, host accounts, VPN accounts and bastion host accounts. The alarm level of an account is derived from the risk level of the alarms matched to the account and takes the highest level among them: for example, if the highest alarm level is high the account is a high-risk account, and an account with no alarms is a risk-free account. An alarm is matched to an account only when the IP and port of the asset associated with the account and the account name are all equal to those in the alarm. The alarms considered are those generated by the analysis and judgment center of the system, and the level of each alarm is determined by the user when setting the relevant alarm rules and policies. The accounts are listed as cards showing the department, user, account type, association type, risk level and other information. Card operations include viewing the detailed archive, editing and deleting. Entering an asset's details page shows the asset and its associated assets of every other type as a relationship graph rendered in the same way as in the asset relationship visualization subunit 1021.
In addition, the accounts can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet: the system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
The personnel asset subunit 1037 is configured to display at least the total number of personnel and the number and proportion of high-risk, medium-risk, low-risk and risk-free personnel. The risk level of a person is derived from the highest alarm level across all accounts associated with that person: for example, if the highest alarm level is high the person is high risk, and a person whose accounts have no alarms is risk free. The level of each alarm is determined by the user when setting the relevant alarm rules and policies, and the association between a person and their accounts is taken from the personnel-account mapping, which the system supports maintaining in two ways: adding personnel-account asset mappings online and importing a mapping table. As shown in fig. 11, the personnel are listed as cards showing name, gender, employment status, number of associated accounts, department, personnel type, position, mobile phone and risk level; personnel types include sensitive users, high-privilege users, remote access users and the like, and can be customized. Card operations include viewing the detailed archive, editing and deleting. Entering an asset's details page shows the asset and its associated assets of every other type as a relationship graph rendered in the same way as in the asset relationship visualization subunit 1021. In addition, the personnel can be presented as a list containing the same information as the cards. The subunit supports importing this type of asset from a spreadsheet.
The system provides an import template whose structure matches the list table, and after the user fills it in and uploads it the current asset list is updated.
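The risk roll-up rules stated for application assets, host assets, account assets and personnel assets above all reduce to one operation: take the highest level among the alarms that match the object, with "none" when nothing matches, and let each higher-level object inherit the maximum of the objects below it. The following is an added example for this page, not code from the patent or from any product it describes. The alarm, host, account and system records are constructed for the example and their field names are assumptions; the four-level ordering none < low < medium < high follows the text, and the system roll-up here uses host assets only (the text also folds in interface and data assets, which would roll up the same way).

```python
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
RANK_LEVEL = {v: k for k, v in LEVEL_RANK.items()}

# Constructed alarms as the analysis and judgment center would emit them; each level is
# whatever the user's alarm rules assigned. Record shapes are assumptions for this example.
ALARMS = [
    {"ip": "10.0.1.5", "port": 3306, "account": "app_rw", "level": "high"},
    {"ip": "10.0.1.5", "port": 3306, "account": "report_ro", "level": "low"},
    {"ip": "10.0.1.10", "port": None, "account": None, "level": "medium"},
]
HOSTS = [
    {"name": "crm-db-host", "ip": "10.0.1.5"},
    {"name": "crm-web-01", "ip": "10.0.1.10"},
    {"name": "hr-web-01", "ip": "10.0.2.1"},
]
ACCOUNTS = [
    {"name": "app_rw", "asset_ip": "10.0.1.5", "asset_port": 3306, "person": "alice"},
    {"name": "report_ro", "asset_ip": "10.0.1.5", "asset_port": 3306, "person": "bob"},
    {"name": "admin", "asset_ip": "10.0.2.1", "asset_port": 22, "person": "alice"},
]
SYSTEMS = {"CRM": ["crm-db-host", "crm-web-01"], "HR": ["hr-web-01"]}


def highest(levels):
    """Highest alarm level in an iterable of level names; 'none' when there are no alarms."""
    return RANK_LEVEL[max((LEVEL_RANK[lvl] for lvl in levels), default=0)]


def host_level(host, alarms=ALARMS):
    """Host asset: highest level among alarms whose IP matches the device IP."""
    return highest(a["level"] for a in alarms if a["ip"] == host["ip"])


def account_level(account, alarms=ALARMS):
    """Account asset: an alarm matches only when IP, port and account name are all equal,
    so the high-level alarm on app_rw does not bleed into report_ro on the same database."""
    return highest(a["level"] for a in alarms
                   if a["ip"] == account["asset_ip"]
                   and a["port"] == account["asset_port"]
                   and a["account"] == account["name"])


def person_level(person, accounts=ACCOUNTS, alarms=ALARMS):
    """Personnel asset: highest level across all accounts mapped to the person."""
    return highest(account_level(acc, alarms) for acc in accounts if acc["person"] == person)


def system_level(system, systems=SYSTEMS, hosts=HOSTS, alarms=ALARMS):
    """Application asset: highest level across the host assets associated with the system."""
    by_name = {h["name"]: h for h in hosts}
    return highest(host_level(by_name[name], alarms) for name in systems[system])


def risk_summary(levels):
    """Count and proportion per level, the headline figures shown above each card list."""
    levels = list(levels)
    total = len(levels)
    return {lvl: {"count": levels.count(lvl),
                  "share": levels.count(lvl) / total if total else 0.0}
            for lvl in LEVEL_RANK}


if __name__ == "__main__":
    print({h["name"]: host_level(h) for h in HOSTS})
    print({a["name"]: account_level(a) for a in ACCOUNTS})
    print({p: person_level(p) for p in ("alice", "bob")})
    print({s: system_level(s) for s in SYSTEMS})
    print(risk_summary(host_level(h) for h in HOSTS))
```

Because every roll-up is a maximum, one high-level alarm anywhere under a person or a system marks the whole person or system high risk; the card counts therefore say where to look first, not how many alarms there are.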
In a specific embodiment, the metadata management process domain of the DSMM standard requires at data security maturity level 3 and above: "the metadata management tool should support navigation and searching of data tables and provide associated information such as table lineage, field information and usage descriptions, so that users can find and use data tables (BP.25.07)". The metadata subunit 1032 is therefore further configured to support navigating the metadata on the metadata list page with data classification, sharing attribute, open attribute, data domain, topic classification and update period as advanced filter options, and to support fuzzy search of the metadata on the list page by host name, table name and classification. As shown in fig. 12, the metadata archive detail page shows the basic information of the metadata, including table name, table alias, data source name, department, host IP, system, creation time, open attribute, sharing attribute, update period, topic classification, data domain and usage description; the alarm statistics of the metadata, including total risks, newly added today, unhandled, handled, and the distribution of high, medium and low risks, shown as pie charts; and the field information of the data table, including for each field the field name, table name, whether groomed, type, identification rule, identification field, whether sensitive, classification, length, nullability, default value and whether it is a primary key.
In a specific embodiment, the metadata management process domain of the DSMM standard requires at data security maturity level 4 and above: "the organization should have the ability to manage metadata in a unified way, for example by establishing an organization-wide unified metadata management system that provides the metadata of each business to the organization through a centralized system (BP.25.11)". The metadata subunit 1032 therefore also obtains metadata in three ways: automatically discovering data sources and extracting metadata information through the asset discovery devices deployed for the asset discovery unit; entering metadata information on the page individually or in batch; and having other accounts upload metadata information through the asset reporting subunit. The metadata within the subunit is managed in a unified way with query, edit and delete functions. The editable content comprises table name, table alias, data source, data source name, system, open attribute, sharing attribute, update period, topic classification, data domain, usage description and tags. The query function is described in detail in the preceding paragraph.
In a specific embodiment, the metadata management process domain of the DSMM standard requires at data security maturity level 3 and above: "a metadata access control policy and audit mechanism should be established to ensure the traceability of metadata operations (BP.25.08)". Accordingly, the system super administrator has the authority to create accounts, and when creating an account can set the scope of metadata the new account may access, and its operation permissions on that metadata (add, delete, query, edit), according to attributes of the metadata such as department, system, open attribute, sharing attribute, data domain, database and table name; after logging in, the created account can only see metadata within its permitted scope. The operation logs of every add, delete, query and edit a user performs on metadata in the system are stored centrally in the system's internal management module, and the super administrator can audit these logs by the account that performed the operation and by the operated object, so that metadata operations can be traced.
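The access control and audit requirement above (scope by metadata attribute, per-operation permissions, a central operation log that can be searched by actor and by object) is small enough to show end to end. The following is an added example written for this page, not code from the patent or from any product it describes. The metadata records, the attribute names used for scoping, the "superadmin" actor name and the MetadataService class are all assumptions made for the example; refusals are logged as well as successes, which the text does not state but which an auditor tracing an attempted operation would expect.

```python
from datetime import datetime, timezone

SCOPE_ATTRIBUTES = ("department", "system", "open_attribute", "sharing_attribute",
                    "data_domain", "database", "table_name")
OPERATIONS = ("add", "delete", "query", "edit")

# Constructed metadata records, one per table; field names are assumptions for this example.
METADATA = [
    {"database": "crm", "table_name": "customer", "department": "Sales", "system": "CRM",
     "open_attribute": "internal", "sharing_attribute": "shareable", "data_domain": "customer"},
    {"database": "crm", "table_name": "orders", "department": "Sales", "system": "CRM",
     "open_attribute": "internal", "sharing_attribute": "shareable", "data_domain": "transaction"},
    {"database": "hr", "table_name": "salary", "department": "HR", "system": "HRMS",
     "open_attribute": "restricted", "sharing_attribute": "not-shareable", "data_domain": "personnel"},
]


class MetadataService:
    """Metadata list with per-account access scope and a central operation log."""

    def __init__(self, metadata):
        self.metadata = [dict(m) for m in metadata]
        self.accounts = {}   # name -> {"scope": {attribute: allowed values}, "permissions": set}
        self.audit_log = []

    def create_account(self, actor, name, scope, permissions):
        """Only the super administrator creates accounts and fixes their scope and permissions."""
        if actor != "superadmin":
            raise PermissionError("only the super administrator can create accounts")
        unknown = (set(scope) - set(SCOPE_ATTRIBUTES)) | (set(permissions) - set(OPERATIONS))
        if unknown:
            raise ValueError(f"unknown scope attribute or operation: {sorted(unknown)}")
        # An attribute absent from the scope is unrestricted; a present one must match a listed value.
        self.accounts[name] = {"scope": {k: set(v) for k, v in scope.items()},
                               "permissions": set(permissions)}

    def _in_scope(self, account, table):
        return all(table.get(attr) in allowed
                   for attr, allowed in self.accounts[account]["scope"].items())

    def _log(self, account, operation, obj, result):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(), "account": account,
                               "operation": operation, "object": obj, "result": result})

    def _find(self, database, table_name):
        table = next((t for t in self.metadata
                      if t["database"] == database and t["table_name"] == table_name), None)
        if table is None:
            raise KeyError(f"{database}.{table_name}")
        return table

    def _authorize(self, account, operation, obj, table=None):
        allowed = operation in self.accounts[account]["permissions"]
        if allowed and table is not None:
            allowed = self._in_scope(account, table)
        if not allowed:
            self._log(account, operation, obj, "denied")   # refusals are traceable too
            raise PermissionError(f"{account} may not {operation} {obj}")

    def query(self, account):
        """Return only the metadata inside the account's permitted scope."""
        self._authorize(account, "query", "metadata-list")
        visible = [t for t in self.metadata if self._in_scope(account, t)]
        self._log(account, "query", "metadata-list", f"ok:{len(visible)}")
        return visible

    def edit(self, account, database, table_name, **changes):
        table, obj = self._find(database, table_name), f"{database}.{table_name}"
        self._authorize(account, "edit", obj, table)
        table.update(changes)
        self._log(account, "edit", obj, "ok")
        return table

    def delete(self, account, database, table_name):
        table, obj = self._find(database, table_name), f"{database}.{table_name}"
        self._authorize(account, "delete", obj, table)
        self.metadata.remove(table)
        self._log(account, "delete", obj, "ok")

    def trace(self, account=None, obj=None):
        """Audit the log by the acting account and/or the operated object (BP.25.08)."""
        return [e for e in self.audit_log
                if (account is None or e["account"] == account)
                and (obj is None or e["object"] == obj)]


if __name__ == "__main__":
    svc = MetadataService(METADATA)
    svc.create_account("superadmin", "sales_analyst", {"department": {"Sales"}}, ["query", "edit"])
    print([t["table_name"] for t in svc.query("sales_analyst")])
    for entry in svc.trace(account="sales_analyst"):
        print(entry)
```

The scope check runs on every operation, not only on listing, so a table that is hidden from the list cannot be edited by guessing its name; and since the same check decides visibility and authorization, the two cannot drift apart.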
In a specific embodiment, the DSMM standard is required to meet the standard requirements of data security maturity above level 3 in the process domain of organization and personnel management: "the human resource management flow (bp.21.28) related to data security should be realized by the automation of the technical tool", and thus, the system provides online addition or deletion of personnel in addition to the personnel asset inventory function. The newly added personnel information comprises names, sexes, identity cards, mobile phones, fixed phones, common mailboxes, affiliated departments, personnel positions, personnel states (the value fields are in the incumbent, off-job, preparation of off-job, vacation and off-job), personnel types (the value fields are in the focus of users, off-job users, third party users, remote access users, sensitive users, high-authority users, (quasi) off-job users and custom), personnel attribution (first party personnel and partner personnel), uploading head images, personnel labels, remarks, extension information (partner company names, partner contacts and partner contact modes), associated account names and associated assets. Wherein the personnel attribution and the extension information field are linked: prompting to fill in three fields of a company name, a contact person of the partner and a contact way of the partner when the partner person is selected, and hiding the filling of the three fields if the partner person is selected.
As shown in FIG. 13, importing personnel from a form is supported; the form template can be downloaded before importing, and the template fields are essentially the same as the information filled in for newly added personnel. Exporting the personnel list is supported, including exporting the list after filtering by condition. The personnel detail page first displays the basic personnel information, including name, sex, personnel state, position, personnel attribution, personnel label, personnel type, affiliated department, identity card number, common mailbox, fixed telephone, mobile telephone, description, partner company name, partner contact person and partner contact method, where the contact details are displayed in desensitized form. At the lower left it displays, in card form, all accounts associated with the current person, the assets associated with those accounts, the asset types and the departments to which the assets belong; that is, a person is associated with accounts and the accounts are associated with assets. Asset types include database, application service and host. At the lower right, a line chart displays the daily access counts of the person's accounts; by default the access counts of all of the person's accounts are counted together, and statistics for a single account are also supported. The statistical range is approximately one week, excluding the current day.
As shown in fig. 14, the system supports managing the organization architecture as a tree structure. Nodes are added to extend the organization, and the information for a newly added organization includes organization name, organization abbreviation, organization code, superior organization name, region name, organization address, organization contact person, organization contact method, organization label and notes; the superior organization name is filled in automatically when a node is added. When deleting from the organization architecture, the first level is not allowed to be deleted, an organization with child nodes under it is not allowed to be deleted, and only the lowest level may be deleted. Departments with associated assets are not allowed to be deleted, and a prompt identifies the specific associated assets (data assets, application assets, interface assets and the like) whose association must be removed first. Editing organization information is supported and is consistent with adding an organization. Importing the organization structure from a form is also supported; the form template can be downloaded before importing, and the template fields are essentially the same as the information filled in for a newly added organization. Exporting the list is supported, including exporting the list after filtering by condition. When viewing the organization architecture, the basic information displayed includes organization name, abbreviation, organization code, superior organization name, region name, organization address, contact person, contact method and labels.
The security device management module 200 is composed of a security device management unit 201 and a security policy management unit 202. The security device management unit 201 is configured to manage third-party security tools; the security policy management unit 202 is configured to track the operational effectiveness of data classification and grading identification or of other third-party security tool policies, so as to help continuously improve the policy schemes.
For data collection security, data transmission security, data storage security, data processing security, data exchange security and data destruction security, that is, the security process domains under the six stages of the data life cycle, together with the terminal data security and authentication and access control process domains, the system suggests that users employ third-party security tools to meet the security requirements of each specific process domain. The currently suggested tools include: asset management system, API risk monitoring system, data security classification and grading risk assessment system, database audit system, database desensitization system, database encryption system, operation management and control system, bastion host, network DLP system and VPN system. As shown in fig. 15, the security device management unit 201 presents the information of all currently connected devices, including but not limited to device brand, protection domain, online time, tool IP and resource consumption; devices can be added, deleted, edited, searched and viewed. From this unit a user can single-sign-on from the platform to the device console in order to carry out and maintain specific security protection work.
The DSMM standard requires, in the data classification and grading process domain at data security maturity level 5 or above: "technical tools should be available that track the effect of data classification and grading identification and continuously improve data classification and grading (bp.01.14)"; in the data transmission encryption process domain at level 4 or above: "the implementation effect and cost of encrypting sensitive data and of encrypting the data transmission channel should be comprehensively quantified, and the data encryption implementation scheme periodically checked and adjusted (BP.05.15)"; and in the data desensitization process domain at level 5 or above: "new service requirements, new data desensitization techniques and best practices, new compliance changes and the like should be continuously tracked, and data desensitization rules and means continuously improved (bp.10.22)". Beyond these requirements, DSMM puts forward "continuous optimization, continuous improvement" requirements for the technical protection of several process domains. Based on this, the security policy management unit 202 is specifically configured to support adding, modifying and deleting any device policy, and further to present the policy running state of the related security tools and a visualization of their operating data in card form, organized by data security life-cycle stage (in TAB page form). For example, a data desensitization tool requires the information in Table 3 to be configured for a new policy. The user can then continuously optimize the policy configuration according to indexes such as the policy hit rate.
TABLE 3
For each stage of the life cycle, the page first displays various types of statistical information under the current stage, specifically as shown in table 4, and the display effect is as shown in fig. 16:
TABLE 4
Information of each third party security tool is listed in a card form under the statistical information, and the displayed information is different according to the types of the security tools, for example, the displayed information of the classification and grading tools is shown in table 5:
TABLE 5
The information displayed by the data desensitizing tool is shown in table 6, and the display effect is shown in fig. 17:
TABLE 6
Fields/graphs | Description |
Security tool IP | IP of the security tool in the security tool management menu |
Security tool port | Port of the security tool in the security tool management menu |
Security tool type | Type of the security tool in the security tool management menu |
Security tool manufacturer | Manufacturer of the security tool in the security tool management menu |
Policy total | Total number of policies in the security tool policy list |
Number of enabled policies | Number of enabled policies in the security tool policy list |
Number of deactivated policies | Number of deactivated policies in the security tool policy list |
Number of abnormal policies | Number of abnormal policies in the security tool policy list |
Number of desensitization-completed tables | Sum of the number of tables completed by AiMask structured desensitization tasks |
Desensitized data volume | Sum of the data sizes completed by AiMask structured desensitization tasks |
Desensitization task data flow distribution | Ring chart showing the proportions of the four data streams of structured data desensitization |
Policy list | Clickable entry to the policy list |
As shown in fig. 18, for any particular security tool, a jump can be made from its card to the "security policy" list page. The page displays all security policies of the tool as a list, helping the user understand the tool's policies in detail. The list fields include: policy name, policy type, IP segment, number of services, enablement status, creation time, update time and operation.
Based on the security requirements of the DSMM in the "monitor and audit" and "security event emergency" process domains, the analysis and judgment module 300 is composed of an original log unit, an original alarm unit 301, an index management unit 302, an alarm model unit 303, an alarm handling unit 304, a risk management unit 305 and an event management unit 306.
The original log unit is used for collecting and standardizing the data operation logs and other log information gathered by the third-party security devices; the original alarm unit 301 is configured to display the alarm information generated by the security management and control devices deployed in each life-cycle stage of the data according to their own rules or policies; the index management unit 302 is used for monitoring high-risk operations or events on data by a method combining automatic and manual audit; the alarm model unit 303 performs unified processing and analysis of logs of various types of data access and operation, and quantifies the data security risks caused by that access and operation; and the alarm handling unit 304, the risk management unit 305 and the event management unit 306 together manage the security events that may be generated from the alarm model's association analysis of logs, traffic and the like.
Based on the standard requirements of data security maturity level 3 or above in the legitimate data use process domain, security management and control devices are deployed in each life-cycle stage of the data, the log information (including data operation logs) gathered by each security base device is collected synchronously, standardized, and displayed in list form in the original log unit. The log information displayed in the list comprises log name, source IP, destination port, transmission protocol, application protocol, device type, device name, source city, resolved product name, allocated IP address and destination DNS domain. A user-defined list field function is provided: any field of the original log can be freely selected as part of the log information and displayed in the current page list. As shown in FIG. 40, the list operation functions include conditional search, export, publication and visualization; the visualization histogram shows the statistics of all specific values of any data item across all log information, and the statistical range is the data in the list (which may be the result after filtering). Specifically, any log field can be selected for the X-axis, and the statistical functions provided for the Y-axis include average, count, distinct count, maximum, minimum and sum. Log details can be viewed for the logs in the list; besides the general information, the displayed content comprises message, object classification, event classification, behavior classification, device classification and the like. The information in the details varies with the type of log.
Based on the standard requirements of data security maturity level 3 or above in the monitoring and auditing process domain, namely that a technical tool for monitoring data access and operation logs be established, alarms for abnormal data access and operation be realized, and access to highly sensitive data and the data access and operation of privileged accounts be brought within the key monitoring range (BP.27.09), security management and control devices are deployed in each life-cycle stage of the data, the alarm information generated by each security base device according to its own rules or policies is collected synchronously, and the alarm information is displayed in list form in the original alarm unit 301. The alarm information displayed in the list comprises the time received by the collection unit, alarm name, source IP, destination IP, alarm device and device type; a custom list field function is provided, and any field of the original log can be freely selected as part of the alarm information and displayed in the current page list. As shown in fig. 19, the list operation functions include conditional search, export, release and visualization; the visualization histogram shows the statistics of all specific values of any data item across all alarm information, and the statistical range is the data in the list (which may be the result after filtering). Specifically, any log field can be selected for the X-axis, and the statistical functions provided for the Y-axis include average, count, distinct count, maximum, minimum and sum. Alarm details can be viewed for the alarms in the list; besides the general information, the displayed content comprises message information and physical addresses. The information in the details varies with the type of alarm.
Based on the same requirements of data security maturity level 3 or above in the monitoring and auditing process domain, the index management unit 302 is specifically configured to provide a time-series index creation function: filter on any log data item (the filtering step is optional), aggregate by any grouping object within a time window (1 minute, 10 minutes, 30 minutes, 1 hour, 6 hours, 1 day, etc.) to generate a statistical time-series index, and optionally set an index label and an index description. The grouped aggregation functions provided include, but are not limited to: mean, sum, median, mode, minimum, maximum, distinct count and variance. The index configuration page is shown in fig. 20.
The created indexes are displayed in list form in the index management unit 302, and the displayed information includes, but is not limited to: index name, data source, index grouping object, statistical method, time window, index description, related data table, creator, creation time, whether results are saved, whether the index is running, etc. The list operations provide searching the list, and editing the information of an index, turning it on or off, viewing its details and viewing its results. The index details that can be viewed or edited comprise index ID, index name, index label, index description, data source and statistical configuration conditions. An index detail page is provided that visually displays the index description, index configuration, historical maximum and minimum values, the index line chart and the index overview.
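The index creation described above (optional filter, grouping object, fixed time window, grouped aggregation function), as an added Python example that is not code from the patent or its system; the log records, field names, window names and the aggregation labels are constructed assumptions:

```python
# Added example (not from the patent): building a statistical time-series index
# from log records by filtering, grouping and aggregating in fixed time windows,
# as described for index management unit 302. The log records, field names and
# index definitions below are constructed for illustration.
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log records as the original log unit might normalize them (UTC timestamps).
SAMPLE_LOGS = [
    {"ts": "2024-01-01T10:00:05", "src_ip": "10.0.0.5", "dst_port": 3306, "bytes_in": 120},
    {"ts": "2024-01-01T10:00:40", "src_ip": "10.0.0.5", "dst_port": 3306, "bytes_in": 80},
    {"ts": "2024-01-01T10:00:50", "src_ip": "10.0.0.7", "dst_port": 443, "bytes_in": 500},
    {"ts": "2024-01-01T10:01:10", "src_ip": "10.0.0.5", "dst_port": 3306, "bytes_in": 400},
    {"ts": "2024-01-01T10:09:59", "src_ip": "10.0.0.5", "dst_port": 22, "bytes_in": 10},
    {"ts": "2024-01-01T10:10:01", "src_ip": "10.0.0.5", "dst_port": 3306, "bytes_in": 300},
]

# Time windows offered by the unit, in seconds.
WINDOWS = {"1m": 60, "10m": 600, "30m": 1800, "1h": 3600, "6h": 21600, "1d": 86400}

# Grouped aggregation functions listed in the text.
AGGREGATES = {
    "mean": statistics.fmean,
    "sum": sum,
    "median": statistics.median,
    "mode": statistics.mode,
    "min": min,
    "max": max,
    "distinct_count": lambda xs: len(set(xs)),
    "variance": statistics.pvariance,
}


def window_start(ts_text, size):
    """Align a UTC ISO timestamp to the start of its window; returned as ISO text."""
    epoch = int(datetime.fromisoformat(ts_text).replace(tzinfo=timezone.utc).timestamp())
    start = epoch - epoch % size
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def compute_index(logs, window, group_by, value_field, aggregate, filters=None):
    """
    Return {(window_start, group_key): value}. `filters` is an optional
    {field: required_value} mapping applied before grouping (the optional filter step).
    """
    size = WINDOWS[window]
    agg = AGGREGATES[aggregate]
    buckets = defaultdict(list)
    for rec in logs:
        if filters and any(rec.get(k) != v for k, v in filters.items()):
            continue
        key = (window_start(rec["ts"], size), tuple(rec[g] for g in group_by))
        buckets[key].append(rec[value_field])
    return {key: agg(values) for key, values in buckets.items()}


def historical_extremes(index):
    """Historical minimum and maximum of an index, as shown on the index detail page."""
    values = list(index.values())
    return (min(values), max(values)) if values else (None, None)
```

Windows are aligned to the epoch in UTC, so a record at 10:09:59 and one at 10:10:01 land in different 10-minute buckets; the distinct count of destination ports per source address over an hour is the kind of index a privileged-account monitoring rule would later threshold.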
The functions specifically provided by the line graph include:
1) Curve legend: explains what each curve in the curve timing diagram represents; clicking an entry in the legend filters to that object, which is then displayed alone in the curve timing diagram.
2) Timing diagram operation column: this area is mainly used for the operations of the timing diagram, and can scale, rollback and reset the timing diagram.
3) Timing diagram and information details: the mouse will show the time node when it is stopped in the time chart, and the numerical value of the object shown in the time chart. The timing diagram mainly displays the data values of objects in the default grouping and the custom grouping.
4) Time axis: for showing the time frame of the timing diagram at this time.
The general overview shows the specific value distribution proportion of the index in the data items of source IP, destination IP, source user, destination port, inflow byte, transmission protocol and the like in the form of a pie chart. The data items of a particular overview will vary from index to index.
In the monitoring and auditing process, the standard requirements of the data security maturity level 4 or more are as follows: the technical tool can perform unified processing and analysis on logs of various data access and operation, quantify data security risks caused by the data access and operation, and realize overall perception of the data security risks (BP.27.13). The alarm model unit 303 is specifically configured to create a plurality of alarm models, perform unified processing and analysis on logs of various data accesses and operations by using the alarm models, and quantify data security risks caused by the data accesses and operations.
The models that the alert model unit 303 can create are classified into rule models, association models, statistical models, AI models.
Rule model: this function sets content matching rules, namely exact match, regular expression, equality operation or inequality operation, on any log data item after an optional filtering step. Multiple data-item matching rules on the same log can be combined with AND or OR logical relations. The content matching rules of the several data items and the logical relations between them form an alarm rule. In addition, detailed rule information such as alarm name, threat level, alarm description and handling suggestion can be configured. When the log content hits the alarm rule, a corresponding alarm is generated.
Correlation model: this function sets rule models for any two logs at the same time and, in addition to all the functions of a single rule model, allows a time-sequence and logical association between the two rules. The time-sequence associations include: "rules A and B hit simultaneously", "rule A hits and then rule B hits", "A hits and B does not hit", and "A hits n or more times and then B hits", together with a time window, in minutes, within which the sequence must occur. The logical associations include equal to, not equal to, contains and does not contain. In addition, detailed rule information such as alarm name, threat level, alarm description and handling suggestion can be configured. When the two alarm rules satisfy the configured time-sequence association, a corresponding alarm is generated.
Statistical model: this function sets a statistical threshold model, using an equality or inequality operation, on any of the created time-series indexes. When used, the time window of the index can be set again, so that the statistical value of the index within that window is checked against the threshold. In addition, detailed rule information such as alarm name, threat level, alarm description and handling suggestion can be configured. When the time-series index meets the threshold condition, a corresponding alarm is generated.
AI model: this function configures an anomaly detection algorithm on any of the created time-series indexes, such as ARIMA, exponential smoothing, periodic Gaussian estimation, feature point deviation, emerging entities, etc. In addition, detailed rule information such as alarm name, threat level, alarm description and handling suggestion can be configured. When the algorithm detects an abnormal result, a corresponding alarm is generated.
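The rule model and the correlation model described above, as an added Python example that is not code from the patent or its system. It implements the single-log content matching rule with AND/OR combination, and the "A hits n or more times and then B hits" time-sequence association with an optional "equal to" logical association on a shared field (the "A then B" case is n = 1). The log records, field names, operator names and the sample rules are constructed assumptions:

```python
# Added example (not from the patent): a rule model and a correlation model of the
# kind described for alarm model unit 303, run over constructed log records.
# Field names, operator names and the sample events are assumptions.
import re
from datetime import datetime

# Constructed logs: three failed logins, a successful one, and a large export from
# the same source address, plus an unrelated address that fails once.
SAMPLE_LOGS = [
    {"ts": "2024-01-01T09:00:00", "src_ip": "10.0.0.5", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2024-01-01T09:00:20", "src_ip": "10.0.0.5", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2024-01-01T09:00:45", "src_ip": "10.0.0.5", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2024-01-01T09:01:30", "src_ip": "10.0.0.5", "user": "bob", "action": "login", "result": "success"},
    {"ts": "2024-01-01T09:02:00", "src_ip": "10.0.0.5", "user": "bob", "action": "export", "table": "customer_pii", "rows": 250000},
    {"ts": "2024-01-01T09:30:00", "src_ip": "10.0.0.9", "user": "alice", "action": "login", "result": "fail"},
    {"ts": "2024-01-01T09:40:00", "src_ip": "10.0.0.9", "user": "alice", "action": "login", "result": "success"},
]


def parse_ts(rec):
    return datetime.fromisoformat(rec["ts"])


def match_condition(rec, cond):
    """One data-item condition (field, op, value): exact match, regex, or comparison."""
    field, op, value = cond
    actual = rec.get(field)
    if actual is None:                      # a log lacking the field never matches
        return False
    if op == "exact":
        return str(actual) == str(value)
    if op == "regex":
        return re.search(value, str(actual)) is not None
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "gt":
        return actual > value
    if op == "lt":
        return actual < value
    raise ValueError(f"unknown operator {op}")


class RuleModel:
    """Content-matching conditions on one log, combined with AND or OR."""
    def __init__(self, name, conditions, logic="and", threat_level="medium"):
        self.name, self.conditions, self.logic, self.threat_level = name, conditions, logic, threat_level

    def hits(self, rec):
        results = [match_condition(rec, c) for c in self.conditions]
        return all(results) if self.logic == "and" else any(results)

    def run(self, logs):
        return [{"alarm": self.name, "threat_level": self.threat_level, "ts": r["ts"], "log": r}
                for r in logs if self.hits(r)]


class CorrelationModel:
    """'A hits n or more times, then B' inside a time window; `link_field`, if given,
    is the 'equal to' logical association between the A and B logs."""
    def __init__(self, name, rule_a, rule_b, window_seconds, n=1, link_field=None, threat_level="high"):
        self.name, self.rule_a, self.rule_b = name, rule_a, rule_b
        self.window_seconds, self.n, self.link_field, self.threat_level = window_seconds, n, link_field, threat_level

    def run(self, logs):
        logs = sorted(logs, key=parse_ts)
        a_hits = [r for r in logs if self.rule_a.hits(r)]
        alarms = []
        for b in logs:
            if not self.rule_b.hits(b):
                continue
            t_b = parse_ts(b)
            prior = [a for a in a_hits
                     if 0 <= (t_b - parse_ts(a)).total_seconds() <= self.window_seconds
                     and (self.link_field is None or a.get(self.link_field) == b.get(self.link_field))]
            if len(prior) >= self.n:
                alarms.append({"alarm": self.name, "threat_level": self.threat_level,
                               "ts": b["ts"], "a_count": len(prior), "trigger": b})
        return alarms
```

The correlation run keeps the A hits that fall inside the window before each B hit and, when a link field is set, only those from the same entity, so a single failed login from a different address inside the same window does not contribute to another address's alarm.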
When any of the above models is created, the alarm type of the alarms it outputs can be configured; alarm types are divided into two levels, as shown in Table 7.
TABLE 7
The alarms derived from the logs of the different security tools are automatically attributed to the different data life-cycle stages. The mapping between security tools and data life-cycle stages is shown in Table 8.
TABLE 8
In order to meet the standard requirements of data security maturity level 3 or above in the security event emergency process domain, namely that "a unified security event management system should be built, and content such as logs and traffic subjected to association analysis (bp.30.08)", the alarm handling unit 304, the risk management unit 305 and the event management unit 306 together constitute the security event management system; their specific functional designs are as follows.
The alarm handling unit 304 displays, in list form, the alarms generated by the alarm models through their association analysis of logs and traffic. As shown in fig. 21, the list fields include: alarm name, alarm type, start time, security alarm threat level, source IP, destination IP and handling status. A custom list field function is also provided: any field of the original log can be freely selected and displayed in the current page list as part of the alarm record. The list operations include: searching and filtering by date, name, group or the value of a certain field, and exporting the alarm records according to the current list fields. Clicking an alarm name enters the alarm details page, where the alarm can be handled. The basic information presented on the detail page includes source IP, destination IP, original ID, handling suggestion and the like, and the log information related to the alarm is presented in tabular or JSON format. The marking function can mark an alarm with one of four states: "unhandled", "being handled", "handling completed" or "false alarm".
The alarm handling unit can also perform a generate-risk or generate-event operation on any alarm, as the basis of event management. The generate-risk function turns an alarm into a risk: after clicking, the risk creation page is entered with the alarm name assigned to the risk name and the start time assigned to the discovery time. The generate-event function turns an alarm into an event: after clicking, the event creation page is entered with the alarm name assigned to the event name, the start time to the discovery time, the destination IP to the target object IP, the destination port to the target object port, the source IP to the source IP and the source port to the source port.
The risk management unit 305 presents, as part of the unified event management system, the risks generated by manual decision on alarms, manually filled-in risks, and risks reported through other system interfaces, in list form. The list fields include: risk name, affiliated department, risk level, discovery time, data source (alarm generation, manual report, docked data) and handling status. The list operations include: searching and filtering by the value of a certain field, exporting risk records according to the current list fields, sorting by time, viewing risk details and the like. As shown in fig. 22, the risk detail page displays basic information such as risk name, risk level, target object IP, asset name, target object port, risk type (value range: operation violation, data disclosure, data tampering, data disclosure, illegal access, system damage, data abuse, operation violation, other risks), target object URL, affiliated department, discovery time, end time, filler and filling time, and displays the complete original JSON of the record, which can be downloaded as a txt file package. The risk management unit 305 supports manually creating a new security risk; at creation the risk name, risk level, target object IP, risk type, target object port, discovery time, target object URL, end time and affiliated department can be configured, and files or pictures can be uploaded as attachments. Notification handling can be executed for any risk; clicking jumps to the new work order page of the security operation module.
The event management unit 306 presents, as part of the unified event management system, the events generated by manual decision on alarms, manually filled-in events, and events reported through other system interfaces, in list form. As shown in fig. 23, the list fields include: event name, affiliated department, event type (value range: operation violation event; system damage event; data security event: data tampering event, data impersonation event, data disclosure event, data theft event, data interception event, data abuse event, data loss event, data error event, data poisoning event, other data security event; violation operation event: rights abuse event, rights falsification event, behavior repudiation event, fault violation operation event, misoperation event, personnel availability breach event, unauthorized use event, other violation operation event; abnormal behavior event: access exception event, traffic exception event, other abnormal behavior event; other event), subclass, event level, occurrence time, handling status (value range: not notified, notified, rectification completed) and data source (value range: alarm generation, manual report, docked data). The list operations include: searching and filtering by the value of a certain field, exporting event records according to the current list fields, sorting by time, viewing event details and the like. The event detail page displays event name, data source, discovery time, event type, event category code, event level, discovery time, source IP, target object IP, source port, target object port, asset name, target object URL, affiliated department, application system, filler, filling time and evidence information.
As shown in fig. 24, the event management unit 306 supports manually adding a security event; at creation the event name, event level, discovery time, event description, source IP, target object IP, source port, target object URL, event type, subtype, remarks, evidence information, description information and original event can be configured, and files or pictures can be uploaded as attachments. Notification handling can be executed for any event; clicking jumps to the new work order page of the security operation module.
Based on the security requirements of DSMM in the process domains of data security policy planning, compliance management and the like, the system of the invention designs a security operation module 400, which consists of an emergency plan unit 401, an operation knowledge base unit 402, a work order management unit 403 and a partner evaluation unit 404.
Wherein the emergency plan unit 401 is configured to provide data security policy planning data and materials; the operation knowledge base unit 402 is configured to provide a data security compliance database for query; the work order management unit 403 is used for providing a flow mechanism, an evaluation mechanism and an approval mechanism for each system; the partner evaluation unit 404 is used to conduct compliance audits and analyses of the behavior of data service providers and data users upstream and downstream of the data supply chain.
Specifically, in the data security policy planning process domain, the standard requirement at data security maturity level 3 or above is: "a system for data security policy planning should be set up, through which interpretation materials of the policy plan are issued to the staff of the organization, so as to facilitate the implementation of the policy plan (bp.20.12)". Based on this, the emergency plan unit 401 specifically includes a plan management subunit 4011 and an exercise management subunit 4012. As shown in fig. 25, the plan management subunit 4011 uniformly issues, and supports exercising, the emergency plans and exercise schemes formulated for various kinds of accidents and hazard sources at different levels, specifies the responsibilities of the related departments and personnel in the pre-incident, incident, in-process and post-incident phases, and, in combination with work order management, tracks and handles problems that prevent an exercise from being completed or affect its effectiveness. The page displays the published emergency plans in list form, with the list fields: plan name, exercise period, number of exercises completed, latest exercise time, creation time and creator. The list operations comprise searching and filtering by the value of a certain field, exporting emergency plans, sorting by time, viewing plan details and the like. Adding a new plan is supported; when adding, the plan name, plan content and exercise period can be configured and plan attachments uploaded.
The exercise management subunit 4012 supports, for a single plan, operations such as exercising immediately, viewing details and deleting. The system can issue task work orders for the tasks involved in an exercise; participants can report problems found during the exercise through the exercise summary; the exercise initiator can view the specific progress of the exercise on a time axis; and the rectification of problems found can be completed in the form of task work orders based on the reported problems.
Specifically, in the compliance management process domain, the standard requirement at data security maturity level 3 or above is: "a data security compliance database should be built, through which related personnel can query compliance requirements (bp.22.12)". The operation knowledge base unit 402 displays its content by existing category, so that users can quickly find the corresponding material for compliance learning. As shown in fig. 26, the page presents the uploaded knowledge materials in list form, with the list fields: file name, file source, category label, file description, file type and upload time. The list operations include searching and filtering by the values of certain fields, exporting materials in batches, sorting by time, viewing details and the like. The category label can be chosen from laws and regulations, national standards, corporate regulations and industry standards, and can be customized. For a knowledge material, viewing details or deleting can be chosen; viewing details enters the original text viewing page of the material, and a deleted material is moved to the recycle bin.
Specifically, in process domains such as data classification and grading, data source identification and recording, and proper data use, the enterprise is repeatedly required to have a relevant system process, evaluation mechanism or approval mechanism, and the work order management unit 403 is specifically configured to support the unit in formulating and executing these system processes. Problems or related matters found by the platform are followed up in this unit in the form of work orders and yield corresponding handling results, so that the problems found by the platform and the matters needing handling can be tracked and their related content completed.
The detailed functional design of the work order management unit 403 is as follows:
1. Creating a work order
1) Creating from each business function page. The creation steps:
(1) Entering a corresponding function page
(2) Selecting a particular object
(3) Creating a worksheet
(4) Configuring corresponding work order content of service
(5) Confirming dispatch
Specifically, the asset management module 100 supports creation of a release asset claim worksheet, an asset report worksheet; the analysis and judgment module 300 supports creation of an issue alert handling worksheet, a risk handling worksheet, an event notification worksheet, a user behavior handling worksheet, a high-risk vulnerability handling worksheet, a high-order port handling worksheet, an illegal external connection handling worksheet, and a weak password handling worksheet; the secure operation module 400 supports creation of a published DSMM problem correction worksheet, a DSG problem correction worksheet, and an emergency exercise worksheet.
2) Creation from the work order management unit 403. Steps:
(1) Enter the work order management page
(2) Create a work order
(3) Select the work order type
(4) Configure the work order content for that type of business
(5) Confirm dispatch
The available work order types are: asset claim work order, asset report work order, alarm handling work order, risk handling work order, event handling work order, user behavior handling work order, high-risk vulnerability handling work order, high-risk port handling work order, illegal external connection handling work order, weak password handling work order, DSMM problem rectification work order, DSG problem rectification work order, emergency drill work order and general work order.
The work order information that can be configured when creating a general work order is shown in table 9:
TABLE 9
When creating the work order for any other business type, besides filling in the general work order content, the relevant object must be selected; the related object for each business type is shown in table 10. Through configuration items in the work order such as acceptor, approver and copied person, users can build their own business process and approval mechanism and carry out security operation online:
table 10
2. Work order operations
Besides viewing its details, further operations can be performed on a work order. Which operations are available is determined by the role of the current account within that particular work order together with the work order's current status, as shown in table 11.
TABLE 11
Role | Status | Further operations |
---|---|---|
Initiator | Pending | Edit, withdraw, delete |
Initiator | In progress | - |
Initiator | Processing completed | Delete |
Initiator | Withdrawn | Reassign, delete |
Initiator | Audit not passed | Delete |
Initiator | Closed | Delete |
Acceptor | Pending | Process, assign |
Acceptor | In progress | Process, assign |
Acceptor | Processing completed | - |
Acceptor | Withdrawn | - |
Acceptor | Audit not passed | Reprocess, assign |
Acceptor | Closed | - |
Auditor | To be audited | Audit |
Auditor | Audit not passed | Audit details |
Auditor | Closed | - |
Copied person | Pending | - |
Copied person | In progress | - |
Copied person | Processing completed | - |
Copied person | Withdrawn | - |
Copied person | Closed | - |
3. Handling a work order
After receiving a work order task, the acceptor performs the handling operation. The handling form differs by work order type:
1) General work order: as shown in fig. 28, fill in "processing result" (not processed or processed), "processing description" and "upload attachment".
2) Asset claim work order: as shown in fig. 29, fill in "claim status" (claim completed or not), "processing description" and "upload attachment".
3) Asset report work order: as shown in fig. 30, fill in "whether there is a change" (yes or no), "processing description" and "upload attachment". If the assets have changed, upload an asset list using the template for the asset type of the current task; the template is essentially the same as the import template for that asset type in the asset inventory, with one extra "change type" column.
4) Alarm, risk and event handling work orders: as shown in fig. 31, fill in "processing result" (false alarm, processed or not processed), "processing description" and "upload attachment".
5) High-risk vulnerability handling work order: as shown in fig. 32, fill in "processing result" (not found, repaired or not handled for now), "processing description" and "upload attachment".
6) High-risk port handling work order: as shown in fig. 33, fill in "processing result" (not found, blocked or not handled for now), "processing description" and "upload attachment".
7) Illegal external connection handling work order: as shown in fig. 34, fill in "processing result" (not found, repaired or not handled for now), "processing description" and "upload attachment".
8) Weak password handling work order: as shown in fig. 35, fill in "processing result" (not found, modified or not modified for now), "processing description" and "upload attachment".
9) DSMM/DSG problem rectification work orders: as shown in fig. 36, fill in "processing result" (rectified or not processed), "processing description" and "upload attachment".
4. Work order status
Every role involved in a work order can check its current status at any time and follow the processing progress. The status shown changes with the operations the work order has undergone, as shown in fig. 37.
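Table 11 is in effect an authorization policy: whether an operation is allowed depends on the actor's role in that particular work order (not on a global role) and on the order's current status, and anyone not bound to the order, including the copied person, gets nothing. The following Python is an added example and not code from the patent; it encodes table 11 as a lookup keyed by (role, status), binds roles per order, and applies the transitions. The transitions themselves (which status an operation leads to, for instance that a submitted "process" goes to audit) are assumptions, since the page names the statuses but not the arrows between them; the status, role and function names are illustrative.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    PENDING = "pending"
    IN_PROGRESS = "in_progress"
    COMPLETED = "completed"
    WITHDRAWN = "withdrawn"
    TO_BE_AUDITED = "to_be_audited"
    AUDIT_FAILED = "audit_not_passed"
    CLOSED = "closed"          # named on the page; the closing operation is not described


class Role(str, Enum):
    INITIATOR = "initiator"
    ACCEPTOR = "acceptor"
    AUDITOR = "auditor"
    COPIED = "copied"


# (role, status) -> operations permitted, transcribed from table 11.
# Anything absent here is denied, which is why the copied person never appears.
PERMITTED = {
    (Role.INITIATOR, Status.PENDING): {"edit", "withdraw", "delete"},
    (Role.INITIATOR, Status.COMPLETED): {"delete"},
    (Role.INITIATOR, Status.WITHDRAWN): {"reassign", "delete"},
    (Role.INITIATOR, Status.AUDIT_FAILED): {"delete"},
    (Role.INITIATOR, Status.CLOSED): {"delete"},
    (Role.ACCEPTOR, Status.PENDING): {"process", "assign"},
    (Role.ACCEPTOR, Status.IN_PROGRESS): {"process", "assign"},
    (Role.ACCEPTOR, Status.AUDIT_FAILED): {"reprocess", "assign"},
    (Role.AUDITOR, Status.TO_BE_AUDITED): {"audit"},
    (Role.AUDITOR, Status.AUDIT_FAILED): {"audit_details"},
}


@dataclass
class WorkOrder:
    order_id: str
    order_type: str
    initiator: str
    acceptor: str
    auditor: str
    copied: tuple = ()
    status: Status = Status.PENDING
    deleted: bool = False
    history: list = field(default_factory=list)

    def role_of(self, user: str):
        """Role of `user` in THIS order. Rights are bound to the order, not the
        account: being the acceptor of another order grants nothing here."""
        if user == self.initiator:
            return Role.INITIATOR
        if user == self.acceptor:
            return Role.ACCEPTOR
        if user == self.auditor:
            return Role.AUDITOR
        if user in self.copied:
            return Role.COPIED
        return None


def allowed_ops(order: WorkOrder, user: str) -> set:
    """Operations `user` may perform on `order` right now (table 11 lookup)."""
    role = order.role_of(user)
    if role is None or order.deleted:
        return set()
    return set(PERMITTED.get((role, order.status), ()))


def apply_op(order: WorkOrder, user: str, op: str, **kw) -> WorkOrder:
    """Authorize against table 11, then apply the (assumed) status transition."""
    if op not in allowed_ops(order, user):
        raise PermissionError(
            f"{user!r} may not {op!r} order {order.order_id} in status {order.status.value}")
    before = order.status
    if op == "delete":
        order.deleted = True
    elif op == "withdraw":
        order.status = Status.WITHDRAWN
    elif op in ("assign", "reassign"):         # hand the order to another acceptor
        order.acceptor = kw["to"]
        order.status = Status.PENDING
    elif op in ("process", "reprocess"):       # submit=True means the handling form was filled in
        order.status = Status.TO_BE_AUDITED if kw.get("submit") else Status.IN_PROGRESS
    elif op == "audit":
        order.status = Status.COMPLETED if kw["passed"] else Status.AUDIT_FAILED
    # "edit" and "audit_details" leave the status unchanged
    order.history.append((user, op, before.value, order.status.value))
    return order
```

The check in `apply_op` is the one that matters: the buttons a page shows (the "more operations" column) are a convenience, and the same (role, status) lookup has to run server-side on every request, otherwise a copied person who crafts the request by hand can withdraw or audit an order.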
Based on the DSMM requirements at maturity level 4 and above in the data supply chain security process domain, namely "compliance review and analysis should be performed on the behavior of data service providers and data consumers upstream and downstream of the data supply chain" (BP.24.13) and "based on the relevant records of the data supply chain, technical tools should be used to perform security audit and analysis of the parties upstream and downstream of the data supply chain" (BP.24.14), the partner evaluation unit 404 first shows the total number of partners and the numbers of high-, medium- and low-risk partners. A partner's risk level is the highest risk level among the personnel associated with that partner, as shown in fig. 38: for example, if a high-risk alarm exists on any account of any employee of a partner, that partner is rated high risk. The alarms considered are those generated by the analysis and judgment centre of the system, and the alarm level is the one the user assigned when configuring the relevant alarm rules and policies. An alarm is associated with an account when all of the following hold: message type = the account's system type, destination IP = the account's system IP, destination port = the account's system port, and the account name in the message = the account's name.
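The paragraph above gives two rules that are easy to get wrong in an implementation: alarms are joined to accounts on all four fields, not on the account name alone, and risk rolls up by taking the maximum (alarm to person, person to partner) rather than by counting. The Python below is an added example, not code from the patent, with constructed partner, account and alarm data; the vendor, person and account names, the level labels and the function names are all illustrative. The third alarm matches an account name but not the destination port, so it must not taint that partner.

```python
from collections import Counter
from dataclasses import dataclass

# Ordering used for "the highest risk level wins".
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Account:
    name: str          # account name on the target system
    system_type: str   # type of the system the account belongs to
    system_ip: str
    system_port: int
    owner: str         # person who uses the account


@dataclass(frozen=True)
class Alarm:
    message_type: str  # type of the log message that raised the alarm
    dst_ip: str
    dst_port: int
    account_name: str  # account name carried in the message
    level: str         # set by the user in the alarm rule or policy


def alarm_matches(alarm: Alarm, acct: Account) -> bool:
    """Association rule from the page: all four fields must agree. Matching on
    the name alone would let an 'admin' alarm on one host taint every partner
    that has an 'admin' account anywhere."""
    return (alarm.message_type == acct.system_type
            and alarm.dst_ip == acct.system_ip
            and alarm.dst_port == acct.system_port
            and alarm.account_name == acct.name)


def rate_partners(partners: dict, accounts: list, alarms: list):
    """partners: {vendor: [person, ...]}. Returns ({vendor: level}, Counter of levels).
    Person level = highest level of any alarm on the person's accounts;
    partner level = highest level over the partner's personnel."""
    person_level = {}
    for alarm in alarms:
        for acct in accounts:
            if alarm_matches(alarm, acct):
                current = person_level.get(acct.owner, "none")
                if LEVEL_RANK[alarm.level] > LEVEL_RANK[current]:
                    person_level[acct.owner] = alarm.level
    vendor_level = {
        vendor: max((person_level.get(p, "none") for p in people),
                    key=LEVEL_RANK.__getitem__, default="none")
        for vendor, people in partners.items()
    }
    return vendor_level, Counter(vendor_level.values())


# Constructed sample data (not from the patent).
PARTNERS = {
    "Acme Data Co": ["li.wei", "zhang.min"],
    "Beta Analytics": ["wang.fang"],
    "Gamma Cloud": ["chen.jun"],
}
ACCOUNTS = [
    Account("acme_etl", "mysql", "10.10.1.5", 3306, "li.wei"),
    Account("acme_ro", "mysql", "10.10.1.5", 3306, "zhang.min"),
    Account("beta_api", "http", "10.10.2.8", 8443, "wang.fang"),
    Account("admin", "ftp", "10.10.3.2", 21, "chen.jun"),
]
ALARMS = [
    Alarm("mysql", "10.10.1.5", 3306, "acme_etl", "high"),   # bulk read by Acme's ETL account
    Alarm("http", "10.10.2.8", 8443, "beta_api", "low"),     # off-hours API call
    Alarm("ftp", "10.10.3.2", 2121, "admin", "high"),        # port differs: not Gamma's account
]


def demo():
    return rate_partners(PARTNERS, ACCOUNTS, ALARMS)
```

With the sample data, Acme is rated high, Beta low and Gamma none, and the summary counter feeds the "total and high/medium/low counts" header of the partner evaluation page. Because the join is exact on IP and port, the account inventory behind it has to be kept current (the asset report work orders above are one way to do that), or alarms silently stop associating after a system moves.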
Below the statistics, each partner is listed as a card showing: vendor name, service status, vendor abbreviation, affiliated organization, vendor type, vendor contact and vendor label. The service status is derived from the current time and the service period: "in service" if the current time falls within the service period, "service ended" otherwise. A card in the "service ended" state shows the prompt: "Business cooperation has ended; please urge the partner to close the data interface in time according to the contract and delete the data." Card operations include viewing the detailed archive, editing and deleting. The partners can alternatively be displayed as a list containing the same information as the cards. Vendors can be searched through a tree-structured index or by information such as organization, vendor name, vendor type, vendor contact and vendor label.
The vendor detail page first displays the vendor's basic information: vendor name, service status, vendor label, vendor abbreviation, vendor type, management unit contact, unified social credit code, region, service period, vendor contact details, creation time, vendor website, detailed address and confidentiality agreement.
As shown in fig. 39, the partner's system list is displayed next, including each system's department, protection level and protection status, together with counts of systems at each risk level. Then the associated personnel list is displayed, including each person's name, employment status, personnel type, position and contact details, together with counts of personnel at each risk level. Below the personnel list, personnel change records are displayed on a time axis; each change node shows the number of added personnel, the number of removed personnel, the current headcount, the operator's name and the operation time.
Based on how data circulates through an organization's business in a big data environment, DSMM defines multi-level data security capability requirements around the data life cycle. DSMM covers four capability dimensions (organizational construction, institutional processes, technical tools and personnel capability), so construction has to be completed from several aspects with several technical tools.
A data security platform (system) that integrates multiple data security technologies to protect the platform's data is a newer design concept for data security products in recent years. Each function of the platform-type data security management and operation system is designed on the basis of DSMM, providing a way of implementing the DSMM standard and a direction for the design of platform-type data security products.
The scheme gives a concrete platform-type implementation for most of the requirements in the DSMM national standard; a data security platform (system) can readily be developed from it, and system users can fulfil the related DSMM requirements by means of the developed platform (system). This is of great value in the construction of data security compliance.
It should be understood that the foregoing examples of the present invention are merely illustrative of the present invention and are not intended to limit the present invention to the specific embodiments thereof. Any modification, equivalent replacement, improvement, etc. that comes within the spirit and principle of the claims of the present invention should be included in the protection scope of the claims of the present invention.
Claims (10)
1. A DSMM-based data security management and control and operation system, comprising:
an asset management module consisting of an asset discovery unit, an asset combing unit and an asset inventory unit; the asset discovery unit is used for registering data assets and providing a data asset registration mechanism; the asset combing unit is used for organizing the overall state of the data assets and providing a data classification and grading marking or data asset management tool; the asset inventory unit is used for providing an indexable and queryable data asset inventory;
a security device management and control module consisting of a security device management unit and a security policy management unit; the security device management unit is used for managing third-party security tools; the security policy management unit is used for tracking the effect of data classification identification and continuously improving the accuracy of data classification;
an analysis and judgment module consisting of an original log unit, an original alarm unit, an index management unit, an alarm model unit, an alarm handling unit, a risk management unit and an event management unit; the original log unit is used for normalizing and collecting data operation logs or other log information gathered by third-party security devices; the original alarm unit is used for displaying alarm information generated by the security control devices deployed in each stage of the data life cycle according to their own rules or policies; the index management unit is used for monitoring high-risk data operations or events by combining automatic audit with manual audit; the alarm model unit processes and analyses logs of all kinds of data access and operation in a unified way and quantifies the data security risk they cause; the alarm handling unit, the risk management unit and the event management unit form alarm information on the basis of the alarm models' correlation analysis of logs, traffic and other content, and combine it with manual checking and confirmation to form unified management of risks and events;
a security operation module consisting of an emergency plan unit, an operation knowledge base unit, a work order management unit and a partner evaluation unit; the emergency plan unit is used for recording the system's emergency plan and tracking drill records; the operation knowledge base unit is used for providing a data security compliance database for query; the work order management unit is used for providing a process mechanism, an evaluation mechanism and an approval mechanism for each system; the partner evaluation unit is used for performing compliance audit and analysis of the behavior of data service providers and data users upstream and downstream of the data supply chain.
2. The DSMM-based data security management and operation system of claim 1, wherein
the asset discovery unit is used for discovering data assets, host assets and API assets at a preset period and storing them in list form to produce an asset discovery list;
the asset discovery list is used to store and present asset discovery information and provides an asset claim function.
3. The DSMM-based data security management and operation system of claim 2, wherein
the asset combing unit comprises an asset relationship visualization subunit, an account authority management subunit, an asset reporting subunit and a classification and grading subunit;
the asset relationship visualization subunit is used for presenting the relationships among host assets, data assets, API assets, related personnel and asset-related accounts in the form of an undirected graph;
the account authority management subunit is used for visually presenting the authority and sensitivity status of managed accounts in several different ways;
the asset reporting subunit is used for providing a superior manager with a way of actively collecting information from the subordinate department responsible for a specific asset;
the classification and grading subunit is used for configuring classification and grading tasks within the unit, passing the tasks to an integrated third-party classification and grading tool, and automatically synchronizing the classification and grading results once the task is complete.
4. The DSMM-based data security management and operation system according to claim 2 or 3, wherein
the asset inventory unit comprises a data source subunit, a metadata subunit, an API interface subunit, an application asset subunit, a host asset subunit, an account asset subunit and a personnel asset subunit;
the data source subunit is used for displaying at least the total number of data sources, the number of related host assets, the number of related application systems, the number of related personnel, the number of combed data sources and the number of uncombed data sources, and for displaying the data source type distribution as a chart or table;
the metadata subunit is used for displaying at least the total number of data sources, the total number of sensitive data sources, the total number of data tables, the total number of sensitive data tables, the total number of data columns, and the number and proportion of sensitive data columns, and for displaying the distribution of data sources at different sensitivity levels as a chart or table;
the API interface subunit is used for displaying at least the total number of interfaces, the number of related application systems, the number of related accounts, the number and proportion of sensitive interfaces, and the number and proportion of zombie interfaces, and for displaying the trend of interface access frequency as a chart or table;
the application asset subunit is used for displaying at least the total number of business application systems and the numbers and proportions of high-risk, medium-risk, low-risk and risk-free systems;
the host asset subunit is configured to display at least the number of network assets and the numbers and proportions of high-risk, medium-risk, low-risk and risk-free assets;
the account asset subunit is used for displaying at least the total number of accounts, the number of active accounts, and the numbers and proportions of high-risk, medium-risk, low-risk and risk-free accounts, and for displaying the account type distribution as a chart or table;
the personnel asset subunit is configured to display at least the total number of personnel and the numbers and proportions of high-risk, medium-risk, low-risk and risk-free personnel.
5. The DSMM-based data security management and operation system of claim 4, wherein
the metadata subunit is further used for navigating metadata on the metadata list page using data classification, sharing attribute, openness attribute, data domain, subject classification and update period as advanced filters;
the metadata subunit is further configured to obtain metadata in three ways: automatic discovery of data sources and extraction of metadata by the deployed asset discovery device in the asset discovery unit; adding or batch-importing metadata on the page; and uploading metadata through the asset reporting subunit or other accounts.
6. The DSMM-based data security management and operation system of claim 1, wherein
the security device management unit is specifically used for displaying information on all currently connected security devices;
the security policy management unit is specifically configured to support adding, modifying and deleting any device policy, and further to display, in card form and organized by data security life cycle stage (as tab pages), the running state, resource consumption, policy execution status and operating data visualization of each related security tool.
7. The DSMM-based data security management and operation system of claim 1, wherein
the original log unit is used for normalizing, collecting and displaying data operation logs or other log information gathered by third-party security devices;
the original alarm unit is specifically used for displaying alarm information generated by the security management and control devices deployed in each stage of the data life cycle according to their own rules or policies;
the index management unit is specifically used for filtering on any log data item, grouping and aggregating by any object within a time window to generate a statistical time series index, and setting an index label and an index description;
the alarm model unit is specifically used for creating several alarm models, using them to process and analyse logs of all kinds of data access and operation in a unified way, and quantifying the data security risk caused by that access and operation;
the alarm handling unit is specifically used for displaying the alarm records produced when the platform's original logs hit an alarm model;
the risk management unit is specifically used for displaying risks produced by manual judgment of alarms, risks entered manually and risks reported through the interfaces of other systems;
the event management unit is specifically configured to display events produced by manual judgment of alarms, events entered manually and events reported through the interfaces of other systems.
8. The DSMM-based data security management and operation system of claim 7, wherein
the alarm models created by the alarm model unit comprise a rule model, an association model, a statistical model and an AI model;
the rule model is used for setting, on any filtered log data item, a content matching rule of complete match, regular expression, equation or inequality;
the association model is used for combining rules set on any two logs by both temporal order and logic;
the statistical model is used for setting an equation or inequality on any established time series index;
the AI model is used for configuring anomaly detection algorithms such as ARIMA, exponential smoothing, periodic Gaussian estimation, feature point deviation and emerging entity on any established time series index.
9. The DSMM-based data security management and operation system of claim 1, wherein
the emergency plan unit comprises a plan management subunit and a drill management subunit;
the plan management subunit is used for displaying and managing published emergency plans;
the drill management subunit is configured to support launching a drill and tracking drill problems for each plan.
10. The DSMM-based data security management and operation system of claim 9, wherein
the operation knowledge base unit is used for displaying and managing data security compliance material;
the work order management unit is used for recording discovered problems and/or related matters and their processing results as work orders, and for managing the generated work orders;
the partner evaluation unit is used for displaying the total number of partners and the numbers of high-, medium- and low-risk partners, and for supporting queries of partner information.
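Claims 7 and 8 describe a detection pipeline: the index management unit filters log items, groups them by an object within a time window and aggregates them into a time series, and the alarm models then match single records (rule model: complete match, regular expression, inequality) or threshold the index (statistical model). The Python below is an added example, not code from the patent, showing that pipeline over a handful of constructed data-operation log records; the record fields, the "customer" table, the account names, the 1000 rows/minute threshold and the function names are all illustrative assumptions. It covers the rule and statistical models only; the association and AI models of claim 8 are not shown.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data-operation logs (not from the patent), already
# normalized into one record per operation by the original log unit.
LOGS = [
    {"ts": "2023-03-31T09:00:05", "account": "ops01", "op": "SELECT", "table": "customer", "rows": 120, "src_ip": "10.1.2.3"},
    {"ts": "2023-03-31T09:00:20", "account": "tmp_vendor", "op": "SELECT", "table": "orders", "rows": 10, "src_ip": "203.0.113.9"},
    {"ts": "2023-03-31T09:00:30", "account": "dba02", "op": "DELETE", "table": "customer", "rows": 5, "src_ip": "10.1.2.9"},
    {"ts": "2023-03-31T09:00:40", "account": "ops01", "op": "SELECT", "table": "customer", "rows": 300, "src_ip": "10.1.2.3"},
    {"ts": "2023-03-31T09:00:50", "account": "ops01", "op": "SELECT", "table": "customer", "rows": 900, "src_ip": "10.1.2.3"},
    {"ts": "2023-03-31T09:01:10", "account": "ops01", "op": "SELECT", "table": "customer", "rows": 50, "src_ip": "10.1.2.3"},
]

# Matching kinds of the rule model: complete match, regular expression, inequality.
MATCHERS = {
    "eq": lambda v, x: v == x,
    "regex": lambda v, x: re.search(x, str(v)) is not None,
    "gt": lambda v, x: v > x,
    "lt": lambda v, x: v < x,
}


def _holds(rec, field, kind, value):
    v = rec.get(field)
    return v is not None and MATCHERS[kind](v, value)


def rule_model(logs, conditions):
    """Rule model: a record hits when every (field, kind, value) condition holds."""
    return [r for r in logs if all(_holds(r, f, k, v) for f, k, v in conditions)]


def build_index(logs, keep, group_by, value, window):
    """Index management: filter with `keep`, group by the `group_by` object inside
    fixed `window` buckets, and sum `value` to give one time series per object.
    Buckets are keyed by their ISO start time so results are plain data."""
    series = defaultdict(lambda: defaultdict(int))
    for rec in logs:
        if not keep(rec):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        start = ts - (ts - datetime.min) % window   # floor ts to its window boundary
        series[rec[group_by]][start.isoformat()] += value(rec)
    return {obj: sorted(points.items()) for obj, points in series.items()}


def statistical_model(index, kind, threshold):
    """Statistical model: an inequality applied to every point of an index."""
    return [(obj, when, total) for obj, points in index.items()
            for when, total in points if MATCHERS[kind](total, threshold)]


def customer_export_index(logs):
    """Rows read from the sensitive 'customer' table, per account, per minute."""
    return build_index(logs,
                       keep=lambda r: r["op"] == "SELECT" and r["table"] == "customer",
                       group_by="account",
                       value=lambda r: r["rows"],
                       window=timedelta(minutes=1))


def evaluate(logs):
    """Run the models over the logs and return the hits of each."""
    index = customer_export_index(logs)
    return {
        "bulk_export": statistical_model(index, "gt", 1000),   # more than 1000 rows in one minute
        "temp_account": rule_model(logs, [("account", "regex", r"^tmp_")]),
        "destructive_on_sensitive": rule_model(logs, [("op", "eq", "DELETE"),
                                                      ("table", "eq", "customer")]),
    }
```

Note that the three SELECTs by ops01 are individually unremarkable (120, 300 and 900 rows) and only the aggregated index exposes the 1320-row burst; that is the point of building a time series index before thresholding rather than writing a per-record rule. Each hit would then become an alarm record in the alarm handling unit and, after manual judgment, a risk or event work order.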
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310345117.2A CN116738449A (en) | 2023-03-31 | 2023-03-31 | DSMM-based data security management and control and operation system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310345117.2A CN116738449A (en) | 2023-03-31 | 2023-03-31 | DSMM-based data security management and control and operation system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116738449A true CN116738449A (en) | 2023-09-12 |
Family
ID=87915842
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310345117.2A Pending CN116738449A (en) | 2023-03-31 | 2023-03-31 | DSMM-based data security management and control and operation system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116738449A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117195183A (en) * | 2023-09-28 | 2023-12-08 | 四川赛闯检测股份有限公司 | Data security compliance risk assessment system |
CN117195183B (en) * | 2023-09-28 | 2024-04-16 | 四川赛闯检测股份有限公司 | Data security compliance risk assessment system |
CN117574424A (en) * | 2023-11-09 | 2024-02-20 | 湖北清江水电开发有限责任公司 | Intelligent power data pushing management system and method based on big data |
CN118509337A (en) * | 2024-07-18 | 2024-08-16 | 中孚信息股份有限公司 | Data asset identification method, system, device and readable storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11036674B2 (en) | Data processing systems for processing data subject access requests | |
US11036771B2 (en) | Data processing systems for generating and populating a data inventory | |
US20190266529A1 (en) | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques | |
US20190050596A1 (en) | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques | |
CN113486351A (en) | Civil aviation air traffic control network safety detection early warning platform | |
US10454973B2 (en) | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods | |
CN116738449A (en) | DSMM-based data security management and control and operation system | |
US20100050264A1 (en) | Spreadsheet risk reconnaissance network for automatically detecting risk conditions in spreadsheet files within an organization | |
US9697352B1 (en) | Incident response management system and method | |
US10438017B2 (en) | Data processing systems for processing data subject access requests | |
US11038925B2 (en) | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods | |
US10509920B2 (en) | Data processing systems for processing data subject access requests | |
US20100049746A1 (en) | Method of classifying spreadsheet files managed within a spreadsheet risk reconnaissance network | |
US20100049745A1 (en) | Method of implementing an organization's policy on spreadsheet documents monitored using a spreadsheet risk reconnaissance network | |
US11228620B2 (en) | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods | |
US20100049565A1 (en) | Method of computing spreadsheet risk within a spreadsheet risk reconnaissance network employing a research agent installed on one or more spreadsheet file servers | |
US10803200B2 (en) | Data processing systems for processing and managing data subject access in a distributed environment | |
US11070593B2 (en) | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods | |
US20210141932A1 (en) | Data processing systems and methods for managing user system access | |
US10848523B2 (en) | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods | |
US20100049723A1 (en) | Spreadsheet risk reconnaissance network for automatically detecting risk conditions in spreadsheet documents within an organization using principles of objective-relative risk analysis | |
US11222309B2 (en) | Data processing systems for generating and populating a data inventory | |
US20100050230A1 (en) | Method of inspecting spreadsheet files managed within a spreadsheet risk reconnaissance network | |
Khurshid et al. | Big data-9vs, challenges and solutions | |
US11438386B2 (en) | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||