2024-08-26

Read “Legal Compliance Points of Cyberspace Asset Mapping Business”

The definition of cyberspace asset mapping

Cyberspace has become a second living space for human production and life, and the hardware and software systems, information and data it contains are important strategic resources for the state; it is therefore also regarded as the “fifth space” of national cyber sovereignty, after land, sea, air and outer space.

Cyberspace mapping is different from cyberspace asset mapping. According to the group standard “Security Requirements for Information Security Technology Cyberspace Asset Mapping” (standard number T/COSOCC 007-2024), issued and implemented by the China Society for Optimization of Capital Construction on April 10, 2024, cyberspace asset mapping refers to obtaining the relevant attributes of cyberspace assets, such as cyberspace infrastructure, users and services, by means of network detection, collection, processing and analysis, and drawing these attributes in the form of logical graphs, so as to reflect intuitively and in real time the status and development trend of each attribute of current cyberspace assets.

According to the “Information Technology Cyberspace Mapping System Structure” (draft for comment), issued and implemented on March 14, 2024, cyberspace mapping is based on a cyberspace coordinate system, takes the cyberspace map as its goal, and obtains the location and attribute information of cyberspace resources through network measurement under a unified cyberspace space-time benchmark and resource definition, in order to achieve a multi-scale, multi-dimensional panorama of cyberspace.

It can be seen from the above concepts that cyberspace mapping and cyberspace asset mapping differ conceptually. Cyberspace mapping is the broader concept: its goal is a holographic map of cyberspace that includes not only the location and properties of cyber assets but also their relationships and topologies in cyberspace. Cyberspace asset mapping is more focused on the assets themselves, including their discovery, identification, assessment and risk control, and on how asset data can be linked to security risks to improve the timeliness of emergency response. In general, cyberspace mapping provides a macro perspective covering all aspects of cyberspace, while cyberspace asset mapping focuses on detailed analysis and application at the asset level.

In practice, enterprises usually carry out cyberspace asset mapping services with automated tools and technologies such as network scanners, port scanners, vulnerability scanners and passive DNS services. These explore the asset information of the global Internet (Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), and publicly registered domain names on the wide-area Internet) and all the information services carried on it, involving hardware devices, cloud hosts, operating systems, Internet Protocol (IP) addresses, ports, certificates, domain names, web applications, business applications, middleware, frameworks, institutional public accounts, mini programs, applications (apps), application programming interfaces (APIs), source code, etc., and they perform analysis of asset and vulnerability impact scope, application distribution statistics and application popularity situational awareness.

Introduction to the practice of cyberspace asset mapping business

(1) Introduction of mainstream products

Although the difference between cyberspace asset mapping and cyberspace mapping has been clearly defined in the analysis above, the names of the relevant products in current practice do not make this distinction. The current mainstream websites and tools related to cyberspace (asset) mapping include but are not limited to the following products:

1. Network Asset Mapping and Analysis System (D01 for short), designed by the First Research Institute of the Ministry of Public Security

The system collects Internet asset data and fingerprints (a “fingerprint” is a collection of characteristic information that can uniquely describe and identify a device or service on the network; the fingerprint characteristics of cyberspace assets include but are not limited to hardware devices, cloud hosts, operating systems, IP addresses, ports, certificates, domain names, web applications, business applications, middleware, frameworks, etc.), realizes the retrieval, analysis and monitoring of cyberspace assets, and carries out vulnerability statistical analysis in combination with threat intelligence such as vulnerability and vendor information. It aims to provide a comprehensive network asset security posture for national key industries and departments.

2. 360 QUAKE cyberspace mapping system

Developed as the core system of 360 Security Brain's Mapping Cloud, it continuously detects global IPv4 and IPv6 addresses, senses all types of assets in global cyberspace in real time, and discovers their security risks.

3. Qianxin cyberspace mapping platform (Eagle Map platform for short)

By technical means, geographic space, social space and cyberspace are mapped onto one another and cyberspace maps are drawn, making Internet assets searchable and locatable and helping customers inventory the exposed surface of their Internet assets.

4. FOFA

The cyberspace asset search engine launched by White Hat helps researchers and enterprises quickly match cyberspace assets through cyberspace asset mapping, for tasks such as vulnerability impact scope analysis and application distribution statistics.

5. Shodan

Shodan is a cyberspace search engine that can search for networked devices such as servers, cameras and routers, and provides detailed device information and port data.

6. ZoomEye (Zhongkui's Eye)

This cyberspace radar system provides data support for the security supervision and management of cyberspace assets and for building active attack-and-defense systems for government, enterprise and military units.

(2) Introduction to the application scenarios of cyberspace asset mapping business

Scenarios where cyberspace asset mapping products can be applied in different industries include, but are not limited to:

1. Power and energy industry: through active detection and passive traffic monitoring, comprehensively map business systems and industrial control equipment in the power industry, help build the asset base map for map-based operations, and identify hidden assets.

2. Industrial Internet: through multi-point collaborative discovery and fusion analysis, form a cross-regional, cross-industry map of industrial Internet resources to help the competent authorities understand the baseline inventory and security status of industrial Internet resources.

3. Smart city construction: deployed in urban industrial projects, provide comprehensive visualized data and technical support, continuously monitor network security incidents, and provide an important basis and support for urban network security management.

4. Public security system: provide a cyberspace asset detection system for public security bureaus, help regulatory units comprehensively understand the asset information of critical information infrastructure, respond quickly to security incidents, and provide a scientific basis for decision-making, command and dispatch.

5. Enterprise asset management: network asset mapping products help enterprises take full inventory of their assets, monitor security vulnerabilities in real time, dispose of security threats promptly, build a network security defense line, and continuously improve a full-scenario defense-in-depth system.

The above scenarios partly show the wide application of cyberspace asset mapping products across industries. They provide the relevant industries with comprehensive network asset identification, risk assessment, security management and response capabilities, and are important tools for maintaining network security.

Key points of legal compliance for cyberspace asset mapping business

Enterprises operating a cyberspace asset mapping business should not only actively fulfill the general legal compliance requirements for network platforms and network products, but also pay attention to the specific legal obligations of the cyberspace asset mapping industry, so as to ensure stable and compliant development and avoid potential civil litigation, administrative penalties and criminal liability.

(1) General legal compliance requirements

According to the Cyber Security Law, the Data Security Law, the Personal Information Protection Law and other laws and regulations, the actual operation of a cyberspace asset mapping business involves the collection, storage, processing, transmission and other processing of a large amount of data, and operators have compliance obligations including but not limited to the following:

1. Formulate internal security management systems and operating procedures, designate the person in charge of network security, and implement network security protection responsibilities.

2. Take technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security.

3. Take technical measures to monitor and record network operation status and network security events, and retain the relevant network logs for no less than six months as required.

4. Take measures such as data classification, backup and encryption of important data.

5. Do not install malicious programs; when security defects, vulnerabilities or other risks are found in its network products and services, immediately take remedial measures, inform users in a timely manner, and report to the relevant competent authorities as required.

6. Provide continuous security maintenance for its products and services; the provision of security maintenance shall not be terminated within the time limit prescribed by regulation or agreed by the parties.

7. Formulate emergency plans for network security incidents, data security incidents and personal information protection incidents, so as to deal promptly with risks such as system vulnerabilities, computer viruses, network attacks, network intrusions, data leakage and personal information leakage; in the event of an incident endangering network, data or personal information security, immediately activate the emergency plan, take appropriate remedial measures, and report to the relevant competent authorities as required.

8. Do not engage in activities that endanger network security, such as illegally intruding into others' networks or interfering with the normal functioning of others' networks; collect data in a lawful and legitimate manner, and do not steal or otherwise illegally obtain data.

9. Establish and improve a data security management system covering the whole process, and take corresponding technical and other necessary measures to ensure data security.

10. Collect personal information in accordance with the principles of legality, legitimacy, necessity, good faith and openness, and ensure that the collection, use and other processing of personal information is legal and compliant.

11. Regularly carry out training on the laws and regulations and business practices related to personal information protection, data security and network security.

(2) Specific legal compliance requirements for the cyberspace asset mapping industry

According to the group standard "Security Requirements for Information Security Technology Cyberspace Asset Mapping" (standard number T/COSOCC 007-2024), which came into effect on April 10, 2024, and other provisions, operators of a cyberspace asset mapping business have the following compliance obligations:

1. [Data storage] Personal information and other important mapping data collected during asset mapping within the territory of the People's Republic of China shall be stored within the territory, using domestic storage equipment; the security of the storage environment shall be ensured, and the storage shall be physically isolated from the network where necessary.

2. [Data analysis] Analysis of cyberspace asset data shall be carried out with the authorization of the data owner, and the cyberspace asset data obtained shall be subject to sensitive-data detection, graded processing and restricted correlation analysis.

3. [Sensitive data processing] If data obtained during cyberspace asset mapping activities involves high-value sensitive data such as customer data, technical data or personal information, the mapping activities shall be stopped promptly and reported to the regulatory authority for the record, and the sensitive data obtained shall be sealed or destroyed promptly. For asset information that the user refuses to have disclosed, mapping and collection shall be stopped.

4. [Desensitization] Necessary sensitive data obtained in cyberspace asset mapping shall be desensitized; for example, the database masks the user's mobile phone number, contact address, network identity, service record and other fields that need to be desensitized.
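As an added illustration of items 2 and 4 above (not code from the article or from any of the products it names), the following Python sketch runs a constructed asset record through sensitive-data detection and then desensitizes the listed fields; the field names, the regex shapes and the masking rule are assumptions.

```python
import re

# Fields the standard lists for desensitization (field names are assumptions).
SENSITIVE_FIELDS = {"mobile_phone", "address", "network_identity", "service_record"}
# Patterns that catch sensitive data echoed in an unexpected field, e.g. a banner.
PATTERNS = {
    "mobile_phone": re.compile(r"\b1[3-9]\d{9}\b"),  # mainland mobile number shape
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def mask(value, keep_head=3, keep_tail=2):
    """Keep a short prefix and suffix, replace the middle with '*'."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    middle = len(value) - keep_head - keep_tail
    return value[:keep_head] + "*" * middle + value[-keep_tail:]

def detect_sensitive(record):
    """Return {field: reason} for every field holding sensitive data."""
    hits = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS and value:
            hits[field] = "listed field"
            continue
        for name, pat in PATTERNS.items():
            if pat.search(value):
                hits[field] = "matches " + name
                break
    return hits

def desensitize(record):
    """Mask listed fields whole and pattern hits in place; return (clean, audit)."""
    hits = detect_sensitive(record)
    clean = dict(record)
    for field, reason in hits.items():
        if reason == "listed field":
            clean[field] = mask(record[field])
        else:
            for pat in PATTERNS.values():
                clean[field] = pat.sub(lambda m: mask(m.group(0)), clean[field])
    return clean, hits

# Constructed sample record; every value is made up.
SAMPLE = {
    "ip": "203.0.113.10",
    "banner": "Apache/2.4.57 contact admin@example.com",
    "mobile_phone": "13812345678",
    "network_identity": "zhangsan",
    "service_record": "",
}
```

The audit dictionary returned alongside the cleaned record is what a traceability log (item 5) would retain, while the masked record is what reaches the asset database.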

5. [Traceability] Have traceability rules for cyberspace asset information, provide the corresponding technical measures for tracing cyberspace asset information, establish a record log, and archive traceability information for no less than 6 months.

6. [Data destruction] Asset mapping data shall be destroyed upon the explicit instruction of the data owner or similar, ensuring that the data cannot be recovered or used for unauthorized purposes and preventing the disclosure of sensitive information.

7. [Review process] Where data obtained from cyberspace asset mapping activities is used to support overseas business or cyberspace asset mapping activities, shared, rented or sold, or otherwise monetized as a data asset, the necessary review process shall be followed to ensure that the asset data provided and shared is legal and compliant.

8. [Security mechanism] Institutions and individuals carrying out cyberspace asset mapping activities shall regularly build and implement mechanisms for risk assessment, reporting, information sharing, monitoring and early warning concerning mapping data, and file them with the relevant regulatory authorities.

9. [Service operation] Establish databases of illegal and harmful information and a list of users with abnormal behavior, and maintain and update them regularly; regularly update cyberspace asset data and conduct operational risk assessments and system supply chain security reviews.

Opinions on compliance for operators of cyberspace asset mapping business

In light of current business practice and the specific requirements of laws and regulations, operators of cyberspace asset mapping are advised to strengthen their awareness of legal compliance and take the following measures to improve corporate compliance governance.

(1) Establish data life-cycle security management: enterprises should establish a security management system covering the collection, storage, use, processing, transmission, provision, disclosure, deletion and other stages of cyberspace asset mapping data, ensuring that the data remains effectively protected and lawfully used.

(2) Data classification and grading: enterprises should classify and grade cyberspace asset mapping data and clarify the security protection requirements corresponding to each category and level.

(3) Domestic data storage and management: enterprises should store cyberspace asset mapping data within China and choose domestic storage equipment.

(4) Establish a compliance management system: enterprises are advised to establish, operate, maintain and improve a compliance management system with reference to ISO 27001 and ISO 27701, so as to improve their compliance management capability.

(5) Data security awareness and training: enterprises should raise employees' awareness of data security and, through training, help them understand the importance of cyberspace asset mapping data security and the relevant operating norms.

Through the above measures, operators of a cyberspace asset mapping business can, to a certain extent, keep the business operating within the legal framework and protect data security effectively, while also promoting the sustainable development of the business. In addition, enterprises should pay close attention to changes in the relevant laws and regulations and adjust their practices in a timely manner to meet the latest compliance requirements.
