| Important data collected and generated by operators of critical banking information infrastructure within the territory of the People’s Republic of China may affect China’s national security or public interests. In principle, it should be stored within the territory of China. If it is necessary for the data to leave the country for business reasons, the data exit security assessment system should be applied. The People’s Bank of China has not published a list defining the scope of the critical information infrastructure of the banking industry or a list of its important data, which are the object of the exit security assessment. The financial assets registration and custody system and other six types of systems stipulated in the Work Plan for the Overall Supervision of Financial Infrastructure should belong to the critical information infrastructure of the banking industry. In addition, since "non-financial third-party payment institutions" are closely related to the operation of banks, they should refer to the criteria in the 2017 "Critical Information Infrastructure Identification Guide (Trial)" to determine whether they belong to the critical information infrastructure of the banking industry. The scope of important data of the critical information infrastructure of the banking industry should be based on the C3-C1 data specified in the 2020 Technical Specification for Personal Financial Information Protection, and, following the 2020 Financial Data Security Data Security Classification Guide, data should be judged to be important data according to the objects affected and the degree of impact when the data is damaged. In terms of the content of the exit security assessment, when evaluating the necessity of the exit of important data of the critical information infrastructure of the banking industry, the "self-assessment report" submitted to the network information department can address laws and regulations, national or industry standards, business necessities, industry practices, alternative standards and so on. When evaluating the degree of exit desensitization of important data of the critical information infrastructure of the banking industry, the network and information technology department should focus on whether the technical means of desensitization can effectively guarantee the exit security of the important data and whether the desensitized important data can be recovered, so as to retain the commercial value of the important data while ensuring its exit security. The capability of the overseas recipients of important data of the critical information infrastructure of the banking industry can be judged comprehensively along four dimensions of the recipient's data security protection work, namely organization construction, system process, technical tools and personnel ability, according to the 2020 Information Security Technology Data Security Capability Maturity Model. At the same time, for overseas data receivers with a stable political and legal environment, a comprehensive assessment should be carried out when important data is first transmitted to the country; when important data is transmitted to the country again, the evaluation can be limited to significant changes in the policy and environment of the data receiver. For the risk assessment of important data of the critical information infrastructure of the banking industry after exit, the probability of re-transfer of the important data and the basic situation of the receiver to which it would be re-transferred should be clearly stated in the "self-assessment report". Based on national security, public safety and other factors, unless important data is re-transferred within the overseas recipient group, any further transfer to third parties shall be restricted. |