Data Security Governance: Motivation, Technical Objectives, Classification, and Management Practices

The article explains why data security governance is essential for rapidly growing businesses, outlines technical goals across the data lifecycle, describes data classification and labeling methods, and details approval processes, network security zones, and management controls to protect data throughout its lifecycle.

TAL Education Technology

Why We Need Data Security Governance

As our business expands rapidly, the volume of data and the complexity of scenarios increase, leading to higher risks of data leakage. Uncontrolled data can cause public trust crises, business termination, financial loss, and legal disputes.

For example, in 2018 the data of over 87 million Facebook users was illegally collected by Cambridge Analytica for large‑scale analysis, resulting in a $5 billion settlement and an average breach cost of $347 million per incident.

Regulations in the online education sector are tightening, including China’s Cybersecurity Law, the Personal Information Security Specification, the Ministry of Education’s notice on harmful apps, and the National Internet Information Office’s rules on children’s personal data protection.

Technical Goals of Data Security Governance

Establish security capabilities for each stage of the data lifecycle—collection, transmission, storage, processing, exchange, archiving, and destruction—so that data is used reasonably and legally while creating business value.

Specific objectives per stage:

Data collection: asset acquisition, quality monitoring, classification, and operation management.

Data transmission: integrity checks, security review, monitoring, and device availability detection.

Data storage: backup and recovery, media management, usage standards, and configuration scanning.

Data processing: anonymization, analysis, and log management.

Data exchange: publishing, interface filtering, access auditing, and cross‑domain access.

Data archiving: backup and tiered adjustment.

Data destruction: hard and soft destruction techniques.

Basic Elements of Data Security Governance

1. Common Enterprise Data Classification

Customer data (C): personal information such as name, ID, bank card, address, biometric data, as well as course and transaction data.

Business data (S): data required for external business operations, e.g., behavior data and derived analytics.

Company data (B): financial, management, and operational data, including business plans, unpublished patents, M&A plans, employee personal data, and system/account credentials.

Derived data: any data or documents generated from the above.

2. Common Enterprise Data Grading

Data is graded based on organizational impact, confidentiality, and legal jurisdiction (e.g., GDPR). Labels L1–L3 are applied, with L2 and L3 considered sensitive. When classifications overlap, the stricter label applies.

Default security levels: Customer data → C2 (customer privacy); Business data → S2 (business confidential); Company data → B2 (company confidential).

3. Data Tagging Methods

Tagging indicates the data owner, nature, and required protection measures.

4. Data Usage Approval

Data Owner: the department head or business manager responsible for the data, legally accountable for its security.

Data User: the individual who analyzes or processes the data.

Default maximum usage per level is 50,000 records; exceeding this requires approval at the next higher level.

5. Network Security Measures for Data Use

Production Network (D3): strict port control, no external non‑service access, authorized internal access, security‑reviewed applications, timely vulnerability patches, and audit of critical operations.

Office Network (D2): limited external ports, authorized external management, no public services, and audit of critical actions.

Trusted External Network (D1): IP‑bound ports, whitelist access, security‑reviewed applications, and audit of critical actions.

Internet (D0): any computer not meeting the above criteria is considered uncontrolled.

6. Data Usage Security Management Specifications

External Access: first login requires domain account or certificate; each login must use VPN, domain credentials, gesture password, or device password.

Internal Access: similar first‑login verification.

Content Display: L2/L3 data must not be shown without permissions.

Data Storage: report data cannot be stored on mobile devices; caches must be cleared on exit.

Data Distribution: page displays and data exports must include watermarks.

Audit: comprehensive logging, permission, process, and management audits are required throughout the data lifecycle, with periodic security audits by the audit department.
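
The grading rule (stricter label wins, C2/S2/B2 defaults), the 50,000-record approval threshold, and the display and watermark rules above can be combined into one policy check for a data-use request. This is an added example, not code from the original article or from TAL; the function names, the result keys and the "data-owner" default approver are assumptions.

```python
from dataclasses import dataclass

CATEGORIES = ("C", "S", "B")   # customer, business, company data (from the article)
DEFAULT_LEVEL = 2              # article: defaults are C2, S2, B2
SENSITIVE_FROM = 2             # article: L2 and L3 are sensitive
MAX_RECORDS = 50_000           # article: default maximum usage per level


@dataclass(frozen=True)
class Label:
    category: str
    level: int


def parse_label(text: str) -> Label:
    """Parse 'C2'-style labels; a bare category letter gets the default level."""
    text = text.strip().upper()
    if not text or text[0] not in CATEGORIES:
        raise ValueError(f"unknown data category in label {text!r}")
    if len(text) == 1:
        return Label(text, DEFAULT_LEVEL)
    if text[1:] not in ("1", "2", "3"):
        raise ValueError(f"level must be 1-3 in label {text!r}")
    return Label(text[0], int(text[1:]))


def usage_decision(source_labels, record_count, may_view_sensitive):
    """Evaluate one data-use request against the rules quoted above."""
    labels = [parse_label(s) for s in source_labels]
    if not labels:
        raise ValueError("unlabelled data: assign a category before use")
    level = max(l.level for l in labels)        # overlap: stricter label wins
    sensitive = level >= SENSITIVE_FROM
    return {
        "level": f"L{level}",
        "categories": sorted({l.category for l in labels}),
        "sensitive": sensitive,
        "display_allowed": not sensitive or may_view_sensitive,
        # Assumption: the data owner approves by default; the article only
        # says larger requests go to "the next higher level".
        "approver": "next-higher-level" if record_count > MAX_RECORDS else "data-owner",
        "watermark_required": True,             # displays and exports
    }


# Constructed request: customer data joined with low-level business data.
if __name__ == "__main__":
    print(usage_decision(["C", "S1"], 120_000, may_view_sensitive=False))
```

Derived data is handled by passing the labels of every source it was built from, so a report joining C and S1 data is treated as L2.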

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

TAL Education Technology

TAL Education is a technology-driven education company committed to the mission of 'making education better through love and technology'. The TAL technology team has always been dedicated to educational technology research and innovation. This is the external platform of the TAL technology team, sharing weekly curated technical articles and recruitment information.
