Data Security Governance Practices and Frameworks: A Comprehensive Overview
This article presents a detailed overview of data security governance in China, covering policy milestones, major security incidents, current challenges, a three‑part governance model (protective tools, a management platform, and continuous operations), practical workflow steps, classification and grading methods, emerging zero‑trust concepts, and real‑world case studies, offering actionable insights for organizations seeking robust data protection.
Introduction – The talk, presented by Zhou Ruiqun, Marketing Director of Qihoo 360, shares practical experiences in data security governance throughout the data lifecycle.
Policy Timeline – Highlights key national policies from 2017 to 2021 that elevated data to a strategic production factor, culminating in the Data Security Law (2021) which formalized a comprehensive governance framework.
Two‑Session Proposals – Emphasizes top‑level planning, synchronized security measures for government big‑data projects, and the launch of specialized data security capabilities.
National Legal Foundations – Summarizes the National Security Law (2015), Cybersecurity Law (2017), and Data Security Law (2021) as the legal backbone for data protection.
Recent Security Incidents – Lists notable breaches in 2020‑2021, including Wuhan return‑traveler data leaks, large‑scale social‑media data sales, Facebook and Google privacy violations, and ransomware attacks on critical infrastructure, illustrating the urgency of robust governance.
Current Status and Needs – Identifies five major gaps: unclear data assets, insufficient protection mechanisms, lack of granular security policies, missing traceability, and unknown risk exposure.
Three‑Piece Governance Model – Recommends three complementary pieces: point tools (database auditing, data firewalls, encryption, watermarking, and masking); a platform for lifecycle management and traceability; and continuous operations covering policy refinement and risk assessment.
Governance Philosophy – Advocates scenario‑driven, data‑centric governance that unifies organization, processes, technology, and operations within a comprehensive control platform.
Workflow – Outlines four steps: data identification (asset discovery, classification, grading), centralized control (policy orchestration, lifecycle management), risk detection (monitoring, modeling, analysis), and security operations (continuous assurance and compliance).
Real‑World Case Study – Describes a local data bureau’s workflow: extracting data from agencies, cleaning and mining it into thematic libraries, and securely sharing results.
Data Classification & Grading – Explains the three‑step process (asset discovery, data identification, classification/grading) and the need to tailor levels to industry‑specific sensitivity.
Emerging Security Concepts – Introduces zero‑trust security (identity‑centric, dynamic authorization, fine‑grained access) and the “data‑never‑lands” principle (data is used inside a controlled environment rather than copied to endpoints), supported by trusted data vaults, online watermarking, and strict handling of any data that must be taken offline.
Q&A Highlights – Discusses the basis for classification standards, granularity per industry, and the role of automated scanning tools combined with expert validation.
Conclusion – Summarizes the importance of a holistic, scenario‑based, and continuously evolving data security governance approach.
DataFunSummit
Official account of the DataFun community, dedicated to sharing big data and AI industry summit news and speaker talks, with regular downloadable resource packs.