Information Security

Data Security Governance Practices at Zhongyuan Bank: Framework, Management System, Technical Architecture, and Future Planning

The article details Zhongyuan Bank's comprehensive data security governance, covering the regulatory background, protection objectives, classification of data assets, organizational and procedural management mechanisms, technical safeguards across the data lifecycle, and future planning to enhance compliance and risk mitigation in the banking sector.

DataFunTalk

Zhongyuan Bank, a top‑10 Chinese city commercial bank with assets exceeding 1.2 trillion CNY, has been advancing a digital‑intelligence transformation that emphasizes a robust data security governance system.

The presentation has four main parts:

Background and objectives of data security construction.

Data security management system construction.

Data security technical system construction.

Data security system planning.

1. Background and objectives

The EU GDPR, in force since 2018, sparked data‑security compliance discussions in China. Subsequent laws such as the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and sector‑specific guidelines (e.g., the Financial Data Security Guidelines) have created a strict regulatory environment. High‑profile breaches, such as the Medibank incident, illustrate the financial and reputational risks of data loss.

Data security aims to prevent external attacks and internal misuse, and to ensure that incidents can be traced. The bank aligns its objectives with information‑security principles, treating data as the carrier of valuable information.

Protection objects include:

Raw basic user information (ID numbers, phone numbers, etc.).

Structured data stored in databases.

Preview/visualization data provided to internal staff and customers.

Derived "deep insight" data generated by data mining and modeling.

2. Data security management system

The bank established a multi‑layered organizational structure (strategic, decision, management, execution, supervision) with clear responsibilities for data‑security committees, data stewards, and risk‑audit teams.

Key management mechanisms:

Security awareness training for executives and all staff, including phishing simulations and certification exams.

Approval workflows for data usage, ensuring that data extraction, transmission, and access are authorized.

Technical controls such as dual firewalls, IDS/IPS, WAF, DDoS protection, and internal DLP for e‑mail and endpoint leakage prevention.

Endpoint restrictions (no removable media; secure USB devices issued centrally) and network segmentation into production, test, office, and internet zones, in descending order of trust.

Regular security supervision checks, including asset inventory, permission audits, and log‑sensitive‑information scans.

3. Data security technical system

The technical framework covers the entire data lifecycle: collection, transmission, storage, usage, and destruction. Highlights include:

Encryption components for end‑to‑end data transmission.

Data classification and automated grading using keyword rules and machine‑learning models, with manual review for high‑risk items.

Five‑level data security grading (1 = public, 5 = critical) aligned with national standards and the Financial Data Security Guidelines.
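The two bullets above describe automatic grading from keyword rules with manual review for high‑risk items, and a five‑level scale rolled up to table‑level security levels. The following is an added illustration written for this summary, not the bank's classification engine: it grades each column from name‑keyword rules and from the shape of sampled values, defaults to level 1, routes high‑risk or conflicting results to a review queue, and rolls the highest field level up to the table. The keyword lists, value patterns, level assignments and the 80% match ratio are constructed assumptions; a real rule set comes from the institution's own classification standard.

```python
import re
from dataclasses import dataclass

# Five-level grading as described in the talk: 1 = public ... 5 = critical.
LEVEL_PUBLIC, LEVEL_INTERNAL, LEVEL_SENSITIVE, LEVEL_CONFIDENTIAL, LEVEL_CRITICAL = 1, 2, 3, 4, 5

# Keyword rules on column names. Constructed for illustration; a real rule set
# comes from the bank's own classification standard. More specific names first.
NAME_RULES = [
    (re.compile(r"id_card|national_id|passport", re.I), LEVEL_CRITICAL),
    (re.compile(r"password|secret|private_key|api_key", re.I), LEVEL_CRITICAL),
    (re.compile(r"phone|mobile|email", re.I), LEVEL_CONFIDENTIAL),
    (re.compile(r"balance|salary|credit_limit", re.I), LEVEL_CONFIDENTIAL),
    (re.compile(r"address|birth", re.I), LEVEL_SENSITIVE),
    (re.compile(r"branch_code|product_code", re.I), LEVEL_INTERNAL),
]

# Shape rules on sampled values, to catch sensitive data hidden behind
# uninformative column names such as "col7". Patterns are constructed approximations.
VALUE_RULES = [
    (re.compile(r"^\d{17}[\dXx]$"), LEVEL_CRITICAL),                  # 18-character ID-number shape
    (re.compile(r"^1\d{10}$"), LEVEL_CONFIDENTIAL),                    # 11-digit mobile-number shape
    (re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), LEVEL_CONFIDENTIAL),  # e-mail shape
]

MATCH_RATIO = 0.8  # fraction of sampled values that must match a shape rule (assumption)


@dataclass
class FieldGrade:
    column: str
    level: int
    reason: str
    needs_review: bool


def grade_field(column, samples):
    """Grade one column from its name and a sample of its values."""
    name_level, name_reason = 0, ""
    for pat, lvl in NAME_RULES:
        if pat.search(column):
            name_level, name_reason = lvl, f"name matched /{pat.pattern}/"
            break

    value_level, value_reason = 0, ""
    if samples:
        for pat, lvl in VALUE_RULES:
            hits = sum(1 for v in samples if pat.match(str(v)))
            if hits / len(samples) >= MATCH_RATIO:
                value_level, value_reason = lvl, f"{hits}/{len(samples)} values matched /{pat.pattern}/"
                break

    level = max(name_level, value_level, LEVEL_PUBLIC)
    reason = "; ".join(r for r in (name_reason, value_reason) if r) or "no rule matched, default public"
    # Route to manual review when the automatic grade lands in the high-risk
    # bands, or when name and value evidence disagree on a sensitive item.
    needs_review = level >= LEVEL_CONFIDENTIAL or (
        name_level > 0 and value_level > 0 and name_level != value_level
    )
    return FieldGrade(column, level, reason, needs_review)


def grade_table(table, columns):
    """Grade every column and roll the highest field level up to the table."""
    fields = {col: grade_field(col, samples) for col, samples in columns.items()}
    table_level = max(f.level for f in fields.values()) if fields else LEVEL_PUBLIC
    return {
        "table": table,
        "level": table_level,
        "fields": fields,
        "review_queue": [c for c, f in fields.items() if f.needs_review],
    }


if __name__ == "__main__":
    # Constructed sample schema with a few sampled values per column.
    result = grade_table("customer", {
        "id_card": ["41010119900101123X", "110101198505054321"],
        "mobile": ["13800138000", "13900139000"],
        "col7": ["13800138000", "13900139000", "13700137000"],
        "branch_code": ["0101", "0102"],
        "remark": ["vip", "new"],
    })
    print(f"table level: {result['level']}, review queue: {result['review_queue']}")
    for f in result["fields"].values():
        print(f"  {f.column:12} level {f.level}  {f.reason}")
```

The value‑shape pass is what makes the column named `col7` surface as confidential even though its name says nothing, which is the case a pure keyword rule misses; the table‑level roll‑up is the "max of its fields" behaviour the Q&A later describes for the data‑asset platform.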

Network access control that prohibits internal‑to‑internet traffic, with controlled exceptions via whitelists and virtual desktops.

VPN + virtual‑desktop solution ("cloud‑stack" platform) to support secure remote work and file exchange.

Data security intelligent analysis and monitoring platform based on UEBA, combining rule‑based and machine‑learning detection of abnormal data‑access behaviors.
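The UEBA platform above combines fixed rules with statistical detection of abnormal data access. The following is an added example written for this summary, not the bank's platform: it builds a per‑user profile from ten days of constructed audit records (tables touched and the rows‑per‑query distribution), then scores each new access with two rules (off‑hours access to a level‑4+ table, first‑ever access to a table) and one statistical check (a z‑score on query volume against the user's own history, with a ratio fallback when the history is flat). The table levels, business hours, z‑threshold and rule weights are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not from the talk): who read how many rows from
# which table, and when. Ten days of routine activity form the baseline.
BASELINE_EVENTS = []
for day in range(1, 11):
    BASELINE_EVENTS += [
        {"user": "analyst01", "ts": f"2024-03-{day:02d}T10:15:00", "table": "loan_summary", "rows": 1200 + 30 * day},
        {"user": "analyst01", "ts": f"2024-03-{day:02d}T15:40:00", "table": "branch_kpi", "rows": 300},
        {"user": "dba02", "ts": f"2024-03-{day:02d}T09:05:00", "table": "customer", "rows": 50},
    ]

# Table security levels as the classification platform would publish them
# (constructed; five-level scale, 5 = critical).
TABLE_LEVELS = {"loan_summary": 3, "branch_kpi": 2, "customer": 5}

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as in-hours (assumption)
Z_THRESHOLD = 3.0              # rows-per-query z-score above which volume is an outlier
WEIGHTS = {"off_hours_high_level": 2, "new_table": 1, "volume_outlier": 3}


def build_baseline(events):
    """Per-user profile: tables touched and the rows-per-query distribution."""
    profile = defaultdict(lambda: {"tables": set(), "rows": []})
    for e in events:
        profile[e["user"]]["tables"].add(e["table"])
        profile[e["user"]]["rows"].append(e["rows"])
    return profile


def volume_is_outlier(rows, history):
    """Statistical check: z-score of this query against the user's own history."""
    if len(history) < 2:
        return False                 # not enough history to say anything
    mean, sd = statistics.mean(history), statistics.stdev(history)
    if sd == 0:                      # flat history: fall back to a ratio test
        return rows > 2 * mean
    return (rows - mean) / sd > Z_THRESHOLD


def score_event(event, profile):
    """Combine the fixed rules with the statistical check; return reasons and a score."""
    reasons = []
    user = profile.get(event["user"], {"tables": set(), "rows": []})
    hour = datetime.fromisoformat(event["ts"]).hour
    level = TABLE_LEVELS.get(event["table"], 1)

    if hour not in BUSINESS_HOURS and level >= 4:
        reasons.append("off_hours_high_level")
    if event["table"] not in user["tables"]:
        reasons.append("new_table")
    if volume_is_outlier(event["rows"], user["rows"]):
        reasons.append("volume_outlier")

    return {"user": event["user"], "table": event["table"],
            "reasons": reasons, "score": sum(WEIGHTS[r] for r in reasons)}


# Constructed events for the day under review: one routine query, one
# late-night bulk pull from a critical table, one routine DBA check.
TODAY_EVENTS = [
    {"user": "analyst01", "ts": "2024-03-11T10:30:00", "table": "loan_summary", "rows": 1500},
    {"user": "analyst01", "ts": "2024-03-11T23:12:00", "table": "customer", "rows": 48000},
    {"user": "dba02", "ts": "2024-03-11T09:10:00", "table": "customer", "rows": 60},
]


def review_day(events, baseline_events):
    """Score every event of the day against the baseline profile."""
    profile = build_baseline(baseline_events)
    return [score_event(e, profile) for e in events]


if __name__ == "__main__":
    for finding in review_day(TODAY_EVENTS, BASELINE_EVENTS):
        if finding["score"]:
            print(f"ALERT score={finding['score']} {finding['user']} on "
                  f"{finding['table']}: {finding['reasons']}")
```

Keeping the rule hits as named reasons rather than a single score is what lets an analyst see why an access was flagged, and it keeps the rule layer and the statistical layer independently tunable, which is the practical reason the talk pairs the two rather than relying on either alone.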

4. Data security system planning

The bank conducts periodic maturity assessments, risk evaluations, and gap analyses to refine its governance, processes, and technical capabilities. Future work includes expanding asset‑management coverage, enhancing team training, and tightening controls for data‑destruction and legacy‑data handling.

Q&A Highlights

Endpoint sensitive‑information checks are performed annually or on a longer cycle, focusing on high‑risk devices.

Data‑classification results are synchronized to the data‑asset platform, automatically influencing table‑level security levels and access authorizations.

Full‑field data masking is achieved via a unified masking platform for standard fields and manual review for passwords or keys.

Automated masking tools support bulk data export to third parties and test environments.
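The masking answers above describe a unified platform that masks standard fields automatically while passwords and keys go to manual review, and that drives masking from the field‑level classification. The following is an added example written for this summary, not the bank's masking platform: masking is applied to every field at or above a threshold level, standard field types (ID number, phone, e‑mail) use a registered partial‑masking rule, and any other field at that level is fully redacted and queued for manual review because no safe partial form exists. The sample record, the level map, the field‑type map and the prefix/suffix lengths kept by each rule are constructed assumptions.

```python
# Masking rules for standard field types; constructed for illustration. Each
# keeps a short prefix/suffix so staff can still recognise a record without
# seeing the full value.
def mask_id_number(value):
    """Keep the region prefix and the last four characters of an ID number."""
    if len(value) < 10:
        return "*" * len(value)
    return value[:6] + "*" * (len(value) - 10) + value[-4:]


def mask_phone(value):
    """Keep the first three and last four digits of a phone number."""
    if len(value) < 7:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 7) + value[-4:]


def mask_email(value):
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = value.partition("@")
    if not sep:
        return "*" * len(value)
    return local[:1] + "*" * (len(local) - 1) + sep + domain


MASKERS = {"id_number": mask_id_number, "phone": mask_phone, "email": mask_email}
REDACTED = "[REDACTED]"


def mask_record(record, field_levels, field_types, threshold=4):
    """Mask every field at or above `threshold`.

    Standard field types use their registered masker. Any other field at that
    level has no safe partial form, so it is fully redacted and the field name
    is returned in a review list (passwords, keys and similar).
    """
    masked, review = {}, []
    for name, value in record.items():
        level = field_levels.get(name, 1)      # unknown fields default to public
        if level < threshold or value is None:
            masked[name] = value
            continue
        ftype = field_types.get(name)
        if ftype in MASKERS:
            masked[name] = MASKERS[ftype](str(value))
        else:
            masked[name] = REDACTED
            review.append(name)
    return masked, review


# Constructed sample record, classification levels and standard-field types,
# as the data-asset platform would supply them.
RECORD = {
    "name": "Zhang San",
    "id_card": "41010119900101123X",
    "mobile": "13800138000",
    "email": "zhang.san@example.com",
    "api_key": "sk-constructed-0000",
    "branch_code": "0101",
}
LEVELS = {"name": 3, "id_card": 5, "mobile": 4, "email": 4, "api_key": 5, "branch_code": 2}
FIELD_TYPES = {"id_card": "id_number", "mobile": "phone", "email": "email"}

if __name__ == "__main__":
    out, review = mask_record(RECORD, LEVELS, FIELD_TYPES)
    for k, v in out.items():
        print(f"{k:12} {v}")
    print("needs manual review:", review)
```

Because the level map is an input rather than something the masker decides, a reclassification on the asset platform changes what gets masked in the next export without touching the masking code, which is the synchronisation the Q&A describes.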

The presentation concludes with a thank‑you from the speaker, Wang Ran, Information Security Engineer at Zhongyuan Bank.

Tags: risk management, information security, compliance, Data Governance, Data Security, Banking
Written by

DataFunTalk

Dedicated to sharing and discussing big data and AI technology applications, aiming to empower a million data scientists. Regularly hosts live tech talks and curates articles on big data, recommendation/search algorithms, advertising algorithms, NLP, intelligent risk control, autonomous driving, and machine learning/deep learning.
