Enterprise data security management capability evaluation method, system, device and storage medium
By deploying lightweight security probes on the evaluated side, the security characteristics of data throughout its entire lifecycle are collected and evaluated in real time, the data security capability index is calculated, and access permissions are dynamically adjusted. This solves the problems of insufficient technical depth and monitoring blind spots in existing data security assessment technologies, and enables accurate evaluation and dynamic control of data security, thereby improving security in the supply chain environment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HAOFU CIPHER DETECTION TECH (CHENGDU) CO LTD
- Filing Date
- 2026-05-13
- Publication Date
- 2026-07-03
AI Technical Summary
Existing enterprise data security assessment technologies lack technical depth, are unable to detect the correctness of key management and random number generation, have blind spots in data security monitoring, and lack automated alignment methods for fingerprint-based external behavior monitoring and classification and grading strategies, making it difficult to meet the data utilization and management needs in complex supply chain environments.
By deploying lightweight security probes on the evaluated side, real-time data on the security operation characteristics of the entire data lifecycle is collected. Based on security management policies, in-depth assessments are conducted, a data security capability index is calculated, and access permissions are dynamically adjusted through a data exchange gateway.
It enables real-time monitoring and dynamic management of data security, improves the accuracy and depth of risk identification, ensures that data compliance and classification are aligned, constructs a dynamic risk circuit breaker closed loop, and enhances the security level in the supply chain collaborative environment.
Smart Images

Figure CN122339821A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data security technology, and in particular to methods, systems, equipment and storage media for assessing enterprise data security management capabilities. Background Technology
[0002] With the deepening development of digital transformation and supply chain collaboration, core enterprises (Party A) frequently need to share sensitive assets such as R&D data, order information, and customer data with suppliers and partners (Party B) in business transactions. According to relevant national standards, Party A's responsibility for security control over Party B is becoming increasingly prominent. Currently, assessments of supply chain data security mainly rely on static methods such as manual questionnaires, on-site audits, or reviewing screenshots of security qualification certificates, combined with the deployment of basic encryption, firewalls, and DLP security products on the Party B's side, attempting to establish a preliminary trust mechanism through compliance reviews.
[0003] However, existing assessment technologies have multiple shortcomings in practical applications: First, the verification methods lack technical depth, only able to identify the name of the cryptographic algorithm but unable to detect the correctness of key management or random number generation, which easily leads to "document compliance but technical fragility"; Second, there are blind spots in data security monitoring, lacking automated alignment methods for monitoring and classifying and grading strategies based on fingerprint-based external behavior, and the assessment of emergency response capabilities is merely a formality, lacking effective verification of backup and recovery scripts and alarm channels, making it difficult to meet the refined regulatory needs of data utilization and management in complex supply chain environments. Summary of the Invention
[0004] The main purpose of this application is to provide a method, system, device and storage medium for assessing enterprise data security management capabilities, aiming to solve the technical problem of low data security in relevant enterprises.
[0005] Firstly, to achieve the above objectives, this application provides a method for assessing an enterprise's data security management capabilities, the method comprising: The security management policy is transmitted online in encrypted form to a lightweight security probe deployed on the evaluated side; The security operation characteristic data of the evaluated side is collected through a lightweight security probe throughout the entire data lifecycle, and the security operation characteristic data is evaluated based on the security management strategy to obtain the security evaluation results. Calculate the data security capability index of the evaluated side based on the security assessment results; Data access permissions to the evaluated side are dynamically adjusted based on the data security capability index.
[0006] In one embodiment, the steps of performing a security assessment on security operation characteristic data based on a security management strategy to obtain the security assessment results include: The first assessment result is determined by assessing the password protection coverage and compliance of the protection passwords throughout the entire lifecycle of the test data. The code configuration files and storage space of the evaluated side are scanned to check the correctness of the key and random number configuration and determine the second evaluation result. The correctness of the configuration includes the correctness of the key type, the correctness of the key lifecycle, the correctness of the encryption working mode, and the correctness of the random number usage.
[0007] In one embodiment, the data sent to the evaluated side includes a data fingerprint. The step of performing a security assessment on the security operation characteristic data based on a security management policy and obtaining the security assessment result further includes: Monitor the data sending behavior of the evaluated side. If the evaluated side is detected to be attempting to send data containing data fingerprints to unauthorized external storage media or to send data through non-whitelisted channels, then monitor the DLP system logs of the evaluated side. The third evaluation result is determined based on the generation of corresponding alarm logs in the DLP system log of the evaluated side.
[0008] In one embodiment, the step of performing a security assessment on security operation characteristic data based on a security management strategy and obtaining the security assessment result further includes: Obtain metadata tags for the data assets being evaluated; The metadata tags are matched with the corresponding standard data tags by hash value to determine the fourth evaluation result.
[0009] In one embodiment, the step of calculating the data security capability index of the evaluated side based on the security assessment results includes: Based on the first, second, third, and fourth assessment results, a data security capability index is determined using a weighted algorithm.
[0010] In one embodiment, the step of dynamically adjusting data access permissions to the evaluated side based on the data security capability index includes: If the data security capability index is higher than the first preset threshold, then the plaintext data interface will be opened through the data exchange gateway; If the security capability index is not higher than the first preset threshold but higher than the second preset threshold, the data to be transmitted will be sent after dynamic desensitization processing. If the security capability index is lower than the second preset threshold, then the data exchange gateway will be used.
[0011] Secondly, to achieve the above objectives, this application further provides an enterprise data security management capability assessment system, the system comprising: The policy deployment module is used to transmit security management policies online in encrypted form to lightweight security probes deployed on the evaluated side; The security assessment module is used to collect security operation characteristic data of the assessed side throughout the data lifecycle using a lightweight security probe, and to conduct a security assessment of the security operation characteristic data based on the security management strategy to obtain the security assessment results. The result determination module is used to calculate the data security capability index of the evaluated side based on the security assessment results. The access control module is used to dynamically adjust data access permissions for the evaluated side based on the data security capability index.
[0012] Thirdly, to achieve the above objectives, this application further provides an enterprise data security management capability assessment device, the device comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, the computer program being configured to implement the steps of an enterprise data security management capability assessment method.
[0013] Fourthly, to achieve the above objectives, this application further provides a storage medium, which is a computer-readable storage medium, and stores a computer program thereon. When the computer program is executed by a processor, it implements the steps of the enterprise data security management capability assessment method as claimed in any one of claims 1 to 6.
[0014] One or more technical solutions proposed in this application have at least the following technical effects: This application achieves real-time collection of data security operation characteristics throughout its entire lifecycle by deploying lightweight security probes, effectively overcoming the shortcomings of traditional manual assessment methods, such as lag and strong subjectivity. By introducing deep password correctness verification, data fingerprint outbound monitoring, and metadata tag consistency hash comparison technologies, it not only improves the accuracy and depth of risk identification but also ensures the compliant use and classification alignment of data on the assessed side. By combining the data security capability index generated by the weighted algorithm with the data exchange gateway to achieve technical linkage, a dynamic risk circuit breaker closed loop of "assessment-early warning-blocking" is constructed. This loop can automatically adjust the data anonymization strength and access permissions according to the real-time security situation, greatly improving the intrinsic security level in the supply chain collaborative environment while ensuring efficient data sharing. Attached Figure Description
[0015] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0016] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the accompanying drawings used in the description of the embodiments or related technologies will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0017] Figure 1 This is a flowchart illustrating an example of the enterprise data security management capability assessment method for this application.
[0018] Figure 2 This is a schematic diagram of the structure of the enterprise data security management capability assessment system for this application.
[0019] Figure 3 This is a schematic diagram illustrating the results of the assessment of the data security management capabilities of the applicant company.
[0020] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation
[0021] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.
[0022] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.
[0023] The main solution of this application embodiment is: by transmitting the security management strategy online to a lightweight security probe deployed on the evaluated side, the probe collects security operation characteristic data throughout the entire data lifecycle, and conducts in-depth security assessments on password protection coverage and correctness, external compliance based on data fingerprints, and consistency of metadata tags. Based on the assessment results, the data security capability index of the evaluated side is quantitatively calculated, and the data access permissions or desensitization intensity are dynamically adjusted through the data exchange gateway using this index, thereby achieving accurate evaluation and dynamic control of data utilization risks in supply chain collaboration scenarios.
[0024] Based on this, the embodiments of this application provide a method for assessing enterprise data security management capabilities, referring to... Figure 1 , Figure 1 This is a flowchart illustrating the first embodiment of the enterprise data security management capability assessment method of this application.
[0025] In this embodiment, the method for assessing enterprise data security management capabilities includes steps S10 to S40: Step S10: The security management policy is transmitted online in encrypted form to the lightweight security probe deployed on the evaluated side; Step S20: Collect security operation characteristic data of the evaluated side throughout the entire data lifecycle using a lightweight security probe, and conduct a security assessment of the security operation characteristic data based on the security management strategy to obtain the security assessment results; Step S30: Calculate the data security capability index of the evaluated side based on the security assessment results; Step S40: Dynamically adjust the data access permissions for the evaluated side based on the data security capability index.
[0026] Specifically, in the supply chain collaboration process, core enterprises (Party A) need to share sensitive data such as R&D data, order information, and customer data with suppliers and partners (Party B, i.e., the evaluated party). With the implementation of relevant laws and national standards for data classification and grading, Party A's responsibility for the data security management of Party B is becoming increasingly heavy.
[0027] In this embodiment, the security assessment and management platform on the client side first performs online encryption processing on the preset security management policy and sends it to the lightweight security probe deployed on the assessed side to ensure the consistency of audit standards and the confidentiality of the transmission process. By transforming the client's management intentions, such as data classification and grading standards and cryptographic algorithm baselines, into executable technical instructions, a compliance benchmark is laid for subsequent automated monitoring.
[0028] Subsequently, a lightweight security probe residing in the environment being evaluated collects real-time security operation characteristics data throughout the entire lifecycle of data, including transmission, storage, use, and destruction. By hooking into system APIs or analyzing configuration information, the probe not only verifies the compliance of cryptographic algorithms but also deeply examines the correctness of key management and encryption modes. Simultaneously, it monitors external behavior based on data fingerprints and compares the consistency of metadata tags. By comparing the collected operational characteristics with the policies issued in step S10, the system can objectively obtain security assessment results and effectively identify substantial security risks where "documents are compliant but technology is weak."
[0029] Following this, the platform receives the aforementioned security assessment results and uses a pre-defined weighted algorithm to perform comprehensive analysis, calculating a data security capability index that reflects the true security level of the assessed party. This index transforms abstract security management capabilities into quantifiable technical indicators, eliminating the subjective bias of traditional manual audits and providing core enterprises with an intuitive profile of their partners' security creditworthiness.
[0030] Finally, the calculated data security capability index is fed back to the data exchange gateway in real time, dynamically adjusting data access permissions for the evaluated side. By establishing a linkage mechanism between the index and access control, if the security capability of the evaluated side meets the standard, normal data sharing is maintained; if the index drops and triggers a risk threshold, the gateway will automatically perform de-identification processing or block the download interface. This dynamic permission adjustment based on real-time assessment results achieves risk circuit breaking for data interaction in supply chain collaboration, ensuring that sensitive data always flows to a trusted environment with appropriate protection capabilities.
[0031] In one feasible implementation, step S20 includes steps A10 to A60: Step A10: Detect the password protection coverage and compliance of the protection password throughout the entire data lifecycle to determine the first assessment result.
[0032] Step A20: Scan the code configuration file and storage space of the evaluated side to check the correctness of the key and random number configuration and determine the second evaluation result; the correctness of the configuration includes the correctness of the key type, the correctness of the key lifecycle, the correctness of the encryption working mode, and the correctness of the random number usage.
[0033] Step A30: Monitor the data transmission behavior of the evaluated side. If the evaluated side is detected to be attempting to send data containing data fingerprints to unauthorized external storage media or to send data through non-whitelisted channels, then monitor the DLP system logs of the evaluated side.
[0034] Step A40: Determine the third evaluation result based on the generation of the corresponding alarm log in the DLP system log of the evaluated side.
[0035] Step A50: Obtain the metadata tags of the data assets on the evaluated side.
[0036] Step A60: Match the hash values of the metadata tags with the corresponding standard data tags to determine the fourth evaluation result.
[0037] Step S30 includes step B10: Step B10: Based on the first, second, third, and fourth evaluation results, determine the data security capability index using a weighted algorithm.
[0038] Step S40 includes steps C10 to C30: Step C10: If the data security capability index is higher than the first preset threshold, then open the plaintext data interface through the data exchange gateway. Step C20: If the security capability index is not higher than the first preset threshold but higher than the second preset threshold, then the data to be transmitted is sent after dynamic desensitization processing. Step C30: If the security capability index is lower than the second preset threshold, then proceed through the data exchange gateway.
[0039] Furthermore, this embodiment also provides an offline management mechanism to avoid the scenario where the above-mentioned online mechanism fails in extreme cases. Specifically, for the five Internet scenarios, the method also adopts steps D10 to D50: Step D10: Generate a one-time random number (Nonce) and store it as a challenge value in the offline toolkit to prevent replay attacks.
[0040] Step D20: Deploy the offline toolkit on the evaluated side and execute step S30 to package the security assessment results into a security evidence package.
[0041] Step D30: Use the private key built into the offline toolkit to digitally sign the secure evidence package and the one-time random number to obtain the signature file.
[0042] Step D40: After obtaining the security evidence package and signature file, verify the validity of the signature and the random number matching using the corresponding public key, and determine whether to import it into the evaluation database based on the matching result.
[0043] Specifically, this implementation method refines step S20 to construct a multi-dimensional technical verification matrix. In step A10, the system first macroscopically reviews whether the evaluated side has implemented cryptographic protection for sensitive data throughout its entire lifecycle, including transmission, storage, use, and destruction, and verifies whether the algorithm used complies with national cryptographic standards and other compliance benchmarks, thus forming the first evaluation result. In step A20, the system further delves into the underlying technical details, performing a micro-audit on the correctness of key and random number configurations by scanning code configuration files and storage space. This includes verifying whether the key type matches the application scenario, whether key lifecycle management includes regular rotation, whether the encryption working mode avoids known weak modes such as ECB, and whether the random number generator has sufficient entropy. The resulting second evaluation result effectively addresses compliant but vulnerable technical vulnerabilities.
[0044] To address the risk of data loss of control during data transfer, steps A30 and A40 establish a collaborative mechanism for behavior monitoring and capability verification. When the assessed party attempts to transfer sensitive assets containing data fingerprints through non-whitelisted channels or to unauthorized storage media, the system does not immediately make a definitive judgment. Instead, it simultaneously retrieves the logs of its internally deployed DLP system. By comparing whether the vendor's own defense system generates corresponding alarms, the system determines whether its data transfer control capabilities are truly effective, thus deriving a third assessment result reflecting the level of proactive defense. Simultaneously, steps A50 and A60 extract metadata tags from the assessed party's data assets and match them with the standard data tags issued by the client using privacy-preserving hash values. This ensures that highly sensitive data is not arbitrarily downgraded after being transferred to the vendor's side, forming a fourth assessment result to verify the consistency of classification and grading.
[0045] In the quantitative assessment and control linkage phase, step B10 scientifically weights the assessment results of the above four dimensions to calculate a data security capability index that comprehensively reflects the security level of Party B. This index directly determines the permission allocation logic of steps C10 to C30: when the index is higher than the first preset threshold, the system determines that the environment is highly trustworthy and opens the plaintext data interface; if the index drops to between the two thresholds, dynamic desensitization processing is automatically triggered to reduce interaction risks according to the principle of minimum necessary use; and once the index falls below the second preset threshold, the gateway will implement strict access restrictions or block downloads according to the policy of step C30, thereby achieving instantaneous circuit breaking of risks at the technical level.
[0046] To ensure comprehensive regulatory coverage, steps D10 to D50 in this implementation provide a reliable offline management method for scenarios without internet access or physical isolation. By pre-setting a one-time random number (Nonce) as a challenge value in step D10, the system can effectively resist replay attacks targeting offline reports. After performing the evaluation and generating a secure evidence package in the offline environment, step D30 uses the private key built into the offline toolkit to digitally sign the evidence package and the challenge value, ensuring the integrity and immutability of the evidence during physical transfer. Finally, in step D40, the client verifies the signature using the public key and checks the random number matching. Only after confirming the authenticity and validity of the evidence can it be imported into the database for subsequent index calculations and management decisions, achieving a dual-mode complementarity of online real-time monitoring and offline lightweight verification.
[0047] For ease of understanding, the following implementation examples further illustrate this application: This example provides an enterprise data security utilization and management capability assessment system for supply chain collaboration. The system adopts a cloud-edge-device collaborative architecture and supports both online real-time monitoring and offline lightweight verification modes. The system includes a security assessment and management platform deployed on the client's side, a lightweight security probe deployed on the vendor's side (online mode), and an offline verification toolkit (offline mode).
[0048] The specific execution flow of the system is as follows: The platform defined a data classification, grading, and labeling system and a baseline for cryptographic algorithms (including algorithm type, key length, working mode, random number requirements, etc.).
[0049] The strategy is generated into an encrypted configuration file and sent to the vendor's security probe via a secure channel.
[0050] The strategy is embedded into an "offline verification toolkit," which includes the client's public key and a time synchronization mechanism. The toolkit is then distributed to the vendor via physical media or QR codes.
[0051] Automated lifecycle cryptographic compliance and correctness testing by vendor probes or offline toolkits performs the following tests through system API hooking, static configuration scanning, or traffic analysis: Identify and detect whether data is password protected throughout its entire lifecycle.
[0052] It is necessary to determine whether the cryptographic algorithms used are compliant and whether the products and services are compliant.
[0053] Scan the code configuration files and storage space to detect the presence of plaintext keys and random numbers.
[0054] Analyze the encryption configuration to detect whether an insecure working mode (such as ECB mode) is being used, and force the use of authentication or randomization modes such as CBC / GCM.
[0055] Monitor the usage of initialization vectors and random number generators, and detect whether there is reuse or random number entropy through statistical tests.
[0056] Verify whether the verification key is rotated regularly and whether the expired key has been destroyed by a secure command.
[0057] It covers all stages, including transmission, storage, use, and destruction. The test results generate structured logs, marking "compliant but incorrect" risk items.
[0058] When the B party's terminal inserts a removable storage medium, hardware fingerprint recognition, encryption status detection, and content sensitivity level scanning (matching the A party's data fingerprint) are performed. If highly sensitive data is detected attempting to be copied to an unauthorized plaintext medium, it is automatically blocked and logged.
[0059] The vendor's probes deploy traffic analysis engines at the network boundary and terminal application layer: When the client distributes data, it embeds invisible digital watermarks or generates data fingerprints. The probes monitor outbound traffic (HTTP / HTTPS, SMTP, IM protocols, etc.) to identify whether the traffic contains the client's data fingerprints. They also monitor the process behavior of common outbound channels. If traffic containing the client's data fingerprints attempts to be sent through a non-whitelisted channel, it is determined to be unauthorized outbound behavior. The probes also monitor the DLP system logs deployed by the vendor. If the probes detect outbound risks but the vendor's DLP does not generate an alert, the vendor's outbound control capabilities are deemed to be ineffective.
[0060] The probe extracts metadata tags from the vendor's data assets. To prevent leakage of the vendor's data content, the system calculates hash values for both the client's standard tags and the vendor's actual tags. The hash values are then compared. If a field marked as "core data" by the client has a hash match result of "general data" on the vendor's side, it is determined to be "inconsistent in classification."
[0061] For scenarios such as those without network access, small and medium-sized enterprises, or construction sites, Party A's platform generates a one-time random number (Nonce) as a challenge value. Party B's offline toolkit must include the Nonce in the detection report to prevent replay attacks. The toolkit automatically executes the detection logic, packaging the detection results, system log screenshots, and configuration snapshots into a security evidence package. The toolkit uses its built-in private key or a key generated based on device hardware characteristics to digitally sign the security evidence package and the Nonce. Party B delivers the security evidence package and signature file to Party A via an encrypted USB drive, QR code, or offline CD. Upon receiving the evidence package, Party A's platform verifies the signature validity and Nonce matching using the corresponding public key. After successful verification, the data is imported into the evaluation database.
[0062] Furthermore, in this example, the probe can automatically read the vendor's backup system logs, calculate the hash value of the backup data, and compare it with the source data to verify whether the backup is complete and undamaged. In the isolated sandbox environment, a data recovery script is automatically triggered, recording the recovery time to execution (RTO) to verify the script's executableness and error-free nature. The system periodically sends simulated security event signals to check whether the vendor receives notifications via SMS, email, or API alarm interfaces within a set time. An emergency response capability index is generated based on backup availability, recovery time, and alarm arrival rate.
[0063] The supplier (Party B) uploads compliance documents for the security product. The system uses OCR combined with digital signature verification technology (verifying the issuing authority's signature) to parse the product model, serial number, validity period, and issuing authority in the document. The system calls the public API interface of the issuing authority (such as the State Cryptography Administration or CNAS) to verify the authenticity and status (revocation) of the compliance document. If the verification is successful, the system binds the security product's serial number to the data flow path of Party B processing Party A's data. For data flows passing through verified compliant products, the system gives a "compliance trust bonus" when calculating the security capability index. For example, if the data is processed by an encryption machine that has passed the national cryptographic level 2 certification, the weight of the "cryptographic compliance rate" of that part of the data is automatically increased.
[0064] The platform receives the aforementioned test data and calculates the Data Security Capability Index (SCI) using a weighted algorithm. It is represented as: SCI = w1 × Password Compliance Accuracy Rate + w2 × Media Control Score + w3 × Hierarchical Consistency Score + w4 × Outbound Risk Rate + w5 × Emergency Response Score + w6 × Product Compliance Trust Score Risk event deduction points For offline mode, a data timeliness coefficient is introduced; the longer the offline time, the lower the coefficient.
[0065] The platform will synchronize the SCI scores to the data exchange gateway in real time.
[0066] If SCI > Threshold A: The gateway opens the plaintext / high-privilege data interface.
[0067] If Threshold B < SCI ≤ Threshold A: The gateway forces the data to be dynamically desensitized or adds digital watermarks.
[0068] If SCI ≤ Threshold B: The gateway automatically blocks the data download interface and only allows online preview.
[0069] Automatic recovery: When Party B repairs the vulnerability and the SCI score rebounds, the system automatically restores the original permissions.
[0070] The application scenarios of this example are as follows: Scenario 1: There is a system scenario (online real-time monitoring) Scenario description: Party B is a large supplier with a complete ERP system and a stable network environment. The device is connected to it through a communication interface. Implementation process: Deployment: The security assessment device issues an installation package of "lightweight security probes" to Party B's server through the Internet.
[0071] Collection: The probe hooks Party B's database and network interfaces, and real-time collects password call logs, outbound traffic characteristics, and backup system status, and uploads them to the device through the communication interface.
[0072] Verification: The device processor analyzes the data and finds that although Party B uses the SM4 algorithm, a hard-coded key (correctness defect) is detected in the code, and the backup recovery script execution fails (emergency defect).
[0073] Decision: The device automatically calculates that the SCI score drops, and sends an instruction to the data gateway through the communication interface to downgrade the data interface permission for this Party B from "plaintext download" to "online preview".
[0074] Recovery: After Party B repairs the key management and verifies the recovery script, the probe reports normally, and the device automatically restores the permissions.
[0075] Scenario 2: Offline scenario (construction site / device without network) Scenario description: Party B is the project department of a construction site, uses a single computer to process drawings, has no Internet connection, and the device is connected to it through a physical data import interface. Implementation process: Tool generation: The security assessment device generates an "offline verification toolkit" embedded with the current timestamp and a random number (Nonce), and copies it to an encrypted USB flash drive through the physical data import interface (such as a USB port).
[0076] On-site execution: Party B runs the toolkit on the single computer at the construction site. The toolkit locally detects the password configuration, medium usage, and classification and grading labels, and generates a "security evidence package".
[0077] Signature solidification: The toolkit uses the local private key to digitally sign the evidence package and the Nonce, preventing offline tampering.
[0078] Physical transfer: Party B will bring the USB flash drive back to Party A's site and insert it into the physical data import interface of the safety assessment device.
[0079] Signature verification and data entry: The device processor verifies the validity of the signature and the matching of the nonce (to prevent replay). After confirming that there are no errors, the data is imported and the SCI score is calculated.
[0080] Application of results: If the score is qualified, the device generates a "data unlock code", which the client can use to decrypt and view the drawings on a standalone machine; if the score is unqualified, the device does not generate an unlock code, and the data cannot be used.
[0081] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the method for assessing the enterprise data security management capabilities of this application. Any simple modifications based on this technical concept are within the scope of protection of this application.
[0082] This application also provides an enterprise data security management capability assessment system; please refer to [reference needed]. Figure 2 The enterprise data security management capability assessment system includes: Project Determination Module 10 is used to determine the security evaluation items for the cryptographic product to be tested; The model building module 20 is used to build a safety measurement model; the output value of the safety measurement model is a safety quantification value, which is determined based on the sum of the input parameters of the safety measurement model. The input parameter determination module 30 is used to determine the input parameters based on the measurement uncertainty of the cryptographic operation component of the cryptographic product under test under various security evaluation items. The detection module 40 is used to determine the weight of each input parameter of the security measurement model, fill the input parameters into the security measurement model, and obtain the security quantification value of the cryptographic product under test as the evaluation result of the enterprise data security management capability of the cryptographic product under test.
[0083] The enterprise data security management capability assessment system provided in this application, employing the enterprise data security management capability assessment method described in the above embodiments, can solve the technical problem of low data management security in relevant enterprises. Compared with related technologies, the beneficial effects of the enterprise data security management capability assessment system provided in this application are the same as those of the enterprise data security management capability assessment method described in the above embodiments, and other technical features of the enterprise data security management capability assessment system are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.
[0084] This application provides an enterprise data security management capability assessment device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to perform the enterprise data security management capability assessment method described in the above embodiment.
[0085] The following is for reference. Figure 3 The diagram illustrates a structural schematic of an enterprise data security management capability assessment device suitable for implementing embodiments of this application. The enterprise data security management capability assessment device in this application may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players), and in-vehicle terminals (e.g., in-vehicle navigation terminals), as well as fixed terminals such as digital TVs and desktop computers. Figure 3 The enterprise data security management capability assessment device shown is merely an example and should not impose any limitations on the functionality and scope of application of the embodiments in this application.
[0086] like Figure 3As shown, the enterprise data security management capability assessment device may include a processing unit 1001 (e.g., a central processing unit, a graphics processing unit, etc.), which can perform various appropriate actions and processes according to programs stored in read-only memory 1002 (ROM) or programs loaded from storage device 1003 into random access memory 1004 (RAM). The random access memory 1004 also stores various programs and data required for the operation of the instructional video generation device. The processing unit 1001, read-only memory 1002, and random access memory 1004 are interconnected via bus 1005. Input / output interface 1006 (I / O interface) is also connected to bus 1005. Typically, the following systems can be connected to the input / output interface 1006: input devices 1007 including, for example, a touchscreen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; output devices 1008 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 1003 including, for example, magnetic tape, hard disk, etc.; and communication devices 1009. Communication device 1009 allows the instructional video generation device to communicate wirelessly or wiredly with other devices to exchange data. Although instructional video generation devices with various systems are shown in the figure, it should be understood that it is not required to implement or possess all the systems shown. More or fewer systems can be implemented alternatively.
[0087] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from read-only memory 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.
[0088] The enterprise data security management capability assessment device provided in this application, employing the enterprise data security management capability assessment method described in the above embodiments, can solve the technical problem of low data management security in relevant enterprises. Compared with related technologies, the beneficial effects of the enterprise data security management capability assessment device provided in this application are the same as those of the enterprise data security management capability assessment method provided in the above embodiments, and other technical features of the enterprise data security management capability assessment device are the same as those disclosed in the method of the previous embodiment, and will not be repeated here.
[0089] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.
[0090] The above are merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0091] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon, the computer-readable program instructions being used to execute the enterprise data security management capability assessment method described in the above embodiments.
[0092] The computer-readable storage medium provided in this application may be, for example, a USB flash drive, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems or devices, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.
[0093] The aforementioned computer-readable storage medium may be included in the enterprise data security management capability assessment equipment; or it may exist independently and not be assembled into the enterprise data security management capability assessment equipment.
[0094] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0095] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0096] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.
[0097] The readable storage medium provided in this application is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described enterprise data security management capability assessment method, thereby solving the technical problem of low data management security in related enterprises. Compared with related technologies, the beneficial effects of the computer-readable storage medium provided in this application are the same as those of the enterprise data security management capability assessment method provided in the above embodiments, and will not be repeated here.
[0098] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the enterprise data security management capability assessment method described above.
[0099] The computer program product provided in this application can solve the technical problem of low data security in relevant enterprises. Compared with related technologies, the beneficial effects of the computer program product provided in this application are the same as those of the enterprise data security management capability assessment method provided in the above embodiments, and will not be repeated here.
[0100] The above are only some embodiments of this application and do not limit the patent scope of this application. All equivalent structural transformations made under the technical concept of this application and using the contents of the specification and drawings of this application, or direct / indirect applications in other related technical fields, are included in the patent protection scope of this application.
Claims
1. A method for assessing an enterprise's data security management capabilities, characterized in that, The method includes: The security management policy is transmitted online in encrypted form to a lightweight security probe deployed on the evaluated side; The lightweight security probe collects security operation characteristic data of the evaluated side throughout the data lifecycle and performs security assessment on the security operation characteristic data based on the security management strategy to obtain security assessment results. Calculate the data security capability index of the evaluated side based on the security assessment results; The data access permissions of the evaluated side are dynamically adjusted based on the data security capability index.
2. The enterprise data security management capability assessment method as described in claim 1, characterized in that, The step of performing a security assessment on the security operation characteristic data based on the security management strategy and obtaining the security assessment result includes: The first assessment result is determined by assessing the password protection coverage and compliance of the protection passwords throughout the entire lifecycle of the test data. The code configuration files and storage space of the evaluated side are scanned to check the correctness of the key and random number configuration and determine the second evaluation result; the correctness of the configuration includes the correctness of the key type, the correctness of the key lifecycle, the correctness of the encryption working mode, and the correctness of the random number usage.
3. The enterprise data security management capability assessment method as described in claim 2, characterized in that, The data sent to the evaluated side includes a data fingerprint. The step of performing a security assessment on the security operation characteristic data based on the security management policy and obtaining the security assessment result further includes: Monitor the data transmission behavior of the evaluated side. If the evaluated side is detected to be attempting to send data containing the data fingerprint to an unauthorized external storage medium or to send data through a non-whitelisted channel, then monitor the DLP system log of the evaluated side. The third evaluation result is determined based on the generation of corresponding alarm logs in the DLP system log of the evaluated side.
4. The enterprise data security management capability assessment method as described in claim 3, characterized in that, The step of performing a security assessment on the security operation characteristic data based on the security management strategy and obtaining the security assessment result further includes: Obtain the metadata tags of the data assets on the evaluated side; The hash values of the metadata tags are matched with the corresponding standard data tags to determine the fourth evaluation result.
5. The enterprise data security management capability assessment method as described in claim 4, characterized in that, The step of calculating the data security capability index of the evaluated side based on the security assessment results includes: Based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result, the data security capability index is determined by a weighted algorithm.
6. The enterprise data security management capability assessment method as described in claim 5, characterized in that, The step of dynamically adjusting data access permissions for the evaluated side based on the data security capability index includes: If the data security capability index is higher than the first preset threshold, then the plaintext data interface is opened through the data exchange gateway; If the security capability index is not higher than the first preset threshold but higher than the second preset threshold, then the data to be transmitted is sent after dynamic desensitization processing. If the security capability index is lower than the second preset threshold, then the data exchange gateway will be used.
7. A system for assessing enterprise data security management capabilities, characterized in that, The system includes: The policy deployment module is used to transmit security management policies online in encrypted form to lightweight security probes deployed on the evaluated side; The security assessment module is used to collect security operation feature data of the assessed side throughout the entire data lifecycle through the lightweight security probe, and to conduct a security assessment on the security operation feature data based on the security management strategy to obtain the security assessment result. The result determination module is used to calculate the data security capability index of the evaluated side based on the security assessment results. The access control module is used to dynamically adjust the data access permissions of the evaluated side based on the data security capability index.
8. A device for assessing enterprise data security management capabilities, characterized in that, The device includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the enterprise data security management capability assessment method as described in any one of claims 1 to 6.
9. A storage medium, characterized in that, The storage medium is a computer-readable storage medium, and a computer program is stored on the storage medium. When the computer program is executed by a processor, it implements the steps of the enterprise data security management capability assessment method as described in any one of claims 1 to 6.