
Security risk assessments to be carried out on smart car data
China Automobile Association issues the Guidelines for Data Security Assessment of Intelligent and Connected Vehicles (Draft for Solicitation of Comments)
Text/Figure Yangcheng Evening News reporter Qi Yaoqi
A few days ago, the China Automobile Association issued the "Guidelines for Data Security Assessment of Intelligent and Connected Vehicles (Draft for Comment)". According to the document, there are three types of data security assessment for intelligent and connected vehicles: data security risk assessment, data security compliance assessment, and data outbound security assessment. The document applies to data security assessments that organizations in the intelligent and connected vehicle sector carry out on their own, and it can also serve as a reference for competent departments, third-party evaluation agencies and other organizations carrying out data security inspection, evaluation and supervision of intelligent and connected vehicles.
It is worth noting that the document defines the data categories in detail. "Personal information" refers to various information, recorded electronically or otherwise, that relates to an identified or identifiable owner, driver, passenger, person outside the vehicle, etc., excluding anonymized information. "Sensitive personal information" refers to personal information that, once leaked or illegally used, may result in discrimination against the owner, driver, passenger, person outside the vehicle, etc., or seriously endanger the safety of persons and property, including information such as vehicle trajectory, audio, video, images, and biometric features. "Important data" includes geographic information, personnel flow, vehicle traffic and other data in important sensitive areas; data reflecting economic operation, such as vehicle traffic and logistics; operation data of automobile charging networks; video and image data captured outside the vehicle that contain face information and license plate information; and personal information involving more than 100,000 personal information subjects, etc. Leakage of this important data would pose a threat to national security and public interests.
Therefore, data must undergo a security risk assessment that analyzes the importance of digital assets, the threats and the vulnerabilities, and evaluates the enterprise's data security risks. It must also undergo a data security compliance assessment that determines whether the data processing activities for intelligent and connected vehicles meet the relevant laws, regulations, standards and management requirements, and evaluates the reasonableness and effectiveness of the enterprise's data security management measures.
The treatment of risks generally includes acceptance, reduction, transfer, avoidance, etc. Security rectification is a commonly used risk reduction method in risk management, and the risk assessment needs to put forward security rectification suggestions. These suggestions should weigh the severity of the security risk, the difficulty of implementing the reinforcement measures, the urgency of reducing the risk, the personnel required and the financial cost. For security risks that are very serious, need to be reduced immediately, and for which reinforcement measures are easy to implement, it is recommended that the assessed enterprise take immediate security rectification measures.
Based on the risk assessment report, the enterprise should formulate a corresponding risk treatment plan, clarify the risk treatment method, and determine the risk treatment measures to avoid the corresponding data security risks. At the same time, the risk assessment work should be recorded, and assessment and verification should be carried out regularly to determine whether the risk treatment measures are effective and whether new risks have appeared, so that the assessment work and treatment measures are continuously improved.