Overview

Digital development is a global trend. With the rapid progress and spread of digital technology, more and more people's lives and work rely on it. As an important part of digital development, digital security ensures the security and stability of the digital environment. The Global Digital Compact is a framework that provides all international cooperation with a common principle for an open, free and secure digital future. Digital security is a significant part of the Global Digital Compact, with the purpose of ensuring the security of the digital environment, the protection of privacy, and the sustainable development of digital technologies.

CSA GCR proposed a digital security framework and released a global digital security report, and the report provided recommendations in four directions: standards, cooperation, rights and interests, and applications. CSA GCR recommends establishing globally unified digital security standards, improving the system of compliance and regulatory rules for the whole process of globally recognized data, and strengthening cooperation among countries to jointly deal with human digital risks. Meanwhile, it is necessary to build a system to protect the rights and interests of data owners, enabling the use of data globally in legal and compliant ways, and promoting the secure application of digital technology.

Table of Contents

Overview
Chapter 1 | Global Digital Security Framework Top-level Architecture
1.1 | Definition of digital security
1.2 | REE digital security framework
Chapter 2 | Digital Security and Data Protection Domain Core Principles and Key Actions
2.1 | One unified global digital security standard to maintain the consistency, complementarity, and interoperability of digital security
2.2 | Strengthen international cooperation to address common digital risks
2.3 | Establish the basic data protection system to protect the rights and interests of data owners, and enable the legitimate use of data globally
2.4 | Establish a secure, controllable, and resilient data governance system to promote the application of digital technologies securely
Chapter 3 | Introduction to Cloud Security Alliance Greater China Region
3.1 | CSA released standards
3.2 | CSA released courses

Chapter 1 | Global Digital Security Framework Top-level Architecture

1.1 | Definition of digital security

Digital security refers to the collection of all security elements, behaviors and states related to digitalization in the digital age, including not only the security of the digital economy but also the use of digital technology in the field of security. Digital security takes digital identity as its core and native security as its base, covering information security, network security, data security, privacy protection and other fields or scenarios, and can be extended (for example, to Metaverse security). In addition, digital security also includes the use of digital technology to ensure the physical security of digital infrastructure. Although digital security pays more attention to the digital economy and digital technology, it is also similar to cybersecurity, which emphasizes national cyber sovereignty in terms of law, standards and technology. The definition of digital security is shown in figure 1:

The Principle of Zero Trust: zero trust is the highest-level digital security strategy; through the digital security technology stack it is used to protect the safety of data in the digital world.

Cyber Security: ensures the security of the hardware and software of the network system; the responsibility of the CSO, CTO, etc.

Information Security: ensures the security of all valuable information; the responsibility of the CISO, CIO, etc.

Data Security: ensures the security and compliance of data throughout its lifecycle; the responsibility of the CDO, CIO, CISO, CSO, etc.

Privacy Protection: protects users' privacy and personal information; the responsibility of the CPO, DPO, etc.

Metaverse Security: ensures the security of parallel universes that are born from and blend the virtual and the real, carried in digital form; it is also the main field into which digital security will expand in the future.

Digital Identity: as the base connecting security and business, it provides digital identification, authentication and access lifecycle management for all people, digital people, objects, devices, etc.

Native Security: native security includes the native security of the systems involved in cloud computing, big data, AI, 5G/6G, IoT, blockchain, quantum computing and other emerging technologies. It is the base of digital security and needs the support of hardware roots of trust.

1.2 | REE digital security framework

REE Digital Security Framework

Regulation Layer: the rule layer is the strategic guidance of the digital security framework, and mainly includes digital security law, digital security governance, digital security standards and so on. This layer needs to solve the problems of digital security laws, regulations, rules, policies, supervision and standards, so as to provide strategic guidance for the digital security construction and compliance governance of the organization.

Execution Layer: the enforcement layer covers all the resources and tools needed to implement the rule layer and the specific actions for using those resources and tools, including the implementation of digital security technology, digital security solutions and products, digital security services, digital security education and so on. This layer needs to solve problems such as the research and progress of digital security technology, the development and application of digital security solutions and products, the development of digital security services (such as security consulting, security operations, etc.), the cultivation of digital security talent, and so on. It is the core by which an organization achieves its digital security goals.

Evaluation Layer: the evaluation layer evaluates, verifies and examines the digital security maturity of the organization, including digital security awards, digital security rankings, digital security certification, digital security cases and so on. This layer needs to continuously evaluate the digital security capability of the organization through security certification, audit and evaluation, so as to drive continuous improvement and achieve a closed security loop from rules, through implementation and evaluation, to improvement. In addition, market promotion and guidance are carried out through digital security awards, digital security rankings and quadrants, and the sharing of excellent digital security cases, so as to promote the development of the digital security industry.

Chapter 2 | Digital Security and Data Protection Domain Core Principles and Key Actions

2.1 | One unified global digital security standard to maintain the consistency, complementarity, and interoperability of digital security

Recommendations for action:

Governments should adopt a comprehensive framework at the national level to manage the various country-level digital security risks, and strengthen them together in a managed way. The framework and implementation policy should be transparent, and the digital security framework provided by the CSA GCR will be a reliable reference for developing the comprehensive framework. A well-established and transparent government digital security framework should be regularly reviewed by authorized stakeholders from within and outside the country; it can be improved based on experience and best practices, and it can be benchmarked and measured against one international standard where possible.

Based on that, the United Nations should provide a platform to show the status of different countries' digital security risk assessments, and ensure it is well balanced among different competing policy objectives.

International rules and digital technology standards for data flow, data security, certification, evaluation, and digital currency should be formulated or revised according to the Global Digital Compact.

2.2 | Strengthen international cooperation to address common digital risks

Recommendations for action:

If countries need to perform data forensics services across borders for law enforcement, they should resolve it through international judicial assistance channels or other relevant multilateral and bilateral agreements. The conclusion of bilateral agreements on cross-border data collection between countries must not infringe upon the judicial sovereignty and data security of any third country.

Coordinate and cooperate on managing challenges and threats to global information security and data security.

Take measures to prevent and manage the use of information technology for cybercrime and terrorist activities at the national, regional and global levels.

2.3 | Establish the basic data protection system to protect the rights and interests of data owners, and enable the legitimate use of data globally

Recommendations for action:

It is recommended that the United Nations take the lead in establishing a secure and well-managed mechanism for cross-border data transfer. The UN should make a great effort to improve a globally consistent authorization mechanism for protecting rights to public data, enterprise data, and personal information data.

The UN should take note of the trend in which data, as a new factor of production, could be transferred and even traded globally in the future, while international norms in this area remain scarce. In the future, the UN should play a central role in carrying out international exchanges and cooperation in data interaction, business interoperability, mutual recognition of supervision, and service sharing, and in promoting the construction of cross-border digital trade infrastructure.

Countries should respect the sovereignty, jurisdiction and data security management of other countries, and shall not directly access data located in other countries from enterprises or individuals without the permission of the laws of those countries.

It is not allowed to misuse information technology to destroy critical infrastructure or steal important data from other countries, nor to use information technology to engage in acts that endanger the national security and public interests of other countries.

All countries undertake to take measures to prevent and stop the use of the Internet to infringe on personal information, and oppose the misuse of information technology to engage in large-scale surveillance against other countries and the illegal collection of personal information of citizens of other countries.

2.4 | Establish a secure, controllable, and resilient data governance system to promote the application of digital technologies securely

Recommendations for action:

Improve the compliance and regulatory system so that the whole data lifecycle process is globally recognized.

Information technology product and service suppliers shall not place backdoors in products and services to illegally obtain user data or to control or manipulate user systems and equipment.

Information technology enterprises should not take advantage of users' loyalty to products to seek improper benefits, or force users to upgrade systems or replace them.

The product supplier undertakes to inform partners and users of the security defects or vulnerabilities of the product in a timely manner and to propose remedial measures.

Supply chain security is the foundation for the stable operation of global digital networks and key facilities, and is of decisive significance for promoting network interconnection and benefit. Network security vulnerabilities are an important risk to supply chain security, and the vulnerability management of general and basic network applications should be considered a global public good; the network risk of security vulnerabilities should be reduced in a coordinated manner, overall rather than partial, universal rather than differentiated.

Chapter 3 | Introduction to Cloud Security Alliance Greater China Region

Cloud Security Alliance (CSA), an international technical standards organization in the field of network security, was formally established in 2009. It is committed to defining and improving the industry's understanding of best practices for cloud computing and next-generation digital technology security, and to promoting the development of the digital technology and security industry.

The International Cloud Security Alliance Greater China Region (CSA GCR), one of the four global regions of CSA (the other regions are the Americas, Asia-Pacific and Europe-Africa regions), was officially registered in Hong Kong in 2016, and was registered and established in mainland China in 2021 with the support of the Ministry of Industry and Information Technology of China, the Ministry of Public Security and the Office of Internet Information Technology. It is the first and only international NGO registered in China in the field of network security.

The CSA Institute is the core competitiveness by which CSA maintains its leading and authoritative position, and its research agility, professionalism and integrity have been recognized by the industry. The Institute has 83 research working groups carrying out comprehensive research on cloud computing and next-generation digital technology security. The Institute has output more than 500 research results and has more than 60,000 registered experts and 130,000 community professionals.

There are 12 research working groups of CSA GCR, which have output more than 100 industry guides in the areas of cloud security, Internet of Things security, data security, zero trust, privacy technology, and more, and more than 1,000 registered experts in China, including academicians, professors, public institution experts, scientific researchers, enterprise technology executives, security experts and other experts who have worked for more than 10 years.

CSA SECtember is the largest international conference on cloud security. CSA GCR Congress, EMEA Congress and APAC Congress are important conferences in all regions.

3.1 | CSA released standards

No. | Standard Name | Standard Type
1 | Cloud Controls Matrix (CCM) | International Standard
2 | Cloud Computing Security Technology Requirements (CSTR) | Industry standard
3 | Cloud Security Capability Maturity Model Integration Assessment Guidance (CS-CMMI) | Industry standard
4 | Software-Defined Perimeter (SDP) Specification | International Standard
5 | Cloud Application Security Technology (CAST) Specification | Industry standard
6 | Cloud Native Security Technology (CNST) Specification | Industry standard
7 | Internet of Things (IOT) Security Specification | Industry standard
8 | Basic Information Security Test Benchmark of Mobile App | Industry standard
9 | Smart Contract Security Technical Specification | Industry standard
10 | Zero Trust Maturity Model | Industry standard

3.2 | CSA released courses

Certificate of Cloud Security Knowledge (CCSK)
Advanced Cloud Security Expert (ACSE)
Certified Cloud Penetration Test Professional (CCPTP)
Advanced Cloud Security Practitioner (ACSP)
Certificate of Cloud Auditing Knowledge (CCAK)
Certified Cloud Security Management Professional (CCSMP)
Certified Zero Trust Professional (CZTP)
Certified Blockchain Professional (CBP)
Certified Data Security Professional (CDSP)
Certified Data Protection Officer (CDPO)
GDPR Lead Auditor

Acknowledgement

Amandeep Singh Gill, Under-Secretary-General of the United Nations and Special Envoy for Science and Technology of the Secretary-General, supported and guided the CSA GCR in participating in this work. Peter Major, Chairman of the Commission on Science and Technology for Development and Honorary President of the United Nations Digital Security Alliance, supported and guided the CSA GCR in carrying out digital security work. Chen Zhimin, Deputy Director of the CPPCC Social and Legal Committee and Chairman of the China Association for Friendship, supported and guided the CSA GCR in carrying out data security research. The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security of the People's Republic of China and the leaders of relevant departments supported and guided the development of the CSA GCR, and the member units and experts of the Alliance actively participated in and strongly supported the research work of the CSA GCR.

Members of the editorial board of the Proposal for the Global Digital Compact: Li Yuhang, Lv Lixiao, Jia Liangyu, Guo Pengcheng, Xu Mudi, Chen Benfeng, Zhang Miao, Yuan Hao, Gu Wei, Ou Jianjun, Shi Yuhang, Wang Yumeng, Ye Xiaoqian, Zhang Wenjuan