• Latest
  • Trending
  • All
  • News
  • Business
  • Politics
  • Science
  • World
  • Lifestyle
  • Tech
SafeBreach Enters Into Strategic Partnership with Microsoft

How to Manage IT Compliance Requirements in China

January 13, 2021
Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

February 24, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

February 24, 2021
Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

February 23, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

February 23, 2021
How to use Microsoft Sysmon, Azure Sentinel to log security events

OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

February 22, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

February 22, 2021
8×8 makes raft of updates to platform

Indonesian Mobile Operator Selects NTT for Microsoft Security Project

February 22, 2021
Microsoft To Build New Azure Cloud Data Centers In Greece

NTT completes Microsoft security project for Indonesian mobile operator

February 19, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Data insights without limit, security without compromise

February 18, 2021
8×8 makes raft of updates to platform

What Is Object Storage?

February 17, 2021
Microsoft To Open Azure Cloud Data Center Region In Spain

EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

February 17, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Azure Firewall Premium now in preview

February 17, 2021
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Thursday, February 25, 2021
  • Login
Azure Security News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
    • Home – Layout 4
    • Home – Layout 5
  • News
    • All
    • Business
    • Politics
    • Science
    • World
    Innovative solutions for IT workers at home

    ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

    A moment of reckoning: the need for a strong and global cybersecurity response

    ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

    Innovative solutions for IT workers at home

    SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

    8×8 makes raft of updates to platform

    Indonesian Mobile Operator Selects NTT for Microsoft Security Project

    Microsoft To Build New Azure Cloud Data Centers In Greece

    NTT completes Microsoft security project for Indonesian mobile operator

    A moment of reckoning: the need for a strong and global cybersecurity response

    Data insights without limit, security without compromise

    8×8 makes raft of updates to platform

    What Is Object Storage?

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Firewall Premium now in preview

    Microsoft’s CyberX Acquisition Boosts Security of Azure IoT Lineup

    Global Industrial Cybersecurity Market By Offering Type, By Security Type, By End User, By Region, Industry Analysis and Forecast, 2020 – 2026

    Trending Tags

    • Donald Trump
    • Future of News
    • Climate Change
    • Market Stories
    • Election Results
    • Flat Earth
  • Tech
    • All
    • Apps
    • Gear
    • Mobile
    • Startup
    How to use Microsoft Sysmon, Azure Sentinel to log security events

    OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

    Microsoft To Open Azure Cloud Data Center Region In Spain

    EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Engineer at VillageMD

    Innovative solutions for IT workers at home

    How to Sync On-Premise Active Directory Passwords with Office 365 and Google Apps in Real-Time

    Microsoft Azure Forms Collaboration to Enhance AI in Healthcare

    Azure Defender is now available for all IoT and OT devices

    Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

    Google and Microsoft ID Group Targeting Security Researchers

    Innovative solutions for IT workers at home

    Microsoft Releases Application Guard for Office, Plus Azure Security Center and Azure Defender for IoT Products

    Microsoft spins off security, compliance bits from Microsoft 365’s priciest plan for E3 customers

    Show your HR backups the back door

    How to use Microsoft Sysmon, Azure Sentinel to log security events

    The Hack Roundup: Biden Orders Intel Assessment of Suspected Russian Malfeasance

    Trending Tags

    • Flat Earth
    • Sillicon Valley
    • Mr. Robot
    • MotoGP 2017
    • Golden Globes
    • Future of News
  • Entertainment
    • All
    • Gaming
    • Movie
    • Music
    • Sports
    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Meet the woman who’s making consumer boycotts great again

    New campaign wants you to raise funds for abuse victims by ditching the razor

    Twitter tweaks video again, adding view counts for some users

    A beginner’s guide to the legendary Tim Tam biscuit, now available in America

    People are handing out badges at Tube stations to tackle loneliness

    Trump’s H-1B Visa Bill spooks India’s IT companies

    Magical fish basically has the power to conjure its own Patronus

    This Filipino guy channels his inner Miss Universe by strutting in six-inch heels and speedos

    Oil spill off India’s southern coast leaves fisherman stranded, marine life impacted

  • Lifestyle
    • All
    • Fashion
    • Food
    • Health
    • Travel
    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Offers More ‘Solorigate’ Advice Using Microsoft 365 Defender Tools

    A moment of reckoning: the need for a strong and global cybersecurity response

    Solar Winds, Office 365 & Shipbuilding…

    Aruba ClearPass Policy Manager Integrates with Microsoft

    Imprivata Expands Collaboration with Microsoft on New Digital Identity Innovations

    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Canada’s 10 biggest stories of 2020

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    AMD breaks revenue records for 2019 and 4Q

    AMD breaks revenue records for 2019 and 4Q

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft is killing off insecure Cloud App Security cipher suites

    Microsoft is killing off insecure Cloud App Security cipher suites

    Rap group call out publication for using their image in place of ‘gang’

    Meet the woman who’s making consumer boycotts great again

    Trending Tags

    • Golden Globes
    • Mr. Robot
    • MotoGP 2017
    • Climate Change
    • Flat Earth
No Result
View All Result
Azure Security News
No Result
View All Result
Home News

How to Manage IT Compliance Requirements in China

by AZURE SECURITY NEWS EDITOR
January 13, 2021
in News
0
SafeBreach Enters Into Strategic Partnership with Microsoft
491
SHARES
1.4k
VIEWS
Share on FacebookShare on Twitter

IT compliance in China is complex and requires a combination of legal and technical assessment due to a combination of factors. We discuss the major challenges, compliance requirements, and solutions for foreign businesses.

Companies with operations in China often find that they need to build and operate their own localized IT infrastructure or websites due to multiple reasons.

For example, slow international internet access has become one big obstacle for utilizing existing IT infrastructure outside of China to server the users or client in China. Building new IT infrastructure in China or speeding up the access to overseas systems is the popular solution on IT decision maker’s table.

Besides, with business process automation now an unstoppable trend in Asian countries, more and more companies operating in China are rapidly digitizing their financial, tax, and HR processes to transition to the far more productive and effective ways of administering their back office functions.

However, complex compliance requirements will prop up during the process, which needs a combination of legal and technical expertise to deal with.

IT compliance in China: What are the requirements?

China has in recent years continued to develop its cyber security regime by drafting, revising, and releasing relevant laws and regulations, resulting in a growing number of ever more complex and changing requirements in IT planning and compliance. Here we list some common compliance requirements that foreign companies must consider.

ICP filing

An Internet Content Provider (ICP) filing is a mandatory requirement for any website or system, which is to be publicly accessible through the internet in China, whether for internal or external use. It also covers the situation where CDN or other “proxy” servers are used to speed up the access to overseas sites. Without proper ICP filing, the internet service providers (ISPs) will block the access to the system or website.

An ICP license is usually referred to as a B25 information service type permit. However, there is also the possibility of another type of permit needed, such as for B21 online data processing and transaction processing services.

The key point to judge whether an ICP license is needed is to confirm whether the website is “commercial” or not.

A type of analysis that should be conducted involves assessing the company’s business nature, business model, what kind of content will be showed in website, and what is the pathway adopted to interact with the user through the website. For example, allowing third-party vendors to do e-business on the company’s website will require an ICP license, but selling  the company’s own product/service online and receiving money via Alipay or WeChat pay might not need the ICP license.

Considering that an ICP license is not applicable for wholly foreign owned enterprise, it is critical to do the analysis of ICP license’s applicability as early as possible when planning to enter into the China market. Foreign investors may need to find a Chinese partner if the ICP license does apply to their business model.

Data localization

As stipulated by the Cyber Security Law, the operator of a critical information infrastructure (CII) system shall store personal information and important data collected and generated during its operation within the territory of China. A prior approval is needed if the cross-border transfer of the above mentioned data is necessary. This can impose a major challenge to companies which utilize the existing IT system of their HQ.

MLPS 2.0

The Multi-Level Protection Scheme (MLPS) is a set of national standards first introduced by China in 2004, then adopted into the Cyber Security Law (CSL) in 2017 and few national standards in 2019, and updated within what is now the MLPS 2.0 framework.

MPLS 2.0 gives more pressure to companies to maintain compliance, with five levels of regulated security protections. Level 1 is the least sensitive, while Level 5 is the most sensitive. Companies, as the network operators, are expected to verify their own systems to understand which of those levels they fall into, and which corresponding security control measures they are expected to adhere to.

For level 2 or above for example, an on-site evaluation of in-place security control measures must be performed by a government-designated “security auditing” firm.

Privacy

China has also paid increasing attention to personal information protection in recent years. Several campaigns were launched in 2019 to address the illegal collection of personal information in China, which spawned a range of standards that stipulate detailed requirements for privacy compliance.

Unlike Europe’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA), however, China does not yet have a single universal law on privacy so companies must refer to multiple regulations and instructions from different authorities.

China’s Personal Information Protection Law has just been included in the National People’s Congress’s 2020 legislative plan. Until this evolves, it will remain a significant challenge for companies operating in China which, for now, must refer to multiple regulations and instructions from different authorities, making compliance rather complex.

In March 2020, China released a new national standard on personal information, the GB/T35273-2020 Information Security Technology – Personal Information Security Specification (the Standard), which took effect on October 1, 2020.

Besides claiming that it holds similar principles like Europe’s General Data Protection Regulation (GDPR), the Standard gives a wider definition of personal information. For example, a wider scope of information is treated as sensitive personal information, which requires stronger protection, such as the financial information, the bank account information, the transaction and consumption records, etc.

Moreover, the Standard gives very specific requirements, such as defining how many mouse-clicks is allowed when users locate related privacy-related settings on website, the format and layout of privacy notice’s interface, etc.

Companies are suggested to pay attention to the new requirements imposed by the Standard.

WeChat ban

In the context of the escalated US-China trade tensions, the US administration issued an executive order in August to prohibit Americans and US firms from “any translation that is related to WeChat”, which was supposed to take effect starting from September 20, 2020.

Although this was blocked by a judge with a preliminary injunction on September 19 temporarily, it is time to seriously think of a “Plan B” for the US companies in China that use WeChat official accounts to promote their services or products.

A WeChat official account is not allowed to change the “account owner” directly. But simply abandoning this promotion channel that has a large size of fans is not a good idea, either. Luckily, the WeChat official account can be transferred to a different company owner with all history data, and more importantly, fans.

So, transferring the “ownership” of the WeChat official account to a trustworthy partner would be one suitable temporary option for keeping the channel live and meeting government’s request.

Some tips to manage compliance challenges

To deal with the IT compliance challenges, it is important to combine the forces of IT technical and legal expertise together within compliance processes. Pure legal advice often lacks practical input from genuine IT experience, and can be very hard to apply in the real world.

On the other hand, pure IT advisory tends to focus on the IT aspects and may have a low awareness or sensitivity to legal compliance requirements. Working with both technical and legal professionals would be the most suitable option.

With this concept in mind, the following approaches can help to mitigate the potential risk of cyber security and non-compliance:

1. Zero-trust strategy

Under a traditional security strategy, a security perimeter can be defined with users inside the perimeter designated as being within a “trust” zone. Any users in locations outside the perimeter are designated as being within the “distrust” zone.

The people or devices in the trust zone have looser security controls while any access from the distrust zone is controlled more strictly. However, in practice what tends to happen is that attacks from inside the trust zone have become more and more prevalent, with larger associated risks.

An alternative to this methodology is the zero-trust strategy, which means never trust anyone or any device by default. This approach is getting more and more popular to meet complex security challenges.

Each access from any device and any person at any location needs to be evaluated with multiple factors before access control is granted or declined. This is usually achieved with an artificial intelligence-based security control system.

2. Centralized platform with DLP and information protection

To meet the challenge regarding cyber security and compliance, one important suggestion is to implement one centralized platform, which covers all business needs, in which all business related data could be stored and managed under the control of the company.

Additionally, all data saved on devices (data at rest) should be encrypted, for example, enabling BitLocker encryption on laptop, in case the devices are lost at some point.

All data in transmission should be exchanged with secure protocols, such as HTTPS/TLS connection. Role-based access control (RBAC) and other access control methods should be applied for any data in use.

In addition, the company should consider deploying data loss prevention (DLP) measures to prevent sensitive business data being transferred out of the organization accidentally or intentionally. For very important data, further information protection measures, such as Azure information protection, should be considered and applied on a document level to expand the security control outside of the organization, wherever the document is.

One example of such a platform is the Microsoft365 platform, which combines email, file, message, meeting, and productivity tools to meet all business requirements, while all data is saved within the same platform with centralized control.

3. IAM protection

Identification and Access Management (IAM) protection is suggested to be used to provide stronger protection to user accounts, considering the most common and effective ways of user account attacks are through spoofing, trojans, and malwares.

One simple way to achieve this is to implement Multiple Factor Authentication (MFA) for user accounts, which can prevent the illegitimate access to systems even if the users’ account and password are compromised. It will be even better if the IAM solution is AI-based, such as the Azure AD Security, which can provide additional control for conditional access.

Finally, companies are also suggested to provide regular training to their staff to increase the security awareness as users are the final important defense line for security threats. An internal spoofing penetration check can be very helpful to identify the most vulnerable users, to be followed up with relevant training to those users on security awareness topics.

Reference: https://www.china-briefing.com/news/it-compliance-in-china-how-to-manage-requirements/


Share196Tweet123Share49
AZURE SECURITY NEWS EDITOR

AZURE SECURITY NEWS EDITOR

Related Posts

Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

by AZURE SECURITY NEWS EDITOR
February 24, 2021
0

Native integration with ZEDEDA’s orchestration solution for the distributed edge enables end-to-end remote management of the entire Azure IoT Edge...

A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

by AZURE SECURITY NEWS EDITOR
February 24, 2021
0

ZEDEDA announced an integration with Microsoft Azure IoT services that provides customers with full lifecycle management capabilities (edge hardware, OS, Azure IoT Edge...

Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

by AZURE SECURITY NEWS EDITOR
February 23, 2021
0

In December, the disclosure of the supply chain attack against SolarWinds sent shockwaves throughout federal agencies responsible for the security...

A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

by AZURE SECURITY NEWS EDITOR
February 23, 2021
0

Microsoft has reconfirmed that the "Solorigate" advanced persistent threat attackers saw some of its source code, although "only a few individual files...

  • Trending
  • Comments
  • Latest
Microsoft’s CyberX Acquisition Boosts Security of Azure IoT Lineup

AZURE DEFAULT RESOURCE GROUP AND DEFAULT WORKSPACE: WHAT ARE THEY?

December 14, 2020
Microsoft Seriously Beefs Up Security in Windows Server 2019

TCS Launches Cloud Exponence on Microsoft Azure

January 21, 2021
Microsoft Launches Host of Security Products in Time for RSA

Microsoft to add two new Microsoft 365 security, compliance bundles to its line-up

November 26, 2020

Lady Gaga Pulled Off One of the Best Halftime Shows Ever

0

Barack Obama’s Now Mainly Focusing on Wearing This Casual Backwards Hat

0

Watch Justin Timberlake’s ‘Cry Me a River’ Come to Life in Mesmerizing Dance

0
Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

February 24, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

February 24, 2021
Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

February 23, 2021
Azure Security News

Copyright © 2020 - Azure Security

Navigate Site

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Follow Us

No Result
View All Result
  • Home
  • News
    • Politics
    • Business
    • World
    • Science
  • Entertainment
    • Gaming
    • Music
    • Movie
    • Sports
  • Tech
    • Apps
    • Gear
    • Mobile
    • Startup
  • Lifestyle
    • Food
    • Fashion
    • Health
    • Travel

Copyright © 2020 - Azure Security

Welcome Back!

Login to your account below

Forgotten Password?

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In