How to solve the security problem of enterprise telecommuting network?

Common problems and suggestions of enterprise telecommuting network security

Release date: March 6, 2020, 11:46:28.

Authors: Ning, Wu Han, etc.

Source: King's Wood Institute.

At present, prevention and control of the novel coronavirus is in a critical period, and the whole country is united in fighting the epidemic. To strengthen prevention and control, since the beginning of February the governments of major cities such as Beijing, Shanghai, Guangzhou and Hangzhou have made public statements or issued notices, and enterprises have carried out remote collaborative office and home office through information technology [1]. On February 9, 2009, the Ministry of Industry and Information Technology issued the Notice on Using Next Generation Information Technology to Support Epidemic Prevention and Control and Resumption of Production. In view of the serious impact of the epidemic on the resumption of production by small and medium-sized enterprises, the Notice supports the use of cloud computing to vigorously promote enterprises' move to the cloud, focusing on online working methods such as telecommuting, home office, video conferencing, online training, collaborative research and development and e-commerce [2].

Enterprises all over the country actively responded to the call of the state and local governments. According to the online survey launched by Southern Metropolis Daily in mid-February, 47.55% of the respondents are working at home or attending classes online [3]. Facing the huge demand for telecommuting in a special period, the remote collaboration platforms have also actively taken on social responsibilities. As early as the end of January, 21 products from 17 enterprises announced that their remote writing platform software would be open to all social users or specific institutions for free [4].

Telecommuting through information technology faces a more complex network security environment at the network layer, the system layer and the business data layer alike. In order to achieve a safe and effective return to work and reduce the impact of the epidemic on business development, enterprises should establish or appropriately adjust the corresponding network and information security strategies in light of their actual situation.

I. Types of telecommuting systems

With the in-depth development of Internet, cloud computing, Internet of Things and other technologies, all kinds of enterprises, especially Internet companies, law firms and other professional service companies, have been promoting the realization of remote collaborative office within enterprises, especially the application of basic functions such as teleconference and document management. From the perspective of functional types, telecommuting systems can be divided into the following categories: [5]

Comprehensive collaboration tools provide a comprehensive office solution, including instant messaging and multi-party communication meetings, document collaboration, task management, design management, etc. Representative software includes enterprise WeChat, Nail, Flybook, etc.

Instant messaging (IM) and multi-party communication conference tools allow two or more people to transmit text and files in real time through the network and to conduct voice and video communication. Representative software includes Webex, Zoom, Slack, Skype, etc.

Document collaboration provides cloud storage and online sharing, modification or review of documents by multiple people. Representative software includes Tencent document, Jinshan document, Evernote and so on.

Task management can realize the functions of enterprise office automation (office automation or OA) such as task flow, attendance management, personnel management, project management, contract management, etc., and the representative software includes Trello, Tower, Pan Micro, etc.

Design management can systematically carry out design R&D management activities according to users' requirements, such as the management of materials, tools and galleries. Representative software includes maker stickers, canvases and so on.

II. The main body responsible for network security under different telecommuting modes

The Network Security Law mainly regulates network operators, namely network owners, managers and network service providers. Network operators shall bear the responsibilities of network operation security and network information security stipulated in the Network Security Law and its supporting regulations.

As far as telecommuting system is concerned, the main body responsible for network security (that is, network operators) is very different under different system operation modes. According to the operation mode of telecommuting system, enterprise telecommuting system can be roughly divided into three categories: self-owned system, cloud office system and integrated system. Enterprises should clearly distinguish the responsibility boundary between themselves and platform operators, so as to clearly judge the network security measures they should take.

(1) Self-owned system

In this mode, the enterprise's telecommuting system is deployed on its own servers, and the system is developed in-house, outsourced, or built on a third-party enterprise-level software architecture. The development cost of this kind of system is relatively high, but the security risk is low because no data flows to third-party servers. Enterprises that commonly use it include state-owned enterprises, banks and other enterprises and institutions in important industries, as well as large enterprises with strong economic ability and high requirements for security and privacy.

Whether it is an enterprise self-developed system or not, because the system architecture is owned by the enterprise and managed independently, the enterprise constitutes the network operator of the relevant office system and undertakes the corresponding network security responsibility.

(2) Cloud office system

This kind of office system is usually a SaaS system or APP: the platform operator directly provides a register-and-use remote collaboration software platform or APP service to the enterprise, on servers the operator controls, for use by enterprise users and individual (employee) users. The construction cost of this kind of system is relatively economical, but it can only meet the specific needs of enterprises. Enterprises usually have no right to develop or modify the system, and enterprise data is stored on third-party servers. Enterprises that commonly use this model are relatively flexible small and medium-sized enterprises.

Because the network, database and application server of cloud office system (SaaS or APP) are operated and managed by platform operators, the operators of cloud office system constitute network operators, which are usually responsible for the network operation security and information security of SaaS and APP.

In practice, the platform operators will transfer some network security supervision obligations to enterprise users through legal texts such as user agreements. For example, enterprise users are required to strictly abide by the account usage rules, and they are required to be responsible for the information uploaded to the platform by themselves and their employees.

(3) Integrated system

This system is deployed on enterprise-owned servers and third-party servers, integrating enterprise-owned systems and cloud office. The operation of the system is not completely controlled by enterprises, and it is mostly used in multinational enterprises with many local server requirements.

Cloud office system providers and enterprises themselves may constitute network operators, so they should take the network system operated and managed by them as the boundary and bear corresponding network security responsibilities for their respective networks.

For enterprises, in order to clarify the responsibility boundary between themselves and platform operators, enterprises must first confirm which "networks" are owned or managed by enterprises alone. In the telecommuting scenario, enterprises should consider comprehensively identifying various factors, including but not limited to the following:

Whether the servers, terminals and network equipment of the office system are all owned or managed by the enterprise and its employees;

Whether the enterprise holds the highest administrator authority over the office system it uses;

Whether the data generated during the operation of the office system is stored in the server owned or managed by the enterprise;

Whether there is a clear agreement between the enterprise and the platform operator on the authority and management of the office system or related data.

Of course, considering the complexity and diversity of system construction, platform operators and enterprises may inevitably manage the same network system in an integrated remote collaborative office system, and both parties, as network operators, bear the security responsibility for this network. However, enterprises should still fix their respective management responsibilities and the ownership of the network system as far as possible through contracts. Therefore, where the remote collaborative office service platform is jointly managed and operated, the enterprise and the platform operator should specify in the user agreement the system modules each party manages and operates, their respective network security responsibilities for those modules, and the ownership of the platform.

III. Network security issues involved in telecommuting and countermeasures

Let's review some recent network security hot events related to telecommuting, make a brief risk assessment of the network security issues involved, and make preliminary suggestions for enterprises.

1. The surge in user traffic led to the "short-term collapse" of the telecommuting platform. Do platform operators need to bear the responsibility of network operation security?

Event review:

On February 3, 2020, the first working day after the Spring Festival holiday, most enterprises required employees to work from home. Although the platform operators of telecommuting systems had prepared response plans in advance, the huge demand for concurrent response still exceeded their expectations, and various online office software suffered short-term failures such as "information transmission delay", "video jam" and "system crash" [6]. After the faults occurred, the platform operators quickly adopted measures such as traffic rate limiting and server capacity expansion, which improved the carrying capacity and stability of the platforms, and at the same time, the fault also produced a certain degree of diversion. In the end, although all the telecommuting platforms resumed normal operation in a relatively short period of time, they drew complaints from many users.

Risk assessment:

According to Article 22 of the Network Security Law, network products and services should meet the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when they find that their network products and services have risks such as security defects and loopholes, they shall immediately take remedial measures, inform users in a timely manner according to regulations, and report to the relevant competent departments. Providers of network products and services should provide continuous security maintenance for their products and services; the provision of security maintenance shall not be terminated within the time limit stipulated or agreed by both parties.

Operators of telecommuting platforms, as operators of platforms and related networks, should be responsible for the safety of network operation. For short-term system failure, whether the platform operator should bear the corresponding legal responsibility or breach of contract responsibility needs to be comprehensively judged by combining the causes of the failure, the harmful results of the failure, the responsibility agreement in the user agreement and other factors.

For the above incidents, based on the information we learned from public sources, although many cloud office platforms failed to respond, which inconvenienced users working remotely, the platforms themselves did not expose obvious risks such as security flaws and loopholes, nor did substantial harmful results such as network data leakage occur. Therefore, it is very likely that the platforms will not bear legal responsibility for network security.

Suggested responses:

In the special period of the epidemic, the mainstream telecommuting platform products are free and open, so each platform will have a large number of new customers. For the platform operators, a good emergency plan and a better user experience will definitely help the platform to retain these new user groups after the outbreak.

In order to further reduce the risks of platform operators and improve the user experience, we suggest that platform operators can:

Consider the surge of user traffic as an emergency of the platform, and formulate corresponding emergency plans, for example, specify the trigger conditions of the surge of traffic, the conditions for server expansion, and deploy temporary standby servers in the emergency plan;

Monitor user traffic in real time and allocate platform resources in time;

Establish a user notification mechanism and voice template to inform users of the reasons for the delay in system response and the estimated recovery time in time;

In the user agreement or other legal texts signed with customers, try to make clear the responsibility arrangement for the delay or collapse of such systems.

2. In the telecommuting environment, phishing attacks with epidemic as the theme frequently occur. How can enterprises reduce the risk of external network attacks?

Event review:

During the epidemic, a network security company found that some overseas hacker organizations used coronavirus-themed emails to deliver malware and carry out phishing and fraud. For example, hacker organizations disguise their identities (such as the National Health and Family Planning Commission) and use information related to "epidemic prevention and control" as bait to launch phishing attacks. These phishing emails pose as credible sources, and their contents are closely related to the hot events the public is following, which makes them extremely deceptive. Once the user clicks, the host may be taken over, and important information and systems may be stolen or destroyed [7].

Risk assessment:

According to the provisions of Article 21 and Article 25 of the Network Security Law, network operators should fulfill the following security protection obligations according to the requirements of the network security level protection system, protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked or stolen or tampered with: (1) formulate internal security management system and operating procedures, determine the person in charge of network security, and implement the responsibility of network security protection; (2) take technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security; (3) take technical measures to monitor and record the network operation status and network security incidents, and keep the relevant network logs for not less than six months in accordance with the regulations; (4) take measures such as data classification, important data backup and encryption; (5) other obligations stipulated by laws and administrative regulations. At the same time, network operators should also formulate emergency plans for network security incidents to deal with security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions in a timely manner; in the event of an incident that endangers network security, they should immediately start the emergency plan, take corresponding remedial measures, and report to the relevant competent authorities as required.

Telecommuting means that the internal network must respond to access requests from employees' mobile terminals on external networks. Employees work in different network security environments, and both the networks they connect from and the mobile terminals themselves are more likely to become targets of network attacks. On the one hand, employees may use untrusted networks such as public WiFi and network hotspots as access points. These networks may have no security protection and many common, easily attacked vulnerabilities, so they can readily become transit points for cyber criminal organizations to invade corporate intranets. On the other hand, some employees' mobile terminal devices may have apps or network plug-ins containing malicious programs installed, and employees may also inadvertently click on disguised phishing or blackmail emails, which seriously threatens the security of the enterprise's internal network.

In network security incidents such as computer virus or external network attack, although the attacked enterprise is also a victim, if the enterprise fails to take necessary technical preventive measures and emergency plans in advance in accordance with the requirements of the Network Security Law and related laws, resulting in network data leakage or theft, tampering, and losses to enterprise users, it is likely that it still needs to bear corresponding legal responsibilities.

Suggested responses:

For enterprises, in order to comply with the network security obligations stipulated in the Network Security Law and related laws, we suggest that enterprises can review and improve the security of office networks from the aspects of network security incident management mechanism, mobile terminal equipment security, data transmission security, etc.

(1) An enterprise shall formulate an appropriate network security incident management mechanism according to the actual situation of its operating network or platform and the overall network security awareness of its employees, including but not limited to:

Formulate emergency plans for network security incidents, including data leakage;

Establish organizational structure and technical measures to deal with network security incidents;

Monitor the latest phishing websites and email blackmail events in real time;

Establish an effective notification mechanism with all employees, including but not limited to email, corporate WeChat and other notification methods;

Make an information security training plan suitable for employees;

Set appropriate reward and punishment measures and require employees to strictly abide by the company's information security strategy.

(2) Enterprises should take the following measures according to the existing information assets to further ensure the security of mobile terminal equipment:

According to the authority level of employees, different security management schemes are formulated for mobile terminal equipment, for example, senior managers or personnel with higher database authority can only use office-specific mobile terminal equipment configured by the company;

Formulate the office management system of mobile terminal equipment, and put forward clear management requirements for employees to use their own equipment for office work;

Establish a system for regularly updating and scanning office-specific mobile terminal equipment;

Apply identity and access authentication and security protection on the terminal equipment;

Focus on monitoring the remote access portal, adopt a more proactive security analysis strategy, take preventive measures in time when discovering suspected network security attacks or viruses, and contact the information security team of the enterprise in time;

Conduct special training for employees on information security risks of mobile office.

(3) In order to ensure the security of data transmission, the security measures that enterprises can take include but are not limited to:

Use encrypted transmission methods such as HTTPS to ensure the security of data transmission. Whether it is the data interaction between mobile terminals and intranet or between mobile terminals, it is advisable to use encryption methods such as HTTPS for data communication links to prevent data from being leaked during transmission.

Deploy a virtual private network (VPN) through which employees can connect to the intranet. It is worth noting that in China, VPN services (especially cross-border VPN) are subject to telecommunications regulation, and only enterprises with VPN service qualifications can provide VPN services. When foreign trade enterprises and multinational enterprises need cross-border networking through dedicated lines for office reasons, they should rent them from basic operators with the corresponding telecom business licenses.

3. Internal employees enter the company intranet through VPN and destroy the database. How should enterprises guard against "internal ghosts" and ensure data security?

Event review:

On the evening of February 23rd, the SaaS business service of Wei Meng Group, a leading WeChat service provider, suddenly collapsed, and the production environment and data were severely damaged, resulting in business failures and heavy losses for millions of merchants. According to a statement issued by Wei Meng at noon on the 25th, the accident was caused by human factors. He Mou, a core operation and maintenance staff member of the operation and maintenance department of Wei Meng R&D Center, logged on to the springboard (jump server) of the company's intranet at 18:56 on the evening of February 23rd and maliciously damaged Wei Meng's online production environment for personal mental-health, life and other reasons. At present, he has been criminally detained by the Public Security Bureau of Baoshan District, Shanghai, and has admitted the facts of the crime [8]. Due to the serious database damage, Wei Meng has been unable to provide e-commerce support services to cooperative merchants for a long time, and the accident will inevitably bring direct economic losses to them. As a Hong Kong listed company, Wei Meng's share price also fell sharply after the accident.

As can be seen from Wei Meng's announcement, one of the contributing conditions of the employee's deletion of the database at Wei Meng is that "the employee, as the core operation and maintenance personnel of the operation and maintenance department, has the right to delete the database by logging into the company's intranet through personal VPN". This incident is worth reflecting on for both SaaS service providers and ordinary enterprise users.

Risk assessment:

According to the provisions of Article 21 and Article 25 of the Network Security Law, network operators should fulfill the following security protection obligations according to the requirements of the network security level protection system, protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked or stolen or tampered with: (1) formulate internal security management system and operating procedures, determine the person in charge of network security, and implement the responsibility of network security protection; (2) take technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security; (3) take technical measures to monitor and record the network operation status and network security incidents, and keep the relevant network logs for not less than six months in accordance with the regulations; (4) take measures such as data classification, important data backup and encryption; (5) other obligations stipulated by laws and administrative regulations. At the same time, network operators should also formulate emergency plans for network security incidents to deal with security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions in a timely manner; in the event of an incident that endangers network security, they should immediately start the emergency plan, take corresponding remedial measures, and report to the relevant competent authorities as required.

Information leakage by internal employees has always been one of the main causes of data leakage accidents in enterprises, and it is also a typical behavior pattern of "crime of infringing citizens' personal information". In telecommuting environment, enterprises need to provide access to intranet and related databases for most employees, which further increases the risk of data leakage or even destruction.

Unlike the "short-term collapse" of systems caused by the surge of user traffic, the "Wei Meng database deletion" incident may be directly related to the internal information security management of the enterprise. If cooperative merchants on the platform suffer direct economic losses, it cannot be ruled out that the platform operator may have to bear legal responsibilities related to network security.

Suggested responses:

In order to effectively prevent employees from maliciously destroying and leaking company data and ensure the data security of enterprises, we suggest that enterprises can take the following preventive measures:

Formulate a management system for telecommuting or mobile office, distinguish between office-specific mobile devices and employee-owned mobile devices, and carry out classified management, including but not limited to strictly managing the reading and writing rights of office-specific mobile devices, the system rights of employee-owned mobile devices, especially the management rights of enterprise databases;

Establish a data classification management system, such as establishing appropriate access and rewriting rights according to the sensitivity of data, and prohibiting employees from operating or processing the data in the core database through remote login;

Evaluate, review and restrict employees' data access and processing rights according to the principle of work needs and necessity, for example, prohibit employees from downloading data to any user-owned mobile terminal equipment;

Establish an emergency management plan for data leakage, including a monitoring and reporting mechanism for security incidents and a response plan for security incidents;

Formulate the operation specification of telecommuting, the management specification of using documents and materials, and the approval process of application software installation;

Set up a team with the ability of remote security service, which is responsible for real-time monitoring the operation behavior of employees on core databases or sensitive data and the security of databases;

Strengthen the safety awareness education of employees in telecommuting.
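
The classification, remote-login and need-to-know measures listed above can be expressed as a single access decision that the monitoring team also replays over database audit records. This is an added example, not part of the original article; the sensitivity levels, database and role names, record fields and sample log are constructed assumptions.

```python
"""Access decision for telecommuting, usable inline and over audit logs."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CORE = 2  # core database: must not be operated over remote login


# Operation classes, ordered by how much damage they can do.
OP_CLASS = {
    "SELECT": 1, "EXPORT": 1,
    "INSERT": 2, "UPDATE": 2,
    "DELETE": 3, "DROP": 3, "TRUNCATE": 3,
}

# Constructed inventory: database -> sensitivity (hypothetical names).
CLASSIFICATION = {
    "handbook": Sensitivity.PUBLIC,
    "oa_tasks": Sensitivity.INTERNAL,
    "prod_orders": Sensitivity.CORE,
}

# Need-to-know grants: (role, database) -> highest permitted operation class.
GRANTS = {
    ("staff", "handbook"): 1,
    ("staff", "oa_tasks"): 2,
    ("ops", "oa_tasks"): 3,
    ("ops", "prod_orders"): 3,
}


@dataclass(frozen=True)
class Request:
    time: str
    user: str
    role: str
    device: str    # "company" (office-specific) or "personal" (employee-owned)
    channel: str   # "office_lan" or "vpn" (remote login)
    database: str
    operation: str


def decide(req):
    """Return (allowed, reason). Unknown operations and databases fail closed."""
    op = req.operation.upper()
    op_class = OP_CLASS.get(op)
    if op_class is None:
        return False, "unknown operation"
    # An unclassified database is treated as core until someone classifies it.
    level = CLASSIFICATION.get(req.database, Sensitivity.CORE)
    if level == Sensitivity.CORE and req.channel != "office_lan":
        return False, "core database is not operable over remote login"
    if req.device != "company" and level > Sensitivity.PUBLIC:
        if op == "EXPORT":
            return False, "no data download to employee-owned devices"
        if op_class > 1:
            return False, "employee-owned devices are read-only"
    if GRANTS.get((req.role, req.database), 0) < op_class:
        return False, "operation exceeds the role's need-to-know grant"
    return True, "allowed"


def review_audit_log(records):
    """Monitoring pass: return (request, reason) for each record the policy rejects."""
    alerts = []
    for rec in records:
        allowed, reason = decide(rec)
        if not allowed:
            alerts.append((rec, reason))
    return alerts


# Constructed audit records. The third follows the pattern in the event review:
# operations staff, VPN login, destructive statement against production data.
SAMPLE_LOG = [
    Request("09:12", "u1", "staff", "company", "vpn", "oa_tasks", "UPDATE"),
    Request("10:40", "u2", "staff", "personal", "vpn", "oa_tasks", "EXPORT"),
    Request("18:56", "u3", "ops", "company", "vpn", "prod_orders", "DROP"),
    Request("19:05", "u3", "ops", "company", "office_lan", "prod_orders", "SELECT"),
    Request("19:30", "u1", "staff", "company", "office_lan", "oa_tasks", "TRUNCATE"),
    Request("20:02", "u4", "staff", "company", "vpn", "hr_archive", "SELECT"),
]

if __name__ == "__main__":
    for rec, reason in review_audit_log(SAMPLE_LOG):
        print(f"{rec.time} {rec.user} {rec.operation} {rec.database}: {reason}")
```

The same `decide` function can sit in front of the database proxy as an enforcement point, so that the rule the monitoring team alerts on is the rule that blocks the request.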

4. During the epidemic, for the public interest, do enterprises need employee authorization to collect information about the epidemic online through the system? What should be done with the collected employee health information after the outbreak?

Scenario example:

During telecommuting, in order to strengthen the employment management, ensure the health and safety of the workplace and formulate relevant epidemic prevention and control measures, the enterprise will continue to collect all kinds of epidemic information from employees, including the health status of individuals and family members, recent location, current address, flights or train shifts, etc. Collection methods include email, OA system reporting, questionnaire survey, etc. The enterprise will make statistics and monitor the collected information, and report the overall situation of employees to the regulatory authorities when necessary. If a suspected case is found, the enterprise will also report it to the relevant disease prevention and control institutions or medical institutions in time.

Risk assessment:

On June 20, 2020, the National Health Commission listed novel coronavirus as a Class B infectious disease under the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases, with the prevention and control measures for Class A infectious diseases applied to it. Article 31 of the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases stipulates that when any unit or individual discovers an infectious disease patient or a suspected infectious disease patient, it shall promptly report to the nearby disease prevention and control institution or medical institution.

On February 9, the Central Network Information Office issued the Notice on Doing a Good Job in Personal Information Protection and Using Big Data to Support Joint Prevention and Control (hereinafter referred to as the Notice). All localities and departments should attach great importance to the protection of personal information, except that the health department of the State Council is based on the Cyber Security Law of the People's Republic of China, the Law of People's Republic of China (PRC) on the Prevention and Control of Infectious Diseases and the Emergency Regulations for Public Health Emergencies. Where laws and administrative regulations provide otherwise, such provisions shall prevail.

Normative documents on epidemic prevention have been issued in various places. Taking Beijing as an example, according to the Decision of the Standing Committee of Beijing Municipal People's Congress on Preventing and Controlling novel coronavirus by Law and Resolutely Winning the Battle of Epidemic Prevention and Control, organs, enterprises, institutions, social organizations and other organizations within the administrative area of this Municipality should do a good job in epidemic prevention and control in their own units according to law, and establish and improve the responsibility system and management system for prevention and control. Equipped with necessary protective articles and facilities, strengthen the health monitoring of the personnel of the unit, and urge those who return to Beijing from areas with severe epidemic situation to carry out medical observation or home observation in accordance with the relevant provisions of the government, report any abnormal situation in time as required and take corresponding prevention and control measures. In accordance with the requirements of the local people's government, actively organize personnel to participate in epidemic prevention and control.

According to the provisions of the Notice and the above-mentioned laws, regulations and normative documents, we understand that during the epidemic period, under the provisions of the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases and the Emergency Regulations for Public Health Emergencies, enterprises should be able to collect health information related to the epidemic within the authorized scope with the authorization of the health department of the State Council, without obtaining the authorization of employees. If the above exception does not apply, the enterprise should still obtain the authorization and consent of the user before collection in accordance with the provisions of the Network Security Law.

The Notice clearly stipulates that personal information collected for epidemic prevention and disease prevention shall not be used for other purposes. No unit or individual may disclose personal information such as name, age, ID number, telephone number and home address without the consent of the person whose information is collected, except where this is needed for joint prevention and control and the information has been desensitized. Institutions that collect or hold personal information shall be responsible for the security protection of personal information and take strict management and technical protection measures to prevent it from being stolen or leaked. For details, please refer to our recent article "Interpretation of Notice on Doing a Good Job in Personal Information Protection and Using Big Data to Support Joint Epidemic Control".

Response suggestions:

During the telecommuting period, if the enterprise wants to collect employees' epidemic-related personal information through the remote office system, we suggest that the enterprise:

Formulate the text of privacy statement or user authorization notice, and obtain the employee's authorization consent before the employee submits relevant information for the first time;

According to the principle of minimum necessity, formulate information collection strategies, including the type, frequency and granularity of information collected;

Follow the principle of purpose limitation, manage the personal information related to epidemic prevention and control separately, and avoid merging with the employee information previously collected by the enterprise;

When showing the overall health status of the enterprise or disclosing suspected cases, desensitize the relevant information of employees;

Establish an information deletion management mechanism to delete relevant employee information in time after reaching the prevention and control objectives;

Establish a targeted information management and protection mechanism, protect the collected personal information related to employees' epidemic situation as personal sensitive information, strictly control employees' access rights, and prevent data leakage.

5. During telecommuting, enterprises want to monitor employees appropriately in order to supervise and manage them effectively. How can they do so legally and compliantly?

Example of scenario:

In the process of telecommuting, in order to effectively supervise and manage employees, enterprises have formulated measures such as regular reporting, sign-in and clock-in, video monitoring and so on according to their own conditions, requiring employees to actively cooperate to achieve the purpose of telecommuting monitoring. When employees complete the report and sign in and clock in through the system, they are likely to repeatedly submit their basic personal information such as name, phone number, email address and city so that their identity can be verified.

At the same time, when employees use the remote OA system or App, the office system will automatically record their login logs, such as IP address, login geographical location, basic user information, daily communication information and other data. In addition, if employees use office terminal equipment or remote terminal virtual machine software distributed by enterprises to carry out their work, monitoring plug-ins or software may be pre-installed in the terminal equipment and virtual machine software, and under certain conditions, employees' operation behaviors and online records on the terminal equipment will be recorded.

Risk assessment:

In the above scenario example, the enterprise will collect personal information of employees through 1) voluntary provision by employees, and 2) automatic or triggered collection by office software, which constitutes personal information collection under the Cyber Security Law. An enterprise shall, in accordance with the requirements of the Cyber Security Law and relevant laws and regulations, follow the principles of legality, legitimacy and necessity, publicly disclose the collection and use rules, clearly state the purpose, manner and scope of information collection and use, and obtain the consent of employees.

For the use of video monitoring and system monitoring software or plug-ins, if the operation is improper and the employee's authorization is not obtained in advance, it is likely to infringe the privacy of employees, and enterprises should pay special attention to it.

Response suggestions:

During telecommuting, especially when employees are still adapting to these working modes, it is justified for enterprises to take appropriate supervision and management measures according to their own conditions. We suggest that enterprises take the following measures to ensure the legal compliance of management and monitoring behavior:

Evaluate whether the company's original employee contract or employee personal information collection authorization can meet the monitoring requirements of telecommuting. If the authorization is flawed, the way to obtain supplementary authorization should be designed according to the actual situation of the enterprise, including a pop-up window showing the authorization notice text, an email notice, etc.;

According to the collection scenario, evaluate the necessity of collecting employee personal information item by item. For example, whether there is repeated information collection, whether it is necessary to monitor the working state through video, and whether the monitoring frequency is appropriate;

For system monitoring software and plug-ins, design a separate information collection strategy to balance employee privacy protection and company data security;

Abide by the principle of purpose limitation, and the collected employee data shall not be used for purposes other than work monitoring without the authorization of employees.

Fourth, summary.

In this epidemic, digital technologies represented by big data, artificial intelligence, cloud computing and mobile Internet have played an important role in epidemic prevention and control, and further promoted the development of business models such as telecommuting and online operation. This is not only the result of the digital and intelligent transformation forced by the epidemic, but also represents the new productivity and new development direction in the future [9]. After the "sudden national telecommuting craze", telecommuting and online operation will become more and more popular, and offline office and online office will also form a better unity, truly achieving the purpose of improving work efficiency.

Accelerating the digital and intelligent upgrade is also an urgent need to promote the modernization of the national governance system and governance capacity. The Fourth Plenary Session of the 19th CPC Central Committee made major arrangements to promote the modernization of the national governance system and governance capacity, emphasizing the need to promote the construction of digital government, strengthen data sharing, and establish and improve administrative systems and rules by using the Internet, big data, artificial intelligence and other technical means [10].

In order to steadily accelerate the development of digital intelligence and conform to the concept of modern government governance, enterprises must comprehensively sort out and improve the existing network security and data compliance strategies to prepare for the new era of intelligent management.