GB/T 40660-2021 English PDF (GBT40660-2021)
Regular price: $185.00 USD
Historical versions: GB/T 40660-2021
GB/T 40660-2021: Information security technology - General requirements for biometric information protection
GB/T 40660-2021
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology - General requirements of
biometric information protection
ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 01, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Basic principles for biometric information protection ... 6
5 Collection of biometric information ... 6
6 Storage of biometric information ... 7
7 Use of biometric information ... 9
8 Rights of biometric information subject ... 10
9 Entrusted processing, sharing, transfer and public disclosure of biometric information ... 11
10 Handling of biometric information security incidents ... 11
11 Requirements for biometric information security management ... 12
Bibliography ... 14
Information security technology - General requirements of
biometric information protection
1 Scope
This document stipulates the basic principles and security requirements that various types of biometric information controllers shall follow when conducting biometric information processing activities such as collection, storage, use, entrusted processing, sharing, transfer, public disclosure and deletion.
This document applies to the regulation of biometric information processing activities carried out by various types of biometric information controllers, as well as to the evaluation of biometric information processing activities carried out by third-party organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable to its application. For dated references, only the version corresponding to that date is applicable to this document; for undated references, the latest version (including all amendments) is applicable to this document.
GB/T 25069, Information security technology - Glossary
GB/T 35273-2020, Information security technology - Personal information security specification
3 Terms and definitions
Terms and definitions determined by GB/T 25069 and GB/T 35273-2020, as well as the following ones, are applicable to this document.
3.1 Biometric original information
Analog or digital representations of the physical, biological or behavioral characteristics of natural persons, obtained through acquisition, preprocessing, etc.
Note: e.g., samples, images.
3.2 Biometric comparison information
Information, obtained through technical processing of the biometric original information, that is used for comparison during the identification process.
3.3 Biometric information
Personal information, obtained through technical processing of a natural person's physical, biological or behavioral characteristics, that can be used to identify the natural person either alone or in combination with other information.
Note 1: Biometric information includes facial recognition features, irises, fingerprints, genes, voice prints, gait, palm prints, auricles, eye prints, etc.
Note 2: Biometric information includes biometric original information and biometric comparison information.
3.4 Biometric information subject
Natural person identified by or associated with biometric information.
3.5 Biometric information controller
Organization or individual that has the ability to determine the purpose and method of processing biometric information.
3.6 Revoke
Prevent specific biometric comparison information and the corresponding identity-related information from being verified.
Note: A biometric information subject may be rejected because it has been added to a revoke list.
3.7 Irreversibility
The property that the corresponding biometric original information cannot be deduced from the biometric comparison information.
3.8 Unlinkability
The property that two or more pieces of biometric comparison information cannot be linked to each other.
Note: With unlinkability, a user can use different programs, resources and services multiple times, and others cannot link these uses together through the biometric comparison information.
c) Collection of biometric information that does not belong to the biometric information subject, including biometric original information, shall be avoided.
d) Obtaining information from non-biometric information subjects by indirect means shall be avoided.
e) A biometric information subject who cannot complete the information collection shall be informed of the alternative processing procedures available.
f) When collecting biometric information in accordance with relevant national laws and regulations, etc., the biometric information subject shall be informed of the relevant requirements and of the type of biometric information collected.
g) The risk of presentation attacks and interference shall be fully considered. Considerations include but are not limited to different attack forms such as physical and virtual, different attack materials such as paper and plastic, and different attack environments such as presentation angles and lighting conditions.
6 Storage of biometric information
The requirements for the biometric information controller are as follows.
a) The biometric information and the identity-related information of the biometric information subject shall be stored by means of technical isolation.
Note 1: Isolation methods include logical isolation, physical isolation, etc.
b) When biometric information is stored, its irreversibility shall be ensured.
c) In principle, the biometric original information shall not be stored directly; the measures that can be taken include but are not limited to:
1) storing only the summary information of the biometric information;
2) realizing functions such as identification and authentication by using the biometric information directly in the collection terminal;
3) deleting the biometric original information after facial recognition features, fingerprints, palm prints, irises, etc. have been used to realize functions such as identity recognition and authentication.
Note 2: Summary information is usually irreversible.
Note 3: Except for situations related to the fulfillment, by the biometric information subject, of obligations stipulated by laws and regulations.
d) A diversification process shall be used to support the generation of updatable and revocable biometric comparison information:
1) the biometric comparison information generated during the diversification process shall be irreversible;
2) the biometric comparison information of the same biometric information subject generated through the diversification process shall be unlinkable.
Note 4: The diversification process refers to transforming one or more pieces of biometric original information of a biometric information subject into multiple independent pieces of biometric comparison information, used either to update the biometric comparison information or to provide independent biometric comparison information for different applications.
e) When storing biometric comparison information, the risk of a data breach shall be fully considered and secure processing shall be carried out. Mechanisms that can be used include but are not limited to:
1) carrying out security protection through logical and physical means, by storing biometric comparison inf...
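The diversification process of clause 6 d) and the revoke, irreversibility and unlinkability terms of 3.6 to 3.8, as an added Python illustration that is not part of the standard or of this listing: a per-application secret drives a random-projection-and-sign transform of a constructed feature vector, so one person's templates for two applications are independent bit strings, a revoked template is refused, and a fresh template can be issued under a new secret. The 16-number feature vectors, the secrets and the 64-bit template size are constructed assumptions, and the sign transform's irreversibility rests on the secret, so a production system needs a reviewed template-protection scheme.

```python
import hashlib
import random

# Constructed toy: a 16-number feature vector stands in for a real extractor's
# output (the "technical processing" of clause 3.2); not the standard's own code.
FEATURE_DIM = 16
TEMPLATE_BITS = 64
MATCH_THRESHOLD = 12  # largest Hamming distance (of 64 bits) accepted as a match

def diversify(features, app_secret):
    """Diversification (clause 6 d): project the features onto random directions
    derived from a per-application secret and keep only the sign. Different
    secrets give independent bit strings (unlinkable, renewable); the map is
    many-to-one, but irreversibility rests on the secret staying secret."""
    rng = random.Random(int.from_bytes(hashlib.sha256(app_secret).digest(), "big"))
    bits = []
    for _ in range(TEMPLATE_BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
        projection = sum(f * d for f, d in zip(features, direction))
        bits.append(1 if projection >= 0 else 0)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

class TemplateStore:
    """Comparison information only (template_id -> bits); the link to a natural
    person lives in a separately isolated store (clause 6 a), so a breach here
    exposes no identity-related information."""
    def __init__(self):
        self.templates = {}
        self.revoked = set()  # the revoke list of clause 3.6
    def enroll(self, template_id, features, app_secret):
        self.templates[template_id] = diversify(features, app_secret)
    def revoke(self, template_id):
        self.revoked.add(template_id)
        self.templates.pop(template_id, None)
    def verify(self, template_id, probe_features, app_secret):
        if template_id in self.revoked or template_id not in self.templates:
            return False
        probe = diversify(probe_features, app_secret)
        return hamming(probe, self.templates[template_id]) <= MATCH_THRESHOLD

def sample_features(person_seed, capture=0, noise=0.0):
    """Constructed stand-in for acquisition; capture/noise model a fresh sample."""
    base = random.Random(person_seed)
    features = [base.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]
    jitter = random.Random(person_seed * 1000 + capture)
    return [f + jitter.gauss(0.0, noise) for f in features]
```

Comparing a probe under the wrong secret, or two templates of the same person issued under different secrets, gives a Hamming distance near 32 of 64, which is what the unlinkability of 3.8 means in practice.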