GB/T 32921-2016: Information security technology -- Security criterion on supplier conduct of information technology products

GB/T 32921-2016
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Security criterion on
supplier conduct of information technology products
ISSUED ON: AUGUST 29, 2016
IMPLEMENTED ON: MARCH 01, 2017
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Supplier code of conduct and safety
Bibliography
Information security technology - Security criterion on
supplier conduct of information technology products
1 Scope
This Standard specifies the basic guidelines that information technology product suppliers shall abide by, so as to protect user-related information and maintain user information security in the process of providing information technology products.
This Standard applies to the management of supplier behavior in the supply, operation or maintenance of information technology products. It can also provide a basis for the research and development, operation and maintenance, and evaluation of information technology products.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010, Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T 25069-2010 as well as the following apply.
3.1 information technology product
hardware, software, systems and services with the functions of collecting, storing, processing, transmitting, controlling, exchanging, and displaying data or information
NOTE: Information technology products include computers and their auxiliary equipment, communication equipment, network equipment, automatic control equipment, operating systems, databases, application software and services and so on.
3.2 information technology product supplier
an organization that provides information technology products
NOTE: Information technology product suppliers include manufacturers, sellers, agents, integrators, and service providers.
3.3 user related information
information related to natural or legal persons and data defining and describing such information
NOTE: User related information includes user identity information, as well as user-generated documents, programs, multimedia materials, user communication content, address, time, product configuration, operation and location data, logs generated during system operation, and so on.
3.4 expressed consent
the user information subject clearly authorizes consent and retains evidence
3.5 remote control
control activities implemented on user products through remote connection
NOTE: Remote control activities include realizing product start and stop, changing product configuration, changing product operating status, popping up dialog boxes, automatic remote upgrades, pushing business data, and so on.
3.6 national critical information infrastructure
basic information networks and important information systems related to the national economy and people's livelihood; when these networks or systems are attacked and damaged, they will harm national network security, economic security, public interests, public safety, and so on
4 Supplier code of conduct and safety
4.1 General
In principle, information technology product suppliers shall not collect, store or process user-related information, nor remotely control the products that have been provided to users or the information systems in which those products are located. When genuinely necessary, the principles of express authorization, minimum sufficient usage, minimum authority, and safety and credibility shall be followed.
4.2 Safety guidelines for the collection and processing of user related information
with foreign laws.
4.3 Safety guidelines for remotely controlling user products
When the supplier remotely controls the user's product:
a) Before the user purchases and uses the product, the user shall be clearly informed of the purpose and usage of the remote-control behavior;
b) Before the user purchases and uses the product, a method to prohibit remote control shall be provided. The user shall be informed of the missing features of the product after the remote control is prohibited;
c) The user's product can be controlled remotely only after the user's expressed consent. Display prompt information when remotely controlling the user's product;
d) The remote control activities shall be used only for the purpose and use agreed by the user. Strictly limit the frequency of remote control activities and the range of product systems involved;
e) No hidden interface shall be set in the product. Components that can disable or bypass security mechanisms shall not be loaded;
f) There shall be no unspecified functional modules in the product;
g) Users shall be informed of any test or maintenance interface. Provide users with a way to close the test or maintenance interface;
h) Necessary technical and management measures shall be taken to ensure the safety of the remote control process. Provide security features that can only be accessed using a specific account within a limited time window;
i) Record all input and output data of remote control. Log the remote control activities implemented for future audits;
j) It shall provide detection and verification methods for remote control of user products and for data interaction between products and suppliers. If encryption technology is used, information such as the encryption algorithm shall be provided during inspection and verification by the third-party organization. The third-party organization shall also be notified of the ports and protocols used.
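The following Python code is an added example and is not part of GB/T 32921-2016 or any supplier's implementation. It sketches how clauses c), d), h) and i) of 4.3 can be expressed as a single authorization-and-audit gate in front of a supplier's remote-control channel: a session is allowed only when the requested purpose is covered by the user's expressed consent (with the consent evidence retained as a digest), only for one specific maintenance account inside a limited time window, only up to a fixed number of sessions per day, and every session, allowed or denied, is logged together with all of its input commands and output data. All class names, field names, the simulated device and the sample scenario are constructed for illustration.

```python
"""Added example, not text from GB/T 32921-2016: a minimal authorization and
audit gate for supplier remote-control sessions, modelled on clauses c), d),
h) and i) of 4.3. Every name, field and sample value below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json


@dataclass(frozen=True)
class Consent:
    """Expressed consent (3.4): what the user authorised, plus retained evidence."""
    user_id: str
    purposes: frozenset            # purposes agreed to, e.g. {"firmware-update"}
    evidence_digest: str           # SHA-256 of the stored consent record


@dataclass(frozen=True)
class MaintenanceWindow:
    """Clause h): one specific account, usable only inside a limited time window."""
    account: str
    not_before: datetime
    not_after: datetime

    def permits(self, account: str, now: datetime) -> bool:
        return account == self.account and self.not_before <= now <= self.not_after


# Constructed stand-in for the user's device; the standard describes no protocol.
SIMULATED_DEVICE = {"get-version": "fw 1.4.2", "apply-update": "update staged"}


@dataclass
class RemoteControlGate:
    consent: Consent
    window: MaintenanceWindow
    max_sessions_per_day: int = 2                        # clause d): limit frequency
    audit_log: list = field(default_factory=list)        # clause i): keep for audit
    _session_starts: list = field(default_factory=list)

    def _sessions_in_last_day(self, now: datetime) -> int:
        return sum(1 for t in self._session_starts if now - t < timedelta(days=1))

    def authorize(self, account: str, purpose: str, now: datetime) -> tuple:
        """Decide whether a session may start; every denial names its cause."""
        if purpose not in self.consent.purposes:
            return False, "purpose not covered by expressed consent"
        if not self.window.permits(account, now):
            return False, "account or time window not permitted"
        if self._sessions_in_last_day(now) >= self.max_sessions_per_day:
            return False, "daily frequency limit reached"
        return True, "ok"

    def run_session(self, account: str, purpose: str, now: datetime, commands: list) -> dict:
        """Run one remote-control session and record all of its input and output."""
        ok, reason = self.authorize(account, purpose, now)
        record = {
            "time": now.isoformat(), "account": account, "purpose": purpose,
            "user": self.consent.user_id, "consent_evidence": self.consent.evidence_digest,
            "user_prompt_shown": ok,        # clause c): prompt the user during control
            "decision": reason, "inputs": list(commands), "outputs": [],
        }
        if ok:
            self._session_starts.append(now)
            for cmd in commands:
                record["outputs"].append(SIMULATED_DEVICE.get(cmd, "error: unknown command"))
        self.audit_log.append(record)      # denied attempts are logged as well
        return record

    def audit_log_json(self) -> str:
        return json.dumps(self.audit_log, indent=1)


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock: a time on 2024-01-10 (UTC) used by the sample scenario."""
    return datetime(2024, 1, 10, hour, minute, tzinfo=timezone.utc)


def demo_gate() -> RemoteControlGate:
    """Constructed scenario: a 09:00-12:00 UTC window for one service account."""
    consent_record = b"user U-1001 consents to firmware-update, recorded 2024-01-05"
    consent = Consent("U-1001", frozenset({"firmware-update"}),
                      hashlib.sha256(consent_record).hexdigest())
    window = MaintenanceWindow("svc-maint-7", at(9), at(12))
    return RemoteControlGate(consent, window)


if __name__ == "__main__":
    gate = demo_gate()
    gate.run_session("svc-maint-7", "firmware-update", at(9, 30), ["get-version", "apply-update"])
    gate.run_session("svc-maint-7", "telemetry", at(9, 30), ["get-version"])   # purpose not consented
    gate.run_session("svc-maint-7", "firmware-update", at(13), [])              # outside the window
    print(gate.audit_log_json())
```

The gate deliberately logs denied attempts with the same record shape as allowed sessions, so an auditor reading the log under clause i) can see attempted use outside the agreed purpose or window, not only successful sessions. In a real deployment the consent digest would point at a signed consent artefact kept under the user's control, and the audit log would be written to append-only storage rather than a list in memory.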
4.4 Other behavioral safety guidelines
The supplier: