www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GB/T 37973-2019 English PDF (GB/T37973-2019)
GB/T 37973-2019: Information security technology - Big data security management guide
GB/T 37973-2019
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology -
Big data security management guide
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of big data security management
4.1 Goals of big data security management
4.2 Main content of big data security management
4.3 Roles and responsibilities of big data security management
5 Basic principles of big data security management
5.1 Clear responsibilities
5.2 Security compliance
5.3 Quality assurance
5.4 Data minimization
5.5 Responsibilities not transferring with data
5.6 Minimum authorization
5.7 Ensure security
5.8 Auditability
6 Big data security requirements
6.1 Confidentiality
6.2 Integrity
6.3 Availability
6.4 Other requirements
7 Data classifying and grading
7.1 Principles of data classifying and grading
7.2 Process of data classifying and grading
7.3 Data classifying methods
7.4 Data grading methods
8 Big data activities and security requirements
8.1 Main activities of big data
8.2 Data collection
8.3 Data storage
8.4 Data processing
8.5 Data distribution
8.6 Data deletion
9 Assessment of big data security risks
9.1 Overview
9.2 Asset identification
9.3 Threat identification
9.4 Vulnerability identification
9.5 Confirmation of existing security measures
9.6 Risk analysis
Appendix A (Informative) Example of data classifying and grading in the telecom industry
Appendix B (Informative) Examples of life science big data risk analysis
Appendix C (Informative) Big data security risks
Bibliography
Information security technology -
Big data security management guide
1 Scope
This Standard puts forward the basic principles of big data security
management; specifies big data security requirements, data classifying and
grading, security requirements for big data activities, and assessment of big
data security risks.
This Standard applies to the data security management of various organizations,
and can also be used as a reference by third-party assessment agencies.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition with the date indicated applies to this
document. For undated references, the latest edition (including all amendments)
applies to this document.
GB/T 7027-2002 The basic principles and methods for information
classifying and coding
GB/T 20984-2007 Information security technology - Risk assessment
specification for information security
GB/T 25069-2010 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 35274-2017 Information security technology - Security capability
requirements for big data services
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010, GB/T 20984-2007 and
GB/T 35274-2017 and the following ones apply to this document.
3.1
a) Meet the requirements of personal information protection and data
protection laws, regulations, standards, etc.;
b) Meet the data protection requirements of big data related parties;
c) Through technology and management methods, ensure that the data
security risks under its own control and management are controllable.
4.2 Main content of big data security management
Big data security management mainly includes the following:
a) Clarify data security requirements. The organization shall analyze the new
problems faced by the confidentiality, integrity and availability of data in
the big data environment; analyze the influence that big data activities may
have on national security, social impact, public interest, personal life and
property safety, etc.; clarify the requirements for data security to address
these problems and impacts.
b) Data classifying and grading. The organization shall first classify and
grade the data. According to different data gradings, select appropriate
security measures.
c) Clarify the security requirements for big data activities. The organization
shall understand the characteristics of major big data activities, the data
operations that may be involved; clarify the security requirements of each
big data activity.
d) Assess big data security risks. In addition to carrying out information
system security risk assessments, the organization shall also assess the
big data security risks, in terms of the potential system vulnerabilities,
malicious use, consequences and other unfavorable factors in the big data
environment, as well as countermeasures.
4.3 Roles and responsibilities of big data security management
4.3.1 Overview
The organization shall establish a big data security management organizational
structure. According to the scale of the organization, the data volume of the big
data platform, business development and planning, etc., it shall also clarify
different roles and their responsibilities, including at least the following roles:
a) Big data security manager: The individual or team responsible for the
organization's big data security. Big data security managers are
responsible for decision-making in data security-related fields and links;
b) Allocate data access permissions and mechanisms for parties authorized
by big data security managers;
c) Cooperate with big data security managers to handle security incidents;
d) Record relevant logs for data activities.
4.3.4 Responsibilities of big data security auditors
The main responsibilities of big data security auditors include:
a) Review the data-related attributes such as the subject, operation and
object of the data activity, to ensure that the process and related
operations of the data activity meet the security requirements;
b) Regularly review the use of data.
5 Basic principles of big data security management
5.1 Clear responsibilities
The organization shall clarify the security responsibilities of different roles and
their big data activities. The organization shall:
a) Establish a big data security manager. According to the factors such as
organization's mission, data scale and value, organizational business, the
organization shall specify the person or department, which plays the role
of big data security manager. It can be composed of business leaders,
legal and regulatory experts, IT security experts, and data security experts.
It is responsible for the security of the organization's data and its
applications.
b) Clarify the role’s security responsibilities. The organization shall clarify the
security responsibilities of big data security managers, big data security
executors, big data security auditors, and other roles related to data
security.
c) Clarify the implementation subject of the main activities. The organization
shall clarify the implementation subject and security responsibilities of the
main big data activities.
5.2 Security compliance
The organization shall formulate strategies and procedures, to ensure that all
data activities meet compliance requirements. The organization shall:
data security responsibilities;
d) Take effective measures, to ensure that the security incident responsibility
after data transfer can be traced.
5.6 Minimum authorization
The organization shall control data access permissions in big data activities, to
ensure that permissions are minimized on the basis of meeting business needs.
The organization shall:
a) Grant the minimum operation authorization and minimum data set to the
data activity subject;
b) Develop a data access authorization approval process; formulate an
application and approval process for changes in the data operation
authorization and scope of the data activity subject;
c) Recover expired data access permissions in a timely manner.
5.7 Ensure security
The organization shall take appropriate management and technological
measures to ensure data security. The organization shall:
a) Classify and grade data; implement appropriate security protection
measures for data with different security levels;
b) Ensure that the security control measures and strategies of the big data
platform and business are effective; protect the integrity, confidentiality
and availability of the data; ensure the security of the data life cycle;
c) Resolve the security risks and vulnerabilities found in risk assessment and
security inspections; take responsibility for security incidents caused by
improper security protection measures.
5.8 Auditability
The organization shall implement data audits on the big data platform and all
aspects of the business. The organization shall:
a) Record information about various operations in big data activities; ensure
that the records cannot be forged and tampered with;
b) Take effective technological measures, to ensure that all operations on big
data activities can be traced.
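Principles 5.6 (minimum authorization) and 5.8 (auditability) are stated above as management requirements. The following Python block is an added example, not part of the standard or of any referenced implementation, showing one way a platform team could realize both: a deny-by-default policy whose grants name the minimum operation and data set and carry an expiry that is revoked on schedule, and a hash-chained audit record of every access decision whose entries cannot be silently altered without breaking the chain. The subject, dataset and timestamps are constructed sample values; the class and function names are the example's own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor for the first audit entry


@dataclass(frozen=True)
class Grant:
    """One minimal authorization: a subject may do one operation on one data set."""
    subject: str
    operation: str
    dataset: str
    expires_at: datetime


class AccessPolicy:
    """Deny by default; allow only while an unexpired, exactly matching grant exists."""

    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def grant(self, subject: str, operation: str, dataset: str,
              valid_for: timedelta, now: datetime) -> Grant:
        g = Grant(subject, operation, dataset, now + valid_for)
        self._grants.append(g)
        return g

    def is_allowed(self, subject: str, operation: str, dataset: str, now: datetime) -> bool:
        return any(g.subject == subject and g.operation == operation
                   and g.dataset == dataset and now < g.expires_at
                   for g in self._grants)

    def revoke_expired(self, now: datetime) -> list[Grant]:
        """Principle 5.6 c): recover expired permissions; returns what was removed."""
        expired = [g for g in self._grants if now >= g.expires_at]
        self._grants = [g for g in self._grants if now < g.expires_at]
        return expired


class AuditLog:
    """Append-only record of (subject, operation, object, decision) per 5.8 a).

    Each entry carries the hash of its predecessor, so editing or deleting an
    earlier entry changes every later hash and verify() fails.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, subject: str, operation: str, obj: str,
               decision: str, at: datetime) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"at": at.isoformat(), "subject": subject, "operation": operation,
                "object": obj, "decision": decision, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_scenario() -> dict:
    """Constructed walk-through: one analyst, one 30-day read grant."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    policy, log = AccessPolicy(), AuditLog()
    policy.grant("analyst", "read", "customer_orders", timedelta(days=30), now=t0)

    def attempt(subject: str, operation: str, dataset: str, at: datetime) -> bool:
        allowed = policy.is_allowed(subject, operation, dataset, at)
        log.record(subject, operation, dataset, "allow" if allowed else "deny", at)
        return allowed

    results = {
        "read_in_window": attempt("analyst", "read", "customer_orders", t0 + timedelta(days=1)),
        "export_never_granted": attempt("analyst", "export", "customer_orders", t0 + timedelta(days=1)),
        "read_after_expiry": attempt("analyst", "read", "customer_orders", t0 + timedelta(days=31)),
    }
    results["revoked"] = len(policy.revoke_expired(t0 + timedelta(days=31)))
    results["denials"] = sum(1 for e in log.entries if e["decision"] == "deny")
    results["chain_intact"] = log.verify()
    # Simulate someone rewriting the denial record after the fact.
    log.entries[1]["decision"] = "allow"
    results["tamper_detected"] = not log.verify()
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The chain only detects edits to entries below the current head; an actor who can rewrite the whole log can recompute every hash, so the latest hash should be periodically copied somewhere the log writer cannot change (a signed checkpoint, a write-once store, or the auditor's own records) for 5.8 a) to hold against a privileged insider. The `review`-style question an auditor asks under 4.3.4 is then answerable from the entries themselves: who did what to which object, and whether the decision matched the grants in force at that time.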
6.3 Availability
The availability requirements in the big data environment shall consider the
following aspects:
a) Anti-attack capabilities of big data platform;
b) Security analysis capabilities based on big data, such as security
intelligence analysis, data-driven misuse detection, security incident
detection, etc.;
c) Disaster tolerance capabilities of big data platform.
6.4 Other requirements
For big data security, in addition to considering the confidentiality, integrity and
availability of information systems, according to the characteristics of big data,
the organization shall also analyze security requirements from other aspects of
big data activities, including but not limited to:
a) Compliance with laws and regulations, national strategies, standards, etc.;
b) Possible social and public security impacts, and cultural inclusiveness;
c) Data sharing between cross-organizations;
d) Cross-border data flow;
e) Intellectual property protection and data value protection.
7 Data classifying and grading
7.1 Principles of data classifying and grading
Data classifying and grading shall meet the following principles:
a) Scientificity. According to the multi-dimensional characteristics of the data
and the logical associations between them, scientifically and
systematically classify the data. According to the big data security
requirements, determine the data security level.
b) Stability. Based on the most stable characteristics and attributes of the
data, the classifying and grading scheme shall be formulated.
c) Practicality. Data classifying shall ensure that there are data under each
category; no meaningless categories are set. The classification of data
categories must conform to the general understanding of data classifying.
7.3 Data classifying methods
The organization shall classify data according to Clause 6 of GB/T 7027-2002.
It can be classified according to different attributes such as data subject, subject,
and business.
7.4 Data grading methods
The organization shall grade the existing data or newly-collected data. The data
grading needs to be jointly determined by the organization's supervisors,
business experts, and security experts. For the grading of government data, in
accordance with the provisions of GB/T 31167-2014, 6.3, it shall classify non-
secret-involved data into public and sensitive data. For personal information
and personal sensitive information, it shall refer to Appendix A and Appendix B
in GB/T 35273-2017.
The processing, storage, transmission, and utilization of secret-involved
information shall be implemented in accordance with national secrecy
regulations.
According to laws and regulations, business, organizational strategy, market
demand, etc., the organization may further grade sensitive data, to provide
appropriate security management and technological measures.
For different levels of data, in accordance with the provisions of Clause 4 to
Clause 6 of GB/T 35274-2017, the organization shall select appropriate
management and technological measures to implement effective security
protection for data.
8 Big data activities and security requirements
8.1 Main activities of big data
In the data life cycle, the organization may participate in one or more stages
of the data's existence. The set of operational tasks that the organization may
carry out on data, that is, its big data activities, is divided into data
collection, data storage, data processing, data distribution, data deletion, etc.:
a) Data collection. Data enters the organization's big data environment. The
data can come from other organizations or be generated by the organization itself.
b) Data storage. Store data persistently on storage media.
c) Data processing. Through this activity, perform the duties of the
organization or achieve the goals of the organization. The processed data
b) Follow compliance principles, to ensure the legality, legitimacy and
necessity of data collection;
c) Follow the principle of data minimization. Only collect the minimum data
required by the business;
d) Follow the principle of quality assurance. Formulate data quality
assurance strategies, procedures and requirements;
e) Follow the principle of ensuring security. Classify, grade and mark the
collected data. And implement corresponding security management
strategies and safeguard measures for different types and levels of data.
Take necessary security contr...