GB/T 37973-2019 English PDF (GBT37973-2019)

GB/T 37973-2019: Information security technology -- Big data security management guide

This Standard puts forward the basic principles of big data security management; specifies big data security requirements, data classifying and grading, security requirements for big data activities, and assessment of big data security risks. This Standard applies to various organizations for data security management; can also be used as a reference for third-party assessment agencies.
GB/T 37973-2019
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology -
Big data security management guide
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of big data security management
4.1 Goals of big data security management
4.2 Main content of big data security management
4.3 Roles and responsibilities of big data security management
5 Basic principles of big data security management
5.1 Clear responsibilities
5.2 Security compliance
5.3 Quality assurance
5.4 Data minimization
5.5 Responsibilities not transferring with data
5.6 Minimum authorization
5.7 Ensure security
5.8 Auditability
6 Big data security requirements
6.1 Confidentiality
6.2 Integrity
6.3 Availability
6.4 Other requirements
7 Data classifying and grading
7.1 Principles of data classifying and grading
7.2 Process of data classifying and grading
7.3 Data classifying methods
7.4 Data grading methods
8 Big data activities and security requirements
8.1 Main activities of big data
8.2 Data collection
8.3 Data storage
8.4 Data processing
8.5 Data distribution
8.6 Data deletion
9 Assessment of big data security risks
9.1 Overview
9.2 Asset identification
9.3 Threat identification
9.4 Vulnerability identification
9.5 Confirmation of existing security measures
9.6 Risk analysis
Appendix A (Informative) Example of data classifying and grading in the telecom industry
Appendix B (Informative) Examples of life science big data risk analysis
Appendix C (Informative) Big data security risks
Bibliography
Information security technology -
Big data security management guide
1 Scope
This Standard puts forward the basic principles of big data security management; specifies big data security requirements, data classifying and grading, security requirements for big data activities, and assessment of big data security risks.
This Standard applies to various organizations for data security management; can also be used as a reference for third-party assessment agencies.
2 Normative references
The following documents are indispensable for the application of this document. For the dated references, only the editions with the dates indicated are applicable to this document. For the undated references, the latest edition (including all the amendments) is applicable to this document.
GB/T 7027-2002 The basic principles and methods for information classifying and coding
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/T 25069-2010 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 35274-2017 Information security technology - Security capability requirements for big data services
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010, GB/T 20984-2007 and GB/T 35274-2017 and the following ones apply to this document.
3.1
a) Meet the requirements of personal information protection and data protection laws, regulations, standards, etc.;
b) Meet the data protection requirements of big data related parties;
c) Through technology and management methods, ensure that the data security risks under its own control and management are controllable.
4.2 Main content of big data security management
Big data security management mainly includes the following:
a) Clarify data security requirements. The organization shall analyze the new problems faced by the confidentiality, integrity and availability of data in the big data environment; analyze the influence that big data activities may have on national security, social impact, public interest, personal life and property safety, etc.; clarify the requirements for data security to address these problems and impacts.
b) Data classifying and grading. The organization shall first classify and grade the data. According to different data gradings, select appropriate security measures.
c) Clarify the security requirements for big data activities. The organization shall understand the characteristics of major big data activities, the data operations that may be involved; clarify the security requirements of each big data activity.
d) Assess big data security risks. In addition to carrying out information system security risk assessments, the organization shall also assess the big data security risks, in terms of the potential system vulnerabilities, malicious use, consequences and other unfavorable factors in the big data environment, as well as countermeasures.
4.3 Roles and responsibilities of big data security management
4.3.1 Overview
The organization shall establish a big data security management organizational structure. According to the scale of the organization, the data volume of the big data platform, business development and planning, etc., it shall also clarify different roles and their responsibilities, including at least the following roles:
a) Big data security manager: The individual or team responsible for the organization's big data security. Big data security managers are responsible for decision-making in data security-related fields and links;
b) Allocate data access permissions and mechanisms for parties authorized by big data security managers;
c) Cooperate with big data security managers to handle security incidents;
d) Record relevant logs for data activities.
4.3.4 Responsibilities of big data security auditors
The main responsibilities of big data security auditors include:
a) Review the data-related attributes such as the subject, operation and object of the data activity, to ensure that the process and related operations of the data activity meet the security requirements;
b) Regularly review the use of data.
5 Basic principles of big data security management
5.1 Clear responsibilities
The organization shall clarify the security responsibilities of different roles and their big data activities. The organization shall:
a) Establish a big data security manager. According to factors such as the organization's mission, data scale and value, and organizational business, the organization shall specify the person or department which plays the role of big data security manager. It can be composed of business leaders, legal and regulatory experts, IT security experts, and data security experts. It is responsible for the security of the organization's data and its applications.
b) Clarify the role's security responsibilities. The organization shall clarify the security responsibilities of big data security managers, big data security executors, big data security auditors, and other roles related to data security.
c) Clarify the implementation subject of the main activities. The organization shall clarify the implementation subject and security responsibilities of the main big data activities.
5.2 Security compliance
The organization shall formulate strategies and procedures, to ensure that all data activities meet compliance requirements. The organization shall:
data security responsibilities;
d) Take effective measures, to ensure that the security incident responsibility after data transfer can be traced.
5.6 Minimum authorization
The organization shall control data access permissions in big data activities, to ensure that permissions are minimized on the basis of meeting business needs. The organization shall:
a) Grant the minimum operation authorization and minimum data set to the data activity subject;
b) Develop a data access authorization approval process; formulate an
application and approval process for changes in the data operation
authorization and scope of the data activity subject;
c) Recover expired data access permissions in a timely manner.
5.7 Ensure security
The organization shall take appropriate management and technological measures to ensure data security. The organization shall:
a) Classify and grade data; implement appropriate security protection measures for data with different security levels;
b) Ensure that the security control measures and strategies of the big data platform and business are effective; protect the integrity, confidentiality and availability of the data; ensure the security of the data life cycle;
c) Resolve the security risks and vulnerabilities found in risk assessment and security inspections; take responsibility for security incidents caused by improper security protection measures.
5.8 Auditability
The organization shall implement data audits on the big data platform and all aspects of the business. The organization shall:
a) Record information about various operations in big data activities; ensure that the records cannot be forged and tampered with;
b) Take effective technological measures, to ensure that all operations on big data activities can be traced.
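Clauses 4.3.4 a) and 5.8 both rest on activity records that carry the subject, operation and object of each data activity and that cannot be forged or tampered with. The following Python is an added illustration of one way to meet that, not text or code from the standard: each record is chained to its predecessor and authenticated with an HMAC under a key the logged subjects do not hold. The key, field names and sample records are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Hypothetical audit key (not from the standard); in practice it would be held in an
# HSM/KMS so that the subjects whose operations are logged cannot re-sign records.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

@dataclass
class ActivityRecord:
    time: str            # when the operation took place
    subject: str         # who performed it (the subject reviewed under 4.3.4 a)
    operation: str       # one of the 8.1 activities: collect, store, process, distribute, delete
    obj: str             # the data set acted on (the object)
    data_level: str      # grade assigned under 7.4, e.g. "public" or "sensitive"
    prev_hash: str = ""  # tag of the preceding record; links the chain
    tag: str = ""        # HMAC over this record plus prev_hash

def _tag(rec: ActivityRecord, prev_hash: str) -> str:
    body = {k: v for k, v in asdict(rec).items() if k not in ("prev_hash", "tag")}
    body["prev_hash"] = prev_hash
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()

def append_record(log: list, rec: ActivityRecord) -> str:
    """Append rec, chained to the previous record, and return its tag."""
    prev = log[-1].tag if log else GENESIS
    rec.prev_hash = prev
    rec.tag = _tag(rec, prev)
    log.append(rec)
    return rec.tag

def verify_log(log: list) -> int:
    """Return -1 if every record is authentic and the chain is unbroken; otherwise
    the index of the first record that was altered, inserted, or whose
    predecessor was removed."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.prev_hash != prev or not hmac.compare_digest(rec.tag, _tag(rec, prev)):
            return i
        prev = rec.tag
    return -1

def operations_on(log: list, obj: str) -> list:
    """Trace every recorded operation on one data set (5.8 b), in order."""
    return [r for r in log if r.obj == obj]

def build_sample_log() -> list:
    # Constructed sample records, not real activity data.
    log = []
    append_record(log, ActivityRecord("2020-03-01T09:00:00Z", "analyst-a", "collect", "ds-customers", "sensitive"))
    append_record(log, ActivityRecord("2020-03-01T09:05:00Z", "analyst-a", "process", "ds-customers", "sensitive"))
    append_record(log, ActivityRecord("2020-03-01T10:00:00Z", "ops-b", "delete", "ds-customers", "sensitive"))
    return log
```

Removing only the newest records is not detected by the chain itself; the auditor also needs the latest tag anchored somewhere the logging subjects cannot change.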
6.3 Availability
The availability requirements in the big data environment shall consider the following aspects:
a) Anti-attack capabilities of big data platform;
b) Security analysis capabilities based on big data, such as security intelligence analysis, data-driven misuse detection, security incident detection, etc.;
c) Disaster tolerance capabilities of big data platform.
6.4 Other requirements
For big data security, in addition to considering the confidentiality, integrity and availability of information systems, according to the characteristics of big data, the organization shall also analyze security requirements from other aspects of big data activities, including but not limited to:
a) Compliance with laws and regulations, national strategies, standards, etc.;
b) Possible social and public security impacts, and cultural inclusiveness;
c) Data sharing between cross-organizations;
d) Cross-border data flow;
e) Intellectual property protection and data value protection.
7 Data classifying and grading
7.1 Principles of data classifying and grading
Data classifying and grading shall meet the following principles:
a) Scientificity. According to the multi-dimensional characteristics of the data and the logical associations between them, scientifically and systematically classify the data. According to the big data security requirements, determine the data security level.
b) Stability. Based on the most stable characteristics and attributes of the data, the classifying and grading scheme shall be formulated.
c) Practicality. Data classifying shall ensure that there are data under each category; no meaningless categories are set. The classification of data categories must conform to the general understanding of data classifying.
7.3 Data classifying methods
The organization shall classify data according to Clause 6 of GB/T 7027-2002. It can be classified according to different attributes such as data subject, subject, and business.
7.4 Data grading methods
The organization shall grade the existing data or newly-collected data. The data grading needs to be jointly determined by the organization's supervisors, business experts, and security experts. For the grading of government data, in accordance with the provisions of GB/T 31167-2014, 6.3, it shall classify non-secret-involved data into public and sensitive data. For personal information and personal sensitive information, it shall refer to Appendix A and Appendix B in GB/T 35273-2017.
The processing, storage, transmission, and utilization of secret-involved information shall be implemented in accordance with national secrecy regulations.
According to laws and regulations, business, organizational strategy, market demand, etc., the organization may further grade sensitive data, to provide appropriate security management and technological measures.
For different levels of data, in accordance with the provisions of Clause 4 to Clause 6 of GB/T 35274-2017, the organization shall select appropriate management and technological measures to implement effective security protection for data.
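Clauses 5.6 (minimum authorization) and 7.4 (data grading) together describe a deny-by-default access decision: the subject's grant must still be in force, cover the grade of the data, name the requested operation, and include no more columns than the minimum data set. The following Python is an added example of that check, not text or code from the standard; the grade labels below "sensitive", the data sets, subjects and expiry dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Grade ordering. "public" and "sensitive" follow 7.4; "sensitive-high" is a constructed
# example of the further grading of sensitive data that the clause allows.
LEVEL_RANK = {"public": 0, "sensitive": 1, "sensitive-high": 2}

@dataclass(frozen=True)
class DataSet:
    name: str
    level: str             # grade assigned under 7.4
    columns: frozenset     # fields the data set contains

@dataclass(frozen=True)
class Authorization:
    subject: str
    dataset: str
    operations: frozenset  # minimum operation authorization (5.6 a)
    columns: frozenset     # minimum data set (5.6 a)
    max_level: str         # highest grade the subject may handle (5.7 a)
    expires: str           # ISO-8601; the grant is recovered once this passes (5.6 c)

def check_access(auths, datasets, subject, dataset, operation, columns, now):
    """Deny by default; return (allowed, reason). `now` is an ISO-8601 timestamp."""
    ds = datasets.get(dataset)
    if ds is None:
        return False, "unknown data set"
    asked = frozenset(columns)
    for a in auths:
        if a.subject != subject or a.dataset != dataset:
            continue
        if datetime.fromisoformat(now) >= datetime.fromisoformat(a.expires):
            return False, "authorization expired; permission recovered"
        if LEVEL_RANK[ds.level] > LEVEL_RANK[a.max_level]:
            return False, "data graded above the subject's clearance"
        if operation not in a.operations:
            return False, f"operation '{operation}' not in minimum authorization"
        extra = asked - a.columns
        if extra:
            return False, f"columns outside minimum data set: {sorted(extra)}"
        return True, "allowed"
    return False, "no authorization on record"

def expired_authorizations(auths, now):
    """Grants whose term has passed, i.e. what 5.6 c) says must be recovered promptly."""
    t = datetime.fromisoformat(now)
    return [a for a in auths if t >= datetime.fromisoformat(a.expires)]

def build_sample():
    # Constructed sample data, not from the standard.
    datasets = {
        "customers": DataSet("customers", "sensitive", frozenset({"city", "id_number", "phone"})),
        "open_stats": DataSet("open_stats", "public", frozenset({"region", "count"})),
    }
    auths = [
        Authorization("analyst-a", "customers", frozenset({"read"}), frozenset({"city"}), "sensitive", "2020-04-01T00:00:00"),
        Authorization("intern-c", "customers", frozenset({"read"}), frozenset({"city"}), "public", "2020-12-31T00:00:00"),
    ]
    return auths, datasets
```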
8 Big data activities and security requirements
8.1 Main activities of big data
In the data life cycle, the organization may participate in one or more stages of the data form. The set of operational tasks that the organization may carry out on data, that is, its activities, is divided into: data collection, data storage, data processing, data distribution, data deletion, etc.:
a) Data collection. Data enters the organization's big data environment. The data can come from other organizations or generated by itself.
b) Data storage. Store data persistently on storage media.
c) Data processing. Through this activity, perform the duties of the organization or achieve the goals of the organization. The processed data
b) Follow compliance principles, to ensure the legality, legitimacy and necessity of data collection;
c) Follow the principle of data minimization. Only collect the minimum data required by the business;
d) Follow the principle of quality assurance. Formulate data quality assurance strategies, procedures and requirements;
e) Follow the principle of ensuring security. Classify, grade and mark the collected data. And implement corresponding security management strategies and safeguard measures for different types and levels of data. Take necessary security control measures for the data collection environment, facilities and technology.
8.3 Data storage
8.3.1 Concept of data storage activity
Data storage refers to the static storage of data on the big data platform. The stored data includes collected data, result data analyzed and processed, etc. The storage system can be a relational database, a non-relational database, etc. It shall support the storage of different types and formats of data. And it shall provide a variety of data access interfaces, such as file system interfaces, database interfaces, etc. Until the data is completely deleted, the stored data shall be provided with appropriate security protection by the organization. The organization shall fully consider the security risks of using third-party data storage platforms to store data. Due to intellectual property rights, laws and regulations and other reasons, even if an organization can effectively control the data in the storage system, such as personal information or health data, it may not be the owner of the data. The organization still needs to bear the responsibility of data storage management.
The main operations of data storage activity include but are not limited to: data coding and decoding, data encryption and decryption, graded storage of cold and hot data, data archiving and persistent storage, data backup, data update, data access, etc.
8.3.2 Security requirements
When an organization carries out data storage activity, it shall:
a) Separately store data of different categories and levels; adopt a physical or logical isolation mechanism.
a) Follow the principle of responsibilities not transferring with data.
b) When personal information, important data, etc. have a situational need, in accordance with relevant laws, regulations, policy documents and standards, a situational security assessment shall be carried out.
c) Before data distribution, it shall conduct risk assessment on the data, to ensure that the risk after data distribution is bearable. And through the contract, it shall clarify the data protection responsibility of the data recipient.
d) Before data distribution, the sensitivity of the data is evaluated. Based on the evaluation results, the sensitive information, which needs to be distributed, is desensitized.
e) Follow the principle of auditability. Record the related information such as time, distributing data, data recipient.
f) Evaluate the transmission security risks in data distribution, to ensure the security of data transmission.
g) Provide an effective data security sharing mechanism.
h) Establish a review system for data release; strictly review whether the released information meets the requirements of relevant laws and regulations. Clarify the content and scope of data release. Conduct regular review of released data.
8.6 Data deletion
8.6.1 Concept of data deletion activity
Data deletion activity refers to the organization's deletion of data and copies of its own or leased big data platforms. If the data comes from an external real-time data stream, the link with the real-time data stream shall also be disconnected.
The reasons for data deletion include but are not limited to:
a) In order to reduce the risk of data leakage. Avoid inappropriate distribution or processing of data.
b) Delete irrelevant or incorrect data. The data is no longer relevant to the original purpose of use; or the data is incorrect.
c) Data deletion processing after business completion. The data business completes the service goal and no longer needs to save relevant data.
e) Big data processing framework, such as stream processing framework,
interactive processing framework, offline processing framework;
f) Big data storage framework, such as distributed file system, non-relational database, etc.;
g) Big data platform computing resource (such as CPU, memory, network, etc.) management framework, etc.
9.3 Threat identification
When an organization carries out threat identification, it shall pay attention to the characteristics of threats in the big data environment, including but not limited to:
a) Potential adverse factors:
- The resources, technological capabilities, motivations, etc. of the potential attacker. Common attackers include individuals, organizations, countries, etc.;
- The intention of potential attackers to steal, use and misuse data;
- The resources required for big data access, storage and processing;
- The risk of direct access to data or theft of data;
- The costs and benefits of launching attacks and malicious use of big data.
b) Malicious use of the required scientific expertise and skills:
- The skills and expertise required for data and result analysis;
- The technology and equipment required for data use and result analysis;
- The skills, technology, and knowledge required to take advantage of system vulnerabilities.
c) Threat of data exit.
9.4 Vulnerability identification
When an organization carries out vulnerability identification, it shall pay attention to the specific vulnerabilities in the big data environment, including but not limited to:
a) The vulnerability of basic software and infrastructure such as big data storage and processing;
