GB/T 37973-2019 English PDF (GBT37973-2019)
GB/T 37973-2019: Information security technology -- Big data security management guide
GB/T 37973-2019
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology -
Big data security management guide
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of big data security management
4.1 Goals of big data security management
4.2 Main content of big data security management
4.3 Roles and responsibilities of big data security management
5 Basic principles of big data security management
5.1 Clear responsibilities
5.2 Security compliance
5.3 Quality assurance
5.4 Data minimization
5.5 Responsibilities not transferring with data
5.6 Minimum authorization
5.7 Ensure security
5.8 Auditability
6 Big data security requirements
6.1 Confidentiality
6.2 Integrity
6.3 Availability
6.4 Other requirements
7 Data classifying and grading
7.1 Principles of data classifying and grading
7.2 Process of data classifying and grading
7.3 Data classifying methods
7.4 Data grading methods
8 Big data activities and security requirements
8.1 Main activities of big data
8.2 Data collection
8.3 Data storage
8.4 Data processing
8.5 Data distribution
8.6 Data deletion
9 Assessment of big data security risks
9.1 Overview
9.2 Asset identification
9.3 Threat identification
9.4 Vulnerability identification
9.5 Confirmation of existing security measures
9.6 Risk analysis
Appendix A (Informative) Example of data classifying and grading in the telecom industry
Appendix B (Informative) Examples of life science big data risk analysis
Appendix C (Informative) Big data security risks
Bibliography
Information security technology -
Big data security management guide
1 Scope
This Standard puts forward the basic principles of big data security
management; specifies big data security requirements, data classifying and
grading, security requirements for big data activities, and assessment of big
data security risks.
This Standard applies to organizations of all kinds for their data security
management, and can also be used as a reference by third-party assessment agencies.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition with the date indicated applies to this
document. For undated references, the latest edition (including all amendments)
applies to this document.
GB/T 7027-2002 The basic principles and methods for information
classifying and coding
GB/T 20984-2007 Information security technology - Risk assessment
specification for information security
GB/T 25069-2010 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 35274-2017 Information security technology - Security capability
requirements for big data services
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010, GB/T 20984-2007 and
GB/T 35274-2017 and the following ones apply to this document.
3.1
a) Meet the requirements of personal information protection and data
protection laws, regulations, standards, etc.;
b) Meet the data protection requirements of big data related parties;
c) Through technology and management methods, ensure that the data
security risks under its own control and management are controllable.
4.2 Main content of big data security management
Big data security management mainly includes the following:
a) Clarify data security requirements. The organization shall analyze the new
problems faced by the confidentiality, integrity and availability of data in
the big data environment; analyze the influence that big data activities may
have on national security, social impact, public interest, personal life and
property safety, etc.; clarify the requirements for data security to address
these problems and impacts.
b) Data classifying and grading. The organization shall first classify and
grade the data. According to different data gradings, select appropriate
security measures.
c) Clarify the security requirements for big data activities. The organization
shall understand the characteristics of major big data activities, the data
operations that may be involved; clarify the security requirements of each
big data activity.
d) Assess big data security risks. In addition to carrying out information
system security risk assessments, the organization shall also assess the
big data security risks, in terms of the potential system vulnerabilities,
malicious use, consequences and other unfavorable factors in the big data
environment, as well as countermeasures.
4.3 Roles and responsibilities of big data security management
4.3.1 Overview
The organization shall establish a big data security management organizational
structure. According to the scale of the organization, the data volume of the big
data platform, business development and planning, etc., it shall also clarify
different roles and their responsibilities, including at least the following roles:
a) Big data security manager: The individual or team responsible for the
organization's big data security. Big data security managers are
responsible for decision-making in all data security-related areas and stages;
b) Allocate data access permissions and mechanisms for parties authorized
by big data security managers;
c) Cooperate with big data security managers to handle security incidents;
d) Record relevant logs for data activities.
4.3.4 Responsibilities of big data security auditors
The main responsibilities of big data security auditors include:
a) Review the data-related attributes such as the subject, operation and
object of the data activity, to ensure that the process and related
operations of the data activity meet the security requirements;
b) Regularly review the use of data.
5 Basic principles of big data security management
5.1 Clear responsibilities
The organization shall clarify the security responsibilities of different roles and
their big data activities. The organization shall:
a) Establish a big data security manager. According to factors such as the
organization's mission, data scale and value, and business, the
organization shall designate the person or department that plays the role
of big data security manager. It can be composed of business leaders,
legal and regulatory experts, IT security experts, and data security experts.
It is responsible for the security of the organization's data and its
applications.
b) Clarify the role’s security responsibilities. The organization shall clarify the
security responsibilities of big data security managers, big data security
executors, big data security auditors, and other roles related to data
security.
c) Clarify the implementation subject of the main activities. ...