GB/T 37988-2019: Information security technology -- Data security capability maturity model
GB/T 37988-2019
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Data security
capability maturity model
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Abbreviations ... 8
5 DSMM architecture ... 9
5.1 Maturity Model Architecture ... 9
5.2 Security capability dimensions ... 10
5.3 Capability maturity level dimension ... 11
5.4 Data security process dimension ... 14
6 Data collection security ... 16
6.1 PA01 Data classification and grading ... 16
6.2 PA02 Data collection security management ... 18
6.3 PA03 Data source authentication and recording ... 21
6.4 PA04 Data quality management ... 23
7 Data transmission security ... 25
7.1 PA05 Data transmission encryption ... 25
7.2 PA06 Network availability management ... 28
8 Data storage security ... 29
8.1 PA07 Storage media security ... 29
8.2 PA08 Logic storage security ... 31
8.3 PA09 Data backup and recovery ... 34
9 Data processing security ... 38
9.1 PA10 Data desensitization ... 38
9.2 PA11 Data analysis security ... 41
9.3 PA12 Proper use of data ... 44
9.4 PA13 Data processing environment security ... 46
9.5 PA14 Data import and export security ... 49
10 Data exchange security ... 52
10.1 PA15 Data sharing security ... 52
10.2 PA16 Data release security ... 55
10.3 PA17 Data interface security ... 57
11 Data destruction security ... 59
11.1 PA18 Data destruction and disposal ... 59
11.2 PA19 Destruction and disposal of storage media ... 61
12 Generic security ... 64
12.1 PA20 Data security policy planning ... 64
12.2 PA21 Organization and personnel management ... 67
12.3 PA22 Compliance management ... 72
12.4 PA23 Data asset management ... 76
12.5 PA24 Data supply chain security ... 78
12.6 PA25 Metadata management ... 81
12.7 PA26 Terminal data security ... 83
12.8 PA27 Monitoring and audit ... 85
12.9 PA28 Authentication and access control ... 88
12.10 PA29 Requirement analysis ... 91
12.11 PA30 Security incident response ... 93
Appendix A (Informative) Description of capability maturity level and GP ... 96
A.1 Overview ... 96
A.2 Capability maturity level 1 - Informal execution ... 96
A.3 Capability maturity level 2 - Plan tracking ... 97
A.4 Capability maturity level 3 - Fully defined ... 99
A.5 Capability maturity level 4 - Quantitative control ... 101
A.6 Capability maturity level 5 - Continuous improvement ... 102
Appendix B (Informative) Reference method for evaluation of capability maturity level ... 104
Appendix C (Informative) Assessment process of capability maturity level and model usage method ... 105
C.1 Assessment process of capability maturity level ... 105
C.2 How to use the capability maturity model ... 107
References ... 109
Information security technology - Data security
capability maturity model
1 Scope
This standard provides the architecture of a maturity model for an organization's
data security capabilities, and specifies the maturity level requirements for data
collection security, data transmission security, data storage security, data
processing security, data exchange security, data destruction security and generic
security.
This standard applies to the assessment of the organization's data security
capabilities. It can also be used as a basis for the organization to develop data
security capabilities.
2 Normative references
The following documents are indispensable for the application of this document. For
dated references, only the edition cited applies; for undated references, the latest
edition (including all amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information
security management systems - Overview and vocabulary
3 Terms and definitions
The terms and definitions given in GB/T 25069-2010 and GB/T 29246-2017, as well as
the following, apply to this document.
3.1
Data security
The use of management and technical measures to ensure that data is effectively
protected and remains in a state of compliant use.
3.2
Confidentiality
3.8
Security process
A complete process used to achieve a specific security goal. A process has inputs
and outputs.
Example: In the "security audit" security process, the input is the system log and
the output is the audit report.
3.9
Process area
A collection of related data security base practices that achieve the same security
goal.
Note: A process area contains one or more base practices.
Example: The "metadata management" process area includes base practices such as
establishing metadata management specifications, establishing metadata access
control policies, and establishing metadata technical tools.
3.10
Base practice
A data security related activity used to achieve a specific security goal.
Example: Establishing a list of data assets, carrying out classified and graded
management of data assets, etc.
3.11
Generic practice
Evaluation criteria used during an assessment to determine the implementation
capability of any security process area or base practice.
3.12
Data desensitization
A data protection method in which raw data is passed through a series of processing
steps so that the sensitive content is shielded.
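The definition in 3.12 is deliberately broad: masking, keyed pseudonymization and generalization all qualify as desensitization, and in practice a rule set is applied field by field. The following Python is an added example and is not part of the standard or of any tool it references. The sample records, the field names, the rule table (POLICY) and the key PSEUDONYM_KEY are constructed for illustration; a real deployment would load the key from a secret store. The example fails closed on fields that have no rule, which is the caveat most often missed when a schema gains a new column.

```python
import hashlib
import hmac
import re

# Constructed sample records (fictitious values, not taken from the standard).
SAMPLE_RECORDS = [
    {"name": "Zhang San", "phone": "138-1234-5678",
     "email": "zhang.san@example.com", "age": 34},
    {"name": "Li Si", "phone": "13987654321",
     "email": "li.si@example.org", "age": 52},
]

# Assumed per-environment secret for keyed pseudonymization. Hard-coded here
# only so the example runs offline; never ship a key in source.
PSEUDONYM_KEY = b"example-key-rotate-me"


def mask_phone(phone: str) -> str:
    """Keep the first 3 and last 4 digits, replace the rest with '*'.
    Non-digit separators are stripped first so formatting cannot bypass the rule."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 7:
        return "*" * len(digits)
    return digits[:3] + "*" * (len(digits) - 7) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, sep, domain = email.partition("@")
    if not sep:
        return "*" * len(email)
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256, truncated to 64 bits of hex. Equal inputs map to equal
    tokens (records stay joinable), but without the key the token cannot be
    inverted or brute-forced from a dictionary of likely names."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_age(age: int, bucket: int = 10) -> str:
    """Replace an exact age with a coarse range, e.g. 34 -> '30-39'."""
    lo = (age // bucket) * bucket
    return f"{lo}-{lo + bucket - 1}"


# Rule table: every field that may appear must have an explicit rule.
POLICY = {
    "name": pseudonymize,
    "phone": mask_phone,
    "email": mask_email,
    "age": generalize_age,
}


def desensitize(record: dict, policy: dict = POLICY) -> dict:
    """Apply the rule table to one record. Unknown fields raise rather than
    pass through untouched (fail closed)."""
    out = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None:
            raise KeyError(f"no desensitization rule for field {field!r}")
        out[field] = rule(value)
    return out


def leaked_fields(original: dict, desensitized: dict) -> list:
    """Post-check: return the sensitive fields whose raw value still appears
    verbatim anywhere in the desensitized output."""
    blob = " ".join(str(v) for v in desensitized.values())
    return [f for f in ("name", "phone", "email") if str(original[f]) in blob]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        safe = desensitize(rec)
        print(safe, "leaks:", leaked_fields(rec, safe))
```

Masking is irreversible and destroys joins; the keyed HMAC keeps records linkable across tables without storing a lookup table, at the cost of a key that must itself be protected and rotated. An unkeyed hash would not do here: phone numbers and common names have little entropy and are trivially recovered by dictionary attack.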
3.13
From the perspective of how the organization builds and operates its data security
system, the capability level is differentiated by the following aspects:
a) The clarity of the authorization and approval process at key control points in
the data life cycle;
b) The degree to which related process documents are formulated, released and
revised in a standardized way;
c) The consistency and effectiveness with which the documented procedures are
actually carried out.
5.2.4 Technical tools
Starting from the security technologies, application systems and tools the
organization uses to carry out data security work, the capability level is
differentiated by the following aspects:
a) The use of data security technology across the entire data life cycle, and the
ability to address the security risks of the entire data life cycle;
b) The ability to use technical tools to support data security work automatically,
and to embed the data security system and its procedures in those tools so that
they are enforced consistently.
5.2.5 Personnel capability
Starting from the capability of the personnel responsible for data security in the
organization, the capability level is differentiated by the following aspects:
a) Whether the data security skills of data security personnel meet the capability
requirements for achieving the security goals (their understanding of the
data-related business and their professional data security capabilities);
b) The data security awareness of data security personnel and the training in
data security capabilities given to employees in critical data security positio...