GB/T 37988-2019 English PDF (GBT37988-2019)

Regular price $905.00 USD

GB/T 37988-2019: Information security technology -- Data security capability maturity model

This standard provides the maturity model architecture of the organization's data security capabilities; specifies the maturity level requirements for data collection security, data transmission security, data storage security, data processing security, data exchange security, data destruction security, general security. This standard applies to the assessment of the organization's data security capabilities. It can also be used as a basis for the organization to develop data security capabilities.
GB/T 37988-2019
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Data security
capability maturity model
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Abbreviations ... 8
5 DSMM architecture ... 9
5.1 Maturity Model Architecture ... 9
5.2 Security capability dimensions ... 10
5.3 Capacity maturity level dimension ... 11
5.4 Data security process dimension ... 14
6 Data collection security ... 16
6.1 PA01 data classification and grading ... 16
6.2 PA02 Data collection security management ... 18
6.3 PA03 Data source authentication and recording ... 21
6.4 PA04 Data quality management ... 23
7 Data transmission security ... 25
7.1 PA05 data transmission encryption ... 25
7.2 PA06 Network availability management ... 28
8 Data storage security ... 29
8.1 PA07 storage media security ... 29
8.2 PA08 Logic storage security ... 31
8.3 PA09 Data backup and recovery ... 34
9 Data processing security ... 38
9.1 PA10 data desensitization ... 38
9.2 PA11 Data analysis security ... 41
9.3 Proper use of PA12 data ... 44
9.4 PA13 Data processing environment security ... 46
9.5 PA14 Data import and export security ... 49
10 Data exchange security ... 52
10.1 PA15 Data sharing security ... 52
10.2 PA16 Data release security ... 55
10.3 PA17 Data interface security ... 57
11 Data destruction security ... 59
11.1 PA18 Data destruction and disposal ... 59
11.2 Destruction and disposal of PA19 storage media ... 61
12 Generic security ... 64
12.1 PA20 Data security policy planning ... 64
12.2 PA21 Organization and personnel management ... 67
12.3 PA22 Compliance management ... 72
12.4 PA23 Data asset management ... 76
12.5 PA24 Data supply chain security ... 78
12.6 PA25 Metadata management ... 81
12.7 PA26 Terminal data security ... 83
12.8 PA27 Monitoring and audit ... 85
12.9 PA28 Authentication and access control ... 88
12.10 PA29 Requirement analysis ... 91
12.11 PA30 Security incident response ... 93
Appendix A (Informative) Description of capability maturity level and GP ... 96
A.1 Overview ... 96
A.2 Capability maturity level 1 - Informal execution ... 96
A.3 Capability maturity level 2 - Plan tracking ... 97
A.4 Capability maturity level 3 - Fully defined ... 99
A.5 Capability maturity level 4 - Quantitative control ... 101
A.6 Capability maturity level 5 - Continuous improvement ... 102
Appendix B (Informative) Reference method for evaluation of capability maturity level ... 104
Appendix C (Informative) Assessment process of capability maturity level and model usage method ... 105
C.1 Assessment process of capability maturity level ... 105
C.2 How to use the capability maturity model ... 107
References ... 109
Information security technology - Data security
capability maturity model
1 Scope
This standard provides the maturity model architecture of the organization's data security capabilities; specifies the maturity level requirements for data collection security, data transmission security, data storage security, data processing security, data exchange security, data destruction security, general security.
This standard applies to the assessment of the organization's data security capabilities. It can also be used as a basis for the organization to develop data security capabilities.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this standard.
GB/T 25069-2010 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 29246-2017, as well as the following terms and definitions apply to this document.
3.1
Data security
The use of management and technical measures, to ensure the effective protection of data and the status of compliant use.
3.2
Confidentiality
3.8
Security process
A complete process, which is used to achieve a certain security goal. The process includes inputs and outputs.
Example: In the security process of "security audit", the input is the system log and the output is the audit report.
3.9
Process area
A collection of relevant data security base practices, to achieve the same security goal.
Note: A process area contains one or more base practices.
Example: The process area of "metadata management" includes base practices, such as establishing metadata management specifications, establishing metadata access control strategies, establishing metadata technical tools.
3.10
Base practice
Data security related activities, which are used to achieve a certain security goal.
Example: Establish a list of data assets, to carry out classified and graded management of the data assets, etc.
3.11
Generic practice
Evaluation criteria, which is used in the evaluation, to determine the implementation capability of any security process area or base practice.
3.12
Data desensitization
A data protection method, in which raw data is processed through a series of data processing methods, to shield sensitive data.
3.13
From the perspective of the organization's construction and implementation of the data security system, the capability levels are differentiated based on the following aspects:
a) The clarity of the authorization and approval process for key control nodes in the data life cycle;
b) The standardization of the formulation, release, revision of related process systems;
c) Consistency and effectiveness of the implementation of system procedures.
5.2.4 Technical tools
Starting from the security technology, application systems and tools, that are used by the organization to carry out data security work, the capability level is differentiated according to the following aspects:
a) The use of data security technology during the entire data life cycle, as well as the capability to deal with the security risks of the entire data life cycle;
b) The capability to use technical tools for automatic support of data security work, as well as the capability to implement solidified implementation of the data security system and procedures.
5.2.5 Personnel capability
Starting from the capability of the personnel responsible for data security in the organization, the capability level is differentiated according to the following aspects:
a) Whether the data security skills possessed by data security personnel can meet the capability requirements for achieving security goals (the degree of understanding of data-related businesses and the professional capabilities of data security);
b) Data security awareness of data security personnel and the training of data security capabilities for employees in critical data security positions.
5.3 Capacity maturity level dimension
The organization's data security capability maturity level is divided into 5 levels, as shown in Table 1.
The data life cycle security process area includes the following 6 processes:
a) Data collection security PA (PA01 ~ PA04) includes 4 PA: Data classification and grading, data collection security management, data source identification and recording, data quality management;
b) Data transmission security PA (PA05 ~ PA06) includes 2 PA: data transmission encryption, network availability management;
c) Data storage security PA (PA07 ~ PA09) includes 3 security PA: storage media security, logical storage security, data backup and recovery;
d) Data processing security PA (PA10 ~ PA14) includes 5 security PA: data desensitization, data analysis security, data proper use, data processing environment security, data import and export security;
e) Data exchange security PA (PA15 ~ PA17) includes 3 security PA: data sharing security, data release security, data interface security;
f) Data destruction security PA (PA18 ~ PA19) includes 2 security PA: data destruction disposal, storage media destruction disposal.
The generic security process area (PA20 ~ PA30) includes 11 PA: data security policy planning, organization and personnel management, compliance management, data asset management, data supply chain security, metadata management, terminal data security, monitoring and audit, authentication and access control, demand analysis, security incident response.
5.4.2.2 Coding rules
The rules for coding the data security PA are as follows:
a) Each PA has a corresponding number, which is represented by increasing numbers 01, 02, ..., respectively.
Example 1: PA01, stands for PA "Data classification and grading".
b) Each PA is composed of some BP. BP is numbered by BP.XX.XX, wherein the first group of codes represents the serial number of the PA where it is located, the second group of codes represents the serial number of the specific BP. The serial number of the specific BP is represented by increasing values 01, 02, ...
Example 2: BP.01.01 represents the first BP in the process area PA01 "Data classification and grading".
c) For each level of each PA, it is necessary to meet the requirements of this level and all BPs below that level at the same time, to achieve the
1) It shall clearly define the principles, methods, operation guidelines of data classification and grading (BP.01.05);
2) The organization's data shall be identified and managed, by classification and grading (BP.01.06);
3) Establish corresponding security management and control measures, such as access control, data encryption and decryption, data desensitization, for different types and levels of data (BP.01.07);
4) The change approval process and mechanism for data classification and grading shall be clarified; through this process, ensure that the change operation of data classification and grading as well as its results meet the requirements of the organization (BP.01.08).
c) Technical tools: Data classification and grading marking or data asset management tools shall be established, to realize the functions of automatic identification of data classification and grading, release of identification results, review (BP.01.09).
d) Personnel capability: The person in charge of this work shall understand the compliance requirements of data classification and grading; be able to identify which data is sensitive data (BP.01.10).
6.1.2.4 Level 4: Quantitative control
The data security capability requirements for this level are described as follows:
Technical tools:
a) It shall record the difference between the automatic classification and grading results and the classification and grading results after manual review; regularly analyze and improve the classification and grading identification tools; improve the accuracy of tool processing (BP.01.11);
b) The operation and change process of data classification and grading shall be recorded and analyzed. The change operation audit shall be carried out regularly, through technical means such as log analysis. The data classification and grading shall be traceable (BP.01.12).
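The coding rules of 5.4.2.2 (PA numbered 01, 02, ...; BP coded BP.XX.XX with the PA serial first) and rule c) that a level is only attained when the BPs of that level and of every lower level are all met can be turned into a small assessment helper. The following is an added example written for this page, not code from the standard or from any assessment tool. The level 3 and level 4 BP lists for PA01 are taken from 6.1.2.3 and 6.1.2.4 above; the level 1, 2 and 5 lists are constructed placeholders, because those clauses are not shown in this excerpt, and the function names are my own.

```python
"""Maturity-level computation for one DSMM process area (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# BP codes have the shape BP.<PA serial>.<BP serial>, two digits each (5.4.2.2 b).
BP_CODE = re.compile(r"^BP\.(\d{2})\.(\d{2})$")


def parse_bp(code: str) -> Tuple[int, int]:
    """Split 'BP.01.05' into (pa=1, seq=5), rejecting malformed codes."""
    m = BP_CODE.match(code)
    if m is None:
        raise ValueError(f"not a BP code: {code!r}")
    pa, seq = int(m.group(1)), int(m.group(2))
    if pa == 0 or seq == 0:  # serial numbers start at 01 (5.4.2.2 a, b)
        raise ValueError(f"PA and BP serial numbers start at 01: {code!r}")
    return pa, seq


def pa_code(pa: int) -> str:
    """Render a PA serial number in the standard's PA01, PA02, ... form."""
    return f"PA{pa:02d}"


# BP-by-level table for PA01 "Data classification and grading".
# Levels 3 and 4 follow 6.1.2.3 / 6.1.2.4 of the excerpt; levels 1, 2 and 5
# are CONSTRUCTED placeholders, since those clauses are not on the page.
PA01_LEVELS: Dict[int, List[str]] = {
    1: ["BP.01.01"],
    2: ["BP.01.02", "BP.01.03", "BP.01.04"],
    3: [f"BP.01.{n:02d}" for n in range(5, 11)],   # BP.01.05 .. BP.01.10
    4: ["BP.01.11", "BP.01.12"],
    5: ["BP.01.13"],
}


def check_table(pa: int, levels: Dict[int, List[str]]) -> None:
    """Every BP in a PA's table must be well-formed and carry that PA's serial."""
    for lvl, bps in levels.items():
        for code in bps:
            bp_pa, _ = parse_bp(code)
            if bp_pa != pa:
                raise ValueError(f"{code} is listed under {pa_code(pa)} level {lvl}")


def attained_level(levels: Dict[int, List[str]], met: Iterable[str]) -> int:
    """Highest level whose BPs, and those of all lower levels, are all met (rule c)."""
    met_set = set(met)
    for code in met_set:      # reject evidence with malformed codes early
        parse_bp(code)
    attained = 0
    for lvl in sorted(levels):
        if all(bp in met_set for bp in levels[lvl]):
            attained = lvl
        else:
            break             # a gap at this level blocks every level above it
    return attained


def gaps_to_level(levels: Dict[int, List[str]], met: Iterable[str], target: int) -> List[str]:
    """BPs still missing before `target` (and every level below it) is attained."""
    met_set = set(met)
    return [bp for lvl in sorted(levels) if lvl <= target
            for bp in levels[lvl] if bp not in met_set]


if __name__ == "__main__":
    check_table(1, PA01_LEVELS)
    # Constructed evidence: all level 1-3 BPs met, level 4 met, but BP.01.07 missing.
    evidence = [c for lvl in (1, 2, 3, 4) for c in PA01_LEVELS[lvl] if c != "BP.01.07"]
    print(pa_code(1), "attained level:", attained_level(PA01_LEVELS, evidence))
    print("gaps to level 4:", gaps_to_level(PA01_LEVELS, evidence, 4))
```

Note that meeting both level 4 BPs does not lift the result above level 2 while a level 3 BP is missing; that is the point of rule c), and it is why an assessment record should list gaps per level rather than a single count of satisfied BPs.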
6.1.2.5 Level 5: Continuous improvement
The data security capability requirements for this level are described as follows:
a) System process: The specifications and rules of data classification and grading shall be reviewed regularly, considering whether the content completely covers the current business; meanwhile it shall implement
2) The core business shall clearly state the purpose, method and scope of personal information collection, with the consent of the person being collected (BP.02.04).
6.2.2.3 Level 3: Fully defined
The data security capability requirements for this level are described as follows:
a) Organization construction: The organization shall set up data collection security management positions and personnel, that are responsible for formulating relevant data collection security management systems, promoting the implementation of relevant requirements and processes, providing consultation and support for the risk assessment of specific businesses or projects (BP.02.05).
b) System process:
1) It shall clarify the organization's data collection principles; define the business data collection process and methods (BP.02.06);
2) It shall clarify the channels for data collection and external data sources; confirm the legality of external data sources (BP.02.07);
3) It shall clarify the scope, quantity and frequency of data collection, to ensure that personal information and important data, that are not related to the provision of services, are not collected (BP.02.08);
4) It shall clarify the risk assessment process for organizing data collection; carry out the risk assessment, for the collected data source, frequency, channel, method, data range and type (BP.02.09);
5) It shall clarify the scope of knowledge of personal information and important data, during the data collection process, as well as the control measures that need to be taken, to ensure that the personal information and important data, during the collection process, are not leaked (BP.02.10);
6) It shall clarify the scope of automatic data collection (BP.02.11).
c) Technical tools:
1) It shall, according to a unified data collection process, build the data collection-related tools, to ensure the consistency of the organization's data collection process. At the same time, the relevant system shall have a detailed logging function, to ensure a complete record of the data collection authorization process (BP.02.12);
6.3 PA03 Data source authentication and recording
6.3.1 PA description
Authenticate and record the identity of the data source that generates the data, to prevent data counterfeiting and data forgery.
6.3.2 Level description
6.3.2.1 Level 1: Informal execution
The data security capabilities of this level are described as follows:
Organizational construction: No effective management of the collected data sources of any business, there are only temporary records of collected data sources, based on temporary needs or personal experience (BP.03.01).
6.3.2.2 Level 2: Plan tracking
The data security capability requirements for this level are described as follows:
a) Organizational construction: The relevant personnel of the business team shall be responsible for data source authentication and recording (BP.03.02);
b) System process: For the online data collection of the core business system and the external third-party collection, it shall establish a corresponding mechanism, to perform the authentication and recording of the data source (BP.03.03);
c) Technical tools: The core business shall have technical tools, to support the authentication and recording of data sources (BP.03.04).
6.3.2.3 Level 3: Fully defined
The data security capability requirements for this level are described as follows:
a) Organizational construction: The relevant personnel of the business team shall be responsible for authenticating and recording data sources (BP.03.05).
b) System process: It shall clarify the system of data source management, to authenticate and record the data sources, which are collected by the organization (BP.03.06).
c) Technical tools:
1) It shall, oriented to the update of the system and process, continuously improve the service capability of the tool in data identification, recording, traceability (BP.03.14);
2) It shall participate in the formulation of international, national or industry-related standards. Share best practices in the industry and become an industry benchmark (BP.03.15).
6.4 PA04 Data quality management
6.4.1 PA description
Establish an organizational data quality management system, to ensure the accuracy, consistency, completeness of the data collected/generated in the data collection process.
6.4.2 Level description
6.4.2.1 Level 1: Informal execution
The data security capabilities of this level are described as follows:
Organizational construction: No mature and stable data quality management or monitoring has been established in any business; it only considers data quality management based on temporary needs or personal experience (BP.04.01).
6.4.2.2 Level 2: Plan tracking
The data security capability requirements for this level are described as follows:
a) Organization construction: Data quality management shall be carried out by relevant personnel of the business team, according to business requirements (BP.04.02).
b) System process: Data quality management or monitoring shall be used as a necessary link in the core business (BP.04.03).
6.4.2.3 Level 3: Fully defined
The data security capability requirements for this level are described as follows:
a) Organizational construction: The organization shall set up data quality management positions and personnel, that are responsible for formulating unified data quality management requirements; clarify the responsible departments or personnel for the management and monitoring of data quality (BP.04.04).
personnel of various business teams; can continuously and timely improve data quality management work (BP.04.12).
b) Technical tools:
1) It shall establish the technical indicators of data quality; evaluate the level of data quality management, through the relevant management system (BP.04.13);
2) It shall participate in the formulation of international, national or industry-related standards. Share best practices in the industry and become an industry benchmark (BP.04.14).
7 Data transmission security
7.1 PA05 data transmission encryption
7.1.1 PA description
According to the internal and external data transmission requirements of the organization, adopt appropriate encryption protection measures, to ensure the security of transmission channels, transmission nodes, transmission data; prevent data leakage during transmission.
7.1.2 Level description
7.1.2.1 Level 1: Informal execution
The data security capabilities of this level are described as follows:
Organizational construction: No mature and stable data transmission security and key management mechanisms have been established in any business; only temporary encryption protection measures are adopted, for transmission channels, transmission nodes or data, based on individual business needs and compliance requirements (BP.05.01).
7.1.2.2 Level 2: Plan tracking
The data security capability requirements for this level are described as follows:
a) Organizational construction: The relevant personnel of the business team shall be responsible for the encryption of the transmission channel (BP.05.02).
...