JR/T 0197-2020 English PDF (JRT0197-2020)
Price: $955.00 USD
JR/T 0197-2020: Financial data security -- Guidelines for data security classification
JR/T 0197-2020
JR
FINANCIAL INDUSTRY STANDARD OF
THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.40
A 11
Financial data security - Guidelines for data security
classification
ISSUED ON: SEPTEMBER 23, 2020
IMPLEMENTED ON: SEPTEMBER 23, 2020
Issued by: People’s Bank of China
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Objectives, principles and scope ... 8
5 Data security grading ... 10
6 Identification of important data ... 21
Appendix A (Informative) Reference rules for data grading ... 22
Appendix B (Informative) Changes in data security level ... 79
Appendix C (Informative) Important data ... 80
References ... 82
Financial data security - Guidelines for data security
classification
1 Scope
This standard gives the objectives, principles and scope of financial data
security classification, as well as the elements, rules and process of data
security classification.
This standard applies to financial institutions carrying out security
classification of electronic data, and provides a reference for third-party
evaluation agencies and other organizations carrying out data security
inspection and evaluation.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies.
GB/T 4754-2017 Industrial classification for national economic activities
GB/T 5271.1-2000 Information technology - Vocabulary - Part 1:
Fundamental terms
GB/T 25069-2010 Information security technology - Glossary
GB/Z 28828-2012 Information security technology - Guideline for personal
information protection within information system for public and commercial
services
GB/T 35273-2020 Information security technology - Personal information
security specification
JR/T 0158-2018 Data classification guidelines for securities and futures
industry
JR/T 0171-2020 Personal financial information protection technical
specification
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 35273-
System execution of data manipulation.
Examples: Mathematical operations or logical operations of data, data
merging or classification, program assembly or compilation, or text
operations, such as editing, classification, merging, storage, retrieval,
display or printing.
Note 1: The term "data processing" is not to be used as a synonym for
"information processing".
Note 2: Adapted from GB/T 5271.1-2000, definition 2.01.01.06.
3.6
Confidentiality
The property that information is not made available or disclosed to
unauthorized individuals, entities or processes.
[GB/T 25069-2010, definition 2.1.1]
3.7
Integrity
The property of safeguarding the accuracy and completeness of assets.
Note: Adapted from GB/T 25069-2010, definition 2.1.42.
3.8
Availability
The property of data and resources being accessible and usable on demand by
an authorized entity.
[GB/T 25069-2010, definition 2.1.20]
3.9
Security level
A level assigned to sensitive information with respect to access which,
together with the security category, allows finer-grained control of access to
the data.
[GB/T 25069-2010, definition 2.2.1.6]
3.10
Data security grading is the foundation for establishing a unified and
complete security protection framework covering the whole data lifecycle, and
supports financial institutions in formulating targeted data security controls.
The financial industry includes monetary and financial services, capital market
services, insurance, etc., as classified in GB/T 4754-2017. The "financial
institutions" referred to in this standard are the institutions engaged in
those financial industries.
4.2 Principles of data security grading
Data security grading follows these principles:
a) Principle of legal compliance: The grading meets national laws and
regulations and the relevant requirements of the industry regulators.
b) Principle of enforceability: Grading rules are kept from becoming overly
complex, so that the grading work remains feasible in practice.
c) Principle of timeliness: A data security level is valid for a certain
period; financial institutions should adjust the level of data promptly
according to their level-change strategy.
d) Principle of autonomy: Within the framework of this standard, financial
institutions determine data security levels independently according to their
own data management needs (such as strategic needs, business needs and risk
appetite).
e) Principle of differentiation: Data are assigned to different security
levels according to their type and sensitivity, so that data are distributed
across the levels. All data should not simply be lumped together into a few
levels.
f) Principle of objectivity: Grading rules are objective and verifiable, that
is, the level of a data item can be determined from its attributes and the
grading rules, and the resulting grading can be reviewed and checked.
4.3 Scope of data security classification
In financial data security grading, non-electronic financial data are handled
in accordance with the relevant management regulations for archives and
documents, and financial data involving state secrets are handled in
accordance with the relevant national laws and regulations; neither is within
the scope of this standard. Data security classification in the securities
industry may be carried out with reference to JR/T 0158-2018.
The financial data covered by security grading work include, but are not
limited to:
financial institutions, including national security, public interests,
personal privacy and the legitimate rights and interests of enterprises. The
affected object is determined mainly by considering the following:
- The affected object is national security: a breach of data security that
may affect the stability of state power, territorial sovereignty, state
institutions, social stability or the stability of the financial markets, etc.
- The affected object is the public interest: a breach of data security that
may affect the social order of production and business, teaching and research,
medical care and public health, or public transport, or the public's political
rights, personal freedom or economic rights, etc.
- The affected object is personal privacy: a breach of data security that may
affect the personal information, private activities or private spaces of the
subjects of personal financial information.
- The affected object is the legitimate rights and interests of an enterprise:
a breach of data security that may affect the production, operation,
reputation, image or credibility of a particular enterprise or other
organization (which may be a financial institution or an institution in
another industry).
5.1.3 Degree of influence
The degree of influence is the magnitude of the impact once the security of a
financial institution's data has been compromised. From high to low it is divided into <...