
GB/T 37972-2019 English PDF

US$439.00 · In stock
Delivery: <= 4 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 37972-2019: Information security technology - Operation supervision framework of cloud computing service
Status: Valid
Standard ID        USD   BUY PDF      Lead-Days   Standard Title (Description)                                                                   Status
GB/T 37972-2019    439   Add to Cart  4 days      Information security technology - Operation supervision framework of cloud computing service   Valid

Similar standards

GB/T 37988   GB/T 37956   GB/T 37985   GB/T 37964   GB/T 37962   

Basic data

Standard ID: GB/T 37972-2019 (GB/T37972-2019)
Description (Translated English): Information security technology - Operation supervision framework of cloud computing service
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 22,240
Date of Issue: 2019-08-30
Date of Implementation: 2020-03-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 37972-2019: Information security technology - Operation supervision framework of cloud computing service


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology - Operation supervision framework of cloud computing service
Issued 2019-08-30, implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Purpose and framework of cloud computing service operation supervision
4.1 Purpose of operation supervision
4.2 Operation supervision framework
4.3 Roles and responsibilities in operation supervision
5 Supervision of security control measures
5.1 Security control measures
5.2 Supervision activities for security control measures
6 Change management supervision
6.1 Change management content
6.2 Supervision activities for change management
7 Emergency response supervision
7.1 Emergency response content
7.2 Supervision activities for emergency response
8 Implementation of cloud computing service operation supervision
8.1 Overview
8.2 Manual mechanism
8.3 Automatic mechanism
Appendix A (informative) Operation supervision deliverable template
Appendix B (informative) Operation supervision list for security control measures
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents. This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this standard: Sichuan University, China Electronics Standardization Institute, Beijing Anxin Tianxing Technology Co., Ltd., Beijing Information Security Full Evaluation Center, Huawei Technologies Co., Ltd., Alibaba Cloud Computing Co., Ltd., Tencent Cloud Computing Co., Ltd., China Mobile Research Institute, Guangzhou Saibao Certification Center Service Co., Ltd., Xi’an Future International Information Co., Ltd., Shaanxi Provincial Information Engineering Research Institute, China National Electronic Technology Network Information Security Co., Ltd. Main drafters of this standard: Chen Xingshu, Luo Yonggang, Li Xiang, Liu Xiaoyin, Shangguan Xiaoli, Zhong Jinxin, Zhao Zhangjie, Ge Long, Wang Wei, Wang Yongxia, Zhang Lei, Shen Xiyong, Yang Silei, Ge Xiaoyu, Wang Huilai, Bai Yang, Wang Qixu, Hu Ying.

Introduction

With the rapid development of cloud computing technology, government departments and key industries have a large demand for adopting cloud computing services. To ensure that customers use cloud computing services securely, that the security capabilities of cloud service providers meet the requirements of the relevant national standards, and that all parties to a cloud computing service can effectively grasp its operational quality and security status in real time, an operation supervision framework for cloud computing services needs to be formulated. This standard takes GB/T 31167-2014 "Information security technology - Cloud computing service security guidelines" and GB/T 31168-2014 "Information security technology - Cloud computing service security capability requirements" as its basis. Around the responsibilities of cloud service providers and operation supervisors, and the content of supervision, during the process by which government department cloud service customers use cloud computing services, it proposes the operation supervision framework, process and methods. At the same time, this standard provides guidance for cloud service providers in supporting cloud computing service operation supervision activities, and guidance for operation supervisors in carrying out operation supervision.

1 Scope

This standard establishes the operation supervision framework for cloud computing services, specifies the content and supervision activities of security control measures supervision, change management supervision and emergency response supervision, and gives suggestions for implementing operation supervision. This standard applies to the operation supervision of cloud computing services used by government departments; key industries and other enterprises and institutions may also refer to it when using cloud computing services.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 31167-2014 Information security technology - Cloud computing service security guidelines
GB/T 31168-2014 Information security technology - Cloud computing service security capability requirements

3 Terms and definitions

The terms and definitions defined in GB/T 31167-2014 and the following apply to this document.
3.1 Operation supervisor
An organization, independent of the parties to a cloud computing service and possessing professional technical capabilities, that conducts operation supervision.

4 Cloud computing service operation supervision purpose and framework

4.1 Purpose of operation supervision
The purpose of conducting cloud computing service operation supervision is to ensure that:
a) cloud computing services continue to comply with the relevant national laws and regulations, administrative orders, policies and standards;
b) the parties to a cloud computing service can grasp the operating quality and security status of the cloud computing platform in a timely and effective manner;
c) the security risks of the cloud computing service are controllable;
d) the security capabilities of the cloud computing service continue to meet requirements;
thereby achieving the main objectives of operation supervision set out in 8.1 of GB/T 31167-2014.

4.2 Operation supervision framework
The cloud computing service operation supervision framework is based on the operation supervision requirements in the national standards GB/T 31167-2014 and GB/T 31168-2014. The framework is shown in Figure 1.
[Figure 1: Operation supervision framework]
Cloud service providers shall implement management and technical measures for cloud computing services, such as security control, change management and emergency response, and provide the operation supervisor with supporting material showing that those measures have been implemented, in the form of deliverables (any actual evidence that supports supervision activities, including but not limited to documents, pictures, audio, video, physical objects and data, effectively stored in paper, electronic or other form). Appendix A gives a reference template for operation supervision deliverables, and Appendix B gives the operation supervision list for security control measures.
The operation supervisor carries out supervision activities such as analysis, review, evaluation and verification of the cloud service provider's deliverables, forms the supervision results, notifies the parties to the cloud computing service of them and, when necessary, gives reasonable opinions and suggestions based on the supervision results.

4.3 Roles and responsibilities in operation supervision
4.3.1 Roles in operation supervision
The operation supervision framework involves two main roles:
a) Cloud service provider: a cloud service provider that has passed the national cybersecurity review and provides services to government departments.
b) Operation supervisor: an operation supervisor designated or commissioned by the management department of the cloud service customer (e.g. the government information security management department or the competent department of the cloud service customer).
4.3.2 Responsibilities of the cloud service provider
The cloud service provider shall:
a) ensure that the security control measures in the cloud computing platform remain continuously effective;
b) ensure that the risks of major changes to the cloud computing platform are controllable;
c) ensure that emergency response in the cloud computing platform is timely and adequate;
d) submit the deliverables required for operation supervision to the operation supervisor according to the agreed content, form, frequency and manual or automatic mechanism, and ensure that the deliverables are authentic and reliable;
e) rectify the relevant management and technical measures based on the supervision results fed back by the operation supervisor;
thereby fulfilling the cloud service provider's responsibilities in operation supervision specified in 8.2.3 of GB/T 31167-2014.
4.3.3 Responsibilities of the operation supervisor
The operation supervisor shall:
a) carry out operation supervision of the security control measures, major changes and emergency response of the cloud computing service;
b) negotiate the operation supervision interface with the cloud service provider, i.e. the content, form, frequency and manual or automatic mechanism of delivery;
c) ensure the security of the deliverables submitted by the cloud service provider, and not provide deliverables or materials involving the cloud service provider's intellectual property or trade secrets to third parties;
d) analyze and review the deliverables submitted by the cloud service provider;
e) evaluate the security capabilities of the cloud computing service based on the analysis and review results and, when necessary, verify the content of the deliverables by spot checks, verification and testing;
f) form an evaluation report based on the evaluation and verification conclusions, notify the parties to the cloud computing service of it, and give rectification opinions and suggestions when necessary;
thereby helping the cloud service customer fulfill the customer's responsibilities in operation supervision activities specified in 8.2.2 of GB/T 31167-2014.

5 Supervision of security control measures

5.1 Security control measures
The main content covered by security control measures includes, but is not limited to:
a) system development and supply chain security;
b) system and communication protection;
c) access control;
d) configuration management;
e) maintenance;
f) emergency response and disaster recovery;
g) audit;
h) risk assessment and continuous monitoring;
i) security organization and personnel;
j) physical and environmental security.
5.2 Supervision activities for security control measures
The supervision activities for security control measures are:
a) the operation supervisor formulates the security control supervision strategy and plan, clarifies the purpose and requirements of supervision and the supervision methods and means, and refines the supervision content, deliverable types, formats and frequency for the security control measures;
b) the cloud service provider, in accordance with the security control supervision strategy and plan formulated by the operation supervisor, continuously monitors the security status of the cloud computing platform and submits the deliverables related to the effectiveness of the security control measures;
c) the operation supervisor analyzes and reviews the security control measures of the cloud computing platform based on the deliverables submitted by the cloud service provider, evaluates the effectiveness of the security control measures when necessary, and notifies the parties to the cloud computing service of the results.

6 Change management supervision

6.1 Change management content
The main content covered by change management includes, but is not limited to (see 8.4.2, Supervision of major changes, in GB/T 31167-2014):
a) changes to identification (including identity identification and data source identification) and access control measures;
b) changes to the way data storage is implemented;
c) changes to the backup mechanism and process;
d) changes to network connections with external service providers;
e) changes to security control measures;
f) changes to deployed commercial software and hardware products;
g) changes of cloud computing service subcontractors, such as a PaaS or SaaS service provider replacing its IaaS service provider;
h) changes to the operating entity of the cloud computing service;
i) changes to the software version of the cloud computing platform;
j) changes to the cloud computing platform infrastructure;
k) changes to the IT architecture of the system.
6.2 Supervision activities for change management
The supervision activities for major changes are:
a) the operation supervisor formulates the change management supervision strategy and plan, and clarifies the purpose and requirements of supervision, the methods and means, the deliverables, etc.;
b) before implementing a major change, the cloud service provider conducts a security impact analysis of the change, tests and verifies the change when necessary, and submits the deliverables related to the security of the major change in the format, content and time agreed with the operation supervisor;
c) the operation supervisor analyzes and reviews the changes to the cloud computing platform based on the deliverables submitted by the cloud service provider, evaluates and verifies the security of the changed items when necessary, and notifies the parties to the cloud computing service of the results.

7 Emergency response supervision

7.1 Emergency response content
The main content covered by emergency response includes, but is not limited to (see 8.4.3, Supervision of security incidents, in GB/T 31167-2014):
a) unauthorized access incidents, such as unauthorized logical or physical access to business systems, data or other computing resources on the cloud computing platform;
b) security attack incidents, such as denial-of-service attacks;
c) malicious code infections, such as the cloud computing platform being infected by viruses, worms, Trojan horses or other malicious code;
d) cloud computing platform outages;
e) discovery of major security threats;
f) major security information leaks.
7.2 Supervision activities for emergency response
The supervision activities for emergency response are:
a) the operation supervisor formulates the emergency response supervision strategy and plan, clarifies the purpose and requirements of supervision and the supervision methods and means, and refines the supervision content, deliverable types and formats for emergency response;
b) when the cloud service provider detects a security incident that may cause business interruption for the cloud service customer or threaten the confidentiality or integrity of the cloud service customer's data, it carries out and records emergency response activities, forms the emergency response deliverables and submits them to the operation supervisor in a timely manner;
c) the operation supervisor analyzes and evaluates the security incident and the emergency response activities based on the deliverables submitted by the cloud service provider, evaluates and verifies the adequacy of the emergency response activities when necessary, and notifies the parties to the cloud computing service of the results.

8 Implementation methods of cloud computing service operation supervision

8.1 Overview
The operation supervisor shall obtain the information and deliverables related to the security of the cloud computing platform in an effective, accurate and timely manner, so as to carry out supervision activities such as analysis, evaluation, review and verification of the security capabilities of the cloud computing service. The implementation methods for obtaining operation supervision information and deliverables are the manual mechanism and the automatic mechanism.
8.2 Manual mechanism
According to the content and frequency agreed with the operation supervisor, the cloud service provider submits the deliverables supporting operation supervision activities to the operation supervisor in an agreed offline manner. See Appendix B for the list of deliverables.
8.3 Automatic mechanism
8.3.1 Main content
The main content of supervision by automatic mechanism includes, but is not limited to:
a) restricting access to various media and auditing media access;
b) centralized management, application and verification of configuration item parameters;
c) detecting new unauthorized software, hardware or firmware components added to the cloud computing service platform;
d) maintaining an inventory of information system components;
e) supporting the incident handling process;
f) supporting the incident reporting process;
g) improving the availability of incident response support resources;
h) integrating the review, analysis and reporting processes to support the investigation of and response to suspicious activities;
i) comparing vulnerability scan results from different times to determine the vulnerability trend of the information system;
j) updating malicious code protection mechanisms;
k) managing accounts;
l) monitoring and controlling remote access sessions to detect network attacks and ensure that the remote access policy is enforced;
m) checking components after defect remediation;
n) near-real-time analysis of attack events;
o) temperature and humidity control.
8.3.2 Requirements
When implementing automatic mechanisms, consider the following:
a) comply with the relevant national laws, administrative orders, directives, policies, regulations, standards and guidelines;
b) use open specifications, standards, technologies and protocols;
c) extract information from various information sources;
d) provide interoperability with other tools;
e) be able to integrate and format the information from the security control, change management and emergency response processes.
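As an added illustration (not part of GB/T 37972-2019, and not code from any of the drafting organizations), the following Python script shows what an automatic-mechanism deliverable covering items c), d) and i) of 8.3.1 could look like: it compares an observed component inventory against the approved inventory to flag unauthorized additions, compares two vulnerability scan snapshots to derive the trend, and emits the result as JSON, an open format in the spirit of 8.3.2 b). All hostnames, component versions, finding identifiers, the severity weights and the record layout are constructed assumptions, not data from the standard or from any real scanner.

```python
"""Added example: generating an automatic-mechanism supervision deliverable.

Covers 8.3.1 c)/d) (unauthorized components vs. an approved inventory) and
8.3.1 i) (vulnerability trend between two scans). All data below is
constructed sample data and the record layout is an assumption.
"""
import json
from datetime import date

# Constructed sample data: approved inventory vs. what an agent observed.
APPROVED_COMPONENTS = {
    "web-01": {"nginx": "1.24.0", "openssl": "3.0.13"},
    "db-01": {"postgresql": "15.6"},
}
OBSERVED_COMPONENTS = {
    "web-01": {"nginx": "1.24.0", "openssl": "3.0.13", "ncat": "7.94"},
    "db-01": {"postgresql": "15.6"},
    "jump-02": {"openssh": "9.6"},  # whole host absent from approved inventory
}

# Constructed scan snapshots: (scan date, findings). Finding ids are made up.
SCAN_T0 = ("2024-03-01", [
    {"host": "web-01", "id": "FINDING-A", "severity": "high"},
    {"host": "web-01", "id": "FINDING-B", "severity": "medium"},
    {"host": "db-01", "id": "FINDING-C", "severity": "critical"},
])
SCAN_T1 = ("2024-04-01", [
    {"host": "web-01", "id": "FINDING-B", "severity": "medium"},  # still open
    {"host": "db-01", "id": "FINDING-D", "severity": "high"},     # newly found
])

# Assumed severity weights so two scans with equal counts still show a direction.
SEVERITY_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def unauthorized_components(approved, observed):
    """Return {host: {component: version}} present in observed but not approved.

    A host missing from the approved inventory is reported in full, and a
    version that differs from the approved one counts as unauthorized too,
    since a silently changed version is exactly what 8.3.1 c) wants caught.
    """
    result = {}
    for host, comps in observed.items():
        allowed = approved.get(host, {})
        extra = {name: ver for name, ver in comps.items() if allowed.get(name) != ver}
        if extra:
            result[host] = extra
    return result


def _weighted_score(findings):
    return sum(SEVERITY_WEIGHTS.get(f["severity"], 0) for f in findings.values())


def vulnerability_trend(scan_before, scan_after):
    """Diff two scans keyed by (host, finding id) and summarise the change."""
    before = {(f["host"], f["id"]): f for f in scan_before[1]}
    after = {(f["host"], f["id"]): f for f in scan_after[1]}
    fmt = lambda keys: [f"{host}:{fid}" for host, fid in sorted(keys)]
    score_before, score_after = _weighted_score(before), _weighted_score(after)
    if score_after < score_before:
        direction = "improving"
    elif score_after > score_before:
        direction = "worsening"
    else:
        direction = "flat"
    return {
        "from": scan_before[0],
        "to": scan_after[0],
        "resolved": fmt(before.keys() - after.keys()),
        "new": fmt(after.keys() - before.keys()),
        "persisting": fmt(before.keys() & after.keys()),
        "score_before": score_before,
        "score_after": score_after,
        "direction": direction,
    }


def build_deliverable(approved=APPROVED_COMPONENTS, observed=OBSERVED_COMPONENTS,
                      scan_before=SCAN_T0, scan_after=SCAN_T1):
    """Assemble a JSON-serialisable deliverable (assumed field names)."""
    return {
        "deliverable": "automatic-mechanism supervision report",
        "generated": date.today().isoformat(),
        "unauthorized_components": unauthorized_components(approved, observed),
        "vulnerability_trend": vulnerability_trend(scan_before, scan_after),
    }


if __name__ == "__main__":
    print(json.dumps(build_deliverable(), indent=2))
```

Because the output is plain JSON with stable field names, the operation supervisor can ingest it with any tooling (8.3.2 d)) and archive each run as a dated deliverable; the weighted score makes the trend direction visible even when the number of open findings is unchanged between scans.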
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 37972-2019_English be delivered?

Answer: Upon your order, we will start to translate GB/T 37972-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 37972-2019_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 37972-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept currencies other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.