GB/T 39335-2020: Information security technology - Guidance for personal information security impact assessment (excerpt)

GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Guidance for personal information security impact assessment

Issued on: November 19, 2020
Implemented on: June 01, 2021
Issued by: State Administration for Market Regulation; Standardization Administration of PRC

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment principle
  4.1 Overview
  4.2 The value of conducting an assessment
  4.3 Purpose of assessment report
  4.4 Subjects responsible for assessment
  4.5 Basic principles of assessment
  4.6 Elements to be considered in the assessment implementation
5 Implementation process of assessment
  5.1 Analysis of assessment necessity
  5.2 Assessment preparation
  5.3 Data mapping analysis
  5.4 Identification of risk sources
  5.5 Analysis of the impact of personal rights
  5.6 Comprehensive analysis of security risks
  5.7 Assessment report
  5.8 Risk treatment and continuous improvement
  5.9 Development of report release strategy
Appendix A (Informative) Examples of evaluative compliance and assessment points
Appendix B (Informative) Examples of high-risk personal information processing activities
Appendix C (Informative) Commonly used tools for personal information security impact assessment
Appendix D (Informative) Reference method for personal information security impact assessment
References
1 Scope

This standard provides the basic principles and implementation process of personal information security impact assessment.

This standard applies to organizations of all kinds carrying out personal information security impact assessment on their own. It can also serve as a reference for the supervision, inspection and assessment of personal information security by competent regulatory authorities, third-party assessment agencies and other organizations.

2 Normative references

The following documents are essential to the application of this document. For dated references, only the edition cited applies; for undated references, the latest edition (including all amendments) applies.

GB/T 20984 Information security technology - Risk assessment specification for information security
GB/T 25069-2010 Information security technology - Glossary
GB/T 35273-2020 Information security technology - Personal information security specification

3 Terms and definitions

The terms and definitions defined in GB/T 25069-2010 and GB/T 35273-2020, together with the following, apply to this document.

3.1 Personal information
Information of any kind, recorded electronically or in other ways, which can identify a specific natural person either alone or in combination with other information, or which reflects the activities of a specific natural person.

3.2 Personal sensitive information
Personal information which, once leaked, illegally provided or misused, may endanger personal and property safety, or may easily lead to damage to personal reputation, damage to physical and mental health, or discriminatory treatment.

3.3 Personal information subject
The natural person who is identified by, or associated with, the personal information.
3.4 Personal information security impact assessment
With regard to personal information processing activities, the process of testing their degree of legal compliance, judging the various risks of damage to the legal rights and interests of personal information subjects, and evaluating the effectiveness of the measures used to protect personal information subjects.

4 Assessment principle

4.1 Overview
Personal information security impact assessment aims to discover, treat and continuously monitor the risks of adverse effects on the legal rights and interests of personal information subjects during personal information processing.

4.2 The value of conducting an assessment
Conducting a personal information security impact assessment can effectively strengthen the protection of the rights and interests of personal information subjects, help organizations demonstrate their efforts to protect personal information security, enhance transparency, and promote the trust of personal information subjects. It includes:

4.3 Purpose of assessment report
The content of the personal information security impact assessment report mainly includes: the business scenarios covered by the assessment, the specific personal information processing activities involved in those scenarios, the responsible and participating departments and personnel, the identified risks, the list of adopted and proposed security control measures, residual risks, etc. Accordingly, the purposes of the personal information security impact assessment report include, but are not limited to:

4.4 Subjects responsible for assessment
The organization designates the department or person responsible for personal information security impact assessment. That department or person is responsible for formulating, implementing and improving the assessment work process, and is responsible for the quality of the assessment results.
4.5 Basic principles of assessment
The basic principles of personal information security impact assessment are shown in Figure 1.

4.6 Elements to be considered in the assessment implementation

4.6.1 Assessment scale
The scale of a personal information security impact assessment often depends on the scope, number and extent of the affected personal information subjects. In general, when an organization carries out this type of assessment, the type, sensitivity and quantity of personal information, the scope and number of personal information subjects involved, and the range of people who can access the personal information are all important factors affecting the scale of the assessment.

4.6.2 Assessment method
The basic assessment methods used in the assessment implementation process include, but are not limited to, the following three:

4.6.3 Work form of assessment
From the perspective of the implementing subject, personal information security impact assessment is divided into two forms: self-assessment and inspection assessment.

5 Implementation process of assessment

5.1 Analysis of assessment necessity

5.1.1 Overview
Personal information security impact assessment can be used for compliance gap analysis; it can also be used both for compliance and to further enhance the organization's own security risk management capability and security level. The necessity of starting a personal information security impact assessment therefore depends on the organization's personal information security goals. The organization can select the business scenarios for which an assessment needs to be started according to its actual needs.
5.1.2 Assessment of compliance gap

5.1.2.1 Overview
When the personal information security goal defined by the organization is to comply with the baseline requirements of relevant laws, regulations or standards, the main purpose of the personal information security impact assessment is to identify the gap between the security control measures already taken for the specific personal information processing activities under assessment and the specific requirements of those laws, regulations and standards; for example, whether sharing personal information with a third party in a given business scenario has obtained the express consent of the personal information subject.

5.1.2.2 Overall compliance analysis
The organization can analyze the gap between all personal information processing activities involved in a specific product or service and the applicable rules, in accordance with the applicable laws, regulations, policies and standards related to the protection of personal information.

5.1.2.3 Partial compliance analysis
The organization can analyze the gap between some of the personal information processing activities involved in a specific product or service and the applicable rules, in accordance with the applicable laws, regulations, policies and standards related to the protection of personal information.

5.1.2.4 Analysis of evaluative compliance requirements
Some laws, regulations and standards related to the protection of personal information put forward evaluative compliance requirements. Such requirements do not prescribe clear and specific security control measures for specific personal information processing activities.
Instead, they require organizations to conduct risk assessments for specific personal information processing activities, to take security control measures appropriate to the degree of risk, and to reduce the risk of adverse effects on the legal rights and interests of personal information subjects to an acceptable level in order to comply.

5.1.3 Assessment of due diligence risk
For the purposes of prudent operation, reputation maintenance, brand building and the like, organizations often select personal information processing activities that may pose a high risk to individuals' legitimate rights and interests and carry out due diligence risk assessments on them.

5.2 Assessment preparation

5.2.1 Establish an assessment team
The organization confirms and appoints a person (the assessor) responsible for assessing the impact on personal information security. In addition, the organization appoints a person responsible for signing the assessment report.

5.2.2 Develop an assessment plan
The plan needs to clearly stipulate the work to be done to complete the personal information security impact assessment report, the division of assessment tasks, and the assessment schedule. The plan also needs to consider the suspension or cancellation of the scenario under assessment. During specific operations, consider the following aspects:

5.2.3 Determine the assessment object and scope
Describe the object and scope of the assessment from the following three aspects:

5.2.4 Develop a consultation plan for related parties
Related parties include, but are not limited to:

5.3 Data mapping analysis
After the organization conducts a comprehensive survey of its personal information processing, it forms a clear data list and data mapping chart. The data mapping analysis stage needs to be combined with the specific scenarios of personal information processing.
The content of the survey includes the types of personal information involved in the collection, storage, use, transfer, sharing and deletion of personal information; the purpose of processing; ...

5.4 Identification of risk sources
Risk source identification analyzes which threat sources the personal information processing activities face, and whether a lack of adequate security measures leads to vulnerabilities that trigger security incidents. Many factors determine whether a personal information security incident occurs. In terms of threat sources, there are internal and external threat sources, with incidents such as data theft caused by malicious personnel and data leakage accidentally caused by non-malicious personnel. In terms of vulnerability, there are data damage caused by the physical environment; data leakage, tampering and loss caused by technical factors; and abuse caused by improper management.

5.5 Analysis of the impact of personal rights

5.5.1 Dimensions of personal rights
Personal rights and interests impact analysis is the analysis of whether specific personal information processing activities will affect the legal rights and interests of personal information subjects, and of what kind of impact they may have. The general impact on personal rights and interests can be divided into four dimensions:
- "limiting an individual's right to make decisions"
- "inducing differential treatment"
- "impairing personal reputation or suffering mental pressure"
- "impairing personal property"
5.5.2 Process of analysis of personal rights and interests impact
The organization can analyze the results of the data mapping analysis; determine the personal information processing activities that need to be evaluated; analyze the impact on personal rights and interests over the entire life cycle of the personal information processing activities, or of specific processing behaviors, as well as the possible impact of personal information leakage, damage, loss, abuse, etc. ...

5.6 Comprehensive analysis of security risks
When conducting a comprehensive analysis of security risks, the organization may refer to the basic principles in 4.5 and take the following steps:

5.7 Assessment report
The content of the assessment report usually includes:
- the approval page of the personal information protection officer;
- the scope of application of the assessment report;
- the information of the personnel who implemented the assessment and wrote the report;
- the laws, regulations and standards referred to;
- the personal information impact assessment object (clearly stating the personal sensitive information involved);
- assessment content;
- involved parties;
- the results of the analysis of personal rights and interests;
- the analysis of security protection measures;
- the analysis of the possibility of security incidents;
- the criteria for risk determination;
- the results of compliance analysis;
- the process and results of risk analysis;
- the risk treatment recommendations, etc.

5.8 Risk treatment and continuous improvement
According to the assessment results, the organization can select and implement corresponding security control measures for risk treatment. Under normal circumstances, depending on the level of risk, it may adopt treatment methods such as immediate treatment, treatment by a deadline, deferred treatment after weighing impact against cost, or acceptance of the risk.
5.9 Development of report release strategy
In order to drive continuous improvement of its own level of personal information protection, cooperate with regulatory activities and increase customer trust, an organization can formulate a release strategy for personal information security impact assessment reports. A personal information security impact assessment report selected for public release can be simplified on the basis of the existing assessment report; however, its content is usually not less than the following aspects:

......

Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.