GB/T 37988-2019 English PDF
Status: Valid
GB/T 37988-2019: Information security technology - Data security capability maturity model
This is an excerpt.
GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Data security capability maturity model
Issued on: AUGUST 30, 2019
Implemented on: MARCH 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 DSMM architecture
5.1 Maturity Model Architecture
5.2 Security capability dimensions
5.3 Capacity maturity level dimension
5.4 Data security process dimension
6 Data collection security
6.1 PA01 Data classification and grading
6.2 PA02 Data collection security management
6.3 PA03 Data source authentication and recording
6.4 PA04 Data quality management
7 Data transmission security
7.1 PA05 Data transmission encryption
7.2 PA06 Network availability management
8 Data storage security
8.1 PA07 Storage media security
8.2 PA08 Logic storage security
8.3 PA09 Data backup and recovery
9 Data processing security
9.1 PA10 Data desensitization
9.2 PA11 Data analysis security
9.3 PA12 Proper use of data
9.4 PA13 Data processing environment security
9.5 PA14 Data import and export security
10 Data exchange security
10.1 PA15 Data sharing security
10.2 PA16 Data release security
10.3 PA17 Data interface security
11 Data destruction security
11.1 PA18 Data destruction and disposal
11.2 PA19 Destruction and disposal of storage media
12 Generic security
12.1 PA20 Data security policy planning
12.2 PA21 Organization and personnel management
12.3 PA22 Compliance management
12.4 PA23 Data asset management
12.5 PA24 Data supply chain security
12.6 PA25 Metadata management
12.7 PA26 Terminal data security
12.8 PA27 Monitoring and audit
12.9 PA28 Authentication and access control
12.10 PA29 Requirement analysis
12.11 PA30 Security incident response
Appendix A (Informative) Description of capability maturity level and GP
A.1 Overview
A.2 Capability maturity level 1 - Informal execution
A.3 Capability maturity level 2 - Plan tracking
A.4 Capability maturity level 3 - Fully defined
A.5 Capability maturity level 4 - Quantitative control
A.6 Capability maturity level 5 - Continuous improvement
Appendix B (Informative) Reference method for evaluation of capability maturity level
Appendix C (Informative) Assessment process of capability maturity level and model usage method
C.1 Assessment process of capability maturity level
C.2 How to use the capability maturity model
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by and shall be under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
Drafting organizations of this standard: Alibaba (Beijing) Software Service Co., Ltd., China Electronics Standardization Institute, China Information Security Evaluation Center, Beijing Qi'anxin Technology Co., Ltd., Lenovo (Beijing) Co., Ltd., the Third Research Institute of the Ministry of Public Security, Tsinghua University, China Cyber Security Review Technology and Certification Center, Software Research Institute of Chinese Academy of Sciences, China Mobile Communications Corporation, Alibaba Cloud Computing Co., Ltd., Beijing Tianrongxin Technology Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, Shaanxi Province Information Engineering Research Institute, Northwest University, Inspur Electronic Information Industry Co., Ltd., Beijing Yihualu Information Technology Co., Ltd., New H3C Technology Co., Ltd., Qinzhi Digital Technology Co., Ltd., Beijing Digital Certification Co., Ltd., Venus Star Information Technology Group Co., Ltd., Hisense Group Co., Ltd., Yinchuan Big Data Industry Development Service Center, Nanjing Zhongxin Saike Technology Co., Ltd., Beijing Weibu Online Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Huawei Technology Co., Ltd., Sanliu Zero Technology Co., Ltd., China Power Great Wall Internet System Application Co., Ltd.
The main drafters of this standard: Zhu Hongru, Liu Xiangang, Hu Ying, Jia Xuefei, Bai Xiaoyuan, Ye Xiaojun, Li Kepeng, Pan Liang, Xue Yong, Xie Anming, Mei Jingting, Jin Tao, Ye Runguo, Sun Mingliang, Zhang Yuguang, Xu Yujia, Du Yuejin, Chen Caifang, Ke Yan, Zhang Yudong, Xu Yuqing, Zhang Shichang, Song Lingwei, Min Jinghua, Zheng Xinhua, Miao Guangsheng, Liu Yuling, Pan Zhengtai, Zhang Ruiqing, Ren Weihong, Ren Lanfang, Cai Xiaodan, Chang Ling, Zhao Bei, Zhang Dajiang, Tang Hailong, Sun Xiaojun, Li Zheng, Sun Qian, Zhao Jiang, Ma Hongxia, Lu Jin, Wang Chuan, Du Qingfeng, Xue Kun, Especially, Wang Wei, Zhang Yi, He Jun, Zhang Xing.
Information security technology - Data security capability maturity model
1 Scope
This standard provides the maturity model architecture of the organization's data security capabilities, and specifies the maturity level requirements for data collection security, data transmission security, data storage security, data processing security, data exchange security, data destruction security, and general security.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 29246-2017, as well as the following terms and definitions apply to this document.
4 Abbreviations
The following abbreviations apply to this document.
5 DSMM architecture
Through the quantification of the security capabilities of each data security process of the organization, it evaluates the realization capability of each security process.
6 Data collection security
The data security capability requirements for this level are described as follows. Technical tools.
7 Data transmission security
The data security capabilities of this level are described as follows. Organizational construction. No mature and stable data transmission security and key management mechanisms have been established in any business; The data security capability requirements for this level are described as follows. Technical tools.
8 Data storage security
The data security capability requirements for this level are described as follows. Technical tools. The data security capability requirements for this level are described as follows.
9 Data processing security
The data security capability requirements for this level are described as follows. Technical tools. By adopting appropriate security control measures in the data analysis process, prevent the security risk of leaking valuable information and personal privacy during data mining and analysis.
......
Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.