GB/T 32921-2016 PDF English

PDF Preview: GB/T 32921-2016

GB/T 32921-2016
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Security criterion on supplier conduct of information technology products

ISSUED ON: AUGUST 29, 2016
IMPLEMENTED ON: MARCH 01, 2017
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Supplier code of conduct and security
Bibliography

Information security technology - Security criterion on supplier conduct of information technology products

1 Scope
This Standard specifies the basic guidelines that information technology product suppliers shall abide by in order to protect user-related information and maintain user information security while providing information technology products.
This Standard applies to the management of supplier behavior in the supply, operation or maintenance of information technology products. It can also serve as a basis for the research and development, operation and maintenance, and evaluation of information technology products.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010, Information security technology - Glossary

3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T 25069-2010 as well as the following apply.

3.1 information technology product
hardware, software, systems and services with the functions of collecting, storing, processing, transmitting, controlling, exchanging, and displaying data or information
NOTE: Information technology products include computers and their auxiliary equipment, communication equipment, network equipment, automatic control equipment, operating systems, databases, application software and services, and so on.

3.2 information technology product supplier
an organization that provides information technology products
NOTE: Information technology product suppliers include manufacturers, sellers, agents, integrators, and service providers.

3.3 user-related information
information related to natural or legal persons, and data defining and describing such information
NOTE: User-related information includes user identity information, as well as user-generated documents, programs, multimedia materials, user communication content, address, time, product configuration, operation and location data, logs generated during system operation, and so on.

3.4 explicit consent
consent clearly authorized by the subject of the user-related information, with evidence of the authorization retained

3.5 remote control
control activities carried out on user products through a remote connection
NOTE: Remote control activities include starting and stopping the product, changing product configuration, changing product operating status, popping up dialog boxes, automatic remote upgrades, pushing business data, and so on.

3.6 national critical information infrastructure
basic information networks and important information systems related to the national economy and people's livelihood; if these networks or systems are attacked or damaged, national network security, economic security, public interests, public safety and so on will be harmed

4 Supplier code of conduct and security

4.1 General
In principle, an information technology product supplier shall not collect, store or process user-related information, and shall not remotely control products already provided to users or the information systems in which those products are located. Where this is genuinely necessary, the principles of explicit authorization, minimum sufficient use, least privilege, and security and trustworthiness shall be followed.

4.2 Security guidelines for the collection and processing of user-related information
...... with foreign laws.

4.3 Security guidelines for remotely controlling user products
When the supplier remotely controls a user's product:
a) Before the user purchases and uses the product, the user shall be clearly informed of the purpose and use of the remote control behavior;
b) Before the user purchases and uses the product, a method of prohibiting remote control shall be provided, and the user shall be informed of which product features are lost once remote control is prohibited;
c) The user's product may be remotely controlled only after the user's explicit consent, and prompt information shall be displayed while the user's product is being remotely controlled;
d) Remote control activities shall be used only for the purpose and use agreed by the user; the frequency of remote control activities and the range of product systems involved shall be strictly limited;
e) No hidden interface shall be set in the product, and no component that can disable or bypass security mechanisms shall be loaded;
f) There shall be no undeclared functional modules in the product;
g) Users shall be informed of any test or maintenance interfaces, and provided with a way to close them;
h) Necessary technical and management measures shall be taken to ensure the security of the remote control process; security features shall be accessible only through a specific account and within a limited time window;
i) All input and output data of remote control shall be recorded, and remote control activities shall be logged for later audit;
j) Detection and verification methods shall be provided for remote control of user products and for data interaction between products and the supplier. If encryption is used, information such as the encryption algorithm shall be provided during inspection and verification by a third-party organization, and the ports and protocols used shall be disclosed to the third-party organization.

4.4 Other behavioral security guidelines
The supplier: ......
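Clauses 4.3 c), d), h) and i) above describe a concrete control: remote control happens only under explicit, evidenced consent, only for the agreed purpose, only from a specific account inside a time window, with a frequency cap, and with every input and output logged for audit. The following is an added illustration of how such a gate can be enforced in code; it is not part of GB/T 32921-2016 and not any supplier's implementation. The class and field names, the HMAC key, the scenario (account "svc-maint", user "user-42", consent receipt "receipt-0001") and the device handler are all constructed. The hash-chained, HMAC'd log goes one step beyond the text, which only asks that activities be recorded: it makes later removal or alteration of an entry detectable, which is what "for later audit" needs in practice.

```python
"""Enforcement gate for supplier remote control of a user's product, modelled on
clauses 4.3 c), d), h) and i) of GB/T 32921-2016.  Added illustration only; the
names, the HMAC key and the scenario are constructed, not taken from the standard."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUDIT_KEY = b"constructed-demo-key"  # assumption: key held by the audit subsystem


@dataclass
class Consent:
    """3.4 explicit consent: purposes the user authorized, with evidence retained."""
    user_id: str
    purposes: frozenset
    evidence: str          # e.g. id of a signed consent receipt (constructed)
    revoked: bool = False


@dataclass
class AccessGrant:
    """4.3 h): usable only by one account inside a time window;
    4.3 d): hard cap on how many control actions the grant permits."""
    account: str
    not_before: datetime
    not_after: datetime
    max_actions: int
    used: int = 0


class RemoteControlGate:
    """Every control action goes through execute(); allowed and denied attempts
    both land in a hash-chained, HMAC'd audit log (4.3 i)."""

    def __init__(self, consent, grant, now=None):
        self.consent = consent
        self.grant = grant
        self.audit = []
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._prev = ""    # MAC of the previous entry; chains the log

    def _log(self, entry):
        entry["prev"] = self._prev
        raw = json.dumps(entry, sort_keys=True, default=str).encode()
        entry["mac"] = hmac.new(AUDIT_KEY, raw, hashlib.sha256).hexdigest()
        self._prev = entry["mac"]
        self.audit.append(entry)

    def execute(self, account, purpose, action, args, handler):
        """Run handler(args) on the product only if every clause holds.
        Returns (True, handler output) or (False, reason)."""
        now = self._now()
        reason = None
        if self.consent.revoked or purpose not in self.consent.purposes:
            reason = "no explicit consent for purpose"      # 4.3 c), d)
        elif account != self.grant.account:
            reason = "account not authorized"               # 4.3 h)
        elif not (self.grant.not_before <= now <= self.grant.not_after):
            reason = "outside time window"                  # 4.3 h)
        elif self.grant.used >= self.grant.max_actions:
            reason = "frequency limit exceeded"             # 4.3 d)
        entry = {"ts": now, "account": account, "purpose": purpose,
                 "action": action, "input": dict(args),     # 4.3 i): inputs
                 "evidence": self.consent.evidence}
        if reason is not None:
            entry["result"] = "DENIED: " + reason
            self._log(entry)
            return False, reason
        self.grant.used += 1
        output = handler(args)
        entry["output"] = output                            # 4.3 i): outputs
        entry["result"] = "OK"
        self._log(entry)
        return True, output

    def verify_audit(self):
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = ""
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "mac"}
            raw = json.dumps(body, sort_keys=True, default=str).encode()
            expect = hmac.new(AUDIT_KEY, raw, hashlib.sha256).hexdigest()
            if body["prev"] != prev or not hmac.compare_digest(e["mac"], expect):
                return False
            prev = e["mac"]
        return True


def demo():
    """Constructed scenario: a two-hour grant for account 'svc-maint' to perform
    at most two firmware updates on user-42's device, plus several abuse attempts."""
    t0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)
    clock = [t0 - timedelta(hours=1)]             # start before the window opens
    consent = Consent("user-42", frozenset({"firmware_update"}), "receipt-0001")
    grant = AccessGrant("svc-maint", t0, t0 + timedelta(hours=2), max_actions=2)
    gate = RemoteControlGate(consent, grant, now=lambda: clock[0])

    def apply_update(args):                       # stands in for the real device call
        return {"version": args["version"], "status": "installed"}

    r = [gate.execute("svc-maint", "firmware_update", "update", {"version": "1.2"}, apply_update)]
    clock[0] = t0 + timedelta(minutes=5)          # window now open
    r.append(gate.execute("svc-maint", "firmware_update", "update", {"version": "1.2"}, apply_update))
    r.append(gate.execute("svc-maint", "telemetry_push", "push", {"bytes": 4096}, apply_update))
    r.append(gate.execute("intern", "firmware_update", "update", {"version": "1.3"}, apply_update))
    r.append(gate.execute("svc-maint", "firmware_update", "update", {"version": "1.3"}, apply_update))
    r.append(gate.execute("svc-maint", "firmware_update", "update", {"version": "1.4"}, apply_update))
    return r, gate


if __name__ == "__main__":
    for ok, detail in demo()[0]:
        print("ALLOWED" if ok else "DENIED ", detail)
```

Denied attempts are logged with the same evidence reference as allowed ones, so an auditor can see attempts outside the window or for an unagreed purpose, not only successes; the frequency counter is incremented only for allowed actions, so a flood of rejected requests cannot exhaust a legitimate grant. The clock is injected so the time-window check can be exercised deterministically.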
 
Source: The above contents are excerpted from the PDF; translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.