
GB/T 37988-2019 PDF in English



GB/T 37988-2019
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Data security
capability maturity model
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 DSMM architecture
5.1 Maturity model architecture
5.2 Security capability dimensions
5.3 Capability maturity level dimension
5.4 Data security process dimension
6 Data collection security
6.1 PA01 Data classification and grading
6.2 PA02 Data collection security management
6.3 PA03 Data source authentication and recording
6.4 PA04 Data quality management
7 Data transmission security
7.1 PA05 Data transmission encryption
7.2 PA06 Network availability management
8 Data storage security
8.1 PA07 Storage media security
8.2 PA08 Logical storage security
8.3 PA09 Data backup and recovery
9 Data processing security
9.1 PA10 Data desensitization
9.2 PA11 Data analysis security
9.3 PA12 Proper use of data
9.4 PA13 Data processing environment security
9.5 PA14 Data import and export security
10 Data exchange security
10.1 PA15 Data sharing security
10.2 PA16 Data release security
10.3 PA17 Data interface security
11 Data destruction security
11.1 PA18 Data destruction and disposal
11.2 PA19 Storage media destruction and disposal
12 Generic security
12.1 PA20 Data security policy planning
12.2 PA21 Organization and personnel management
12.3 PA22 Compliance management
12.4 PA23 Data asset management
12.5 PA24 Data supply chain security
12.6 PA25 Metadata management
12.7 PA26 Terminal data security
12.8 PA27 Monitoring and audit
12.9 PA28 Authentication and access control
12.10 PA29 Requirement analysis
12.11 PA30 Security incident response
Appendix A (Informative) Description of capability maturity levels and GPs
A.1 Overview
A.2 Capability maturity level 1 - Informal execution
A.3 Capability maturity level 2 - Plan tracking
A.4 Capability maturity level 3 - Fully defined
A.5 Capability maturity level 4 - Quantitative control
A.6 Capability maturity level 5 - Continuous improvement
Appendix B (Informative) Reference method for evaluating the capability maturity level
Appendix C (Informative) Assessment process for the capability maturity level and how to use the model
C.1 Assessment process for the capability maturity level
C.2 How to use the capability maturity model
References
Information security technology - Data security
capability maturity model
1 Scope
This standard gives the architecture of the maturity model for an organization's
data security capabilities and specifies the maturity level requirements for data
collection security, data transmission security, data storage security, data
processing security, data exchange security, data destruction security and
generic security.
This standard applies to the assessment of an organization's data security
capabilities. It can also serve as the basis on which an organization builds its
data security capabilities.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the
latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information
security management systems - Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T
25069-2010 and GB/T 29246-2017 and the following apply.
3.1
Data security
The state in which data is effectively protected and used in compliance, ensured
through management and technical measures.
3.2
Confidentiality
3.8
Security process
A complete process used to achieve a particular security goal. A process has
inputs and outputs.
Example: In the security process "security audit", the input is the system log and
the output is the audit report.
3.9
Process area
A collection of related data security base practices that together achieve the
same security goal.
Note: A process area contains one or more base practices.
Example: The process area "metadata management" includes base practices such as
establishing metadata management specifications, establishing metadata access
control policies and building metadata technical tools.
3.10
Base practice
A data security related activity used to achieve a particular security goal.
Example: Establishing a data asset inventory, carrying out classified and graded
management of data assets, etc.
3.11
Generic practice
Evaluation criteria used during an assessment to determine the implementation
capability of any security process area or base practice.
3.12
Data desensitization
A data protection method in which raw data is processed by a series of data
processing methods so that sensitive data is shielded.
3.13
From the perspective of how the organization builds and implements its data
security system, capability levels are differentiated according to:
a) how clearly the authorization and approval processes at the key control nodes
of the data life cycle are defined;
b) how standardized the formulation, release and revision of the related process
systems are;
c) how consistently and effectively the system procedures are implemented.
5.2.4 Technical tools
From the perspective of the security technologies, application systems and tools
the organization uses to carry out data security work, capability levels are
differentiated according to:
a) the use of data security technology across the whole data life cycle, and the
capability to handle the security risks of the whole data life cycle;
b) the capability to use technical tools to support data security work
automatically, and to embed the data security system and procedures in those
tools so that they are enforced consistently.
5.2.5 Personnel capability
From the perspective of the capability of the personnel responsible for data
security in the organization, capability levels are differentiated according to:
a) whether the data security skills of the data security personnel meet the
capability requirements for achieving the security goals (their understanding of
the data-related business and their professional data security capability);
b) the data security awareness of the data security personnel, and the data
security capability training given to employees in key data security positions.
5.3 Capability maturity level dimension
The organization's data security capability maturity is divided into 5 levels, as
shown in Table 1.
The data life cycle security process areas are grouped into the following 6
stages:
a) Data collection security (PA01 to PA04), 4 PAs: data classification and
grading, data collection security management, data source authentication and
recording, data quality management;
b) Data transmission security (PA05 to PA06), 2 PAs: data transmission
encryption, network availability management;
c) Data storage security (PA07 to PA09), 3 PAs: storage media security, logical
storage security, data backup and recovery;
d) Data processing security (PA10 to PA14), 5 PAs: data desensitization, data
analysis security, proper use of data, data processing environment security,
data import and export security;
e) Data exchange security (PA15 to PA17), 3 PAs: data sharing security, data
release security, data interface security;
f) Data destruction security (PA18 to PA19), 2 PAs: data destruction and
disposal, storage media destruction and disposal.
The generic security process areas (PA20 to PA30) are 11 PAs: data security
policy planning, organization and personnel management, compliance management,
data asset management, data supply chain security, metadata management,
terminal data security, monitoring and audit, authentication and access control,
requirement analysis, security incident response.
5.4.2.2 Coding rules
The data security PAs are coded as follows:
a) Each PA has a number, assigned in increasing order 01, 02, ...
Example 1: PA01 is the PA "Data classification and grading".
b) Each PA consists of a number of BPs. A BP is numbered BP.XX.XX, where the
first group of digits is the number of the PA it belongs to and the second group
is the sequence number of the BP within that PA, assigned in increasing order 01,
02, ...
Example 2: BP.01.01 is the first BP in the process area PA01 "Data classification
and grading".
c) For each level of each PA, the requirements of that level and of all BPs at the
lower levels must be met at the same time, to achieve the
1) The principles, methods and operating guidelines for data classification
and grading shall be clearly defined (BP.01.05);
2) The organization's data shall be identified and managed by classification
and grade (BP.01.06);
3) Corresponding security control measures, such as access control, data
encryption and decryption and data desensitization, shall be established for
data of different types and levels (BP.01.07);
4) The approval process and mechanism for changes to data classification and
grading shall be defined, so that change operations and their results meet the
organization's requirements (BP.01.08).
c) Technical tools: Data classification and grading labelling tools or data asset
management tools shall be established, to automatically identify the class and
grade of data, publish the results and support their review (BP.01.09).
d) Personnel capability: The person in charge of this work shall understand the
compliance requirements for data classification and grading and be able to
identify which data is sensitive (BP.01.10).
6.1.2.4 Level 4: Quantitative control
The data security capability requirements for this level are as follows:
Technical tools:
a) The differences between the automatic classification and grading results and
the results after manual review shall be recorded; the classification and grading
tools shall be analyzed and improved regularly to raise their accuracy
(BP.01.11);
b) Operations on and changes to data classification and grading shall be recorded
and analyzed, and change operations shall be audited regularly by technical means
such as log analysis, so that data classification and grading are traceable
(BP.01.12).
6.1.2.5 Level 5: Continuous improvement
The data security capability requirements for this level are as follows:
a) System process: The specifications and rules for data classification and
grading shall be reviewed regularly, considering whether their content fully
covers the current business; meanwhile it shall implement
2) For the core business, the purpose, method and scope of personal
information collection shall be stated clearly, and the consent of the data
subject shall be obtained (BP.02.04).
6.2.2.3 Level 3: Fully defined
The data security capability requirements for this level are as follows:
a) Organization construction: The organization shall set up data collection
security management positions and personnel, responsible for formulating the
relevant data collection security management systems, promoting the
implementation of the relevant requirements and processes, and providing
consultation and support for the risk assessment of specific businesses or
projects (BP.02.05).
b) System process:
1) The organization's data collection principles shall be defined, as shall
the business data collection processes and methods (BP.02.06);
2) The channels for data collection and the external data sources shall be
defined, and the legality of external data sources confirmed (BP.02.07);
3) The scope, quantity and frequency of data collection shall be defined, to
ensure that personal information and important data not related to the
provision of the service are not collected (BP.02.08);
4) The risk assessment process for data collection shall be defined, and the
source, frequency, channel, method, scope and type of collected data shall be
risk-assessed (BP.02.09);
5) The persons who may know of personal information and important data during
collection, and the control measures to be taken, shall be defined, to ensure
that personal information and important data are not leaked during collection
(BP.02.10);
6) The scope of automatic data collection shall be defined (BP.02.11).
c) Technical tools:
1) Data collection tools shall be built according to a unified data collection
process, to keep the organization's data collection consistent. The relevant
systems shall also log in detail, so that the data collection authorization
process is recorded completely (BP.02.12);
6.3 PA03 Data source authentication and recording
6.3.1 PA description
Authenticate and record the identity of the data source that generates the data,
to prevent data counterfeiting and forgery.
6.3.2 Level description
6.3.2.1 Level 1: Informal execution
The data security capabilities at this level are as follows:
Organization construction: No business manages its collected data sources
effectively; collected data sources are only recorded ad hoc, based on temporary
needs or personal experience (BP.03.01).
6.3.2.2 Level 2: Plan tracking
The data security capability requirements for this level are as follows:
a) Organization construction: The relevant personnel of the business team shall
be responsible for data source authentication and recording (BP.03.02);
b) System process: For online data collection by the core business system and
for collection from external third parties, a mechanism shall be established to
authenticate and record the data source (BP.03.03);
c) Technical tools: The core business shall have technical tools that support
the authentication and recording of data sources (BP.03.04).
6.3.2.3 Level 3: Fully defined
The data security capability requirements for this level are as follows:
a) Organization construction: The relevant personnel of the business team shall
be responsible for authenticating and recording data sources (BP.03.05).
b) System process: A data source management system shall be defined, to
authenticate and record the data sources collected by the organization
(BP.03.06).
c) Technical tools:
1) In step with updates to the system and processes, the tool's capability
for data identification, recording and tracing shall be continuously improved
(BP.03.14);
2) The organization shall take part in formulating international, national or
industry standards, share best practices with the industry and become an
industry benchmark (BP.03.15).
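Worked example (added here; not from the standard): one way to implement the mechanism BP.03.03 and BP.03.06 call for, authenticating each data source and recording its identity, in Go. Each registered source holds a shared secret and tags every submission with an HMAC-SHA256 over its identity, timestamp, sequence number and payload. The collector verifies the tag before anything else, rejects replays and stale submissions, and only then writes a provenance record. The source names, key, payload and clock values are constructed for the example; a deployment would keep the keys in a secrets store and might use per-source certificates instead of shared secrets.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Submission is one record delivered by a data source: who sent it, when, a
// per-source sequence number, the payload and a tag over all of those fields.
type Submission struct {
	SourceID string
	Unix     int64
	Seq      uint64
	Payload  string
	Tag      string // hex-encoded HMAC-SHA256
}

// Provenance is what the collector records for each accepted submission: the
// authenticated source identity, when it was sent and a digest of the payload,
// so the origin of stored data can be traced later (BP.03.03, BP.03.06).
type Provenance struct {
	SourceID   string
	Unix       int64
	Seq        uint64
	PayloadSHA string
}

// Collector keeps the registered sources' keys, replay state and the log.
// The keys live in memory here only for the example.
type Collector struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
	skew    time.Duration // accepted clock difference between source and collector
	Log     []Provenance
}

func NewCollector(skew time.Duration) *Collector {
	return &Collector{keys: map[string][]byte{}, lastSeq: map[string]uint64{}, skew: skew}
}

// Register installs a per-source key; unregistered sources are refused.
func (c *Collector) Register(sourceID string, key []byte) { c.keys[sourceID] = key }

// canonical is the byte string both sides authenticate. Every field is
// length-prefixed, so moving bytes between fields cannot yield the same input.
func canonical(sourceID string, unix int64, seq uint64, payload string) []byte {
	var b strings.Builder
	for _, f := range []string{sourceID, strconv.FormatInt(unix, 10), strconv.FormatUint(seq, 10), payload} {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return []byte(b.String())
}

func tag(key []byte, s Submission) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(s.SourceID, s.Unix, s.Seq, s.Payload))
	return mac.Sum(nil)
}

// Sign is the data source side: build a submission and attach its tag.
func Sign(key []byte, sourceID string, unix int64, seq uint64, payload string) Submission {
	s := Submission{SourceID: sourceID, Unix: unix, Seq: seq, Payload: payload}
	s.Tag = hex.EncodeToString(tag(key, s))
	return s
}

var (
	ErrUnknownSource = errors.New("unknown data source")
	ErrBadTag        = errors.New("authentication tag mismatch")
	ErrStale         = errors.New("timestamp outside accepted window")
	ErrReplay        = errors.New("sequence number not increasing (replay)")
)

// Accept is the collector side. The tag is checked first, so forged or
// tampered submissions cannot influence replay state; only a fully accepted
// submission is recorded. now is passed in to keep the check deterministic.
func (c *Collector) Accept(s Submission, now time.Time) error {
	key, ok := c.keys[s.SourceID]
	if !ok {
		return ErrUnknownSource
	}
	got, err := hex.DecodeString(s.Tag)
	if err != nil || !hmac.Equal(got, tag(key, s)) {
		return ErrBadTag // a forged source, a wrong key and any altered field all end here
	}
	if d := now.Sub(time.Unix(s.Unix, 0)); d > c.skew || d < -c.skew {
		return ErrStale
	}
	if s.Seq <= c.lastSeq[s.SourceID] {
		return ErrReplay
	}
	c.lastSeq[s.SourceID] = s.Seq
	sum := sha256.Sum256([]byte(s.Payload))
	c.Log = append(c.Log, Provenance{SourceID: s.SourceID, Unix: s.Unix, Seq: s.Seq, PayloadSHA: hex.EncodeToString(sum[:])})
	return nil
}

func main() {
	c := NewCollector(5 * time.Minute)
	key := []byte("constructed-secret-for-sensor-07") // constructed sample key
	c.Register("sensor-07", key)
	now := time.Unix(1700000000, 0)
	good := Sign(key, "sensor-07", now.Unix(), 1, `{"temp":21.5}`)
	fmt.Println("genuine:", c.Accept(good, now))
	fmt.Println("replayed:", c.Accept(good, now))
	forged := Sign([]byte("attacker-guess"), "sensor-07", now.Unix(), 2, `{"temp":99}`)
	fmt.Println("forged:", c.Accept(forged, now))
	fmt.Printf("provenance log: %+v\n", c.Log)
}
```

The order of checks matters: verifying the tag before touching lastSeq means an attacker who cannot produce a valid tag also cannot advance a genuine source's counter and lock it out.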
6.4 PA04 Data quality management
6.4.1 PA description
Establish an organizational data quality management system, to ensure the
accuracy, consistency and completeness of the data collected or generated in the
data collection process.
6.4.2 Level description
6.4.2.1 Level 1: Informal execution
The data security capabilities at this level are as follows:
Organization construction: No business has established mature and stable data
quality management or monitoring; data quality is considered only ad hoc, based
on temporary needs or personal experience (BP.04.01).
6.4.2.2 Level 2: Plan tracking
The data security capability requirements for this level are as follows:
a) Organization construction: Data quality management shall be carried out by
the relevant personnel of the business team, according to business requirements
(BP.04.02).
b) System process: Data quality management or monitoring shall be a mandatory
step in the core business (BP.04.03).
6.4.2.3 Level 3: Fully defined
The data security capability requirements for this level are as follows:
a) Organization construction: The organization shall set up data quality
management positions and personnel, responsible for formulating unified data
quality management requirements, and shall designate the departments or
personnel responsible for managing and monitoring data quality (BP.04.04).
personnel of the various business teams, so that data quality management can
be improved continuously and promptly (BP.04.12).
b) Technical tools:
1) Technical indicators of data quality shall be established, and the level of
data quality management evaluated through the relevant management system
(BP.04.13);
2) The organization shall take part in formulating international, national or
industry standards, share best practices with the industry and become an
industry benchmark (BP.04.14).
7 Data transmission security
7.1 PA05 Data transmission encryption
7.1.1 PA description
According to the organization's internal and external data transmission
requirements, adopt appropriate encryption protection measures to secure the
transmission channels, transmission nodes and transmitted data, and prevent data
leakage during transmission.
7.1.2 Level description
7.1.2.1 Level 1: Informal execution
The data security capabilities at this level are as follows:
Organization construction: No business has established mature and stable data
transmission security and key management mechanisms; only temporary encryption
protection measures are applied to transmission channels, nodes or data, based on
individual business needs and compliance requirements (BP.05.01).
7.1.2.2 Level 2: Plan tracking
The data security capability requirements for this level are as follows:
a) Organization construction: The relevant personnel of the business team shall
be responsible for encrypting the transmission channel (BP.05.02).
b) System process: According to compliance requirements and business
performance requirements, the core business shall define the data
recommended by the competent authority; choose the appropriate data transmission
security management method according to the specific business (BP.05.11);
2) The person in charge of this work shall be familiar with data encryption
algorithms and be able to select the appropriate encryption technology for the
specific business (BP.05.12).
7.1.2.4 Level 4: Quantitative control
The data security capability requirements for this level are as follows:
a) System process: Based on the data classification and grading, the encrypted
transmission requirements for data of different types and levels shall be
defined, including requirements for encryption algorithms and key management
(BP.05.13).
b) Technical tools:
1) Each node on the transmission link shall be deployed with its own key pair
and digital certificate, so that every node's identity is authenticated
effectively (BP.05.14);
2) The implementation effect and cost of sensitive data encryption and
transmission channel encryption shall be quantified comprehensively, and the
data encryption implementation plan reviewed and adjusted regularly (BP.05.15);
3) The organization shall provide a unified data encryption module for
developers of transmission functions to call, which encrypts data according to
its type and level, so that data encryption is implemented uniformly within the
organization (BP.05.16).
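Worked example (added here; not from the standard): BP.05.14 realized with mutual TLS in Go. Each node gets its own key pair and certificate from an organizational CA; a node acting as server requires and verifies the client certificate, and its reply names the client identity it actually verified. A node whose certificate chains to a different CA ("node-x" below) is refused. The node names, the CA and the loopback exchange are constructed for the example; in production the CA key would not live in the same process as the nodes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// issue generates a P-256 key pair and an X.509 certificate for name. With a
// nil parent the result is a self-signed CA; otherwise parent signs it.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Node is one transmission node: its own key pair and certificate (BP.05.14)
// and the CA whose certificates it accepts from peers.
type Node struct {
	Name  string
	cert  tls.Certificate
	trust *x509.CertPool
}

// NewNode issues name's certificate from issuer and makes the node trust
// trusted. The two differ only for the rogue node in the example.
func NewNode(name string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, trusted *x509.Certificate) (Node, error) {
	cert, key, err := issue(name, issuer, issuerKey)
	if err != nil {
		return Node{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return Node{Name: name, cert: tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, trust: pool}, nil
}

// Exchange connects client to server over a mutually authenticated TLS 1.3
// session on the loopback interface, sends msg and returns the reply, which
// names the client identity the server verified. A client whose certificate
// does not chain to the server's CA is rejected by the server during the
// handshake, which the client sees as an error on its first read.
func Exchange(server, client Node, msg string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{server.cert},
		ClientCAs:    server.trust,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // client certificate rejected; the alert has already been sent
		}
		peer := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		buf := make([]byte, 4096)
		n, err := tc.Read(buf)
		if err != nil {
			return
		}
		fmt.Fprintf(tc, "%s accepted %s from %s", server.Name, buf[:n], peer)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{client.cert},
		RootCAs:      client.trust,
		ServerName:   server.Name,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := fmt.Fprint(conn, msg); err != nil {
		return "", err
	}
	reply, err := io.ReadAll(conn) // the server closes after replying
	return string(reply), err
}
```

Note that the identity the server records is taken from the verified certificate, not from anything the client wrote on the channel; that is the difference between "the link is encrypted" and "the node is authenticated".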
7.1.2.5 Level 5: Continuous improvement
The data security capability requirements for this level are as follows:
Technical tools:
a) The organization shall follow technical developments in the encryption
protection of transmission channels, evaluate the impact of new technologies on
its security solutions and introduce them where appropriate, to address the
latest security risks (BP.05.17);
b) The organization shall take part in formulating international, national or
industry standards, share best practices with the industry and become an
1) Redundancy shall be built for key network transmission links and network
equipment nodes (BP.06.06);
2) Equipment shall be deployed to counter risks to network availability and
data leakage, such as load balancing, intrusion prevention, and data leakage
detection and prevention equipment (BP.06.07).
d) Personnel capability: The person in charge of this work shall have network
security management capability, understand the availability requirements of
network security and be able to formulate effective availability protection
programs according to the network performance requirements of different
businesses (BP.06.08).
7.2.2.4 Level 4: Quantitative control
The data security capability requirements for this level are as follows:
Technical tools: The current status of network availability and data leakage
prevention services shall be analyzed quantitatively through relevant indicators,
and problems solved in a targeted way to improve network availability (BP.06.09).
7.2.2.5 Level 5: Continuous improvement
The data security capability requirements for this level are as follows:
Technical tools:
a) Health status checks and automatic failover of network security equipment
shall be implemented (BP.06.10);
b) The organization shall take part in formulating international, national or
industry standards, share best practices with the industry and become an
industry benchmark (BP.06.11).
8 Data storage security
8.1 PA07 Storage media security
8.1.1 PA description
For scenarios in which data storage media need to be accessed and used within
the organization, provide effective technical and management methods to prevent
the data leakage risk that improper use of the media may cause. Storage media
include terminal equipment and network storage.
4) Regular and random inspections of storage media shall be carried out, to
ensure that storage media are used in accordance with the organization's rules
on their use (BP.07.09).
c) Technical tools:
1) The organization shall use technical tools to monitor the condition of
storage media, including usage history, performance indicators, and errors or
damage, and give early warning for media that exceed the security threshold
(BP.07.10);
2) Access to and use of storage media shall be recorded and audited
(BP.07.11).
d) Personnel capability: The person in charge of this work shall be familiar with
the compliance requirements for storage media security management and with the
differences in access to and use of different storage media (BP.07.12).
8.1.2.4 Level 4: Quantitative control
The data security capability requirements for this level are as follows:
Technical tools: A storage media management system shall be established, so that
the use and hand-over of storage media are tracked closely (BP.07.13).
8.1.2.5 Level 5: Continuous improvement
The data security capability requirements for this level are as follows:
Technical tools:
a) The storage media management system and sanitization tools shall be updated
and improved continuously, to ensure the secure use of storage media
(BP.07.14);
b) The organization shall take part in formulating international, national or
industry standards, share best practices with the industry and become an
industry benchmark (BP.07.15).
8.2 PA08 Logical storage security
8.2.1 PA description
Based on the organization's internal business characteristics and data storage
security requirements, establish effective security controls for data logical
(BP.08.06);
2) Internal data storage systems shall follow the unified configuration
requirements and be securely configured before going online; external data
storage systems in use shall likewise have an effective security configuration
(BP.08.07);
3) The authorization and operation requirements for logical isolation of data
storage shall be defined, to ensure the secure isolation of data stored by
multiple users (BP.08.08).
c) Technical tools:
1) A configuration scanning tool for data storage systems shall be provided, to
scan the security configuration of the main data storage systems regularly and
ensure compliance with the security baseline (BP.08.09);
2) Technical tools shall be used to monitor how the logical storage system is
used, to ensure that data storage meets the organization's security requirements
(BP.08.10);
3) Personal information, important data and other sensitive data shall be
capable of being stored encrypted (BP.08.11).
d) Personnel capability: The person in charge of this work shall be familiar with
the architecture of the data storage systems and able to analyze the security
risks data storage faces, so as to protect the various storage systems
effectively (BP.08.12).
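Worked example (added here; not from the standard): a minimal configuration scanner of the kind BP.08.09 asks for, in Go. It parses key = value settings such as those in postgresql.conf and checks them against a baseline, reporting unset parameters as findings too, since a vendor default is not evidence of a hardened system. The parameter names are real PostgreSQL settings; the required values and the two sample configurations are this example's assumed baseline, not values prescribed by the standard.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one deviation from the baseline: which setting, what was found
// and what the baseline demands.
type Finding struct {
	Key, Found, Expected string
}

// Rule checks one setting's value; Expected is the human-readable requirement.
type Rule struct {
	Key      string
	Expected string
	OK       func(value string) bool
}

// ParseConf reads `key = value` lines of the kind used by postgresql.conf and
// similar server configs: '#' starts a comment, quotes around values are
// stripped, and a later duplicate wins, as the server would apply it.
func ParseConf(text string) map[string]string {
	cfg := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		cfg[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `'"`)
	}
	return cfg
}

// Scan evaluates every rule against the parsed configuration. A setting that
// is absent is reported with Found "<unset>".
func Scan(cfg map[string]string, rules []Rule) []Finding {
	var out []Finding
	for _, r := range rules {
		v, present := cfg[r.Key]
		if !present {
			out = append(out, Finding{Key: r.Key, Found: "<unset>", Expected: r.Expected})
		} else if !r.OK(v) {
			out = append(out, Finding{Key: r.Key, Found: v, Expected: r.Expected})
		}
	}
	return out
}

// equals returns a check for an exact, case-insensitive value.
func equals(want string) func(string) bool {
	return func(v string) bool { return strings.EqualFold(v, want) }
}

// Baseline is an ASSUMED organizational baseline for a PostgreSQL-style store.
// The keys are real PostgreSQL parameters; the values are this example's choice.
var Baseline = []Rule{
	{"ssl", "on", equals("on")},
	{"ssl_min_protocol_version", "TLSv1.2 or TLSv1.3", func(v string) bool { return v == "TLSv1.2" || v == "TLSv1.3" }},
	{"password_encryption", "scram-sha-256", equals("scram-sha-256")},
	{"listen_addresses", "a specific address, not '*'", func(v string) bool { return v != "*" && v != "0.0.0.0" }},
	{"log_connections", "on", equals("on")},
	{"log_disconnections", "on", equals("on")},
}

// WeakConf and HardenedConf are constructed samples: the weak one keeps the
// kind of defaults a store ships with, the hardened one meets Baseline.
const WeakConf = `
listen_addresses = '*'          # reachable from every interface
ssl = off
password_encryption = md5       # legacy password hash
log_connections = off
`

const HardenedConf = `
listen_addresses = '10.20.0.5'
ssl = on
ssl_min_protocol_version = 'TLSv1.3'
password_encryption = 'scram-sha-256'
log_connections = on
log_disconnections = on
`

func main() {
	for _, f := range Scan(ParseConf(WeakConf), Baseline) {
		fmt.Printf("%-26s found %-14q expected %s\n", f.Key, f.Found, f.Expected)
	}
}
```

Run against WeakConf the scanner reports six findings (two of them for parameters that are simply unset); against HardenedConf it reports none. Extending Baseline is the routine work; the parser and the "unset is a finding" rule are what make such a tool trustworthy as evidence for BP.08.09.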
8.2.2.4 Level 4: Quantitative control
The data security capability requirements for this level are as follows:
a) System process:
1) Hierarchical authorization management rules and authorization operation
requirements for logical storage shall be defined, and the data logical storage
structure shall be protected by level and by hierarchy (BP.08.13);
2) Security rules for sharded and distributed storage of data shall be defined,
such as data storage integrity rules, multi-copy consistency management rules
and storage migration security rules, to meet the integrity, consistency and
confidentiality requirements of sharded data in distributed storage (BP.08.14);
......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.