PDF GB/T 40685-2021 English
Search result: GB/T 40685-2021
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
| GB/T 40685-2021 | English | 230 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Information technology service - Data asset - Management requirements
| Valid |
PDF Preview: GB/T 40685-2021
GB/T 40685-2021: PDF in English (GBT 40685-2021) GB/T 40685-2021
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.080
CCS L 77
Information technology service - Data asset - Management
requirements
ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 01, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions... 5
4 General management rules ... 7
4.1 Management principle ... 7
4.2 Management framework ... 7
5 Management object ... 9
5.1 Overview ... 9
5.2 Data asset characteristics ... 9
5.3 Data asset information elements ... 9
6 Management process ... 10
6.1 Overview ... 10
6.2 Data asset catalog management ... 10
6.3 Data asset identification ... 10
6.4 Data asset registration ... 11
6.5 Data asset application ... 11
6.6 Data asset inventory ... 12
6.7 Data asset change ... 12
6.8 Data asset disposal ... 13
6.9 Data asset assessment ... 13
6.10 Data asset audit ... 14
6.11 Data asset security management ... 14
7 Management assurance ... 15
7.1 Overview ... 15
7.2 Organizational guarantee ... 15
7.3 Institutional guarantee ... 16
7.4 Technical support ... 16
Annex A (informative) Reference method for data asset value assessment ... 17
A.1 Market method ... 17
A.2 Income method ... 17
A.3 Cost method ... 19
A.4 Comprehensive assessment method ... 19
Bibliography... 21
Information technology service - Data asset - Management
requirements
1 Scope
This Standard specifies data asset management general principles, management objects,
management processes and management assurance requirements.
This Standard is applicable to the application and management of data assets of
organizations, and users including organizations that need to carry out data asset
management and provide data asset management services.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
GB/T 25000.12-2017, Systems and software engineering-Systems and software
Quality Requirements and Evaluation (SQuaRE) - Part 12: Data quality model
GB/T 25000.24-2017, Systems and software engineering - Systems and software
Quality Requirements and Evaluation (SQuaRE) - Part 24: Measurement of data
quality
GB/T 33770.2-2019, Information technology service – Outsourcing - Part 2: Data
protection requirements
GB/T 35273-2020, Information security technology - Personal information security
specification
GB/T 37973-2019, Information security technology - Big data security management
guide
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 data asset
legally owned or controlled data resources that can be measured and bring economic
and social value to the organization
[Source: GB/T 34960.5-2018, 3.3, modified]
3.2 management objective
the objective set for data asset management activities within a certain period of time,
based on organizational strategy
3.3 management domain
the collection of management objects, management processes and management
guarantees in the process of data asset management
NOTE: Intra-domain behavior is subject to a system-administered policy.
3.4 data asset catalog
a set of information that describes the characteristics of a data asset by means of
classification, grading, and coding
3.5 data asset identification
the activity to identify and register data assets from existing data sources according to
management objectives
3.6 data asset registration
the activity of registering and confirming the ownership of data assets in an organization
through technical means, so that it has attributes such as time, identity and content
3.7 data asset application
the activity to meet business scenarios and organizational development needs, and
promote the appreciation of data assets through sharing, circulation, use, and so on
3.8 data asset change
the activity to ensure consistency of data assets with catalog information through a
change control process
3.9 data asset assessment
the activity to quantitatively and qualitatively evaluate the status, quality, and value of
data assets within an organization
3.10 data asset audit
the activity to review and monitor the authenticity, consistency, correctness, legality,
5 Management object
5.1 Overview
The object of data asset management is the data asset itself. Identify data assets based
on characteristics in the management process. Describe and manage through the
information elements of data assets.
5.2 Data asset characteristics
The characteristics of data assets are as follows:
a) Value can be increased: The value of data assets is easy to change. It can be
increased with the application scenarios, the number of users and the frequency
of use. Its economic value and social value will continue to grow;
b) Can be shared: Under the premise of controllable permissions, data assets can be
copied and shared and applied by multiple entities inside and outside the
organization;
c) Can be controlled: To meet the requirements of risk controllability and operational
compliance, data assets need to have controllable permissions and traceable
behavior;
d) Can be quantified: The quality, cost and value of data assets are measurable and
assessable.
5.3 Data asset information elements
The elements of data asset information shall mainly include:
a) Basic attributes, including data source, type, structure, scale, update cycle,
standard and quality;
b) Business elements, including business descriptions, business indicators, business
rules and associations;
c) Management elements, including data ownership, classification and grading,
security information, data traceability, responsibilities, authority, and application;
d) Value elements, including market information, field information, geographical
information, application value and financial attributes.
6 Management process
6.1 Overview
The management process defines a series of activities for an organization to implement
data asset management. The data asset catalog is used to record and manage the
information elements of data assets. The identification, confirmation, application,
inventory, change and disposal of data assets are the core management activities.
Realize the life cycle management of data assets, as well as preserve and increase value.
Assessment, auditing and security management of data assets provide support for value
discovery, operational compliance and risk control of data assets.
6.2 Data asset catalog management
6.2.1 Purpose
Record all identified data asset information in the organization through the data asset
catalog. Support the whole process management of data asset identification, application,
change, inventory and disposal.
6.2.2 Requirements
The specific requirements that data asset catalog management shall meet are as follows:
a) Create a data asset catalog. Record data asset information elements;
b) Establish control mechanisms such as permissions, versions and releases for data
asset catalog management;
c) Categorize data assets. Dimensions include but are not limited to subject, subject
and business;
d) Combining with the implementation of other management processes of data assets,
ensure the timely and effective data asset catalog information.
6.3 Data asset identification
6.3.1 Purpose
The organization shall be based on management objectives. Sort out existing data
resources. Identify data assets and their information elements based on business
applications and market requirements. Register data asset information to ensure it is
accurate and valid.
6.3.2 Requirements
b) Establish mechanisms for data asset service guarantee, benefit evaluation, and
effect evaluation;
c) Ensure that the application process of data assets is safe, controllable, legal and
compliant;
d) Completely record the behavior of data asset application to ensure traceability and
auditability.
6.6 Data asset inventory
6.6.1 Purpose
Check the status of data assets through data asset inventory activities. Discover the
inconsistency between the data asset catalog and data assets. Update data asset catalog
information to ensure the consistency and integrity of data asset information.
6.6.2 Requirements
The specific requirements that data asset inventory shall meet are as follows:
a) Prepare data asset inventory plan. Clarify the scope, requirements, procedures and
timing of the inventory;
b) Arrange a special person to be responsible for the inventory of data assets. Define
the rights and responsibilities of the inventory personnel;
c) According to the data asset inventory plan, the inventory personnel check the
consistency and accuracy of the data asset catalog and data assets. Record the
inventory results;
d) Analyze and deal with problems found in the inventory in a timely manner.
6.7 Data asset change
6.7.1 Purpose
When data asset management activities or business requirements trigger data asset
changes, the change activities shall be implemented in an orderly manner through a
change management process. Update the data asset catalog in a timely manner to ensure
that the data asset catalog information is consistent with the actual situation.
6.7.2 Requirements
The specific requirements that data asset changes shall meet are as follows:
a) Establish a data asset change mechanism. Clarify the triggering conditions for
data asset changes. Effectively manage the change process;
b) Review the submitted changes to data assets, including completeness of
information, business necessity, compliance with requirements, scope of impact,
and ownership;
c) Analyze the impact of changes to data assets. Post a change impact notice;
d) Implement changes based on data asset change review results. Update data asset
catalog;
e) Document the change process. Establish a mechanism for continuous tracking,
review and improvement of data asset changes.
6.8 Data asset disposal
6.8.1 Purpose
On the premise of complying with relevant laws, regulations and standards, optimize
the allocation of data assets through the destruction and transfer of data assets. Reduce
operation and management costs. Excavate the remaining use value.
6.8.2 Requirements
The specific requirements that shall be met for the disposal of data assets are as follows:
a) Establish a data asset disposal mechanism. Effectively control the disposal process
and risks;
b) Develop a disposal plan based on disposal needs. Prepare a disposal plan;
c) Carry out risk assessment and impact analysis of the disposal plan, and review
them;
d) According to the approved disposal plan, implement disposal and record. Set a
retention period for data assets that need to be destroyed.
6.9 Data asset assessment
6.9.1 Purpose
Sort out the status quo of data assets by carrying out data asset assessment activities.
Assess the quality and value of data assets. Promote the quality improvement and value
realization of data assets.
6.9.2 Requirements
Establish a data asset security management mechanism that combines management and
technical means and is oriented to the data life cycle. Develop data asset security
management process. Clarify the management requirements of organizational
personnel to ensure that data assets are safe and controllable.
6.11.2 Requirements
The specific requirements for data asset security management are as follows:
a) It shall be classified and graded according to the sensitivity and importance of
data assets, which shall comply with the provisions of GB/T 37973-2019;
b) Establish a safety management team. Establish a safety management mechanism.
Carry out supervision and inspection. Ensure segregation of duties;
c) Mechanisms for collection, transmission, storage, processing, exchange,
destruction, and backup and recovery shall be established. See GB/T 37988-2019;
d) Sensitive data shall be protected by means of data desensitization. That involves
personal information security shall comply with the provisions of GB/T 35273-
2020;
e) It is advisable to mark and trace the data assets through technical means, so as to
realize the controllable risk of the life cycle.
7 Management assurance
7.1 Overview
Management guarantee specifies the resource condition guarantee for data asset
management activities, including organization, system and technology.
7.2 Organizational guarantee
The specific requirements for organizational security are as follows:
a) A data asset management leadership group shall be established. Designate senior
managers as team leaders;
b) A data asset management oversight group shall be established to carry out regular
inspections and assessments;
c) A data asset management team shall be formed. Clarify job responsibilities.
Identify the person responsible for data asset management;
d) It is advisable to select a qualified third-party organization to carry out data asset
assessment and audit;
e) It is advisable to conduct regular training for stakeholders in data asset
management. The training content includes laws and regulations, management
systems and job skills.
7.3 Institutional guarantee
The specific requirements that institutional guarantees shall meet are as follows:
a) Develop a management system for data assets and make continuous improvements;
b) Clarify the management requirements, standard procedures and operating
specifications of each process;
c) Establish a work appraisal mechanism and incorporate it into the performance
appraisal of relevant departments;
d) Clarify the scope, content, form and management procedures of deliverables;
e) Establish a funding guarantee mechanism. The budget is included in the overall
budget plan of the organization.
7.4 Technical support
The specific requirements for technical support are as follows:
a) Data asset catalog management shall be supported. Realize the query and
traceability of data assets;
b) It shall support data asset sensitivity analysis and sensitive information processing;
c) Data asset value assessment and quality assessment shall be supported;
d) Management of deliverables in the data asset management process shall be
supported.
P2 - The social value of data assets calculated based on the income method, in yuan;
R2t - The expected social benefit of the data asset to be assessed in year t, in yuan. It
can be weighted by data sharing value, government governance value, data industry
value and data environment value. Data sharing value is such as data access, browsing,
downloading, and so on. Government governance values are such as government
governance efficiency, transparency and other values. The value of the data industry is
such as the value of employment, taxation, and upgrading of the industry. The value of
data environment is such as the value of data ecology, business, healthy environment
and so on;
n2 - The remaining social value life, refers to the remaining time that the data assets to
be evaluated can still generate social value, in years;
r2 - The social discount rate is the rate (%) at which the expected future social benefits
are discounted to their present value.
A.3 Cost method
The cost method is based on a series of labor consumption during the formation of data
assets. It reflects the value of data assets by cost.
The value of data assets is based on the replacement cost and combined with the market
value of data assets to assess the value of data assets. See formula (A.5):
Where,
P - The value of the data asset to be assessed, in yuan;
Ci - The replacement cost of each dataset, which is estimated according to the cost of
data collection, storage, processing and other processes and the operation and
maintenance cost, in yuan;
n - The number of datasets (pieces);
Qi - The impact of data asset value (%);
b - The data asset value influence coefficient (%).
A.4 Comprehensive assessment method
The calculation method of the comprehensive assessment method is shown in the
formula (A.6):
......
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|