JR/T 0197-2020 PDF in English

JR/T 0197-2020
JR
FINANCIAL INDUSTRY STANDARD OF
THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.40
A 11
Financial data security - Guidelines for data security classification
ISSUED ON: SEPTEMBER 23, 2020
IMPLEMENTED ON: SEPTEMBER 23, 2020
Issued by: People’s Bank of China
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Objectives, principles and scope
5 Data security grading
6 Identification of important data
Appendix A (Informative) Reference rules for data grading
Appendix B (Informative) Changes in data security level
Appendix C (Informative) Important data
References
Financial data security - Guidelines for data security classification
1 Scope
This standard gives the objectives, principles and scope of financial data
security classification, as well as the elements, rules and process of data
security classification.
This standard applies to financial institutions carrying out security
classification of electronic data, and provides a reference for third-party
evaluation agencies and other organizations carrying out data security
inspection and evaluation.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition with the indicated date applies to this
document; for undated references, the latest edition (including all
amendments) applies to this standard.
GB/T 4754-2017 Industrial classification for national economic activities
GB/T 5271.1-2000 Information technology - Vocabulary - Part 1:
Fundamental terms
GB/T 25069-2010 Information security technology - Glossary
GB/Z 28828-2012 Information security technology - Guideline for personal
information protection within information system for public and commercial
services
GB/T 35273-2020 Information security technology - Personal information
security specification
JR/T 0158-2018 Data classification guidelines for securities and futures
industry
JR/T 0171-2020 Personal financial information protection technical
specification
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 35273-
System execution of data manipulation.
Examples: Mathematical operations or logical operations of data, data
merging or classification, program assembly or compilation, or text
operations, such as editing, classification, merging, storage, retrieval,
display or printing.
Note 1: The term "data processing" cannot be used as a synonym for
"information processing".
Note 2: Modified from GB/T 5271.1-2000, definition 2.01.01.06.
3.6
Confidentiality
The property that information is not made available or disclosed to, or
exploited by, unauthorized individuals, entities or processes.
[GB/T 25069-2010, definition 2.1.1]
3.7
Integrity
The property of safeguarding the accuracy and completeness of assets.
Note: Modified from GB/T 25069-2010, definition 2.1.42.
3.8
Availability
The property of data and resources being accessible and usable by an
authorized entity on demand.
[GB/T 25069-2010, definition 2.1.20]
3.9
Security level
A hierarchical level regarding access to sensitive information which, together
with the security category, enables finer-grained control of access to data.
[GB/T 25069-2010, definition 2.2.1.6]
3.10
Hierarchical data management is the basic work for establishing a unified and
complete data lifecycle security protection framework, and supports financial
institutions in formulating targeted data security controls. The financial
industry includes currency and financial services, capital market services,
insurance, etc., as listed in GB/T 4754-2017. The "financial institutions"
referred to in this standard are the institutions engaged in those financial
industries.
4.2 Principles of data security grading
Data security grading follows the following principles:
a) Principle of legal compliance: Meet national laws and regulations and the
relevant regulations of industry authorities.
b) Principle of enforceability: Avoid overly complicated data grading rules,
so that data grading work remains feasible.
c) Principle of timeliness: A data security level has a certain validity
period; financial institutions should adjust data levels in time according to
their level change strategy.
d) Principle of autonomy: Financial industry institutions determine data
security levels independently, within the framework of this standard,
according to their own data management needs (such as strategic needs,
business needs, risk acceptance, etc.).
e) Principle of differentiation: Assign different data security levels
according to the type and sensitivity of the organization's data, distributing
the data across the levels; do not lump all data into a few levels.
f) Principle of objectivity: The data grading rules are objective and
verifiable, that is, the level of a data item can be judged from its attributes
and the grading rules, and the grading can be reviewed and checked.
4.3 Scope of data security classification
In financial data security grading, non-electronic financial data shall be
handled in accordance with the relevant management regulations for archives
and documents; financial data involving state secrets shall be handled in
accordance with the relevant national laws and regulations, and is outside the
scope of this standard. Data security classification in the securities
industry can be carried out with reference to JR/T 0158-2018.
The financial data covered by security grading work includes, but is not
limited to:
financial institutions, including national security, public rights, personal privacy,
legal rights of enterprises. The determination of affected objects mainly
considers the following:
- Where the affected object is national security: this generally refers to
breaches of data security that may affect the stability of state power,
territorial sovereignty, national organizations, social stability, financial
market stability, etc.
- Where the affected object is the public rights and interests: this generally
refers to breaches of data security that may affect the social order of
production and operation, teaching and research, medical care and health,
public transportation, or the public's political rights, personal freedom,
economic rights, etc.
- Where the affected object is personal privacy: this generally refers to
breaches of data security that may affect the personal information, private
activities and private domains of personal financial information subjects.
- Where the affected object is the legitimate rights and interests of an
enterprise: this generally refers to breaches of data security that may affect
the production, operation, reputation and image, or credibility of a
particular enterprise or other organization (which may be a financial
institution or an institution in another industry).
5.1.3 Degree of influence
The degree of influence is the magnitude of the impact once the data security
of a financial institution is breached. From high to low, it is divided into
serious damage, general damage, minor damage and no damage; Table 1 describes
each and can be used as a reference when judging the degree of influence. The
degree of influence after a breach should be determined by considering factors
such as data type, data characteristics and data scale together with the
attributes of the financial business, for example:
- After a data security breach, the impact of customers' personal natural
information is usually higher than that of the organization's basic
information.
- After a data security breach, the degree of influence of identity
authentication information is usually higher than that of personal basic
profile information.
- Data with high real-time requirements in transaction information, the impact
of security breaches is usually higher than that of data with low real-time
- Confidentiality assessment: Conduct data confidentiality assessment by
evaluating the impact of unauthorized disclosure of data and the possible
impact of the institution's continued use of these data. The content of the
assessment includes but is not limited to:
• Unauthorized disclosure of data, which may cause damage to national
security, public rights, personal privacy, legal rights of enterprises, as
well as the severity of the damage.
• Data obtained or exploited by unauthorized parties, which may cause
damage to national security, public rights, personal privacy, legal rights
of the enterprise, as well as the severity of the damage.
• Data is exploited by unauthorized parties to conduct attacks such as
theft, tampering, destruction, or denial of service, which may cause
damage to national security, public rights, personal privacy, legal rights
of enterprises, as well as the severity of the damage.
• Whether the unauthorized disclosure or dissemination of data violates
national laws and regulations, relevant regulations of industry
authorities, or internal management regulations of the organization.
- Integrity assessment: Conduct data integrity assessment by evaluating the
impact of unauthorized modification or destruction of data and the possible
impact of the institution's continued use of these data. The content of the
assessment includes but is not limited to:
• Unauthorized modification or destruction of data, which may cause
damage to national security, public rights, personal privacy, legal rights
of the enterprise, as well as the severity of the damage.
• Unauthorized modification or destruction of data, which may cause
damage to other organizations or individuals, as well as the severity of
the damage.
• Unauthorized modification or destruction of data, which may cause
damage to the organization's functions, credibility, as well as the
severity of the damage.
• Whether the unauthorized modification or damage of data violates
national laws and regulations, relevant regulations of industry
authorities, or internal management regulations of the organization.
- Availability assessment: Conduct data availability assessment by evaluating
the impact of interruption of access to or use of the data (and of the various
types of data formed after combination or fusion), and the possible impact of
the institution being unable to use these data. The content of the assessment
the important core node institutions in the financial transaction process.
It is generally disclosed to specific personnel and is only accessed or
used by objects that must be known.
• After data security is compromised, it will affect national security or
seriously affect public rights.
Note: "Must be known" refers to determining the scope of those who may know
the data. A subject may know the data only when there is a clear need to know
it. Normally the principle of work need and the principle of minimization are
followed: the former means that the data may be known only because of work
requirements, and the latter means that the scope of those who know the data
is kept to the minimum necessary.
- The characteristics of level 4 data are as follows:
• Data is usually mainly used for the important business use of large or
super large institutions in the financial industry, as well as important
core node institutions in the financial transaction process. It is generally
disclosed to specific persons and is only accessed or used by objects
that must be known.
• Category C3 information in personal financial information.
• After data security is compromised, it will have a general impact on the
public rights and interests, or have a serious impact on personal privacy
or the legitimate rights and interests of enterprises, but it will not affect
national security.
- The characteristics of level 3 data are as follows:
• Data is used for key or important business use of financial industry
institutions; it is generally disclosed to specific persons; it is only
accessed or used by objects that must be known.
• Category C2 information in personal financial information.
• After the security of data is compromised, it will have a slight impact on
public rights, or cause general influences on personal privacy or
enterprise legal rights, but does not affect national security.
- The characteristics of level 2 data are as follows:
• The data is used for the general business use of financial institutions; it
is generally disclosed for restricted objects. It is usually internally
managed and not suitable for widespread disclosure.
5.4 Grading process
5.4.1 Organizational guarantee
Determine the highest decision-making organization for data security
management; establish and clarify relevant departments (or organizations) and
their responsibilities, including but not limited to:
- The leading organization and person in charge of the data classification
work of this institution are mainly responsible for the overall planning of data
security classification work.
- The management department (or organization) of the organization's data
classification work and its person in charge are mainly responsible for the
organization, coordination, management, check, review of data
classification related work.
- The role of the information technology department and its person in charge
in the data security classification work: mainly responsible for implementing
the relevant requirements of data security classification and leading its
implementation.
- The role of the business department (and/or the data owner department) and
its person in charge in the organization's data security classification work:
mainly responsible for implementing the relevant requirements of data security
classification and coordinating its implementation.
- The roles, responsibilities and responsible persons of other relevant
departments of the organization in data security classification work.
5.4.2 System guarantee
Establish relevant systems for data classification work; clarify and implement
relevant work requirements, including but not limited to:
- The goals and principles of data classification.
- The roles, departments and related responsibilities involved in data
classification.
- Methods and specific requirements for data classification.
- Daily management process and operating procedures for data classification,
as well as the determination, review, approval, release, change mechanism
of classification results.
- Performance appraisal and evaluation mechanism related to data
Data asset sorting:
Step 1: Inventory, sort out and classify the data; form a unified list of data
assets; prepare for data security grading and compliance.
Data security grading preparation:
Step 2: Clarify the granularity of data grading (such as library files, tables, fields,
etc.).
Step 3: Identify the key elements of data security grading.
Data security level determination:
Step 4: According to the data grading rules described in 5.3, combined with
relevant national and industry laws and regulations, as well as departmental
rules, make an initial determination of the data security level.
Step 5: Comprehensively consider factors such as data scale, data timeliness,
data form (such as whether it has been aggregated, processed, counted,
desensitized or anonymized, etc.), review the data security level; make
adjustment to form assessment result and grading list of data security level.
Data security level review:
Step 6: Review the assessment process and results of the data security level;
if necessary, repeat step 3 and the subsequent steps until the assigned
security levels are consistent with the organization's data security
protection goals.
Data security level approval:
Step 7: Finally, the top decision-making organization on data security
management will review and approve the results of the data security
classification.
5.5 Level change
After the data security grading is completed, when one of the following
situations occurs, financial institutions should change the security level of
related data (see Appendix B for related examples) and implement the data
grading process in accordance with 5.4.3.
- The data content has changed, causing the original data security level to
not apply to the changed data.
- Data content has not changed, but due to changes in data timeliness, data
scale, data usage scenarios, data processing methods, etc., the original
data security level is no longer applicable.
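The following added Python example (not part of the standard, and not any institution's implementation) encodes the level characteristics excerpted in 5.3 as a rule-based initial grading (step 4 of 5.4.3) and re-runs it for the level change triggers of 5.5. The level 5 criterion is taken from the partially shown characteristics preceding level 4; the level 2 default, the C1 floor and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Affected objects (5.1.2) and degrees of influence (5.1.3) as named in the standard.
OBJECTS = ("national_security", "public_rights", "personal_privacy", "enterprise_rights")
DEGREES = {"none": 0, "minor": 1, "general": 2, "serious": 3}
# Personal financial information categories (JR/T 0171) set a minimum level:
# C3 -> level 4 and C2 -> level 3 are from the page; C1 -> level 2 is an assumption.
PFI_FLOOR = {"C3": 4, "C2": 3, "C1": 2, None: 2}


@dataclass
class DataItem:
    name: str
    # Worst-case degree of influence per affected object once the data's
    # confidentiality, integrity or availability is breached (5.2 assessment).
    impact: Dict[str, str] = field(default_factory=dict)
    pfi_category: Optional[str] = None


def grade(item: DataItem) -> int:
    """Initial level determination (step 4 of 5.4.3) from the 5.3 characteristics."""
    for obj, deg in item.impact.items():
        if obj not in OBJECTS or deg not in DEGREES:
            raise ValueError(f"unknown affected object or degree: {obj}={deg}")
    if item.pfi_category not in PFI_FLOOR:
        raise ValueError(f"unknown personal financial information category: {item.pfi_category}")

    def d(obj: str) -> int:
        return DEGREES[item.impact.get(obj, "none")]

    private = max(d("personal_privacy"), d("enterprise_rights"))
    if d("national_security") > 0 or d("public_rights") == 3:
        level = 5  # affects national security or seriously affects public rights
    elif d("public_rights") == 2 or private == 3:
        level = 4  # general impact on public rights, or serious on privacy/enterprise
    elif d("public_rights") == 1 or private == 2:
        level = 3  # slight impact on public rights, or general on privacy/enterprise
    else:
        level = 2  # assumption: remaining internal data is general business data
    return max(level, PFI_FLOOR[item.pfi_category])


def level_changed(current_level: int, updated: DataItem) -> bool:
    """5.5: re-grade when content, scale, timeliness or processing form changes."""
    return grade(updated) != current_level


# Constructed sample inventory (the step 1 list of data assets), not from the standard.
SAMPLES = {
    "login_credentials": DataItem("login_credentials", {"personal_privacy": "serious"}, "C3"),
    "customer_phone": DataItem("customer_phone", {"personal_privacy": "general"}, "C2"),
    "interbank_clearing": DataItem("interbank_clearing",
                                   {"public_rights": "serious", "enterprise_rights": "serious"}),
    "branch_hours": DataItem("branch_hours", {"enterprise_rights": "minor"}),
}


def grade_all() -> Dict[str, int]:
    """Grading list (the step 5 output) for the sample inventory."""
    return {name: grade(item) for name, item in SAMPLES.items()}
```

Running `grade_all()` on the constructed inventory yields levels 4, 3, 5 and 2 respectively; an anonymized aggregate derived from the phone list (impact reduced to minor, no C category) regrades to level 2, so `level_changed` reports that the original level no longer applies.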
Appendix C
(Informative)
Important data
Important data refers to data (including raw data and derived data) collected
and generated by the Chinese government, enterprises and individuals within
the territory of China that does not involve state secrets but is closely
related to national security, economic development and public interests, and
which, once subject to unauthorized disclosure, loss, abuse, tampering or
destruction, or to aggregation, integration or analysis, may cause the
following consequences:
- Endanger national security and national defense interests; undermine
international relations.
- Damage state property, social public interests and the legitimate interests
of individuals.
- Affect the country's ability to prevent and combat economic and military
espionage, political infiltration, organized crime, etc.
- Affect the investigation and handling by administrative agencies of illegal
acts or dereliction of duty, or of suspected illegal acts or dereliction of
duty.
- Interfere with the supervision, management, inspection and auditing
activities that government departments carry out in accordance with the law;
hinder government departments from performing their duties.
- Endanger the security of key national infrastructure, critical information
infrastructure, or government information systems.
- Affect or endanger the national economic order and financial security.
- Can be analyzed to derive state secrets or sensitive information.
- Affect or endanger other aspects of national security, such as national
politics, territory, military, economy, culture, society, science and
technology, information, ecology, resources, nuclear facilities, etc.
Important data can include macro-feature data, derived feature data gathered
from massive amounts of information, data from the decision-making and law
enforcement processes of industry regulatory agencies, and cybersecurity defect
information on critical information infrastructure, for example:
- Macro characteristics: Data that can reflect economic and social
......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.