GB/T 33770.2-2019 English PDFUS$599.00 · In stock
Delivery: <= 5 days. True-PDF full-copy in English will be manually translated and delivered via email. GB/T 33770.2-2019: Information technology service -- Outsourcing -- Part 2: Data protection requirements Status: Valid
Basic dataStandard ID: GB/T 33770.2-2019 (GB/T33770.2-2019)Description (Translated English): Information technology service -- Outsourcing -- Part 2: Data protection requirements Sector / Industry: National Standard (Recommended) Classification of Chinese Standard: L77 Classification of International Standard: 35.080 Word Count Estimation: 30,343 Date of Issue: 2019-08-30 Date of Implementation: 2020-03-01 Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration GB/T 33770.2-2019: Information technology service -- Outsourcing -- Part 2: Data protection requirements---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order. Information technology service - Outsourcing - Part 2. Data protection requirements ICS 35.080 L77 National Standards of People's Republic of China Information technology service outsourcing Part 2. Data Protection Requirements Part 2. Dataprotectionrequirements Published on.2019-08-30 2020-03-01 implementation State market supervision and administration China National Standardization Administration issued ContentForeword III Introduction V 1 Scope 1 2 Normative references 1 3 Terms and Definitions 1 4 Abbreviations 3 5 data life cycle 3 6 Data subject rights 4 6.1 Right to know 4 6.2 Dominion 4 6.3 Control 4 6.4 Sharing rights 4 6.5 Right to challenge 4 7 Data Manager 5 7.1 Rule 5 7.2 Role 5 7.3 Service Management 5 7.4 Responsibilities and obligations 5 8 Data Management 6 8.1 Requirements 6 8.2 Principle 6 8.3 Guideline 6 8.4 Plan 7 8.5 Organization 7 8.6 Data Management System 9 8.7 Resource Management 10 8.8 Control 10 8.9 Coordination 10 9 Management Mechanism 11 9.1 Management System 11 9.2 Promotion 11 9.3 Training and Education 12 9.4 Publicity 12 9.5 Database Management 12 9.6 Data Management Document 14 9.7 Personnel Management 14 9.8 Confidentiality 14 10 data acquisition 14 10.1 Purpose 14 10.2 Limit 14 10.3 Category 14 10.4 Save 15 11 Data Processing 15 11.1 Process 15 11.2 Use 15 11.3 Available 16 11.4 Commission 16 11.5 Secondary development 16 11.6 Trading 17 11.7 Post-processing 17 12 Security Management 17 12.1 Requirements 17 12.2 Risk Management 18 12.3 Physical Environment Security 18 12.4 Work environment security 18 12.5 Network Behavior Management 18 12.6 IT Environment Security 18 12.7 Storage Security 18 12.8 Database Security 18 12.9 Mobile Terminal Security 19 12.10 Data Subject Security 19 13 Process Management 19 13.1 Process Mode 19 13.2 Internal Audit 20 13.3 Process Improvement 20 14 Emergency Management 20 15 Exceptions 21 15.1 Collection of exceptions 21 15.2 Legal exceptions 21 16 Management Evaluation 21 Appendix A (Normative) Data Management Related Resources 22 Reference 23ForewordGB/T 33770 "Information Technology Service Outsourcing" is divided into six parts. --- Part 1. General requirements for service providers; --- Part 2. Data protection requirements; --- Part 3. Delivery Center requirements; --- Part 4. Unstructured data management and service requirements; --- Part 5. Project management requirements of the contractor; --- Part 6. General requirements for service buyers. This part is the second part of GB/T 33770. This part is drafted in accordance with the rules given in GB/T 1.1-2009. This part is proposed and managed by the National Information Technology Standardization Technical Committee (SAC/TC28). This section drafted by. Dalian Software Industry Association, Dalian Huaxin Computer Technology Co., Ltd., Neusoft Group Co., Ltd., Chengdu Big Data Center, Beijing Escort Technology Co., Ltd., Guangzhou Saibao Certification Center Service Co., Ltd., China Electronic Technology Standard Institute of Chemical Research, Golden Tax Information Technology Services Co., Ltd., Shanghai Beizhou Enterprise Management Consulting Co., Ltd., Shanghai Youfu Network Co., Ltd. Company, Beijing Xinchengtong Digital Technology Co., Ltd., Guangzhou Panyu Vocational and Technical College, Shanghai Sanshi Guardian Information Security Co., Ltd., Shenzhou Code System Integration Services Co., Ltd., Shanghai Baoxin Software Co., Ltd., Kunming Dongdian Technology Co., Ltd., Neusoft Ruidao Education Information Technology Technology Co., Ltd., Jiangsu Runhe Software Co., Ltd., Wensi Haihui Technology Co., Ltd. The main drafters of this section. Lang Qingbin, Yin Hong, Liu Hong, Gao Wei, Chen Ximin, Zhao Zhenwen, Dan Qiang, Yu Hao, Liang Xiaoyan, Ding Zong'an, Xiong Jianyu, Shi Liangliang, Liu Wei, Zhang Shuling, Liu Tingshan, Du Yuan, Tang Baihui, Wang Wei, Min Minhua, Li Yang, Zheng Yi, Wang Binbin, Wan Qidong, Xu Yao, Xie Shangfei, Han Mo, Shao Feng, Dong Lei, Song Yue, Wang Xin.IntroductionThe connotation and extension of this part are relatively broad, and there are concepts and understandings that are easy to be confused and ambiguous. It needs to be explained to facilitate the standard provisions. Interpretation and application of standards. 0.1 benchmark This section considers that personal information has similar characteristics to commercial data. In the collection, processing, and use, its security requirements, security mechanisms, security The whole strategy and the like are equal, and the same management method can be adopted, which is suitable for the IT service outsourcing organization to jointly observe and apply, and can also be other lines. Industry provides reference. 0.2 data “Data” is a broad concept. In this section, it refers to information related to personal information and commercial data. Intellectual property rights are extensive, complex, and have relevant regulations. However, there is a legal gap in the protection of intellectual property-related information. Because this part of the information is similar to the characteristics of commercial data. Therefore, this section classifies intellectual property-related information into business data. 0.3 Business Data "Business data" is also a broad concept with broad connotations. In this section, specifically sensitive business secrets or other things that need to be protected data. 0.4 Comprehensive database This part of the definition of the comprehensive database is composed of structured, unstructured personal information, commercial data (including automatic processing and non-automatic processing) Do not constitute a logical database. 0.5 Data Management Data protection is one of the management activities or behaviors for data and related resources, environment, management systems, etc. According to management, “data protection” is covered. This part of data management involves personal information management and business data management. Data management encompasses the entire lifecycle of data collection, processing, and use. 0.6 Data Security The data security involved in this section refers to the confidentiality, integrity, accuracy, usability, authenticity, and availability of personal information and commercial data. Control and non-repudiation. 0.7 Data Management System Refers to an organic whole that has a specific function and consists of several related elements. By integrating and coordinating resources, focusing on management elements, The target is now scheduled. The interaction between elements and elements, elements and systems, systems and the environment interacts with each other. This section provides basic rules and requirements for personal information management and business data management to build a data management system and fully guarantee The rights of the data subject to ensure the stable and effective operation of related businesses. 0.8 Standard Architecture and Style This part takes management as the main line, and is guided by the data life cycle to build a data management standard architecture, which is different from the quality management system. Standard system, in order to agglomerate, integrate management elements, improve, improve, and control the data management system to ensure data security. 0.9 standard compatibility This section is coordinated with international and domestic information security standards and other relevant standards, and is compatible with or integrated with these standards. Shi and run. 0.10 business continuity While providing safety guidance, this part needs to ensure the continuity of business based on the reasonable circulation of data. 0.11 standard applicability IT service outsourcing organizations are basically consistent with the data security attributes and characteristics of various organizations, and their security mechanisms and security policies are similar. However, this part is universal. a) The data management rules in this part of the specification are not only the basis of IT service management, but also establish data management for the development of IT services. Benchmark b) The data management rules of this part of the specification have common characteristics and can be interpreted and tailored according to the characteristics of the organization; c) The difference between the characteristics of IT service outsourcing organizations and various organizations is the organization's business and management, and the data involved (including contract management). For this part of the scope; d) This section is not only applicable to IT service outsourcing organizations, but also to other organizations, enterprises, businesses, social organizations, etc. carried out. Information technology service outsourcing Part 2. Data Protection Requirements1 ScopeThis part of GB/T 33770 specifies the data life cycle and data subject rights involved in data protection in information technology outsourcing services. Basics in terms of profit, data manager, data management, management mechanism, data acquisition, data processing, security management, process management, emergency management, etc. Rules and requirements. This section applies to organizations that select and provide IT services, evaluate and identify IT service delivery capabilities. Other organizations can refer to carried out.2 Normative referencesThe following documents are indispensable for the application of this document. For dated references, only dated versions apply to this article. Pieces. For undated references, the latest edition (including all amendments) applies to this document. GB/T 22080 Information Technology Security Technology Information Security Management System Requirements GB/T 22081 Information Technology Security Technology Information Security Management Practical Rules3 Terms and definitionsThe following terms and definitions apply to this document. 3.1 Medium medium A carrier that carries data. 3.2 Mediation A carrier that stores and transmits data. 3.3 Media media The medium for producing and disseminating data. 3.4 Data Describe personal information, the form and attributes of business data, and facilitate storage, processing, and use. 3.5 Personal information personalinformation Attached to the individual and can describe the basic form of the individual, including the direct identification of the individual's letter through the senses such as hearing, sight, and touch. Interests, such as sounds, numbers, words, images, images, etc.; indirectly identify individual information by means of various means, such as comparison with various information related to individuals, Reference, analysis, etc. ......Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 33770.2-2019_English be delivered?Answer: Upon your order, we will start to translate GB/T 33770.2-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 3 ~ 5 working days. The lengthier the document the longer the lead time.Question 2: Can I share the purchased PDF of GB/T 33770.2-2019_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 33770.2-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay. |
