GB/T 37932-2019 English PDFUS$199.00 · In stock
Delivery: <= 3 days. True-PDF full-copy in English will be manually translated and delivered via email. GB/T 37932-2019: Information security technology - Security requirements for data transaction service Status: Valid
Basic dataStandard ID: GB/T 37932-2019 (GB/T37932-2019)Description (Translated English): Information security technology - Security requirements for data transaction service Sector / Industry: National Standard (Recommended) Classification of Chinese Standard: L80 Classification of International Standard: 35.040 Word Count Estimation: 10,159 Date of Issue: 2019-08-30 Date of Implementation: 2020-03-01 Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration GB/T 37932-2019: Information security technology - Security requirements for data transaction service---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order. Information security technology - Security requirements for data transaction service ICS 35.040 L80 National Standards of People's Republic of China Information Security Technology Data transaction service security requirements 2019-08-30 released 2020-03-01 Implementation State Administration for Market Regulation Issued by China National Standardization Administration Table of contentsForeword Ⅰ Introduction Ⅱ 1 Scope 1 2 Normative references 1 3 Terms and definitions 1 4 Safety overview 2 4.1 Reference Frame 2 4.2 Data Transaction Security Principle 3 5 Security requirements for data transaction participants 3 5.1 Data provider security requirements 3 5.2 Data demander security requirements 3 5.3 Security requirements for data transaction service agencies 4 6 Security of transaction objects 6 6.1 Prohibition of transaction data 6 6.2 Data quality requirements 6 6.3 Personal information security protection 6 6.4 Security Protection of Important Data 6 7 Data transaction process safety 6 7.1 Transaction application 6 7.2 Transaction negotiation 7 7.3 Transaction Implementation 7 7.4 End of transaction 7ForewordThis standard was drafted in accordance with the rules given in GB/T 1.1-2009. This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this standard. Alibaba Cloud Computing Co., Ltd., China Electronics Standardization Institute, Beijing Saixi Technology Development Co., Ltd. Company, Beijing Software and Information Service Exchange Co., Ltd., Guiyang Big Data Exchange Co., Ltd., Shanghai Data Exchange Center Co., Ltd. Company, Alibaba (Beijing) Software Service Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, China Mobile Communications Corporation, Shaanxi Province Information Engineering Research Institute, Beijing Qi'anxin Technology Co., Ltd., China Network Security Review Technology and Certification Center, Tsinghua University, Northwest University Science, Shaanxi Province Network and Information Security Evaluation Center, Institute of Software, Chinese Academy of Sciences, Venus Star Information Technology Group Co., Ltd., Beijing Jingtian Rongxin Technology Co., Ltd., Lenovo (Beijing) Co., Ltd., Xidian University. The main drafters of this standard. Ye Runguo, Zhang Dajiang, Sun Yan, Shen Xiyong, Liu Xiangang, Chen Xuexiu, Hu Yuanyuan, Sun Aimei, Yu Tieqiang, Hu Ying, Zhang Minchong, Xie Anming, Liu Yuling, Zhao Bei, Zhang Qun, Ye Xiaojun, Wu Di, Cai Lei, Li Yi, Jin Tao, Zhang Yong, Li Kepeng, Chen Chi, Zheng Xinhua, Zhang Ruiqing, Chang Ling, Liu Jialin, Ren Lanfang, Pei Qingqi, Sun Qian.IntroductionData is increasingly affecting global production, circulation, distribution, consumption activities, economic operation mechanisms, social lifestyles, and national governance capabilities. Important impact. Data transactions can promote the circulation of data resources, eliminate data islands, effectively support the rapid development of data applications, and give full play to data. According to the economic value of resources. However, data transactions face many security issues and challenges, which affect the further healthy development of data applications. In order to standardize data resource transaction behavior, establish a good data transaction order, and promote the improvement of the security assurance capabilities of data transaction service participants. Rise, this standard will implement security specifications for data transaction services, enhance the security management and control capabilities of data transaction services, and ensure data security. Under the premise, promote the free circulation of data resources, thereby driving the safe, healthy and rapid development of the entire data industry. Information Security Technology Data transaction service security requirements1 ScopeThis standard specifies the security requirements for data transaction services through data transaction service institutions, including data transaction participants, transaction pairs Security requirements for the image and transaction process. This standard applies to data transaction service institutions to conduct security self-assessment, and it can also be used by third-party evaluation institutions to conduct data transaction service institutions. Refer to when conducting safety assessment.2 Normative referencesThe following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article Pieces. For undated references, the latest version (including all amendments) applies to this document. GB/T 22239-2019 Information Security Technology Network Security Level Protection Basic Requirements GB/T 25069-2010 Information Security Technical Terms GB/T 35273-2017 Information Security Technology Personal Information Security Specification GB/T 35274-2017 Information Security Technology Big Data Service Security Capability Requirements GB/T 36343-2018 Information Technology Data Transaction Service Platform Transaction Data Description GB/T 37988-2019 Information Security Technology Data Security Capability Maturity Model3 Terms and definitionsThe following terms and definitions defined in GB/T 25069-2010 and GB/T 36343-2018 apply to this document. 3.1 Datatransaction The act of exchanging data commodities with currency or currency equivalents between data suppliers and demanders with data commodities as the transaction objects. Note 1.Data commodities include raw data used for transactions or processed data derivative products. Note 2.Data transactions include data transactions that use big data or its derivatives as data commodities, as well as traditional data or its derivatives as data commodities. Data transactions. 3.3 Data demander The organization that purchases and uses data in a data transaction. 3.4 Data transaction service Help data suppliers and demanders complete data transaction activities. 3.5 Data Transaction Service Agency An organization that provides data transaction services for both data suppliers and demanders. 3.6 Data transaction service platform An information platform that provides various services for data transactions. 3.7 Online data delivery The data supplier delivers data to the data demander through the network. 3.8 Offline data delivery After the data supply and demand parties have reached a data transaction agreement, the data supplier will provide the data from the supplier to the demander in an offline manner. mode. 3.9 Escrow data transaction After the data supply and demand parties reach a data transaction agreement, the supplier will copy the data to the data custody service designated by the data transaction service agency. Service platform, the demand side uses data in the data hosting service platform, and the data is not transferred. 3.10 Data transaction process Data supply and demand parties rely on the data transaction service platform to conduct a complete and specific data transaction for specific data transaction objects. Easy behavior. Note. The data transaction process is generally divided into transaction application, transaction negotiation, transaction implementation and transaction closure. 3.11 Important data The collection and production of Chinese institutions and individuals within the territory does not involve state secrets, but is closely related to national security, economic development and public interests related data. Note. Important data usually refers to various types of institutions in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government. It does not involve state secrets, but once it is leaked, tampered with or abused, it will be harmful to national security, economic development and social development. Data (including raw data and derived data) that will adversely affect the public interest. [GB/T 35274-2017, definition 3.13]4 Safety overview4.1 Reference frame Data transaction is an activity carried out by both parties on the original data or processed data in accordance with the transaction process. Through data transaction service The data transaction service reference framework of financial institutions is shown in Figure 1.Data transactions involve data suppliers, data demanders and data transaction services mechanism. Data transaction service institutions rely on the data transaction service platform to provide data transaction services for both data supply and demand parties. From the data transaction service From the perspective of financial institutions, the data transaction process generally includes four links. transaction application, transaction negotiation, transaction implementation and transaction completion. Common Data delivery modes include online mode, offline mode and hosting mode. Figure 1 Data transaction service reference framework 4.2 Data transaction security principles Data transactions should follow the following principles. a) Principles of legal compliance. Data transactions should comply with my country's relevant laws and regulations on data security management, respect social ethics, and must not Damage the national interest, the public interest of society and the legitimate rights and interests of others. b) The principle of shared responsibility of the main body. the data supply and demand parties and the data transaction service agency are responsible for the consequences of the data transaction and jointly ensure the security of the data transaction. c) Data security protection principle. Data transaction service agencies should take measures such as data security protection, detection and response to prevent data loss Loss, damage, leakage and tampering to ensure data security. d) Personal information protection principles. data suppliers and demanders and data transaction service agencies should adopt personal information security protection technology and management Measures to avoid security risks such as illegal collection, illegal acquisition, illegal sale, abuse, and disclosure of personal information, and effectively protect personal rights. e) The principle of controllable transaction process. It should be ensured that the parties involved in the data transaction are authentic, the counterparty of the transaction is legal, and the data delivery process is controllable and The non-repudiation of transactions ensures that security incidents can be traced and security risks can be prevented.5 Security requirements for data transaction participants5.1 Data provider security requirements Data transaction service agencies shall ensure that data providers meet the following requirements. a) It is a legal organization that has no records of major data violations within one year. b) After completing the registration with the data transaction service organization, and the data transaction service organization has passed the review, it is allowed to participate in the data transaction business. c) The data supplier shall prove its ability to safely deliver data to the data demander. d) Provide a written security commitment to the data transaction service organization, including but not limited to. the legality of the transaction data source Data, transaction data meet the requirements of laws, regulations and policies, instructions for evaluating transaction data quality, compliance with data transaction security principles, willingness Willing to accept the safety supervision of data transaction service agencies, willing to be responsible for the consequences of data circulation, etc. e) Comply with the security management system and procedures of the data transaction service organization. 5.2 Data acquirer security requirements Data transaction service agencies shall ensure that the data demander meets the following requirements. a) It is a legal organization that has no records of major data violations within one year. b) After completing the registration with the data transaction service organization, and the data transaction service organization has passed the review, it is allowed to participate in the data transaction business. c) Prove the ability to implement security protection for transaction data. d) Provide written data transaction and use security commitments, including but not limited to. meeting the requirements of laws, regulations and policies, and complying with data According to transaction security principles, willing to accept the security supervision of data transaction service agencies, and comply with the data security requirements agreed with the data provider Requirements, provide adequate security protection for the data held, and do not disclose or transfer the data to a third party without explicit authorization. e) Use the data in accordance with the purpose, scope, method and time limit agreed by the supplier and the buyer, and re-identification of personal information is prohibited. f) After completing the use of data in accordance with the data transaction agreement, the transaction data should be destroyed in time. g) Comply with the security management system and procedures of the data transaction service agency. 5.3 Security requirements of data transaction service agencies 5.3.1 Basic requirements Data transaction service institutions shall meet the following basic requirements. a) Obtain authorization or permission from my country's administrative or competent department. b) It is a domestic legal organization that has no records of major data violations within one year. d) Deploy a data transaction service platform for domestic data transaction services in my country. e) Review the declaration of the legality of the data source provided by the data provider. f) Monitor data violations. g) Formulate and implement punishment rules for transaction violations. h) Do not use the data or data derivatives of the data supplier or demander without authorization. i) At least meet the level 3 requirements of GB/T 37988-2019. 5.3.2 Organizational safety management requirements 5.3.2.1 Safety management system and procedures Data transaction service institutions shall meet the following requirements. a) Develop a data transaction service security management strategy, and explain the overall goals, scope, principles and security framework of data transaction security. b) Establish a data transaction service security management system, including but not limited to. transaction participant security management system, data security management system Degree, personal information security protection system, etc. c) Establish operating procedures for management or business operations performed by data transaction managers or operators. d) Regularly review the data transaction service security management strategies, systems and procedures, and update them in a timely manner. e) Establish and implement safety management systems and procedures for data suppliers and demanders. f) Establish a credit management mechanism for the supply and demand side. 5.3.2.2 Safety-related organizations and personnel Data transaction service institutions shall meet the following requirements. a) Establish a data transaction security leadership group, with the top manager or authorized representative of the organization as the group leader. b) Establish a data transaction security management functional department, set up a security management person in charge, and clarify security responsibilities. d) Conduct security review and technical assessment of personnel in important positions in data transactions to ensure that there are no records of violations of laws and regulations. e) Sign security and confidentiality agreements with personnel in important positions in data transactions, and sign post responsibility agreements with personnel in important positions. f) Develop and implement training plans for personnel in various positions in data transactions. The training content includes security awareness, special skills, etc. Safety management knowledge and professional technical level appropriate to the job requirements. g) Perform security management for third-party personnel, and sign security confidentiality agreements for third-party personnel who may have access to transaction data. 5.3.3 Data transaction service platform security requirements 5.3.3.1 Basic requirements The data transaction service platform shall meet the following requirements. a) Meet the relevant safety requirements of level 3 in GB/T 22239-2019. b) Provide emergency plans for dealing with data breaches. c) The cryptographic technology adopted follows the relevant national standards and industry standards. 5.3.3.2 Extension requirements 5.3.3.2.1 Transaction data security protection The data transaction service platform shall meet the following requirements. a) Provide a secure upload or download interface, a strong identity authentication mechanism, and transmission link encryption for data suppliers and demanders. To ensure the safety of data transmission. b) Implement security measures such as encrypted storage and access control on transaction data to prevent data leakage or illegal use. c) Realize the traceability of data sources and data operations, and the non-repudiation of transactions. d) In the managed data delivery mode, an isolated and secure environment is provided for the data demander, and the data demander runs in the data use environment. Relevant procedures and data results generated are reviewed. e) In the custodial data delivery mode, transaction data is safely stored and backed up to ensure the confidentiality, integrity and availability of data. f) When the data provider revokes the escrow data, the remaining information is cleared and cannot be recovered. 5.3.3.2.2 Security control of the transaction process The data transaction service platform shall meet the following requirements. a) It is allowed to set up manual intervention functions for the participants, objects, and key processes of data transactions. b) The content of manual intervention should at least include. transaction participant review, transaction review, transaction suspension, transaction cancellation, and transaction resumption. c) Handle the arbitration requirements of the data supplier or data demander and require the respondent to provide evidence in response. 5.3.3.2.3 Data transaction security audit The data transaction service platform shall meet the following requirements. a) Record each data transaction operation and generate a data transaction log. b) The data transaction log includes at least the following information. transaction unique identifier, transaction time, transaction provider, transaction demander, transaction data label Identification, sensitive data labels, transaction prices, transaction patterns, transaction results, etc. c) Safely keep documents such as data transaction logs and the legality of data sources for at least 6 months. d) Only authorized auditors are allowed to access the data transaction log, and support for query and analysis of the data transaction log. e) Allow data suppliers and dat......Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 37932-2019_English be delivered?Answer: Upon your order, we will start to translate GB/T 37932-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 1 ~ 3 working days. The lengthier the document the longer the lead time.Question 2: Can I share the purchased PDF of GB/T 37932-2019_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 37932-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay. |
