GB/T 41574-2022 (English version)
GB/T 41574-2022: Information technology - Security techniques - Code of practice for protection of personal information in public clouds
Status: Valid
Basic data
Standard ID: GB/T 41574-2022 (GB/T41574-2022)
Description (translated English): Information technology - Security techniques - Code of practice for protection of personal information in public clouds
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Word count estimation: 34,325
Issuing agency(ies): State Administration for Market Regulation; Standardization Administration of China

ICS 35.030
CCS L80
National Standard of the People's Republic of China
Information technology - Security techniques - Code of practice for protection of personal information in public clouds
Published: 2022-07-11
Implemented: 2023-02-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 Structure of this document
4.2 Control categories
5 Information security policies
5.1 Management direction for information security
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination and change of employment
8 Asset management
9 Access control
9.1 Business requirements of access control
9.2 User access management
9.2.1 User registration and de-registration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
9.4 System and application access control
9.4.1 Information access restriction
9.4.2 Secure log-on procedures
9.4.3 Password management system
9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code
10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling security
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.3 Backup
12.3.1 Information backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronization
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
Appendix A (informative) Comparison of structure numbers between this document and ISO/IEC 27018:2019
Appendix B (normative) Extended set of controls for the protection of personal information by public cloud personal information processors
Appendix C (informative) Relationship between cloud service providers, cloud service customers and cloud service users
References

Foreword
This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document is a modified adoption of ISO/IEC 27018:2019 "Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors".
Compared with ISO/IEC 27018:2019, this document makes a number of structural adjustments; Appendix A lists the changes in structure numbering between the two documents. The technical differences between this document and ISO/IEC 27018:2019, and the reasons for them, are as follows:
--- The term "personally identifiable information (PII)" is changed to "personal information" and its definition is changed, to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.1; 3.2 of ISO/IEC 27018:2019);
--- The term "PII controller" is changed to "personal information controller" and its definition is changed, to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.2; 3.3 of ISO/IEC 27018:2019);
--- The term "PII subject" is changed to "personal information subject" and its definition is changed, to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.3; 3.4 of ISO/IEC 27018:2019);
--- The term "PII processor" is changed to "personal information processor" and its definition is changed, to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.4; 3.5 of ISO/IEC 27018:2019);
--- The term "PII processing" is changed to "personal information processing" and its definition is changed, to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.5; 3.6 of ISO/IEC 27018:2019);
--- ISO/IEC 27002 in the table title is changed to GB/T 22081 (see Table 1; Table 1 of ISO/IEC 27018:2019);
--- A recommendation is added on processors entrusting subcontractors to process personal information, consistent with the requirements on entrusted parties in 9.1 c) 2) of GB/T 35273-2020 (see 5.1.1);
--- The statement in "Public cloud PII protection - other information" that laws and regulations impose different requirements on processors and controllers is deleted, to comply with China's rules for drafting standardization documents (see 5.1.1 of ISO/IEC 27018:2019);
--- The legal and regulatory requirements on penalties for processors in "Public cloud PII protection - other information" are deleted, to comply with China's rules for drafting standardization documents (see 7.2.2 of ISO/IEC 27018:2019);
--- Requirements are added on the use of cryptographic techniques to address confidentiality, integrity, authenticity and non-repudiation requirements (see 10.1.1);
--- A recommendation is added on processors transferring personal information, consistent with the relevant provisions of GB/T 35273-2020 (see B.2.3);
--- Recommendations are added on processors providing personal information overseas, to suit China's technical conditions and facilitate the application of this document (see B.4.1, B.7.14);
--- A recommendation is added on processors entrusting an agent to process personal information, consistent with the requirements on entrusted parties in 9.1 c) 2) of GB/T 35273-2020 (see B.7.1);
--- A recommendation is added on the information that data recovery logs should contain (see B.7.3);
--- The legal wording on the processor's notification obligation in the "Public cloud PII protection implementation guidance" is deleted, to comply with China's rules for drafting standardization documents (see A.10.1 of ISO/IEC 27018:2019).

The following editorial changes have been made to this document:
--- For consistency with the existing series of standards, the title is changed to "Information technology - Security techniques - Code of practice for protection of personal information in public clouds";
--- The classification principle for the new controls in Appendix B is changed to be consistent with China's personal information protection principles (see B.1; A.1 of ISO/IEC 27018:2019);
--- An explanation of "off-chain" is added to improve the readability of the terms and facilitate the application of this document (see Note 1 of B.2.3);
--- An explanation of "degaussing" is added to improve the readability of the terms and facilitate the application of this document (see Note 2 of B.2.3);
--- Appendix A (informative) "Comparison of structure numbers between this document and ISO/IEC 27018:2019" is added;
--- Appendix C (informative) "Relationship between cloud service providers, cloud service customers and cloud service users" is added;
--- The Note to 9.2.1 of ISO/IEC 27018:2019 is deleted;
--- The Note to 10.1.1 of ISO/IEC 27018:2019 is deleted;
--- Note 1 and Note 2 to 12.3.1 of ISO/IEC 27018:2019 are deleted;
--- The example in A.6.1 of ISO/IEC 27018:2019 is deleted;
--- The first sentence of the Note to A.11.3 of ISO/IEC 27018:2019 is deleted;
--- The other principle under which this control and its guidance may be classified is changed to the principle of "openness and transparency", consistent with China's personal information protection principles (see Note 3 of B.2.3; Note to A.10.3 of ISO/IEC 27018:2019);
--- The wording of the principles followed in the "Public cloud PII protection implementation guidance" regarding the collection and use of PII is changed, consistent with China's personal information protection principles (see B.3.1; A.3.1 of ISO/IEC 27018:2019);
--- "PII controller" in the "Public cloud PII protection implementation guidance" is changed to "cloud service customer", to improve readability and facilitate the application of this document (see B.8.1; A.2.1 of ISO/IEC 27018:2019).

Please note that some of the content of this document may be the subject of patents.
The issuing agency of this document assumes no responsibility for identifying patents.
This document is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
This document was drafted by: Shandong Institute of Standardization, Hangzhou Tuoshen Technology Co., Ltd., China Cybersecurity Review Technology and Certification Center, Shaanxi Provincial Network and Information Security Evaluation Center, Elong.com Information Technology (Beijing) Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Beijing Qiandaibao Payment Technology Co., Ltd., National Industrial Information Security Development Research Center, Tencent Cloud Computing (Beijing) Co., Ltd., Shaanxi Information Engineering Research Institute, CLP Data Service Co., Ltd., Shanghai Information Security Industry Association, Shanghai Anyan Information Technology Co., Ltd., Anhui Electronic Products Supervision and Inspection Institute, Shandong Zhongshi Information Technology Co., Ltd.
The main drafters of this document: Wang Qingsheng, You You, Dang Bin, Min Jinghua, Lan Anna, Liu Caiyun, Wang Yongxia, Zhang Yong, Zhang Bo, Zhou Yachao, Sun Yan, Zhang Xuanming, Jin Qian, Wang Liqiang, Zhao Shouhua, Wang Aiyi, Yang Fan, Shi Lei, Huang Lei, Wang Lidong, Zhao Qianqian, Ma Zhuoyuan, Jia Mengni, Yan Yuyun, Qin Feng, Yang Xiangdong, Wang Fazhong, Xu Liqian, Fan Zhengxiang, Yu Xiuyan, Liu Kanpu, Wu Bo.

Introduction
0.1 Background and context
In recent years, more and more cloud service customers use the services of cloud service providers and entrust them with the processing of personal information. GB/T 35273-2020 sets out requirements for the party that accepts entrusted processing (called the "entrusted party" in 9.1 of GB/T 35273-2020, and the "processor" in this document; the two terms refer to the same party).
This document provides a general compliance framework for the protection of personal information in public clouds, guiding processors in carrying out personal information processing operations in a public cloud. Public cloud service providers are usually required to sign contracts with cloud service customers and to provide services on the premise of complying with the personal information protection laws and regulations applicable to both parties. With respect to these personal information protection requirements, cloud service providers and cloud service customers are bound by laws and regulations and by the contracts between them. When a public cloud service provider processes personal information in accordance with the requirements of a cloud service customer, the public cloud service provider acts in the role of "personal information processor". The cloud service customer that has a contractual relationship with the public cloud personal information processor is the "personal information controller". In the cloud computing environment, the personal information controller has the right to control personal information and also has the authority to process and use it. Both the personal information controller and the personal information processor can process personal information, but the personal information processor, as the entrusted party, may only perform the personal information processing operations requested by the personal information controller and the operations necessary to achieve the controller's purposes. At the same time, a cloud service customer may also authorize one or more cloud service users to use its services, but these services are limited to the services agreed in the contract between the cloud service customer and the public cloud personal information processor.
The purpose of this document is to create a common set of control categories and controls that are used in combination with the information security control objectives and controls in GB/T 22081 and are implemented by the personal information processor. The purposes of this document are as follows:
--- to help public cloud personal information processors fulfil their obligations, including direct obligations laid down by laws and regulations and other obligations set out in contracts;
--- to make public cloud personal information processors transparent in related matters, so that cloud service customers can select well-managed cloud-based personal information processing services;
--- to assist cloud service customers and public cloud personal information processors in concluding contracts and agreements;
--- to provide a mechanism by which cloud service customers can exercise their audit rights and assume their compliance responsibilities in cases where data hosted on multi-party or virtualized servers (clouds) cannot be audited by an individual cloud service customer, or where such audits may increase the risk to existing physical and logical network security controls.
This document provides a general compliance framework for public cloud service providers, especially those operating across borders.

0.2 Personal information protection controls for public cloud computing services
Public cloud personal information processors implementing a cloud computing information security management system based on GB/T 22080 may refer to this document when selecting personal information protection controls. This document may also serve as a guidance document for public cloud personal information processors implementing generally accepted personal information protection controls. In particular, on the basis of GB/T 22081, this document takes into account the specific risk environment faced by personal information processors.
Generally speaking, organizations implement GB/T 22080 to protect their own information assets. However, the personal information protected by a public cloud personal information processor is in fact an information asset of the cloud service customer. It is therefore reasonable and necessary for the public cloud personal information processor to implement the controls of GB/T 22081. At the same time, to suit the characteristic dispersion of risk in the public cloud computing environment and to meet the contractual requirements between cloud service customers and public cloud personal information processors, this document enhances the controls in GB/T 22081. This document enhances GB/T 22081 in the following two ways:
--- it provides implementation guidance applicable to personal information protection in public clouds for certain controls in GB/T 22081;
--- Appendix B provides a new set of controls and related guidance to address public cloud personal information protection requirements that are not met by the set of controls in GB/T 22081.

0.3 Personal information protection requirements
An organization determines its requirements for the protection of personal information. These requirements come from the following three main sources:
a) Legal, statutory, regulatory and contractual requirements. One source is the legal, statutory, regulatory and contractual requirements or obligations, together with socio-cultural responsibilities and operating environment requirements. It should be noted that laws, regulations and contracts may mandate that personal information processors select specific controls, or may require them to develop specific guidance for implementing those controls.
b) Risk. Another source is the organization's assessment of the risks associated with personal information, taking into account the organization's overall business strategy and objectives.
Organizations use risk assessment to identify threats, assess vulnerabilities and the likelihood of occurrence, and estimate potential impacts. GB/T 31722 provides information security risk management guidance, including recommendations on risk assessment, risk acceptance, risk communication, risk monitoring and risk review. ISO/IEC 29134 provides guidance on privacy impact assessment.
c) Organizational policy. Although organizational policy covers many obligations arising from law and social culture, an organization may voluntarily choose to go beyond the requirements in a).

0.4 Selection and implementation of controls in the cloud computing environment
An organization may select controls from this document (including the referenced controls of GB/T 22081, as well as the application-specific new controls in the reference control set included in this document). If desired, the organization may also select controls from other control sets, or design new controls to meet specific requireme......