
JR/T 0071.5-2020: Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements
Status: Valid

Basic data

Standard ID: JR/T 0071.5-2020 (JR/T0071.5-2020)
Description (Translated English): Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Classification of International Standard: 03.060
Word Count Estimation: 13,140
Date of Issue: 2020
Date of Implementation: 2020-11-11
Issuing agency(ies): People's Bank of China

JR/T 0071.5-2020: Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements


Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements

People's Republic of China Financial Industry Standard

Released 2020-11-11; implemented 2020-11-11
Issued by the People's Bank of China

Contents
1 Scope
2 Normative references
3 Audit objectives
4 Auditor requirements
5 Audit information management requirements
6 Audit process requirements
7 Audit content requirements
References

Foreword

JR/T 0071 "Implementation Guidelines for Classified Protection of Cybersecurity in the Financial Industry" consists of the following six parts:
--Part 1: Basics and terminology;
--Part 2: Basic requirements;
--Part 3: Job competence requirements and evaluation guidelines;
--Part 4: Training guidelines;
--Part 5: Audit requirements;
--Part 6: Audit guidelines.
This part is Part 5 of JR/T 0071.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by the People's Bank of China.
This part is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
Drafting organizations of this part: the Science and Technology Department of the People's Bank of China, the Statistics, Information and Risk Monitoring Department of the China Banking and Insurance Regulatory Commission, China Financial Electronics Corporation, and Beijing Zhongjin Guosheng Certification Co., Ltd.
The main drafters of this part: Li Wei, Chen Liwu, Shen Xiaoyan, Che Zhen, Zan Xin, Xia Lei, Fang Yi, Zhang Haiyan, Tang Hui, Li Fan, Wang Haitao, Zhang Lu, Hou Manli, Pan Liyang, Deng Hao, Zhao Fangmeng, Qiao Yuan, Sun Guodong, Liu Wenjuan, Cui Ying, Chen Xuefeng, Ma Chenglong, Du Wei, Li Ruifeng.

Introduction

Classified protection of cybersecurity is a basic system for national cybersecurity assurance work. Important systems in the financial industry concern the national economy and the people's livelihood and are key protection objects of national cybersecurity, so a series of classified protection standards suited to the financial industry is needed to support, standardize and guide the implementation of classified protection in the financial industry. With the widespread application of new technologies such as cloud computing, mobile internet, the Internet of Things, and big data, financial institutions are continuing to transform their IT architectures in line with their own development needs. In order to adapt the development of classified protection of cybersecurity in the financial industry to new technologies, new applications and new architectures, JR/T 0071 has now been revised. The revised JR/T 0071 is based on the relevant national requirements for classified protection of cybersecurity; it provides methodology, specific construction measures and technical guidance for cybersecurity construction in the financial industry, and improves the financial industry's classified protection system so that it is better adapted to the application of new technologies in the financial industry.

1 Scope

This part specifies the requirements for implementing audits of classified protection of cybersecurity in financial institutions. This part is applicable to guiding financial institutions, evaluation institutions, and the financial industry's competent authorities for classified protection of cybersecurity in implementing classified protection audit work.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.

GB/T 25058 Information security technology - Implementation guide for classified protection of cybersecurity

3 Audit objectives

Through the classified protection audit, obtain relevant evidence of the financial institution's classified protection work and review it, in order to determine whether the requirements of classified protection of cybersecurity have been followed in each financial institution's work, such as grading, filing, construction and rectification, self-examination, and security inspection.

4 Auditor requirements

4.1 Auditing principles

Auditors should follow the following principles during the audit process:
a) Ethical behavior: auditors should be honest and upright and keep the secrets of the audited institution.
b) Fair presentation: auditors should report the audit results truthfully and accurately.
c) Professional competence: auditors should have the auditing competence required.
d) Independence: auditors should be free of prejudice, have no conflicts of interest with the audited institution, and maintain an objective mind throughout the audit process, so that the audit findings and conclusions are based only on the audit evidence.
e) Evidence-based: audit evidence should be based on available samples of information.

4.2 Competence requirements

Auditors who implement classified protection audits for the financial industry should have the following capabilities:
a) Familiarity with the relevant policies and regulations on classified protection of cybersecurity.
b) A correct understanding of the standard system for classified protection of cybersecurity and the main content of its standards.
c) Familiarity with the whole process of classified protection work, including the requirements for grading, filing, construction and rectification, evaluation self-examination, and security inspection.
d) Mastery of basic cybersecurity knowledge and familiarity with audit methods and procedures.
e) The ability to analyze and judge comprehensively, to ensure the objectivity and accuracy of audit conclusions as a whole, and to express findings clearly in writing.

4.3 Personnel training

Auditors who implement classified protection audits of the financial industry should participate in the training on relevant standards organized by the financial industry's competent authority for classified protection of cybersecurity, in order to master the various requirements for classified protection work in the financial industry.

4.4 Personnel records

Auditors should submit up-to-date records of their education, work experience, training and audit experience, as the basis for the audit institution to select auditors when arranging audit work.

5 Audit information management requirements

5.1 Confidentiality requirements

Audit institutions are responsible for the confidentiality of information about the financial institution's business, technology and audit process obtained during the audit. Auditors should identify, in accordance with the audit institution's requirements, whether all information obtained or generated during the audit requires confidentiality. Auditors and related personnel should not disseminate or leak confidential information in any form or on any pretext. When the law requires confidential information to be provided to a third party, the audit institution shall, unless otherwise specified, inform the financial institution in advance of the information required by law. When it is necessary to provide confidential information to other agencies (such as public security departments or state secrecy departments), the audit institution should inform the financial institution of this action. Audit institutions shall apply confidentiality management to information on audit activities, and configure and use corresponding secure processing equipment and facilities as required. Secure processing equipment and facilities are used mainly for the creation, custody, storage, reproduction and final disposal of classified information.

5.2 Integrity requirements

When media containing financial institution information (such as paper documents or CDs) are physically transported, reliable transmission channels should be used to prevent unauthorized access, information tampering, improper use or destruction. When necessary, special controls should be taken to protect key information from unauthorized disclosure or tampering, such as hand delivery or the use of tamper-proof packaging. Information transmitted in electronic messages should be given appropriate protection to prevent unauthorized access and tampering, for example by means of encryption, hashing or electronic signatures.

6 Audit process requirements

6.1 General

6.1.1 General requirements

The audit institution shall prepare an audit plan for each audit as the basis for reaching agreement with the financial institution on the schedule and implementation of audit activities. The audit institution shall communicate the audit plan to the financial institution in advance and agree on the audit date. The audit institution shall formally establish an audit team, clarify its tasks, and inform the financial institution. The audit institution shall require the audit team to:
a) Inspect and verify the documents and records of the financial institution relating to the grading, filing, construction and rectification, self-examination, and security inspection of its classified protection work.
b) Confirm that the above aspects meet all the requirements of the financial industry's classified protection documents and standards.
c) Confirm that the financial institution has effectively established, implemented, and continued to carry out the various activities of classified protection work.
d) Inform the financial institution of any non-conformities with the requirements so that it can take corrective measures.
The audit institution shall provide a written report for each audit. The audit team may offer suggestions for improvement, but should not propose specific solutions. For non-conformities found in the audit, the audit institution shall require the financial institution to analyze the causes within the prescribed time limit and describe the specific corrective measures it has taken or plans to take to eliminate the non-conformities. The audit institution shall review the corrective actions submitted by the financial institution to determine whether they are acceptable.

6.1.2 Audit team

The audit institution shall formally establish an audit team and provide it with the corresponding working documents. The audit institution shall clearly define the tasks of the audit team and make them known to the financial institution. The tasks shall include checking the grading, filing, construction and rectification, self-examination and security inspection of the financial institution, and confirming that they meet the relevant requirements.

6.1.3 Audit scope

The audit team shall, in accordance with all applicable audit requirements, audit the classified protection of cybersecurity of the financial institutions within the defined scope. The audit institution shall ensure that the relevant equipment and related components...

6.1.4 Audit report

Before leaving the premises of the financial institution, the audit institution shall convene a meeting of the audit team and the financial institution's management and explain to the financial institution, in writing or verbally, the compliance findings made during the audit, the deficiencies in the financial institution's classified protection work, and the rectification requirements. The audit institution should require the audit team to provide an audit report that includes the compliance findings on the financial institution's fulfilment of all the requirements of classified protection work.

6.2 Audit preparation

The audit institution should form an audit team and assign audit tasks. The audit team leader should prepare an audit plan, and the audit team members should compile an applicable checklist according to the circumstances. The audit institution should require the financial institution to make the necessary preparations for implementing the audit, including providing the documents to be inspected and access to areas, records and personnel. Before the on-site audit, the financial institution should provide at least the following information:
a) The overall description document of the classified protection objects.
b) Evidence documents for the grading, filing, construction and rectification, evaluation self-examination, and security inspection of the classified protection objects.

6.3 On-site audit

6.3.1 Obtaining audit evidence

During the audit, the audit team should collect information related to the audit criteria based on the audit content, including process information and result information related to activities such as grading, filing, construction and rectification, evaluation self-examination, and security inspection. Where a financial institution has a large number of widely distributed and scattered protection objects, appropriate sampling methods should be used for collection and verification. Only verifiable information can be used as audit evidence and recorded.

6.3.2 Forming audit findings...
......
