| Standard ID | Contents | Price (USD) | Delivery | Standard Title (Description) | Status |
| --- | --- | --- | --- | --- | --- |
| GB/T 27910-2011 | English | RFQ (ask) | 8 days (needs translation) | Financial services -- Information security guidelines | Obsolete |
Basic data

| Field | Value |
| --- | --- |
| Standard ID | GB/T 27910-2011 (GB/T27910-2011) |
| Description (translated English) | Financial services -- Information security guidelines |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | A11 |
| Classification of International Standard | 03.060 |
| Word Count Estimation | 58,580 |
| Date of Issue | 2011-12-30 |
| Date of Implementation | 2012-02-01 |
| Quoted Standards | ISO 9564-1; ISO 9564-2; ISO 9564-3; ISO 10202-1; ISO 10202-2; ISO 10202-3; ISO 10202-4; ISO 10202-5; ISO 10202-6; ISO 10202-7; ISO 10202-8; ISO 11568-1; ISO 11568-2; ISO 11568-3; ISO 11568-4; ISO 11568-5; ISO 11568-6; ISO/IEC 11770-1; ISO/IEC 11770-2; ISO/IEC 11770-3; ISO/IEC 11770-4; ISO 15782-1; ISO 15782-2; ISO 16609:2004; ISO/IEC 27002; ISO/IEC 18028-1; ISO/IEC 18028-2; ISO/IEC 18028-3; ISO/IEC 18028-4; ISO/IEC 18028-5; ISO/IEC 18033-1; ISO/IEC 18033-2; ISO/IEC 18033-3; ISO 21188 |
| Adopted Standard | ISO/TR 13569:2005, MOD |
| Regulation (derived from) | Announcement of Newly Approved National Standards No. 23 of 2011 |
| Issuing agency(ies) | General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China |
| Summary | This standard provides financial institutions with a guide to developing an information security program. The guide covers policy discussion, organization, and the structural components of the program, including laws and regulations. It discusses what should be taken into account when selecting and implementing security controls, as well as the elements of managing information security risk in modern financial services organizations, and gives recommendations on the aspects that institutions should consider based on their business environment, practices and procedures. The standard also discusses legal compliance issues, which must be considered in the design and implementation phases. It applies to financial institutions as a reference when developing information security programs. |
GB/T 27910-2011: Financial services -- Information security guidelines. This is a DRAFT version for illustration, not a final translation. A full copy of the true PDF in English (including equations, symbols, images, flow charts, tables and figures) will be translated manually and carefully upon order.
ICS 03.060
A11
National Standard of the People's Republic of China
Financial services -- Information security guidelines
(ISO/TR 13569:2005, MOD)
Issued on 2011-12-30
Implemented on 2012-02-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Corporate information security policy
6 Information security management program
7 Information security organization
8 Risk analysis and assessment
9 Selection and implementation of security controls
10 IT system controls
11 Implementation of specific controls
12 Auxiliary items
13 Follow-up protective measures
14 Incident handling
Appendix A (informative) Sample documents
Appendix B (informative) Web services security analysis example
Appendix C (informative) Risk assessment notes
Appendix D (informative) Technical controls
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was prepared by the redrafting method as a modified adoption of the international standard ISO/TR 13569:2005 "Financial services -- Information security guidelines".
Taking China's national conditions into account, the following technical changes were made when adopting ISO/TR 13569:2005:
--- The original 5.2 "Legal and regulatory compliance" was deleted, because that part describes the laws and regulations of foreign countries, which differ from the domestic situation;
--- Since ISO/IEC 17799:2005 was officially renumbered as ISO/IEC 27002:2005 in July 2007, this standard replaces the reference to that standard with an undated reference to ISO/IEC 27002;
--- Some errors in the original were corrected, for example "E.2.3" in D.2.4 was corrected to "D.2.3".
For ease of use, this standard also made the following editorial change:
--- The ISO foreword was deleted.
The international normative document referenced in this standard corresponds to the following Chinese document:
GB/T 22081 Information technology - Security techniques - Code of practice for information security management (GB/T 22081-2008, ISO/IEC 27002:2005, IDT)
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Financial Standardization (SAC/TC 180).
This standard was drafted by China Financial Computerization Corporation.
Organizations participating in the drafting of this standard: People's Bank of China, Agricultural Bank of China, China Merchants Bank, Shanghai Pudong Development Bank, China Information Security Assessment Center, notes in the credit card industry Development Company Limited.
Main drafters of this standard: Wang Ping baby, Lushu Chun, Wang Tao, Yang Qian, Li Shuguang, Liu Yun, Wang Lianjiang, Dai Zhonghua, Don step days, Li Xun, Chen Jie, Li Anan, Zhaozhi Lan, Jia Shuhui, Tian Jie Yun Jing, Zhang Yan, Ma Xiaoqiong.
Introduction
With the introduction of computer and network technology, the delivery of financial services has changed greatly, reflected in a growing dependence on electronic transactions, which in turn has created a need to manage the security of information and communication technology. Every day, large amounts of funds and securities transaction information are transmitted by electronic means of communication, and such communication is controlled by security policies based on business rules.
The vast open environment and the mass of electronic transactions bring great risk to financial institutions. Highly interconnected networks and increasingly skilled malicious attackers raise the risk to banks and their customers, and when financial transactions involve important payment systems, the consequences may adversely affect domestic and international financial markets.
In order to expand financial services in an open environment while managing risk effectively, financial institutions should establish a strong and effective enterprise-wide information security program. Financial institutions should establish appropriate agreements governing security and business practices, external procurement processes and security controls, so as to build information security programs, reduce risk, and meet domestic and international laws and regulations.
As the Basel guidance warns us, operational, legal and regulatory risks may cause or worsen credit and liquidity risks. Managing these risks has become the core of a financial organization's information security program. Each institution must interpret specific risk controls according to its own business activities. Operational risks, including fraud and criminal activity, natural disasters and terrorist activity, must be given careful consideration. Response plans must also be developed for low-probability events, such as the Asian tsunami of December 2004 and the terrorist attacks of September 11, 2001.
This standard provides financial institutions of different sizes and types with a prudent and cost-reasonable information security management program for their business; it also serves as a guide for the service providers of financial institutions. For training institutions and publishers serving the financial industry, this standard can also be used as a source document.
The goals of this standard are to:
--- define an information security management program;
--- propose the policy, organization and structural components that are necessary;
--- propose guidance for selecting security controls in financial applications, based on acceptable business prudential measures;
--- propose an information security management program that systematically addresses the risk management needs arising from financial services laws and regulations.
This standard does not provide a single, general solution for all financial institutions. Each financial institution must conduct its own risk analysis and select appropriate measures. This standard provides process management guidelines rather than specific solutions.
Financial Services Information Security Guidelines
1 Scope
This standard provides financial institutions with a guide to developing an information security program. The guide covers policy discussion, organization, and the structural components of the program, including laws and regulations. It discusses what should be considered in selecting and implementing security controls and the elements of managing information security risk in modern financial services organizations, and gives recommendations on the aspects that institutions should consider based on their business environment, practices and procedures. It also discusses legal compliance issues, which need to be considered in the design and implementation phases of the program.
This standard applies to financial institutions as a reference when developing information security programs.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including any amendments) applies to this document.
ISO 9564 (all parts) Banking - Personal Identification Number (PIN) management and security
ISO 10202 (all parts) Financial transaction cards - Security architecture of financial transaction systems using integrated circuit cards
ISO 11568 (all parts) Banking - Key management (retail)
ISO/IEC 11770 (all parts) Information technology - Security techniques - Key management
ISO 15782 (all parts) Certificate management for financial services
ISO 16609:2004 Banking - Requirements for message authentication using symmetric techniques
ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security management
ISO/IEC 18028 (all parts) Information technology - Security techniques - IT network security
ISO/IEC 18033 (all parts) Information technology - Security techniques - Encryption algorithms
ISO 21188 Public key infrastructure for financial services - Practices and policy framework
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
access control
The capability of allowing only authorized personnel to access information or applications (or information processing facilities), including physical access control (placing a physical barrier between unauthorized personnel and the protected information resources) and logical access control (restricting use by other means).