Search result: GB/T 35274-2023 (GB/T 35274-2017 Older version)
Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status
GB/T 35274-2023 | English | 499 | 5 days [Need to translate] | Information security technology - Security capability requirements for big data services | Valid
GB/T 35274-2017 | English | 1199 | 5 days [Need to translate] | Information security technology -- Security capability requirements for big data services | Obsolete
Standard ID | GB/T 35274-2023 (GB/T35274-2023)
Description (Translated English) | Information security technology - Security capability requirements for big data services
Sector / Industry | National Standard (Recommended)
Classification of Chinese Standard | L80
Classification of International Standard | 35.030
Word Count Estimation | 26,237
Date of Issue | 2023-08-06
Date of Implementation | 2024-03-01
Older Standard (superseded by this standard) | GB/T 35274-2017
Drafting Organization | Tsinghua University, Peking University, China Electronics Standardization Institute, China Cybersecurity Review Technology and Certification Center, China Information Security Evaluation Center, National Computer Network Emergency Response Technology Coordination Center, Sangfor Technology Co., Ltd., Zhejiang Ant Small and Micro Financial Services Group Co., Ltd., Beijing Kuaishou Technology Co., Ltd., Alibaba (China) Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, Huakong Qingjiao Information Technology (Beijing) Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., Beijing Volcano Engine Technology Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Huawei Technologies Co., Ltd., Beijing Qihu Technology Co., Ltd., and Venus Information Technology Group
Administrative Organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) | State Administration for Market Regulation, National Standardization Administration
GB/T 35274-2023. Information security technology big data service security capability requirements
ICS 35.030
CCS L80
National Standards of People's Republic of China
Replaces GB/T 35274-2017
Information security technology
Big data service security capability requirements
Published on 2023-08-06
Implemented on 2024-03-01
Released by the State Administration for Market Regulation and the National Standardization Administration Committee
Table of contents
Preface
1 Scope
2 Normative reference documents
3 Terms and Definitions
4 Overview
5 Big data organization management security capabilities
5.1 Policies and Procedures
5.2 Organization and personnel
5.3 Asset Management
6 Big data processing security capabilities
6.1 Data collection
6.2 Data storage
6.3 Data usage
6.4 Data processing
6.5 Data transmission
6.6 Data provision
6.7 Data disclosure
6.8 Data destruction
7 Big data service security risk management capabilities
7.1 Risk identification
7.2 Security protection
7.3 Security monitoring
7.4 Safety Check
7.5 Security response
7.6 Safe recovery
References
Preface
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Standardization Work Guidelines Part 1: Structure and Drafting Rules of Standardization Documents".
This document replaces GB/T 35274-2017 "Information Security Technology Big Data Service Security Capability Requirements". Compared with GB/T 35274-2017, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) Deleted the 5 terms and definitions of data life cycle, data services, data exchange, data sharing and important data (see Chapter 3 of the 2017 edition); added the 11 terms and definitions of data processing, data security, data protection, data collection, data storage, data use, data processing, data transmission, data provision, data disclosure and data destruction (see Chapter 3); revised the descriptions of the 7 terms and definitions of big data platform, big data applications, big data systems, big data users, big data services, big data service providers and data supply chains (see Chapter 3, Chapter 3 of the 2017 edition);
b) Deleted the overall requirements (see 4.1 of the 2017 edition) and requirement classification (see 4.2 of the 2017 edition), and reorganized the overall content of the standard (see Chapter 4, 4.3 of the 2017 edition);
c) Deleted service planning and management (see 5.4 of the 2017 edition), data supply chain management (see 5.5 of the 2017 edition) and compliance management (see 5.6 of the 2017 edition); modified the security capability requirements for policies and procedures, organization and personnel, and asset management (see 5.1, 5.2, 5.3; 5.1, 5.3, 5.2 of the 2017 edition);
d) Reorganized and changed the data activity security requirements for data collection, data transmission, data storage, data processing, data exchange and data destruction; in accordance with the requirements of the Data Security Law and the Personal Information Protection Law, clarified the big data processing security capability requirements of big data service providers across the data processing activities of collection, storage, use, processing, transmission, provision, disclosure and destruction (see Chapter 6, Chapter 6 of the 2017 edition);
e) Added "big data service security risk management capabilities", which stipulates the data security risk management capabilities of big data service providers in the operation of big data systems across the stages of risk identification, security protection, security monitoring, security inspection, security response and security recovery (see Chapter 7);
f) Deleted Appendix A (see Appendix A of the 2017 edition).
Please note that some content in this document may be subject to patents. The publisher of this document assumes no responsibility for identifying patents.
This document is proposed and coordinated by the National Information Security Standardization Technical Committee (SAC/TC260).
This document was drafted by: Tsinghua University, Peking University, China Electronics Technology Standardization Institute, China Cyber Security Review Technology and Certification Center, China Information Security Evaluation Center, National Computer Network Emergency Technology Coordination Center, Sangfor Technology Co., Ltd., Zhejiang Ant Small and Micro Financial Services Group Co., Ltd., Beijing Kuaishou Technology Co., Ltd., Alibaba (China) Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, Huakong Qingjiao Information Technology (Beijing) Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., Beijing Volcano Engine Technology Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Huawei Technologies Co., Ltd., Beijing Qihu Technology Co., Ltd., Venus Information Technology Group Co., Ltd., China Software Evaluation Center (Software and Integrated Circuit Promotion Center of the Ministry of Industry and Information Technology), Beijing Shuanxing Technology Co., Ltd., Shanghai Fuyuan Technology Service Co., Ltd., Hangzhou Shiping Information Technology Co., Ltd., Beijing Xinan Century Technology Co., Ltd., Lenovo (Beijing) Co., Ltd., Hangzhou Anheng Information Technology Co., Ltd., Chengdu Guardian Information Industry Co., Ltd., Shanghai 30 Guardian Information Security Co., Ltd., Shaanxi Province Information Engineering Research Institute, Shanghai SenseTime Intelligent Technology Co., Ltd., Beijing Shenzhou Green Alliance Technology Co., Ltd., Beijing Baidu Netcom Technology Co., Ltd., Zhejiang Dahua Technology Co., Ltd., and Beijing Tengyun Tianxia Technology Co., Ltd.
The main drafters of this document: Ye Xiaojun, Xie Anming, Wu Di, Wang Jianmin, Zhao Yinghua, Xu Yujia, Liu Xiangang, Chen Xingshu, Zhao Yunwei,
Song Botao, Bai Xiaoyuan, Luo Hongwei, Chen Chi, Jin Chen, Ye Runguo, Chen Xing, Zha Haiping, Xie Jiang, Liu Yuhong, Li Jiaojiao, Zhang Yajing, Lan Anna,
Li Shiqi, Hu Ying, Jin Tao, Min Jinghua, Wang Yongxia, Ge Xiaoyu, Zhang Yi, Du Jing, Zhou Runsong, Chen Hongyun, Yang Baolei, Ding Guohui, Wu Gao, Wang Yalu,
Xu Hao, Wang Haitang, Zhang Yu, Ma Hongxia, Liu Yuling, Wang Qinglei, Weng Huihui, Pan Zhengtai, Ge Mengying.
The previous versions of this document and the documents it replaces are as follows:
---First published as GB/T 35274-2017 in 2017;
---This is the first revision.
Information security technology
Big data service security capability requirements
1 Scope
This document stipulates the big data service security capability requirements of big data service providers, including the requirements for big data organizational management security capabilities, big data processing security capabilities and big data service security risk management capabilities.
This document is applicable to guide the construction of big data service security capabilities of big data service providers, and is also applicable to third-party organizations' evaluation of big data service providers' big data service security capabilities.
2 Normative reference documents
The contents of the following documents constitute essential provisions of this document through normative references in the text. Among them, for dated referenced documents, only the version corresponding to that date applies to this document; for undated referenced documents, the latest version (including all amendments) applies to this document.
GB/T 5271 (all parts) Information technology vocabulary
GB/T 25069-2022 Information security technical terms
GB/T 35273-2020 Information Security Technology Personal Information Security Specifications
GB/T 35295-2017 Information technology big data terminology
3 Terms and definitions
The terms and definitions defined in GB/T 5271 (all parts), GB/T 25069-2022, GB/T 35273-2020 and GB/T 35295-2017 and the following terms and definitions apply to this document.
3.1
big data
Data comprising large datasets that have the characteristics of huge volume, diverse sources, extremely fast generation and variability, and that are difficult to process effectively with traditional data architectures.
[Source: GB/T 35295-2017, 2.1.1]
3.2
data handling
Activities in which a system executes data operations to achieve specific purposes, such as data collection, storage, use, processing, transmission, provision, disclosure and destruction.
Note: Data operations include mathematical operations or logical operations on data, merging or classifying data, text operations, storage, retrieval, display or printing, data mining analysis, data visualization, etc.
[Source: GB/T 5271.1-2000, 01.01.06, with modifications]
3.3
data collection
According to specific purposes and requirements, select and obtain data from one or more data sources, and clean, identify, load, etc. the data.
......
GB/T 35274-2017
Information security technology-Security capability requirements for big data services
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Big Data Service Security Capability Requirements
Issued on 2017-12-29
Implemented on 2018-07-01
Released by the General Administration of Quality Supervision, Inspection and Quarantine of People's Republic of China and the China National Standardization Administration
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 General Requirements
4.2 Requirements classification
5 Basic safety requirements
5.1 Strategies and Procedures
5.2 Data and System Assets
5.3 Organization and personnel management
5.4 Service Planning and Management
5.5 Data Supply Chain Management
5.6 Compliance Management
6 Data Services Security Requirements
6.1 Data Acquisition
6.2 Data Transmission
6.3 Data Storage
6.4 Data Processing
6.5 Data Exchange
6.6 Data destruction
Appendix A (Informative) Big Data Service Model, User Roles and Business Goals
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some content of this document may involve patents. The issuing agencies of this document do not bear the responsibility of identifying these patents.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
This standard was drafted by: Tsinghua University, China Electronics Standardization Institute, China Information Security Assessment Center, Alibaba (Beijing) Software Services Ltd., China Mobile Communications Corporation, Zhejiang Ant Micro Financial Services Group Co., Ltd., Ali Cloud Computing Co., Ltd., Venus Information Technology Group Co., Ltd., Lenovo (Beijing) Co., Ltd., Sichuan University, Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Testing Center), Huawei Technologies Co., Ltd., China Electronics Technology Network Information Security Co., Ltd., Shenzhen Tencent Computer System Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Shaanxi Province Institute of Information Engineering, Guangzhou Saibao Certification Center Services Ltd., Tianjin Nanda General Data Technology Co., Ltd., Xi'an Future International Information Co., Ltd., Sangfor Technology Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences (State Key Laboratory of Information Security), Institute of Software, Chinese Academy of Sciences, Beijing Jingdong San Bai Lu Baidu e-commerce Co., Ltd., National Information Technology Security Research Center, Beijing Kuang En Network Technology Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd., Beijing Qihoo Technology Co., Ltd., Beijing Digital World Information Technology Co., Ltd., Northwest University.
The main drafters of this standard: Ye Xiaojun, Ye Runuo, Xie Anming, Wang Jianmin, Liu Xian Gang, Chen Xing Shu, Hu Ying, Chen Xing, Chen Xuexiu, Li Kepeng,
Jiang Weijiang, Min Jinghua, Zhang Yong, Wang Yu, Zhou Bo, Sun Yin Yin, Cheng Guangming, Huang Shaoqing, Ren Lanfang, Wang Yongxia, Ge Xiaoyu, Wang Ya Lu,
Mei Jingting, Zhao Wei, Li Ruxin, Jin Tao, Liu Xie, Guo Xiaolei, Ma Hongxia, Liu Yuling, Zhang Huiwen, Liu Bozhong, Li Xiaoding, Du Jing, Dai Wei,
Any hope, Sun Qian, Zhang Bin, Feng Yunbo, Luo Yonggang, Bao Xuhua, Zhu Hongru, Zhourong Song, Sun Yan.
Introduction
Big data services are a kind of network information service that, for datasets characterized by huge volume, variety, fast flow and changeable features, covers the data activities of the data life cycle by means of an underlying scalable big data platform and a variety of upper-level big data applications. Big data service providers ensure that big data platforms and applications run safely and reliably in order to meet the overall big data service security goals of confidentiality, integrity, availability, etc.
This standard divides big data service security capabilities into two levels: general requirements and enhanced requirements. The general requirements are that big data service providers, when carrying out big data services, can resist or cope with common threats, can limit the loss after big data services are damaged to a limited scope and extent, and have basic event traceability. The enhanced requirements apply where big data services involve national security or have a greater impact on economic development and social and public interests: big data service providers have a certain ability to proactively identify and prevent potential attacks, can effectively limit security incidents and their losses to a smaller range, and ensure the effectiveness of security incident traceability and the reliability, extensibility and scalability of big data services. The security capability requirements on big data service providers also differ depending on the importance of the data carried and the scope and severity of the harm that may result if the big data service cannot provide service or is damaged.
Information Security Technology
Big Data Service Security Capability Requirements
1 Scope
This standard specifies the organization-related basic security capabilities and the data life-cycle-related data service security capabilities that big data service providers should have.
This standard applies to government departments, enterprises and institutions building big data service security capabilities, and also to third-party agencies conducting security review and assessment of big data service providers' big data services.
2 Normative references
The following documents are essential for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 22239-2008 Information security technology - Information system - Security level protection - Basic requirements
Information technology - Security terminology
Information security technology Cloud computing service security capability requirements
GB/T 35273-2017 Information security technology personal information security specification
GB/T 35295-2017 Information technology - Big data terms
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010 and GB/T 35295-2017 and the following terms and definitions apply to this document.
3.1
Big data
Datasets with features such as huge volume, variety, fast flow and changeability, which are difficult to efficiently organize, store, calculate, analyze and manage using traditional data architectures and data processing technologies.
3.2
Data lifecycle
The evolution of data through its forms of existence, from generation, through data acquisition, data transmission, data storage, data processing (including calculation, analysis, visualization, etc.) and data exchange, until data destruction.
3.3
Data service
A kind of network information service that provides the data lifecycle activities of data collection, data transmission, data storage, data processing (including calculation, analysis, visualization, etc.), data exchange, data destruction, etc.
3.4
Big data service
Various data services and system services related to the data lifecycle, such as big data collection, storage, usage and data value discovery, that support organizations or individuals.
Note. Big data services are generally faced with massive, heterogeneous and rapidly changing structured, semi-structured and unstructured data services, and through the underlying scalable
......