
GB/T 37973-2019 (GBT37973-2019)


Standard ID: GB/T 37973-2019 (GB/T37973-2019)
Description (Translated English): Information security technology -- Big data security management guide
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 22,260
Date of Issue: 2019-08-30
Date of Implementation: 2020-03-01
Drafting Organization: Sichuan University, China Electronics Standardization Institute, Tsinghua University, China Mobile Co., Ltd., Shenzhen Tencent Computer System Co., Ltd., Alibaba Cloud Computing Co., Ltd., Guangzhou Saibao Certification Center Service Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd., Huawei Technologies Co., Ltd., Chengdu Supercomputing Center Co., Ltd., Shaanxi Information Engineering Research Institute, Beijing Qihoo Technology Co., Ltd., Beijing Qi Anxin Technology Co., Ltd., UnionPay Smart Information Service (Shanghai) Co., Ltd., Beijing Huayu Software Co., Ltd., China Electronics Technology Network Information Security Co., Ltd.
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration


GB/T 37973-2019
ICS 35.040
L 80
Information security technology -
Big data security management guide
Issued by: State Administration for Market Regulation;
Standardization Administration of the PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of big data security management
4.1 Goals of big data security management
4.2 Main content of big data security management
4.3 Roles and responsibilities of big data security management
5 Basic principles of big data security management
5.1 Clear responsibilities
5.2 Security compliance
5.3 Quality assurance
5.4 Data minimization
5.5 Responsibilities not transferring with data
5.6 Minimum authorization
5.7 Ensure security
5.8 Auditability
6 Big data security requirements
6.1 Confidentiality
6.2 Integrity
6.3 Availability
6.4 Other requirements
7 Data classifying and grading
7.1 Principles of data classifying and grading
7.2 Process of data classifying and grading
7.3 Data classifying methods
7.4 Data grading methods
8 Big data activities and security requirements
8.1 Main activities of big data
8.2 Data collection
8.3 Data storage
8.4 Data processing
8.5 Data distribution
8.6 Data deletion
9 Assessment of big data security risks
9.1 Overview
9.2 Asset identification
9.3 Threat identification
9.4 Vulnerability identification
9.5 Confirmation of existing security measures
9.6 Risk analysis
Appendix A (Informative) Example of data classifying and grading in the telecom industry
Appendix B (Informative) Examples of life science big data risk analysis
Appendix C (Informative) Big data security risks
Bibliography
Information security technology -
Big data security management guide
1 Scope
This Standard puts forward the basic principles of big data security
management, and specifies big data security requirements, data classifying and
grading, security requirements for big data activities, and the assessment of big
data security risks.
This Standard applies to various organizations for data security management,
and can also be used as a reference by third-party assessment agencies.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition with the date indicated applies to this
document. For undated references, the latest edition (including all amendments)
applies to this document.
GB/T 7027-2002 The basic principles and methods for information
classifying and coding
GB/T 20984-2007 Information security technology - Risk assessment
specification for information security
GB/T 25069-2010 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 35274-2017 Information security technology - Security capability
requirements for big data services
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010, GB/T 20984-2007 and
GB/T 35274-2017 and the following ones apply to this document.
a) Meet the requirements of personal information protection and data
protection laws, regulations, standards, etc.;
b) Meet the data protection requirements of big data related parties;
c) Through technology and management methods, ensure that the data
security risks under its own control and management are controllable.
4.2 Main content of big data security management
Big data security management mainly includes the following:
a) Clarify data security requirements. The organization shall analyze the new
problems faced by the confidentiality, integrity and availability of data in
the big data environment; analyze the influence that big data activities may
have on national security, social impact, public interest, personal life and
property safety, etc.; clarify the requirements for data security to address
these problems and impacts.
b) Data classifying and grading. The organization shall first classify and
grade the data. According to different data gradings, select appropriate
security measures.
c) Clarify the security requirements for big data activities. The organization
shall understand the characteristics of major big data activities, the data
operations that may be involved; clarify the security requirements of each
big data activity.
d) Assess big data security risks. In addition to carrying out information
system security risk assessments, the organization shall also assess the
big data security risks, in terms of the potential system vulnerabilities,
malicious use, consequences and other unfavorable factors in the big data
environment, as well as countermeasures.
4.3 Roles and responsibilities of big data security management
4.3.1 Overview
The organization shall establish a big data security management organizational
structure. According to the scale of the organization, the data volume of the big
data platform, business development and planning, etc., it shall also clarify
different roles and their responsibilities, including at least the following roles:
a) Big data security manager: The individual or team responsible for the
organization's big data security. Big data security managers are
responsible for decision-making in data security-related fields and links;
b) Allocate data access permissions and mechanisms for parties authorized
by big data security managers;
c) Cooperate with big data security managers to handle security incidents;
d) Record relevant logs for data activities.
4.3.4 Responsibilities of big data security auditors
The main responsibilities of big data security auditors include:
a) Review the data-related attributes such as the subject, operation and
object of the data activity, to ensure that the process and related
operations of the data activity meet the security requirements;
b) Regularly review the use of data.
5 Basic principles of big data security management
5.1 Clear responsibilities
The organization shall clarify the security responsibilities of different roles and
their big data activities. The organization shall:
a) Establish a big data security manager. According to the factors such as
organization's mission, data scale and value, organizational business, the
organization shall specify the person or department, which plays the role
of big data security manager. It can be composed of business leaders,
legal and regulatory experts, IT security experts, and data security experts.
It is responsible for the security of the organization's data and its
b) Clarify the role’s security responsibilities. The organization shall clarify the
security responsibilities of big data security managers, big data security
executors, big data security auditors, and other roles related to data
c) Clarify the implementation subject of the main activities. The organization
shall clarify the implementation subject and security responsibilities of the
main big data activities.
5.2 Security compliance
The organization shall formulate strategies and procedures, to ensure that all
data activities meet compliance requirements. The organization shall:
data security responsibilities;
d) Take effective measures, to ensure that the security incident responsibility
after data transfer can be traced.
5.6 Minimum authorization
The organization shall control data access permissions in big data activities, to
ensure that permissions are minimized on the basis of meeting business needs.
The organization shall:
a) Grant the minimum operation authorization and minimum data set to the
data activity subject;
b) Develop a data access authorization approval process; formulate an
application and approval process for changes in the data operation
authorization and scope of the data activity subject;
c) Recover expired data access permissions in a timely manner.
5.7 Ensure security
The organization shall take appropriate management and technological
measures to ensure data security. The organization shall:
a) Classify and grade data; implement appropriate security protection
measures for data with different security levels;
b) Ensure that the security control measures and strategies of the big data
platform and business are effective; protect the integrity, confidentiality
and availability of the data; ensure the security of the data life cycle;
c) Resolve the security risks and vulnerabilities found in risk assessment and
security inspections; take responsibility for security incidents caused by
improper security protection measures.
5.8 Auditability
The organization shall implement data audits on the big data platform and all
aspects of the business. The organization shall:
a) Record information about various operations in big data activities; ensure
that the records cannot be forged and tampered with;
b) Take effective technological measures, to ensure that all operations on big
data activities can be traced.
6.3 Availability
The availability requirements in the big data environment shall consider the
following aspects:
a) Anti-attack capabilities of big data platform;
b) Security analysis capabilities based on big data, such as security
intelligence analysis, data-driven misuse detection, security incident
detection, etc.;
c) Disaster tolerance capabilities of big data platform.
6.4 Other requirements
For big data security, in addition to considering the confidentiality, integrity and
availability of information systems, according to the characteristics of big data,
the organization shall also analyze security requirements from other aspects of
big data activities, including but not limited to:
a) Compliance with laws and regulations, national strategies, standards, etc.;
b) Possible social and public security impacts, and cultural inclusiveness;
c) Data sharing between cross-organizations;
d) Cross-border data flow;
e) Intellectual property protection and data value protection.
7 Data classifying and grading
7.1 Principles of data classifying and grading
Data classifying and grading shall meet the following principles:
a) Scientificity. According to the multi-dimensional characteristics of the data
and the logical associations between them, scientifically and
systematically classify the data. According to the big data security
requirements, determine the data security level.
b) Stability. Based on the most stable characteristics and attributes of the
data, the classifying and grading scheme shall be formulated.
c) Practicality. Data classifying shall ensure that there are data under each
category; no meaningless categories are set. The classification of data
categories must conform to the general understanding of data classifying.
7.3 Data classifying methods
The organization shall classify data according to Clause 6 of GB/T 7027-2002.
It can be classified according to different attributes such as data subject, subject,
and business.
7.4 Data grading methods
The organization shall grade the existing data or newly-collected data. The data
grading needs to be jointly determined by the organization's supervisors,
business experts, and security experts. For the grading of government data, in
accordance with the provisions of GB/T 31167-2014, 6.3, it shall classify non-
secret-involved data into public and sensitive data. For personal information
and personal sensitive information, it shall refer to Appendix A and Appendix B
in GB/T 35273-2017.
The processing, storage, transmission, and utilization of secret-involved
information shall be implemented in accordance with national secrecy
According to laws and regulations, business, organizational strategy, market
demand, etc., the organization may further grade sensitive data, to provide
appropriate security management and technological measures.
For different levels of data, in accordance with the provisions of Clause 4 to
Clause 6 of GB/T 35274-2017, the organization shall select appropriate
management and technological measures to implement effective security
protection for data.
8 Big data activities and security requirements
8.1 Main activities of big data
In the data life cycle, the organization may participate in one or more stages of
the data's form. The set of operational tasks that the organization may perform
on data, that is, its activities, is divided into: data collection, data
storage, data processing, data distribution, data deletion, etc.:
a) Data collection. Data enters the organization's big data environment. The
data can come from other organizations or be generated by the organization itself.
b) Data storage. Store data persistently on storage media.
c) Data processing. Through this activity, perform the duties of the
organization or achieve the goals of the organization. The processed data
b) Follow compliance principles, to ensure the legality, legitimacy and
necessity of data collection;
c) Follow the principle of data minimization. Only collect the minimum data
required by the business;
d) Follow the principle of quality assurance. Formulate data quality
assurance strategies, procedures and requirements;
e) Follow the principle of ensuring security. Classify, grade and mark the
collected data. And implement corresponding security management
strategies and safeguard measures for different types and levels of data.
Take necessary security control measures for the data collection
environment, facilities and technology.
8.3 Data storage
8.3.1 Concept of data storage activity
Data storage refers to the static storage of data on the big data platform. The
stored data includes collected data, result data analyzed and processed, etc.
The storage system can be a relational database, a non-relational database,
etc. It shall support the storage of different types and formats of data. And it
shall provide a variety of data access interfaces, such as file system interfaces,
database interfaces, etc. Until the data is completely deleted, the stored data
shall be provided with appropriate security protection by the organization.
The organization shall fully consider the security risks of using third-party data
storage platforms to store data. Because of intellectual property rights, laws and
regulations and other reasons, an organization that can effectively control
data in its storage system, such as personal information or health data, may
still not be the owner of that data. The organization nevertheless bears the
responsibility of data storage management.
The main operations of data storage activity include but are not limited to: data
coding and decoding, data encryption and decryption, graded storage of cold
and hot data, data archiving and persistent storage, data backup, data update,
data access, etc.
8.3.2 Security requirements
When an organization carries out data storage activity, it shall:
a) Separately store data of different categories and levels; adopt a physical
or logical isolation mechanism.
a) Follow the principle of responsibilities not transferring with data.
b) When personal information, important data, etc. have a situational need,
in accordance with relevant laws, regulations, policy documents and
standards, a situational security assessment shall be carried out.
c) Before data distribution, it shall conduct risk assessment on the data, to
ensure that the risk after data distribution is bearable. And through the
contract, it shall clarify the data protection responsibility of the data
d) Before data distribution, the sensitivity of the data is evaluated. Based on
the evaluation results, the sensitive information, which needs to be
distributed, is desensitized.
e) Follow the principle of auditability. Record the related information such as
time, distributing data, data recipient.
f) Evaluate the transmission security risks in data distribution, to ensure the
security of data transmission.
g) Provide an effective data security sharing mechanism.
h) Establish a review system for data release; strictly review whether the
released information meets the requirements of relevant laws and
regulations. Clarify the content and scope of data release. Conduct
regular review of released data.
8.6 Data deletion
8.6.1 Concept of data deletion activity
Data deletion activity refers to the organization's deletion of data and copies of
its own or leased big data platforms. If the data comes from an external real-
time data stream, the link with the real-time data stream shall also be
The reasons for data deletion include but are not limited to:
a) In order to reduce the risk of data leakage. Avoid inappropriate distribution
or processing of data.
b) Delete irrelevant or incorrect data. The data is no longer relevant to the
original purpose of use; or the data is incorrect.
c) Data deletion processing after business completion. The data business
completes the service goal and no longer needs to save relevant data.
e) Big data processing framework, such as stream processing framework,
interactive processing framework, offline processing framework;
f) Big data storage framework, such as distributed file system, non-relational
database, etc.;
g) Big data platform computing resource (such as CPU, memory, network,
etc.) management framework, etc.
9.3 Threat identification
When an organization carries out threat identification, it shall pay attention to
the characteristics of threats in the big data environment, including but not
limited to:
a) Potential adverse factors:
- The resources, technological capabilities, motivations, etc. of the
potential attacker. Common attackers include individuals, organizations,
countries, etc.;
- The intention of potential attackers to steal, use and misuse data;
- The resources required for big data access, storage and processing;
- The risk of direct access to data or theft of data;
- The costs and benefits of launching attacks and malicious use of big data.
b) Scientific expertise and skills required for malicious use:
- The skills and expertise required for data and result analysis;
- The technology and equipment required for data use and result analysis;
- The skills, technology, and knowledge required to take advantage of
system vulnerabilities.
c) Threat of data exit.
9.4 Vulnerability identification
When an organization carries out vulnerability identification, it shall pay
attention to the specific vulnerabilities in the big data environment, including but
not limited to:
a) The vulnerability of basic software and infrastructure such as big data
storage and processing;