
GB/T 39770-2021 English PDF

US$259.00 · In stock
Delivery: <= 3 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 39770-2021: Information technology service - Service security requirements
Status: Valid


Basic data

Standard ID: GB/T 39770-2021 (GB/T39770-2021)
Description (translated English): Information technology service - Service security requirements
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L77
Word count estimation: 14,144
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration

GB/T 39770-2021: Information technology service - Service security requirements

---This is a DRAFT version for illustration, not a final translation. A full copy of the true-PDF in English (including equations, symbols, images, flow charts, tables and figures) will be manually and carefully translated upon your order.

ICS 35.080
L77
National Standards of the People's Republic of China
Information technology service - Service security requirements
Released on 2021-03-09; implemented on 2021-10-01
Issued by the State Administration of Market Supervision and Administration and the National Standardization Management Committee

Table of contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Service security model
5 General principles of service security
5.1 Service security objective
5.2 Service security principles
5.3 Security risk assessment
5.4 Service demander
5.5 Service provider
6 Service life cycle security requirements
6.1 Requirements
6.2 Design
6.3 Implementation
6.4 Operation
6.5 Exit
7 Security requirements for service capability elements
7.1 Personnel
7.2 Process
7.3 Technology
7.4 Resources
Appendix A (informative) Information technology service security risk assessment
Appendix B (informative) Examples of service security roles and responsibilities
References

1 Scope

This standard proposes a security model for information technology services and specifies security requirements for general security principles, life cycle and capability elements. This standard applies to information technology service providers, service demanders and third parties.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.

GB/T 25069 Information security technology - Terminology

3 Terms and definitions

The terms and definitions defined in GB/T 25069, together with the following, apply to this document.

3.1 Information technology service
Services in which the service provider, by means of information technology, develops and applies information technology for the service demander and supports the business activities of the demander.
Note 1: Common services include software services, hardware services and other related services.
Note 2: Common service forms include information technology consulting services, design and development services, information system integration and implementation services, operation and maintenance services, data processing and storage services, operational services, digital content services, call center services and other information technology services.
[GB/T 29264-2012, definition 2.1]

3.2 Service acquirer
An organization or individual that needs information technology services.

3.3 Service provider
An organization or individual that provides information technology services.

3.4 Service security
The property that the business, assets, systems and other properties of the service demander are not damaged as a result of the involvement of the service provider's service elements or of the interaction between the provider and the demander.

3.5 Service personnel
Personnel required to provide information technology services.

3.6 Service process
When providing information technology services, a set of interrelated and structured activities that make rational use of the necessary resources and transform inputs into outputs.

d) Satisfy the confidentiality, integrity and availability requirements of assets during the service.

5.2 Service security principles
Service providers and service demanders shall follow the following security principles in the process of service provision:
a) Compliance principle: comply with the laws, regulations and standards related to cybersecurity;
b) Key business principle: give priority to the security of the service demander's key business;
c) Least impact principle: minimize the impact on the business operation of the service demander;
d) Cooperation principle: the service demander and the service provider work together to ensure service security.

5.3 Security risk assessment
Security risks of the service provider, the service life cycle and the service capability elements should be assessed, and service security requirements implemented in a targeted manner, so as to achieve effective control of information technology service security risks. See Appendix A for the assessment content.

5.4 Service demander
Starting from the service security objective, the service demander proposes service security requirements and implements service security control measures. The requirements include:
a) Strengthen service security and improve the service security management system;
b) Clarify service security requirements and communicate them to the service provider;
c) Provide the necessary resource support to the service provider;
d) Carry out service security supervision and cooperate with the service provider to continuously improve the level of service security.

5.5 Service provider

5.5.1 Organizational structure
The service provider shall establish a service security organization and define service security responsibilities. The requirements include:
a) Have a human resource scale compatible with the information technology services provided, and establish a service security organization;
b) Define the relevant service security positions and clarify their security responsibilities.
Note: See Appendix B for examples of service security roles and responsibilities.

5.5.2 Management system
The service provider shall establish a service security management system. The requirements include:
a) Establish a service security management system that meets the needs of the information technology services provided;
Note: Refer to GB/T 24405.1-2009 and GB/T 22080-2016 when establishing an information security management system.
b) Maintain consistency with the security management requirements of the service demander;
c) Continuously carry out internal inspection and improvement of the implementation of the system;
d) Periodically review the effectiveness of the service security management system.

5.5.3 Supply chain security
The service provider shall ensure the security of the service supply chain and improve service continuity. The requirements include:
a) Clarify the external supply chain involved in the service project and its supporting relationships, and obtain confirmation from the service demander;
b) Choose alternative services and products to reduce dependence on any single supplier;
c) Effectively convey the service security objectives, principles and related security requirements to the external supply chain;
d) Sign service agreements or purchase agreements with external suppliers, and effectively supervise the implementation of those agreements.

6 Service life cycle security requirements

6.1 Requirements
The service provider identifies and controls the security risks of the service requirements through research and analysis of those requirements. The requirements include:
a) Evaluate the service provider's service capabilities, qualifications, service system, and security management and assurance capabilities, and select reliable service providers;
b) Analyze the service security requirements, including explicit requirements (such as agreement requirements and business requirements) and implicit requirements (such as legal and regulatory requirements and the expectations of the service demander), to form a service requirements document;
c) Review the service requirements to ensure that the supply and demand parties reach a consensus;
d) Sign a service contract or service agreement and ensure that it includes service security and confidentiality obligations.

6.2 Design
The service provider designs the service according to the security requirements of the service demander, and identifies and controls the security risks of the service design. The requirements include:
a) Prepare the service design plan, determine the components and elements required by the service, and meet the service security requirements;
b) Develop a service security management, evaluation and improvement plan, secure the resources and budget required for the service, and ensure that it meets the overall security objectives;
c) Review the risks that new or changed services pose to existing services and the countermeasures, and keep process records.

6.3 Implementation
The service provider carries out deployment according to the service design plan, and identifies and controls the security risks of service implementation. The requirements include:
a) Ensure that the implementation results are consistent with the service design and can meet the security requirements;
b) Carry out tests or trial runs, such as stress tests and user tests, to reduce process risks and the impact on the production and operation environment;
c) Identify the risks in the process of service deployment and handover, and formulate reasonable countermeasures.

6.4 Operation
The service demander monitors the services provided by the service provider, and identifies and controls the security risks of service operation. The requirements include:
a) Establish the service process, ensure its effective execution, and keep records;
b) Back up and properly keep the service data (such as plans, reports and records) generated during the service process;
c) Regularly review the implementation of service security management and control, and promptly take measures to deal with abnormal situations;
d) Develop and update service security emergency plans, and organize drills and assessments;
e) Dynamically monitor service security risks, formulate risk treatment strategies, and take risk treatment measures in a timely manner;
f) Strengthen the monitoring, control and early warning of service risks in response to changes in key business and key assets, major events or important periods during the service process, and be ready for emergency coordination;
g) Keep confidential the sensitive information involved in the service process, such as facilities, data, events, problems and configurations;
h) Use the information generated during the service process safely and reasonably, and ensure that it is not used outside the scope of the service.

6.5 Exit
When the service agreement expires or is terminated, in order to ensure the smooth exit of the service, the service parties communicate and choose an appropriate exit strategy, and identify and control the security risks of service withdrawal. The requirements include:
a) Develop a service termination plan, identify the risks of service termination, and take corresponding risk control measures;
b) On the premise of ensuring business continuity, confirm the recovery of the equipment and facilities, information resources and personnel invested in the service;
c) Transfer, save or destroy service-related materials;
d) Conduct a security review of service authorizations and sensitive information.

7 Security requirements for service capability elements

7.1 Personnel

7.1.1 Personnel selection
Personnel are selected according to the service security requirements. The requirements include:
a) Identify and define the security requirements of service positions;
b) Conduct background checks on service personnel in important positions;
c) Assign a unique identity to each member of the service staff;
d) Assign authority to service personnel based on the principles of separation of duties and minimum authorization;
e) For service personnel who handle sensitive information, clarify their confidentiality obligations and sign confidentiality agreements.

7.1.2 Personnel training
Personnel are trained according to the service security requirements. The requirements include:
a) Before personnel start the job, carry out service security training; the training content includes, but is not limited to, relevant laws and regulations, security systems and regulations, security awareness, and the security skills necessary to provide the service;
b) Personnel with special security requirements should hold the relevant qualification certification;
c) During the service process, regularly carry out service security training for personnel.

7.1.3 Personnel assessment
Personnel are assessed according to the service security requirements. The requirements include:
a) Before personnel start the job, carry out an information security assessment; personnel who fail the assessment are not given the job;
b) During the service process, carry out information security assessments regularly; personnel who fail the assessment shall receive additional training or be replaced;
c) Record the assessment results of personnel responsible for violating security regulations; personnel responsible for adverse effects shall bear the corresponding responsibility.

7.1.4 Personnel change
Personnel changes require effective security management and control. The requirements include:
a) Before a personnel change, the service provider informs the service demander in advance, submits the change plan, and implements the change on the premise of ensuring service continuity;
b) After the change is confirmed, all information assets of the departing personnel shall be recovered, their relevant authority revoked, and written confirmation made;
c) After the change, the confidentiality obligation shall be reiterated to the departing personnel in writing, and the departing personnel remain subject to retrospective audit.

7.2 Process

7.2.1 Process definition
Process definition security should clarify the definition of the service process and the associated security responsibilities. The requirements include:
a) Define the standard operating process of the service and the service supervision and management process;
b) Identify process ownership and clarify the security rights and responsibilities of process activities;
c) Clarify version control of the process and its related documents;
d) Regularly review the service process.

7.2.2 Process execution
Process execution security should clarify the secure execution of the service process and continuously monitor security risks. The requirements include:
a) According to the process definition, allocate personnel and resources, and execute the service using the agreed technology;
b) Implement security control measures in the service process;
c) Continuously monitor service security risks.

7.2.3 Process recording
Process record security should clarify the storage of and access control for service process records. The requirements include:
a) Ensure that all service processes and service activities are recorded;
b) Ensure that service process records are protected from unauthorized access;
c) Store and back up service process records, with a retention period that meets compliance requirements.

7.2.4 Process changes
Process change security should clarify the security controls required for changes to the service process. The requirements include:
a) Implement process changes in strict accordance with the change management system, and ensure that the change process is approved;
b) Review the rationality and correctness of the changed process, and fully evaluate the security risk of the change;
c) Fully test the changes in a controlled environment;
d) Record and keep the change process and its results.

7.3 Technology

7.3.1 Technology acquisition
Technology acquisition security shall ensure that secure and compliant technologies are obtained in a reasonable manner. The requirements include:
a) Select a security-compliant technology provider whose security support capabilities match the technology provided;
b) Ensure that the acquired technology is complete, secure and reliable;
c) In the technology license agreement, specify the parameters related to technology security;
d) Demonstrate and verify the rationality and correctness of the technology acquisition process;
e) Record and keep the method of and reasons for the technology acquisition.

7.3.2 Technology implementation
Technology implementation security should ensure the security of the implemented technology. The requirements include:
a) Provide and verify the delivery list, such as technical equipment, tools and documents;
b) Provide technical training, such as technical principles, technology use and security risks;
c) Fully test the technology implementation in a controlled environment;
d) Demonstrate and verify the rationality and correctness of the technology implementation process;
e) Record and keep the process and results of the technology implementation.

7.3.3 Technology maintenance
Technology maintenance security should ensure that the technology continues to meet the service agreement. The requirements include:
a) Monitor the operating status of the technology and continuously evaluate whether it meets the service agreement;
b) Adjust the corresponding technology in time according to service demand and technological progress, including technology introduction, upgrade and withdrawal, and evaluate the risks;
c) Record and keep the process and results of technology maintenance.

7.4 Resources

7.4.1 Resource classification and grading
Identify the security requirements and sensitivity of resources, and classify and manage them accordingly.

7.4.2 Resource security responsibility
Identify and define the different roles for resource security, and clarify the security responsibilities of each role.

7.4.3 Reasonable use of resources

7.4.3.1 Resource acquisition
Resource acquisition security shall ensure the legitimate acquisition and availability of resources. The requirements include:
a) Ensure the availability of service resources;
b) Ensure the legitimacy of service resource acquisition.

7.4.3.2 Resource utilization
Resource utilization security shall ensure the reasonable use of resources in the service process. The requirements include:
a) Ensure that service resources are used only for the intended purpose of the service, and prevent unauthorized access;
b) Formulate rules and processes for resource utilization to avoid resource abuse;
c) Keep resource usage records and logs.

7.4.3.3 Resource recovery
Resource recovery security shall ensure the safe recovery of resources after the end of the service. The requirements include:
a) Release resources in time after the end of the service, and carry out service resource recovery;
b) Evaluate the residual risk of access permissions in resource recovery, and recover all access accounts and permissions in a timely manner;
c) Evaluate the residual data risk in resource recovery, and carry out effective risk disposal in accordance with the requirements.

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 39770-2021_English be delivered?

Answer: Upon your order, we will start to translate GB/T 39770-2021_English as soon as possible, and keep you informed of the progress. The lead time is typically 1 ~ 3 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 39770-2021_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 39770-2021_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept currencies other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. Within 2 working hours, we will create a special link for you to pay in any currency. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.
