GB/T 45577-2025: Data security technology - Risk assessment method for data security
Status: Valid
Basic data
| Standard ID | GB/T 45577-2025 (GB/T45577-2025) |
| Description (Translated English) | Data security technology - Risk assessment method for data security |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word Count Estimation | 54,546 |
| Date of Issue | 2025-04-25 |
| Date of Implementation | 2025-11-01 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
GB/T 45577-2025: Data security technology - Risk assessment method for data security
---This is a DRAFT version for illustration, not a final translation.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Data security technology - Data security risk assessment method
Released on 2025-04-25
Implemented on 2025-11-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of contents
Preface
1 Scope
2 Normative references
3 Terms and Definitions
4 Abbreviations
5 General
5.1 Overview
5.2 Relationship between data security risk assessment elements
5.3 Principles of Data Security Risk Assessment
5.4 Applicable Situations for Data Security Risk Assessment
5.5 Data Security Risk Assessment Implementation Process
5.6 Data Security Risk Assessment Content Framework
5.7 Data security risk assessment methods
6 Data Security Risk Assessment Preparation
6.1 Determine the evaluation objectives
6.2 Determine the scope of the assessment
6.3 Establishing an evaluation team
6.4 Carry out preliminary preparations
6.5 Develop an evaluation plan
7 Information Research
7.1 Data Processor Survey
7.2 Business and Information System Research
7.3 Data Asset Research
7.4 Survey on data processing activities
7.5 Safety protection measures research
8 Risk Identification
8.1 General
8.2 Analysis of the evaluation situation carried out
8.3 Data Security Management
8.4 Security of data processing activities
8.5 Data Security Technology
8.6 Personal Information Protection
9 Risk Analysis and Assessment
9.1 General
9.2 Data Security Risk Analysis
9.3 Data Security Risk Assessment
9.4 Create a data security risk list
10 Evaluation Summary
10.1 Preparation of assessment report
10.2 Risk Management Recommendations
10.3 Residual risk analysis
Appendix A (Normative) Data Security Risk Identification Content
A.1 Data Security Management
A.2 Data processing activities
A.3 Data security technology
A.4 Protection of Personal Information
Appendix B (Informative) Typical Data Security Risk Types
Appendix C (Informative) Data Security Risk Analysis Reference
C.1 Data security risk analysis reference
C.2 Analysis of the likelihood of data security risks occurring Reference
Appendix D (Informative) Data Security Risk Quantitative Analysis and Evaluation Method
D.1 Quantitative analysis method of data security risk degree
D.2 Quantitative analysis method for the possibility of data security risks occurring
D.3 Data security risk quantitative assessment method
Appendix E (Informative) Data Security Risk Assessment Report Template
References
Foreword
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work - Part 1: Structure and drafting rules for standardization documents".
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume the responsibility for identifying patents.
This document was proposed and coordinated by the National Cybersecurity Standardization Technical Committee (SAC/TC260).
This document was drafted by: China Electronics Technology Standardization Institute, National Information Technology Security Research Center, National Computer Network Emergency Response Team Technical Processing Coordination Center, National Industrial Information Security Development Research Center, Central Cyberspace Affairs Office Data and Technology Support Center, China Information Security Evaluation Center, National Information Center, Information Engineering Institute of Chinese Academy of Sciences, Third Research Institute of Ministry of Public Security, Beijing Municipal Government Information Security Center, China Cybersecurity Review Certification and Market Supervision Big Data Center, University of Science and Technology of China, Institute of Software, Chinese Academy of Sciences, Alibaba Cloud Computing Co., Ltd., Beijing Kuaishou Technology Co., Ltd., Ant Technology Group Co., Ltd., and Huawei Technologies Co., Ltd.
The main drafters of this document are: Yang Jianjun, Yao Xiangzhen, Zhang Yuguang, Hu Ying, Chen Qi, Yang Tao, Lin Xingchen, Chen Te, Lu Lei, Lin Zhiqiang, Jiang Songhao, Shangguan Xiaoli, Ren Yingjie, Zhu Xuefeng, Yan Hui, Li Min, Zhao Ran, Liu Xize, Li Ye, Chen Jing, Xu Feng, Wang Hui, Wang Defu, Du Jing, Ma Ying, Zhang Yan, Su Yanfang, Li Yuan, Cheng Yuqi, Zuo Xiaodong, Zhang Liwu, Song Jing, Sun Yong, Wang Xin, Bai Xiaoyuan, Shao Meng, Sudan, Li Haidong, Zhang Mingtian, Gao Chentao.
Data security technology - Data security risk assessment method
1 Scope
This document describes the basic concepts, element relationships, and analysis principles of data security risk assessment, and provides practical examples for the data security risk assessment implementation process, assessment content, analysis and evaluation methods, etc.
This document is applicable to guiding data processors and third-party assessment agencies in conducting data security risk assessments, and can also be used by relevant regulatory authorities for reference when implementing data security review assessments.
2 Normative references
The contents of the following documents constitute essential clauses of this document through normative references in this document. For referenced documents with a date, only the version corresponding to that date applies to this document; for referenced documents without a date, the latest version (including all amendments) applies to this document.
GB/T 25069-2022 Information Security Technical Terminology
GB/T 43697-2024 Data security technology data classification and grading rules
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2022 and the following apply to this document.
3.1
data
Any recording of information by electronic or other means.
3.2
Data security
The ability, by taking necessary measures, to ensure that data is effectively protected and legally used, and that there are mechanisms to ensure continuous security.
3.3
Activities such as data collection, storage, use, processing, transmission, provision, disclosure, and deletion.
3.4
rationality
Data processing activities must comply with laws, administrative regulations, and common sense in cybersecurity and data security, and must not harm national security, public order, the common interests, or the legitimate rights and interests of individuals and organizations.
3.5
Threats, vulnerabilities, problems, hidden dangers, etc. that may lead to events that endanger the confidentiality, integrity, availability and reasonableness of data processing.
Note. In this document, “risk sources” are referred to as such, which include risk sources that may lead to data security incidents due to security threats exploiting vulnerabilities, as well as data processing activities.
...