GB/T 37973-2019: Information security technology - Big data security management guide
Status: Valid
This page is an excerpt of the English translation of the standard; the full text (including equations, symbols, images, flow-charts, tables and figures) is available at https://www.ChineseStandard.net/PDF.aspx/GBT37973-2019

GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Big data security management guide

ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the PRC.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of big data security management
  4.1 Goals of big data security management
  4.2 Main content of big data security management
  4.3 Roles and responsibilities of big data security management
5 Basic principles of big data security management
  5.1 Clear responsibilities
  5.2 Security compliance
  5.3 Quality assurance
  5.4 Data minimization
  5.5 Responsibilities not transferring with data
  5.6 Minimum authorization
  5.7 Ensure security
  5.8 Auditability
6 Big data security requirements
  6.1 Confidentiality
  6.2 Integrity
  6.3 Availability
  6.4 Other requirements
7 Data classifying and grading
  7.1 Principles of data classifying and grading
  7.2 Process of data classifying and grading
  7.3 Data classifying methods
  7.4 Data grading methods
8 Big data activities and security requirements
  8.1 Main activities of big data
  8.2 Data collection
  8.3 Data storage
  8.4 Data processing
  8.5 Data distribution
  8.6 Data deletion
9 Assessment of big data security risks
  9.1 Overview
  9.2 Asset identification
  9.3 Threat identification
  9.4 Vulnerability identification
  9.5 Confirmation of existing security measures
  9.6 Risk analysis
Appendix A (Informative) Example of data classifying and grading in the telecom industry
Appendix B (Informative) Examples of life science big data risk analysis
Appendix C (Informative) Big data security risks
Bibliography

Information security technology - Big data security management guide

1 Scope
This Standard puts forward the basic principles of big data security management and specifies big data security requirements, data classifying and grading, security requirements for big data activities, and the assessment of big data security risks.
This Standard applies to data security management in organizations of all kinds; it can also be used as a reference by third-party assessment agencies.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies.
GB/T 7027-2002 The basic principles and methods for information classifying and coding
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/T 25069-2010 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 35274-2017 Information security technology - Security capability requirements for big data services

3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010, GB/T 20984-2007 and GB/T 35274-2017, and the following, apply to this document.
3.1 ...

4.1 Goals of big data security management
...
a) Meet the requirements of personal information protection and data protection laws, regulations, standards, etc.;
b) Meet the data protection requirements of the parties related to the big data;
c) Through technical and management measures, ensure that the data security risks under the organization's own control and management remain controllable.

4.2 Main content of big data security management
Big data security management mainly includes the following:
a) Clarify data security requirements. The organization shall analyze the new problems that the confidentiality, integrity and availability of data face in the big data environment; analyze the influence that big data activities may have on national security, society, the public interest, personal life and property safety, etc.; and clarify the data security requirements that address these problems and impacts.
b) Classify and grade data. The organization shall first classify and grade its data, and then select security measures appropriate to each data grade.
c) Clarify the security requirements of big data activities. The organization shall understand the characteristics of the main big data activities and the data operations they may involve, and clarify the security requirements of each activity.
d) Assess big data security risks. In addition to information system security risk assessments, the organization shall assess big data security risks in terms of the potential system vulnerabilities, malicious use, consequences and other unfavorable factors in the big data environment, as well as the countermeasures.

4.3 Roles and responsibilities of big data security management
4.3.1 Overview
The organization shall establish a big data security management organizational structure.
According to the organization's scale, the data volume of its big data platform, business development and planning, etc., it shall also define the different roles and their responsibilities, including at least the following:
a) Big data security manager: the individual or team responsible for the organization's big data security. Big data security managers are responsible for decision-making in data security-related fields and links;
...
b) Allocate data access permissions and mechanisms to the parties authorized by the big data security manager;
c) Cooperate with the big data security manager in handling security incidents;
d) Record the relevant logs of data activities.

4.3.4 Responsibilities of big data security auditors
The main responsibilities of big data security auditors include:
a) Review the attributes of data activities, such as subject, operation and object, to ensure that the process and the related operations of each data activity meet the security requirements;
b) Regularly review the use of data.

5 Basic principles of big data security management
5.1 Clear responsibilities
The organization shall clarify the security responsibilities of the different roles and of their big data activities. The organization shall:
a) Establish a big data security manager. Taking into account the organization's mission, data scale and value, and business, the organization shall designate the person or department that plays the role of big data security manager. It may be composed of business leaders, legal and regulatory experts, IT security experts and data security experts, and is responsible for the security of the organization's data and its applications.
b) Clarify each role's security responsibilities. The organization shall clarify the security responsibilities of big data security managers, big data security executors, big data security auditors and the other roles related to data security.
c) Clarify the subject that implements each main activity.
The organization shall clarify the implementing subject and the security responsibilities of each main big data activity.

5.2 Security compliance
The organization shall formulate strategies and procedures to ensure that all data activities meet compliance requirements. The organization shall:
...

5.5 Responsibilities not transferring with data
...
... data security responsibilities;
d) Take effective measures to ensure that responsibility for security incidents occurring after a data transfer can be traced.

5.6 Minimum authorization
The organization shall control data access permissions in big data activities, so that permissions are minimized while still meeting business needs. The organization shall:
a) Grant the subject of a data activity the minimum operation authorization and the minimum data set;
b) Develop an approval process for data access authorization, and an application and approval process for changes to the operation authorization and data scope of a data activity subject;
c) Revoke expired data access permissions in a timely manner.

5.7 Ensure security
The organization shall take appropriate management and technical measures to ensure data security. The organization shall:
a) Classify and grade data, and implement appropriate security protection measures for data of each security level;
b) Ensure that the security controls and strategies of the big data platform and of the business are effective; protect the integrity, confidentiality and availability of the data; and ensure security throughout the data life cycle;
c) Resolve the security risks and vulnerabilities found in risk assessments and security inspections, and take responsibility for security incidents caused by inadequate security protection measures.

5.8 Auditability
The organization shall implement data audits on the big data platform and on all aspects of the business.
The organization shall:
a) Record information about the various operations in big data activities, and ensure that the records cannot be forged or tampered with;
b) Take effective technical measures to ensure that all operations in big data activities can be traced.

...

6.3 Availability
Availability requirements in the big data environment shall consider the following aspects:
a) The anti-attack capabilities of the big data platform;
b) Security analysis capabilities based on big data, such as security intelligence analysis, data-driven misuse detection, security incident detection, etc.;
c) The disaster tolerance capabilities of the big data platform.

6.4 Other requirements
For big data security, in addition to the confidentiality, integrity and availability of information systems, the organization shall, according to the characteristics of big data, also analyze security requirements from other aspects of big data activities, including but not limited to:
a) Compliance with laws and regulations, national strategies, standards, etc.;
b) Possible impacts on society and public security, and cultural inclusiveness;
c) Data sharing between organizations;
d) Cross-border data flow;
e) Protection of intellectual property and of the value of the data.

7 Data classifying and grading
7.1 Principles of data classifying and grading
Data classifying and grading shall meet the following principles:
a) Scientificity. Classify the data scientifically and systematically according to its multi-dimensional characteristics and the logical associations between them, and determine the data security level according to the big data security requirements.
b) Stability. Base the classifying and grading scheme on the most stable characteristics and attributes of the data.
c) Practicality. Data classifying shall ensure that every category contains data and that no meaningless categories are set.
The classification of data categories must conform to the general understanding of data classifying.

...

7.3 Data classifying methods
The organization shall classify data according to Clause 6 of GB/T 7027-2002. Data can be classified by different attributes, such as data subject, topic and business.

7.4 Data grading methods
The organization shall grade its existing data and newly collected data. Data grading shall be jointly determined by the organization's supervisors, business experts and security experts.
For the grading of government data, in accordance with 6.3 of GB/T 31167-2014, non-secret-involved data shall be classified into public data and sensitive data. For personal information and personal sensitive information, refer to Appendix A and Appendix B of GB/T 35273-2017. The processing, storage, transmission and use of secret-involved information shall follow national secrecy regulations.
According to laws and regulations, business, organizational strategy, market demand, etc., the organization may further grade sensitive data so as to apply appropriate security management and technical measures. For data of each level, the organization shall select appropriate management and technical measures in accordance with Clauses 4 to 6 of GB/T 35274-2017 and implement effective security protection.

8 Big data activities and security requirements
8.1 Main activities of big data
In the data life cycle, the organization may take part in one or more of the stages that the data goes through. The operational tasks that the organization may perform on data, that is, its activities, are divided into data collection, data storage, data processing, data distribution, data deletion, etc.:
a) Data collection. Data enters the organization's big data environment. The data may come from other organizations or be generated by the organization itself.
b) Data storage.
Store data persistently on storage media.
c) Data processing. Through this activity the organization performs its duties or achieves its goals. The processed data
...
b) Follow the principle of compliance, to ensure that data collection is lawful, legitimate and necessary;
c) Follow the principle of data minimization, and collect only the minimum data the business requires;
d) Follow the principle of quality assurance, and formulate data quality assurance strategies, procedures and requirements;
e) Follow the principle of ensuring security. Classify, grade and label the collected data, and implement the corresponding security management strategies and safeguards for data of each type and level. Take the necessary security controls for the environment, facilities and technology used in data collection.

8.3 Data storage
8.3.1 Concept of data storage activity
Data storage refers to the static storage of data on the big data platform. The stored data includes collected data, the result data of analysis and processing, etc. The storage system can be a relational database, a non-relational database, etc. It shall support the storage of data of different types and formats, and it shall provide a variety of data access interfaces, such as file system interfaces and database interfaces.
Until the data is completely deleted, the organization shall provide the stored data with appropriate security protection. The organization shall fully consider the security risks of storing data on third-party data storage platforms. For reasons of intellectual property rights, laws and regulations, etc., even if an organization effectively controls the data in its storage system, such as personal information or health data, it may not be the owner of that data; the organization still bears the responsibility for data storage management.
The main operations of data storage activity include but are not limited to: data encoding and decoding, data encryption and decryption, tiered storage of hot and cold data, data archiving and persistent storage, data backup, data update, data access, etc.
8.3.2 Security requirements
When carrying out data storage activity, the organization shall:
a) Store data of different categories and levels separately, using a physical or logical isolation mechanism.
...

8.5 Data distribution
...
a) Follow the principle of responsibilities not transferring with data.
b) When personal information, important data, etc. need to be transferred out of the country, carry out a security assessment of the cross-border transfer in accordance with the relevant laws, regulations, policy documents and standards.
c) Before distributing data, conduct a risk assessment of the data to ensure that the risk after distribution is bearable, and clarify through contract the data protection responsibilities of the recipient.
d) Before distributing data, evaluate its sensitivity and, based on the result, desensitize the sensitive information that needs to be distributed.
e) Follow the principle of auditability. Record the time, the data distributed, the data recipient and other related information.
f) Evaluate the transmission security risks of the distribution, to ensure the security of the data in transit.
g) Provide an effective mechanism for secure data sharing.
h) Establish a review system for data release; strictly review whether released information meets the requirements of relevant laws and regulations; clarify the content and scope of data release; and review released data regularly.

8.6 Data deletion
8.6.1 Concept of data deletion activity
Data deletion activity refers to the organization's deletion of data, and of its copies, on its own or leased big data platforms. If the data comes from an external real-time data stream, the link to that stream shall also be disconnected.
The reasons for data deletion include but are not limited to:
a) Reducing the risk of data leakage, by avoiding inappropriate distribution or processing of the data.
b) Deleting irrelevant or incorrect data: the data is no longer relevant to the original purpose of use, or is incorrect.
c) Deletion after business completion: the data business has achieved its service goal and the relevant data no longer needs to be kept.
...

9.2 Asset identification
...
e) The big data processing frameworks, such as stream processing, interactive processing and offline processing frameworks;
f) The big data storage frameworks, such as distributed file systems and non-relational databases;
g) The frameworks that manage the big data platform's computing resources (CPU, memory, network, etc.), etc.

9.3 Threat identification
When carrying out threat identification, the organization shall pay attention to the characteristics of threats in the big data environment, including but not limited to:
a) Potential adverse factors:
- The resources, technical capabilities, motivations, etc. of potential attackers. Common attackers include individuals, organizations, states, etc.;
- The intention of potential attackers to steal, use and misuse the data;
- The resources required to access, store and process the big data;
- The risk of direct access to the data or of its theft;
- The costs and benefits of attacking and maliciously using the big data.
b) The scientific expertise and skills that malicious use requires:
- The skills and expertise required to analyze the data and its results;
- The technology and equipment required to use the data and analyze the results;
- The skills, technology and knowledge required to exploit system vulnerabilities.
c) The threat posed by cross-border transfer of the data (data exit).
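Two of the requirements above reduce directly to code: 8.5 d) (evaluate sensitivity and desensitize what is to be distributed, which presupposes the grading of Clause 7) and 8.5 e) together with 5.8 a) (record every distribution in a way that cannot be forged or tampered with). The following is an added example written for this page; it is not text or code from GB/T 37973-2019. The field grades, the measure applied to each grade, the keys, the record layout and the sample values are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed field grading for a customer record (this example's assumption,
# not a scheme taken from the standard) and the measure each grade gets:
#   public             -> released unchanged
#   sensitive          -> masked, only a leading fragment is kept
#   sensitive_personal -> replaced by a keyed pseudonym (joinable, not re-identifiable)
#   no grade           -> not released at all
FIELD_GRADES = {
    "region": "public",
    "plan": "public",
    "phone": "sensitive",
    "id_number": "sensitive_personal",
    "email": "sensitive_personal",
}
# Constructed keys; in a deployment they come from a KMS/HSM, and the audit key
# is held by the auditor role rather than by the executors who write the log.
PSEUDONYM_KEY = b"pseudonym-key-constructed-for-this-example"
AUDIT_KEY = b"audit-log-key-constructed-for-this-example"
GENESIS = "0" * 64


def mask(value: str, keep: int = 3) -> str:
    """Keep the first `keep` characters, replace the rest with '*'."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def pseudonymize(value: str) -> str:
    """Keyed deterministic pseudonym: HMAC-SHA256 truncated to 16 hex digits.
    Unlike a plain hash, it cannot be reversed by enumerating every possible
    phone or ID number unless the key itself leaks."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def desensitize(record: dict) -> dict:
    """Apply the measure that each field's grade calls for; ungraded fields are dropped."""
    released = {}
    for field, value in record.items():
        grade = FIELD_GRADES.get(field)
        if grade == "public":
            released[field] = value
        elif grade == "sensitive":
            released[field] = mask(str(value))
        elif grade == "sensitive_personal":
            released[field] = pseudonymize(str(value))
    return released


class DistributionLog:
    """Append-only distribution record. Each entry carries an HMAC over its own
    fields plus the MAC of the entry before it, so editing or removing an earlier
    entry invalidates every entry that follows it."""

    def __init__(self) -> None:
        self.entries: list = []
        self._prev = GENESIS

    @staticmethod
    def _mac(entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
        return hmac.new(AUDIT_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()

    def append(self, recipient: str, dataset: str, record_count: int,
               when: Optional[datetime] = None) -> dict:
        entry = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "recipient": recipient,
            "dataset": dataset,
            "records": record_count,
            "prev": self._prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def head(self) -> str:
        """MAC of the latest entry. Publish it out of band (WORM store, timestamping
        service) so that silently truncating the tail of the log is detectable too."""
        return self._prev

    def verify(self) -> bool:
        """True only if every MAC checks out and the chain is unbroken."""
        prev = GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev or not hmac.compare_digest(self._mac(entry), entry.get("mac", "")):
                return False
            prev = entry["mac"]
        return True


def distribute(records: list, recipient: str, dataset: str, log: DistributionLog) -> list:
    """Desensitize a batch and log the release before it leaves the organization."""
    released = [desensitize(r) for r in records]
    log.append(recipient, dataset, len(released))
    return released
```

Calling distribute(customers, "partner-analytics", "customers-2019Q3", log) returns the records with phone numbers masked, ID numbers and e-mail addresses pseudonymized and any ungraded column (a salary, say) removed, and leaves one chained entry in the log. verify() fails as soon as any earlier entry is edited or deleted, which is the "cannot be forged and tampered with" property of 5.8 a); the chain alone does not notice if the newest entries are cut off, hence head() for anchoring the latest MAC somewhere the executors cannot write. Rotating PSEUDONYM_KEY breaks the linkability of tokens across releases, so treat that key with the same care as the data it protects.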
9.4 Vulnerability identification
When carrying out vulnerability identification, the organization shall pay attention to the vulnerabilities specific to the big data environment, including but not limited to:
a) Vulnerabilities of the basic software and infrastructure used for big data storage and processing;
...

Source: the above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.