www.ChineseStandard.net Database: 189759 (19 Oct 2025)

GB/T 41574-2022 English PDF

US$669.00 · In stock
Delivery: <= 5 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 41574-2022: Information technology - Security techniques - Code of practice for protection of personal information in public clouds
Status: Valid


Basic data

Standard ID: GB/T 41574-2022 (GB/T41574-2022)
Description (translated English): Information technology - Security techniques - Code of practice for protection of personal information in public clouds
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Word count estimation: 34,325
Issuing agency(ies): State Administration for Market Regulation; Standardization Administration of China



---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
GB/T 41574-2022
Information technology - Security techniques - Code of practice for protection of personal information in public clouds
Issued on 2022-07-11; implemented on 2023-02-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 Structure of this document
4.2 Control categories
5 Information security policies
5.1 Management direction for information security
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination and change of employment
8 Asset management
9 Access control
9.1 Business requirements of access control
9.2 User access management
9.2.1 User registration and de-registration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
9.4 System and application access control
9.4.1 Information access restriction
9.4.2 Secure log-on procedures
9.4.3 Password management system
9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code
10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling security
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.3 Backup
12.3.1 Information backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronization
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
Appendix A (informative) Comparison of clause numbers between this document and ISO/IEC 27018:2019
Appendix B (normative) Extended set of controls for the protection of personal information by public cloud personal information processors
Appendix C (informative) Relationship between cloud service providers, cloud service customers and cloud service users
References

Foreword

This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document is a modified adoption of ISO/IEC 27018:2019 "Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". Compared with ISO/IEC 27018:2019, this document contains many structural adjustments; Appendix A lists the correspondence between the clause numbers of the two documents.

The technical differences between this document and ISO/IEC 27018:2019, and the reasons for them, are as follows:

--- The term "personally identifiable information (PII)" is changed to "personal information", and its definition is changed to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.1; 3.2 of ISO/IEC 27018:2019);
--- The term "PII controller" is changed to "personal information controller", and its definition is changed to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.2; 3.3 of ISO/IEC 27018:2019);
--- The term "PII principal" is changed to "personal information subject", and its definition is changed to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.3; 3.4 of ISO/IEC 27018:2019);
--- The term "PII processor" is changed to "personal information processor", and its definition is changed to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.4; 3.5 of ISO/IEC 27018:2019);
--- The term "PII processing" is changed to "personal information processing", and its definition is changed to be consistent with the terms and definitions of GB/T 35273-2020 (see 3.5; 3.6 of ISO/IEC 27018:2019);
--- "ISO/IEC 27002" in the table title is changed to "GB/T 22081" (see Table 1; Table 1 of ISO/IEC 27018:2019);
--- A recommendation is added on processors entrusting sub-contractors to process personal information, consistent with the requirements on entrusted parties in GB/T 35273-2020, 9.1 c) 2) (see 5.1.1);
--- The statement in "Other information for public cloud PII protection" that laws and regulations impose different requirements on processors and controllers is deleted, to comply with China's rules for drafting standardizing documents (see 5.1.1 of ISO/IEC 27018:2019);
--- The legal and regulatory requirements on penalties for processors in "Other information for public cloud PII protection" are deleted, to comply with China's rules for drafting standardizing documents (see 7.2.2 of ISO/IEC 27018:2019);
--- Requirements are added on the use of cryptographic techniques to address confidentiality, integrity, authenticity and non-repudiation requirements (see 10.1.1);
--- A recommendation is added on processors transferring personal information, consistent with the relevant provisions of GB/T 35273-2020 (see B.2.3);
--- Recommendations are added on processors providing personal information overseas, to suit China's technical conditions and facilitate the application of this document (see B.4.1, B.7.14);
--- A recommendation is added on processors entrusting an agent to process personal information, consistent with the requirements on entrusted parties in GB/T 35273-2020, 9.1 c) 2) (see B.7.1);
--- A recommendation is added on the information contained in the data restoration log (see B.7.3);
--- The legal wording on the processor's notification obligation in "Public cloud PII protection implementation guidance" is deleted, to comply with China's rules for drafting standardizing documents (see A.10.1 of ISO/IEC 27018:2019).

The following editorial changes have been made to this document:

--- To be consistent with the existing series of standards, the title is changed to "Information technology - Security techniques - Code of practice for protection of personal information in public clouds";
--- The classification principles for the new controls in Appendix B are changed to be consistent with China's personal information protection principles (see B.1; A.1 of ISO/IEC 27018:2019);
--- An explanation of "off-chain" is added to improve the readability of the terms and facilitate the application of this document (see Note 1 of B.2.3);
--- An explanation of "degaussing" is added to improve the readability of the terms and facilitate the application of this document (see Note 2 of B.2.3);
--- Appendix A (informative) "Comparison of clause numbers between this document and ISO/IEC 27018:2019" is added;
--- Appendix C (informative) "Relationship between cloud service providers, cloud service customers and cloud service users" is added;
--- The note to 9.2.1 of ISO/IEC 27018:2019 is deleted;
--- The note to 10.1.1 of ISO/IEC 27018:2019 is deleted;
--- Note 1 and Note 2 to 12.3.1 of ISO/IEC 27018:2019 are deleted;
--- The example in A.6.1 of ISO/IEC 27018:2019 is deleted;
--- The first sentence of the note to A.11.3 of ISO/IEC 27018:2019 is deleted;
--- The other principle under which this control and its guidance can be classified is changed to the principle of "openness and transparency", consistent with China's personal information protection principles (see Note 3 of B.2.3; the note to A.10.3 of ISO/IEC 27018:2019);
--- The wording of the principles followed in "Public cloud PII protection implementation guidance" concerning the collection and use of PII is changed to be consistent with China's personal information protection principles (see B.3.1; A.3.1 of ISO/IEC 27018:2019);
--- "PII controller" in "Public cloud PII protection implementation guidance" is changed to "cloud service customer" to improve readability and facilitate the application of this document (see B.8.1; A.2.1 of ISO/IEC 27018:2019).

Please note that some content of this document may be subject to patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this document: Shandong Institute of Standardization, Hangzhou Tuoshen Technology Co., Ltd., China Cybersecurity Review Technology and Certification Center, Shaanxi Provincial Network and Information Security Evaluation Center, Elong.com Information Technology (Beijing) Co., Ltd., CLP Great Wall Internet System Application Co., Ltd., Beijing Qiandaibao Payment Technology Co., Ltd., National Industrial Information Security Development Research Center, Tencent Cloud Computing (Beijing) Co., Ltd., Shaanxi Information Engineering Research Institute, CLP Data Service Co., Ltd., Shanghai Information Security Industry Association, Shanghai Anyan Information Technology Co., Ltd., Anhui Electronic Products Supervision and Inspection Institute, Shandong Zhongshi Information Technology Co., Ltd.

Main drafters of this document: Wang Qingsheng, You You, Dang Bin, Min Jinghua, Lan Anna, Liu Caiyun, Wang Yongxia, Zhang Yong, Zhang Bo, Zhou Yachao, Sun Yan, Zhang Xuanming, Jin Qian, Wang Liqiang, Zhao Shouhua, Wang Aiyi, Yang Fan, Shi Lei, Huang Lei, Wang Lidong, Zhao Qianqian, Ma Zhuoyuan, Jia Mengni, Yan Yuyun, Qin Feng, Yang Xiangdong, Wang Fazhong, Xu Liqian, Fan Zhengxiang, Yu Xiuyan, Liu Kanpu, Wu Bo.

Introduction

0.1 Background and context

In recent years, more and more cloud service customers use the services of cloud service providers and entrust them with the processing of personal information. GB/T 35273-2020 specifies requirements for the party that accepts entrusted processing (called the "entrusted party" in 9.1 of GB/T 35273-2020; the "processor" in this document is the "entrusted party"). This document provides a general compliance framework for the protection of personal information in public clouds, which guides processors in carrying out personal information processing operations in the public cloud.

Public cloud service providers are usually required to sign contracts with cloud service customers and to provide services on the premise of complying with the personal information protection laws and regulations applicable to both parties. These personal information protection requirements on cloud service providers and cloud service customers arise from laws and regulations and from the contracts between them. When a public cloud service provider processes personal information in accordance with the requirements of a cloud service customer, the public cloud service provider acts in the role of "personal information processor". The cloud service customer that has a contractual relationship with the public cloud personal information processor is the "personal information controller". In a cloud computing environment, the personal information controller has control over the personal information and also has the authority to process and use it.

Both the personal information controller and the personal information processor can process personal information, but the personal information processor, as the entrusted party, can only perform the personal information processing operations requested by the personal information controller and the operations necessary to achieve the personal information controller's objectives. At the same time, a cloud service customer can also authorize one or more cloud service users to use its services, but these are limited to the services agreed in the contract between the cloud service customer and the public cloud personal information processor.

The purpose of this document is to create a common set of control categories and controls that personal information processors can implement in combination with the information security control objectives and controls in GB/T 22081. The objectives of this document are as follows:

--- to help public cloud personal information processors fulfil their corresponding obligations, including the direct obligations laid down in laws and regulations and other obligations set out in contracts;
--- to make public cloud personal information processors transparent in related matters, so that cloud service customers can choose well-governed cloud-based personal information processing services;
--- to assist cloud service customers and public cloud personal information processors in entering into contracts and agreements;
--- to provide cloud service customers with a mechanism for exercising audit rights and compliance responsibilities in cases where an individual cloud service customer cannot audit data hosted on multi-party or virtualized servers (clouds), or where such audits may increase the risk to existing physical and logical network security controls.

This document provides a general compliance framework for public cloud service providers, especially those operating across borders.

0.2 Personal information protection controls for public cloud computing services

Public cloud personal information processors implementing an information security management system for cloud computing based on GB/T 22080 can refer to this document when selecting personal information protection controls. This document can also serve as a guidance document for public cloud personal information processors implementing general personal information protection controls. In particular, this document, on the basis of GB/T 22081, takes into account the specific risk environment faced by personal information processors.

Generally speaking, an organization implements GB/T 22080 to protect its own information assets. However, the personal information protected by a public cloud personal information processor is in fact an information asset of the cloud service customer. It is therefore reasonable and necessary for the public cloud personal information processor to implement the controls of GB/T 22081. At the same time, to suit the risk-dispersion characteristics of the public cloud computing environment and to meet the contractual requirements between cloud service customers and public cloud personal information processors, this document enhances the controls in GB/T 22081. This document enhances GB/T 22081 in the following two ways:

--- it provides implementation guidance, applicable to the protection of personal information in public clouds, for certain controls in GB/T 22081;
--- Appendix B provides a new set of controls and associated guidance to address the public cloud personal information protection requirements that the control set in GB/T 22081 does not meet.

0.3 Personal information protection requirements

An organization determines its requirements for the protection of personal information. These requirements come from the following three main sources:

a) Legal, statutory, regulatory and contractual requirements. One source is the legal, statutory, regulatory and contractual requirements or obligations, as well as socio-cultural responsibilities and the requirements of the operating environment. It should be noted that laws, regulations and contracts may require personal information processors to select specific controls, or may require them to develop specific guidelines for implementing those controls.

b) Risk. Another source is the organization's assessment of the risks associated with personal information, based on consideration of the organization's overall business strategy and objectives. The organization uses risk assessment to identify threats, assess vulnerabilities and their likelihood of occurrence, and estimate the potential impact. GB/T 31722 provides information security risk management guidelines, including recommendations on risk assessment, risk acceptance, risk communication, risk monitoring and risk review. ISO/IEC 29134 provides guidance on privacy impact assessment.

c) Organizational policy. Although organizational policy covers many obligations arising from law and social culture, the organization may voluntarily choose to go beyond the requirements in a).

0.4 Selection and implementation of controls in a cloud computing environment

An organization may select controls from this document (including those in the referenced GB/T 22081, as well as the innovative reference set of controls built for the specific application). If desired, the organization may also select controls from other sets of controls, or design new controls to meet specific requirements. The choice of controls depends on the organization's decisions. These decisions are based on risk acceptance, risk treatment options, and the general risk management approach of the customers and suppliers with which the organization has contractual relationships. The choice of controls is also subject to the constraints of domestic and foreign laws and regulations. If a control in this document is not selected, the reason for not selecting it shall be stated and documented.

In addition, the selection and implementation of controls also depends on the organization's actual role in the overall cloud computing reference architecture (see GB/T 32399). In a cloud computing environment, multiple organizations may be involved in providing infrastructure services and application services. In some cases, the selected controls may be unique to a particular service category in the cloud computing reference architecture; in other cases, the roles in implementing security controls may be shared. The contractual agreement needs to specify the personal information protection responsibilities assumed by all organizations providing or using the cloud service, including public cloud personal information processors, their sub-contractors, and cloud service customers.

The controls in this document can be regarded as guidance applicable to most organizations. Detailed descriptions and implementation guidance for these controls are given below. If public cloud personal information processors consider the requirements for protecting personal information in advance when designing information systems, services and operations, the implementation of these controls will be simpler. This is part of "privacy by design" (see Reference [9]).

0.5 Developing additional guidelines

This document can be seen as a starting point for developing guidelines for the protection of personal information. Not all of the controls and guidance in this document may be applicable, and additional controls and implementation guidance not included in this document may be required. When developing documents containing additional controls or guidance, cross-referencing the applicable provisions of this document may assist auditors and business partners in compliance checking.

0.6 Life-cycle considerations

Personal information has an inherent life cycle, from creation and generation, through storage, processing, use and transmission, to eventual destruction or disappearance. Personal information faces different risks at different stages of its life cycle, but it is important to protect it at every stage. Personal information protection needs to be considered in combination with existing and new information systems, and full life-cycle management should be carried out.

Information technology - Security techniques - Code of practice for protection of personal information in public clouds

1 Scope

This document gives, on the basis of GB/T 22081, the control objectives and controls for implementing personal information protection in public clouds, together with guidelines for the protection of personal information in public clouds. This document applies to organizations of all types and sizes that act as personal information processors, including public and private companies, government agencies and non-profit organizations. This document may also apply to organizations that act as personal information controllers. However, personal information controllers may also be subject to additional personal information protection laws, regulations and obligations that do not apply to personal information processors. This document does not cover such additional obligations.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.

GB/T 22081-2016 Information technology - Security techniques - Code of practice for information security controls (ISO/IEC 27002:2013, IDT)
GB/T 29246 Information technology - Security techniques - Information security management systems - Overview and vocabulary (GB/T 29246-2017, ISO/IEC 27000:2016, IDT)
GB/T 32400 Information technology - Cloud computing - Overview and vocabulary (GB/T 32400-2015, ISO/IEC 17788:2014, IDT)
GB/T 35273-2020 Information security technology - Personal information security specification

3 Terms and Definitions

The terms and definitions given in GB/T 29246 and GB/T 32400 and the following apply to this document.

3.1 Personal information
Information recorded electronically or otherwise that, alone or in combination with other information, can identify a specific natural person or reflect the activities of a specific natural person.
Note 1: Personal information includes name, date of birth, ID number, personal biometric information, address, communication contact information, communication records and content, account password, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information, etc.
Note 2: For the methods of determining personal information and its types, see Appendix A of GB/T 35273-2020.
Note 3: Information formed by the personal information controller through the processing of personal information or other information, such as user profiles or feature tags, is personal information if, alone or in combination with other information, it can identify a specific natural person or reflect the activities of a specific natural person.
[Source: GB/T 35273-2020, 3.1]

3.2 Personal information controller
An organization or individual that has the ability to decide the purpose and method of processing personal information.
[Source: GB/T 35273-2020, 3.4]

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 41574-2022_English be delivered?

Answer: Upon your order, we will start to translate GB/T 41574-2022_English as soon as possible, and keep you informed of the progress. The lead time is typically 3 ~ 5 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 41574-2022_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 41574-2022_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.