GB/T 42447-2023 English PDF (GBT42447-2023)
GB/T 42447-2023: Information security technology -- Data security guidelines for telecom field
GB/T 42447-2023
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology -
Data security guidelines for telecom field
ISSUED ON: MARCH 17, 2023
IMPLEMENTED ON: OCTOBER 01, 2023
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Security principles
7 General security measures for telecom data
8 Security measures for telecom data processing
Bibliography
Information security technology -
Data security guidelines for telecom field
1 Scope
This document provides security principles and general security measures for carrying
out data processing activities in the telecom field, as well as corresponding security
measures that should be taken during the implementation of data collection, storage,
use and processing, transmission, provision, disclosure, destruction, etc.
This document applies to guiding telecom data processors in carrying out data security
protection work, and also applies to guiding third-party organizations in carrying out
telecom data security assessment work.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
GB/T 41479-2022 Information security technology - Network data processing
security requirements
3 Terms and definitions
For the purpose of this document, the terms and definitions defined in
GB/T 41479-2022 and the following apply.
3.1
telecom data
Data generated and collected in the course of telecommunications field business
operations.
NOTE 1: Such as user identity information, call data, location data, signaling data, base station
construction and operation and maintenance data, network optimization data, etc.
NOTE 2: Without causing confusion, “telecommunications field data” in this document is
referred to as “telecom data”.
3.2
NOTE 1: The identification rules for important data and core data refer to relevant national and
industry standards, and other data are general data. Since general data covers a wide range of
data, telecom data processors can refine and grade general data according to production and
operation needs.
NOTE 2: For links where general measures and enhancement measures are not distinguished,
general data, important data, and core data shall be protected with reference to the same
measures.
6 Security principles
Telecom data processors shall adhere to the following principles:
a) Principle of three synchronization of security: during the design, construction, and
operation of relevant platforms carrying data, achieve synchronous planning,
construction, and operation of data security protection measures;
b) Principle of classification and grading protection: classify and grade data, and
take appropriate security measures commensurate with data security risks
according to differential characteristics such as category attributes, importance,
and sensitivity to ensure data security;
c) Principle of minimum necessary: during the collection, storage, use, processing,
transmission, provision, disclosure, destruction and other processing activities of
data, the type and size of data used are limited to those necessary for business
development and have legal, legitimate, and necessary purposes;
d) Principle of full life cycle management and control: data security protection
measures cover the entire life cycle of data from generation to destruction;
e) Principle of continuous evaluation and optimization: conduct normalized and
comprehensive security evaluation of security measures, and continuously and
dynamically optimize data security protection measures based on the evaluation
results.
7 General security measures for telecom data
7.1 Organizational guarantee
Telecom data processors should take the following security measures in terms of
organizational guarantee.
a) General measures:
1) Clarify the responsible departments for data security management, equip data
security managers, formulate data security system specifications and operating
procedures, and equip data security technical capabilities;
2) Establish a supervision, inspection, and assessment management system for
data security protection, and carry out data security supervision, inspection,
and assessment management.
b) Enhancement measures:
1) Establish a data security working system, clarify the data security management
organization, set up full-time positions for data security management, and
establish a collaboration mechanism between the data security management
organization and relevant departments;
2) Clarify key roles such as the person with the primary responsibility for data
security management within the organization;
3) Sort out the job positions involving important data and core data processing,
clarify job responsibilities, and sign a data security responsibility letter or
confidentiality agreement.
7.2 Data classification and grading
Telecom data processors should take the following security measures in terms of data
classification and grading.
a) General measures:
1) Regularly sort out data assets, form and update a list of data assets in a timely
manner, and carry out data classification and grading in accordance with
relevant regulations;
2) Classify organizational data categories based on factors such as business needs,
data sources, and uses, and update the data asset list in a timely manner based
on changes in data assets and changes in classification and grading
requirements.
b) Enhancement measures: Form and update a catalog of important data and core
data, and carry out catalog filing work in accordance with relevant regulations.
7.3 Permission management
Telecom data processors should take the following security measures in terms of
authority management.
a) General measures:
1) Clarify the data security audit coordinating department, assign security
auditors, and conduct security audits on authority allocation approval, data
processing logs, etc.;
2) Determine necessary data security audit strategies, clarify audit objects, audit
content and implementation cycles, and carry out security audits and data
analysis in key scenarios such as major data operations, unauthorized access
to data and remote access to data;
3) Promptly deal with, rectify, and track and review problems discovered in the
audit, and formulate regular data security audit summaries in accordance with
relevant regulations.
b) Enhancement measures:
1) Carry out data security audit technical capacity building (such as 4A), and
refine security audit strategies for common risks and prone events;
2) Regularly form a summary of security audits of important data and core data
in accordance with relevant regulations.
7.6 Risk monitoring and early warning
Telecom data processors should take the following security measures in terms of risk
monitoring and early warning: carry out data security risk monitoring; conduct
monitoring and inspections of data assets, data processing environments, network and
system equip...