GB/T 37988-2019 English PDF (GB/T37988-2019)

GB/T 37988-2019: Information security technology - Data security capability maturity model
GB/T 37988-2019
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Data security
capability maturity model
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4 
1 Scope ... 5 
2 Normative references ... 5 
3 Terms and definitions ... 5 
4 Abbreviations ... 8 
5 DSMM architecture ... 9 
5.1 Maturity Model Architecture ... 9 
5.2 Security capability dimensions ... 10 
5.3 Capability maturity level dimension ... 11 
5.4 Data security process dimension ... 14 
6 Data collection security ... 16 
6.1 PA01 Data classification and grading ... 16 
6.2 PA02 Data collection security management ... 18 
6.3 PA03 Data source authentication and recording ... 21 
6.4 PA04 Data quality management ... 23 
7 Data transmission security ... 25 
7.1 PA05 Data transmission encryption ... 25 
7.2 PA06 Network availability management ... 28 
8 Data storage security ... 29 
8.1 PA07 storage media security ... 29 
8.2 PA08 Logic storage security ... 31 
8.3 PA09 Data backup and recovery ... 34 
9 Data processing security ... 38 
9.1 PA10 Data desensitization ... 38 
9.2 PA11 Data analysis security ... 41 
9.3 PA12 Data proper use ... 44 
9.4 PA13 Data processing environment security ... 46 
9.5 PA14 Data import and export security ... 49 
10 Data exchange security ... 52 
10.1 PA15 Data sharing security ... 52 
10.2 PA16 Data release security ... 55 
10.3 PA17 Data interface security ... 57 
11 Data destruction security ... 59 
11.1 PA18 Data destruction and disposal ... 59 
11.2 PA19 Storage media destruction and disposal ... 61 
12 Generic security ... 64 
12.1 PA20 Data security policy planning ... 64 
12.2 PA21 Organization and personnel management ... 67 
12.3 PA22 Compliance management ... 72 
12.4 PA23 Data asset management ... 76 
12.5 PA24 Data supply chain security ... 78 
12.6 PA25 Metadata management ... 81 
12.7 PA26 Terminal data security ... 83 
12.8 PA27 Monitoring and audit ... 85 
12.9 PA28 Authentication and access control ... 88 
12.10 PA29 Requirement analysis ... 91 
12.11 PA30 Security incident response ... 93 
Appendix A (Informative) Description of capability maturity level and GP ... 96 
A.1 Overview ... 96 
A.2 Capability maturity level 1 - Informal execution ... 96 
A.3 Capability maturity level 2 - Plan tracking ... 97 
A.4 Capability maturity level 3 - Fully defined ... 99 
A.5 Capability maturity level 4 - Quantitative control ... 101 
A.6 Capability maturity level 5 - Continuous improvement ... 102 
Appendix B (Informative) Reference method for evaluation of capability maturity level ... 104 
Appendix C (Informative) Assessment process of capability maturity level and model usage method ... 105 
C.1 Assessment process of capability maturity level ... 105 
C.2 How to use the capability maturity model ... 107 
References ... 109 
Information security technology - Data security
capability maturity model
1 Scope
This standard provides the architecture of a maturity model for an organization's
data security capabilities, and specifies the maturity level requirements for data
collection security, data transmission security, data storage security, data
processing security, data exchange security, data destruction security and
generic security.
This standard applies to the assessment of an organization's data security
capabilities. It can also be used by an organization as a basis for building its
data security capabilities.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) is applicable to this standard.
GB/T 25069-2010 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information
security management systems - Overview and vocabulary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 29246-
2017, as well as the following terms and definitions apply to this document.
3.1
Data security
Keeping data effectively protected and in a state of compliant use, by means of
management and technical measures.
3.2
Confidentiality
3.8
Security process
A complete process used to achieve a given security goal. The process has
inputs and outputs.
Example: In the "security audit" security process, the input is the system logs and
the output is the audit report.
3.9
Process area
A collection of related data security base practices that achieve the same
security goal.
Note: A process area contains one or more base practices.
Example: The "metadata management" process area includes base practices
such as establishing metadata management specifications, establishing metadata
access control policies and establishing metadata technical tools.
3.10
Base practice
Data security related activities, which are used to achieve a certain security
goal.
Example: Establish a list of data assets, to carry out classified and graded
management of the data assets, etc.
3.11
Generic practice
Evaluation criteria used during an assessment to determine the implementation
capability of any security process area or base practice.
3.12
Data desensitization
A data protection method in which raw data is passed through a series of
processing steps so that the sensitive data in it is shielded.
3.13
From the perspective of how the organization builds and implements its data
security system, the capability level is differentiated according to the following
aspects:
a) The clarity of the authorization and approval process at key control nodes
in the data life cycle;
b) The standardization of the formulation, release and revision of the related
process systems;
c) The consistency and effectiveness with which the system procedures are
implemented.
5.2.4 Technical tools
Starting from the security technologies, application systems and tools that the
organization uses to carry out data security work, the capability level is
differentiated according to the following aspects:
a) The use of data security technology across the entire data life cycle, and
the capability to deal with the security risks of the entire data life cycle;
b) The capability to use technical tools to support data security work
automatically, and to enforce the organization's data security system and
procedures through those tools.
5.2.5 Personnel capability
Starting from the capability of the personnel responsible for data security in the
organization, the capability level is differentiated according to the following
aspects:
a) Whether the data security skills of the data security personnel meet the
capability requirements for achieving the security goals (their understanding
of the data-related business and their professional data security
capabilities);
b) The data security awareness of the data security personnel, and the data
security capability training given to employees in critical data security positions.
5.3 Capability maturity level dimension
The organization's data security capability maturity level is divided into 5 levels,
as shown in Table 1.
The data life cycle security process areas cover the following 6 processes:
a) Data collection security (PA01 ~ PA04) includes 4 PAs: data
classification and grading, data collection security management, data
source authentication and recording, data quality management;
b) Data transmission security (PA05 ~ PA06) includes 2 PAs: data
transmission encryption, network availability management;
c) Data storage security (PA07 ~ PA09) includes 3 PAs: storage
media security, logical storage security, data backup and recovery;
d) Data processing security (PA10 ~ PA14) includes 5 PAs: data
desensitization, data analysis security, data proper use, data processing
environment security, data import and export security;
e) Data exchange security (PA15 ~ PA17) includes 3 PAs: data
sharing security, data release security, data interface security;
f) Data destruction security (PA18 ~ PA19) includes 2 PAs: data
destruction and disposal, storage media destruction and disposal.
The generic security process areas (PA20 ~ PA30) include 11 PAs: data security
policy planning, organization and personnel management, compliance
management, data asset management, data supply chain security, metadata
management, terminal data security, monitoring and audit, authentication and
access control, requirement analysis, security incident response.
5.4.2.2 Coding rules
The rules for coding the data security PAs are as follows:
a) Each PA has a corresponding number, represented by increasing two-digit
numbers 01, 02, ...
Example 1: PA01 stands for the PA "Data classification and grading".
b) Each PA is composed of a number of BPs. A BP is numbered BP.XX.XX, where
the first group of digits is the number of the PA it belongs to and the
second group is the number of the specific BP within that PA. The BP
number is represented by increasing values 01, 02, ...
Example 2: BP.01.01 represents the first BP in the process area PA01 "Data
classification and grading".
c) For each level of each PA, the requirements of that level and all BPs
below that level must be met at the same time, to achieve the
1) It shall clearly define the principles, methods, operation guidelines of
data classification and grading (BP.01.05);
2) The organization's data shall be identified and managed, by
classification and grading (BP.01.06);
3) Establish corresponding security management and control measures,
such as access control, data encryption and decryption, data
desensitization, for different types and levels of data (BP.01.07);
4) The change approval process and mechanism for data classification
and grading shall be clarified; through this process, ensure that the
change operation of data classification and grading as well as its results
meet the requirements of the organization (BP.01.08).
c) Technical tools: Data classification and grading marking tools or data asset
management tools shall be established, to realize the functions of
automatic identification of data classification and grading, release of the
identification results, and review (BP.01.09).
d) Personnel capability: The person in charge of this work shall understand
the compliance requirements of data classification and grading; be able to
identify which data is sensitive data (BP.01.10).
6.1.2.4 Level 4: Quantitative control
The data security capability requirements for this level are described as follows:
Technical tools:
a) It shall record the differences between the automatic classification and
grading results and the results after manual review; regularly analyze and
improve the classification and grading identification tools; and improve the
accuracy of tool processing (BP.01.11);
b) The operation and change process of data classification and grading shall
be recorded and analyzed. Change operation audits shall be carried out
regularly through technical means such as log analysis, so that changes to
data classification and grading are traceable (BP.01.12).
6.1.2.5 Level 5: Continuous improvement
The data security capability requirements for this level are described as follows:
a) System process: The specifications and rules of data classification and
grading shall be reviewed regularly, considering whether the content
completely covers the current business; meanwhile it shall implement
2) The core business shall clearly state the purpose, method and scope
of personal information collection, with the consent of the person being
collected (BP.02.04).
6.2.2.3 Level 3: Fully defined
The data security capability requirements for this level are described as follows:
a) Organization construction: The organization shall set up data collection
security management positions and personnel, who are responsible for
formulating the relevant data collection security management systems,
promoting the implementation of the relevant requirements and processes,
and providing consultation and support for the risk assessment of specific
businesses or projects (BP.02.05).
b) System process:
1) It shall clarify the organization's data collection principles; define the
business data collection process and methods (BP.02.06);
2) It shall clarify the channels for data collection and external data sources;
confirm the legality of external data sources (BP.02.07);
3) It shall clarify the scope, quantity and frequency of data collection, to
ensure that personal information and important data, that are not
related to the provision of services, are not collected (BP.02.08);
4) It shall clarify the risk assessment process for organizing data collection;
carry out the risk assessment, for the collected data source, frequency,
channel, method, data range and type (BP.02.09);
5) It shall clarify the scope of knowledge of personal information and
important data, during the data collection process, as well as the control
measures that need to be taken, to ensure that the personal information
and important data, during the collection process, are not leaked
(BP.02.10);
6) It shall clarify the scope of automatic data collection (BP.02.11).
c) Technical tools:
1) It shall, according to a unified data collection process, build the data
collection-related tools, to ensure the consistency of the organization's
data collection process. At the same time, the rele...