GB/T 39335-2020 English PDF (GBT39335-2020)
Price: $380.00 USD
Delivery: 3 seconds. Download true-PDF + Invoice.
Historical versions: GB/T 39335-2020
GB/T 39335-2020: Information security technology -- Guidance for personal information security impact assessment
GB/T 39335-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Guidance for
personal information security impact assessment
ISSUED ON: NOVEMBER 19, 2020
IMPLEMENTED ON: JUNE 01, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 Assessment principle ... 5
4.1 Overview ... 5
4.2 The value of conducting an assessment ... 5
4.3 Purpose of assessment report ... 6
4.4 Subjects responsible for assessment ... 8
4.5 Basic principles of assessment ... 8
4.6 Elements to be considered in the assessment implementation ... 9
5 Implementation process of assessment ... 11
5.1 Analysis of assessment necessity ... 11
5.2 Assessment preparation ... 13
5.3 Data mapping analysis ... 17
5.4 Identification of risk sources ... 18
5.5 Analysis of the impact of personal rights ... 23
5.6 Comprehensive analysis of security risks ... 24
5.7 Assessment report... 25
5.8 Risk treatment and continuous improvement ... 25
5.9 Development of report release strategy ... 26
Appendix A (Informative) Examples of evaluative compliance and assessment points ... 27
Appendix B (Informative) Examples of high-risk personal information processing activities ... 31
Appendix C (Informative) Commonly used tools for personal information security impact assessment ... 34
Appendix D (Informative) Reference method for personal information security impact assessment ... 37
References ... 43
Information security technology - Guidance for
personal information security impact assessment
1 Scope
This standard provides the basic principles and implementation process of
personal information security impact assessment.
This standard applies to various organizations carrying out personal information
security impact assessment on their own. At the same time, it can serve as a
reference for the supervision, inspection and assessment of personal information
security by the competent regulatory authorities, third-party assessment
agencies and other organizations.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) is applicable to this standard.
GB/T 20984 Information security technology - Risk assessment specification
for information security
GB/T 25069-2010 Information security technology - Glossary
GB/T 35273-2020 Information security technology - Personal information
security specification
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 35273-2020,
as well as the following terms and definitions, apply to this document.
3.1
Personal information
Various information, which is recorded electronically or in other ways, which
can identify a specific natural person alone OR in combination with other
information OR reflect the activities of a specific natural person.
scenarios, the responsible and participating departments and personnel, the
identified risks, the list of adopted and proposed security control measures,
residual risks, etc.
Therefore, the purpose of the personal information security impact assessment
report includes but is not limited to:
a) For the subject of personal information, the assessment report can ensure
that the subject of personal information understands how their personal
information is processed AND how to protect it; the subject of personal
information is enabled to judge whether there are residual risks which
have not been dealt with.
b) For organizations, which conduct impact assessments, the purpose of the
assessment report may include:
1) In the planning stage of a product, service or project, it is used to ensure
that the protection requirements of personal information are fully
considered and realized in the design of the product or service (for
example, the achievability, feasibility, traceability, etc. of the security
mechanism);
2) During the operation of products, services or projects, it is used to
determine whether the internal and external factors of the operation
(such as changes in the operation team, Internet security environment,
third-party security control capabilities for information sharing, etc.)
or laws and regulations have undergone substantial changes, and whether
it is necessary to review and correct the results of the impact assessment;
3) It is used to establish a responsibility system, to supervise whether
security protection measures have been taken, for personal information
processing activities, which have security risks, to improve or eliminate
the identified risks;
4) It is used to enhance the personal information security awareness of
internal employees.
c) For the competent regulatory department, the organization is required to
provide a personal information security impact assessment report; the
organization may be urged to carry out the assessment AND take effective
security control measures. When handling personal information security
related complaints, investigating personal information security incidents,
etc., the competent supervisory authority can understand the relevant
situation, through the impact assessment report, OR use the report as
relevant evidence.
d) For the partners of the organization that conducts the impact assessment,
it is used to understand their role and function in the business scenario as
a whole, as well as their specific personal information protection work and
responsibilities.
4.4 Subjects responsible for assessment
The organization designates the department or person responsible for
personal information security impact assessment, who is responsible for the
formulation, implementation and improvement of the personal information security
impact assessment work process, AND is responsible for the quality of the
personal information security impact assessment work results. The responsible
department or person is independent AND is not affected by the assessed party.
Usually, the department, which takes the lead in the implementation of personal
information security impact assessment, is the legal department, the
compliance department, or the information security department.
Responsible departments, within the organization, can choose to carry out
personal information security impact assessments on their own, OR hire
external independent third parties, to undertake specific personal information
security impact assessments, based on the specific capabilities of the
department.
For specific products, services or projects, the person in charge of the
corresponding product, service or project shall ensure the development and
smooth progress of personal information security impact assessment activities,
AND provide corresponding support.
When the organization conducts the personal information security impact
assessment on its own, the competent supervisory authority and the client can
request an independent audit, to verify the rationality and completeness of the
impact assessment activity. At the same time, the organization allows the
competent regulatory au...