GB/T 37988-2019 English PDF (GBT37988-2019)
GB/T 37988-2019: Information security technology - Data security capability maturity model
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology data security capability maturity model
Issued 2019-08-30
Implemented 2020-03-01
Issued by the State Administration for Market Regulation
and the Standardization Administration of China
Table of contents
Foreword Ⅲ
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Abbreviations 3
5 DSMM architecture 3
5.1 Maturity Model Architecture 3
5.2 Security Capability Dimension 4
5.3 Ability maturity level dimension 4
5.4 Data security process dimension 6
6 Data Collection Security 7
6.1 PA01 Data Classification and Grading 7
6.2 PA02 Data Collection Security Management 8
6.3 PA03 Data Source Identification and Recording 9
6.4 PA04 Data Quality Management 11
7 Data transmission security 12
7.1 PA05 Data Transmission Encryption 12
7.2 PA06 Network Availability Management 13
8 Data storage security 14
8.1 PA07 Storage Media Security 14
8.2 PA08 Logical Storage Security 15
8.3 PA09 Data Backup and Recovery 17
9 Data Processing Security 19
9.1 PA10 Data Desensitization 19
9.2 PA11 Data Analysis Security 20
9.3 PA12 Proper Use of Data 22
9.4 PA13 Data Processing Environment Security 23
9.5 PA14 Data Import and Export Security 24
10 Data Exchange Security 26
10.1 PA15 Data Sharing Security 26
10.2 PA16 Data Release Security 27
10.3 PA17 Data Interface Security 28
11 Data Destruction Security 29
11.1 PA18 Data Destruction and Disposal 29
11.2 PA19 Storage Media Destruction and Disposal 31
12 General Security 32
12.1 PA20 Data Security Strategy Planning 32
12.2 PA21 Organization and Personnel Management 34
12.3 PA22 Compliance Management 36
12.4 PA23 Data Asset Management 38
12.5 PA24 Data Supply Chain Security 39
12.6 PA25 Metadata Management 41
12.7 PA26 Terminal Data Security 42
12.8 PA27 Monitoring and Audit 43
12.9 PA28 Authentication and Access Control 44
12.10 PA29 Requirements Analysis 46
12.11 PA30 Security Incident Response 47
Appendix A (informative) Description of Capability Maturity Levels and GPs 49
A.1 Overview 49
A.2 Capability Maturity Level 1-Informal Implementation 49
A.3 Capability Maturity Level 2-Plan Tracking 49
A.4 Capability Maturity Level 3-Fully Defined 50
A.5 Capability Maturity Level 4-Quantitative Control 51
A.6 Capability Maturity Level 5-Continuous Optimization 52
Appendix B (informative) Reference Method for Capability Maturity Level Assessment 54
Appendix C (informative) Capability Maturity Level Assessment Process and Model Usage Method 55
C.1 Capability maturity level assessment process 55
C.2 How to use the capability maturity model 56
References 57
1 Scope
This standard provides the maturity model architecture for an organization's data security capabilities and specifies the capability maturity level requirements for data collection security, data transmission security, data storage security, data processing security, data exchange security, data destruction security, and general security.
This standard applies to the assessment of an organization's data security capabilities and can also serve as a basis for an organization to build up its data security capabilities.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
3 Terms and definitions
The terms and definitions given in GB/T 25069-2010 and GB/T 29246-2017 and the following apply to this document.
3.1
Data security
The state in which data is effectively protected and used in a compliant manner, ensured through management and technical measures.
3.2
Confidentiality
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
[GB/T 25069-2010, definition 2.1.1]
3.3
Integrity
The property of accuracy and completeness.
[GB/T 29246-2017, definition 2.40]
3.4
Availability
The property of data and resources being accessible and usable on demand by an authorized entity.
[GB/T 25069-2010, definition 2.1.20]
3.5
Data security capability
The organization's data security assurance capability in terms of organizational construction, system processes, technical tools, and personnel capability.
3.6
Capability maturity
The degree to which an organization's capability for methodical and continuous improvement, and the continuity, sustainability, effectiveness, and credibility of a specific process, have been realized.
3.7
Capability maturity model
A model for measuring the capability maturity of an organization, comprising a series of characteristics, attributes, indicators, or patterns.
Note: The capability maturity model provides a reference benchmark against which an organization can measure the capability level of its current practices, processes, and methods, and sets clear goals for improvement.
3.8
Security process
The complete set of activities used to achieve a specific security goal; the process includes inputs and outputs.
Example: In the security process "security audit", the input is the system log and the output is the audit report.
3.9
Process area
A collection of related data security basic practices that achieve the same security goal.
Note: A process area contains one or more basic practices.
Example: The process area "Metadata Management" includes the basic practices of establishing a metadata management specification, establishing a metadata access control policy, and establishing metadata technical tools.
3.10
Basic practice
Data security related activities carried out to achieve a specific security goal.
Example: Establishing a data asset inventory, classifying and managing data assets, etc.
3.11
Generic practice
Assessment criteria used during an assessment to determine the implementation capability of any security process area or basic practice.
3.12
Data desensitization
A data protection method in which raw data is processed through a series of data processing steps so that sensitive data is shielded.
3.13
Data processing
The process of extracting, transforming, and loading raw data.
Note 1: Data processing includes the development of data products or data analysis.
Note 2: Data products include, but are not limited to, software and hardware products that access raw data and provide data computation, data storage, data exchange, data analysis, data mining, data display, and other applications.
3.14
Data supply chain
A structure that interconnects the demander and the supplier through resources and processes in order to fulfil a data supply relationship.
3.15
Procedure
A written description of the course of actions taken to perform a given task.
[GB/T 25069-2010, definition 2.1.7]
3.16
Compliance
The degree to which the laws, regulations, and standards applicable to data security are complied with.
c) Data security process dimension
1) The data security process includes the data life cycle security process and the general security process;
2) The data life cycle security process specifically includes 6 stages: data collection security, data transmission security, data storage security, data processing security, data exchange security, and data destruction security.
5.2 Security Capability Dimensions
5.2.1 Capability composition
By quantifying the security capability of each of the organization's data security processes, the degree to which each security process is realized can be assessed.
Security capability is divided into the following 4 aspects:
a) Organizational construction: the establishment of a data security organization, the assignment of responsibilities, and communication and collaboration;
b) System process: the organization's implementation of systems and processes in the field of data security;
c) Technical tools: implementing security requirements or automating security work through technical means and product tools;
d) Personnel capability: the security awareness and related professional capability of personnel performing data security work.
5.2.2 Organization Building
From the perspective of the organizational construction capability that an organization undertaking data security work should have, the capability level is differentiated according to the following aspects:
a) The applicability of the data security organization structure to the organization's business;
b) The clarity of the work responsibilities undertaken by the data security organization;
c) The effectiveness of data security organization operations, communication and coordination.
5.2.3 System process
From the perspective of the organization's construction and implementation of its data security system, the capability level is differentiated according to the following aspects:
a) The clarity of the authorization and approval process for key control nodes in the data life cycle;
b) The standardization of the formulation, release, and revision of related process systems;
c) Consistency and effectiveness of the implementation of system procedures.
5.2.4 Technical tools
Starting from the security technologies, application systems, and tools the organization uses to carry out data security work, the capability level is differentiated according to the following aspects:
a) The use of data security technology across the entire data life cycle, and the capability to address security risks across the entire data life cycle;
b) The capability to support data security work automatically with technical tools, and to enforce the organization's data security system procedures through those tools.
5.2.5 Personnel Ability
Starting from the capability of the personnel responsible for undertaking the organization's data security work, the capability level is differentiated according to the following aspects:
a) Whether the data security skills of data security personnel meet the capability requirements for achieving the security goals (understanding of the data-related business and data security professional capability);
b) The data security awareness of data security personnel, and the data security capability training given to employees in critical data security positions.
5.3 Capability maturity level dimension
The organization's data security capability maturity is divided into 5 levels, as shown in Table 1.
management, data supply chain security, metadata management, terminal data security, monitoring and audit, authentication and access control, requirements analysis, and security incident response, 11 PAs in total.
5.4.2.2 Encoding rules
The data security PA encoding rules are as follows:
a) Each PA has a corresponding number, represented by the increasing numbers 01, 02, ... respectively.
Example 1: PA01 denotes the PA "Data Classification and Grading".
The second group of digits represents the serial number of a specific BP, which is likewise represented by the increasing numbers 01, 02, ...
Example 2: BP.01.01 denotes the first BP in the process area PA01 "Data Classification and Grading".
c) For each level of each PA, the level is achieved only when the requirements of that level and all BPs of the levels below it are met at the same time; the same applies to each higher level.
6 Data collection security
6.1 PA01 Data classification and grading
6.1.1 PA description
Determine the data classification and grading method within the organization based on laws, regulations, and business requirements, and classify, grade, and label the data generated or collected.
6.1.2 Level description
6.1.2.1 Level 1: Informal implementation
The data security capability of this level is described as follows:
System process: The organization has not established a mature and stable data classification and grading method in any business; only part of the data has been classified or graded, based on temporary needs or personal experience (BP.01.01).
6.1.2.2 Level 2: Plan tracking
The data security capability requirements of this level are described as follows:
a) Organizational construction: The relevant personnel of the business team should be responsible for the data classification and grading of the relevant business (BP.01.02);
b) System process: The key data of the core business should be classified and graded according to business characteristics and external compliance requirements (BP.01.03).
6.1.2.3 Level 3: Fully defined
The data security capability requirements of this level are described as follows:
a) Organizational construction: The organization should establish management positions and personnel responsible for data security classification and grading, mainly responsible for defining the organization's overall security principles for data classification and grading (BP.01.04).
b) System process:
1) The principles, methods, and operating guidelines for data classification and grading should be clarified (BP.01.05);
2) The organization's data should be classified, graded, labelled, and managed (BP.01.06);
3) Security control measures for data of different types and levels, such as access control, data encryption and decryption, and data desensitization, should be established (BP.01.07);
4) The approval process and mechanism for changes to data classification and grading should be clarified, so that change operations to data classification and grading, and their results, are guaranteed through this process to meet the organization's requirements (BP.01.08).
c) Technical tools. Data classifi...
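As an added illustration of encoding rule c) in 5.4.2.2 (example code, not text from the standard), the function below computes the level a PA reaches from the set of BPs an assessor has marked as satisfied, using the BP-to-level assignment shown for PA01 in 6.1.2; the level dictionary and the sample assessor results are constructed here, and the level-3 list stops where the page's text is cut off.

```python
import re

# BP-to-level assignment for PA01, constructed from 6.1.2 (the level-3 list
# is truncated on the page, so only the BPs visible there are included).
PA01_BPS_BY_LEVEL = {
    1: {"BP.01.01"},
    2: {"BP.01.02", "BP.01.03"},
    3: {"BP.01.04", "BP.01.05", "BP.01.06", "BP.01.07", "BP.01.08"},
}

# Encoding rule from 5.4.2.2: "BP.<PA number>.<BP serial number>", two digits each.
BP_CODE = re.compile(r"^BP\.(\d{2})\.(\d{2})$")


def parse_bp(code):
    """Return (pa_number, bp_serial) for a BP code, or raise ValueError."""
    m = BP_CODE.match(code)
    if not m:
        raise ValueError(f"not a BP code: {code!r}")
    return int(m.group(1)), int(m.group(2))


def achieved_level(bps_by_level, satisfied):
    """Highest level whose BPs, and those of every lower level, are all satisfied.

    Rule c) is cumulative: a gap at level 2 caps the result at level 1 even
    if every level-3 BP is in place. Returns 0 when level 1 itself is not met.
    """
    for code in satisfied:
        parse_bp(code)  # reject malformed assessor input early
    level = 0
    for lvl in sorted(bps_by_level):
        if not bps_by_level[lvl] <= satisfied:
            break
        level = lvl
    return level


def missing_for_level(bps_by_level, satisfied, target):
    """Sorted list of BPs still needed to reach `target` (all levels <= target)."""
    required = set()
    for lvl, bps in bps_by_level.items():
        if lvl <= target:
            required |= bps
    return sorted(required - set(satisfied))


if __name__ == "__main__":
    # Constructed assessor result: level-3 work done, but BP.01.03 never implemented.
    done = {"BP.01.01", "BP.01.02", "BP.01.04", "BP.01.05", "BP.01.06", "BP.01.07", "BP.01.08"}
    print(achieved_level(PA01_BPS_BY_LEVEL, done))        # 1
    print(missing_for_level(PA01_BPS_BY_LEVEL, done, 3))  # ['BP.01.03']
```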