GB/T 32920-2023 Information security technology—Information security management for inter-sector and inter-organizational communications (English Version)
GB/T 32920-2023 Information security technology - Information security management for inter-sector and inter-organizational communications
1 Scope
This document provides guidelines in addition to the guidance given in the Information Security Management System (ISMS) for implementing information security management within information sharing communities.
This document provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods.
This document is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization's or nation state's critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013, IDT)
GB/T 22081-2016 Information technology - Security techniques - Code of practice for information security controls (ISO/IEC 27002:2013, IDT)
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2016, IDT)
Note: There is no technical difference between the contents cited in GB/T 29246-2017 and those cited in ISO/IEC 27000:2014.
3 Terms and definitions
For the purposes of this document, the terms and definitions in GB/T 29246-2017 apply.
4 Concepts and justification
4.1 Introduction
ISMS guidance specific to inter-sector and inter-organizational communications has been identified in Clauses 5 to 18 of this document.
GB/T 22081-2016 defines controls that cover the exchange of information between organizations on a bilateral basis, and also controls for the general distribution of publicly available information. However, in some circumstances there exists a need to share information within a community of organizations where the information is sensitive in some way and cannot be made publicly available other than to members of the community. Often the information can only be made available to certain individuals within each member organization, or may have other security requirements such as anonymization of information. This document defines additional potential controls and provides additional guidance and interpretation of GB/T 22080-2016 and GB/T 22081-2016 in order to meet these requirements.
There are four informative annexes. Annex A describes the potential benefits from sharing sensitive information between organizations. Annex B provides guidance on how members of an information sharing community can assess the degree of trust that can be placed in information provided by other members. Annex C describes the Traffic Light Protocol, a mechanism widely used in information sharing communities to indicate the permitted distribution of information. Annex D contains some examples of models for organizing an information sharing community.
4.2 Information sharing communities
To be effective, information sharing communities must have some common interest or other relationship to define the scope of the shared sensitive information. For example, communities may be market-sector specific, and limit membership to organizations within that one sector. Of course, there may be other bases for common interest, for example geographical location or common ownership.
There must also be trust between members, in particular that all members will follow the information sharing agreement (see A.6 for details).
4.3 Community management
Information sharing communities may be created from independent organizations or parts of organizations. Information security management commitment is necessary. There should, therefore, be clear organizational structures and management functions for community information security management.
Differences among member organizations of an information sharing community should also be considered. The differences could include:
- differing legal or regulatory environments,
- whether member organizations already operate their own ISMS, and
- member rules on protections of assets and information disclosure.
4.4 Supporting entities
Many information sharing communities may choose to establish or appoint a centralized supporting entity to organize and support information sharing. Such an entity can provide many supporting controls such as anonymization of source and recipients more easily and efficiently than where members communicate directly.
There are a number of different organizational models that can be used to create supporting entities. Annex D describes two common models, the Trusted Information Communication Entity (TICE) and the Warning, Advice and Reporting Point (WARP).
4.5 Inter-sector communication
Many information sharing communities will be sector based, as this provides a natural scope of common interest. However, there may well be information shared by such communities that would be of interest to other information sharing communities established in other sectors. In such cases it may be possible to establish information sharing communities of information sharing communities, again based on some common interest, such as the nature of the shared information. We refer to this as inter-sector communication.
Supporting entities provide effective support for inter-sector communication: on one hand, they establish the necessary information exchange agreements and controls; on the other hand, they can provide anonymization of the source or recipient organizations for some inter-sector communities.
4.6 Conformity
There are a number of places where GB/T 22080-2016 will need to be interpreted when applied to an information sharing community (or, for inter-sector communication, a community of communities).
The first area where interpretation is required is the definition of the organization concerned.
GB/T 22080-2016 requires that an ISMS is established, implemented, maintained and continually improved by an organization (GB/T 22080-2016, 4.4). In this context, the relevant organization is the information sharing community. However, the members of the information sharing community will themselves be organizations (see Figure 1).
Secondly, in many information sharing communities, not all persons within the member organizations will be permitted access to the sensitive information shared between members. In this case, part of the member organization will be within the scope of the community ISMS and part will be outside. The part outside the community scope will only have access to community information if it is marked for wider release (see Figure 2).
Members of the information sharing community may have their own information security management systems and, in consequence, some processes might fall within the scope of both the community's and the member's management systems. In this case, there is at least a theoretical possibility of conflicting and incompatible requirements upon those processes. This might be an issue justifying exclusion from the scope of the member's ISMS (see GB/T 22080-2016, 4.3).
When defining its risk assessment process (GB/T 22080-2016, 6.1.2), the information sharing community will need to recognize that the impact of risks may be different on different members of the community. The community will, therefore, need to choose a risk assessment methodology that can handle non-uniform impact, and similarly for its risk assessment criteria.
4.7 Communications model
Communications of sensitive information as covered by this document can take any form: written, verbal or electronic.
In this document, sensitive communications are described in terms of the following participants:
- The source is the person or organization that originates an item of information; the source does not need to be a member of the community.
- The originator is the member of an information sharing community that initiates its distribution within the community. The originator may distribute the information directly, or send it to a supporting entity for distribution. The originator may, but need not be, the same as the source of the information; the originator may conceal the identity of the source. Communities may provide facilities to enable a member to conceal its own identity as the originator.
- A recipient is a receiver of information distributed within the community. Recipients need not be members of the community if the information is identified as available for wider distribution. Communities may provide facilities to enable recipients to conceal their identities from the originators of information.
Standard: GB/T 32920-2023 Information security technology - Information security management for inter-sector and inter-organizational communications (English Version)
Standard No.: GB/T 32920-2023
Status: valid
Language: English
File Format: PDF
Word Count: 14500 words
Price (USD): 435.0
Implemented on: 2023-12-1
Delivery: via email in 1~3 business days