Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
Foreword
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).
Introduction
A big data service is a network information service that covers the data activities of the data lifecycle by means of a scalable big data platform at the lower layer and multiple big data applications at the upper layer, and that targets data sets characterized by large volume, diverse types, high velocity and variable features. Big data service providers shall ensure the secure and reliable operation of the big data platform and applications, and shall meet the security objectives of the big data service, such as confidentiality, integrity and availability.
This standard divides the security capabilities of big data services into two levels: general requirements and enhanced requirements. General requirements mean that, when developing big data services, the provider is able to resist or deal with common threats, to keep the losses caused by damage to the big data service within a limited range and degree, and to perform basic tracing of incidents. Enhanced requirements apply when the big data service is related to national security, or has a greater impact on economic development or on social and public interests; they mean that the provider is able to actively identify and prevent potential attacks, to handle security incidents effectively while keeping their losses small, and to ensure effective tracing of security incidents as well as the reliability, extendibility and scalability of the big data service. The security capability requirements placed on a big data service provider therefore differ according to the importance of the data carried and the extent and severity of the impact that the big data service may cause when it is not provided normally or is damaged.
Information security technology - Security capability requirements for big data services
1 Scope
This standard specifies the organization-related basic security capabilities and data lifecycle-related data service security capabilities that big data service providers shall have.
This standard is applicable to the construction of big data service security capabilities by government departments, enterprises and institutions, as well as to the review and evaluation of the big data service security capabilities of big data service providers by third-party organizations.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22239-2008 Information security technology - Baseline for classified protection of information system security
GB/T 25069-2010 Information security technology - Glossary
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 35273-2017 Information security technology - Personal information security specification
GB/T 35295-2017 Information technology - Big data - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and GB/T 35295-2017 as well as the following apply.
3.1
big data
a data set characterized by large volume, diverse types, high velocity, variable features, etc., which cannot be effectively organized, stored, computed, analyzed or managed using traditional data architectures and data processing technologies
3.2
data lifecycle
the process through which data evolves through its various forms of existence, from generation, through acquisition, transmission, storage, processing (including computing, analysis, visualization, etc.) and interchange, to destruction, etc.
3.3
data service
a network information service that carries data through its forms of existence, such as acquisition, transmission, storage, processing (including computing, analysis, visualization, etc.), interchange and destruction
3.4
big data service
the various data lifecycle-related data services and system services that support organizations or individuals in collecting, storing, using and discovering the value of big data
Note: A big data service generally handles massive, heterogeneous and rapidly changing structured, semi-structured and unstructured data, and is provided through a scalable big data platform at the lower layer and multiple big data applications at the upper layer.
3.5
big data application
the application systems that run on the big data platform to perform data lifecycle-related data activities, such as data acquisition, transmission, storage, processing (including computing, analysis, visualization, etc.), interchange and destruction, and to provide big data services
3.6
big data platform
a set of software and hardware that uses distributed storage and computing technologies to provide access to and processing of big data and to support the secure and efficient operation of big data applications, including the monitoring of the software and hardware infrastructure of the big data service, such as the storage, input/output (I/O) and operation control of big data
3.7
big data service provider
organizations that provide big data services through big data platforms and applications
3.8
big data consumer
end users and other information technology systems or intelligent sensing devices using big data platforms or applications
3.9
big data system
information system including big data consumers, big data service providers, big data applications and big data platforms
3.10
data supply chain
a chain-like structure formed by the available data resources required for planning, coordinating, operating, controlling and optimizing the data collection, preprocessing, aggregation, interchange, access and other related data activities of a big data service provider
Note: The goal of the data supply chain is, through data activities such as planning, coordination, operation, control and optimization, to enable the big data service provider to deliver all the data and system assets required for the big data service to the right big data consumers, at the right time and under the right data service agreement.
3.11
data interchange
the process by which data resources are made to flow between different platforms and applications, using appropriate technologies and according to defined principles, so as to meet the needs of transmitting and processing data resources between those platforms or applications
3.12
data sharing
a technology that allows different big data consumers to access the various data resources integrated by a big data service, and to carry out computing, analysis, visualization and other processing on those resources, through the big data service or through data interchange technology
3.13
important data
data collected and generated by Chinese organizations and individuals within the territory of the PRC which do not involve state secrets but are closely related to national security, economic development and public interests
Note: Important data usually refers to data (including original data and derivative data) collected and generated in the course of their business activities by organizations in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services and e-government, which does not involve state secrets but which, once leaked, tampered with or abused, will adversely affect national security, economic development or social and public interests.
4 Overview
4.1 General requirements
Big data service providers shall take the necessary security control measures for the big data service infrastructure from the perspective of information technology (IT), in accordance with GB/T 31168-2014 and GB/T 22239-2008, to ensure the secure and reliable operation of the system services of big data platforms and applications and the business mission of the big data service. This standard specifies only the basic security requirements and the data service security requirements that organizations providing big data services through big data platforms and applications shall meet:
a) Basic security requirements: Through security planning and requirements analysis of the big data service, big data service providers shall create big data service security policies and procedures; establish system and data asset inventories, organizational structures and personnel positions; define metadata structures that suit the big data service, data supply chain structures and data service interface specifications that match the business processes; and establish basic security capabilities for the big data service that satisfy the requirements of laws, regulations and related standards.
b) Data service security requirements: Big data service providers shall derive security requirements for data services such as data acquisition, transmission, storage, processing, interchange and destruction from the data lifecycle-related data activities, so as to reduce the security risks of data lifecycle security management in the big data service and to ensure the business mission and data security of the big data service.
Big data service providers shall select the big data service security capability requirements listed herein for construction and evaluation according to the protection value and types of the data in the big data service, in combination with their own big data service modes, roles, objectives and supporting infrastructure (see Annex A).
Note: The data resources involved in a big data service may depend on the data services or system services of other organizations, in which case the big data service provider shall stipulate and implement the corresponding security responsibilities of all participants in the supply chain through contracts, agreements or other means, requiring them to have security protection capabilities equivalent to those of the big data service provider.
4.2 Classification of requirements
This standard divides the security capabilities of big data services into general requirements and enhanced requirements. Big data service providers shall meet the following protection requirements according to the importance of the data carried by the big data system and the extent and severity of the impact that an abnormal big data service may cause:
Contents of GB/T 35274-2017
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 General requirements
4.2 Classification of requirements
5 Basic security requirements
5.1 Policies and procedures
5.2 Data and system assets
5.3 Organization and personnel management
5.4 Service planning and management
5.5 Data supply chain management
5.6 Compliance management
6 Data service security requirements
6.1 Data acquisition
6.2 Data transmission
6.3 Data storage
6.4 Data processing
6.5 Data interchange
6.6 Data destruction
Annex A (Informative) Big data service model, user roles and business objectives
Bibliography