Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Security technical requirements;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People’s Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC180).
Financial application specification of cloud computing technology - Disaster recovery
1 Scope
This standard specifies the disaster recovery requirements for cloud computing platforms in the financial field, including disaster recovery capability grading, disaster recovery plan and exercise, organization management, monitoring management, supervision management and other aspects of cloud computing platforms.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are essential for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition of the normative document (including any amendments) applies.
GB/T 20988-2007 Information security technology - Disaster recovery specifications for information systems
GB/T 22240-2008 Information security technology - Classification guide for classified protection of information systems security
GB/T 30146-2013 Social security - Business continuity management systems - Requirements
JR/T 0044-2008 Management specification of information system disaster recovery for banks
JR/T 0166-2018 Financial application specification of cloud computing technology - Technical architecture
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in JR/T 0166-2018 and the following apply.
3.1
disaster
emergency incident, man-made or natural, which causes major failure or breakdown of an information system or severe damage to its data, so that the business functions supported by the information system stop or the service level decreases to an unacceptable degree, and which lasts for a certain time
[JR/T 0044-2008, Definition 3.2]
3.2
disaster recovery
activity and process designed to recover the information system from the operation failure or unacceptable state caused by a disaster to a normal operation state, and to recover the business functions it supports from the abnormal state caused by the disaster to an acceptable state
[JR/T 0044-2008, Definition 3.3]
3.3
risk analysis
process of determining the risks affecting the normal operation of an information system, evaluating the functions vital to the business operation of the organization and defining the control measures to reduce the potential hazards. Risk analysis often involves evaluation of the probability of a special incident
[JR/T 0044-2008, Definition 3.6]
3.4
business impact analysis
analysis of business functions and the relevant information system resources, and evaluation of the impact of a specific disaster on each business function
[JR/T 0044-2008, Definition 3.7]
3.5
business continuity
the capability of an organization to continue delivering products or providing services at a predetermined acceptable level after a disruptive event occurs
[GB/T 30146-2013, Definition 3.3]
3.6
recovery time objective
the requirement for the time interval within which the information system must be recovered from a halt after a disaster occurs
[JR/T 0044-2008, Definition 3.17]
3.7
recovery point objective
the requirement for the time point to which the data must be recovered after a disaster occurs
[JR/T 0044-2008, Definition 3.18]
3.8
system availability
the capability of a cloud service to perform specified functions under specified conditions, at a specified moment or within a specified time interval (excluding planned intervals of service interruption), provided that the required external resources are guaranteed; it is usually measured by the permitted unplanned annual service interruption time and an availability of at least “several (n) 9s”
3.9
availability zone
physical zone into which the cloud computing platform is divided after comprehensive consideration of infrastructure disaster recovery factors such as power, network and water supply; it includes physical resources such as air conditioners, power facilities, hosts, networks and memories
3.10
availability zone in the same region
two availability zones are availability zones in the same region with respect to each other when they are capable of withstanding, at the same time, the effects of all disasters such as power supply and water supply interruption, flooding, fire, network failure, hardware damage, and traffic disruption. Under normal circumstances, the geographical distance between two availability zones in the same region is tens of kilometers
3.11
availability zone in the different region
two availability zones are availability zones in different regions with respect to each other when they are capable of withstanding, at the same time, the effects of all large-scale regional disasters such as wars, floods, tsunamis, typhoons and earthquakes. Under normal circumstances, the geographical distance between two availability zones in different regions is more than several hundred kilometers
3.12
exercise
exercises for improving disaster recovery capability based on disaster recovery plans, including desktop exercise, simulation exercise and field exercise
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
RPO Recovery Point Objective
RTO Recovery Time Objective
5 General
In recent years, the application of cloud computing technology in the financial field has gradually deepened and has profoundly affected and changed the technical architecture, service model and business processes of financial institutions, but it has also brought new challenges to disaster recovery. Owing to technical characteristics such as multi-tenancy, virtualization and resource pooling, the architecture of a cloud computing platform differs in many ways from the traditional one in terms of disaster recovery impact evaluation, key indicators, technical requirements, organization management, etc.; these differences shall be given great importance and properly handled. A cloud computing platform is still, in essence, an information system, and shall meet the national and financial-industry requirements for the disaster recovery of information systems. This standard mainly proposes differentiated disaster recovery requirements based on the characteristics of cloud computing platforms.
6 Disaster recovery capability grading of cloud computing platform
6.1 Risk and business impact analysis
Financial institutions shall conduct a detailed risk analysis of the cloud computing platform based on the business continuity objective and business development plan. During risk analysis, cloud service providers, cloud service users and cloud service partners shall focus on defining the objectives and scope of the risk analysis based on current business scenarios, and shall thoroughly analyze the threats they face and the vulnerability of the current system, using appropriate analysis methods to evaluate the probability of occurrence of the various risks and the possible losses.
In the cloud computing environment of the financial field, risk analysis shall focus on new risks, threats, vulnerabilities and damages that might arise from the use of cloud computing technology, including but not limited to the following aspects:
——decline in service capability or unavailability of the system probably caused by multi-tenant resource competition in cloud computing environment.
——information leakage probably caused by improper isolation measures in cloud computing environment.
——system interruption probably caused by a single point bottleneck of equipment or performance in cloud computing environment.
——resource and information misuse probably caused by insufficient self-service control in cloud computing environment.
——concurrency of mass problems probably caused by system failures, upgrades, etc. in cloud computing environment.
Research and judgment are required on possible impacts of risks on business after a rigorous risk analysis.
During the business impact analysis, it is necessary first to conduct business function analysis based on factors such as supervision requirements, business nature, business service scope, degree of data concentration, business time sensitivity, and functional relevance, and then to evaluate the possible impacts of business interruption so as to determine the disaster recovery objective and recovery priority.
In the cloud computing environment of the financial field, the business impact analysis shall focus on (including but not limited to) the following aspects:
——comprehensive evaluation is required on the impacts on cloud computing platform in the case that multiple financial applications are possibly subjected to disasters at the same time.
——uncertainty of the same failure impact caused by the uncertainty of the actual physical equipment on which the applications and data are deployed.
Contents of JR/T 0168-2018
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Disaster recovery capability grading of cloud computing platform
7 Plan and exercise
8 Organization management
9 Monitoring management
10 Supervision management