Guidelines for the Construction of the Online Data Security Standards System


(Opinion-seeking draft)

April 2020

Foreword

Following the connection and convergence of information technology with human production and lives, global data have gained the characteristics of explosive growth and massive collection, the big data industry is in a period of brisk development, technological progress and application innovation have accelerated their advance in lockstep, and data resources have become national fundamental strategic resources and innovation factors for social production. At present, our country’s telecommunications and Internet sectors are developing rapidly and collecting large amounts of online data; at the same time as liberating the development potential of the data economy and stimulating its accelerated growth, we face severe security risks. This requires that we deeply understand the importance and urgency of online data security, persist in equally stressing security and development, vigorously respond to complex and severe security risks and challenges, and accelerate the construction of a security protection system for online data.

“In safe development, standards go first”: standardization work is an important basis for guaranteeing online data security. In order to implement the requirements of laws and regulations such as the “Cybersecurity Law of the People’s Republic of China”, the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection”, the “Telecommunications and Internet User Personal Information Protection Regulations”, etc., and to guide online data security standardization work in the telecommunications and Internet sectors, the Ministry of Industry and Information Technology has organized the drafting of the “Guidelines for the Construction of the Online Data Security Standards System” (hereafter simply named “Construction Guidelines”). The “Construction Guidelines” give full rein to the top-level design and fundamental guidance roles of standards, provide powerful support for guaranteeing online data security in the telecommunications and Internet sectors, stimulate the rational and orderly flow of online data, and assist the high-quality development of the digital economy.

I, Train of thought and objectives of construction

(1) General train of thought

With Xi Jinping Thought on Socialism with Chinese Characteristics in a New Era as guidance, comprehensively implement the spirit of the 19th Party Congress and its 2nd, 3rd and 4th Plenums, implement the requirements of laws and regulations such as the “Cybersecurity Law of the People’s Republic of China”, the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection”, the “Telecommunications and Internet User Personal Information Protection Regulations”, etc., give full rein to the supporting and guiding role of standards in guaranteeing online data security, promoting the healthy and orderly development of the sector, effectively construct an online data security standards system for the telecommunications and Internet sectors. Accelerate the comprehensive planning of standards, ensure linkage with national standards and sectoral standards in corresponding areas, encourage innovative technological results to transform into standards, strengthen the implementation and application of standards, strengthen the international exchange and cooperation of standards, enhance the overall supporting roles of standards in online data security protection, and provide escorts for the high-quality growth of the digital economy.

(2) Basic principles

Comprehensive planning, overall deployment. Integrate the technology and development status quo and characteristics of the telecommunications and Internet sectors, give rein to the important role of government controlling departments in top-level design, organizational coordination and policy formulation, formulate combined government-guided and market-driven standards system construction plans, establish online data security standard systems suited to the overall situation of the telecommunications and Internet sectors.

First establish a basis, urgent needs have priority. Start from the key points and difficult points in online data security management work, determine focus areas for the construction of an online data security standards system, accelerate research and formulation of basic and general, critical technology, security and management standards. On this basis, comprehensively consider the current situation of, and the risks and challenges faced by, online data security in related and important areas, and accelerate the promotion of research and formulation of urgently needed standards projects.

Multi-party participation, coordination and cooperation. In the process of standards formulation, assemble the strengths of multiple sides from industry circles and academic circles such as telecommunications operations enterprises, Internet enterprises, equipment providers, security enterprises, scientific research institutions, higher education institutions, etc., fully concentrate consensus, research and formulate online data security-related standards, perfect whole-life cycle management for standards research, formulation and application. Comprehensively use sectoral resources, fully give rein to the dominant role of enterprises in technological innovation, product research and development, demonstration and guidance and other such aspects of standards research and application, organize and coordinate relevant work units to vigorously participate in drafting, exchange and cooperation on international standards.

(3) Construction objectives

By 2021, establish a preliminary online security standards system, effectively implement online data security management requirements, basically satisfy the sector’s online data security protection requirements, advance the application of standards in focus enterprises and focus areas, and research and formulate over 20 online data security sector standards.

By 2023, complete and perfect the online data security standards system, clearly raise the technology levels, application levels and internationalization levels of standards, forcefully stimulate the upgrade of online data security protection capabilities, and research and formulate over 50 online data security sector standards.

II, Construction content

(1) The framework for the online data security standards system

The online data security standards system includes four major categories of standards: basic and general, critical technology, security management, and focus areas. Basic and general standards include terminology definitions, data security frameworks, and data categorization and hierarchy, and related standards provide basic support for all categories of standards. Critical technology standards standardize critical data technology across the dimensions of the whole data lifecycle, including data collection, transmission, storage, processing, exchange, deletion, etc. Security management standards start from the management angle of online data security protection, and guide the sector to effectively implement the requirements of laws and regulations concerning online data security management, including data security norms, data security assessment, monitoring, early warning and handling, emergency response and disaster back-ups, security capacity certification, etc. Focus area standards integrate the actual situation and concrete requirements of corresponding areas, and guide the sector to effectively conduct online data protection work in focus areas. The online data security standards system framework is displayed in image 1.

[Image 1 absent]

(2) Focus standardization areas and their trends

  1. Basic and general standards

Basic and general standards are fundamental, common and guiding standards for online data security protection, and include terminology definitions, data security frameworks, data categorization, hierarchy and other such standards. Basic and general standard sub-systems are as indicated in image 2.

[Image 2 absent]

1.1 Terminology definitions

Terminology definitions are used to standardize online data security-related concepts, they provide support for the drafting of parts of other standards, including terminology, concepts and definitions, relationships between similar concepts concerning technology, norms, areas of application, etc.

1.2 Data security frameworks

Data security framework standards include online data security system frameworks as well as all partial reference frameworks, in order to determine and delineate online data security angles, duties and responsibilities, boundaries, the relationship and internal links between all partial levels.

1.3 Data categorization and hierarchy

Data categorization and hierarchy standards are used to guide online data categorization and hierarchy, and provide the basic principles, dimensions, methods, examples, etc. of data categorization and hierarchy, they provide a basis for categorized and tiered protection of data security, and provide support for standards drafting for data security norms, data security assessment and other such areas.

  2. Critical technology standards

Critical technology standards start from links across the whole life cycle such as collection, transmission, storage, processing, exchange, deletion, etc., and standardize the critical technology of online data security. The sub-systems of critical technology standards are as indicated in image 3.

[Image 3 absent]

2.1 Data collection

Data collection standards are used to standardize related technological requirements in areas such as data collection forms, data labelling, data investigation and verification, etc., effectively increase data quality, and mainly include standards for data cleansing and comparative verification, data quality supervision and control, etc.

2.2 Data transmission

Data transmission standards are used to standardize the functions and structures, security coordination and other security-related technological requirements that may be standardized for the process of data transmission, and mainly include standards for data integrity protection, encrypted data transmission, etc.

2.3 Data storage

Data storage standards are used to standardize technological requirements related to storage platform security mechanisms, secure data storage methods, security audits, security protection technology, etc., and mainly include standards for database security, cloud storage security, data security audits, data leak prevention, etc.

2.4 Data processing

Data processing standards are used to standardize requirements concerning sensitive data, personal information protection, and clarify sensitive data protection settings, norms and technological methods, and mainly include standards on anonymization and de-characterization, data desensitization etc.

2.5 Data exchange

Data exchange standards are used to standardize secure data exchange models, define the powers and responsibilities of roles, data management and control technology frameworks, and clarify data tracing models, processes and methods, support secure data sharing, auditing, supervision and management, and mainly include standards on multi-party secure computing, transparent encryption, data tracing etc.

2.6 Data deletion

Data deletion standards are used to standardize data deletion and medium deletion security mechanisms and technological requirements, and clarify permanent deletion beyond recovery of stored data, and mainly include standards on data deletion, medium deletion, etc.

  3. Security management standards

Security management standards start from the angle of online data security framework management, guide sectors in implementing the management requirements of laws, regulations as well as governmental controlling departments, and include data security norms, data security assessment, supervision, early warning and processing, emergency response and disaster back-ups, security capability certification, etc. Security management standards sub-systems are as indicated in image 4.

[Image 4 absent]

3.1 Data security norms

Data security norm standards are used to implement and detail the requirements of laws and regulations, provide guidance and norms for sectors to conduct data security management, and mainly include standards on common data security requirements, personal information protection requirements, important data protection requirements, etc.

3.2 Data security assessment

Data security assessment standards are used to guide sectors to implement online data security assessment requirements; they clarify the basic concepts, factor relationships, analysis principles, assessment methods, implementation workflows, implementation focus points, work methods and other such factors in assessment, guide the sector to standardize the conduct of online data security assessment work, and mainly include standards on data security compliance assessment, data security risk assessment, personal information security impact assessment, data export security assessment, etc.

3.3 Monitoring, early warning and processing

Monitoring, early warning and processing standards start from the angle of supervision and management requirements from governmental controlling departments, clarify data security monitoring, early warning and processing systems and their technology requirements, conduct comprehensive analysis by combining data sensitivity, quantity and level, direction as well as account limitations, trace data security risks in a real-time and dynamic manner, and mainly include standards on technological requirements, interface norms, monitoring norms etc. for monitoring, early warning and processing.

3.4 Emergency response and disaster backups

Emergency response and disaster back-up standards are used to standardize data security incident emergency response management and processing measures, and standardize disaster back-up and recovery work objectives and principles, technological requirements as well as implementation methods, and mainly include standards on data security emergency response guidelines, disaster back-up technology requirements, recovery capability evaluation, etc.

3.5 Security capacity certification

Security capacity certification standards are used to standardize the data security protection capacity of organizations and personnel, product and service data security protection levels, data security service capacity and other such related certification requirements, and are used to guide online operators and security service bodies to enhance their own security capacity and service capacity, and mainly include standards on managing security certification, product security certification, secure service certification, personnel capacity certification, etc.

  4. Focus area standards

On the basis of basic and general standards, critical technology standards and security management standards, and integrating the development situation of next-generation information and telecommunications technologies, focus on advancing arrangements in focus areas such as 5G, mobile Internet, the Internet of Cars, the Internet of Things, the industrial Internet, cloud computing, big data, artificial intelligence, blockchain, etc., and in integration with the development situation of sectors, progressively cover other important areas. In integration with the development situation of focus areas themselves and the requirements for online data security protection, formulate corresponding online data security standards. The sub-systems for security standards in focus area are as indicated in image 5.

[Image 5 absent]

4.1 5G

5G security mechanisms provide differentialized security services for different business settings, on the basis of satisfying common security requirements, they adapt to multiple kinds of online access methods and novel network structures, protect users’ personal privacy, and support the provision of open security capacities. Online data security standards in the area of 5G mainly include general 5G data security requirements, 5G terminal data security, 5G network-side data security, 5G network capacity open data security, etc.


4.2 Mobile Internet

Traditional mobile Internet security mainly includes areas such as terminal security, network security and application security. Following the widespread application of mobile operating systems in open ecology systems, and the large-scale circulation of data, mobile Internet data security risks have become more prominent. Online data security standards in the area of the mobile Internet mainly include mobile applications’ personal information protection, mobile application software SDK security, etc.

4.3 Internet of cars

Security in the Internet of cars covers an all-inclusive chain and data exchange processes within cars, between cars, between cars and roads, between cars and people, and between cars and service platforms; data security and privacy protection pervade every segment of the Internet of cars. Online data security standards for the Internet of cars mainly include Internet of cars cloud platform data security, V2X telecommunications data security, smart connected car data security, Internet of cars mobile app data security, etc.

4.4 Internet of things

Internet of things security contains the sensing level, transmission and application level of the Internet of things, it involves service-end security, terminal security, telecommunications network security and other such areas, and data security pervades every segment of these. Online data security standards in the area of the Internet of things mainly include Internet of things cloud-end data security protection, Internet of things management system data security protection, Internet of things terminal data security protection, etc.

4.5 Industrial Internet

The focus of industrial Internet security consists of control systems, equipment, networks, data, platforms, application software security and security management. Online data security standards in the area of the industrial Internet mainly include industrial Internet data security protection, tiered industrial Internet data technologies, etc.

4.6 Cloud computing

Cloud computing security has cloud host security at the core, and covers network security, data security, application security, security management, business security and other such areas. Online data standards in the area of cloud computing include client data protection, cloud service business data protection, on-cloud asset management etc.

4.7 Big data

Big data security covers every segment and the whole lifecycle of management, and covers conducting security function guarantees for big data platform operations as well as conducting asset management to data counterparts, etc. Online data security standards in the area of big data mainly include big data platform security, big data asset management, etc.

4.8 Artificial intelligence

Artificial intelligence security covers personal information security, algorithm security, data security, network security, etc. Online data security standards in the area of artificial intelligence mainly include artificial intelligence platform data security, artificial intelligence terminal personal information protection, etc.

4.9 Blockchain

Blockchain security includes the three dimensions of the security of application services, the security of system design (including smart contracting and consensus mechanisms), the security of basic elements (including network telecommunications, data security and encryption technology). Online data security standards in the area of blockchain mainly include blockchain privacy data protection, blockchain digital asset storage and exchange protection, etc.

III, Organizing implementation

First, implement dynamic renewal. Implement perfect mechanisms for dynamic renewal, following the continued advance of the economic and social digital transformation, and the rise in data security consciousness and practical proficiency levels, and in integration with the newest requirements of data security-related laws and regulations, timely revise the “Construction Guidelines” on a rolling basis.

Second, advance research and formulation of standards. Organize the China Telecommunications Standardization Association and corresponding telecommunications operating enterprises, Internet enterprises, equipment providers, security enterprises, scientific research institutions, higher education and other such work units to, according to the standard research and formulation paths clarified in the “Standards Guidelines”, advance sectoral standard research and formulation work in an orderly manner, stress the organic integration of online data security standardization work and the newest research achievement in online data protection and best industry practices.

Third, strengthen propaganda and implementation. Give full rein to the roles of standardization organizations and sectoral associations to organize relevant experts to conduct standards research activities, and advance standards propaganda through training, consulting, forums, etc. Vigorously organize the launch of standard-type trials and demonstrations, create best practices, and stimulate the application and popularization of standards in industry circles.

Fourth, strengthen international exchange and cooperation. Strengthen cooperation and exchange with international standardization organizations, vigorously participate in international standardization organizations such as the International Telecommunication Union, the International Organization for Standardization, the International Electrotechnical Commission, etc., and in international standards research and formulation. Vigorously stimulate linkages between domestic and international standards, and promote advanced domestic standards to be transformed into international standards.

Appendix 1: Terminology definitions

1, Online data

All kinds of digital data collected, stored, transmitted, processed and engendered through networks.

2, Important data

Data from our country’s bodies and individuals collected and engendered within the borders, that does not involve State secrets, but is closely connected to national security, economic development as well as the public interest.

3, Personal information

All kinds of information recorded electronically or through other means, that enables by itself or in combination with other information, to distinguish the identity of a specific natural person or reflects the activities of a specific natural person, including but not limited to a natural person’s name and surname, date of birth, identity card number, distinctive personal biological information, address, telephone number etc.

4, Data export

One-time or continuous activities where network operators, through networks and other such measures, provide foreign bodies, organizations or individuals with personal data and important data collected or engendered through operations within the borders of the People’s Republic of China, through direct provision or conducting business activities, providing products or services, etc.

5, Whole data lifecycle

The evolutionary process of data from its engendering, including all kinds of forms of existence such as data collection, data transmission, data storage, data processing (including computing, analysis, visualization etc.), data exchange, up to data deletion.

6, Data exchange

The process where, in order to satisfy the data resource transmission and processing needs between different platforms or applications, on the basis of certain principles, and adopting corresponding technologies, flows or data resources between different platforms and applications are realized.

7, Data cleaning

The process of conducting re-examination and inspection of data, with the aim to delete duplicate information, rectify existing errors, deal with null values and deficient values, and providing data uniformity.

8, Data quality supervision and control

The process of conducting identification, measuring, supervision, control and early warning in areas such as data integrity, accuracy, uniformity, timeliness etc.

9, Data integrity

The characteristic that data does not suffer change or deletion through unauthorized methods.

10, Big data platforms

Software and hardware assemblies using distributed storage and computing technologies, providing big data inquiry and processing, supporting the secure and efficient operation of big data applications, including big data service software and hardware infrastructure monitoring the storage, transmission or export, operational control, etc. of big data.

11, Security auditing

The action of recording and analysing events, and making corresponding comparisons with particular events.

12, Data leak prevention

A kind of strategy that, through certain technological means, prevents the data assigned to bodies or their information assets from flowing in a manner that violates security policies and regulations.

13, Anonymization

The process of ensuring, through technological processing of personal information, that personal information subjects cannot be identified and that the information cannot be restored after processing.

14, De-identification

The process of ensuring that, under circumstances where there is no assistance of extra information, it is impossible to identify the subject of personal information, through technological processing of personal information.

15, Data desensitization

Changing particular sensitive data through desensitization rules, realizing reliable protection of sensitive and privacy-related data.
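The three definitions above (anonymization, de-identification, data desensitization) are easy to conflate, and the difference is what an assessor under 3.2 would check. The following Python example is added here and is not part of the Guidelines or of any of the listed standards; the record, the masking rules and the field names are constructed for illustration and are not rules the Guidelines prescribe. It applies desensitization rules that keep only the part of a value a downstream use needs, de-identifies by replacing direct identifiers with keyed pseudonyms (the key is the "extra information" of definition 14), and anonymizes by dropping direct identifiers and generalizing the date of birth so that the result cannot be restored (definition 13).

```python
import hashlib
import hmac
import re
from typing import Callable, Dict

# Constructed sample record shaped after the personal-information fields listed
# in Appendix 1 (name, date of birth, ID card number, telephone number).
# Every value here is made up for this example.
SAMPLE_RECORD = {
    "name": "Zhang San",
    "date_of_birth": "1990-05-17",
    "id_card": "110101199005171234",
    "phone": "13812345678",
    "city": "Beijing",
}

# Fields that on their own identify a natural person (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "id_card", "phone")


def mask_phone(phone: str) -> str:
    """Keep the first 3 and last 4 digits of an 11-digit mobile number."""
    if not re.fullmatch(r"\d{11}", phone):
        raise ValueError("expected an 11-digit phone number")
    return phone[:3] + "****" + phone[-4:]


def mask_id_card(id_card: str) -> str:
    """Keep the 6-digit region prefix and the last 4 characters of an 18-character ID number."""
    if not re.fullmatch(r"\d{17}[0-9X]", id_card):
        raise ValueError("expected an 18-character ID card number")
    return id_card[:6] + "********" + id_card[-4:]


def mask_name(name: str) -> str:
    """Keep only the first character of a name."""
    return name[0] + "*" * (len(name) - 1) if name else name


# Desensitization rules (definition 15): field -> masking function. Constructed
# for this example; a real deployment would derive them from its data hierarchy.
DESENSITIZATION_RULES: Dict[str, Callable[[str], str]] = {
    "phone": mask_phone,
    "id_card": mask_id_card,
    "name": mask_name,
}


def desensitize(record: dict, rules: Dict[str, Callable[[str], str]] = DESENSITIZATION_RULES) -> dict:
    """Apply each masking rule to its field; untouched fields pass through."""
    out = dict(record)
    for field, rule in rules.items():
        if field in out:
            out[field] = rule(out[field])
    return out


def deidentify(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed pseudonyms (HMAC-SHA256, definition 14).

    The key holder can re-link records across data sets; without the key the
    pseudonym reveals nothing about the subject. The pseudonym is truncated to
    16 hex characters purely for readability in this example.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            digest = hmac.new(key, out[field].encode("utf-8"), hashlib.sha256).hexdigest()
            out[field] = digest[:16]
    return out


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalize the date of birth to a decade (definition 13).

    No key or lookup table is kept, so the subject cannot be restored from the output.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "date_of_birth" in out:
        year = int(out.pop("date_of_birth")[:4])
        out["birth_decade"] = f"{year // 10 * 10}s"
    return out


if __name__ == "__main__":
    print("desensitized:", desensitize(SAMPLE_RECORD))
    print("de-identified:", deidentify(SAMPLE_RECORD, key=b"example-key-not-for-production"))
    print("anonymized:", anonymize(SAMPLE_RECORD))
```

The practical distinction: a desensitized record still contains partial identifiers and may remain personal information under definition 3; a de-identified record is personal information for whoever holds the key and should be assessed as such; only the anonymized record leaves the scope of personal-information protection, and even then a reviewer should check whether the remaining fields (city plus birth decade here) are coarse enough for the data set's size.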

16, Multi-party secure computing

Multiple data holders conducting coordinated computing in mutually untrusted circumstances, exporting computing results, and guaranteeing that any party is unable to obtain any other information than the due computing results.
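The definition above is abstract; the simplest protocol that satisfies it is an additive secret-sharing sum, shown below as an added Python example that is not part of the Guidelines. Three constructed data holders (say, three operators each holding a count) want the total without any of them learning another's count. Each party splits its input into random shares that add up to the input modulo a prime, sends one share to each other party, adds the shares it receives, and publishes only that partial sum. The published partial sums add up to the total, while every share a party sees is a uniformly random field element that carries no information about the sender's input. The party count, the prime and the input values are this example's assumptions.

```python
import secrets
from typing import List, Tuple

# Field modulus: arithmetic is done mod this prime so that shares are uniform
# and wrap-around does not leak the magnitude of an input. Chosen for this example.
PRIME = 2 ** 61 - 1

# Constructed inputs: one private count per data holder (three parties).
SAMPLE_INPUTS = [12, 30, 58]


def split_into_shares(value: int, n_parties: int) -> List[int]:
    """Split `value` into n random shares whose sum is `value` mod PRIME.

    All but the last share are drawn uniformly at random; the last one is
    whatever makes the sum correct. Any n-1 shares together are still uniform,
    so fewer than all n shares reveal nothing about `value`.
    """
    if not 0 <= value < PRIME:
        raise ValueError("input must be a non-negative integer below PRIME")
    if n_parties < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def local_partial_sum(received: List[int]) -> int:
    """What one party computes on the shares it holds: a plain modular sum."""
    return sum(received) % PRIME


def reconstruct(partials: List[int]) -> int:
    """Combine the published partial sums into the total."""
    return sum(partials) % PRIME


def secure_sum(inputs: List[int]) -> Tuple[int, List[List[int]]]:
    """Run the protocol end to end and return (total, transcript).

    transcript[i][j] is the share party i sent to party j, i.e. the messages
    an eavesdropper on the i->j link would see. Party j's full view is the
    column transcript[*][j] plus the published partial sums.
    """
    n = len(inputs)
    # Round 1: every party splits its own input and distributes the shares.
    transcript = [split_into_shares(v, n) for v in inputs]
    # Each party j adds up the shares it received (one from each party, including itself).
    partials = [local_partial_sum([transcript[i][j] for i in range(n)]) for j in range(n)]
    # Round 2: partial sums are published; anyone can recombine them.
    return reconstruct(partials), transcript


def party_view(transcript: List[List[int]], j: int) -> List[int]:
    """The shares party j received from the other parties (excluding its own)."""
    return [transcript[i][j] for i in range(len(transcript)) if i != j]


if __name__ == "__main__":
    total, transcript = secure_sum(SAMPLE_INPUTS)
    print("total:", total)
    for j in range(len(SAMPLE_INPUTS)):
        print(f"party {j} sees only random-looking shares:", party_view(transcript, j))
```

This protocol is secure against honest-but-curious parties who follow the rules but inspect what they receive; it does not by itself detect a party that submits a wrong input or a wrong partial sum, which is why production multi-party computation frameworks add verification on top. It also assumes the pairwise links are encrypted, since a single observer who sees every share of one party learns that party's input.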

17, Transparent encryption

Through supervising and controlling the manipulations by application software of files, decrypting ciphertext automatically when opening files, automatically encrypting the cleartext into storage media when writing files, and thereby guaranteeing that the file on a storage medium retains its encrypted state throughout.

18, Data falsification

Falsification, addition to or deletion of data, resulting in data destruction.

19, Data tracing

Recording the evolution information and evolution processing content of original data throughout the entire lifecycle (from creation and transmission to extinction).

Appendix 2: Online data security-related standard projects list


No. Standard title Standard no./project no. Organization in charge State
Basic and general
Terminology definitions
1. Information security technology – Definitions   SAC/TC260 Opinion-seeking draft
2. Telecommunications data service platforms – Part 2: definitions and reference models 2018-2321T-YD CCSA Opinion-seeking draft
Data security frameworks
3. Information security technology – Big data security reference frameworks   SAC/TC260 Research project
4. Information technology – Security technology – Privacy protection frameworks   SAC/TC260 Research project
Data categorization and hierarchy
5. Information security technology – Data security categorization and hierarchy implementation guidelines   SAC/TC260 Research project
6. Telecommunications and Internet services – User personal information protection – Definitions and categories YD/T 2781-2014 CCSA Promulgated
7. Telecommunications and Internet services – User personal information protection – Hierarchy guidelines YD/T 2782-2014 CCSA Promulgated
8. Telecommunications Operators – Big data security management and control categorization and hierarchy technology requirements 2018-0162T-YD CCSA Opinion-seeking draft
9. Basic telecommunications enterprises data categorization and hierarchy methods 2019-0216T-YD CCSA Opinion-seeking draft
10. Telecommunications and Internet/Internet of things business data categorization and hierarchy methods   CCSA Formulation planned
Critical technology
Data collection
11. Security requirements for using cookies to conduct Internet data collection 2013-2498T-YD CCSA Approval draft
12. Public security big data – Data collection and pre-processing 2019-CCSA-08 CCSA Draft
Data transmission
13. Information security technology – electronic file encryption and signature information syntaxes GB/T 31503-2015 SAC/TC260 Promulgated
14. Information security technology – XML digital signature syntaxes and processing norms   SAC/TC260 Opinion-seeking draft
Data storage
15. Information security technology – Information system security audit product technology requirements and monitoring and evaluation methods GB/T 20945-2013 SAC/TC260 Promulgated
16. Information security technology – Online storage security technology requirements   SAC/TC260 Approval draft
17. Information security technology – Database management system security technology requirements   SAC/TC260 Approval draft
18. Communication storage media (SSD) encryption security technology requirements YD/T 2390-2011 CCSA Promulgated
19. Telecommunications network data leak prevention systems (DLP) technology requirements 2018-1785T-YD CCSA Approval draft
20. Database auditing systems technology requirements in the big data environment 2019-0743T-YD CCSA Draft
21. Telecommunications networks and Internet data security record auditing norms   CCSA Formulation planned
22. General telecommunications and Internet data lifecycle record requirements   CCSA Formulation planned
Data processing
23. Information security technology – Personal information de-identification guidelines GB/T 37964-2019 SAC/TC260 Approval draft
24. Telecommunications and big data platform data desensitization implementation methods 2019-0215T-YD CCSA Approval draft
25. Internet-facing applications’ healthcare data application desensitization technology requirements 2019-0302T-YD CCSA Approval draft
Data exchange
26. Information security technology – data exchange service security requirements GB/T 37932-2019 SAC/TC260 Approval draft
27. Information security technology – government affairs information sharing data security technology requirements   SAC/TC260 Opinion-seeking draft
28. Basic Internet infrastructure resource support system information and data sharing interface technology requirements 2018-0180T-YD CCSA Approval draft
29. Telecommunications sector data openness and sharing security management requirements 2017-0302T-YD CCSA Draft
30. Application data flow security requirements in the online environment 2019-0742T-YD CCSA Draft
31. Data security flow platform technology requirements   CCSA Formulation planned
Data deletion
Security management
Data security norms
32. Information security technology – public and commercial service information systems’ personal information protection guidelines GB/Z 28828-2012 SAC/TC260 Promulgated
33. Information security technology – personal information security standard GB/T 35273-2017 SAC/TC260 Approval draft
34. Information security technology – personal information project guidelines   SAC/TC260 Opinion-seeking draft
35. Information security technology – personal information notification and agreement guidelines   SAC/TC260 Opinion-seeking draft
36. Information security technology – basic data security requirements   SAC/TC260 Opinion-seeking draft
37. Information security technology – basic standards for personal information collection in mobile Internet applications (Apps)   SAC/TC260 Draft
38. Information security technology – implementation guidelines for personal identifiable information (PII) processors for PII protection in the public cloud   SAC/TC260 Draft
39. Telecommunications networks and Internet user personal electronic information protection general technology requirements and management requirements 2018-1784T-YD CCSA Submission draft
40. Basic telecommunications enterprises’ important data identification guidelines 2019-0217T-YD CCSA Draft
41. Telecommunications and Internet services – User personal information protection technology requirements 20173806-T-339 CCSA Draft
42. Telecommunications and Internet services – User personal information protection technology requirements – E-commerce services YD/T 3105-2016 CCSA Promulgated
43. Telecommunications and Internet services – User personal information protection technology requirements – mobile application stores YD/T 3106-2016 CCSA Promulgated
44. Telecommunications and Internet services – User personal information protection technology requirements – instant communication services YD/T 3327-2018 CCSA Promulgated
45. Telecommunications and Internet services – User personal information protection technology requirements – basic telecommunications services 2018-1688T-YD CCSA Draft
46. Telecommunications and Internet services – User personal information protection technology requirements – Mobility services 2018-1687T-YD CCSA Draft
Data security assessment
47. Information security technology – database management system security assessment norms   SAC/TC260 Approval draft
48. Information security technology – data export security assessment guidelines   SAC/TC260 Submission draft
49. Information security technology – personal information security impact assessment guidelines   SAC/TC260 Approval draft
50. Information security technology – big data business security risk control implementation guidelines   SAC/TC260 Research project
51. Internet new technology and new business model security evaluation requirements – Big data technology applications and services 2017-0298T-YD CCSA Approval draft
52. Telecommunications and Internet data security risk assessment implementation methods 2018-1669T-YD CCSA Approval draft
53. Telecommunications networks and Internet data security requirements 2019-0218T-YD CCSA Submission draft
54. Telecommunications networks and internet data security assessment norms 2019-0219T-YD CCSA Opinion-seeking draft
55. Telecommunications networks and Internet data security assessment implementation technology requirements 2019-0220T-YD CCSA Opinion-seeking draft
56. Telecommunications networks and Internet data security assessment service bodies capacity certification norms   CCSA Formulation planned
Monitoring, early warning and processing
57. Cybersecurity threat data reporting interface requirements 2016-1069T-YD CCSA Approval draft
Emergency response and disaster back-ups
58. Information security technology – disaster recovery service requirements GB/T 36957-2018 SAC/TC260 Promulgated
59. Information security technology – storage medium data recovery service requirements GB/T 31500-2015 SAC/TC260 Promulgated
60. Third-party disaster data exchange technology requirements YD/T 2393-2011 CCSA Promulgated
61. Telecommunications networks and Internet disaster back-ups and recovery implementation guidelines 2017-1024T-YD CCSA Draft
62. Telecommunications and Internet data security incident emergency response implementation guidelines   CCSA Formulation planned
Security capacity certification
63. Information security technology – big data service security capacity requirements GB/T 35274-2017 SAC/TC260 Promulgated
64. Information security technology – disaster recovery service capacity assessment norms GB/T 37046-2018 SAC/TC260 Promulgated
65. Information security technology – data back-up and disaster recovery product and technology requirements, and monitoring and evaluation methods GB/T 29765-2013 SAC/TC260 Promulgated
66. Information security technology – data security capacity maturity models GB/T 37988-2019 SAC/TC260 Approval draft
67. Information security technology – data security management certification norms   SAC/TC260 Draft
68. Internet-facing data security capacity technology frameworks YD/T 3644-2020 CCSA Promulgated
69. Telecommunications networks and Internet third-party security service capacity assessment norms 2018-1783T-YD CCSA Draft
Focus areas
5G
70. 5G mobile telecommunications – security technology requirements 2018-2367T-YD CCSA Approval draft
71. 5G data security – general technology requirements   CCSA Formulation planned
Mobile Internet
72. Information security technology – mobile smart terminal data storage security technology requirements and monitoring and evaluation methods GB/T 34977-2017 SAC/TC260 Promulgated
73. Information security technology – mobile smart terminal personal information protection technology requirements GB/T 34978-2017 SAC/TC260 Promulgated
74. Information security technology – mobile Internet security audit product technology requirements   SAC/TC260 Opinion-seeking draft
75. Personal information sharing technology guidelines in the mobile Internet environment YD/T 3411-2018 CCSA Promulgated
76. Mobile browser personal information protection technology requirements YD/T 3367-2018 CCSA Promulgated
77. Mobile smart terminal personal information protection technology requirements YD/T 3082-2016 CCSA Promulgated
78. Personal data sharing evaluation and monitoring methods in the mobile Internet environment 2016-1933T-YD CCSA Approval draft
79. Personal information protection requirements and assessment methods for mobile application software 2019-1132T-YD CCSA Opinion-seeking draft
80. Mobile application software SDK security technology requirements and monitoring methods   CCSA Formulation planned
81. Mobile application software SDK security guidelines   CCSA Formulation planned
82. Mobile application store data security requirements   CCSA Formulation planned
Internet of cars
83. Internet of cars information services – data security technology requirements 2017-0926T-YD CCSA Approval draft
84. Internet of cars information services – user personal information protection requirements 2017-0959T-YD CCSA Submission draft
85. Mobile Internet-based car user data application and protection technology requirements 2018-0182T-YD CCSA Opinion-seeking draft
86. Mobile Internet-based car user data application and protection assessment methods 2018-0183T-YD CCSA Draft
87. Online taxi booking service platform data security protection requirements 2017-0938T-YD CCSA Draft
Internet of things
88. Information security technology – Internet of Things data transmission security technology requirements GB/T 37025-2018 SAC/TC260 Promulgated
89. Blockchain-based Internet of things online data exchange and sharing technology analysis 2017B73 CCSA Approval draft
90. Blockchain-based secure and trusted Internet of things data communication frameworks 2018-2359T-YD CCSA Draft
Industrial Internet
91. Information security technology – Industrial control system information security hierarchy norms GB/T 36324-2018 SAC/TC260 Promulgated
92. Information security technology – Industrial control system online audit product security technology standards   SAC/TC260 Approval draft
93. Industrial Internet online data security protection requirements 2018-1369T-YD CCSA Opinion-seeking draft
94. Industrial Internet security capacity maturity assessment norms 2018-1395T-YD CCSA Opinion-seeking draft
Cloud computing
95. Information security technology – Government website cloud computing service guidelines GB/T 38249-2019 SAC/TC260 Promulgated
96. Information security technology – Cloud computing security reference frameworks GB/T 35279-2017 SAC/TC260 Promulgated
97. Information security technology – Cloud computing service security capacity assessment methods GB/T 34942-2017 SAC/TC260 Promulgated
98. Information security technology – Cloud computing service security guidelines GB/T 31167-2014 SAC/TC260 Promulgated
99. Information security technology – cloud computing service security capacity requirements GB/T 31168-2014 SAC/TC260 Promulgated
100. Cloud computing security frameworks YD/T 3148-2016 CCSA Promulgated
101. Public cloud service security protection requirements YD/T 3157-2016 CCSA Promulgated
102. Public cloud service security protection inspection requirements YD/T 3158-2016 CCSA Promulgated
103. Cloud-facing services data security labelling norms YD/T 3470-2019 CCSA Promulgated
104. Cloud service user data protection capacity reference frameworks 2018-1796T-YD CCSA Approval draft
105. Cloud service user data protection capacity assessment methods part 1: Public cloud 2018-1797T-YD CCSA Approval draft
106. Cloud service user data protection capacity assessment methods part 2: Private cloud 2019-0209T-YD CCSA Approval draft
107. Telecommunications and Internet service business data categorization and hierarchy methods   CCSA Formulation planned
Big data
108. Information security technology – big data security management guidelines GB/T 37973-2019 SAC/TC260 Approval draft
109. Information security technology – Telecommunications-related big data security protection implementation guidelines   SAC/TC260 Draft
110. Big data platform security management product security technology requirement research   SAC/TC260 Research project
111. Telecommunications operators’ big data application activity security technology requirements YD/T 3472-2019 CCSA Promulgated
112. Telecommunications and Internet big data platform security protection requirements 2017-0929T-YD CCSA Approval draft
113. Telecommunications and Internet big data platform security protection and monitoring requirements 2018-1782T-YD CCSA Approval draft
114. Big data processing platform security baseline requirement applications and basic equipment platforms 2017-0297T-YD CCSA Opinion-seeking draft
115. Telecommunications networks and Internet data asset combing norms   CCSA Formulation planned
Artificial intelligence
116. Mobile smart terminal artificial intelligence applications’ personal information protection technology requirements and assessment methods 2019-0745T-YD CCSA Draft
117. Artificial intelligence service platform data security requirements and assessment methods 2019-0031T-YD CCSA Draft
Blockchain
118. Blockchain exploitation platforms’ network and data security technology requirements 2017-1054T-YD CCSA Approval draft
119. Blockchain-based edge cloud network data sharing mechanism research 2019B62 CCSA Draft
120. Blockchain smart contracting and distributed ledger security in financial exchange technology research 2019B32 CCSA Draft
Guidelines for the Construction of the Online Data Security Standards System

(Opinion-seeking draft)

April 2020

Foreword

As information technology converges with human production and daily life, global data show the characteristics of explosive growth and massive aggregation; the big data industry is in a period of vigorous development, technological evolution and application innovation are accelerating in parallel, and data resources have become a fundamental strategic resource of the state and an innovation factor for social production. At present, our country's telecommunications and Internet sectors are developing at high speed and aggregate large volumes of online data; while this releases the development potential of the digital economy and promotes its accelerated growth, it also faces severe security risks. This requires us to deeply understand the importance and urgency of online data security, to persist in stressing security and development equally, to respond actively to complex and severe security risks and challenges, and to accelerate the construction of an online data security assurance system.

"In safe development, standards go first": standardization work is an important basis for guaranteeing online data security. In order to implement the requirements of laws and regulations such as the "Cybersecurity Law of the People's Republic of China", the "National People's Congress Standing Committee Decision concerning Strengthening Online Information Protection" and the "Telecommunications and Internet User Personal Information Protection Regulations", and to guide online data security standardization work in the telecommunications and Internet sectors, the Ministry of Industry and Information Technology has organized the formulation of the "Guidelines for the Construction of the Online Data Security Standards System" (hereafter "Construction Guidelines"). The "Construction Guidelines" give full rein to the top-level design and foundational guidance roles of standards, and provide powerful support for guaranteeing online data security in the telecommunications and Internet sectors, promoting the rational and orderly flow of online data, and assisting the high-quality development of the digital economy.

  • Construction approach and objectives
  • Overall approach

Taking Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era as guidance, comprehensively implement the spirit of the 19th Party Congress and the Second, Third and Fourth Plenums of the 19th Central Committee; implement the requirements of laws and regulations such as the "Cybersecurity Law of the People's Republic of China", the "National People's Congress Standing Committee Decision concerning Strengthening Online Information Protection" and the "Telecommunications and Internet User Personal Information Protection Regulations"; give full rein to the supporting and guiding role of standards in guaranteeing online data security and promoting the healthy and orderly development of the sector; and effectively establish an online data security standards system for the telecommunications and Internet sectors. Strengthen the overall planning of standards, ensure alignment with national standards and with the sectoral standards of related fields, encourage the conversion of innovative technological achievements into standards, strengthen the implementation and application of standards, strengthen international exchange and cooperation on standards, raise the overall supporting role of standards for online data security protection, and safeguard the high-quality development of the digital economy.

  • Basic principles

Overall planning, comprehensive layout. In light of the current state and characteristics of technology and industry development in the telecommunications and Internet sectors, give play to the important role of competent government departments in top-level design, organization and coordination, and policy formulation; formulate a standards system construction plan that combines government guidance with market drive; and establish an online data security standards system suited to the overall situation of the telecommunications and Internet sectors.

Foundations first, urgent needs first. Starting from the key points and difficulties of online data security management work, determine the key areas for the construction of the online data security standards system, and accelerate the research and formulation of basic common, key technology and security management standards. On this basis, comprehensively considering the online data security situation in relevant important fields and the risks and challenges they face, accelerate the research and formulation of urgently needed standards projects.

Multi-party participation, coordination and cooperation. In the standards formulation process, gather the forces of industry and academia, including telecommunications operators, Internet enterprises, equipment providers, security enterprises, research institutes and universities; fully build consensus; research and formulate standards related to online data security; and improve whole-lifecycle management of standards development and application. Make coordinated use of sectoral resources, give full play to the principal role of enterprises in standards research and application, such as technological innovation, product development, and demonstration and guidance, and organize and coordinate relevant units to participate actively in the formulation of, and exchange and cooperation on, international standards.

  • Construction objectives

By 2021, initially establish the online data security standards system, effectively implement online data security management requirements, basically meet the sector's online data security protection needs, promote the application of standards in key enterprises and key areas, and develop more than 20 online data security sectoral standards.

By 2023, improve and perfect the online data security standards system, markedly raise the technical level, application level and internationalization level of standards, forcefully promote the improvement of the sector's online data security protection capabilities, and develop more than 50 online data security sectoral standards.

  • Construction content
  • Online data security standards system framework

The online data security standards system comprises four major categories of standards: basic common, key technology, security management, and focus areas. Basic common standards cover terminology and definitions, data security frameworks, and data categorization and grading; these standards provide foundational support for all other categories. Key technology standards regulate the key technologies of data security across the full data lifecycle: collection, transmission, storage, processing, exchange and destruction. Security management standards, from the management perspective of online data security protection, guide the sector in effectively implementing the requirements of laws and regulations on online data security management, and cover data security norms, data security assessment, monitoring, early warning and handling, emergency response and disaster backup, and security capability certification. Focus area standards, in light of the actual situation and specific requirements of the relevant fields, guide the sector in effectively carrying out online data security protection work in key areas. The framework of the online data security standards system is shown in Figure 1.

Figure 1 Online data security standards system framework

  • Key standardization areas and directions

1. Basic common standards

Basic common standards are the foundational, general and guiding standards for online data security protection, and include standards on terminology and definitions, data security frameworks, and data categorization and grading. The sub-system of basic common standards is shown in Figure 2.

Figure 2 Basic common standards sub-system

1.1 Terminology and definitions

Terminology and definition standards standardize concepts related to online data security and support the formulation of the other parts of the standards system; they cover terms in the technical, normative and application domains, concept definitions, and the relationships between related concepts.

1.2 Data security frameworks

Data security framework standards include the overall online data security system framework and the reference frameworks of its parts, in order to clarify and delimit the roles, responsibilities and boundaries of online data security, and the hierarchical relationships and internal connections between the parts.

1.3 Data categorization and grading

Data categorization and grading standards guide the categorization and grading of online data, setting out the basic principles, dimensions, methods and examples; they provide the basis for categorized and graded protection of data security and support the formulation of standards in areas such as data security norms and data security assessment.

2. Key technology standards

Key technology standards regulate the key technologies of online data security across the lifecycle stages of collection, transmission, storage, processing, exchange and destruction. The sub-system of key technology standards is shown in Figure 3.

Figure 3 Key technology standards sub-system

2.1 Data collection

Data collection standards regulate technical requirements for data collection formats, data labels, and data review and verification, effectively raising data quality; they mainly include standards on data cleansing and comparison and on data quality monitoring.

2.2 Data transmission

Data transmission standards regulate the functional architectures, security protocols and other security-related technical requirements that can be standardized in the data transmission process; they mainly include standards on data integrity protection and encrypted data transmission.

2.3 Data storage

Data storage standards regulate technical requirements for storage platform security mechanisms, secure data storage methods, security audit, and security protection technologies; they mainly include standards on database security, cloud storage security, data security audit, and data leakage prevention.

2.4 Data processing

Data processing standards regulate protection mechanisms and related technical requirements for sensitive data and personal information, and clarify the scenarios, rules and technical methods for sensitive data protection; they mainly include standards on anonymization/de-identification and data desensitization.

2.5 Data exchange

Data exchange standards regulate secure data exchange models, definitions of roles and responsibilities, and security control technology frameworks, and clarify data provenance models, processes and methods, supporting secure data sharing, audit and supervision; they mainly include standards on secure multi-party computation, transparent encryption, and data provenance.

2.6 Data destruction

Data destruction standards regulate the security mechanisms and technical requirements for data destruction and media destruction, ensuring that stored data is permanently deleted and unrecoverable; they mainly include standards on data destruction and media destruction.

3. Security management standards

Security management standards, from the management perspective of the online data security framework, guide the sector in implementing laws and regulations and the management requirements of competent government departments; they cover data security norms, data security assessment, monitoring, early warning and handling, emergency response and disaster backup, and security capability certification. The sub-system of security management standards is shown in Figure 4.

Figure 4 Security management standards sub-system

3.1 Data security norms

Data security norm standards implement and refine the requirements of relevant laws and regulations on online data security protection, and provide guidance and norms for the sector's data security management; they mainly include standards on general data security requirements, personal information protection requirements, and important data protection requirements.

3.2 Data security assessment

Data security assessment standards guide the sector in implementing online data security assessment requirements, clarifying elements such as the basic concepts, element relationships, analytical principles, assessment methods, implementation procedures, implementation points and working forms of assessment, and guide the sector in carrying out online data security assessment in a standardized way; they mainly include standards on data security compliance assessment, data security risk assessment, personal information security impact assessment, and data export security assessment.

3.3 Monitoring, early warning and handling

Monitoring, early warning and handling standards, from the perspective of the supervisory needs of competent government departments, specify data security monitoring, early warning and handling systems and their technical requirements, performing comprehensive analysis that combines data sensitivity, volume, flow direction and account permissions in order to track data security risks dynamically and in real time; they mainly include standards on technical requirements, interface specifications and testing specifications for monitoring, early warning and handling.

3.4 Emergency response and disaster backup

Emergency response and disaster backup standards regulate emergency response management and handling measures for data security incidents, and regulate the objectives and principles, technical requirements and implementation methods of disaster backup and recovery work; they mainly include standards on data security emergency response guidelines, disaster backup technical requirements, and recovery capability evaluation.

3.5 Security capability certification

Security capability certification standards regulate certification requirements for the data security assurance capabilities of organizations and personnel, the data security protection level of products and services, and data security service capabilities; they guide network operators and security service bodies in raising their own security and service capabilities, and mainly include standards on management security certification, product security certification, security service certification, and personnel capability certification.

4. Focus area standards

On the basis of the basic common, key technology and security management standards, and in light of the development of next-generation information and communication technologies, the layout focuses on key areas such as 5G, mobile Internet, Internet of cars, Internet of Things, Industrial Internet, cloud computing, big data, artificial intelligence and blockchain, and will gradually extend to other important areas as the sector develops. Relevant online data security standards are formulated in light of the development situation and online data security protection needs of each focus area. The sub-system of focus area security standards is shown in Figure 5.

Figure 5 Focus area standards sub-system

4.1 5G

On the basis of meeting general security requirements, 5G security mechanisms provide differentiated security services for different business scenarios, accommodate multiple network access modes and new network architectures, protect users' personal privacy, and support the provision of open security capabilities. Online data security standards in the 5G area mainly cover general 5G data security requirements, 5G terminal data security, 5G network-side data security, and data security for 5G network capability exposure.

4.2 Mobile Internet

Traditional mobile Internet security mainly covers terminal security, network security and application security. With the widespread use of mobile operating systems in an open ecosystem and the large-scale flow of data, the data security risks of the mobile Internet have become more prominent. Online data security standards in the mobile Internet area mainly cover personal information protection in mobile applications and the security of mobile application software SDKs.

4.3 Internet of cars

Internet of cars security covers the full range of connections and data interaction in-vehicle, vehicle-to-vehicle, vehicle-to-road, vehicle-to-person and vehicle-to-service platform, and data security and privacy protection run through every link of the Internet of cars. Online data security standards in this area mainly cover Internet of cars cloud platform data security, V2X communication data security, intelligent connected vehicle data security, and Internet of cars mobile app data security.

4.4 Internet of Things

Internet of Things security covers the IoT perception layer, transmission layer and application layer, and involves server-side security, terminal security and communication network security; data security runs through every link. Online data security standards in the IoT area mainly cover IoT cloud data security protection, IoT management system data security protection, and IoT terminal data security protection.

4.5 Industrial Internet

Industrial Internet security focuses on the security of control systems, equipment, networks, data, platforms and applications, and on security management. Online data security standards in the Industrial Internet area mainly cover Industrial Internet data security protection and Industrial Internet data grading technology.

4.6 Cloud computing

Cloud computing security takes cloud host security as its core and covers network security, data security, application security, security management and business security. Online data security standards in the cloud computing area mainly cover customer data protection, cloud service business data security, and cloud asset management.

4.7 Big data

Big data security covers every link of full-lifecycle data management, including the assurance of the security functions of big data platforms in operation and asset management with data as its object. Online data security standards in the big data area mainly cover big data platform security and big data asset management.

4.8 Artificial intelligence

Artificial intelligence security covers personal information security, algorithm security, data security and network security. Online data security standards in the AI area mainly cover AI platform data security and personal information protection on AI terminals.

4.9 Blockchain

Blockchain security comprises three dimensions: the security of application services, the security of system design (including smart contracts and consensus mechanisms), and the security of basic components (including network communication, data security and cryptographic technology). Online data security standards in the blockchain area mainly cover blockchain privacy data protection and the protection of blockchain digital asset storage and interaction.

  • Organization and implementation

First, implement dynamic updating. Implement a mechanism for dynamic updating and improvement, and revise the "Construction Guidelines" on a rolling basis at appropriate times as the digital transformation of the economy and society continues, as the level of understanding and practice of data security rises, and in line with the latest requirements of data security laws and regulations.

Second, advance standards development. Organize the China Communications Standards Association and relevant telecommunications operators, Internet enterprises, equipment providers, security enterprises, research institutes, universities and other units to advance sectoral standards development in an orderly way along the development path set out in the "Standards Guidelines", paying attention to organically combining online data security standardization work with the latest research results on online data security protection and sectoral best practice.

Third, strengthen publicity and implementation. Give full play to the role of standardization organizations and industry associations, organize relevant experts to hold standards discussion activities, and promote the publicity and implementation of standards through training, consulting, forums and other means. Actively organize standards pilots and demonstrations, form best practices, and promote the application and spread of standards in the industry.

Fourth, strengthen international exchange and cooperation. Strengthen exchange and cooperation with international standardization organizations, and actively participate in the activities and international standards development of the International Telecommunication Union (ITU), the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and other international standardization bodies. Actively promote the alignment of domestic standards with international ones, and promote the conversion of advanced domestic standards into international standards.

Annex 1 Terminology and definitions

1. Network data

All kinds of electronic data collected, stored, transmitted, processed and generated through networks.

2. Important data

Data collected or generated within the territory by our country's institutions and individuals that does not involve state secrets but is closely related to national security, economic development and the public interest.

3. Personal information

All kinds of information recorded electronically or by other means that, alone or in combination with other information, can identify a specific natural person or reflect the activities of a specific natural person, including but not limited to a natural person's name, date of birth, identity document number, personal biometric information, address and telephone number.

4. Data export

A one-off or continuous activity in which a network operator provides personal information and important data collected and generated in the course of its operations within the territory of the People's Republic of China to overseas institutions, organizations or individuals, via networks or other means, whether by direct provision or through conducting business or providing services or products.

5. Full data lifecycle

The process of evolution through the various forms of existence of data, from generation through data collection, data transmission, data storage, data processing (including computation, analysis, visualization, etc.) and data exchange, up to data destruction.

6. Data exchange

The process of moving data resources between different platforms and applications, following certain principles and adopting corresponding technologies, to meet the need to transfer and process data resources between them.

7. Data cleansing

The process of re-examining and verifying data with the aim of removing duplicate information, correcting existing errors, handling invalid and missing values, and providing data consistency.

8. Data quality monitoring

The process of identifying, measuring, monitoring and giving early warning on the quality of collected data in terms of completeness, accuracy, consistency and timeliness.

9. Data integrity

The property that data has not been altered or destroyed in an unauthorized manner.

10. Big data platform

A collection of software and hardware that uses distributed storage and computing technology to provide access to and processing of big data and to support the secure and efficient operation of big data applications, including the software and hardware infrastructure for big data services such as monitoring of big data storage, input/output and operational control.

11. Security audit

Recording and analysing events, and taking corresponding actions in response to specific events.

12. Data leakage prevention

A strategy that uses technical means to prevent an organization's designated data or information assets from leaving the organization in a manner that violates its security policy.

13. Anonymization

The process of technically processing personal information so that the personal information subject cannot be identified and the processed information cannot be restored.

14. De-identification

The process of technically processing personal information so that the personal information subject cannot be identified without the aid of additional information.

15. Data desensitization

Deforming certain sensitive information by means of desensitization rules, so as to achieve reliable protection of sensitive private data.
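The three definitions above (anonymization, de-identification and data desensitization) differ in one practical respect: whether, and with what additional information, the original subject can be recovered. The following Python example illustrates that difference on one constructed record. It is an added illustration, not text or code from the Guidelines or from any standard listed in Annex 2; the field names, the sample values, the masking rules and the keyed-pseudonym scheme used for de-identification are all assumptions of the example.

```python
"""Added illustration of Annex 1 items 13-15: anonymization, de-identification
and data desensitization (masking). Record layout, values and rules are
constructed for this example and are not taken from any standard."""
import hashlib
import hmac
from typing import Dict

# Constructed sample record; the field set follows the enumeration in Annex 1
# item 3 (name, date of birth, ID number, phone, address). Values are invented.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "张三",
    "birth_date": "1985-07-12",
    "id_number": "110101198507123456",
    "phone": "13812345678",
    "city": "北京",
}

# Fields that identify the subject directly (an assumption of this example).
DIRECT_IDENTIFIERS = ("name", "id_number", "phone")


def mask(record: Dict[str, str]) -> Dict[str, str]:
    """Data desensitization (item 15): deform sensitive values by a fixed rule
    while keeping their length and format, so the record stays usable for
    display or test data. The specific rules below are assumptions."""
    out = dict(record)
    out["name"] = record["name"][0] + "*" * (len(record["name"]) - 1)
    out["phone"] = record["phone"][:3] + "****" + record["phone"][-4:]
    out["id_number"] = record["id_number"][:6] + "*" * 8 + record["id_number"][-4:]
    return out


def deidentify(record: Dict[str, str], key: bytes, lookup: Dict[str, str]) -> Dict[str, str]:
    """De-identification (item 14): replace direct identifiers with keyed
    pseudonyms (HMAC-SHA256, truncated). The key and the lookup table are the
    'additional information' of the definition: held apart from the data set,
    the subject cannot be identified; with them, reidentify() restores the
    record. The same input always yields the same token, so one person's
    records remain linkable for analysis."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        token = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[token] = record[field]
        out[field] = token
    return out


def reidentify(record: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Reverse deidentify() using the separately held lookup table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = lookup[record[field]]
    return out


def anonymize(record: Dict[str, str]) -> Dict[str, str]:
    """Anonymization (item 13): drop direct identifiers outright and generalize
    the remaining quasi-identifier (full birth date -> birth year). No key or
    mapping is retained, so the result cannot be restored."""
    return {"birth_year": record["birth_date"][:4], "city": record["city"]}


def leaks_direct_identifier(processed: Dict[str, str], original: Dict[str, str]) -> bool:
    """Release check: does any original direct identifier still appear
    verbatim in the processed record?"""
    originals = {original[f] for f in DIRECT_IDENTIFIERS}
    return any(value in originals for value in processed.values())


if __name__ == "__main__":
    key = b"example-pseudonym-key"  # constructed; in practice a managed secret
    table: Dict[str, str] = {}
    pseudonymized = deidentify(SAMPLE_RECORD, key, table)
    print("masked:", mask(SAMPLE_RECORD))
    print("de-identified:", pseudonymized)
    print("restored:", reidentify(pseudonymized, table) == SAMPLE_RECORD)
    print("anonymized:", anonymize(SAMPLE_RECORD))
```

The release check is the point a practitioner should take away: masking and de-identification both pass it, but only the anonymized output has no stored path back to the subject, which is why the definitions treat reversibility, not the visible change to the data, as the distinguishing property.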

16. Secure multi-party computation

Multiple data owners jointly perform a computation without trusting one another and output the result, with the guarantee that no party can obtain any information other than the computation result it is entitled to.

17. Transparent encryption

Monitoring applications' operations on files so that ciphertext is automatically decrypted when a file is opened and plaintext in memory is automatically encrypted when written to the storage medium, thereby ensuring that files on the storage medium are always in encrypted form.

18. Data tampering

Data being tampered with, added to or deleted, resulting in data corruption.

19. Data provenance

Recording the evolution information and evolution processing content of original data throughout its entire lifecycle (from generation through propagation to extinction).

Annex 2 Detailed list of standards projects related to online data security

No. Standard name Standard number/plan number Organization Status
Basic common
Terminology and definitions
1. Information security technology – Terminology   SAC/TC260 Opinion-seeking draft
2. Telecommunications data service platforms – Part 2: Terminology and reference model 2018-2321T-YD CCSA Opinion-seeking draft
Data security frameworks
3. Information security technology – Big data security reference framework   SAC/TC260 Research project
4. Information technology – Security techniques – Privacy framework   SAC/TC260 Research project
Data categorization and grading
5. Information security technology – Data security categorization and grading implementation guidelines   SAC/TC260 Research project
6. Telecommunications and Internet services – User personal information protection – Definitions and categorization YD/T 2781-2014 CCSA Promulgated
7. Telecommunications and Internet services – User personal information protection – Grading guidelines YD/T 2782-2014 CCSA Promulgated
8. Telecommunications operators – Big data security control categorization and grading technology requirements 2018-0162T-YD CCSA Opinion-seeking draft
9. Basic telecommunications enterprises' data categorization and grading methods 2019-0216T-YD CCSA Opinion-seeking draft
10. Telecommunications and Internet IoT business data categorization and grading methods   CCSA Formulation planned
Key technology
Data collection
11. Security requirements for Internet data collection using cookies 2013-2498T-YD CCSA Approval draft
12. Public security big data – Data collection and preprocessing 2019-CCSA-08 CCSA Draft
Data transmission
13. Information security technology – Electronic document encryption and signature message syntax GB/T 31503-2015 SAC/TC260 Promulgated
14. Information security technology – XML digital signature syntax and processing specification   SAC/TC260 Opinion-seeking draft
Data storage
15. Information security technology – Information system security audit product technology requirements and testing and evaluation methods GB/T 20945-2013 SAC/TC260 Promulgated
16. Information security technology – Network storage security technology requirements   SAC/TC260 Approval draft
17. Information security technology – Database management system security technology requirements   SAC/TC260 Approval draft
18. Communications storage media (SSD) encryption security technology requirements YD/T 2390-2011 CCSA Promulgated
19. Telecommunications network data leakage prevention system (DLP) technology requirements 2018-1785T-YD CCSA Approval draft
20. Database audit system technology requirements in big data environments 2019-0743T-YD CCSA Draft
21. Telecommunications network and Internet data security log audit norms   CCSA Formulation planned
22. Telecommunications network and Internet data lifecycle log general requirements   CCSA Formulation planned
Data processing
23. Information security technology – Personal information de-identification guidelines GB/T 37964-2019 SAC/TC260 Approval draft
24. Telecommunications and big data platform data desensitization implementation methods 2019-0215T-YD CCSA Approval draft
25. Internet-facing applications' healthcare data application desensitization technology requirements 2019-0302T-YD CCSA Approval draft
Data exchange
26. Information security technology – data exchange service security requirements GB/T 37932-2019 SAC/TC260 Approval draft
27. Information security technology – government affairs information sharing data security technology requirements   SAC/TC260 Opinion-seeking draft
28. Basic Internet infrastructure resource support system information and data sharing interface technology requirements 2018-0180T-YD CCSA Approval draft
29. Telecommunications sector data openness and sharing security management requirements 2017-0302T-YD CCSA Draft
30. Application data flow security requirements in the online environment 2019-0742T-YD CCSA Draft
31. Data security flow platform technology requirements   CCSA Formulation planned
Data destruction
Security management
Data security norms
32. Information security technology – public and commercial service information systems' personal information protection guidelines GB/Z 28828-2012 SAC/TC260 Promulgated
33. Information security technology – personal information security standard GB/T 35273-2017 SAC/TC260 Approval draft
34. Information security technology – personal information project guidelines   SAC/TC260 Opinion-seeking draft
35. Information security technology – personal information notification and agreement guidelines   SAC/TC260 Opinion-seeking draft
36. Information security technology – basic data security requirements   SAC/TC260 Opinion-seeking draft
37. Information security technology – basic standards for personal information collection in mobile Internet applications (Apps)   SAC/TC260 Draft
38. Information security technology – implementation guidelines for personal identifiable information (PII) processors for PII protection in the public cloud   SAC/TC260 Draft
39. Telecommunications networks and Internet user personal electronic information protection general technology requirements and management requirements 2018-1784T-YD CCSA Submission draft
40. Basic telecommunications enterprises' important data identification guidelines 2019-0217T-YD CCSA Draft
41. Telecommunications and Internet services – User personal information protection technology requirements 20173806-T-339 CCSA Draft
42. Telecommunications and Internet services – User personal information protection technology requirements – E-commerce services YD/T 3105-2016 CCSA Promulgated
43. Telecommunications and Internet services – User personal information protection technology requirements – mobile application stores YD/T 3106-2016 CCSA Promulgated
44. Telecommunications and Internet services – User personal information protection technology requirements – instant communication services YD/T 3327-2018 CCSA Promulgated
45. Telecommunications and Internet services – User personal information protection technology requirements – basic telecommunications services 2018-1688T-YD CCSA Draft
46. Telecommunications and Internet services – User personal information protection technology requirements – Mobility services 2018-1687T-YD CCSA Draft
Data security assessment
47. Information security technology – database management system security assessment norms   SAC/TC260 Approval draft
48. Information security technology – data export security assessment guidelines   SAC/TC260 Submission draft
49. Information security technology – personal information security impact assessment guidelines   SAC/TC260 Approval draft
50. Information security technology – big data business security risk control implementation guidelines   SAC/TC260 Research project
51. Internet new technology and new business model security evaluation requirements – Big data technology applications and services 2017-0298T-YD CCSA Approval draft
52. Telecommunications and Internet data security risk assessment implementation methods 2018-1669T-YD CCSA Approval draft
53. Telecommunications networks and Internet data security requirements 2019-0218T-YD CCSA Submission draft
54. Telecommunications networks and Internet data security assessment norms 2019-0219T-YD CCSA Opinion-seeking draft
55. Telecommunications networks and Internet data security assessment implementation technology requirements 2019-0220T-YD CCSA Opinion-seeking draft
56. Telecommunications networks and Internet data security assessment service bodies capacity certification norms   CCSA Formulation planned
Monitoring, early warning and handling
57. Cybersecurity threat data reporting interface requirements 2016-1069T-YD CCSA Approval draft
Emergency response and disaster backup
58. Information security technology – disaster recovery service requirements GB/T 36957-2018 SAC/TC260 Promulgated
59. Information security technology – storage medium data recovery service requirements GB/T 31500-2015 SAC/TC260 Promulgated
60. Third-party disaster data exchange technology requirements YD/T 2393-2011 CCSA Promulgated
61. Telecommunications networks and Internet disaster back-ups and recovery implementation guidelines 2017-1024T-YD CCSA Draft
62. Telecommunications and Internet data security incident emergency response implementation guidelines   CCSA Formulation planned
Security capability certification
63. Information security technology – big data service security capacity requirements GB/T 35274-2017 SAC/TC260 Promulgated
64. Information security technology – disaster recovery service capacity assessment norms GB/T 37046-2018 SAC/TC260 Promulgated
65. Information security technology – data back-up and disaster recovery product and technology requirements, and monitoring and evaluation methods GB/T 29765-2013 SAC/TC260 Promulgated
66. Information security technology – data security capacity maturity models GB/T 37988-2019 SAC/TC260 Approval draft
67. Information security technology – data security management certification norms   SAC/TC260 Draft
68. Internet-facing data security capacity technology frameworks YD/T 3644-2020 CCSA Promulgated
69. Telecommunications networks and Internet third-party security service capacity assessment norms 2018-1783T-YD CCSA Draft
Focus areas
5G
70. 5G mobile telecommunications – security technology requirements 2018-2367T-YD CCSA Approval draft
71. 5G data security – general technology requirements   CCSA Formulation planned
Mobile Internet
72. Information security technology – mobile smart terminal data storage security technology requirements and monitoring and evaluation methods GB/T 34977-2017 SAC/TC260 Promulgated
73. Information security technology – mobile smart terminal personal information protection technology requirements GB/T 34978-2017 SAC/TC260 Promulgated
74. Information security technology – mobile Internet security audit product technology requirements   SAC/TC260 Opinion-seeking draft
75. Personal information sharing technology guidelines in the mobile Internet environment YD/T 3411-2018 CCSA Promulgated
76. Mobile browser personal information protection technology requirements YD/T 3367-2018 CCSA Promulgated
77. Mobile smart terminal personal information protection technology requirements YD/T 3082-2016 CCSA Promulgated
78. Personal data sharing evaluation and monitoring methods in the mobile Internet environment 2016-1933T-YD CCSA Approval draft
79. Personal information protection requirements and assessment methods for mobile application software 2019-1132T-YD CCSA Opinion-seeking draft
80. Mobile application software SDK security technology requirements and monitoring methods   CCSA Formulation planned
81. Mobile application software SDK security guidelines   CCSA Formulation planned
82. Mobile application store data security requirements   CCSA Formulation planned
Internet of cars
83. Internet of cars information services – data security technology requirements 2017-0926T-YD CCSA Approval draft
84. Internet of cars information services – user personal information protection requirements 2017-0959T-YD CCSA Submission draft
85. Mobile Internet-based car user data application and protection technology requirements 2018-0182T-YD CCSA Opinion-seeking draft
86. Mobile Internet-based car user data application and protection assessment methods 2018-0183T-YD CCSA Draft
87. Online taxi booking service platform data security protection requirements 2017-0938T-YD CCSA Draft
Internet of things
88. Information security technology – Internet of Things data transmission security technology requirements GB/T 37025-2018 SAC/TC260 Promulgated
89. Blockchain-based Internet of things online data exchange and sharing technology analysis 2017B73 CCSA Approval draft
90. Blockchain-based secure and trusted Internet of things data communication frameworks 2018-2359T-YD CCSA Draft
Industrial Internet
91. Information security technology – Industrial control system information security hierarchy norms GB/T 36324-2018 SAC/TC260 Promulgated
92. Information security technology – Industrial control system online audit product security technology standards   SAC/TC260 Approval draft
93. Industrial Internet online data security protection requirements 2018-1369T-YD CCSA Opinion-seeking draft
94. Industrial Internet security capacity maturity assessment norms 2018-1395T-YD CCSA Opinion-seeking draft
Cloud computing
95. Information security technology – Government website cloud computing service guidelines GB/T 38249-2019 SAC/TC260 Promulgated
96. Information security technology – Cloud computing security reference frameworks GB/T 35279-2017 SAC/TC260 Promulgated
97. Information security technology – Cloud computing service security capacity assessment methods GB/T 34942-2017 SAC/TC260 Promulgated
98. Information security technology – Cloud computing service security guidelines GB/T 31167-2014 SAC/TC260 Promulgated
99. Information security technology – cloud computing service security capacity requirements GB/T 31168-2014 SAC/TC260 Promulgated
100. Cloud computing security frameworks YD/T 3148-2016 CCSA Promulgated
101. Public cloud service security protection requirements YD/T 3157-2016 CCSA Promulgated
102. Public cloud service security protection inspection requirements YD/T 3158-2016 CCSA Promulgated
103. Cloud-facing services data security labelling norms YD/T 3470-2019 CCSA Promulgated
104. Cloud service user data protection capacity reference frameworks 2018-1796T-YD CCSA Approval draft
105. Cloud service user data protection capacity assessment methods part 1: Public cloud 2018-1797T-YD CCSA Approval draft
106. Cloud service user data protection capacity assessment methods part 2: Private cloud 2019-0209T-YD CCSA Approval draft
107. Telecommunications and Internet cloud service business data categorization and grading methods   CCSA Formulation planned
Big data
108. Information security technology – big data security management guidelines GB/T 37973-2019 SAC/TC260 Approval draft
109. Information security technology – Telecommunications-related big data security protection implementation guidelines   SAC/TC260 Draft
110. Big data platform security management product security technology requirement research   SAC/TC260 Research project
111. Telecommunications operators' big data application activity security technology requirements YD/T 3472-2019 CCSA Promulgated
112. Telecommunications and Internet big data platform security protection requirements 2017-0929T-YD CCSA Approval draft
113. Telecommunications and Internet big data platform security protection and monitoring requirements 2018-1782T-YD CCSA Approval draft
114. Big data processing platform security baseline requirements – applications and basic equipment platforms 2017-0297T-YD CCSA Opinion-seeking draft
115. Telecommunications networks and Internet data asset combing norms   CCSA Formulation planned
Artificial intelligence
116. Mobile smart terminal artificial intelligence applications' personal information protection technology requirements and assessment methods 2019-0745T-YD CCSA Draft
117. Artificial intelligence service platform data security requirements and assessment methods 2019-0031T-YD CCSA Draft
Blockchain
118. Blockchain development platforms' network and data security technology requirements 2017-1054T-YD CCSA Approval draft
119. Blockchain-based edge cloud network data sharing mechanism research 2019B62 CCSA Draft
120. Blockchain smart contract and distributed ledger security in financial transactions technology research 2019B32 CCSA Draft