JR/T 0197-2020 English PDF (JR/T0197-2020)
JR/T 0197-2020: Financial data security -- Guidelines for data security classification
JR/T 0197-2020
JR
FINANCIAL INDUSTRY STANDARD OF
THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.40
A 11
Financial data security - Guidelines for data security
classification
ISSUED ON: SEPTEMBER 23, 2020
IMPLEMENTED ON: SEPTEMBER 23, 2020
Issued by: People’s Bank of China
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Objectives, principles and scope ... 8
5 Data security grading ... 10
6 Identification of important data ... 21
Appendix A (Informative) Reference rules for data grading ... 22
Appendix B (Informative) Changes in data security level ... 79
Appendix C (Informative) Important data ... 80
References ... 82
Financial data security - Guidelines for data security
classification
1 Scope
This standard gives the objectives, principles and scope of financial data
security classification, as well as the elements, rules and classification process
of data security classification.
This standard applies to financial institutions carrying out security
classification of electronic data, and provides a reference for third-party
evaluation agencies and other organizations carrying out data security
inspection and evaluation.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies.
GB/T 4754-2017 Industrial classification for national economic activities
GB/T 5271.1-2000 Information technology - Vocabulary - Part 1:
Fundamental terms
GB/T 25069-2010 Information security technology - Glossary
GB/Z 28828-2012 Information security technology - Guideline for personal
information protection within information system for public and commercial
services
GB/T 35273-2020 Information security technology - Personal information
security specification
JR/T 0158-2018 Data classification guidelines for securities and futures
industry
JR/T 0171-2020 Personal financial information protection technical
specification
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 and GB/T 35273-
System execution of data manipulation.
Examples: Mathematical operations or logical operations of data, data
merging or classification, program assembly or compilation, or text
operations, such as editing, classification, merging, storage, retrieval,
display or printing.
Note 1: The term "data processing" cannot be used as a synonym for
"information processing".
Note 2: Rewrite GB/T 5271.1-2000, definition 2.01.01.06
3.6
Confidentiality
The property that information is not made available or disclosed to
unauthorized individuals, entities or processes.
[GB/T 25069-2010, definition 2.1.1]
3.7
Integrity
The property that assets are accurate and complete.
Note: Rewrite GB/T 25069-2010, definition 2.1.42.
3.8
Availability
The characteristics of data and resources that an authorized entity can
access and use as soon as needed.
[GB/T 25069-2010, definition 2.1.20]
3.9
Security level
The level of access to sensitive information which, combined with the security
category, allows finer-grained control of access to data.
[GB/T 25069-2010, definition 2.2.1.6]
3.10
Data hierarchical management is the basic work for establishing a unified and
complete data lifecycle security protection framework, which can provide
support for financial institutions to formulate targeted data security control
measures. The financial industry includes currency and financial services,
capital market services, insurance, etc., as shown in GB/T 4754-2017. The
"financial institutions" mentioned in this standard refer to the relevant
institutions engaged in the aforementioned financial industries.
4.2 Principles of data security grading
Data security grading follows the following principles:
a) The principle of legal compliance: Meet national laws and regulations and
the relevant regulations of industry authorities.
b) The principle of enforceability: Avoid overly complicated data grading rules,
so that the grading work remains feasible.
c) The principle of timeliness: A data security level has a certain validity
period; financial institutions should adjust the level in time according to
their level change strategy.
d) The principle of autonomy: According to the data management needs of the
financial institution (such as strategic needs, business needs, risk
acceptance, etc.), the data security level is determined independently
within the framework of this standard.
e) The principle of difference: Divide data into different security levels
according to the type and sensitivity of the organization's data, so that the
data is distributed across the levels; all data should not be lumped into a
few levels in a centralized manner.
f) The principle of objectivity: The data grading rules are objective and
verifiable, that is, the level of a data item can be judged from its attributes
and the grading rules, and the grading can be reviewed and checked.
4.3 Scope of data security classification
In the process of financial data security grading, non-electronic financial data
shall be implemented in accordance with relevant management regulations
such as archives and documents; financial data involving state secrets shall be
implemented in accordance with relevant national laws and regulations, which
is not within the scope of this standard. The data security classification of the
securities industry can be implemented with reference to JR/T 0158-2018.
The financial data covered by the security grading work includes, but is not
limited to:
financial institutions, including national security, public rights, personal privacy,
legal rights of enterprises. The determination of affected objects mainly
considers the following:
- The situation where the affected object is national security, which generally
refers to the damage of data security that may affect the stability of national
power, territorial sovereignty, national organization, social and financial
market stability, etc.
- The situation where the affected object is the public rights and interests,
which generally refers to the destruction of data security that may influence
the social order of production and operation, teaching and research,
medical and health, public transportation, the public’s political rights,
personal freedom, economic rights, etc.
- The situation where the affected object is personal privacy, which generally
refers to the breach of data security that may affect the personal information,
private activities and private domains of personal financial information
subjects.
- The situation where the affected object is the legitimate rights and interests
of the enterprise, which generally refers to the destruction of data security
that may affect the production, operation, reputation and image, credibility
of a certain enterprise or other organization (which may be a financial
institution or other industry institutions).
5.1.3 Degree of influence
The degree of influence refers to the magnitude of the impact once the data
security of a financial institution is damaged. From high to low, it is divided
into serious damage, general damage, minor damage and no damage; Table 1
describes each and can be used as a reference when judging the degree of
influence. The degree of influence should be determined by comprehensively
considering factors such as data type, data characteristics and data scale,
together with the attributes of the financial business, for example:
- After data security is breached, the impact of customers' personal natural
information is usually higher than that of the basic information of the
organization.
- After data security is breached, the degree of influence of identity
authentication information is usually higher than that of personal basic
profile information.
- Data with high real-time requirements in transaction information, the impact
of security breaches is usually higher than that of data with low real-time
- Confidentiality assessment: Conduct data confidentiality assessment by
evaluating the impact of unauthorized disclosure of data and the possible
impact of the institution's continued use of these data. The content of the
assessment includes but is not limited to:
• Unauthorized disclosure of data, which may cause damage to national
security, public rights, personal privacy, legal rights of enterprises, as
well as the severity of the damage.
• Data obtained or exploited by unauthorized parties, which may cause
damage to national security, public rights, personal privacy, legal rights
of the enterprise, as well as the severity of the damage.
• Data is exploited by unauthorized parties to conduct attacks such as
theft, tampering, destruction, or denial of service, which may cause
damage to national security, public rights, personal privacy, legal rights
of enterprises, as well as the severity of the damage.
• Whether the unauthorized disclosure or dissemination of data violates
national laws and regulations, relevant regulations of industry
authorities, or internal management regulations of the organization.
- Integrity assessment: Conduct data integrity assessment by evaluating the
impact of unauthorized modification or destruction of data and the possible
impact of the institution's continued use of these data. The content of the
assessment includes but is not limited to:
• Unauthorized modification or destruction of data, which may cause
damage to national security, public rights, personal privacy, legal rights
of the enterprise, as well as the severity of the damage.
• Unauthorized modification or destruction of data, which may cause
damage to other organizations or individuals, as well as the severity of
the damage.
• Unauthorized modification or destruction of data, which may cause
damage to the organization's functions, credibility, as well as the
severity of the damage.
• Whether the unauthorized modification or damage of data violates
national laws and regulations, relevant regulations of industry
authorities, or internal management regulations of the organization.
- Availability evaluation: Conduct data availability evaluation by evaluating
the impact of access or use interruption on the data and various types of
data formed after the combination/fusion, and the possible impact of the
institution’s failure to use these data. The content of the assessment
the important core node institutions in the financial transaction process.
It is generally disclosed to specific personnel and is only accessed or
used by objects that must be known.
• After data security is compromised, it will affect national security or
seriously affect public rights.
Note: "Must be known" refers to the determination of the scope of knowledge
of the data: a subject may be made aware of the data only when it clearly
needs to know it. Under normal circumstances, the principle of work need and
the principle of minimization are followed. The former means that the data
can be known only because of work requirements; the latter means that the
scope of knowledge is kept to the minimum that is sufficient.
- The characteristics of level 4 data are as follows:
• Data is usually mainly used for the important business use of large or
super large institutions in the financial industry, as well as important
core node institutions in the financial transaction process. It is generally
disclosed to specific persons and is only accessed or used by objects
that must be known.
• Category C3 information in personal financial information.
• After data security is compromised, it will have a general impact on the
public rights and interests, or have a serious impact on personal privacy
or the legitimate rights and interests of enterprises, but it will not affect
national security.
- The characteristics of level 3 data are as follows:
• Data is used for key or important business use of financial industry
institutions; it is generally disclosed to specific persons; it is only
accessed or used by objects that must be known.
• Category C2 information in personal financial information.
• After the security of data is compromised, it will have a slight impact on
public rights, or cause general influences on personal privacy or
enterprise legal rights, but does not affect national security.
- The characteristics of level 2 data are as follows:
• The data is used for the general business of financial institutions; it is
generally disclosed to a restricted set of objects. It is usually managed
internally and is not suitable for widespread disclosure.
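The following is an added worked example, not part of the standard's text: it encodes the level characteristics quoted above (5.3) together with the affected objects (5.1.2) and degrees of influence (5.1.3) as a small, reviewable grading engine. The level whose characteristics precede level 4 is assumed to be level 5; taking the highest level any rule yields, and defaulting to level 2 when no rule applies, are both assumptions made here.

```python
"""Reviewable data grading modelled on the JR/T 0197-2020 preview (added example).

Rule ids are kept in the result so a reviewer can check why a level was
assigned, in the spirit of the objectivity principle (4.2 f).
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Impact(IntEnum):
    """Degrees of influence from 5.1.3, ordered from lowest to highest."""
    NONE = 0      # no damage
    MINOR = 1     # minor damage
    GENERAL = 2   # general damage
    SERIOUS = 3   # serious damage


# Affected objects from 5.1.2.
NATIONAL_SECURITY = "national_security"
PUBLIC_RIGHTS = "public_rights"
PERSONAL_PRIVACY = "personal_privacy"
ENTERPRISE_RIGHTS = "enterprise_rights"

# (rule id, affected object, minimum impact, level), read off the 5.3 text.
# Level 5 is an assumption for the characteristics listed before level 4.
LEVEL_RULES = [
    ("L5-national-any", NATIONAL_SECURITY, Impact.MINOR, 5),
    ("L5-public-serious", PUBLIC_RIGHTS, Impact.SERIOUS, 5),
    ("L4-public-general", PUBLIC_RIGHTS, Impact.GENERAL, 4),
    ("L4-privacy-serious", PERSONAL_PRIVACY, Impact.SERIOUS, 4),
    ("L4-enterprise-serious", ENTERPRISE_RIGHTS, Impact.SERIOUS, 4),
    ("L3-public-minor", PUBLIC_RIGHTS, Impact.MINOR, 3),
    ("L3-privacy-general", PERSONAL_PRIVACY, Impact.GENERAL, 3),
    ("L3-enterprise-general", ENTERPRISE_RIGHTS, Impact.GENERAL, 3),
]

# Personal financial information categories cited in 5.3 (C3 -> level 4, C2 -> level 3).
PFI_CATEGORY_LEVEL = {"C3": 4, "C2": 3}

# Assumption: data that triggers no rule is ordinary business data (level 2).
DEFAULT_LEVEL = 2


@dataclass
class DataItem:
    name: str
    impacts: Dict[str, Impact]          # affected object -> degree of influence
    pfi_category: Optional[str] = None  # "C2", "C3" or None


@dataclass
class Grade:
    level: int
    fired: List[str] = field(default_factory=list)  # every satisfied rule, for review


def grade(item: DataItem) -> Grade:
    """Apply every rule and keep the highest level; record all rules that fired."""
    result = Grade(level=DEFAULT_LEVEL)
    for rule_id, obj, min_impact, level in LEVEL_RULES:
        if item.impacts.get(obj, Impact.NONE) >= min_impact:
            result.fired.append(rule_id)
            result.level = max(result.level, level)
    if item.pfi_category in PFI_CATEGORY_LEVEL:
        result.fired.append("PFI-" + item.pfi_category)
        result.level = max(result.level, PFI_CATEGORY_LEVEL[item.pfi_category])
    return result


# Constructed sample items; the impact assessments are illustrative, not from the standard.
CREDENTIALS = DataItem("customer authentication credentials",
                       {PERSONAL_PRIVACY: Impact.SERIOUS, ENTERPRISE_RIGHTS: Impact.GENERAL}, "C3")
PROFILE = DataItem("customer basic profile", {PERSONAL_PRIVACY: Impact.GENERAL}, "C2")
LEDGER = DataItem("core settlement ledger", {PUBLIC_RIGHTS: Impact.SERIOUS})
MINUTES = DataItem("internal meeting minutes", {ENTERPRISE_RIGHTS: Impact.MINOR})

if __name__ == "__main__":
    for item in (CREDENTIALS, PROFILE, LEDGER, MINUTES):
        g = grade(item)
        print(f"{item.name}: level {g.level} via {g.fired}")
```

The sample output reproduces the ordering the standard gives as an example in 5.1.3: authentication information grades higher than basic profile information.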
5.4 Grading process
5.4.1 Organizational guarantee
Determine the highest decision-making organization for data security
management; establish and clarify relevant departments (or organizations) and
their responsibilities, including but not limited to:
- The leading organization and person in charge of the data classification
work of this institution are mainly responsible for the overall planning of data
security classification work.
- The management department (or organization) of the organization's data
classification work and its person in charge are mainly responsible for the
organization, coordination, management, check, review of data
classification related work.
- The role of the information technology department and its person in charge
in the data security classification work, mainly responsible for implementing
the relevant requirements of data security classification and leading the
implementation of data security classification.
- The role of the business department (and/or the da...