Guidelines for the Construction of the Online Data Security Standards System


(Opinion-seeking draft)

April 2020


As information technology has connected and converged with human production and daily life, global data have taken on the characteristics of explosive growth and massive aggregation, the big data industry is in a period of vigorous development, technological progress and application innovation are advancing in lockstep, and data resources have become a fundamental national strategic resource and a factor of innovation in social production. At present, our country’s telecommunications and Internet sectors are developing rapidly and collecting large amounts of online data; while this liberates the development potential of the data economy and stimulates its accelerated growth, it also brings severe security risks. This requires that we deeply understand the importance and urgency of online data security, persist in stressing security and development equally, vigorously respond to complex and severe security risks and challenges, and accelerate the construction of a security protection system for online data.

“In secure development, standards come first”: standardization work is an important basis for guaranteeing online data security. In order to implement the requirements of laws and regulations such as the “Cybersecurity Law of the People’s Republic of China”, the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection” and the “Telecommunications and Internet User Personal Information Protection Regulations”, and to guide online data security standardization work in the telecommunications and Internet sectors, the Ministry of Industry and Information Technology has organized the drafting of the “Guidelines for the Construction of the Online Data Security Standards System” (hereafter “Construction Guidelines”). The “Construction Guidelines” give full rein to the top-level design and fundamental guidance roles of standards, provide powerful support for guaranteeing online data security in the telecommunications and Internet sectors, stimulate the rational and orderly flow of online data, and assist the high-quality development of the digital economy.

I, Train of thought and objectives of construction

(1) General train of thought

With Xi Jinping Thought on Socialism with Chinese Characteristics in a New Era as guidance, comprehensively implement the spirit of the 19th Party Congress and its 2nd, 3rd and 4th Plenums, implement the requirements of laws and regulations such as the “Cybersecurity Law of the People’s Republic of China”, the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection” and the “Telecommunications and Internet User Personal Information Protection Regulations”, give full rein to the supporting and guiding role of standards in guaranteeing online data security, promote the healthy and orderly development of the sector, and effectively construct an online data security standards system for the telecommunications and Internet sectors. Accelerate the comprehensive planning of standards, ensure linkage with national standards and sectoral standards in corresponding areas, encourage the transformation of innovative technological results into standards, strengthen the implementation and application of standards, strengthen international exchange and cooperation on standards, enhance the overall supporting role of standards in online data security protection, and provide an escort for the high-quality growth of the digital economy.

(2) Basic principles

Comprehensive planning, overall deployment. Integrate the technology and development status quo and characteristics of the telecommunications and Internet sectors, give rein to the important role of government controlling departments in top-level design, organizational coordination and policy formulation, formulate combined government-guided and market-driven standards system construction plans, establish online data security standard systems suited to the overall situation of the telecommunications and Internet sectors.

Establish the basis first, give priority to urgent needs. Start from the key points and difficult points in online data security management work, determine focus areas for the construction of an online data security standards system, and accelerate the research and formulation of basic and general, critical technology, and security management standards. On this basis, comprehensively consider the current situation of, and the risks and challenges faced by, online data security in related and important areas, and accelerate the research and formulation of urgently needed standards projects.

Multi-party participation, coordination and cooperation. In the process of standards formulation, assemble the strengths of multiple sides from industry circles and academic circles such as telecommunications operations enterprises, Internet enterprises, equipment providers, security enterprises, scientific research institutions, higher education institutions, etc., fully concentrate consensus, research and formulate online data security-related standards, perfect whole-life cycle management for standards research, formulation and application. Comprehensively use sectoral resources, fully give rein to the dominant role of enterprises in technological innovation, product research and development, demonstration and guidance and other such aspects of standards research and application, organize and coordinate relevant work units to vigorously participate in drafting, exchange and cooperation on international standards.

(3) Construction objectives

By 2021, establish a preliminary online data security standards system, effectively implement online data security management requirements, basically satisfy the sector’s online data security protection requirements, advance the application of standards in focus enterprises and focus areas, and research and formulate over 20 online data security sector standards.

By 2023, complete and perfect the online data security standards system, clearly raise the technical level, application level and internationalization level of standards, forcefully stimulate the upgrade of online data security protection capabilities, and research and formulate over 50 online data security sector standards.

II, Construction content

(1) The framework for the online data security standards system

The online data security standards system includes four major categories of standards: basic and general, critical technology, security management, and focus areas. Basic and general standards include terminology definitions, data security frameworks, and data categorization and hierarchy, and provide basic support for all other categories of standards. Critical technology standards standardize critical data security technology across the whole data lifecycle, including data collection, transmission, storage, processing, exchange, deletion, etc. Security management standards start from the management angle of online data security protection and guide the sector in effectively implementing the requirements of laws and regulations concerning online data security management, including data security norms, data security assessment, monitoring, early warning and handling, emergency response and disaster back-ups, security capacity certification, etc. Focus area standards integrate the actual situation and concrete requirements of the corresponding areas and guide the sector in effectively conducting online data protection work in those areas. The online data security standards system framework is displayed in image 1.

[Image 1 absent]

(2) Focus standardization areas and their trends

  1. Basic and general standards

Basic and general standards are fundamental, common and guiding standards for online data security protection, and include terminology definitions, data security frameworks, data categorization, hierarchy and other such standards. Basic and general standard sub-systems are as indicated in image 2.

[Image 2 absent]

1.1 Terminology definitions

Terminology definition standards are used to standardize online data security-related concepts and to support the drafting of other standards, including terminology, concepts and definitions, and the relationships between similar concepts in technology, norms, application areas, etc.

1.2 Data security frameworks

Data security framework standards include online data security system frameworks as well as all partial reference frameworks, in order to determine and delineate online data security angles, duties and responsibilities, boundaries, the relationship and internal links between all partial levels.

1.3 Data categorization and hierarchy

Data categorization and hierarchy standards are used to guide online data categorization and hierarchy, and provide the basic principles, dimensions, methods, examples, etc. of data categorization and hierarchy, they provide a basis for categorized and tiered protection of data security, and provide support for standards drafting for data security norms, data security assessment and other such areas.

  2. Critical technology standards

Critical technology standards start from the links across the whole data lifecycle, such as collection, transmission, storage, processing, exchange, deletion, etc., and standardize the critical technology of online data security. The sub-systems of critical technology standards are as indicated in image 3.

[Image 3 absent]

2.1 Data collection

Data collection standards are used to standardize related technological requirements in areas such as data collection forms, data labelling, data investigation and verification, etc., effectively increase data quality, and mainly include standards for data cleansing and comparative verification, data quality supervision and control, etc.

2.2 Data transmission

Data transmission standards standardize the security-related technical requirements of the data transmission process, such as functions and structures and security coordination, and mainly include standards for data integrity protection, encrypted data transmission, etc.

2.3 Data storage

Data storage standards are used to standardize technical requirements related to storage platform security mechanisms, secure data storage methods, security audits, security protection technology, etc., and mainly include standards for database security, cloud storage security, data security audits, data leak prevention, etc.

2.4 Data processing

Data processing standards are used to standardize requirements concerning sensitive data and personal information protection, clarify the scenarios, norms and technical methods for sensitive data protection, and mainly include standards on anonymization and de-identification, data desensitization, etc.
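The three techniques named here (and defined in appendix 1, items 13 to 15) are easy to confuse in practice, and the practical difference is whether, and with what, the subject can be re-identified. The following is a worked example added to this page; it is not code from the “Construction Guidelines” or from any MIIT, CCSA or TC260 standard. The record layout, masking rules, HMAC-SHA256 pseudonym construction and generalization rules are my own illustrative assumptions, and the sample records are constructed (fictional people and numbers). It also shows the failure mode a practitioner should check for: an unkeyed hash of a phone number is not de-identification, because the number space is small enough to enumerate.

```python
"""Desensitization vs de-identification vs anonymization (added example, not the
document's own code). All rules and sample records below are constructed
assumptions for illustration, not requirements of any standard."""
import hashlib
import hmac
import secrets

# Constructed sample records: fictional people, fictional ID and phone numbers.
SAMPLE_RECORDS = [
    {"name": "Zhang Wei", "id_card": "110101199003071234", "phone": "13800138000",
     "birth_date": "1990-03-07", "address": "Beijing, Haidian District, Zhongguancun St 1"},
    {"name": "Li Na", "id_card": "310104198512125678", "phone": "13900139001",
     "birth_date": "1985-12-12", "address": "Shanghai, Xuhui District, Zhaojiabang Rd 2"},
]

DIRECT_IDENTIFIERS = ("name", "id_card", "phone")


def desensitize(record):
    """Appendix item 15: rule-based masking for display or test environments.
    Digits are partially kept, so the output is still personal information and
    must be protected as such; masking is not anonymization."""
    surname = record["name"].split()[0]
    idc, ph = record["id_card"], record["phone"]
    return {
        **record,
        "name": f"{surname} *",
        "id_card": idc[:6] + "*" * (len(idc) - 10) + idc[-4:],   # keep region + check digits
        "phone": ph[:3] + "*" * (len(ph) - 7) + ph[-4:],          # keep prefix + last four
    }


def de_identify(record, pseudonym_key):
    """Appendix item 14: keyed pseudonymization. The key is the 'extra information':
    without it the subject cannot be identified, with it the controller can re-link
    rows of the same subject (the pseudonym is stable per key). Store the key
    separately from the de-identified data set."""
    tag = hmac.new(pseudonym_key, record["id_card"].encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = tag[:16]
    return out


def anonymize(record):
    """Appendix item 13: drop direct identifiers AND generalize quasi-identifiers so
    that no key or side table restores the subject. Irreversible by construction."""
    birth_year = int(record["birth_date"][:4])
    return {
        "birth_decade": f"{birth_year // 10 * 10}s",
        "city": record["address"].split(",")[0].strip(),
    }


def recover_phone_from_unkeyed_hash(digest_hex, known_prefix="1380013"):
    """Why an unkeyed hash is not de-identification: with a known or guessed
    operator prefix the remaining digits are a tiny search space. Returns the
    recovered phone number, or None if no candidate matches."""
    width = 11 - len(known_prefix)
    for i in range(10 ** width):
        candidate = known_prefix + str(i).zfill(width)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # assumed: a per-dataset key held by the controller
    for r in SAMPLE_RECORDS:
        print("masked       :", desensitize(r))
        print("de-identified:", de_identify(r, key))
        print("anonymized   :", anonymize(r))
    leaked = hashlib.sha256(SAMPLE_RECORDS[0]["phone"].encode()).hexdigest()
    print("unkeyed hash inverted to:", recover_phone_from_unkeyed_hash(leaked))
```

Two caveats follow from the example. First, generalization alone does not guarantee anonymity: with only two sample rows each generalized record is still unique, so a real anonymization step must check that every combination of remaining attributes occurs for enough subjects across the whole data set. Second, the de-identified output is only as strong as the separation between the data set and the key; if both leave the organization together, the data are merely pseudonymized in name.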

2.5 Data exchange

Data exchange standards are used to standardize secure data exchange models, define the powers and responsibilities of roles, data management and control technology frameworks, and clarify data tracing models, processes and methods, support secure data sharing, auditing, supervision and management, and mainly include standards on multi-party secure computing, transparent encryption, data tracing etc.

2.6 Data deletion

Data deletion standards are used to standardize the security mechanisms and technical requirements for data deletion and medium erasure, clarify the permanent, unrecoverable deletion of stored data, and mainly include standards on data deletion, medium erasure, etc.

  3. Security management standards

Security management standards start from the management angle of the online data security framework, guide the sector in implementing the management requirements of laws and regulations as well as of governmental controlling departments, and include data security norms, data security assessment, monitoring, early warning and processing, emergency response and disaster back-ups, security capability certification, etc. The security management standards sub-systems are as indicated in image 4.

[Image 4 absent]

3.1 Data security norms

Data security norm standards are used to implement and detail the requirements of laws and regulations, provide guidance and norms for sectors to conduct data security management, and mainly include standards on common data security requirements, personal information protection requirements, important data protection requirements, etc.

3.2 Data security assessment

Data security assessment standards are used to guide the sector in implementing online data security assessment requirements; they clarify the basic concepts, factor relationships, analysis principles, assessment methods, implementation workflows, implementation focus points, work methods and other such elements of assessment, guide the sector in conducting online data security assessment work in a standardized way, and mainly include standards on data security compliance assessment, data security risk assessment, personal information security impact assessment, data export security assessment, etc.

3.3 Monitoring, early warning and processing

Monitoring, early warning and processing standards start from the angle of supervision and management requirements from governmental controlling departments, clarify data security monitoring, early warning and processing systems and their technology requirements, conduct comprehensive analysis by combining data sensitivity, quantity and level, direction as well as account limitations, trace data security risks in a real-time and dynamic manner, and mainly include standards on technological requirements, interface norms, monitoring norms etc. for monitoring, early warning and processing.

3.4 Emergency response and disaster backups

Emergency response and disaster back-up standards are used to standardize data security incident emergency response management and processing measures, and standardize disaster back-up and recovery work objective and principles, technological requirements as well as implementation methods, and mainly include standards on data security emergency response guidelines, disaster back-up technology requirements, recovery capability evaluation, etc.

3.5 Security capacity certification

Security capacity certification standards are used to standardize the data security protection capacity of organizations and personnel, product and service data security protection levels, data security service capacity and other such related certification requirements, and are used to guide online operators and security service bodies to enhance their own security capacity and service capacity, and mainly include standards on managing security certification, product security certification, secure service certification, personnel capacity certification, etc.

  4. Focus area standards

On the basis of basic and general standards, critical technology standards and security management standards, and integrating the development situation of next-generation information and telecommunications technologies, focus on advancing arrangements in focus areas such as 5G, mobile Internet, the Internet of Cars, the Internet of Things, the industrial Internet, cloud computing, big data, artificial intelligence, blockchain, etc., and in integration with the development situation of sectors, progressively cover other important areas. In integration with the development situation of focus areas themselves and the requirements for online data security protection, formulate corresponding online data security standards. The sub-systems for security standards in focus area are as indicated in image 5.

[Image 5 absent]

4.1 5G

5G security mechanisms provide differentiated security services for different business scenarios; on the basis of satisfying common security requirements, they adapt to multiple kinds of network access methods and novel network structures, protect users’ personal privacy, and support the provision of open security capabilities. Online data security standards in the area of 5G mainly include general 5G data security requirements, 5G terminal data security, 5G network-side data security, 5G network capability exposure data security, etc.


4.2 Mobile Internet

Traditional mobile Internet security mainly includes areas such as terminal security, network security and application security. Following the widespread application of mobile operating systems in open ecology systems, and the large-scale circulation of data, mobile Internet data security risks have become more prominent. Online data security standards in the area of the mobile Internet mainly include mobile applications’ personal information protection, mobile application software SDK security, etc.

4.3 Internet of cars

Security in the Internet of cars covers the whole chain and the data exchange processes within cars, between cars, between cars and roads, between cars and people, and between cars and service platforms; data security and privacy protection pervade every segment of the Internet of cars. Online data security standards for the Internet of cars mainly include Internet of cars cloud platform data security, V2X telecommunications data security, smart connected car data security, Internet of cars mobile app data security, etc.

4.4 Internet of things

Internet of things security covers the sensing, transmission and application layers of the Internet of things, involves service-end security, terminal security, telecommunications network security and other such areas, and data security pervades every segment of these. Online data security standards in the area of the Internet of things mainly include Internet of things cloud-end data security protection, Internet of things management system data security protection, Internet of things terminal data security protection, etc.

4.5 Industrial Internet

The focus of industrial Internet security consists of control systems, equipment, networks, data, platforms, application software security and security management. Online data security standards in the area of the industrial Internet mainly include industrial Internet data security protection, tiered industrial Internet data technologies, etc.

4.6 Cloud computing

Cloud computing security has cloud host security at its core and covers network security, data security, application security, security management, business security and other such areas. Online data security standards in the area of cloud computing mainly include customer data protection, cloud service business data protection, on-cloud asset management, etc.

4.7 Big data

Big data security covers every segment of management across the whole lifecycle, and covers both the security guarantees for the operation of big data platforms and the asset management of the data they hold. Online data security standards in the area of big data mainly include big data platform security, big data asset management, etc.

4.8 Artificial intelligence

Artificial intelligence security covers personal information security, algorithm security, data security, network security, etc. Online data security standards in the area of artificial intelligence mainly include artificial intelligence platform data security, artificial intelligence terminal personal information protection, etc.

4.9 Blockchain

Blockchain security includes three dimensions: the security of application services, the security of the system design (including smart contracts and consensus mechanisms), and the security of the basic elements (including network communications, data security and encryption technology). Online data security standards in the area of blockchain mainly include blockchain privacy data protection, blockchain digital asset storage and exchange protection, etc.

III, Organizing implementation

First, implement dynamic updating. Establish and perfect mechanisms for dynamic updating and, following the continued advance of the digital transformation of the economy and society, the rise in data security awareness and practical proficiency, and the newest requirements of data security-related laws and regulations, revise the “Construction Guidelines” in a timely manner on a rolling basis.

Second, advance the research and formulation of standards. Organize the China Communications Standards Association and the corresponding telecommunications operating enterprises, Internet enterprises, equipment providers, security enterprises, scientific research institutions, higher education institutions and other such work units to advance sectoral standards research and formulation work in an orderly manner according to the standards research and formulation paths clarified in the “Construction Guidelines”, and stress the organic integration of online data security standardization work with the newest research achievements in online data protection and the best practices of industry.

Third, strengthen publicity and implementation. Give full rein to the roles of standardization organizations and sectoral associations in organizing relevant experts to conduct standards research activities, and advance the publicity of standards through training, consulting, forums, etc. Vigorously organize standards-based trials and demonstrations, create best practices, and stimulate the application and popularization of standards in industry.

Fourth, strengthen international exchange and cooperation. Strengthen cooperation and exchange with international standardization organizations, vigorously participate in international standardization organizations such as the International Telecommunication Union, the International Organization for Standardization and the International Electrotechnical Commission, and in the research and formulation of international standards. Vigorously stimulate linkages between domestic and international standards, and promote the transformation of advanced domestic standards into international standards.

Appendix 1: Terminology definitions

1, Online data

All kinds of digital data collected, stored, transmitted, processed and engendered through networks.

2, Important data

Data collected and generated within the borders by our country’s organizations and individuals that does not involve State secrets but is closely connected to national security, economic development and the public interest.

3, Personal information

All kinds of information recorded electronically or through other means that, by itself or in combination with other information, can identify a specific natural person or reflect the activities of a specific natural person, including but not limited to a natural person’s name, date of birth, identity card number, personal biometric information, address, telephone number, etc.

4, Data export

One-time or continuous activities where network operators, through networks and other such measures, provide foreign bodies, organizations or individuals with personal data and important data collected or engendered through operations within the borders of the People’s Republic of China, through direct provision or conducting business activities, providing products or services, etc.

5, Whole data lifecycle

The evolutionary process of data from its engendering, including all kinds of forms of existence such as data collection, data transmission, data storage, data processing (including computing, analysis, visualization etc.), data exchange, up to data deletion.

6, Data exchange

The process of realizing the flow of data resources between different platforms and applications, on the basis of certain principles and adopting corresponding technologies, in order to satisfy the data resource transmission and processing needs between those platforms or applications.

7, Data cleaning

The process of re-examining and inspecting data with the aim of deleting duplicate information, correcting existing errors, handling null and missing values, and providing data consistency.

8, Data quality supervision and control

The process of conducting identification, measuring, supervision, control and early warning in areas such as data integrity, accuracy, uniformity, timeliness etc.

9, Data integrity

The characteristic that data is not altered or deleted by unauthorized means.

10, Big data platforms

Software and hardware assemblies that use distributed storage and computing technologies, provide big data querying and processing, and support the secure and efficient operation of big data applications, including the big data service software and the hardware infrastructure that support the storage, transmission, export and operational control of big data.

11, Security auditing

The action of recording and analysing events, and making corresponding comparisons with particular events.

12, Data leak prevention

A strategy of using certain technical means to prevent the data belonging to an organization or its information assets from flowing in a manner that violates security policies and regulations.

13, Anonymization

The process of technically processing personal information so that the personal information subject cannot be identified and the information cannot be restored after processing.

14, De-identification

The process of technically processing personal information so that, without the assistance of additional information, the personal information subject cannot be identified.

15, Data desensitization

Changing particular sensitive data through desensitization rules, realizing reliable protection of sensitive and privacy-related data.

16, Multi-party secure computing

Multiple data holders conducting coordinated computation under mutually untrusting conditions and outputting a computing result, while guaranteeing that no party can obtain any information other than the agreed computing result.

17, Transparent encryption

Monitoring and controlling the operations of application software on files, automatically decrypting ciphertext when a file is opened and automatically encrypting plaintext when it is written to the storage medium, thereby guaranteeing that the file on the storage medium remains in an encrypted state throughout.

18, Data falsification

Falsifying, adding to or deleting data, resulting in the destruction of the data.

19, Data tracing

Recording the evolution information and the content of the evolution processing of original data throughout the entire lifecycle, from creation and transmission to destruction.

Appendix 2: Online data security-related standard projects list


No. | Standard title | Standard no./project no. | Organization in charge | State

Basic and general

Terminology definitions
1 | Information security technology – Definitions | – | SAC/TC260 | Opinion-seeking draft
2 | Telecommunications data service platforms – Part 2: definitions and reference models | 2018-2321T-YD | CCSA | Opinion-seeking draft

Data security frameworks
3 | Information security technology – Big data security reference frameworks | – | SAC/TC260 | Research project
4 | Information technology – Security technology – Privacy protection frameworks | – | SAC/TC260 | Research project

Data categorization and hierarchy
5 | Information security technology – Data security categorization and hierarchy implementation guidelines | – | SAC/TC260 | Research project
6 | Telecommunications and Internet services – User personal information protection – Definitions and categories | YD/T 2781-2014 | CCSA | Promulgated
7 | Telecommunications and Internet services – User personal information protection – Hierarchy guidelines | YD/T 2782-2014 | CCSA | Promulgated
8 | Telecommunications operators – Big data security management and control categorization and hierarchy technology requirements | 2018-0162T-YD | CCSA | Opinion-seeking draft
9 | Basic telecommunications enterprises data categorization and hierarchy methods | 2019-0216T-YD | CCSA | Opinion-seeking draft
10 | Telecommunications and Internet/Internet of things business data categorization and hierarchy methods | – | CCSA | Formulation planned

Critical technology

Data collection
11 | Security requirements for using cookies to conduct Internet data collection | 2013-2498T-YD | CCSA | Approval draft
12 | Public security big data – Data collection and pre-processing | 2019-CCSA-08 | CCSA | Draft

Data transmission
13 | Information security technology – Electronic file encryption and signature information syntaxes | GB/T 31503-2015 | SAC/TC260 | Promulgated
14 | Information security technology – XML digital signature syntaxes and processing norms | – | SAC/TC260 | Opinion-seeking draft

Data storage
15 | Information security technology – Information system security audit product technology requirements and monitoring and evaluation methods | GB/T 20945-2013 | SAC/TC260 | Promulgated
16 | Information security technology – Online storage security technology requirements | – | SAC/TC260 | Approval draft
17 | Information security technology – Database management system security technology requirements | – | SAC/TC260 | Approval draft
18 | Communication storage media (SSD) encryption security technology requirements | YD/T 2390-2011 | CCSA | Promulgated
19 | Telecommunications network data leak prevention systems (DLP) technology requirements | 2018-1785T-YD | CCSA | Approval draft
20 | Database auditing systems technology requirements in the big data environment | 2019-0743T-YD | CCSA | Draft
21 | Telecommunications networks and Internet data security record auditing norms | – | CCSA | Formulation planned
22 | General telecommunications and Internet data lifecycle record requirements | – | CCSA | Formulation planned

Data processing
23 | Information security technology – Personal information de-identification guidelines | GB/T 37964-2019 | SAC/TC260 | Approval draft
24 | Telecommunications and big data platform data desensitization implementation methods | 2019-0215T-YD | CCSA | Approval draft
25 | Internet-facing applications’ healthcare data application desensitization technology requirements | 2019-0302T-YD | CCSA | Approval draft

Data exchange
26 | Information security technology – Data exchange service security requirements | GB/T 37932-2019 | SAC/TC260 | Approval draft
27 | Information security technology – Government affairs information sharing data security technology requirements | – | SAC/TC260 | Opinion-seeking draft
28 | Basic Internet infrastructure resource support system information and data sharing interface technology requirements | 2018-0180T-YD | CCSA | Approval draft
29 | Telecommunications sector data openness and sharing security management requirements | 2017-0302T-YD | CCSA | Draft
30 | Application data flow security requirements in the online environment | 2019-0742T-YD | CCSA | Draft
31 | Data security flow platform technology requirements | – | CCSA | Formulation planned

Data deletion
(no projects listed)

Security management

Data security norms
32 | Information security technology – Public and commercial service information systems’ personal information protection guidelines | GB/Z 28828-2012 | SAC/TC260 | Promulgated
33 | Information security technology – Personal information security standard | GB/T 35273-2017 | SAC/TC260 | Approval draft
34 | Information security technology – Personal information project guidelines | – | SAC/TC260 | Opinion-seeking draft
35 | Information security technology – Personal information notification and agreement guidelines | – | SAC/TC260 | Opinion-seeking draft
36 | Information security technology – Basic data security requirements | – | SAC/TC260 | Opinion-seeking draft
37 | Information security technology – Basic standards for personal information collection in mobile Internet applications (Apps) | – | SAC/TC260 | Draft
38 | Information security technology – Implementation guidelines for personally identifiable information (PII) processors for PII protection in the public cloud | – | SAC/TC260 | Draft
39 | Telecommunications networks and Internet user personal electronic information protection general technology requirements and management requirements | 2018-1784T-YD | CCSA | Submission draft
40 | Basic telecommunications enterprises’ important data identification guidelines | 2019-0217T-YD | CCSA | Draft
41 | Telecommunications and Internet services – User personal information protection technology requirements | 20173806-T-339 | CCSA | Draft
42 | Telecommunications and Internet services – User personal information protection technology requirements – E-commerce services | YD/T 3105-2016 | CCSA | Promulgated
43 | Telecommunications and Internet services – User personal information protection technology requirements – Mobile application stores | YD/T 3106-2016 | CCSA | Promulgated
44 | Telecommunications and Internet services – User personal information protection technology requirements – Instant communication services | YD/T 3327-2018 | CCSA | Promulgated
45 | Telecommunications and Internet services – User personal information protection technology requirements – Basic telecommunications services | 2018-1688T-YD | CCSA | Draft
46 | Telecommunications and Internet services – User personal information protection technology requirements – Mobility services | 2018-1687T-YD | CCSA | Draft

Data security assessment
47 | Information security technology – Database management system security assessment norms | – | SAC/TC260 | Approval draft
48 | Information security technology – Data export security assessment guidelines | – | SAC/TC260 | Submission draft
49 | Information security technology – Personal information security impact assessment guidelines | – | SAC/TC260 | Approval draft
50 | Information security technology – Big data business security risk control implementation guidelines | – | SAC/TC260 | Research project
51 | Internet new technology and new business model security evaluation requirements – Big data technology applications and services | 2017-0298T-YD | CCSA | Approval draft
52 | Telecommunications and Internet data security risk assessment implementation methods | 2018-1669T-YD | CCSA | Approval draft
53 | Telecommunications networks and Internet data security requirements | 2019-0218T-YD | CCSA | Submission draft
54 | Telecommunications networks and Internet data security assessment norms | 2019-0219T-YD | CCSA | Opinion-seeking draft
55.Telecommunications networks and Internet data security assessment implementation technology requirements2019-0220T-YDCCSAOpinion-seeking draft
56.Telecommunications networks and Internet data security assessment service bodies capacity certification norms CCSAFormulation planned
Monitoring, early warning and processing
57.Cybersecurity threat data reporting interface requirements2016-1069T-YDCCSAApproval draft
Emergency response and disaster back-ups
58.Information security technology – disaster recovery service requirementsGB/T 36957-2018SAC/TC260Promulgated
59.Information security technology – storage medium data recovery service requirementsGB/T 31500-2015SAC/TC260Promulgated
60.Third-party disaster data exchange technology requirementsYD/T 2393-2011CCSAPromulgated
61.Telecommunications networks and Internet disaster back-ups and recovery implementation guidelines2017-1024T-YDCCSADraft
62.Telecommunications and Internet data security incident emergency response implementation guidelines CCSAFormulation planned
Security capacity certification
63.Information security technology – big data service security capacity requirementsGB/T 35274-2017SAC/TC260Promulgated
64.Information security technology – disaster recovery service capacity assessment normsGB/T 37046-2018SAC/TC260Promulgated
65.Information security technology –data back-up and disaster recovery product and technology requirements, and monitoring and evaluation methodsGB/T 29765-2013SAC/TC260Promulgated
66.Information security technology – data security capacity maturity modelsGB/T 37988-2019SAC/TC260Approval draft
67.Information security technology – data security management certification norms SAC/TC260Draft
68.Internet-facing data security capacity technology frameworksYD/T 3644-2020CCSAPromulgated
69.Telecommunications networks and Internet third-party security service capacity assessment norms2018-1783T-YDCCSADraft
Focus areas
70.5G mobile telecommunications – security technology requirements2018-2367T-YDCCSAApproval draft
71.5G data security – general technology requirements CCSAFormulation planned
Mobile Internet
72.Information security technology – mobile smart terminal data storage security technology requirements and monitoring and evaluation methods.GB/T 34977-2017SAC/TC260Promulgated
73.Information security technology – mobile smart terminal personal information protection technology requirementsGB/T 34978-2017SAC/TC260Promulgated
74.Information security technology 0 mobile Internet security audit product technology requirements SAC/TC260Opinion-seeking draft
75.Personal information sharing technology guidelines in the mobile Internet environmentYD/T 3411-2018CCSAPromulgated
76.Mobile browser personal information protection technology requirementsYD/T 3367-2018CCSAPromulgated
77.Mobile smart terminal personal information protection technology requirementsYD/T 3082-2016CCSAPromulgated
78.Personal data sharing evaluation and monitoring methods in the mobile Internet environment2016-1933T-YDCCSAApproval draft
79.Personal information protection requirements and assessment methods for mobile application software2019-1132T-YDCCSAOpinion-seeking draft
80.Mobile application software SDK security technology requirements and monitoring methods CCSAFormulation planned
81.Mobile application software SDK security guidelines CCSAFormulation planned
82.Mobile application store data security requirements CCSAFormulation planned
Internet of cars
83.Internet of cars information services – data security technology requirements2017-0926T-YDCCSAApproval draft
84.Internet of cars information services – user personal information protection requirements


2017-0959T-YDCCSASubmission draft
85.Mobile Internet-based car user data application and protection technology requirements2018-0182T-YDCCSAOpinion-seeking draft
86.Mobile Internet-based car user data application and protection assessment methods2018-0183T-YDCCSADraft
87.Online taxi booking service platform data security protection requirements2017-0938T-YDCCSADraft
Internet of things
88.Information security technology – Internet of Things data transmission security technology requirementsGB/T 37025-2018SAC/TC260Promulgated
89.Blockchain-based Internet of things online data exchange and sharing technology analysis2017B73CCSAApproval draft
90.Blockchain-based secure and trusted Internet of things data communication frameworks2018-2359T-YDCCSADraft
Industrial Internet
91.Information security technology – Industrial control system information security hierarchy normsGB/T 36324-2018SAC/TC260Promulgated
92.Information security technology – Industrial control system online audit product security technology standards SAC/TC260Approval draft
93.Industrial Internet online data security protection requirements2018-1369T-YDCCSAOpinion-seeking draft
94.Industrial Internet security capacity maturity assessment norms2018-1395T-YDCCSAOpinion-seeking draft
Cloud computing
95.Information security technology – Government website cloud computing service guidelinesGB/T 38249-2019SAC/TC 260Promulgated
96.Information security technology – Cloud computing security reference frameworksGB/T 35279-2017SAC/TC 260Promulgated
97.Information security technology – Cloud computing service security capacity assessment methodsGB/T 34942-2017SAC/TC 260Promulgated
98.Information security technology – Cloud computing service security guidelinesGB/T31167-2014SAC/TC 260Promulgated
99.Information security technology – cloud computing service security capacity requirementsGB/T 31168-2014SAC/TC 260Promulgated
100.Cloud computing security frameworksYD/T 3148-2016CCSAPromulgated
101.Public cloud service security protection requirementsYD/T 3157-2016CCSAPromulgated
102.Public cloud service security protection inspection requirementsYD/T 3158-2016CCSAPromulgated
103.Cloud-facing services data security labelling normsYD/T 3470-2019CCSAPromulgated
104.Cloud service user data protection capacity reference frameworks2018-1796T-YDCCSAApproval draft
105.Cloud service user data protection capacity assessment methods part 1: Public cloud2018-1797T-YDCCSAApproval draft
106.Cloud service user data protection capacity assessment methods part 2: Private cloud2019-0209T-YDCCSAApproval draft
107.Telecommunications and Internet service business data categorization and hierarchy methods CCSAFormulation planned
Big data
108.Information security technology – big data security management guidelinesGB/T 37973-2019SAC/TC260Approval draft
109.Information security technology – Telecommunications-related big data security protection implementation guidelines SAC/TC260Draft
110.Big data platform security management product security technology requirement research SAC/TC260Research project
111.Telecommunications operators’ big data application activity security technology requirementsYD/T 3472-2019CCSAPromulgated
112.Telecommunications and Internet big data platform security protection requirements2017-0929T-YDCCSAApproval draft
113.Telecommunications and Internet big data platform security protection and monitoring requirements2018-1782T-YDCCSAApproval draft
114.Big data processing platform security baseline requirement applications and basic equipment platforms2017-0297T-YDCCSAOpinion-seeking draft
115.Telecommunications networks and Internet data asset combing norms CCSAFormulation planned
Artificial intelligence
116.Mobile smart terminal artificial intelligence applications’ personal information protection technology requirements and assessment methods2019-0745T-YDCCSADraft
117.Artificial intelligence service platform data security requirements and assessment methods2019-0031T-YDCCSADraft
118.Blockchain exploitation platforms’ network and data security technology requirements2017-1054T-YDCCSAApproval draft
119.Blockchain-based edge cloud network data sharing mechanism research2019B62CCSADraft
120.Blockchain smart contracting and distributed ledger security in financial exchange technology research2019B32CCSADraft











  • Construction thinking and objectives
  • Overall thinking

  • Basic principles

  • Construction objectives

  • Construction content
  • Online data security standards system framework

Figure 1: Online data security standards system framework

  • Key standardization areas and directions

Figure 2: Basic and common standards sub-system

1.1 Terminology definitions

1.2 Data security framework

1.3 Data categorization and hierarchy

Figure 3: Key technology standards sub-system

2.1 Data collection

2.2 Data transmission

2.3 Data storage

2.4 Data processing

2.5 Data exchange

2.6 Data deletion

Figure 4: Security management standards sub-system

3.1 Data security norms

3.2 Data security assessment

3.3 Monitoring, early warning and processing

3.4 Emergency response and disaster back-ups

3.5 Security capacity certification

Figure 5: Focus area standards sub-system

4.1 5G

5G security mechanisms, on the basis of satisfying general security requirements, provide differentiated security services for different business scenarios, adapt to multiple network access modes and new network architectures, protect users’ personal privacy, and support the provision of open security capabilities. Online data security standards in the 5G area mainly include 5G data security general requirements, 5G terminal data security, 5G network-side data security, 5G network capability openness data security, etc.

4.2 Mobile Internet

4.3 Internet of cars

4.4 Internet of things

4.5 Industrial Internet

4.6 Cloud computing

4.7 Big data

4.8 Artificial intelligence

4.9 Blockchain

  • Organization and implementation

Annex 1: Terminology definitions

  • Online data

Annex 2: Detailed list of online data security-related standards projects

No. | Standard name | Standard or project number | Organization | Status
1. Information security technology – Terminology | – | SAC/TC260 | Opinion-seeking draft
2. Telecommunications data service platforms – Part 2: Terminology and reference models | 2018-2321T-YD | CCSA | Opinion-seeking draft
3. Information security technology – Big data security reference frameworks | – | SAC/TC260 | Research project
4. Information technology – Security technology – Privacy protection frameworks | – | SAC/TC260 | Research project
5. Information security technology – Data security categorization and hierarchy implementation guidelines | – | SAC/TC260 | Research project
6. Telecommunications and Internet services – User personal information protection – Definitions and categorization | YD/T 2781-2014 | CCSA | Promulgated
7. Telecommunications and Internet services – User personal information protection – Hierarchy guidelines | YD/T 2782-2014 | CCSA | Promulgated
8. Telecommunications operators – Big data security management and control categorization and hierarchy technology requirements | 2018-0162T-YD | CCSA | Opinion-seeking draft
10. Telecommunications and Internet Internet-of-things business data categorization and hierarchy methods | – | CCSA | Formulation planned
12. Public security big data – Data collection and pre-processing | 2019-CCSA-08 | CCSA | Draft
13. Information security technology – Electronic document encryption and signature message syntax | GB/T 31503-2015 | SAC/TC260 | Promulgated
14. Information security technology – XML digital signature syntax and processing norms | – | SAC/TC260 | Opinion-seeking draft
15. Information security technology – Information system security audit product technology requirements and testing and evaluation methods | GB/T 20945-2013 | SAC/TC260 | Promulgated
16. Information security technology – Network storage security technology requirements | – | SAC/TC260 | Approval draft
17. Information security technology – Database management system security technology requirements | – | SAC/TC260 | Approval draft
18. Communications storage media (SSD) encryption security technology requirements | YD/T 2390-2011 | CCSA | Promulgated
21. Telecommunications networks and Internet data security log audit norms | – | CCSA | Formulation planned
22. Telecommunications networks and Internet data lifecycle log general requirements | – | CCSA | Formulation planned
23. Information security technology – Personal information de-identification guidelines | GB/T 37964-2019 | SAC/TC260 | Approval draft
26. Information security technology – Data trading service security requirements | GB/T 37932-2019 | SAC/TC260 | Approval draft
27. Information security technology – Government affairs information sharing data security technology requirements | – | SAC/TC260 | Opinion-seeking draft
31. Data security flow platform technology requirements | – | CCSA | Formulation planned
32. Information security technology – Public and commercial service information systems’ personal information protection guidelines | GB/Z 28828-2012 | SAC/TC260 | Promulgated
33. Information security technology – Personal information security standard | GB/T 35273-2017 | SAC/TC260 | Approval draft
34. Information security technology – Personal information engineering guidelines | – | SAC/TC260 | Opinion-seeking draft
35. Information security technology – Personal information notification and consent guidelines | – | SAC/TC260 | Opinion-seeking draft
36. Information security technology – Basic data security requirements | – | SAC/TC260 | Opinion-seeking draft
37. Information security technology – Basic standards for personal information collection in mobile Internet applications (Apps) | – | SAC/TC260 | Draft
38. Information security technology – Implementation guidelines for personal identifiable information (PII) processors for PII protection in the public cloud | – | SAC/TC260 | Draft
41. Telecommunications and Internet services – User personal information protection technology requirements | 20173806-T-339 | CCSA | Draft
42. Telecommunications and Internet services – User personal information protection technology requirements – E-commerce services | YD/T 3105-2016 | CCSA | Promulgated
43. Telecommunications and Internet services – User personal information protection technology requirements – Mobile application stores | YD/T 3106-2016 | CCSA | Promulgated
44. Telecommunications and Internet services – User personal information protection technology requirements – Instant communication services | YD/T 3327-2018 | CCSA | Promulgated
45. Telecommunications and Internet services – User personal information protection technology requirements – Basic telecommunications services | 2018-1688T-YD | CCSA | Draft
46. Telecommunications and Internet services – User personal information protection technology requirements – Mobility services | 2018-1687T-YD | CCSA | Draft
47. Information security technology – Database management system security assessment norms | – | SAC/TC260 | Approval draft
48. Information security technology – Data export security assessment guidelines | – | SAC/TC260 | Submission draft
49. Information security technology – Personal information security impact assessment guidelines | – | SAC/TC260 | Approval draft
50. Information security technology – Big data business security risk control implementation guidelines | – | SAC/TC260 | Research project
51. Internet new technology and new business model security evaluation requirements – Big data technology applications and services | 2017-0298T-YD | CCSA | Approval draft
56. Telecommunications networks and Internet data security assessment service bodies capacity certification norms | – | CCSA | Formulation planned
58. Information security technology – Disaster recovery service requirements | GB/T 36957-2018 | SAC/TC260 | Promulgated
59. Information security technology – Storage medium data recovery service requirements | GB/T 31500-2015 | SAC/TC260 | Promulgated
60. Third-party disaster data exchange technology requirements | YD/T 2393-2011 | CCSA | Promulgated
62. Telecommunications and Internet data security incident emergency response implementation guidelines | – | CCSA | Formulation planned
63. Information security technology – Big data service security capacity requirements | GB/T 35274-2017 | SAC/TC260 | Promulgated
64. Information security technology – Disaster recovery service capacity assessment norms | GB/T 37046-2018 | SAC/TC260 | Promulgated
65. Information security technology – Data back-up and recovery product technology requirements and testing and evaluation methods | GB/T 29765-2013 | SAC/TC260 | Promulgated
66. Information security technology – Data security capacity maturity models | GB/T 37988-2019 | SAC/TC260 | Approval draft
67. Information security technology – Data security management certification norms | – | SAC/TC260 | Draft
68. Internet-facing data security capacity technology frameworks | YD/T 3644-2020 | CCSA | Promulgated
70. 5G mobile telecommunications networks – Security technology requirements | 2018-2367T-YD | CCSA | Approval draft
71. 5G data security general technology requirements | – | CCSA | Formulation planned
72. Information security technology – Mobile smart terminal data storage security technology requirements and testing and evaluation methods | GB/T 34977-2017 | SAC/TC260 | Promulgated
73. Information security technology – Mobile smart terminal personal information protection technology requirements | GB/T 34978-2017 | SAC/TC260 | Promulgated
74. Information security technology – Mobile Internet security audit product technology requirements | – | SAC/TC260 | Opinion-seeking draft
75. Personal information sharing technology guidelines in the mobile Internet environment | YD/T 3411-2018 | CCSA | Promulgated
76. Mobile browser personal information protection technology requirements | YD/T 3367-2018 | CCSA | Promulgated
77. Mobile smart terminal personal information protection technology requirements | YD/T 3082-2016 | CCSA | Promulgated
80. Mobile application software SDK security technology requirements and testing methods | – | CCSA | Formulation planned
81. Mobile application software SDK security guidelines | – | CCSA | Formulation planned
82. Mobile application store data security requirements | – | CCSA | Formulation planned
83. Internet of cars information services – Data security technology requirements | 2017-0926T-YD | CCSA | Approval draft
84. Internet of cars information services – User personal information protection requirements | 2017-0959T-YD | CCSA | Submission draft
88. Information security technology – Internet of things data transmission security technology requirements | GB/T 37025-2018 | SAC/TC260 | Promulgated
91. Information security technology – Industrial control system information security hierarchy norms | GB/T 36324-2018 | SAC/TC260 | Promulgated
92. Information security technology – Industrial control system network audit product security technology requirements | – | SAC/TC260 | Approval draft
95. Information security technology – Government website cloud computing service security guidelines | GB/T 38249-2019 | SAC/TC260 | Promulgated
96. Information security technology – Cloud computing security reference architecture | GB/T 35279-2017 | SAC/TC260 | Promulgated
97. Information security technology – Cloud computing service security capacity assessment methods | GB/T 34942-2017 | SAC/TC260 | Promulgated
98. Information security technology – Cloud computing service security guidelines | GB/T 31167-2014 | SAC/TC260 | Promulgated
99. Information security technology – Cloud computing service security capacity requirements | GB/T 31168-2014 | SAC/TC260 | Promulgated
100. Cloud computing security frameworks | YD/T 3148-2016 | CCSA | Promulgated
101. Public cloud service security protection requirements | YD/T 3157-2016 | CCSA | Promulgated
102. Public cloud service security protection inspection requirements | YD/T 3158-2016 | CCSA | Promulgated
103. Cloud-facing services data security labelling norms | YD/T 3470-2019 | CCSA | Promulgated
105. Cloud service user data protection capacity assessment methods – Part 1: Public cloud | 2018-1797T-YD | CCSA | Approval draft
106. Cloud service user data protection capacity assessment methods – Part 2: Private cloud | 2019-0209T-YD | CCSA | Approval draft
107. Telecommunications and Internet cloud service business data categorization and hierarchy methods | – | CCSA | Formulation planned
108. Information security technology – Big data security management guidelines | GB/T 37973-2019 | SAC/TC260 | Approval draft
109. Information security technology – Telecommunications-related big data security protection implementation guidelines | – | SAC/TC260 | Draft
110. Big data platform security management product security technology requirement research | – | SAC/TC260 | Research project
111. Telecommunications operators’ big data application business security technology requirements | YD/T 3472-2019 | CCSA | Promulgated
114. Big data processing platform security baseline requirements – Applications and infrastructure platforms | 2017-0297T-YD | CCSA | Opinion-seeking draft
115. Telecommunications networks and Internet data asset combing norms | – | CCSA | Formulation planned

