GB/T 41817:2022 Information security technology - Guidelines for personal information security engineering
1 Scope
This document sets forth the principles, objectives, stages and preparations of personal information security engineering, and provides engineering guidelines for implementing personal information security requirements in the requirements, design, development, testing and release stages of network products and services.
This document is applicable to network products and services (including information systems) that involve the processing of personal information, providing guidelines for planning and building personal information security measures in step with the products and services themselves, and may also be referenced by organizations when carrying out privacy engineering in the software development lifecycle.
Note: Where no confusion arises, the term "network products and services" is referred to as "products and services" herein.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2022 Information security techniques - Terminology
GB/T 35273-2020 Information security technology - Personal information security specification
GB/T 39335-2020 Information security technology - Guidance for personal information security impact assessment
GB/T 41391-2022 Information security technology - Basic requirements for collecting personal information in mobile internet applications
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2022 and the following apply.
3.1
personal information security engineering
an engineering process of integrating personal information security principles and requirements into each stage of product and service planning and construction, so that personal information security requirements can be effectively implemented in products and services
Note: It is also known as "privacy engineering".
3.2
personal information protection impact assessment
process of inspecting whether the purpose and method of personal information processing are legal, legitimate and necessary, judging the impact on the legitimate rights and interests of individuals and the associated security risks, and assessing the effectiveness of the personal information protection measures taken
Note: It is also known as "personal information security impact assessment".
3.3
personal information processing
collection, storage, use, processing, transmission, provision, disclosure, deletion and other acts of personal information
3.4
automated decision-making
activity of automatically analyzing and assessing an individual's behavioral habits, interests, or economic, health, or credit status through a computer program, and thus making decisions
Note: It includes personalized recommendation, personalized display and precision marketing.
3.5
third-party components
applications such as software development kits, code, plug-ins and programs provided by organizations or individuals other than the product and service provider
Note 1: They include commercial applications and open source applications.
Note 2: They include SDKs, code and plug-ins (referred to as "third-party components") embedded in products and services, as well as mobile Internet applications (referred to as "mobile applications"), applets and application systems (referred to as "third-party products or services") that access products and services.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API: application programming interface
ICT: information communication technology
SDK: software development kit
SDL: security development lifecycle
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
5.1 Principles of personal information security engineering
5.2 Objectives of personal information security engineering
5.3 Stages of personal information security engineering
5.4 Preparations for personal information security engineering
6 Requirements stage of personal information security engineering
6.1 Description
6.2 Inputs
6.3 Roles and responsibilities
6.4 Main activities
6.5 Outputs
7 Design stage of personal information security engineering
7.1 Description
7.2 Inputs
7.3 Roles and responsibilities
7.4 Main activities
7.5 Outputs
8 Development stage of personal information security engineering
8.1 Description
8.2 Inputs
8.3 Roles and responsibilities
8.4 Main activities
8.5 Outputs
9 Testing stage of personal information security engineering
9.1 Description
9.2 Inputs
9.3 Roles and responsibilities
9.4 Main activities
9.5 Outputs
10 Release stage of personal information security engineering
10.1 Description
10.2 Inputs
10.3 Roles and responsibilities
10.4 Main activities
10.5 Outputs
Annex A (Informative) Common personal information security design reference points
Annex B (Informative) Common personal information security default configuration reference points
Bibliography