Security Standardization

Transcription

1 ISO-ITU ITU Cooperation on Security Standardization Dr. Walter Fumy Chairman ISO/IEC JTC 1/SC 27 Chief Scientist, Bundesdruckerei GmbH, Germany 7th ETSI Security Workshop - Sophia Antipolis, January 2012

2 Agenda ISO/IEC JTC 1/SC 27 IT Security Techniques Scope, organization, work programme Recent achievements New projects Collaboration with ITU-T Modes of collaboration JTC 1 ITU-T collaboration on security standardization Conclusion Walter Fumy I 2

3 ISO/IEC JTC 1/SC 27 Scope The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as Information Security Management Systems (ISMS), security controls and services; Cryptographic mechanisms; Security aspects of identity management, biometrics and privacy; Conformance assessment, accreditation and auditing requirements in the area of information security; Security evaluation criteria and methodology. Walter Fumy I 3

4 ISO/IEC JTC 1/SC 27 Structure ISO/IEC JTC 1/SC 27 IT Security techniques Chair: Mr. W. Fumy Vice-Chair: Ms. M. De Soete SC 27 Secretariat DIN Ms. K. Passia Working Group 1 Information security management systems Convener Mr. T. Humphreys Working Group 2 Cryptography and security mechanisms Convener Mr. T. Chikazawa Working Group 3 Security evaluation criteria Convener Mr. M. Bañón Working Group 4 Security controls and services Convener Mr. M.-C. Kang Working Group 5 Identity management and privacy technologies Convener Mr. K. Rannenberg Walter Fumy I 4

5 SC 27/WG 1 ISMS Family of Standards 27001: 2005 ISMS Requirements 27000: 2009 ISMS Overview and Vocabulary 27002: 2005 (pka 17799) Code of Practice 27003: 2010 ISMS Implementation Guidance 27004: 2009 Information Security Mgt Measurement 27005: 2011 Information Security Risk Management Supporting Guidelines 27006: 2011 Accreditation Requirements 27007: 2011 ISMS Auditing Guidelines TR 27008: 2011 ISMS Guide for auditors on ISMS controls Accreditation Requirements and Auditing Guidelines ISMS for inter-sector and inter- organisational communications 27011: 2008 ITU-T X.1051 Telecom Sector ISMS Requirements ITU-T X.1054 Governance of information security TR Information security mgt guidelines for financial services TR Information security mgt - Organizational economics Sector Specific Requirements and Guidelines Walter Fumy I 5

6 SC 27/WG 4 Security Controls and Services ICT Readiness for Business Continuity (IS 27031) Cybersecurity (FDIS 27032) Unknown or emerging g security issues Network Security (CD , WD /3/4) 2/3/4) Application Security (IS ) Security Info-Objects for Access Control (TR 15816) Known security issues Security of Outsourcing (27036) TTP Services Security (TR 14516; 15945) Time Stamping Services (TR 29149) Information security incident management (27035) ICT Disaster Recovery Services (24762) Identification, collection and/or acquisition, and preservation of digital evidence (NP) Security breaches and compromises Walter Fumy I 6

7 SC 27/WG 2 Cryptography and Security Mechanisms Entity Authentica tion (IS 9798) Key Mgt (IS 11770) Non- Repudiatio n (IS 13888) Cryptographic Protocols Time Stamping Services (IS 18014) Hash Functions (IS 10118) Message Authentica tion Codes (IS 9797) Check Character Systems (IS 7064) Message Authentication Cryptographic Techniques based on Elliptic Curves (IS 15946) Signatures giving Msg Recovery (IS 9796) Digital Signatures Signatures with Appendix (IS 14888) Biometric Template Protection (NP 24745) Authentica Modes of Encryption ted & Operation Modes Encryption of Operation (IS 19772) (IS 10116) Encryption (IS 18033) Random Prime Number Generation (IS 18032) Bit Parameter Generation Generation (IS 18031) Walter Fumy I 7

8 SC 27/WG 3 Security Evaluation Criteria Secure System Responsible Vulnerability Engineering Principles Disclosure and Techniques (NWIP) (WD 29147) Trusted Platform Module (IS 11889) SSE-CMM Security Requirements for (IS 21827) Cryptographic Modules A Framework for (IS 19790) IT Security Assurance Security Assessment of (TR 15443) Test Requirements for Operational Systems Cryptographic Modules (TR 19791) (IS 24759) IT Security Evaluation Criteria (CC) (IS 15408) Evaluation Methodology (CEM) (IS 18045) PP/ ST Protection Profile Guide Registration Procedures (TR 15446) (IS 15292) Verification of Cryptographic Protocols (IS 29128) Security Evaluation of Biometrics (IS 19792) Walter Fumy I 8

9 SC 27/WG 5 Identity Management & Privacy Technologies WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes: Frameworks & Architectures A framework for identity management (ISO/IEC 24760, IS/WD/WD) Privacy framework (ISO/IEC 29100, IS) Privacy reference architecture (ISO/IEC 29101, CD) Entity authentication assurance framework (ISO/IEC / ITU-T X.1254, DIS) A framework for access management (ISO/IEC 29146, WD) Protection o Concepts Biometric information protection (ISO/IEC 24745, IS) Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD) Guidance on Context and Assessment Authentication context for biometrics (ISO/IEC 24761, 2009) Privacy capability assessment framework (ISO/IEC 29190, WD) Walter Fumy I 9

10 Recent Achievements between October 2010 and September International Standards and Technical Reports have been published 14 new projects have been approved (total number of projects: ~ 170) 4 additional P-members (total t 46) (total number of O-members: 17) 24 internal liaisons 29 external liaisons Walter Fumy I 10

11 Approved New Projects (I) ISO/IEC 17825: Testing methods for the mitigation of noninvasive attack classes against cryptographic modules ISO/IEC : Time-stamping services Part 4: Traceability of time sources ISO/IEC : Encryption algorithms Part 5: Identity-based mechanisms ISO/IEC : Anonymous entity authentication Part 3: Mechanisms based on blind signatures ISO/IEC 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC (as Technical Specification) Walter Fumy I 11

12 Approved New Projects (II) ISO/IEC 27036: Information security for supplier relationships Part 1: Overview and concepts Part 2: Common requirements Part 3: Guidelines for ICT supply chain security Part 4: Guidelines for security of outsourcing ISO/IEC 27041: Guidance on assuring suitability and adequacy of finvestigation i i methods ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence ISO/IEC 27043: Investigation principles and processes ISO/IEC 30111: Vulnerability handling processes ISO/IEC 30104: Physical security attacks, mitigation techniques and security requirements Walter Fumy I 12

13 Participation & More Information Next SC 27 meetings May 7-15, 2012 Stockholm, Sweden (WGs and Plenary) Oct 22-26, 2012 Italy (WGs) Walter Fumy I 13

14 SC 27 Collaboration with ITU-T ITU-T SG17 and SC 27 collaborate on many projects in order to progress common or twin text documents and to publish common standards. These include ISO/IEC ITU T Title Type Remark TR X.842 Guidelines on the use and management of Trusted Third Party services Common X.841 Security information objects (SIOs) for access control Common X X X.1051 Specification of TTP Services to support the application of digital signatures Common 2002 IT network security 2006 Twin Part 2: Network security architecture 2003 Information security management guidelines for telecommunications organizations based on Common 2008 ISO/IEC X.1054 Governance of information security Common DIS X.1254 Entity authentication assurance framework Common DIS tbs X.bhsm Telebiometric authentication framework using biometric hardware security module Common NWIP Walter Fumy I 14

15 Example for Common Text Standard ISO/IEC 27011: 2008 = ITU T Recommendation X.1051: Information technology Security techniques Information security management guidelines for telecommunications organizations based on ISO/IEC Walter Fumy I 15

16 Guide for ITU-T and ISO/IEC JTC 1 cooperation ISO/IEC JTC 1 Standing Document 3 Annex A to Recommendation ITU-T TA23 A.23 Walter Fumy I 16

17 Modes of Collaboration Specific to collaboration of JTC 1 and ITU-T Desire: produce common or twin (technically aligned) texts JTC 1 and ITU-T keep their own processes, approvals are synchronized Two options for collaboration Interchange mode is used when the work is straightforward, non-controversial, and with sufficient common participation in the meetings of the two organizations For more complex situations a joint Collaborative Team may work better Walter Fumy I 17

18 Useful References Guide for ITU-T and ISO/IEC JTC 1 Cooperation i t/ /T A A List of common text and technically aligned Recommendations International Standards Mapping between ISO/IEC International Standards and ITU-T T Recommendations Relationships of SG 17 Questions with JTC 1 SCs categorized as joint work (collaboration) (level 1) technical cooperation via liaison (level 2) informational liaison (level 3) T/studygroups/com17/Pages/relationships.aspx / / ti Walter Fumy I 18

19 ISO/IEC JTC 1 Information Technology Security Related Sub-committees SC 6 Telecommunications and information exchange between systems SC 7 Software and systems engineering SC 17 Cards and personal identification SC 25 Interconnection of information technology equipment SC 27 IT Security techniques SC 29 Coding of audio, picture, multimedia and hypermedia information SC 31 Automatic identification and data capture techniques SC 32 Data management and interchange SC 36 Information technology for learning, education and training SC 37 Biometrics SC 38 Distributed application platforms and services (DAPS) Walter Fumy I 19

20 Relationships of SG 17 Questions with JTC 1 SCs (I) Question Title ISO, IEC Level Q.1/WP1 Telecommunications systems security project JTC 1/SC 27 2&3 Q.2/WP1 Security architecture and framework JTC 1/SC 27 1&2 Q.3/WP1 Telecommunication information security management JTC 1/SC 27 1&2 Q.4/WP1 Cybersecurity JTC1/SC27 2 ISO TC Q.5/WP1 Countering spam by technical means JTC 1/SC 27 2 Q.6/WP2 Q.7/WP2 Security aspects of ubiquitous telecommunication services Secure application services JTC 1/SC 6 1&2 JTC 1/SC 25 2 JTC 1/SC 27 2 JTC 1/SC 31 3 JTC 1/SC 6 JTC1/SC25 JTC 1/SC 27 JTC 1/SC Q.8/WP2 Service oriented architecture security JTC 1/SC 38 3 Q.9/WP2 Telebiometrics JTC 1/SC 17 JTC 1/SC 27 JTC 1/SC 37 ISO TC 12 IEC TC &2 2 2 IEC TC 25 2 Walter Fumy I 20

21 Relationships of SG 17 Questions with JTC 1 SCs (II) Question Title ISO, IEC Level Q.10/WP3 Identity management architecture and mechanisms JTC 1/SC 27 1&2 Q.11/WP3 Directory services, Directory systems, and public-key/attribute certificates JTC 1/SC 6 JTC 1/SC 27 JTC 1/SC Q.12/WP3 Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration JTC 1/SC 6 JTC 1/SC 27 JTC 1/SC 31 JTC 1/SC 37 JTC 1/SC 38 ISO TC 215 IEC TC Q.13/WP3 Formal languages and telecommunication software JTC 1/SC 7 1 JTC 1/SC 22 1&3 Q.14/WP3 Testing languages, methodologies and framework JTC 1/SC 7 3 Q.15/WP3 Open Systems Interconnection (OSI) JTC 1/SC 6 1 Walter Fumy I 21

22 Further Examples for ISO-ITU Collaboration on Security Standardization ISO/IEC ITU T Title Type JTC 1 SC Remark X.800 TR X X.803 Open Systems Interconnection Basic Reference Model Part 2: Security Architecture Open Systems Interconnection Lower layers security model Open Systems Interconnection Upper layers security model... Twin SC Common SC Common SC X.1083 Biometrics BioAPI interworking protocol Common SC X.1311 Security framework kfor the ubiquitous it sensor network Common SC Walter Fumy I 22

23 Conclusion SG 17 is the ITU-T lead study group on security SC 27 is responsible for generic IT Security techniques Almost every security Question in ITU-T has some relation with the work programme of SC 27 ISO-ITU cooperation on security standardization affects many JTC 1 SCs Additional new work items where cooperation/collaboration is needed are continually being identified Walter Fumy I 23

24 Thank You!