Security Standardization


ISO-ITU Cooperation on Security Standardization
Dr. Walter Fumy, Chairman ISO/IEC JTC 1/SC 27, Chief Scientist, Bundesdruckerei GmbH, Germany
7th ETSI Security Workshop, Sophia Antipolis, January 2012

Agenda
- ISO/IEC JTC 1/SC 27 IT Security Techniques: scope, organization, work programme; recent achievements; new projects
- Collaboration with ITU-T: modes of collaboration; JTC 1 / ITU-T collaboration on security standardization
- Conclusion
Walter Fumy I 2

ISO/IEC JTC 1/SC 27 Scope
The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Information Security Management Systems (ISMS), security controls and services
- Cryptographic mechanisms
- Security aspects of identity management, biometrics and privacy
- Conformance assessment, accreditation and auditing requirements in the area of information security
- Security evaluation criteria and methodology

ISO/IEC JTC 1/SC 27 Structure
ISO/IEC JTC 1/SC 27 IT Security techniques: Chair Mr. W. Fumy; Vice-Chair Ms. M. De Soete; SC 27 Secretariat DIN, Ms. K. Passia
- Working Group 1: Information security management systems (Convener: Mr. T. Humphreys)
- Working Group 2: Cryptography and security mechanisms (Convener: Mr. T. Chikazawa)
- Working Group 3: Security evaluation criteria (Convener: Mr. M. Bañón)
- Working Group 4: Security controls and services (Convener: Mr. M.-C. Kang)
- Working Group 5: Identity management and privacy technologies (Convener: Mr. K. Rannenberg)
http://www.jtc1sc27.din.de/en

SC 27/WG 1 ISMS Family of Standards
ISMS Requirements:
- 27001:2005 ISMS Requirements
Supporting Guidelines:
- 27000:2009 ISMS Overview and Vocabulary
- 27002:2005 (pka 17799) Code of Practice
- 27003:2010 ISMS Implementation Guidance
- 27004:2009 Information Security Mgt Measurement
- 27005:2011 Information Security Risk Management
Accreditation Requirements and Auditing Guidelines:
- 27006:2011 Accreditation Requirements
- 27007:2011 ISMS Auditing Guidelines
- TR 27008:2011 ISMS Guide for auditors on ISMS controls
Sector Specific Requirements and Guidelines:
- 27010 ISMS for inter-sector and inter-organisational communications
- 27011:2008 (ITU-T X.1051) Telecom Sector ISMS Requirements
- 27014 (ITU-T X.1054) Governance of information security
- TR 27015 Information security mgt guidelines for financial services
- TR 27016 Information security mgt - Organizational economics

SC 27/WG 4 Security Controls and Services
The WG 4 work programme is organized around unknown or emerging security issues, known security issues, and security breaches and compromises. Projects:
- ICT Readiness for Business Continuity (IS 27031)
- Cybersecurity (FDIS 27032)
- Network Security (CD 27033-1, WD 27033-2/3/4)
- Application Security (IS 27034-1)
- Security Info-Objects for Access Control (TR 15816)
- Security of Outsourcing (27036)
- TTP Services Security (TR 14516; 15945)
- Time Stamping Services (TR 29149)
- Information security incident management (27035)
- ICT Disaster Recovery Services (24762)
- Identification, collection and/or acquisition, and preservation of digital evidence (NP)

SC 27/WG 2 Cryptography and Security Mechanisms
Cryptographic Protocols:
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
Message Authentication:
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Check Character Systems (IS 7064)
Digital Signatures:
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
Biometric Template Protection (NP 24745)
Encryption:
- Authenticated Encryption (IS 19772)
- Modes of Operation (IS 10116)
- Encryption (IS 18033)
Parameter Generation:
- Random Bit Generation (IS 18031)
- Prime Number Generation (IS 18032)

SC 27/WG 3 Security Evaluation Criteria
- Secure System Engineering Principles and Techniques (NWIP)
- Responsible Vulnerability Disclosure (WD 29147)
- Trusted Platform Module (IS 11889)
- SSE-CMM (IS 21827)
- Security Requirements for Cryptographic Modules (IS 19790)
- A Framework for IT Security Assurance (TR 15443)
- Security Assessment of Operational Systems (TR 19791)
- Test Requirements for Cryptographic Modules (IS 24759)
- IT Security Evaluation Criteria (CC) (IS 15408)
- Evaluation Methodology (CEM) (IS 18045)
- Protection Profile Guide (TR 15446)
- PP/ST Registration Procedures (IS 15292)
- Verification of Cryptographic Protocols (IS 29128)
- Security Evaluation of Biometrics (IS 19792)

SC 27/WG 5 Identity Management & Privacy Technologies
WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
Frameworks & Architectures:
- A framework for identity management (ISO/IEC 24760, IS/WD/WD)
- Privacy framework (ISO/IEC 29100, IS)
- Privacy reference architecture (ISO/IEC 29101, CD)
- Entity authentication assurance framework (ISO/IEC 29115 / ITU-T X.1254, DIS)
- A framework for access management (ISO/IEC 29146, WD)
Protection Concepts:
- Biometric information protection (ISO/IEC 24745, IS)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)
Guidance on Context and Assessment:
- Authentication context for biometrics (ISO/IEC 24761, 2009)
- Privacy capability assessment framework (ISO/IEC 29190, WD)

Recent Achievements
Between October 2010 and September 2011:
- 13 International Standards and Technical Reports have been published
- 14 new projects have been approved (total number of projects: ~170)
- 4 additional P-members (total 46); total number of O-members: 17
- 24 internal liaisons
- 29 external liaisons

Approved New Projects (I)
- ISO/IEC 17825: Testing methods for the mitigation of non-invasive attack classes against cryptographic modules
- ISO/IEC 18014-4: Time-stamping services, Part 4: Traceability of time sources
- ISO/IEC 18033-5: Encryption algorithms, Part 5: Identity-based mechanisms
- ISO/IEC 20009-3: Anonymous entity authentication, Part 3: Mechanisms based on blind signatures
- ISO/IEC 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (as Technical Specification)

Approved New Projects (II)
- ISO/IEC 27036: Information security for supplier relationships; Part 1: Overview and concepts; Part 2: Common requirements; Part 3: Guidelines for ICT supply chain security; Part 4: Guidelines for security of outsourcing
- ISO/IEC 27041: Guidance on assuring suitability and adequacy of investigation methods
- ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043: Investigation principles and processes
- ISO/IEC 30111: Vulnerability handling processes
- ISO/IEC 30104: Physical security attacks, mitigation techniques and security requirements

Participation & More Information
Next SC 27 meetings:
- May 7-15, 2012, Stockholm, Sweden (WGs and Plenary)
- Oct 22-26, 2012, Italy (WGs)
http://www.jtc1sc27.din.de/en

SC 27 Collaboration with ITU-T
ITU-T SG17 and SC 27 collaborate on many projects in order to progress common or twin text documents and to publish common standards. These include (ISO/IEC / ITU-T: title; type; remark):
- TR 14516 / X.842: Guidelines on the use and management of Trusted Third Party services; Common; 2002
- 15816 / X.841: Security information objects (SIOs) for access control; Common; 2002
- 15945 / X.843: Specification of TTP services to support the application of digital signatures; Common; 2002
- 18028-2 / X.805: IT network security, Part 2: Network security architecture; Twin; 2006 (ISO/IEC) / 2003 (ITU-T)
- 27011 / X.1051: Information security management guidelines for telecommunications organizations based on ISO/IEC 27002; Common; 2008
- 27014 / X.1054: Governance of information security; Common; DIS
- 29115 / X.1254: Entity authentication assurance framework; Common; DIS
- tbs / X.bhsm: Telebiometric authentication framework using biometric hardware security module; Common; NWIP

Example for Common Text Standard
ISO/IEC 27011:2008 = ITU-T Recommendation X.1051: Information technology, Security techniques, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

Guide for ITU-T and ISO/IEC JTC 1 Cooperation
- ISO/IEC JTC 1 Standing Document 3
- Annex A to Recommendation ITU-T A.23

Modes of Collaboration
Specific to collaboration of JTC 1 and ITU-T:
- Desire: produce common or twin (technically aligned) texts
- JTC 1 and ITU-T keep their own processes; approvals are synchronized
Two options for collaboration:
- Interchange mode is used when the work is straightforward, non-controversial, and with sufficient common participation in the meetings of the two organizations
- For more complex situations a joint Collaborative Team may work better

Useful References
- Guide for ITU-T and ISO/IEC JTC 1 Cooperation: http://www.itu.int/rec/t-rec-a.23-201002-i!anna
- A List of common text and technically aligned Recommendations / International Standards: http://www.itu.int/oth/t0a0d000011/en
- Mapping between ISO/IEC International Standards and ITU-T Recommendations: http://www.itu.int/oth/t0a0d000012/en
- Relationships of SG 17 Questions with JTC 1 SCs, categorized as joint work (collaboration) (level 1), technical cooperation via liaison (level 2), informational liaison (level 3): http://www.itu.int/en/itu-T/studygroups/com17/Pages/relationships.aspx

ISO/IEC JTC 1 Information Technology: Security Related Sub-committees
- SC 6 Telecommunications and information exchange between systems
- SC 7 Software and systems engineering
- SC 17 Cards and personal identification
- SC 25 Interconnection of information technology equipment
- SC 27 IT Security techniques
- SC 29 Coding of audio, picture, multimedia and hypermedia information
- SC 31 Automatic identification and data capture techniques
- SC 32 Data management and interchange
- SC 36 Information technology for learning, education and training
- SC 37 Biometrics
- SC 38 Distributed application platforms and services (DAPS)

Relationships of SG 17 Questions with JTC 1 SCs (I)
(Question: title; related ISO/IEC committee and collaboration level)
- Q.1/WP1: Telecommunications systems security project; JTC 1/SC 27 (2&3)
- Q.2/WP1: Security architecture and framework; JTC 1/SC 27 (1&2)
- Q.3/WP1: Telecommunication information security management; JTC 1/SC 27 (1&2)
- Q.4/WP1: Cybersecurity; JTC 1/SC 27 (2), ISO TC 215 (3)
- Q.5/WP1: Countering spam by technical means; JTC 1/SC 27 (2)
- Q.6/WP2: Security aspects of ubiquitous telecommunication services; JTC 1/SC 6 (1&2), JTC 1/SC 25 (2), JTC 1/SC 27 (2), JTC 1/SC 31 (3)
- Q.7/WP2: Secure application services; JTC 1/SC 6 (2), JTC 1/SC 25 (2), JTC 1/SC 27 (2), JTC 1/SC 31 (3)
- Q.8/WP2: Service oriented architecture security; JTC 1/SC 38 (3)
- Q.9/WP2: Telebiometrics; JTC 1/SC 17 (3), JTC 1/SC 27 (2), JTC 1/SC 37 (1&2), ISO TC 12 (2), IEC TC 25 (2)

Relationships of SG 17 Questions with JTC 1 SCs (II)
(Question: title; related ISO/IEC committee and collaboration level)
- Q.10/WP3: Identity management architecture and mechanisms; JTC 1/SC 27 (1&2)
- Q.11/WP3: Directory services, Directory systems, and public-key/attribute certificates; JTC 1/SC 6 (1), JTC 1/SC 27 (3), JTC 1/SC 31 (3)
- Q.12/WP3: Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration; JTC 1/SC 6 (1), JTC 1/SC 27 (2), JTC 1/SC 31 (2), JTC 1/SC 37 (2), JTC 1/SC 38 (3), ISO TC 215 (2), IEC TC 3 (2)
- Q.13/WP3: Formal languages and telecommunication software; JTC 1/SC 7 (1), JTC 1/SC 22 (1&3)
- Q.14/WP3: Testing languages, methodologies and framework; JTC 1/SC 7 (3)
- Q.15/WP3: Open Systems Interconnection (OSI); JTC 1/SC 6 (1)

Further Examples for ISO-ITU Collaboration on Security Standardization
(ISO/IEC / ITU-T: title; type; JTC 1 SC; remark)
- 7498-2 / X.800: Open Systems Interconnection, Basic Reference Model, Part 2: Security Architecture; Twin; SC 21; 1989 / 1991
- TR 13594 / X.802: Open Systems Interconnection, Lower layers security model; Common; SC 6; 1995
- 10745 / X.803: Open Systems Interconnection, Upper layers security model; Common; SC 21; 1995
- ...
- 24708 / X.1083: Biometrics, BioAPI interworking protocol; Common; SC 37; 2008
- 29180 / X.1311: Security framework for the ubiquitous sensor network; Common; SC 6; 2011

Conclusion
- SG 17 is the ITU-T lead study group on security
- SC 27 is responsible for generic IT Security techniques
- Almost every security Question in ITU-T has some relation with the work programme of SC 27
- ISO-ITU cooperation on security standardization affects many JTC 1 SCs
- Additional new work items where cooperation/collaboration is needed are continually being identified

Thank You!
Walter.Fumy@bdr.de