International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Cyber Security Standardization
Walter Fumy, VP Security Technology, Siemens AG
Chairman ISO/IEC JTC 1/SC 27 "IT Security Techniques"
Walter.Fumy@siemens.com - 24-Sep-04 - page 2
ITU-T
Common Sense
© The New Yorker Collection 1993 Peter Steiner from cartoonbank.com. All rights reserved.
"On the Internet, nobody knows you're a dog."
"eBusiness (eGovernment, ...) will not evolve without appropriate security solutions."
"Secure systems are 10% about security technology and 90% about organization."
"Standards connect the world."
Security Technologies
(Diagram, source: Aberdeen Group. Four areas: Policy, Audit and Security Management; Fraud & Risk Management; Application and Commerce Security; Network Security. Entities shown: e-Business, information flow, applications, employees, data, Internet services, customers, suppliers, partners, e-mail/web services. Technologies shown: pattern matching, identification, authentication, authorization, content filtering, forensics, access controls, e-directories, audit, digital signatures, intrusion detection, VPNs, PKI, risk assessment, cryptography, firewalls, smart cards, biometrics/tokens, monitoring and reporting, RAS. Management goals shown: avoidance, compliance, reliance, privacy, assurance.)
Agenda
- Introduction
- Cyber Security Standardization: Cryptographic Mechanisms; Security Architectures & Protocols; Security Management, Awareness & Education
- Cyber Security Standardization Initiatives
- Conclusion
Cyber Security Standardization: Cryptographic Mechanisms
Cryptographic Mechanisms - Major Players
- ISO/IEC JTC 1/SC 27 "Information technology - Security techniques": standardization of generic IT security services and techniques
- ETSI SAGE (Security Experts Group): creates reports (containing confidential specifications) in the area of cryptographic algorithms and protocols specific to public/private telecommunications networks
- IEEE P1363: Standard Specifications for Public-Key Cryptography
- NIST (National Institute of Standards and Technology): issues standards and guidelines as Federal Information Processing Standards (FIPS) for use by the US government
- ANSI X9F (Data & Information Security): standards for the financial services industry
Cryptographic Techniques - SC 27 Standards
Cryptographic Protocols:
- Entity Authentication (IS 9798)
- Key Management (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
Message Authentication:
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Check Character Systems (IS 7064)
Digital Signatures:
- Signatures giving Message Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
Encryption & Modes of Operation:
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Data Encapsulation (IS 19772)
- Register of Algorithms (IS 9979)
Parameter Generation:
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
Further techniques:
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Biometric Template Protection (NP)
Lifetime of Cryptographic Algorithms
- Moore's law & steady growth of the Internet: chip complexity doubles every 18 months; Internet computing power doubles every 12 months; power of attack doubles every 12 months
- Steady loss of cryptographic strength: symmetric ciphers "lose" 1 bit of security per year; hash functions and elliptic-curve based schemes "lose" 2 bits of security per year; RSA schemes "lose" about 50 bits of security per year
- Additional algorithmic improvements, in particular for asymmetric schemes
(Chart: projected lifetime, 1990 to 2040, of DES 56, AES 128, RSA 1024, RSA 2048 and EC-DSA 160.)
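As an added illustration that is not part of the deck, the slide's loss rates turned into a small linear erosion model in Python: it projects the year each scheme on the chart drops below a planning floor and, read the other way, the length to deploy now to keep a floor until a target year. The 2004 reference year, the per-family units and the floor values are assumptions made here.

```python
"""Linear key-length erosion model built from the slide's loss rates.

Added illustration, not part of the original deck. Assumptions that are
not on the slide: erosion is counted from 2004 (the year of the talk),
each family is tracked in its own key-length units (symmetric key bits,
hash/EC bits, RSA modulus bits), and the planning floors are example
values chosen here.
"""
from dataclasses import dataclass

REFERENCE_YEAR = 2004  # assumption: year of the presentation

# Loss per year in each family's own units, as stated on the slide.
LOSS_PER_YEAR = {
    "symmetric": 1,   # DES, AES: 1 bit of security per year
    "hash": 2,        # SHA-1, SHA-256: 2 bits per year
    "ec": 2,          # EC-DSA: 2 bits per year
    "rsa": 50,        # RSA: about 50 bits of modulus per year
}


@dataclass(frozen=True)
class Scheme:
    name: str
    family: str      # key into LOSS_PER_YEAR
    key_bits: int    # key, hash or modulus length as deployed
    introduced: int  # year from which erosion is counted


def effective_bits(scheme: Scheme, year: int) -> int:
    """Remaining effective length of `scheme` in `year` under the linear model."""
    return scheme.key_bits - LOSS_PER_YEAR[scheme.family] * (year - scheme.introduced)


def year_below(scheme: Scheme, floor: int) -> int:
    """First year in which the effective length drops strictly below `floor`.

    A scheme already below the floor when introduced returns its introduction
    year, which is the DES 56 case on the slide.
    """
    loss = LOSS_PER_YEAR[scheme.family]
    margin = scheme.key_bits - floor
    if margin < 0:
        return scheme.introduced
    # loss * years > margin  <=>  years >= margin // loss + 1
    return scheme.introduced + margin // loss + 1


def required_bits(family: str, floor: int, target_year: int,
                  from_year: int = REFERENCE_YEAR) -> int:
    """Minimum length to deploy in `from_year` so that it still meets `floor`
    in `target_year` (the design-side reading of the same model)."""
    return floor + LOSS_PER_YEAR[family] * (target_year - from_year)


# The schemes plotted on the slide's chart, each eroding from the talk's year.
SLIDE_SCHEMES = [
    Scheme("DES 56", "symmetric", 56, REFERENCE_YEAR),
    Scheme("AES 128", "symmetric", 128, REFERENCE_YEAR),
    Scheme("EC-DSA 160", "ec", 160, REFERENCE_YEAR),
    Scheme("RSA 1024", "rsa", 1024, REFERENCE_YEAR),
    Scheme("RSA 2048", "rsa", 2048, REFERENCE_YEAR),
]

# Example planning floors in each family's own units (assumed, not from the slide).
FLOORS = {"symmetric": 80, "hash": 160, "ec": 160, "rsa": 1024}


def lifetime_table(schemes=None, floors=None) -> dict:
    """Map each scheme name to the first year it falls below its family's floor."""
    schemes = SLIDE_SCHEMES if schemes is None else schemes
    floors = FLOORS if floors is None else floors
    return {s.name: year_below(s, floors[s.family]) for s in schemes}


if __name__ == "__main__":
    for name, year in lifetime_table().items():
        print(f"{name:>10}: below floor from {year}")
    print("symmetric key needed in 2004 to keep 80 bits until 2030:",
          required_bits("symmetric", 80, 2030))
```

Under these rates RSA 2048 reaches the strength of a fresh RSA 1024 around 2025, while AES 128 keeps an 80-bit symmetric margin until the 2050s.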
Conclusion: Cryptographic Mechanisms
- Well established technology; unanticipated advances in algorithms may occur
- Major trends include: increasing block and key lengths; increasing size of hash codes; signature schemes allowing for message recovery; randomized signatures
- New generation of mechanisms: DES -> AES; RSA -> ECC (?); SHA-1 -> SHA-256/-384/-512
- Many techniques have been (or are being) standardized; in addition, techniques are approved at a national level:
  AES: FIPS 197, IS 18033-3
  DES: FIPS 46
  RSA: IS 9796, IEEE 1363
  ECC: IEEE 1363, IS 15946
Cyber Security Standardization: Security Architectures & Protocols
(Diagram: Internet / IPSec gateway between an untrusted network and a trusted network.)
Security Protocols & Services - Major Players
- IETF (Internet Engineering Task Force): IP Security Protocol, Transport Layer Security, Public-Key Infrastructure (X.509), S/MIME Mail Security
- ITU-T (International Telecommunication Union): X.509 (Public-key certificates), H.235 (Security and encryption for H-Series multimedia terminals), X.841, X.842, X.843
- ETSI: GSM, 3GPP, TETRA, TIPHON, SPAN, TISPAN
- IEEE 802.11 Wireless LANs: 802.11i, 802.1X
Internet Security Protocols
- Security services provided by security protocols depend on the layer of integration
- Security protocols can only protect the payload and/or header information available at this layer; header information of lower layers is not protected
(Diagram of the protocol stack and its security protocols: Electronic Commerce Layer (SET, Ecash); application-layer security: S/MIME, PEM, PGP, H.235; Transport Layer Security (SSH, SSL, TLS) over Transmission Control Protocol (TCP); Datagram Security (WTLS) over User Datagram Protocol (UDP); IP: IPSec (Internet Protocol Security); Infrastructure: Public-Key Infrastructure (PKIX).)
Conclusion: Security Architectures & Protocols
- IPSec and TLS are well-established security protocols; transition from DES to AES (at moderate speed)
- WEP is a weak security protocol: confidentiality, data integrity & access control are not preserved when using WEP; VPN and other solutions can be used on top of WEP; 802.11i (RSN) overcomes the vulnerabilities of WEP; WPA serves as intermediate solution
- Definition of an NGN security architecture is at the beginning (ETSI TISPAN)
- Trend from security as an add-on to integrated security solutions
Cyber Security Standardization: Security Management, Awareness & Education
Information Security Management System: Key Principles
(Diagram: People, Processes and Technology arranged around the Corporate Information Security Policy, Information Security Management and Information Security Risks; supporting elements: Education & Awareness; Policies, Standards, Framework; Existing Processes; Technical Controls.)
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act)
(Diagram, built on the key principles of the previous slide: a Management System Framework of policies, standards & procedures for managing & protecting people, business processes & applications, procedures, information, communications and networks; ISMS Operational Management; ISMS Processes: Audit & Review, Business Continuity Mgmt, Change Management, Education & Awareness, Incident Management, Monitoring & Reporting, Risk Analysis & Risk Mgmt, Security Operations Mgmt. Events (security incidents, suspected weaknesses, malfunctions) together with audit observations, testing findings and spot check findings feed recording and analysis, which feeds review and update of the ISMS, report(s) into forum(s), 'evidential' documentation, and Review & Audit.)
Hierarchical Security Management Model (SC 27 View)
- Principles: Information Security Management Principles
- Terminology: SC 27 SD 6 (updated and harmonized); ISO Guide 73
- Overall Guide: Information Security Management Framework
- Element Standards: Code of Practice for ISM (IS 17799, ITU-T X.); Information Security Management System (NP); ISM Metrics & Measurements (NP); MICTS-1 Models and concepts; MICTS-2 Risk management; ISO 19011 Auditing
- Toolbox of Techniques: IT Network Security (IS 18028, ITU-T X.); IT Intrusion Detection Framework (TR 15947); Information Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516, ITU-T X.842)
- Application Guides and Supplements: Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68)
ISO/IEC 17799 Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
- Based on BS 7799-1; 2nd edition expected for 2005
- ISO 17799 Control Areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security (scores on a 0-100 scale; rating per control area)

 1 Information security policy                          Middle  54
   1.1 Documentation of the security policy                     54
 2 Security organization                                Middle  61
   2.1 Information security infrastructure                      56
   2.2 Security of third party access                           69
   2.3 Outsourcing                                              83
 3 Asset classification and control                     Low     45
   3.1 Accountability for assets                                73
   3.2 Information classification                               14
 4 Personnel security                                   Middle  54
   4.1 Security in job definition and resourcing                62
   4.2 User training                                            30
   4.3 Responding to security incidents and malfunctions        63
 5 Physical and environmental security                  High    78
   5.1 Secure areas                                             85
   5.2 Equipment site security                                  77
   5.3 General controls                                         47
 6 Communications and operations management             High    76
   6.1 Operational procedures and responsibilities              78
   6.2 System planning and acceptance                           87
   6.3 Protection against malicious software                    82
   6.4 Housekeeping                                             80
   6.5 Network management                                       81
   6.6 Media handling and security                              56
   6.7 Exchange of information and software                     50
 7 Access control                                       Middle  70
   7.1 Business requirements for access control                 60
   7.2 User access management                                   78
   7.3 User responsibilities                                    65
   7.4 Network access control                                   74
   7.5 Operating system access control                          64
   7.6 Application access control                               80
   7.7 Monitoring system access and use                         73
   7.8 Mobile computing and teleworking                         60
 8 System development and maintenance                   Middle  71
   8.1 Security requirements of systems                         75
   8.2 Security in application systems                          65
   8.3 Cryptographic controls                                   48
   8.4 Security of system files                                 95
   8.5 Security in development and support processes            81
 9 Business Continuity Management                       Middle  56
   9.1 Aspects of business continuity                           56
10 Compliance                                           Middle  57
   10.1 Compliance with legal requirements                      63
   10.2 Review of security policy and technical compliance      47
   10.3 System audit consideration                              50

Average InfoSec Status: 66
(Bar chart, scale 0 to 100, per area: Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance.)
Standards - Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA - National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards: NSTISSI-4011 - INFOSEC Professionals; NSTISSI-4012 - Designated Approving Authority; NSTISSI-4013 - System Administrators in Information Systems Security; NSTISSI-4014 - Information Systems Security Officers (ISSO); NSTISSI-4015 - System Certifiers
- www.nsa.gov
Standards - Awareness, Training & Education
- NIST - National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
- SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"; SP 800-50 "Building an IT Security Awareness and Training Program"
- http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard:
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems - Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827); procedural guidelines (e.g. TR 18044); catalogues of controls (e.g. IS 17799)
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for the Electricity Sector
- Developed by the North American Electric Reliability Council (NERC): the NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated an "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard
- NERC Urgent Action Standard 1200 Cyber Security: approved June 2003, in effect for one year with possible one-year extension
- NERC Board of Trustees approved a one-year extension, effective August 13, 2004
- To be replaced with a permanent standard via the ANSI Standard Authorization process; compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003
- Facilitate the development and enhancement of homeland security standards; serve as private/public sector forum for standards issues that cut across sectors
- Co-chairs provided by industry and government; a forum for information sharing on HS standards issues; does not itself develop standards
- http://www.ansi.org/hssp
ISO Technical Management Board: Advisory Group on Security
The ISO/TMB Advisory Group will
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of private sector emergency preparedness and business continuity; identification techniques, including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA - European Network & Information Security Agency
- Objectives: to facilitate the application of European Community measures relating to network and information security; to help ensure the interoperability of security functions in networks and information systems; to enhance the capability of the Community and the Member States to respond to network and information security problems
- Established in March 2004; situated on a Greek island
- www.enisa.eu.int
- Conference on Network & Information Security "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from."
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations is needed
Annex: ISO/IEC JTC 1/SC 27 IT Security Techniques
SC 27 - "IT Security Techniques"
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products
Organization of ISO/IEC JTC 1/SC 27 Information technology - Security techniques:
- Chair: Mr W. Fumy; Vice-Chair: Ms M. De Soete
- SC 27 Secretariat: DIN, Ms K. Passia
- Working Group 1 Requirements, services, guidelines; Convener: Mr T. Humphreys
- Working Group 2 Security techniques and mechanisms; Convener: Mr K. Naemura
- Working Group 3 Security evaluation criteria; Convener: Mr M. Ohlin
Membership of SC 27
- Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
- P-members of SC 27 (total 31): South Africa, Kenya, Brazil, Canada, USA, Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore, Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
- Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
- O-members of SC 27 (total 11): Argentina, Indonesia, Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
(The slide marks the new SC 27 members; the marker did not survive extraction.)
Security Guidelines - SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
- IT Network Security (IS 18028, ITU-T X.)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Operation & Management of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799, ITU-T X.)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Security Evaluation - SC 27 Standards
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
- Security Assessment of Operational Systems (TR 19791)
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Security Requirements for Cryptographic Modules (TR 19790)
- Protection Profile Registration Procedures (IS 15292)
- Framework for IT Security Assurance (TR 15443)
- Systems Security Engineering - Capability Maturity Model (IS 21827)
- Methodology for IT Security Evaluation (IS 18045)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
New Projects
- IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules; TR 19791 Security assessment of operational systems; IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28.9. - 30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
- NP Ballots: Information Security Management System (ISMS); Information security management metrics and measurements; Biometric template protection; ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
- PAS Ballot: DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
(Diagram: SC 27 work areas Security Guidelines, Security Techniques, Security Evaluation, Secure Communications & Security Infrastructure and Secure Applications, linked to the collaboration partners SC 37, SC 17, TC 68, CCDB and ITU-T Q.10/SG 17.)
SC 27 Collaboration: ITU-T SG 17, Q.10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS); within SG 17 the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X.)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X.)
Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR)
- More Information & Contact: SC 27 web page (scope, organization, work items etc.): http://www.ni.din.de/sc27; Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html; SC 27 Secretariat: Krystyna.Passia@din.de; SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
WalterFumysiemenscom - 24-Sep-04 - page 2
ITU-T
Common Sense
copy T
he N
ew Y
orke
r Col
lect
ion
1993
Pet
er S
tein
er fr
om c
arto
onlin
kco
m A
ll ri
ghts
rese
rved
ldquoOn the Internet nobody knows yoursquore a dogrdquo
ldquoeBusiness (eGovernment ) will not evolve without appropriate security solutionsrdquo
ldquoSecure systems are 10 about security technology and 90 about organizationrdquo
ldquoStandards connect the worldrdquo
WalterFumysiemenscom - 24-Sep-04 - page 3
ITU-T
Security Technologies
Policy Auditand SecurityManagement
Fraud amp Risk Management
Application and Commerce
Security
Network Security
ee--BusinessBusiness
Information Information flowflow
Pattern matching
Identification
Authentication
AuthorizationContent filtering
Applications
forensics
access controls
Employees
Data
e-directories
Audit
digital signatures
AvoidanceCompliance
Reliance
Privacy
Assurance
Internet services Customers
Suppliers
e-Mailweb services
intrusion detection
VPNs
PKI
risk assessment
cryptography
firewalls
smart cards
biometricstokens
monitoring and reporting
Partners
RAS
Source AberdeenGroup
WalterFumysiemenscom - 24-Sep-04 - page 4
ITU-T
Agenda
Introduction
Cyber Security StandardizationCryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
Cyber Security Standardization Initiatives
Conclusion
WalterFumysiemenscom - 24-Sep-04 - page 5
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 6
ITU-T
Cryptographic Mechanisms ndashMajor Players
ISOIEC JTC 1SC 27 Information technology -Security techniques
standardization of generic IT security services and techniques
ETSI SAGE Security Experts Group creates reports (containing confidential specifications) in the area of cryptographic algorithms and protocols specific to publicprivate telecommunications networks
IEEE P1363 Standard Specifications for Public-Key Cryptography
NIST National Institute of Standards and Technologyissues standards and guidelines as Federal Information Processing Standards (FIPS) for use by the US government
ANSI X9F Data amp Information Securitystandards for the financial services industry
WalterFumysiemenscom - 24-Sep-04 - page 7
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiatio
n(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 8
ITU-T
Lifetime of Cryptographic Algorithms
Moorersquos law amp steady growth of the Internet
Chip complexity doubles every 18 monthsInternet computing power doubles every 12 monthsPower of attack doubles every 12 months
Steady loss of cryptographic strength
Symmetric ciphers bdquoloseldquo 1 bit of security per yearHash functions and Elliptic Curve based schemes bdquoloseldquo 2 bits of security per yearRSA schemes bdquoloseldquo about 50 bits of security per year
Additional algorithmic improvementsin particular for asymmetric schemes
-20
-10
0
10
20
30
40
50
60
70
80
1990 2000 2010 2020 2030 2040
DES 56 AES 128 RSA 1024RSA 2048 EC-DSA 160
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis

Page 17: Hierarchical Security Management Model (SC 27 View)
Layers: Principles, Terminology, Overall Guide, Element Standards, Application Guides and Supplements, Toolbox of Techniques
- Principles: Information Security Management Principles
- Terminology: SC 27 SD 6 (updated and harmonized), ISO Guide 73
- Overall Guide: Information Security Mgt Framework; MICTS-1 Models and concepts; MICTS-2 Risk management
- Element Standards: Information Security Mgt System (NP); ISM Metrics & Measurements (NP); Code of Practice for ISM (IS 17799 | ITU-T X); IT Network Security (IS 18028 | ITU-T X); IT Intrusion Detection Framework (TR 15947); Info Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516 | ITU-T X.842)
- Application Guides and Supplements: Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68); ISO 19011 Auditing

Page 18: ISO/IEC 17799 Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets, etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
- based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas:
- Security Policy
- Security Organization
- Asset Control & Classification
- Personnel Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Systems Development & Maintenance
- Business Continuity Management
- Compliance

Page 19: Example Scorecard - GAP Analysis IT Security
Scores are on a 0-100 scale; each control area carries a rating (Low / Middle / High) and a score, followed by its controls.
1 Information security policy: Middle, 54
  1.1 Documentation of the security policy: 54
2 Security organization: Middle, 61
  2.1 Information security infrastructure: 56
  2.2 Security of third party access: 69
  2.3 Outsourcing: 83
3 Asset classification and control: Low, 45
  3.1 Accountability for assets: 73
  3.2 Information classification: 14
4 Personnel security: Middle, 54
  4.1 Security in job definition and resourcing: 62
  4.2 User training: 30
  4.3 Responding to security incidents and malfunctions: 63
5 Physical and environmental security: High, 78
  5.1 Secure areas: 85
  5.2 Equipment site security: 77
  5.3 General controls: 47
6 Communications and operations management: High, 76
  6.1 Operational procedures and responsibilities: 78
  6.2 System planning and acceptance: 87
  6.3 Protection against malicious software: 82
  6.4 Housekeeping: 80
  6.5 Network management: 81
  6.6 Media handling and security: 56
  6.7 Exchange of information and software: 50
7 Access control: Middle, 70
  7.1 Business requirements for access control: 60
  7.2 User access management: 78
  7.3 User responsibilities: 65
  7.4 Network access control: 74
  7.5 Operating system access control: 64
  7.6 Application access control: 80
  7.7 Monitoring system access and use: 73
  7.8 Mobile computing and teleworking: 60
8 System development and maintenance: Middle, 71
  8.1 Security requirements of systems: 75
  8.2 Security in application systems: 65
  8.3 Cryptographic controls: 48
  8.4 Security of system files: 95
  8.5 Security in development and support processes: 81
9 Business Continuity Management: Middle, 56
  9.1 Aspects of business continuity: 56
10 Compliance: Middle, 57
  10.1 Compliance with legal requirements: 63
  10.2 Review of security policy and technical compliance: 47
  10.3 System audit consideration: 50
Average InfoSec Status: 66
Bar chart (scale 0 to 100) of the area scores: Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance.

Page 20: Standards - Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA - National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards:
  - NSTISSI-4011 - INFOSEC Professionals
  - NSTISSI-4012 - Designated Approving Authority
  - NSTISSI-4013 - System Administrators in Information Systems Security
  - NSTISSI-4014 - Information Systems Security Officers (ISSO)
  - NSTISSI-4015 - System Certifiers
- www.nsa.gov

Page 21: Standards - Awareness, Training & Education
- NIST - National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
  - SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  - SP 800-50 "Building an IT Security Awareness and Training Program"
- http://csrc.nist.gov

Page 22: Conclusion - Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems - Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827), procedural guidelines (e.g. TR 18044), catalogues of controls (e.g. IS 17799)

Page 23: Cyber Security Standardization Initiatives

Page 24: Example: Cyber Security Standard for Electricity Sector
- developed by North American Electric Reliability Council (NERC)
- NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard
- NERC Urgent Action Standard 1200, Cyber Security
  - approved June 2003; in effect for one year, with possible one-year extension
  - NERC Board of Trustees approved one-year extension effective August 13, 2004
  - to be replaced with permanent standard via ANSI Standard Authorization process
  - compliance with this standard will be evaluated in the first quarter of 2005

Page 25: ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003
- Facilitate the development and enhancement of homeland security standards
- Serve as private/public sector forum for standards issues that cut cross-sector
- Co-chairs provided by industry and government
- A forum for information sharing on HS standards issues
- Does not itself develop standards
- http://www.ansi.org/hssp

Page 26: ISO Technical Management Board - Advisory Group on Security
The ISO/TMB Advisory Group will
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of: private sector emergency preparedness and business continuity; identification techniques, including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004

Page 27: ENISA - European Network & Information Security Agency
- Objectives:
  - to facilitate the application of European Community measures relating to network and information security
  - to help ensure the interoperability of security functions in networks and information systems
  - to enhance the capability of the Community and the Member States to respond to network and information security problems
- established in March 2004; situated on Greek island
- www.enisa.eu.int
- Conference on Network & Information Security: "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27-28 October 2004

Page 28: Conclusion
"The good thing about standards is there are so many to choose from"
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations needed

Annex: ISO/IEC JTC 1/SC 27 "IT Security Techniques"

Page 30: SC 27 - "IT Security Techniques"
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products
Organization chart:
- ISO/IEC JTC 1/SC 27 Information technology - Security techniques: Chair Mr W. Fumy, Vice-Chair Ms M. De Soete
- SC 27 Secretariat: DIN, Ms K. Passia
- Working Group 1, Requirements, services, guidelines: Convener Mr T. Humphreys
- Working Group 2, Security techniques and mechanisms: Convener Mr K. Naemura
- Working Group 3, Security evaluation criteria: Convener Mr M. Ohlin

Page 31: Membership of SC 27
- Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
- P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
- Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
- O-members of SC 27 (total 11): Argentina, Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
- Legend: new SC 27 members (marker lost in extraction)

Page 32: Security Guidelines - SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Op. & Mgt of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799 | ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)

Page 33: Cryptographic Techniques - SC 27 Standards
Groups: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
- Message Authentication Codes (IS 9797)
- Hash Functions (IS 10118)
- Check Character Systems (IS 7064)
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Register of Algorithms (IS 9979)
- Data Encapsulation (IS 19772)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
- Biometric Template Protection (NP)

Page 34: Security Evaluation - SC 27 Standards
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Methodology for IT Security Evaluation (IS 18045)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Framework for IT Security Assurance (TR 15443)
- Security Assessment of Operational Systems (TR 19791)
- Security Requirements for Cryptographic Modules (TR 19790)
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
- Systems Security Engineering - Capability Maturity Model (IS 21827)

Page 35: New Projects
- IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28.9 - 30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)

Page 36: NP & PAS Ballots
- NP Ballots:
  - Information Security Management System (ISMS)
  - Information security management metrics and measurements
  - Biometric template protection
  - ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
- PAS Ballot:
  - DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]

Page 37: Selected Collaboration
Diagram elements: SC 27 areas Security Guidelines, Security Techniques, Security Evaluation; related areas Secure Communications & Security Infrastructure, Secure Applications; collaborating bodies SC 37, SC 17, TC 68, CCDB, ITU-T Q.10/SG 17

Page 38: SC 27 Collaboration: ITU-T SG 17 / Q.10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17 the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)

Page 39: Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards, 6 ISO/IEC Technical Reports (TR)
More Information & Contact:
- SC 27 web-page (scope, organization, work items, etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com

Any Questions?
WalterFumysiemenscom - 24-Sep-04 - page 3
ITU-T
Security Technologies
Policy Auditand SecurityManagement
Fraud amp Risk Management
Application and Commerce
Security
Network Security
ee--BusinessBusiness
Information Information flowflow
Pattern matching
Identification
Authentication
AuthorizationContent filtering
Applications
forensics
access controls
Employees
Data
e-directories
Audit
digital signatures
AvoidanceCompliance
Reliance
Privacy
Assurance
Internet services Customers
Suppliers
e-Mailweb services
intrusion detection
VPNs
PKI
risk assessment
cryptography
firewalls
smart cards
biometricstokens
monitoring and reporting
Partners
RAS
Source AberdeenGroup
WalterFumysiemenscom - 24-Sep-04 - page 4
ITU-T
Agenda
Introduction
Cyber Security StandardizationCryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
Cyber Security Standardization Initiatives
Conclusion
WalterFumysiemenscom - 24-Sep-04 - page 5
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 6
ITU-T
Cryptographic Mechanisms ndashMajor Players
ISOIEC JTC 1SC 27 Information technology -Security techniques
standardization of generic IT security services and techniques
ETSI SAGE Security Experts Group creates reports (containing confidential specifications) in the area of cryptographic algorithms and protocols specific to publicprivate telecommunications networks
IEEE P1363 Standard Specifications for Public-Key Cryptography
NIST National Institute of Standards and Technologyissues standards and guidelines as Federal Information Processing Standards (FIPS) for use by the US government
ANSI X9F Data amp Information Securitystandards for the financial services industry
WalterFumysiemenscom - 24-Sep-04 - page 7
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiatio
n(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 8
ITU-T
Lifetime of Cryptographic Algorithms
Moorersquos law amp steady growth of the Internet
Chip complexity doubles every 18 monthsInternet computing power doubles every 12 monthsPower of attack doubles every 12 months
Steady loss of cryptographic strength
Symmetric ciphers bdquoloseldquo 1 bit of security per yearHash functions and Elliptic Curve based schemes bdquoloseldquo 2 bits of security per yearRSA schemes bdquoloseldquo about 50 bits of security per year
Additional algorithmic improvementsin particular for asymmetric schemes
-20
-10
0
10
20
30
40
50
60
70
80
1990 2000 2010 2020 2030 2040
DES 56 AES 128 RSA 1024RSA 2048 EC-DSA 160
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 – “IT Security Techniques”
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products
Organization:
- ISO/IEC JTC 1/SC 27 Information technology – Security techniques: Chair Mr W. Fumy, Vice-Chair Ms M. De Soete
- SC 27 Secretariat: DIN, Ms K. Passia
- Working Group 1 (Requirements, services, guidelines): Convener Mr T. Humphreys
- Working Group 2 (Security techniques and mechanisms): Convener Mr K. Naemura
- Working Group 3 (Security evaluation criteria): Convener Mr M. Ohlin
Membership of SC 27
Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
O-members of SC 27 (total 11): Argentina, Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
(*) new SC 27 members
Security Guidelines – SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Op. & Mgt. of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799 | ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques – SC 27 Standards
Categories: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
- Entity Authentication (IS 9798)
- Key Mgt. (IS 11770)
- Encryption (IS 18033)
- Register of Algorithms (IS 9979)
- Modes of Operation (IS 10116)
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Signatures giving Msg. Recovery (IS 9796)
- Non-Repudiation (IS 13888)
- Signatures with Appendix (IS 14888)
- Check Character Systems (IS 7064)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Time Stamping Services (IS 18014)
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
- Data Encapsulation (IS 19772)
- Biometric Template Protection (NP)
Security Evaluation – SC 27 Standards
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
- Security Assessment of Operational Systems (TR 19791)
- Evaluation Criteria for IT Security (“Common Criteria”) (IS 15408)
- Security Requirements for Cryptographic Modules (TR 19790)
- Protection Profile Registration Procedures (IS 15292)
- Framework for IT Security Assurance (TR 15443)
- Systems Security Engineering – Capability Maturity Model (IS 21827)
- Methodology for IT Security Evaluation (IS 18045)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
New Projects
- IS 9798 Entity authentication mechanisms – Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management – Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28.9.–30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots:
- Information Security Management System (ISMS)
- Information security management metrics and measurements
- Biometric template protection
- ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot:
- DIS 20886 International Security, Trust and Privacy Alliance – Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration (diagram)
SC 27 areas: Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications
Collaborating bodies: SC 37, SC 17, TC 68, CCDB, ITU-T Q10/SG17
SC 27 Collaboration: ITU-T SG 17/Q10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17, the Rapporteur for Q10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards, 6 ISO/IEC Technical Reports (TR)
More Information & Contact:
- SC 27 web-page (scope, organization, work items, etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
WalterFumysiemenscom - 24-Sep-04 - page 4
ITU-T
Agenda
Introduction
Cyber Security StandardizationCryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
Cyber Security Standardization Initiatives
Conclusion
WalterFumysiemenscom - 24-Sep-04 - page 5
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 6
ITU-T
Cryptographic Mechanisms ndashMajor Players
ISOIEC JTC 1SC 27 Information technology -Security techniques
standardization of generic IT security services and techniques
ETSI SAGE Security Experts Group creates reports (containing confidential specifications) in the area of cryptographic algorithms and protocols specific to publicprivate telecommunications networks
IEEE P1363 Standard Specifications for Public-Key Cryptography
NIST National Institute of Standards and Technologyissues standards and guidelines as Federal Information Processing Standards (FIPS) for use by the US government
ANSI X9F Data amp Information Securitystandards for the financial services industry
WalterFumysiemenscom - 24-Sep-04 - page 7
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiatio
n(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 8
ITU-T
Lifetime of Cryptographic Algorithms
Moorersquos law amp steady growth of the Internet
Chip complexity doubles every 18 monthsInternet computing power doubles every 12 monthsPower of attack doubles every 12 months
Steady loss of cryptographic strength
Symmetric ciphers bdquoloseldquo 1 bit of security per yearHash functions and Elliptic Curve based schemes bdquoloseldquo 2 bits of security per yearRSA schemes bdquoloseldquo about 50 bits of security per year
Additional algorithmic improvementsin particular for asymmetric schemes
-20
-10
0
10
20
30
40
50
60
70
80
1990 2000 2010 2020 2030 2040
DES 56 AES 128 RSA 1024RSA 2048 EC-DSA 160
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 5
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 6
ITU-T
Cryptographic Mechanisms ndashMajor Players
ISOIEC JTC 1SC 27 Information technology -Security techniques
standardization of generic IT security services and techniques
ETSI SAGE Security Experts Group creates reports (containing confidential specifications) in the area of cryptographic algorithms and protocols specific to publicprivate telecommunications networks
IEEE P1363 Standard Specifications for Public-Key Cryptography
NIST National Institute of Standards and Technologyissues standards and guidelines as Federal Information Processing Standards (FIPS) for use by the US government
ANSI X9F Data amp Information Securitystandards for the financial services industry
WalterFumysiemenscom - 24-Sep-04 - page 7
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiatio
n(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 8
ITU-T
Lifetime of Cryptographic Algorithms
Moorersquos law amp steady growth of the Internet
Chip complexity doubles every 18 monthsInternet computing power doubles every 12 monthsPower of attack doubles every 12 months
Steady loss of cryptographic strength
Symmetric ciphers bdquoloseldquo 1 bit of security per yearHash functions and Elliptic Curve based schemes bdquoloseldquo 2 bits of security per yearRSA schemes bdquoloseldquo about 50 bits of security per year
Additional algorithmic improvementsin particular for asymmetric schemes
-20
-10
0
10
20
30
40
50
60
70
80
1990 2000 2010 2020 2030 2040
DES 56 AES 128 RSA 1024RSA 2048 EC-DSA 160
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
The security services a security protocol can provide depend on the layer at which it is integrated: a protocol can only protect the payload and/or header information that is visible at its own layer. Header information of lower layers is not protected (TLS, for example, protects application data but not the TCP and IP headers it rides on).
[Diagram: protocol stack with the security protocol of each layer]
  Electronic commerce layer: SET, Ecash
  Application layer: PEM, PGP, S/MIME (mail); H.235 (multimedia)
  Transport layer: SSH, SSL, TLS over TCP; datagram security (WTLS) over UDP
  Network layer: IPsec (Internet Protocol Security) on IP
  Infrastructure: Public-Key Infrastructure (PKIX)
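The layer point above is easy to see on bytes. The following added example (written for this page, not taken from the deck or from any protocol implementation) builds a toy packet as IP header, TCP header and payload, computes an integrity tag over the bytes that TLS, IPsec ESP transport mode and ESP tunnel mode each cover, and then checks which tampered fields go unnoticed. The packet layout, header offsets, key and coverage rules are simplifications assumed for the example; real TLS also authenticates its record header, and ESP authenticates its own header and trailer as well.

```python
"""What a security protocol at a given layer can and cannot protect.

Added example, not from the original deck.  A toy packet is built as
IP header || TCP header || application payload, and the integrity tag
of each protocol is computed over the bytes that protocol covers.
Modifying bytes outside that range is undetectable by the protocol.
The packet layout, offsets, key and coverage rules are constructed
simplifications for this example.
"""
import hashlib
import hmac

KEY = b"example-integrity-key"  # constructed sample key
IP_LEN, TCP_LEN = 20, 20        # header sizes in the toy layout

# Byte ranges of [IP | TCP | payload] that each protocol's integrity
# protection covers (simplified):
#  - TLS authenticates application data only
#  - ESP transport mode authenticates the TCP header and payload
#  - ESP tunnel mode authenticates the whole inner packet, including its
#    IP header; only the newly added outer IP header is unprotected
COVERAGE = {
    "tls": lambda pkt: pkt[IP_LEN + TCP_LEN:],
    "ipsec_esp_transport": lambda pkt: pkt[IP_LEN:],
    "ipsec_esp_tunnel": lambda pkt: pkt,
}

# Offsets used by the demo: IP TTL, TCP destination port, first payload byte
TTL, DST_PORT, PAYLOAD = 8, IP_LEN + 2, IP_LEN + TCP_LEN


def build_packet(ttl: int, dst_port: int, payload: bytes) -> bytes:
    """Toy packet: IP header (TTL at byte 8), TCP header (dst port at bytes 2-3)."""
    ip = bytearray(IP_LEN)
    ip[8] = ttl
    tcp = bytearray(TCP_LEN)
    tcp[2:4] = dst_port.to_bytes(2, "big")
    return bytes(ip) + bytes(tcp) + payload


def tag(protocol: str, pkt: bytes) -> bytes:
    """Integrity tag over the bytes the protocol covers."""
    return hmac.new(KEY, COVERAGE[protocol](pkt), hashlib.sha256).digest()


def verify(protocol: str, pkt: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(protocol, pkt), t)


def flip_byte(pkt: bytes, index: int) -> bytes:
    b = bytearray(pkt)
    b[index] ^= 0xFF
    return bytes(b)


def tamper_detected(protocol: str, index: int) -> bool:
    """True if modifying byte `index` of a tagged packet is caught."""
    pkt = build_packet(64, 443, b"GET / HTTP/1.1\r\n")
    t = tag(protocol, pkt)
    return not verify(protocol, flip_byte(pkt, index), t)


if __name__ == "__main__":
    for proto in COVERAGE:
        print(proto, {
            "ip.ttl": tamper_detected(proto, TTL),
            "tcp.dport": tamper_detected(proto, DST_PORT),
            "payload": tamper_detected(proto, PAYLOAD),
        })
```

Running it shows TLS catching only payload changes, ESP transport mode catching TCP header and payload changes but not IP header changes, and tunnel mode catching all three on the inner packet, which is exactly the "lower-layer headers are not protected" statement of the slide.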
Conclusion: Security Architectures & Protocols
IPsec and TLS are well-established security protocols; the transition from DES to AES is under way (at moderate speed)
WEP is a weak security protocol
  confidentiality, data integrity and access control are not preserved when using WEP
  a VPN and other solutions can be used on top of WEP
  802.11i (RSN) overcomes the vulnerabilities of WEP; WPA serves as an intermediate solution
Definition of an NGN security architecture is at the beginning (ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
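The slide states the WEP result without the mechanism. The following added example (not from the deck) demonstrates the integrity failure using the well-known linearity of WEP's CRC-32 integrity check value under the RC4 keystream, and places it beside a keyed MAC, the kind of protection 802.11i provides. The RC4 routine, the 40-bit key, the IV and the frame contents are constructed for this example, and the hardened variant is an illustration, not the 802.11i CCMP construction.

```python
"""Why WEP's CRC-32 ICV does not provide data integrity.

Added example, not from the original deck.  CRC-32 is affine, so for
equal-length inputs crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0), and a
stream cipher XORs the keystream onto plaintext || ICV.  An attacker can
therefore flip plaintext bits through the ciphertext and patch the
encrypted ICV without knowing the key.  A keyed MAC over the ciphertext
rejects the same modification.  Key, IV and frames are constructed.
"""
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); only here to model WEP's stream cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- WEP-style frame: IV || RC4(IV || key)(plaintext || CRC-32) ------------
def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + crc32(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext if the ICV checks out, else None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    return pt if icv == crc32(pt) else None


def bitflip_wep(frame: bytes, delta: bytes) -> bytes:
    """Attacker side, no key needed: XOR `delta` into the plaintext through
    the ciphertext and fix the encrypted ICV using CRC-32 linearity."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    icv_delta = xor(crc32(delta), crc32(bytes(n)))
    return iv + xor(ct, delta + icv_delta)


# --- Hardened variant: keyed MAC over IV || ciphertext instead of a CRC ----
def mac_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ct = xor(plaintext, rc4_keystream(iv + key, len(plaintext)))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def mac_decrypt(key: bytes, frame: bytes):
    iv, ct, t = frame[:3], frame[3:-32], frame[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), t):
        return None
    return xor(ct, rc4_keystream(iv + key, len(ct)))


def bitflip_mac(frame: bytes, delta: bytes) -> bytes:
    iv, ct, t = frame[:3], frame[3:-32], frame[-32:]
    return iv + xor(ct, delta) + t


KEY = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
IV = b"\xaa\xbb\xcc"           # constructed 24-bit IV
MSG = b"transfer 100 to account 4711"
DELTA = xor(MSG, b"transfer 900 to account 4711")  # flips the amount


def demo():
    """(what the WEP receiver accepts, what the MAC receiver accepts)."""
    forged = bitflip_wep(wep_encrypt(KEY, IV, MSG), DELTA)
    hardened = bitflip_mac(mac_encrypt(KEY, IV, MSG), DELTA)
    return wep_decrypt(KEY, forged), mac_decrypt(KEY, hardened)


if __name__ == "__main__":
    print(demo())
```

The WEP receiver accepts the altered amount with a valid ICV, the MAC receiver rejects the frame. The same linearity is also why WEP gives no access control: an attacker who knows one keystream segment can inject arbitrary valid frames without the key.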
Cyber Security Standardization: Cryptographic Mechanisms / Security Architectures & Protocols / Security Management, Awareness & Education
Information Security Management System - Key Principles
[Diagram: the corporate information security policy, information security management and information security risks at the centre of three dimensions: People (education & awareness), Processes (policies, standards, framework; existing processes) and Technology (technical controls)]
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act)
[Diagram: management system framework built around the key principles above (People, Processes, Technology; corporate information security policy; information security management; information security risks; education & awareness; policies, standards, framework; existing processes; technical controls)]
Policies, standards & procedures for managing & protecting people, business processes & applications, procedures, information, communications, networks
ISMS processes (ISMS operational management): Audit & Review; Business Continuity Mgmt; Change Management; Education & Awareness; Incident Management; Monitoring & Reporting; Risk Analysis & Risk Mgmt; Security Operations Mgmt
Inputs: events (security incidents, suspected weaknesses, malfunctions); audit observations, testing findings, spot check findings
Recording and analysis -> review and update ISMS -> report(s) into forum(s), 'evidential' documentation, review & audit
Hierarchical Security Management Model (SC 27 View)
Principles: Information Security Management Principles
Terminology: SC 27 SD 6, updated and harmonized with ISO Guide 73
Overall guide: Information Security Mgt Framework; MICTS-1 Models and concepts; MICTS-2 Risk management
Element standards: Information Security Mgt System (NP); ISM Metrics & Measurements (NP); Code of Practice for ISM (IS 17799, ITU-T X); IT Network Security (IS 18028, ITU-T X); IT Intrusion Detection Framework (TR 15947); Info Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516, ITU-T X.842)
Application guides and supplements: Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68); ISO 19011 Auditing
Toolbox of techniques
ISO/IEC 17799 Code of practice for information security management (2000)
Guide for managing risk and for developing a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal aspects, 3rd party services, compliance, contractual obligations, physical assets etc.
Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
Based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 control areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security
(score per ISO 17799 control area and control on a 0-100 scale; area rating Low / Middle / High)
1 Information security policy - Middle, 54
  1.1 Documentation of the security policy: 54
2 Security organization - Middle, 61
  2.1 Information security infrastructure: 56
  2.2 Security of third party access: 69
  2.3 Outsourcing: 83
3 Asset classification and control - Low, 45
  3.1 Accountability for assets: 73
  3.2 Information classification: 14
4 Personnel security - Middle, 54
  4.1 Security in job definition and resourcing: 62
  4.2 User training: 30
  4.3 Responding to security incidents and malfunctions: 63
5 Physical and environmental security - High, 78
  5.1 Secure areas: 85
  5.2 Equipment site security: 77
  5.3 General controls: 47
6 Communications and operations management - High, 76
  6.1 Operational procedures and responsibilities: 78
  6.2 System planning and acceptance: 87
  6.3 Protection against malicious software: 82
  6.4 Housekeeping: 80
  6.5 Network management: 81
  6.6 Media handling and security: 56
  6.7 Exchange of information and software: 50
7 Access control - Middle, 70
  7.1 Business requirements for access control: 60
  7.2 User access management: 78
  7.3 User responsibilities: 65
  7.4 Network access control: 74
  7.5 Operating system access control: 64
  7.6 Application access control: 80
  7.7 Monitoring system access and use: 73
  7.8 Mobile computing and teleworking: 60
8 System development and maintenance - Middle, 71
  8.1 Security requirements of systems: 75
  8.2 Security in application systems: 65
  8.3 Cryptographic controls: 48
  8.4 Security of system files: 95
  8.5 Security in development and support processes: 81
9 Business continuity management - Middle, 56
  9.1 Aspects of business continuity: 56
10 Compliance - Middle, 57
  10.1 Compliance with legal requirements: 63
  10.2 Review of security policy and technical compliance: 47
  10.3 System audit consideration: 50
Average InfoSec Status: 66
[Bar chart: scores 0-100 for Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance]
Standards - Awareness, Training & Education
National Colloquium for Information Systems Security Education (NCISSE): created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training & education standards:
  NSTISSI-4011 - INFOSEC Professionals
  NSTISSI-4012 - Designated Approving Authority
  NSTISSI-4013 - System Administrators in Information Systems Security
  NSTISSI-4014 - Information Systems Security Officers (ISSO)
  NSTISSI-4015 - System Certifiers
www.nsa.gov
Standards - Awareness, Training & Education
NIST - National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
  SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  SP 800-50 "Building an IT Security Awareness and Training Program"
http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
Today there is no internationally recognized Information Security Management System (ISMS) standard
  there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems - Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827), procedural guidelines (e.g. TR 18044), catalogues of controls (e.g. IS 17799)
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for the Electricity Sector
Developed by the North American Electric Reliability Council (NERC): the NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated an "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard, NERC Urgent Action Standard 1200, Cyber Security
  approved June 2003, in effect for one year with a possible one-year extension
  NERC Board of Trustees approved a one-year extension effective August 13, 2004
  to be replaced with a permanent standard via the ANSI standard authorization process; compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003, to facilitate the development and enhancement of homeland security standards and to serve as a private/public sector forum for standards issues that cut across sectors
Co-chairs provided by industry and government; a forum for information sharing on HS standards issues; does not itself develop standards
http://www.ansi.org/hssp
ISO Technical Management Board - Advisory Group on Security
The ISO/TMB Advisory Group will
  conduct a review of existing ISO deliverables related to the field of security, including the subjects of private sector emergency preparedness and business continuity, identification techniques including biometrics, emergency communications, risk assessment, and cyber security
  assess the needs of all relevant stakeholders for international security standards
  assess relevant standards developed by other organizations
  recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
  submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA - European Network & Information Security Agency
Objectives: to facilitate the application of European Community measures relating to network and information security; to help ensure the interoperability of security functions in networks and information systems; to enhance the capability of the Community and the Member States to respond to network and information security problems
Established in March 2004, situated on a Greek island
www.enisa.eu.int
Conference on Network & Information Security "e-Security in Europe: Today's status and the next step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from"
A substantial number of cyber security standards is available or currently under development
There are initiatives at both national and international levels to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations is needed
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Annex: ISO/IEC JTC 1/SC 27 "IT Security Techniques"
SC 27 - "IT Security Techniques"
Standardization of generic IT security services and techniques, including
  identification of generic requirements for IT system security services
  development of security techniques and mechanisms (cryptographic and non-cryptographic)
  development of security guidelines
  development of management support documentation and standards
  development of criteria for IT security evaluation and certification of IT systems, components and products
ISO/IEC JTC 1/SC 27 Information technology - Security techniques: Chair Mr W. Fumy; Vice-Chair Ms M. De Soete
SC 27 Secretariat: DIN, Ms K. Passia
Working Group 1 - Requirements, services, guidelines: Convener Mr T. Humphreys
Working Group 2 - Security techniques and mechanisms: Convener Mr K. Naemura
Working Group 3 - Security evaluation criteria: Convener Mr M. Ohlin
Membership of SC 27
Participating membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one member body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
O-members of SC 27 (total 11): Argentina; Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
*) new SC 27 members
Security Guidelines - SC 27 Standards
Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
IT Network Security (IS 18028, ITU-T X)
IT Intrusion Detection Framework (TR 15947)
Guidelines for the Implementation, Operation & Mgt of ID Systems (IS 18043)
GMITS: Management of ICT Security (TR 13335)
Information Security Incident Management (TR 18044)
Code of Practice for Information Security Management (IS 17799, ITU-T X)
ISMS Requirements Specification (NP)
Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques - SC 27 Standards
Cryptographic protocols: Entity Authentication (IS 9798); Key Mgt (IS 11770); Non-Repudiation (IS 13888); Time Stamping Services (IS 18014)
Message authentication: Message Authentication Codes (IS 9797); Hash Functions (IS 10118); Check Character Systems (IS 7064)
Digital signatures: Signatures giving Message Recovery (IS 9796); Signatures with Appendix (IS 14888)
Encryption & modes of operation: Encryption (IS 18033); Modes of Operation (IS 10116); Register of Algorithms (IS 9979); Data Encapsulation (IS 19772)
Parameter generation: Random Bit Generation (IS 18031); Prime Number Generation (IS 18032)
Cryptographic Techniques based on Elliptic Curves (IS 15946); Biometric Template Protection (NP)
Security Evaluation - SC 27 Standards
Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
Methodology for IT Security Evaluation (IS 18045)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
Protection Profile Registration Procedures (IS 15292)
Framework for IT Security Assurance (TR 15443)
Systems Security Engineering - Capability Maturity Model (IS 21827)
Security Requirements for Cryptographic Modules (TR 19790)
Security Assessment of Operational Systems (TR 19791)
Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
New Projects
IS 9798 Entity authentication mechanisms - Part 6: Entity authentication based on manual data transfer
IS 11770 Key management - Part 4: Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modules; TR 19791 Security assessment of operational systems; IS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security (current edition 1999); next ICC conference 28.9.-30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP ballots: Information Security Management System (ISMS); Information security management metrics and measurements; Biometric template protection; ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS ballot: DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
[Diagram: SC 27 work areas (Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications) and the collaborating bodies SC 37, SC 17, TC 68, CCDB and ITU-T Q.10/SG 17]
SC 27 Collaboration: ITU-T SG 17 / Q.10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS); within SG 17, the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q.10/17 in order to progress common or twin-text documents and to publish common standards:
  ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  ISO/IEC 18028 IT Network Security (= ITU-T X)
  ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
SC 27 is responsible for > 60 projects, including 26 active projects
Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR)
More information & contact
  SC 27 web page (scope, organization, work items etc.): http://www.ni.din.de/sc27
  Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
  SC 27 Secretariat: Krystyna.Passia@din.de
  SC 27 Chairman: Walter.Fumy@siemens.com
Any questions?
WalterFumysiemenscom - 24-Sep-04 - page 6
ITU-T
Cryptographic Mechanisms ndashMajor Players
ISOIEC JTC 1SC 27 Information technology -Security techniques
standardization of generic IT security services and techniques
ETSI SAGE Security Experts Group creates reports (containing confidential specifications) in the area of cryptographic algorithms and protocols specific to publicprivate telecommunications networks
IEEE P1363 Standard Specifications for Public-Key Cryptography
NIST National Institute of Standards and Technologyissues standards and guidelines as Federal Information Processing Standards (FIPS) for use by the US government
ANSI X9F Data amp Information Securitystandards for the financial services industry
WalterFumysiemenscom - 24-Sep-04 - page 7
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiatio
n(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 8
ITU-T
Lifetime of Cryptographic Algorithms
Moorersquos law amp steady growth of the Internet
Chip complexity doubles every 18 monthsInternet computing power doubles every 12 monthsPower of attack doubles every 12 months
Steady loss of cryptographic strength
Symmetric ciphers bdquoloseldquo 1 bit of security per yearHash functions and Elliptic Curve based schemes bdquoloseldquo 2 bits of security per yearRSA schemes bdquoloseldquo about 50 bits of security per year
Additional algorithmic improvementsin particular for asymmetric schemes
-20
-10
0
10
20
30
40
50
60
70
80
1990 2000 2010 2020 2030 2040
DES 56 AES 128 RSA 1024RSA 2048 EC-DSA 160
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
ENISA - European Network & Information Security Agency
Objectives
- to facilitate the application of European Community measures relating to network and information security
- to help ensure the interoperability of security functions in networks and information systems
- to enhance the capability of the Community and the Member States to respond to network and information security problems
- established in March 2004, situated on a Greek island
www.enisa.eu.int
Conference on Network & Information Security: "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from"
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations is needed
Annex
ISO/IEC JTC 1/SC 27 "IT Security Techniques"
SC 27 - "IT Security Techniques"
Standardization of generic IT security services and techniques, including
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products

Organization of ISO/IEC JTC 1/SC 27 "Information technology - Security techniques":
- Chair: Mr W. Fumy; Vice-Chair: Ms M. De Soete
- SC 27 Secretariat: DIN, Ms K. Passia
- Working Group 1: Requirements, services, guidelines (Convener: Mr T. Humphreys)
- Working Group 2: Security techniques and mechanisms (Convener: Mr K. Naemura)
- Working Group 3: Security evaluation criteria (Convener: Mr M. Ohlin)
Membership of SC 27
Participating Membership
- Obligation to take an active part in the work (e.g. to attend meetings, to vote)
- One Member Body per country (e.g. ANSI, IBN, BSI, DIN)
- Power of vote
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership
- Option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents)
- No power of vote
O-members of SC 27 (total 11): Argentina; Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
( ) new SC 27 members
Security Guidelines - SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Op. & Mgt. of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799 | ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques - SC 27 Standards
Cryptographic Protocols
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
Message Authentication
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Check Character Systems (IS 7064)
Digital Signatures
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
Encryption & Modes of Operation
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Data Encapsulation (IS 19772)
Parameter Generation
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
Further projects
- Register of Algorithms (IS 9979)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Biometric Template Protection (NP)
Security Evaluation - SC 27 Standards
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Methodology for IT Security Evaluation (IS 18045)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Framework for IT Security Assurance (TR 15443)
- Security Requirements for Cryptographic Modules (TR 19790)
- Security Assessment of Operational Systems (TR 19791)
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
- Systems Security Engineering - Capability Maturity Model (IS 21827)
New Projects
- IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999)
  - next ICC conference: 28.9. - 30.9.2004, Berlin
  - www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots
- Information Security Management System (ISMS)
- Information security management metrics and measurements
- Biometric template protection
- ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot
- DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
[Diagram: SC 27 work areas and liaison partners]
- Work areas: Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications
- Partners: SC 37; SC 17; TC 68; CCDB; ITU-T Q.10/SG 17
SC 27 Collaboration: ITU-T SG 17 / Q.10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17, the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR)
More Information & Contact
- SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
Cryptographic Techniques - SC 27 Standards
Cryptographic Protocols
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
Message Authentication
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Check Character Systems (IS 7064)
Digital Signatures
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
Encryption & Modes of Operation
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Data Encapsulation (IS 19772)
Parameter Generation
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
Further projects
- Register of Algorithms (IS 9979)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Biometric Template Protection (NP)
Lifetime of Cryptographic Algorithms
Moore's law & steady growth of the Internet
- Chip complexity doubles every 18 months
- Internet computing power doubles every 12 months
- Power of attack doubles every 12 months
Steady loss of cryptographic strength
- Symmetric ciphers "lose" 1 bit of security per year
- Hash functions and Elliptic Curve based schemes "lose" 2 bits of security per year
- RSA schemes "lose" about 50 bits of security per year
- Additional algorithmic improvements, in particular for asymmetric schemes
[Chart: projected security margin (bits, scale -20 to 80) against year (1990 to 2040) for DES 56, AES 128, RSA 1024, RSA 2048 and EC-DSA 160]
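The loss-rate model behind the chart, carried through as an added example (not part of the presentation): the slide's three rates are applied in the unit each family is measured in (symmetric key bits, hash-output or EC field bits, RSA modulus bits), and the "attack feasible" line of each family is pinned to a public break. Those anchors are assumptions of this example, not numbers from the slide: a 56-bit DES key brute-forced in 1998, a 512-bit RSA modulus factored in 1999, and birthday/Pollard-rho work taken as half the size for hash and EC schemes. With them the code recomputes the crossing years the five curves suggest and, for a defender, the minimum size that keeps a chosen margin in a target year. All function and constant names are mine.

```python
"""Projected lifetime of cryptographic algorithms under the slide's loss-rate model."""
from dataclasses import dataclass

# Loss of strength per year, in the unit each family is measured in (from the slide):
# symmetric key bits, hash-output / EC field bits, RSA modulus bits.
LOSS_PER_YEAR = {"symmetric": 1, "hash_ec": 2, "rsa": 50}

# Calibration of the "attack feasible" line. These anchors are assumptions added
# for this example, not numbers from the slide:
#   symmetric: a 56-bit DES key was brute-forced in 1998
#   hash_ec:   collision / Pollard-rho work is half the size, so the feasible size
#              is twice the feasible symmetric key size (2 * 56 in 1998)
#   rsa:       a 512-bit modulus (RSA-155) was factored in 1999
FEASIBLE_AT = {"symmetric": (1998, 56), "hash_ec": (1998, 112), "rsa": (1999, 512)}


@dataclass(frozen=True)
class Scheme:
    name: str
    family: str
    bits: int  # key bits, output/field bits or modulus bits, matching the family unit


# The five curves plotted on the slide.
SCHEMES = (
    Scheme("DES 56", "symmetric", 56),
    Scheme("AES 128", "symmetric", 128),
    Scheme("RSA 1024", "rsa", 1024),
    Scheme("RSA 2048", "rsa", 2048),
    Scheme("EC-DSA 160", "hash_ec", 160),
)

CHART_YEARS = (1990, 2000, 2010, 2020, 2030, 2040)


def feasible_bits(family: str, year: int) -> int:
    """Largest size (in the family's unit) the modelled attacker can break in `year`."""
    base_year, base_bits = FEASIBLE_AT[family]
    return base_bits + LOSS_PER_YEAR[family] * (year - base_year)


def margin(scheme: Scheme, year: int) -> int:
    """Remaining margin in the scheme's own unit; zero or negative means broken."""
    return scheme.bits - feasible_bits(scheme.family, year)


def break_year(scheme: Scheme) -> int:
    """First calendar year in which the margin reaches zero (integer ceiling)."""
    base_year, base_bits = FEASIBLE_AT[scheme.family]
    loss = LOSS_PER_YEAR[scheme.family]
    return base_year + -(-(scheme.bits - base_bits) // loss)


def break_years() -> dict:
    """Crossing year for every scheme on the chart."""
    return {s.name: break_year(s) for s in SCHEMES}


def minimum_size(family: str, year: int, safety_bits: int) -> int:
    """Smallest size to deploy so that `safety_bits` of margin remain in `year`."""
    return feasible_bits(family, year) + safety_bits


def timeline() -> dict:
    """Margins for each scheme at the chart's tick years (what the slide plots)."""
    return {s.name: {y: margin(s, y) for y in CHART_YEARS} for s in SCHEMES}


if __name__ == "__main__":
    for name, year in break_years().items():
        print(f"{name:<11} crosses the attack line in {year}")
    print("Symmetric key bits for a 20-bit margin in 2030:", minimum_size("symmetric", 2030, 20))
```

The model is deliberately linear, as the slide's bullets are; the last bullet (unanticipated algorithmic improvements, especially for asymmetric schemes) is exactly what such a projection cannot capture, which is why the margin parameter of `minimum_size` exists.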
Conclusion: Cryptographic Mechanisms
- Well established technology
- Unanticipated advances in algorithms may occur
- Major trends include
  - increasing block and key lengths
  - increasing size of hash codes
  - signature schemes allowing for message recovery
  - randomized signatures
- New generation of mechanisms: DES -> AES; RSA -> ECC (); SHA-1 -> SHA-256, -384, -512
- Many techniques have been (or are being) standardized
- In addition, techniques are approved at a national level
  - AES: FIPS 197, IS 18033-3
  - DES: FIPS 46
  - RSA: IS 9796, IEEE 1363
  - ECC: IEEE 1363, IS 15946
Cyber Security Standardization
Cryptographic Mechanisms | Security Architectures & Protocols | Security Management, Awareness & Education
[Diagram: Internet with an IPSec Gateway between an Untrusted Network and a Trusted Network]
Security Protocols & Services - Major Players
- IETF, Internet Engineering Task Force: IP Security Protocol, Transport Layer Security, Public-Key Infrastructure (X.509), S/MIME Mail Security
- ITU-T, International Telecommunication Union: X.509 (Public-key certificates), H.235 (Security and encryption for H-Series multimedia terminals), X.841, X.842, X.843
- ETSI: GSM, 3GPP, TETRA, TIPHON, SPAN, TISPAN
- IEEE 802.11 Wireless LANs: 802.11i, 802.1X
Internet Security Protocols
- Security services provided by security protocols depend on the layer of integration
- Security protocols can only protect the payload and/or header information available at this layer
- Header information of lower layers is not protected
[Layer diagram, top to bottom:]
- Electronic Commerce Layer: SET, Ecash
- Application layer: S/MIME, PEM, PGP, H.235
- Transport Layer Security (SSH, SSL, TLS) over Transmission Control Protocol (TCP); Datagram Security (WTLS) over User Datagram Protocol (UDP)
- IP: IPSec (Internet Protocol Security)
- Public-Key Infrastructure: PKIX
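The layering point above, as an added example that is not part of the presentation: a toy packet with constructed (non-RFC) header layouts receives an HMAC-SHA256 tag over exactly the bytes that a transport-layer protocol (TLS-style) or a network-layer protocol (IPsec ESP-style, transport mode) sees. Flipping one bit in each field in transit then shows which modifications the verifier at that layer can detect, and which lower-layer header fields it never looks at. The key, the packet contents and the header layouts are constructed for the example; the function names are mine.

```python
"""Which fields an integrity tag protects depends on the layer that computes it."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # shared integrity key, constructed for this example
TAG_LEN = 32                    # HMAC-SHA256 output length
IP_LEN = 12                     # bytes in the simplified IP header below
TCP_LEN = 8                     # bytes in the simplified TCP header below


def ip_header(src: int, dst: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Simplified IP header (constructed layout, not RFC 791): src, dst, ttl, proto, pad."""
    return struct.pack("!IIBBxx", src, dst, ttl, proto)


def tcp_header(sport: int, dport: int, seq: int) -> bytes:
    """Simplified TCP header (constructed layout): source port, destination port, seq."""
    return struct.pack("!HHI", sport, dport, seq)


def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def protect(layer: str, ip: bytes, tcp: bytes, payload: bytes) -> bytes:
    """Append an integrity tag over exactly the bytes visible at the chosen layer."""
    if layer == "transport":        # TLS/SSH-style: only the application payload
        return ip + tcp + payload + tag(payload)
    if layer == "ip":               # IPsec ESP-style: transport header + payload
        return ip + tcp + payload + tag(tcp + payload)
    raise ValueError(f"unknown layer {layer!r}")


def verify(layer: str, packet: bytes) -> bool:
    """Recompute the tag over the layer's scope; True means accepted as untampered."""
    body, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if layer == "transport":
        scope = body[IP_LEN + TCP_LEN:]
    elif layer == "ip":
        scope = body[IP_LEN:]
    else:
        raise ValueError(f"unknown layer {layer!r}")
    return hmac.compare_digest(tag(scope), received)


# Byte offsets, within the assembled packet, of the fields modified in transit.
FIELDS = {
    "ip_dst": 4,                  # destination address in the IP header
    "ip_ttl": 8,                  # TTL in the IP header
    "tcp_dport": IP_LEN + 2,      # destination port in the TCP header
    "payload": IP_LEN + TCP_LEN,  # first byte of the application data
}


def detects_modification(layer: str, field: str) -> bool:
    """Protect a packet at `layer`, flip one bit of `field`, report whether verify() rejects it."""
    packet = protect(layer, ip_header(0x0A000001, 0x0A000002),
                     tcp_header(40000, 443, 1), b"GET /index.html")
    off = FIELDS[field]
    modified = packet[:off] + bytes([packet[off] ^ 0x01]) + packet[off + 1:]
    return not verify(layer, modified)


def unprotected_fields(layer: str) -> set:
    """Fields whose modification the verifier at `layer` cannot notice."""
    return {f for f in FIELDS if not detects_modification(layer, f)}


if __name__ == "__main__":
    for layer in ("transport", "ip"):
        print(f"{layer:<9} layer leaves unprotected: {sorted(unprotected_fields(layer))}")
```

The transport-layer verifier never sees the IP and TCP headers, so it cannot notice that the destination port or address changed; the IP-layer verifier covers the TCP header but still not the IP header carrying it. That is the slide's rule in executable form: whatever protection you need for a header has to come from the protocol at that header's own layer or below.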
Conclusion: Security Architectures & Protocols
- IPSec and TLS are well-established security protocols
  - transition from DES to AES (at moderate speed)
- WEP is a weak security protocol
  - Confidentiality, data integrity & access control are not preserved when using WEP
  - VPN and other solutions can be used on top of WEP
  - 802.11i (RSN) overcomes the vulnerabilities of WEP; WPA serves as intermediate solution
- Definition of NGN security architecture at the beginning (ETSI TISPAN)
- Trend from security as an add-on to integrated security solutions
Cyber Security Standardization
Cryptographic Mechanisms | Security Architectures & Protocols | Security Management, Awareness & Education
Information Security Management System: Key Principles
[Diagram: Corporate Information Security Policy; Information Security Management; Information Security Risks; the three pillars People, Processes and Technology; Education & Awareness; Policies, Standards, Framework; Existing Processes; Technical Controls]
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act)
[Diagram: ISMS Management System Framework above ISMS Operational Management]
- Policies, Standards & Procedures: managing & protecting people, business processes & applications, procedures, information, communications, networks
- Key principles (as on the previous slide): Corporate Information Security Policy; Information Security Management; Information Security Risks; People, Processes, Technology; Education & Awareness; Policies, Standards, Framework; Existing Processes; Technical Controls
- ISMS Processes: Audit & Review; Business Continuity Mgmt; Change Management; Education & Awareness; Incident Management; Monitoring & Reporting; Risk Analysis & Risk Mgmt; Security Operations Mgmt
- Events: Security incidents, Suspected weaknesses, Malfunctions; Audit observations, Testing findings, Spot check findings
- Recording and analysis -> Report(s) into Forum(s) -> Review & Audit -> Review and update ISMS, backed by 'Evidential' documentation
Hierarchical Security Management Model (SC 27 View)
[Diagram: layered model, top to bottom: Principles; Terminology; Overall Guide; Element Standards; Toolbox of Techniques; Application Guides and Supplements]
- Principles: Information Security Management Principles
- Terminology: SC 27 SD 6 (updated and harmonized); ISO Guide 73
- Overall Guide and Element Standards: Information Security Mgt Framework; Information Security Mgt System (NP); ISM Metrics & Measurements (NP); Code of Practice for ISM (IS 17799 | ITU-T X); MICTS-1 Models and concepts; MICTS-2 Risk management; ISO 19011 Auditing
- Toolbox of Techniques: IT Network Security (IS 18028 | ITU-T X); IT Intrusion Detection Framework (TR 15947); Info Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516 | ITU-T X.842)
- Application Guides and Supplements: Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68)
ISO/IEC 17799 Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
- based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security (ISO 17799 control areas; scores 0-100, rating per area)

1 Information security policy - Middle, 54
  1.1 Documentation of the security policy: 54
2 Security organization - Middle, 61
  2.1 Information security infrastructure: 56
  2.2 Security of third party access: 69
  2.3 Outsourcing: 83
3 Asset classification and control - Low, 45
  3.1 Accountability for assets: 73
  3.2 Information classification: 14
4 Personnel security - Middle, 54
  4.1 Security in job definition and resourcing: 62
  4.2 User training: 30
  4.3 Responding to security incidents and malfunctions: 63
5 Physical and environmental security - High, 78
  5.1 Secure areas: 85
  5.2 Equipment site security: 77
  5.3 General controls: 47
6 Communications and operations management - High, 76
  6.1 Operational procedures and responsibilities: 78
  6.2 System planning and acceptance: 87
  6.3 Protection against malicious software: 82
  6.4 Housekeeping: 80
  6.5 Network management: 81
  6.6 Media handling and security: 56
  6.7 Exchange of information and software: 50
7 Access control - Middle, 70
  7.1 Business requirements for access control: 60
  7.2 User access management: 78
  7.3 User responsibilities: 65
  7.4 Network access control: 74
  7.5 Operating system access control: 64
  7.6 Application access control: 80
  7.7 Monitoring system access and use: 73
  7.8 Mobile computing and teleworking: 60
8 System development and maintenance - Middle, 71
  8.1 Security requirements of systems: 75
  8.2 Security in application systems: 65
  8.3 Cryptographic controls: 48
  8.4 Security of system files: 95
  8.5 Security in development and support processes: 81
9 Business Continuity Management - Middle, 56
  9.1 Aspects of business continuity: 56
10 Compliance - Middle, 57
  10.1 Compliance with legal requirements: 63
  10.2 Review of security policy and technical compliance: 47
  10.3 System audit consideration: 50
Average InfoSec Status: 66
[Bar chart, scale 0-100, one bar per area: Policy & Security Organization; Asset classification; Personnel Security; Physical security; Communication & operation; Access control; System Development; Business Continuity Management; Compliance]
Standards - Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA - National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards
  - NSTISSI-4011 - INFOSEC Professionals
  - NSTISSI-4012 - Designated Approving Authority
  - NSTISSI-4013 - System Administrators in Information Systems Security
  - NSTISSI-4014 - Information Systems Security Officers (ISSO)
  - NSTISSI-4015 - System Certifiers
- www.nsa.gov
Standards - Awareness, Training & Education
- NIST - National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
  - SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  - SP 800-50 "Building an IT Security Awareness and Training Program"
  - http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems - Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827); procedural guidelines (e.g. TR 18044); catalogues of controls (e.g. IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 8
ITU-T
Lifetime of Cryptographic Algorithms
Moorersquos law amp steady growth of the Internet
Chip complexity doubles every 18 monthsInternet computing power doubles every 12 monthsPower of attack doubles every 12 months
Steady loss of cryptographic strength
Symmetric ciphers bdquoloseldquo 1 bit of security per yearHash functions and Elliptic Curve based schemes bdquoloseldquo 2 bits of security per yearRSA schemes bdquoloseldquo about 50 bits of security per year
Additional algorithmic improvementsin particular for asymmetric schemes
-20
-10
0
10
20
30
40
50
60
70
80
1990 2000 2010 2020 2030 2040
DES 56 AES 128 RSA 1024RSA 2048 EC-DSA 160
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
Conclusion: Security Architectures & Protocols
- IPsec and TLS are well-established security protocols; transition from DES to AES (at moderate speed)
- WEP is a weak security protocol: confidentiality, data integrity and access control are not preserved when using WEP; VPN and other solutions can be used on top of WEP; 802.11i (RSN) overcomes the vulnerabilities of WEP; WPA serves as an intermediate solution
- Definition of NGN security architecture at the beginning (ETSI TISPAN)
- Trend from security as an add-on to integrated security solutions

Cyber Security Standardization: Cryptographic Mechanisms | Security Architectures & Protocols | Security Management, Awareness & Education
Information Security Management System: Key Principles
[Figure: People, Processes and Technology around the Corporate Information Security Policy, Information Security Management and Information Security Risks; supporting elements: Education & Awareness, Policies & Standards Framework, Existing Processes, Technical Controls]
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act)
[Figure: PDCA cycle around the ISMS key principles (People, Processes, Technology; Corporate Information Security Policy; Information Security Management; Information Security Risks; Education & Awareness; Policies & Standards Framework; Existing Processes; Technical Controls). Elements shown: Policies, Standards & Procedures for managing & protecting people, business processes & applications, procedures, information, communications, networks; Management System Framework and ISMS Operational Management; ISMS Processes: Audit & Review, Business Continuity Mgmt, Change Management, Education & Awareness, Incident Management, Monitoring & Reporting, Risk Analysis & Risk Mgmt, Security Operations Mgmt; Events: security incidents, suspected weaknesses, malfunctions; audit observations, testing findings, spot check findings; recording and analysis; Review & Audit; 'evidential' documentation; report(s) into forum(s); review and update ISMS]
Hierarchical Security Management Model (SC 27 View)
[Figure: layered model with the layers Principles, Overall Guide, Terminology, Toolbox of Techniques, Element Standards, and Application Guides and Supplements. Documents shown: Information Security Management Principles (SC 27 SD 6, updated and harmonized); ISO Guide 73; Information Security Mgt Framework; MICTS-1 Models and concepts; MICTS-2 Risk management; Code of Practice for ISM (IS 17799, ITU-T X); ISM Metrics & Measurements (NP); Information Security Mgt System (NP); IT Network Security (IS 18028, ITU-T X); IT Intrusion Detection Framework (TR 15947); Info Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516, ITU-T X.842); ISO 19011 Auditing; Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68)]
ISO/IEC 17799: Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets, etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, …
- Based on BS 7799-1; 2nd edition expected for 2005
- ISO 17799 control areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security
(ISO 17799 control areas with rating Low/Middle/High and score on a 0-100 scale; sub-controls with score)

1 Information security policy: Middle, 54
  1.1 Documentation of the security policy: 54
2 Security organization: Middle, 61
  2.1 Information security infrastructure: 56
  2.2 Security of third party access: 69
  2.3 Outsourcing: 83
3 Asset classification and control: Low, 45
  3.1 Accountability for assets: 73
  3.2 Information classification: 14
4 Personnel security: Middle, 54
  4.1 Security in job definition and resourcing: 62
  4.2 User training: 30
  4.3 Responding to security incidents and malfunctions: 63
5 Physical and environmental security: High, 78
  5.1 Secure areas: 85
  5.2 Equipment site security: 77
  5.3 General controls: 47
6 Communications and operations management: High, 76
  6.1 Operational procedures and responsibilities: 78
  6.2 System planning and acceptance: 87
  6.3 Protection against malicious software: 82
  6.4 Housekeeping: 80
  6.5 Network management: 81
  6.6 Media handling and security: 56
  6.7 Exchange of information and software: 50
7 Access control: Middle, 70
  7.1 Business requirements for access control: 60
  7.2 User access management: 78
  7.3 User responsibilities: 65
  7.4 Network access control: 74
  7.5 Operating system access control: 64
  7.6 Application access control: 80
  7.7 Monitoring system access and use: 73
  7.8 Mobile computing and teleworking: 60
8 System development and maintenance: Middle, 71
  8.1 Security requirements of systems: 75
  8.2 Security in application systems: 65
  8.3 Cryptographic controls: 48
  8.4 Security of system files: 95
  8.5 Security in development and support processes: 81
9 Business Continuity Management: Middle, 56
  9.1 Aspects of business continuity: 56
10 Compliance: Middle, 57
  10.1 Compliance with legal requirements: 63
  10.2 Review of security policy and technical compliance: 47
  10.3 System audit consideration: 50

Average InfoSec Status: 66

[Bar chart: score per control area on a 0-100 scale; areas: Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance]
Standards – Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA - National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards: NSTISSI-4011 - INFOSEC Professionals; NSTISSI-4012 - Designated Approving Authority; NSTISSI-4013 - System Administrators in Information Systems Security; NSTISSI-4014 - Information Systems Security Officers (ISSO); NSTISSI-4015 - System Certifiers
- www.nsa.gov
Standards – Awareness, Training & Education
- NIST – National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
- SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"; SP 800-50 "Building an IT Security Awareness and Training Program"
- http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard:
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems - Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827); procedural guidelines (e.g. TR 18044); catalogues of controls (e.g. IS 17799)

Cyber Security Standardization Initiatives
Example: Cyber Security Standard for Electricity Sector
- developed by North American Electric Reliability Council (NERC)
- NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard: NERC Urgent Action Standard 1200, Cyber Security
- approved June 2003; in effect for one year with possible one-year extension
- NERC Board of Trustees approved one-year extension effective August 13, 2004
- to be replaced with permanent standard via ANSI Standard Authorization process; compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003
- Facilitate the development and enhancement of homeland security standards
- Serve as private/public sector forum for standards issues that cut cross-sector
- Co-chairs provided by industry and government
- A forum for information sharing on HS standards issues
- Does not itself develop standards
- http://www.ansi.org/hssp
ISO Technical Management Board: Advisory Group on Security
The ISO/TMB Advisory Group will
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of: private sector emergency preparedness and business continuity; identification techniques including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA – European Network & Information Security Agency
Objectives:
- to facilitate the application of European Community measures relating to network and information security
- to help ensure the interoperability of security functions in networks and information systems
- to enhance the capability of the Community and the Member States to respond to network and information security problems
Established in March 2004; situated on a Greek island; www.enisa.eu.int
Conference on Network & Information Security: "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from"
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations needed

Annex: ISO/IEC JTC 1/SC 27 "IT Security Techniques"
SC 27 - "IT Security Techniques"
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products

[Organization chart]
ISO/IEC JTC 1/SC 27 Information technology - Security techniques: Chair Mr. W. Fumy; Vice-Chair Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
Working Group 1: Requirements, services, guidelines; Convener Mr. T. Humphreys
Working Group 2: Security techniques and mechanisms; Convener Mr. K. Naemura
Working Group 3: Security evaluation criteria; Convener Mr. M. Ohlin
Membership of SC 27
- Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
- P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
- Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
- O-members of SC 27 (total 11): Argentina, Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
*) new SC 27 members
Security Guidelines – SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
- IT Network Security (IS 18028, ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Op. & Mgt. of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799, ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques – SC 27 Standards
Groups: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
- Message Authentication Codes (IS 9797)
- Hash Functions (IS 10118)
- Check Character Systems (IS 7064)
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Data Encapsulation (IS 19772)
- Register of Algorithms (IS 9979)
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Biometric Template Protection (NP)
Security Evaluation – SC 27 Standards
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Methodology for IT Security Evaluation (IS 18045)
- Protection Profile Registration Procedures (IS 15292)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
- Framework for IT Security Assurance (TR 15443)
- Systems Security Engineering – Capability Maturity Model (IS 21827)
- Security Requirements for Cryptographic Modules (TR 19790)
- Security Assessment of Operational Systems (TR 19791)
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
New Projects
- IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28.-30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
- NP Ballots: Information Security Management System (ISMS); Information security management metrics and measurements; Biometric template protection; ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
- PAS Ballot: DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
[Figure: SC 27 work areas (Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications) and collaborating bodies: SC 37, SC 17, TC 68, CCDB, ITU-T Q.10/SG 17]
SC 27 Collaboration: ITU-T SG 17, Q.10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17 the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards, and 6 ISO/IEC Technical Reports (TR)
More Information & Contact
- SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com

Any Questions?
WalterFumysiemenscom - 24-Sep-04 - page 9
ITU-T
ConclusionCryptographic Mechanisms
Well established technologyUnanticipated advances in algorithms may occurMajor trends include
increasing block and key lengthsincreasing size of hash codessignature schemes allowing for message recoveryrandomized signatures
New generation of mechanismsDES AESRSA ECC ()SHA-1 SHA-256 -384 -512
Many techniques have been (or are being) standardized
In addition techniques are approved at a national level
AESDESRSA
ECC
FIPS 197IS 18033-3
IEEE 1363IS 15946 FIPS 46
IS 9796IEEE 1363
WalterFumysiemenscom - 24-Sep-04 - page 10
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
InternetIPSec Gateway
Untrusted Network
Trusted Network
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
O-members of SC 27 (total 11): Argentina; Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
) new SC 27 members
Security Guidelines – SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Op. & Mgt. of ID Systems (IS 18043)
- GMITS Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799 | ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques – SC 27 Standards
Categories: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
- Message Authentication Codes (IS 9797)
- Hash Functions (IS 10118)
- Check Character Systems (IS 7064)
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Register of Algorithms (IS 9979)
- Data Encapsulation (IS 19772)
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Biometric Template Protection (NP)
Security Evaluation – SC 27 Standards
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Methodology for IT Security Evaluation (IS 18045)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Framework for IT Security Assurance (TR 15443)
- Systems Security Engineering – Capability Maturity Model (IS 21827)
- Security Requirements for Cryptographic Modules (TR 19790)
- Security Assessment of Operational Systems (TR 19791)
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
New Projects
- IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28.9. - 30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots:
- Information Security Management System (ISMS)
- Information security management metrics and measurements
- Biometric template protection
- ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot:
- DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
(Figure) SC 27 work areas: Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications
Collaborating bodies: SC 37; SC 17; TC 68; CCDB; ITU-T Q.10/SG 17
SC 27 Collaboration: ITU-T SG 17/Q.10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17, the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR)
More Information & Contact:
- SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions
Cyber Security Standardization
Cryptographic Mechanisms; Security Architectures & Protocols; Security Management, Awareness & Education
(Figure: Internet / IPSec Gateway between an Untrusted Network and a Trusted Network)
Security Protocols & Services – Major Players
- IETF Internet Engineering Task Force: IP Security Protocol; Transport Layer Security; Public-Key Infrastructure (X.509); S/MIME Mail Security
- ITU-T International Telecommunication Union: X.509 (Public-key certificates); H.235 (Security and encryption for H-Series multimedia terminals); X.841, X.842, X.843
- ETSI: GSM, 3GPP, TETRA, TIPHON, SPAN, TISPAN
- IEEE 802.11 Wireless LANs: 802.11i, 802.1X
Internet Security Protocols
- Security services provided by security protocols depend on the layer of integration
- Security protocols can only protect the payload and/or header information available at this layer; header information of lower layers is not protected
(Figure: protocol stack) Electronic Commerce Layer (SET, Ecash); S/MIME, PEM, PGP, H.235; Transport Layer Security (SSH, SSL, TLS); Datagram Security (WTLS); Transmission Control Protocol (TCP); User Datagram Protocol (UDP); IP / IPSec (Internet Protocol Security); Public-Key Infrastructure (PKIX)
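The layering rule on this slide, as an added example that is not part of the original presentation: a small Python model of a packet with IP, transport and application fields, and of where TLS, IPsec transport mode and IPsec tunnel mode sit in the stack. The packet fields, the mechanism table and the field names are constructed for illustration; the mapping of each mechanism to its layer of integration follows the protocols' well-known design rather than anything stated on the slide.

```python
"""Which packet fields a security protocol protects, by layer of integration.

Added example (not from the original slides). Models the slide's point that a
security protocol integrated at one layer protects the payload and headers at
that layer and above, while lower-layer headers travel in the clear. Packet
fields and mechanism names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Layer order from the bottom of the stack upwards.
LAYERS = ["ip", "transport", "application"]


@dataclass
class Packet:
    """A simplified packet: one dict of header/payload fields per layer."""
    ip: dict = field(default_factory=dict)
    transport: dict = field(default_factory=dict)
    application: dict = field(default_factory=dict)

    def fields(self):
        """Yield (layer, field_name) for every field in the packet."""
        for layer in LAYERS:
            for name in getattr(self, layer):
                yield layer, name


# Mechanism -> (layer of integration, whether it wraps the packet in a new outer IP header).
# Constructed table reflecting the well-known behaviour of these protocols.
MECHANISMS = {
    "none": (None, False),
    "tls": ("application", False),            # TLS sits above TCP: only application data is protected
    "ipsec-transport": ("transport", False),  # ESP transport mode: transport header + payload protected
    "ipsec-tunnel": ("ip", True),             # ESP tunnel mode: whole inner packet protected, new outer IP header
}


def observer_view(pkt: Packet, mechanism: str):
    """Return {(layer, field): 'protected' | 'exposed'} as seen by an on-path observer.

    Everything at or above the integration layer is protected; everything
    below it is exposed. Tunnel mode adds an outer IP header that is itself
    exposed (it is now the lowest layer) while the inner IP header is hidden.
    """
    layer, tunnels = MECHANISMS[mechanism]
    threshold = LAYERS.index(layer) if layer is not None else len(LAYERS)
    view = {}
    for lyr, name in pkt.fields():
        view[(lyr, name)] = "protected" if LAYERS.index(lyr) >= threshold else "exposed"
    if tunnels:
        # The new outer header carries the gateway addresses and travels in the clear.
        view[("outer-ip", "src")] = "exposed"
        view[("outer-ip", "dst")] = "exposed"
    return view


def exposed_fields(pkt: Packet, mechanism: str):
    """Sorted 'layer.field' names an on-path observer can still read in clear."""
    return sorted(f"{lyr}.{name}" for (lyr, name), status in observer_view(pkt, mechanism).items()
                  if status == "exposed")


# Constructed sample packet: an HTTPS-style request from a client to a server.
SAMPLE = Packet(
    ip={"src": "10.0.0.5", "dst": "203.0.113.10"},
    transport={"src_port": 51234, "dst_port": 443},
    application={"method": "GET", "path": "/account", "cookie": "session=abc"},
)

if __name__ == "__main__":
    for mech in MECHANISMS:
        print(f"{mech:16s} exposed: {exposed_fields(SAMPLE, mech)}")
```

Run stand-alone it prints, for each mechanism, the fields an on-path observer can still read: with TLS the IP addresses and ports stay visible, with IPsec transport mode only the IP header, and with tunnel mode only the gateway-to-gateway outer header. That is the practical consequence of the second bullet above: the layer at which a security protocol is integrated decides which metadata is left unprotected.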
Conclusion: Security Architectures & Protocols
- IPSec and TLS are well-established security protocols; transition from DES to AES (at moderate speed)
- WEP is a weak security protocol: confidentiality, data integrity & access control are not preserved when using WEP; VPN and other solutions can be used on top of WEP; 802.11i (RSN) overcomes the vulnerabilities of WEP; WPA serves as intermediate solution
- Definition of NGN security architecture at the beginning (ETSI TISPAN)
- Trend from security as an add-on to integrated security solutions
Cyber Security Standardization
Cryptographic Mechanisms; Security Architectures & Protocols; Security Management, Awareness & Education
Information Security Management System: Key Principles
(Figure) People, Processes, Technology; Corporate Information Security Policy; Information Security Management; Information Security Risks; Education & Awareness; Policies, Standards, Framework; Existing Processes; Technical Controls
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act)
(Figure: Management System Framework) Policies, Standards & Procedures; 'Evidential' documentation; Report(s) into Forum(s); Review & Audit; managing & protecting people, business processes & applications, procedures, information, communications, networks
Key principles: People, Processes, Technology; Corporate Information Security Policy; Information Security Management; Information Security Risks; Education & Awareness; Policies, Standards, Framework; Existing Processes; Technical Controls
ISMS Processes: Audit & Review; Business Continuity Mgmt; Change Management; Education & Awareness; Incident Management; Monitoring & Reporting; Risk Analysis & Risk Mgmt; Security Operations Mgmt
ISMS Operational Management: Events (security incidents, suspected weaknesses, malfunctions; audit observations, testing findings, spot check findings) -> Recording and analysis -> Review and update ISMS
Hierarchical Security Management Model (SC 27 View)
(Figure, layers from bottom to top: Terminology; Principles; Overall Guide; Element Standards; Toolbox of Techniques; Application Guides and Supplements)
- Terminology: SC 27 SD 6 (updated and harmonized); ISO Guide 73
- Principles: Information Security Management Principles
- Overall Guide: Information Security Mgt Framework; MICTS-1 Models and concepts; MICTS-2 Risk management
- Element Standards: Information Security Mgt System (NP); ISM Metrics & Measurements (NP); Code of Practice for ISM (IS 17799 | ITU-T X)
- Toolbox of Techniques: IT Network Security (IS 18028 | ITU-T X); IT Intrusion Detection Framework (TR 15947); Info Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516 | ITU-T X.842)
- Application Guides and Supplements: Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68)
- Related: ISO 19011 Auditing
ISO/IEC 17799 Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
- based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security
(ISO 17799 control areas with rating and score; sub-controls with score; scores on a 0-100 scale)
1 Information security policy - Middle, 54
  1.1 Documentation of the security policy - 54
2 Security organization - Middle, 61
  2.1 Information security infrastructure - 56
  2.2 Security of third party access - 69
  2.3 Outsourcing - 83
3 Asset classification and control - Low, 45
  3.1 Accountability for assets - 73
  3.2 Information classification - 14
4 Personnel security - Middle, 54
  4.1 Security in job definition and resourcing - 62
  4.2 User training - 30
  4.3 Responding to security incidents and malfunctions - 63
5 Physical and environmental security - High, 78
  5.1 Secure areas - 85
  5.2 Equipment site security - 77
  5.3 General controls - 47
6 Communications and operations management - High, 76
  6.1 Operational procedures and responsibilities - 78
  6.2 System planning and acceptance - 87
  6.3 Protection against malicious software - 82
  6.4 Housekeeping - 80
  6.5 Network management - 81
  6.6 Media handling and security - 56
  6.7 Exchange of information and software - 50
7 Access control - Middle, 70
  7.1 Business requirements for access control - 60
  7.2 User access management - 78
  7.3 User responsibilities - 65
  7.4 Network access control - 74
  7.5 Operating system access control - 64
  7.6 Application access control - 80
  7.7 Monitoring system access and use - 73
  7.8 Mobile computing and teleworking - 60
8 System development and maintenance - Middle, 71
  8.1 Security requirements of systems - 75
  8.2 Security in application systems - 65
  8.3 Cryptographic controls - 48
  8.4 Security of system files - 95
  8.5 Security in development and support processes - 81
9 Business Continuity Management - Middle, 56
  9.1 Aspects of business continuity - 56
10 Compliance - Middle, 57
  10.1 Compliance with legal requirements - 63
  10.2 Review of security policy and technical compliance - 47
  10.3 System audit consideration - 50
Average InfoSec Status: 66
(Bar chart, scale 0 / 25 / 50 / 75 / 100: Policy & Security Organization; Asset classification; Personnel Security; Physical security; Communication & operation; Access control; System Development; Business Continuity Management; Compliance)
Standards – Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA - National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards: NSTISSI-4011 - INFOSEC Professionals; NSTISSI-4012 - Designated Approving Authority; NSTISSI-4013 - System Administrators in Information Systems Security; NSTISSI-4014 - Information Systems Security Officers (ISSO); NSTISSI-4015 - System Certifiers
- www.nsa.gov
Standards – Awareness, Training & Education
- NIST – National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
- SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
- SP 800-50 "Building an IT Security Awareness and Training Program"
- http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems - Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827); procedural guidelines (e.g. TR 18044); catalogues of controls (e.g. IS 17799)
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for Electricity Sector
- developed by North American Electric Reliability Council (NERC)
- NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard
- NERC Urgent Action Standard 1200 Cyber Security: approved June 2003, in effect for one year with possible one-year extension
- NERC Board of Trustees approved one-year extension, effective August 13, 2004
- to be replaced with permanent standard via ANSI Standard Authorization process; compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003
- Facilitate the development and enhancement of homeland security standards
- Serve as private/public sector forum for standards issues that cut cross-sector
- Co-chairs provided by industry and government
- A forum for information sharing on HS standards issues
- Does not itself develop standards
http://www.ansi.org/hssp
ISO Technical Management Board Advisory Group on Security
The ISO/TMB Advisory Group will:
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of: private sector emergency preparedness and business continuity; identification techniques including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA – European Network & Information Security Agency
Objectives:
- to facilitate the application of European Community measures relating to network and information security
- to help ensure the interoperability of security functions in networks and information systems
- to enhance the capability of the Community and the Member States to respond to network and information security problems
- established in March 2004; situated on a Greek island
www.enisa.eu.int
Conference on Network & Information Security "e-Security in Europe: Today's Status and The Next Step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from"
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations needed
WalterFumysiemenscom - 24-Sep-04 - page 11
ITU-T
Security Protocols amp Services ndashMajor Players
IETF Internet Engineering Task ForceIP Security Protocol Transport Layer Security Public-Key Infrastructure (X509) SMIME Mail Security
ITU-T International Telecommunication UnionX509 (Public-key certificates) H235 (Security and encryption for H-Series multimedia terminals) X841 X842 X843
ETSIGSM 3GPP TETRA TIPHON SPAN TISPAN
IEEE 80211 Wireless LANs80211i 8021X
WalterFumysiemenscom - 24-Sep-04 - page 12
ITU-T
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload andor header information available at this layerHeader information of lower layers is not protected
IP IPSec (Internet Protocol Security)IP IPSec (Internet Protocol Security)
Transport Layer Security (SSH SSL TLS)
Transport Layer Security (SSH SSL TLS)
SMIMESMIME
Electronic Commerce LayerSET Ecash
Electronic Commerce LayerSET Ecash
PEMPEMPGPPGPH235H235
Public-Key InfrastructurePublic-Key
PKIXPKIX
Datagram Security (WTLS)
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
Datagram Security (WTLS)
User Datagram Protocol (UDP)User Datagram Protocol (UDP)
Infrastructure
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
Conclusion: Security Management, Awareness & Education
Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
Today there is no internationally recognized Information Security Management System (ISMS) standard
  there are a number of ISMS standards at a national or regional level, including
    BS 7799-2 Information security management systems – Specification with guidance for use (UK)
    IT Baseline Protection Manual (Germany)
  there are international standards that cover certain elements of an ISMS
    process guidelines (e.g. IS 13335, IS 21827)
    procedural guidelines (e.g. TR 18044)
    catalogues of controls (e.g. IS 17799)
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for the Electricity Sector
developed by the North American Electric Reliability Council (NERC)
  NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated an "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard
NERC Urgent Action Standard 1200 Cyber Security
  approved June 2003, in effect for one year with possible one-year extension
  NERC Board of Trustees approved one-year extension effective August 13, 2004
  to be replaced with permanent standard via ANSI Standard Authorization process
  compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003
  Facilitate the development and enhancement of homeland security standards
  Serve as private/public sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and government
A forum for information sharing on HS standards issues
Does not itself develop standards
http://www.ansi.org/hssp
ISO Technical Management Board Advisory Group on Security
The ISO/TMB Advisory Group will
  conduct a review of existing ISO deliverables related to the field of security, including the subjects of
    Private sector emergency preparedness and business continuity
    Identification techniques, including biometrics
    Emergency communications
    Risk assessment
    Cyber security
  assess the needs of all relevant stakeholders for international security standards
  assess relevant standards developed by other organizations
  recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
  submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA – European Network & Information Security Agency
Objectives
  to facilitate the application of European Community measures relating to network and information security
  to help ensure the interoperability of security functions in networks and information systems
  to enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004, situated on a Greek island
www.enisa.eu.int
Conference on Network & Information Security: e-Security in Europe, Today's status and The Next Step, Amsterdam, 27/28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from"
A substantial number of cyber security standards are available or currently under development
There are initiatives at both national and international levels to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations is needed

Annex
ISO/IEC JTC 1/SC 27 "IT Security Techniques"
SC 27 – "IT Security Techniques"
Standardization of generic IT security services and techniques, including
  identification of generic requirements for IT system security services
  development of security techniques and mechanisms (cryptographic and non-cryptographic)
  development of security guidelines
  development of management support documentation and standards
  development of criteria for IT security evaluation and certification of IT systems, components and products
Organization chart:
  ISO/IEC JTC 1/SC 27 Information technology – Security techniques: Chair Mr W. Fumy, Vice-Chair Ms M. De Soete
  SC 27 Secretariat: DIN, Ms K. Passia
  Working Group 1 Requirements, services, guidelines: Convener Mr T. Humphreys
  Working Group 2 Security techniques and mechanisms: Convener Mr K. Naemura
  Working Group 3 Security evaluation criteria: Convener Mr M. Ohlin
Membership of SC 27
Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
O-members of SC 27 (total 11): Argentina; Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
*) new SC 27 members
Security Guidelines – SC 27 Standards
Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
IT Network Security (IS 18028, ITU-T X)
IT Intrusion Detection Framework (TR 15947)
Guidelines for the Implementation, Operation & Management of ID Systems (IS 18043)
GMITS: Management of ICT Security (TR 13335)
Information Security Incident Management (TR 18044)
Code of Practice for Information Security Management (IS 17799, ITU-T X)
ISMS Requirements Specification (NP)
Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques – SC 27 Standards
Areas: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
Entity Authentication (IS 9798)
Key Management (IS 11770)
Encryption (IS 18033)
Register of Algorithms (IS 9979)
Modes of Operation (IS 10116)
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)
Signatures giving Message Recovery (IS 9796)
Non-Repudiation (IS 13888)
Signatures with Appendix (IS 14888)
Check Character Systems (IS 7064)
Cryptographic Techniques based on Elliptic Curves (IS 15946)
Time Stamping Services (IS 18014)
Random Bit Generation (IS 8031)
Prime Number Generation (IS 8032)
Data Encapsulation (IS 19772)
Biometric Template Protection (NP)
Security Evaluation – SC 27 Standards
Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
Security Assessment of Operational Systems (TR 19791)
Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
Security Requirements for Cryptographic Modules (TR 19790)
Protection Profile Registration Procedures (IS 15292)
Framework for IT Security Assurance (TR 15443)
Systems Security Engineering – Capability Maturity Model (IS 21827)
Methodology for IT Security Evaluation (IS 18045)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
New Projects
IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modules
TR 19791 Security assessment of operational systems
IS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security (1999)
  next ICC conference 28.9.–30.9.2004, Berlin
  www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots
  Information Security Management System (ISMS)
  Information security management metrics and measurements
  Biometric template protection
  ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot
  DIS 20886 International Security, Trust and Privacy Alliance – Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
Diagram: SC 27 work areas (Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications) and collaborating bodies (SC 37, SC 17, TC 68, CCDB, ITU-T Q10/SG17)
SC 27 Collaboration: ITU-T SG 17/Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
  within SG 17, the Rapporteur for Q10/17 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q10/17 in order to progress common or twin text documents and to publish common standards
  ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  ISO/IEC 18028 IT Network Security (= ITU-T X)
  ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
SC 27 is responsible for > 60 projects, including 26 active projects
Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards, 6 ISO/IEC Technical Reports (TR)
More Information & Contact
  SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
  Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
  SC 27 Secretariat: Krystyna.Passia@din.de
  SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
Internet Security Protocols
Security services provided by security protocols depend on the layer of integration
Security protocols can only protect the payload and/or header information available at this layer; header information of lower layers is not protected
Diagram (layers from top to bottom):
  Electronic Commerce Layer: SET, Ecash
  S/MIME, PEM, PGP, H.235
  Transport Layer Security (SSH, SSL, TLS) over Transmission Control Protocol (TCP); Datagram Security (WTLS) over User Datagram Protocol (UDP)
  IP: IPSec (Internet Protocol Security)
  Public-Key Infrastructure (PKIX) as supporting infrastructure
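The layer-coverage point above, as an added example that is not part of the original slide deck: a constructed packet is sealed with an HMAC standing in for the integrity mechanism of a protocol integrated at a given layer, and single bytes in lower-layer headers are then modified to show which in-transit changes the check cannot detect. The protocol names, their layer assignments and the sample packet are assumptions made for this demonstration, not taken from the slides.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Layers of the constructed packet, lowest (link) first. The "application"
# layer has no header of its own here; its data is the payload.
LAYERS = ["ethernet", "ip", "tcp", "application"]

# Security protocol -> (layer of integration, whether it also covers that
# layer's own header). Simplified textbook coverage rules, assumed for the
# demo: TLS runs above TCP, so the TCP header is outside its record MAC;
# ESP in transport mode leaves the IP header outside its ICV; AH also
# covers the (immutable fields of the) IP header; S/MIME covers the message.
PROTOCOLS = {
    "TLS": ("tcp", False),
    "IPsec-ESP": ("ip", False),
    "IPsec-AH": ("ip", True),
    "S/MIME": ("application", True),
}


@dataclass
class Packet:
    headers: dict   # layer name -> header bytes
    payload: bytes


def sample_packet() -> Packet:
    """Constructed sample packet (not a real capture): synthetic headers."""
    return Packet(
        headers={
            "ethernet": bytes.fromhex("000000000001" "000000000002" "0800"),
            "ip": bytes.fromhex("4500004000000000400600000a0000010a000002"),
            "tcp": (52000).to_bytes(2, "big") + (443).to_bytes(2, "big") + bytes(16),
            "application": b"",
        },
        payload=b"GET /account HTTP/1.1\r\n",
    )


def unprotected_layers(protocol: str) -> list:
    """Layers whose headers lie below the protocol's integrity coverage."""
    layer, own_header = PROTOCOLS[protocol]
    first = LAYERS.index(layer) + (0 if own_header else 1)
    return LAYERS[:first]


def protected_span(packet: Packet, protocol: str) -> bytes:
    """Bytes a protocol integrated at its layer can see and therefore protect."""
    first = len(unprotected_layers(protocol))
    return b"".join(packet.headers[l] for l in LAYERS[first:]) + packet.payload


def seal(packet: Packet, protocol: str, key: bytes) -> bytes:
    # HMAC-SHA256 stands in for the protocol's real integrity mechanism.
    return hmac.new(key, protected_span(packet, protocol), hashlib.sha256).digest()


def check(packet: Packet, protocol: str, key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(packet, protocol, key), tag)


def flip_first_byte(packet: Packet, where: str) -> Packet:
    """Copy of the packet with one bit flipped in a header ('ethernet', 'ip',
    'tcp') or in the payload ('payload'), simulating in-transit modification."""
    headers = dict(packet.headers)
    if where == "payload":
        data = packet.payload
        return Packet(headers, bytes([data[0] ^ 1]) + data[1:])
    data = headers[where]
    headers[where] = bytes([data[0] ^ 1]) + data[1:]
    return Packet(headers, packet.payload)


def tamper_detected(protocol: str, where: str,
                    key: bytes = b"constructed-demo-key") -> bool:
    """Seal a sample packet, modify it at `where`, report whether the check fails."""
    original = sample_packet()
    tag = seal(original, protocol, key)
    return not check(flip_first_byte(original, where), protocol, key, tag)


if __name__ == "__main__":
    for proto in PROTOCOLS:
        print(f"{proto}: lower layers left unprotected: {unprotected_layers(proto)}")
        for where in ("ethernet", "ip", "tcp", "payload"):
            status = "detected" if tamper_detected(proto, where) else "NOT detected"
            print(f"  modification of {where}: {status}")
```

Running the block prints, for each protocol, which lower layers remain unprotected and whether a modification at each layer is caught; a change to an IP header under TLS, for example, passes the check unnoticed.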
Conclusion: Security Architectures & Protocols
IPSec and TLS are well-established security protocols
  transition from DES to AES (at moderate speed)
WEP is a weak security protocol
  Confidentiality, data integrity & access control are not preserved when using WEP
  VPN and other solutions can be used on top of WEP
  802.11i (RSN) overcomes the vulnerabilities of WEP; WPA serves as intermediate solution
Definition of NGN security architecture at the beginning (ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
Cyber Security Standardization
Cryptographic Mechanisms; Security Architectures & Protocols; Security Management, Awareness & Education
Information Security Management System: Key Principles
Diagram: Corporate Information Security Policy; Information Security Management; Information Security Risks
  People: Education & Awareness
  Processes: Policies, Standards, Framework, Existing Processes
  Technology: Technical Controls
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act)
Diagram: ISMS Management System Framework and ISMS Operational Management
  Corporate Information Security Policy; Information Security Management; Information Security Risks
  People: Education & Awareness; Processes: Policies, Standards, Framework, Existing Processes; Technology: Technical Controls
  Policies, Standards & Procedures: managing & protecting people, business processes & applications, procedures, information, communications, networks
  ISMS Processes: Audit & Review; Business Continuity Mgmt; Change Management; Education & Awareness; Incident Management; Monitoring & Reporting; Risk Analysis & Risk Mgmt; Security Operations Mgmt
  Events: Security incidents, Suspected weaknesses, Malfunctions; Audit observations, Testing findings, Spot check findings
  Recording and analysis -> Review and update ISMS -> 'Evidential' documentation -> Report(s) into Forum(s); Review & Audit
Hierarchical Security Management Model (SC 27 View)
Model levels: Principles; Terminology; Overall Guide; Element Standards; Toolbox of Techniques; Application Guides and Supplements
Information Security Management Principles
SC 27 SD 6 (updated and harmonized); ISO Guide 73
Information Security Management Framework
Information Security Management System (NP)
ISM Metrics & Measurements (NP)
Code of Practice for ISM (IS 17799, ITU-T X)
MICTS-1 Models and concepts
MICTS-2 Risk management
ISO 19011 Auditing
IT Network Security (IS 18028, ITU-T X)
IT Intrusion Detection Framework (TR 15947)
Info Security Incident Management (TR 18044)
Guidelines for TTP Services (IS 14516, ITU-T X.842)
Healthcare ISMS Guide (TC 215)
T-ISMS Telecom ISMS Guide (ITU-T X.1051)
Financial ISMS Guide (TC 68)
ISO/IEC 17799 Code of practice for information security management (2000)
Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets etc.
Developing information security assurance: organisational assurance, business partner and third party supplier assurance …
based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security
1 Information security policy: Middle 54
  1.1 Documentation of the security policy 54
2 Security organization: Middle 61
  2.1 Information security infrastructure 56
  2.2 Security of third party access 69
  2.3 Outsourcing 83
3 Asset classification and control: Low 45
  3.1 Accountability for assets 73
  3.2 Information classification 14
4 Personnel security: Middle 54
  4.1 Security in job definition and resourcing 62
  4.2 User training 30
  4.3 Responding to security incidents and malfunctions 63
5 Physical and environmental security: High 78
  5.1 Secure areas 85
  5.2 Equipment site security 77
  5.3 General controls 47
6 Communications and operations management: High 76
  6.1 Operational procedures and responsibilities 78
  6.2 System planning and acceptance 87
  6.3 Protection against malicious software 82
  6.4 Housekeeping 80
  6.5 Network management 81
  6.6 Media handling and security 56
  6.7 Exchange of information and software 50
7 Access control: Middle 70
  7.1 Business requirements for access control 60
  7.2 User access management 78
  7.3 User responsibilities 65
  7.4 Network access control 74
  7.5 Operating system access control 64
  7.6 Application access control 80
  7.7 Monitoring system access and use 73
  7.8 Mobile computing and teleworking 60
8 System development and maintenance: Middle 71
  8.1 Security requirements of systems 75
  8.2 Security in application systems 65
  8.3 Cryptographic controls 48
  8.4 Security of system files 95
  8.5 Security in development and support processes 81
9 Business Continuity Management: Middle 56
  9.1 Aspects of business continuity 56
10 Compliance: Middle 57
  10.1 Compliance with legal requirements 63
  10.2 Review of security policy and technical compliance 47
  10.3 System audit consideration 50
Average InfoSec Status: 66
Chart (bar chart, scale 0 to 100, one bar per control area): Policy & Security Organization; Asset classification; Personnel Security; Physical security; Communication & operation; Access control; System Development; Business Continuity Management; Compliance
WalterFumysiemenscom - 24-Sep-04 - page 13
ITU-T
ConclusionSecurity Architectures amp Protocols
IPSec and TLS are well-established security protocolstransition from DES to AES (at moderate speed)
WEP is a weak security protocolConfidentiality data integrity amp access control are not preserved when using WEPVPN and other solutions can be used on top of WEP80211i (RSN) overcomes the vulnerabilities of WEPWPA serves as intermediate solution
Definition of NGN security architecture at the beginning(ETSI TISPAN)
Trend from security as an add-on to integrated security solutions
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis

Hierarchical Security Management Model (SC 27 View)
Layers of the model: Overall Guide; Principles; Terminology; Element Standards; Toolbox of Techniques; Application Guides and Supplements.
- Information Security Mgt System (NP)
- ISM Metrics & Measurements (NP)
- Code of Practice for ISM (IS 17799 | ITU-T X)
- MICTS-1: Models and concepts
- MICTS-2: Risk management
- Information Security Management Principles
- SC 27 SD 6, updated and harmonized; ISO Guide 73
- Information Security Mgt Framework
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Info Security Incident Management (TR 18044)
- Guidelines for TTP Services (IS 14516 | ITU-T X.842)
- Healthcare ISMS Guide (TC 215)
- T-ISMS: Telecom ISMS Guide (ITU-T X.1051)
- ISO 19011 Auditing
- Financial ISMS Guide (TC 68)

ISO/IEC 17799: Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets, etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
- Based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas:
- Security Policy
- Security Organization
- Asset Control & Classification
- Personnel Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Systems Development & Maintenance
- Business Continuity Management
- Compliance

Example Scorecard: GAP Analysis IT Security
Scores per ISO 17799 control area (rating and score on a 0-100 scale) and per sub-area:
1  Information security policy                           Middle  54
   1.1  Documentation of the security policy                      54
2  Security organization                                 Middle  61
   2.1  Information security infrastructure                       56
   2.2  Security of third party access                            69
   2.3  Outsourcing                                               83
3  Asset classification and control                      Low     45
   3.1  Accountability for assets                                 73
   3.2  Information classification                                14
4  Personnel security                                    Middle  54
   4.1  Security in job definition and resourcing                 62
   4.2  User training                                             30
   4.3  Responding to security incidents and malfunctions         63
5  Physical and environmental security                   High    78
   5.1  Secure areas                                              85
   5.2  Equipment site security                                   77
   5.3  General controls                                          47
6  Communications and operations management              High    76
   6.1  Operational procedures and responsibilities               78
   6.2  System planning and acceptance                            87
   6.3  Protection against malicious software                     82
   6.4  Housekeeping                                              80
   6.5  Network management                                        81
   6.6  Media handling and security                               56
   6.7  Exchange of information and software                      50
7  Access control                                        Middle  70
   7.1  Business requirements for access control                  60
   7.2  User access management                                    78
   7.3  User responsibilities                                     65
   7.4  Network access control                                    74
   7.5  Operating system access control                           64
   7.6  Application access control                                80
   7.7  Monitoring system access and use                          73
   7.8  Mobile computing and teleworking                          60
8  System development and maintenance                    Middle  71
   8.1  Security requirements of systems                          75
   8.2  Security in application systems                           65
   8.3  Cryptographic controls                                    48
   8.4  Security of system files                                  95
   8.5  Security in development and support processes             81
9  Business Continuity Management                        Middle  56
   9.1  Aspects of business continuity                            56
10 Compliance                                            Middle  57
   10.1 Compliance with legal requirements                        63
   10.2 Review of security policy and technical compliance        47
   10.3 System audit consideration                                50
Average InfoSec Status: 66
[Bar chart of the control-area scores on a 0-100 scale: Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance.]

Standards – Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA – National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards:
  - NSTISSI-4011 – INFOSEC Professionals
  - NSTISSI-4012 – Designated Approving Authority
  - NSTISSI-4013 – System Administrators in Information Systems Security
  - NSTISSI-4014 – Information Systems Security Officers (ISSO)
  - NSTISSI-4015 – System Certifiers
  www.nsa.gov

Standards – Awareness, Training & Education
- NIST – National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
  - SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  - SP 800-50 "Building an IT Security Awareness and Training Program"
  http://csrc.nist.gov

Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems – Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827), procedural guidelines (e.g. TR 18044), catalogues of controls (e.g. IS 17799)

Cyber Security Standardization Initiatives

Example: Cyber Security Standard for Electricity Sector
- Developed by North American Electric Reliability Council (NERC)
- NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard
- NERC Urgent Action Standard 1200: Cyber Security
  - approved June 2003; in effect for one year, with possible one-year extension
  - NERC Board of Trustees approved one-year extension effective August 13, 2004
  - to be replaced with permanent standard via ANSI Standard Authorization process
  - compliance with this standard will be evaluated in the first quarter of 2005

ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003
- Facilitate the development and enhancement of homeland security standards
- Serve as private/public sector forum for standards issues that cut cross-sector
- Co-chairs provided by industry and government
- A forum for information sharing on HS standards issues
- Does not itself develop standards
http://www.ansi.org/hssp

ISO Technical Management Board: Advisory Group on Security
The ISO/TMB Advisory Group will
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of: private sector emergency preparedness and business continuity; identification techniques, including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004

ENISA – European Network & Information Security Agency
Objectives:
- to facilitate the application of European Community measures relating to network and information security
- to help ensure the interoperability of security functions in networks and information systems
- to enhance the capability of the Community and the Member States to respond to network and information security problems
Established in March 2004; situated on a Greek island
www.enisa.eu.int
Conference on Network & Information Security: "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27/28 October 2004

Conclusion
"The good thing about standards is there are so many to choose from."
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations needed

Annex: ISO/IEC JTC 1/SC 27 "IT Security Techniques"

SC 27 – "IT Security Techniques"
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products
Organization of ISO/IEC JTC 1/SC 27 "Information technology – Security techniques":
- Chair: Mr W. Fumy; Vice-Chair: Ms M. De Soete
- SC 27 Secretariat: DIN, Ms K. Passia
- Working Group 1: Requirements, services, guidelines – Convener: Mr T. Humphreys
- Working Group 2: Security techniques and mechanisms – Convener: Mr K. Naemura
- Working Group 3: Security evaluation criteria – Convener: Mr M. Ohlin

Membership of SC 27
Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote
O-members of SC 27 (total 11): Argentina; Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
*) new SC 27 members

Security Guidelines – SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Op & Mgt of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799 | ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)

Cryptographic Techniques – SC 27 Standards
Areas: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation.
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Check Character Systems (IS 7064)
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Data Encapsulation (IS 19772)
- Register of Algorithms (IS 9979)
- Random Bit Generation (IS 8031)
- Prime Number Generation (IS 8032)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Biometric Template Protection (NP)

Security Evaluation – SC 27 Standards
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Methodology for IT Security Evaluation (IS 18045)
- Framework for IT Security Assurance (TR 15443)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Security Requirements for Cryptographic Modules (TR 19790)
- Security Assessment of Operational Systems (TR 19791)
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
- Systems Security Engineering – Capability Maturity Model (IS 21827)

New Projects
- IS 9798 Entity authentication mechanisms – Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management – Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (1999)
  - next ICC conference: 28.9. – 30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)

NP & PAS Ballots
NP Ballots:
- Information Security Management System (ISMS)
- Information security management metrics and measurements
- Biometric template protection
- ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot:
- DIS 20886 International Security, Trust and Privacy Alliance – Privacy Framework [ballot ends 2004-12-11]

Selected Collaboration
[Diagram: SC 27 work areas (Security Guidelines, Security Techniques, Security Evaluation, Secure Communications & Security Infrastructure, Secure Applications) and collaborating bodies: SC 37, SC 17, TC 68, CCDB, ITU-T Q.10/SG 17.]

SC 27 Collaboration: ITU-T SG 17, Q.10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17, the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
- Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)

Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR)
More Information & Contact:
- SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com

Any Questions?
WalterFumysiemenscom - 24-Sep-04 - page 14
ITU-T
Cyber Security Standardization
Cryptographic MechanismsSecurity Architectures amp ProtocolsSecurity Management Awareness amp Education
WalterFumysiemenscom - 24-Sep-04 - page 15
ITU-T
Information Security Management SystemKey Principles
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
Information Security Management System: Key Principles (diagram)
Elements shown: Corporate Information Security Policy; Information Security Management; Information Security Risks; People; Processes; Technology; Education & Awareness; Policies, Standards, Framework; Existing Processes, Technical Controls
Best Practice ISMS Model (PDCA: Plan-Do-Check-Act) (diagram)
Management System Framework: Corporate Information Security Policy; Information Security Management; Information Security Risks; People; Processes; Technology; Education & Awareness; Policies, Standards, Framework; Existing Processes, Technical Controls
Policies, Standards & Procedures: managing & protecting people, business processes & applications, procedures, information, communications, networks
ISMS Processes (ISMS Operational Management): Audit & Review; Business Continuity Mgmt; Change Management; Education & Awareness; Incident Management; Monitoring & Reporting; Risk Analysis & Risk Mgmt; Security Operations Mgmt
Events: security incidents, suspected weaknesses, malfunctions; audit observations, testing findings, spot check findings
Event handling: Recording and analysis; Review and update ISMS
Outputs: 'Evidential' documentation; Report(s) into Forum(s); Review & Audit
Hierarchical Security Management Model (SC 27 View) (diagram)
Layers: Principles; Terminology; Overall Guide; Element Standards; Application Guides and Supplements; Toolbox of Techniques
Documents placed in the model:
- Information Security Management Principles
- SC 27 SD 6 (updated and harmonized); ISO Guide 73
- Information Security Mgt Framework; MICTS-1 Models and concepts; MICTS-2 Risk management
- Information Security Mgt System (NP); ISM Metrics & Measurements (NP); Code of Practice for ISM (IS 17799 | ITU-T X)
- IT Network Security (IS 18028 | ITU-T X); IT Intrusion Detection Framework (TR 15947); Info Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516 | ITU-T X.842)
- Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68); ISO 19011 Auditing
ISO/IEC 17799:2000 Code of practice for information security management
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, ...
- Based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas: Security Policy; Security Organization; Asset Control & Classification; Personnel Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Systems Development & Maintenance; Business Continuity Management; Compliance
Example Scorecard: GAP Analysis IT Security (ISO 17799 control areas, scores 0-100)
1 Information security policy: Middle, 54
  1.1 Documentation of the security policy: 54
2 Security organization: Middle, 61
  2.1 Information security infrastructure: 56
  2.2 Security of third party access: 69
  2.3 Outsourcing: 83
3 Asset classification and control: Low, 45
  3.1 Accountability for assets: 73
  3.2 Information classification: 14
4 Personnel security: Middle, 54
  4.1 Security in job definition and resourcing: 62
  4.2 User training: 30
  4.3 Responding to security incidents and malfunctions: 63
5 Physical and environmental security: High, 78
  5.1 Secure areas: 85
  5.2 Equipment site security: 77
  5.3 General controls: 47
6 Communications and operations management: High, 76
  6.1 Operational procedures and responsibilities: 78
  6.2 System planning and acceptance: 87
  6.3 Protection against malicious software: 82
  6.4 Housekeeping: 80
  6.5 Network management: 81
  6.6 Media handling and security: 56
  6.7 Exchange of information and software: 50
7 Access control: Middle, 70
  7.1 Business requirements for access control: 60
  7.2 User access management: 78
  7.3 User responsibilities: 65
  7.4 Network access control: 74
  7.5 Operating system access control: 64
  7.6 Application access control: 80
  7.7 Monitoring system access and use: 73
  7.8 Mobile computing and teleworking: 60
8 System development and maintenance: Middle, 71
  8.1 Security requirements of systems: 75
  8.2 Security in application systems: 65
  8.3 Cryptographic controls: 48
  8.4 Security of system files: 95
  8.5 Security in development and support processes: 81
9 Business Continuity Management: Middle, 56
  9.1 Aspects of business continuity: 56
10 Compliance: Middle, 57
  10.1 Compliance with legal requirements: 63
  10.2 Review of security policy and technical compliance: 47
  10.3 System audit consideration: 50
Average InfoSec Status: 66
[Bar chart: area scores on a 0-100 scale for Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance]
Standards – Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA – National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards:
  NSTISSI-4011 – INFOSEC Professionals
  NSTISSI-4012 – Designated Approving Authority
  NSTISSI-4013 – System Administrators in Information Systems Security
  NSTISSI-4014 – Information Systems Security Officers (ISSO)
  NSTISSI-4015 – System Certifiers
  www.nsa.gov
Standards – Awareness, Training & Education (continued)
- NIST – National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
  SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  SP 800-50 "Building an IT Security Awareness and Training Program"
  http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks.
- Today there is no internationally recognized Information Security Management System (ISMS) standard:
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems – Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany);
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827), procedural guidelines (e.g. TR 18044), catalogues of controls (e.g. IS 17799).
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for the Electricity Sector
- Developed by the North American Electric Reliability Council (NERC); the NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated an "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard.
- NERC Urgent Action Standard 1200 Cyber Security: approved June 2003, in effect for one year with possible one-year extension; the NERC Board of Trustees approved a one-year extension effective August 13, 2004.
- To be replaced with a permanent standard via the ANSI Standard Authorization process; compliance with this standard will be evaluated in the first quarter of 2005.
ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003.
- Facilitates the development and enhancement of homeland security standards; serves as a private/public sector forum for standards issues that cut across sectors.
- Co-chairs provided by industry and government; a forum for information sharing on HS standards issues; does not itself develop standards.
- http://www.ansi.org/hssp
ISO Technical Management Board: Advisory Group on Security
The ISO/TMB Advisory Group will:
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of: private sector emergency preparedness and business continuity; identification techniques including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA – European Network & Information Security Agency
Objectives:
- to facilitate the application of European Community measures relating to network and information security
- to help ensure the interoperability of security functions in networks and information systems
- to enhance the capability of the Community and the Member States to respond to network and information security problems
Established in March 2004; situated on a Greek island; www.enisa.eu.int
Conference on Network & Information Security "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from."
- A substantial number of cyber security standards is available or currently under development.
- There are initiatives at both national and international levels to identify gaps and to recommend actions.
- Improved collaboration and harmonization between standards organizations is needed.
Annex: ISO/IEC JTC 1/SC 27 "IT Security Techniques"
SC 27 – "IT Security Techniques"
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products
Organization (chart):
ISO/IEC JTC 1/SC 27 Information technology – Security techniques: Chair Mr W. Fumy; Vice-Chair Ms M. De Soete; Secretariat DIN, Ms K. Passia
- Working Group 1: Requirements, services, guidelines – Convener Mr T. Humphreys
- Working Group 2: Security techniques and mechanisms – Convener Mr K. Naemura
- Working Group 3: Security evaluation criteria – Convener Mr M. Ohlin
Membership of SC 27
Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote.
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote.
O-members of SC 27 (total 11): Argentina, Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
(New SC 27 members were marked on the original slide.)
Security Guidelines – SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
- IT Network Security (IS 18028 | ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Operation & Management of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799 | ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques – SC 27 Standards (grouped by the slide's headings)
- Cryptographic Protocols: Entity Authentication (IS 9798); Key Management (IS 11770); Non-Repudiation (IS 13888); Time Stamping Services (IS 18014)
- Message Authentication: Message Authentication Codes (IS 9797); Hash Functions (IS 10118); Check Character Systems (IS 7064)
- Digital Signatures: Signatures giving Message Recovery (IS 9796); Signatures with Appendix (IS 14888)
- Encryption & Modes of Operation: Encryption (IS 18033); Modes of Operation (IS 10116); Data Encapsulation (IS 19772)
- Parameter Generation: Random Bit Generation (IS 18031); Prime Number Generation (IS 18032)
- Also shown: Register of Algorithms (IS 9979); Cryptographic Techniques based on Elliptic Curves (IS 15946); Biometric Template Protection (NP)
Security Evaluation – SC 27 Standards
- Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
- Methodology for IT Security Evaluation (IS 18045)
- Guide on the Production of Protection Profiles & Security Targets (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Framework for IT Security Assurance (TR 15443)
- Systems Security Engineering – Capability Maturity Model (IS 21827)
- Security Requirements for Cryptographic Modules (TR 19790)
- Security Assessment of Operational Systems (TR 19791)
- Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
New Projects
- IS 9798 Entity authentication mechanisms – Part 6: Entity authentication based on manual data transfer
- IS 11770 Key management – Part 4: Key establishment mechanisms based on weak secrets
- IS 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- IS 19792 A framework for security evaluation and testing of biometric technology
- 2nd edition of IS 15408 Evaluation criteria for IT Security (current edition: 1999); next ICC conference 28.9. – 30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 16
ITU-T
Best Practice ISMS Model(PDCA Plan-Do-Check-Act)
Report(s)into Forum(s)
lsquoEvidentialrsquodocumentation
Policies Standards
amp Procedures
managing amp protectingpeople business
processes amp applications procedures information
communications networks
Review amp Audit
People
CorporateInformation Security Policy
Information Security Management
Information Security Risks
Processes
Technology
Education ampAwareness
Policies Standards FrameworkExisting
ProcessesTechnicalControls
Audit amp ReviewBusiness Continuity MgmtChange ManagementEducation amp AwarenessIncident ManagementMonitoring amp ReportingRisk Analysis amp Risk MgmtSecurity Operations Mgmt
ISMS Processes
ISM
S O
pera
tiona
l Man
agem
ent
Man
agem
ent S
yste
m F
ram
ewor
k
Security incidentsSuspected weaknessesMalfunctions
Events
Audit observationsTesting findingsSpot check findings
Review and update ISMS
Recording and analysis
WalterFumysiemenscom - 24-Sep-04 - page 17
ITU-T
Hierarchical Security Management Model(SC 27 View)
Application Guidesand Supplements
Element Standards
Principles
Overall Guide
Terminology
Toolbox ofTechniques
Information Security Mgt
System(NP)
ISM Metrics amp Measurements
(NP)
Code of Practice for
ISM (IS 17799 ITU-T X)
MICTS-1Models and
concepts
MICTS-2Risk
management
InformationSecurity Management
Principles
SC 27 SD 6Updated and harmonized
ISO Guide 73
InformationSecurity MgtFramework
IT Network Security
(IS 18028 ITU-T X)
IT Intrusion Detection
Framework(TR 15947)
Info Security Incident
Management(TR 18044)
Guidelines for TTP Services
(IS 14516 ITU-T X842)
Healthcare ISMS Guide
(TC 215)
T-ISMS Telecom ISMS
Guide (ITU-T X1051)
ISO 19011Auditing
Financial ISMS Guide (TC 68)
WalterFumysiemenscom - 24-Sep-04 - page 18
ITU-T
ISOIEC 17799 Code of practice for information security management 2000
Guide for managing risk and development of a management system for
managing people business processes amp applications procedures information communications networks operations legal 3rd party services compliance contractual obligations physical assets etc
Developing information security assurance
organisational assurance business partner and third party supplier assurance hellip
based on BS 7799-12nd edition expected for 2005
ISO 17799 Control AreasSecurity PolicySecurity OrganizationAsset Control amp ClassificationPersonnel SecurityPhysical amp Environmental SecurityCommunications amp Operations ManagementAccess ControlSystems Development amp MaintenanceBusiness Continuity ManagementCompliance
WalterFumysiemenscom - 24-Sep-04 - page 19
ITU-T1 Information security policy
Middle 54 6 Communications and operations management High 76
8 System developement and maintenance Middle 71
11 Documentation of the security policy 54
61 Operational procedures and responsibilities 78
81 Security requirements of systems75
2 Security organizationMiddle 61
62 Systemplanning and acceptance87
82 Security in application systems65
21 Information security infrastructure56
63 Protection against malicious software 82
83 Cryptographic controls48
22 Security of third party access69
64 Housekeeping80
84 Security of system files95
23 Outsourcing83
65 Network management81
85 Security in development and support processes 81
3 Asset classification and controlLow 45
66 Media handling and security56
9 Business Continuity Management Middle 56
31 Accountability for assets73
67 Exchange of information and software 50
91 Aspects of business continuity56
32 Information classification14
7 Access controlMiddle 70
10 ComplianceMiddle 57
4 Personnel securityMiddle 54
71 Business requirements for access control 60
101 Compliance with legal requirements 63
41 Security in job definition and resourcing 62
72 User access management78
102 Review of security policy and technical compliance 47
42 User training30
73 User responsibilities65
103 System audit consideration50
43 Responding to security incidents and malfunctions 63
74 Network access control74
5 Physical and environmental security High 78
75 Operating system access control64
51 Secure areas85
76 Application access control80 Average InfoSec Status 66
52 Equipment site security77
77 Monitoring system access and use73
53 General controls47
78 Mobile computing and teleworking60
0
25
50
75
100Policy amp Security Organization
Asset classif ication
Personnel Security
Physical security
Communication amp operationAccess control
System Development
Business ContinuityManagement
ComplianceExample Scorecard GAP Analysis IT Security
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 Collaboration with ITU-T SG 17 / Q10
- ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
- within SG 17, the Rapporteur for Q10/17 has been identified as the coordinator for CSS activities
- close collaboration between SC 27 and Q10/17 in order to progress common or twin-text documents and to publish common standards:
  - ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  - ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  - ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  - ISO/IEC 18028 IT Network Security (= ITU-T X)
  - ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
- SC 27 is responsible for > 60 projects, including 26 active projects
- Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR)
More Information & Contact
- SC 27 web page (scope, organization, work items etc.): http://www.ni.din.de/sc27
- Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
Hierarchical Security Management Model (SC 27 View)
[Layered diagram, reconstructed as a list: Principles, Terminology, Overall Guide, Element Standards, Application Guides and Supplements, with a Toolbox of Techniques alongside]
- Principles: Information Security Management Principles
- Terminology: SC 27 SD 6, updated and harmonized with ISO Guide 73
- Overall Guide: Information Security Management Framework – MICTS-1 Models and concepts; MICTS-2 Risk management
- Element Standards: Information Security Management System (NP); ISM Metrics & Measurements (NP); Code of Practice for ISM (IS 17799, ITU-T X); IT Network Security (IS 18028, ITU-T X); IT Intrusion Detection Framework (TR 15947); Information Security Incident Management (TR 18044); Guidelines for TTP Services (IS 14516, ITU-T X.842)
- Application Guides and Supplements: Healthcare ISMS Guide (TC 215); T-ISMS Telecom ISMS Guide (ITU-T X.1051); Financial ISMS Guide (TC 68); ISO 19011 Auditing
- Toolbox of Techniques
ISO/IEC 17799 Code of practice for information security management (2000)
- Guide for managing risk and development of a management system for managing people, business processes & applications, procedures, information, communications, networks, operations, legal, 3rd party services, compliance, contractual obligations, physical assets, etc.
- Developing information security assurance: organisational assurance, business partner and third party supplier assurance, …
- based on BS 7799-1; 2nd edition expected for 2005
ISO 17799 Control Areas:
- Security Policy
- Security Organization
- Asset Control & Classification
- Personnel Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Systems Development & Maintenance
- Business Continuity Management
- Compliance
Example Scorecard: GAP Analysis IT Security
(ISO 17799 control areas with rating and score, 0–100; sub-controls with score)

1 Information security policy: Middle, 54
  1.1 Documentation of the security policy: 54
2 Security organization: Middle, 61
  2.1 Information security infrastructure: 56
  2.2 Security of third party access: 69
  2.3 Outsourcing: 83
3 Asset classification and control: Low, 45
  3.1 Accountability for assets: 73
  3.2 Information classification: 14
4 Personnel security: Middle, 54
  4.1 Security in job definition and resourcing: 62
  4.2 User training: 30
  4.3 Responding to security incidents and malfunctions: 63
5 Physical and environmental security: High, 78
  5.1 Secure areas: 85
  5.2 Equipment site security: 77
  5.3 General controls: 47
6 Communications and operations management: High, 76
  6.1 Operational procedures and responsibilities: 78
  6.2 System planning and acceptance: 87
  6.3 Protection against malicious software: 82
  6.4 Housekeeping: 80
  6.5 Network management: 81
  6.6 Media handling and security: 56
  6.7 Exchange of information and software: 50
7 Access control: Middle, 70
  7.1 Business requirements for access control: 60
  7.2 User access management: 78
  7.3 User responsibilities: 65
  7.4 Network access control: 74
  7.5 Operating system access control: 64
  7.6 Application access control: 80
  7.7 Monitoring system access and use: 73
  7.8 Mobile computing and teleworking: 60
8 System development and maintenance: Middle, 71
  8.1 Security requirements of systems: 75
  8.2 Security in application systems: 65
  8.3 Cryptographic controls: 48
  8.4 Security of system files: 95
  8.5 Security in development and support processes: 81
9 Business Continuity Management: Middle, 56
  9.1 Aspects of business continuity: 56
10 Compliance: Middle, 57
  10.1 Compliance with legal requirements: 63
  10.2 Review of security policy and technical compliance: 47
  10.3 System audit consideration: 50

Average InfoSec Status: 66

[Bar chart: score per control area on a 0–100 scale: Policy & Security Organization; Asset classification; Personnel Security; Physical security; Communication & operation; Access control; System Development; Business Continuity Management; Compliance]
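As an added example (not part of the slide deck), the following Python script turns the scorecard above into the artefact a gap analysis is actually run from: it computes the overall status as the mean of all sub-control scores (which reproduces the slide's 66), lists the controls under a remediation threshold weakest first, and checks a set of rating bands against the Low/Middle/High labels on the slide. The numbers are the slide's own; the band thresholds (Low below 50, Middle 50 to 75, High 76 and above) are an assumption inferred from those labels, not stated on the slide.

```python
"""Gap analysis over an ISO/IEC 17799:2000 control scorecard.

Added example, not from the original slide deck. The scores are the ones
shown on the "Example Scorecard: GAP Analysis IT Security" slide; the
rating bands in band() are an assumption inferred from the slide's labels.
"""
from statistics import mean

# Scorecard as shown on the slide:
# area number -> (area name, slide rating, area score,
#                 [(control id, control name, control score), ...])
SCORECARD = {
    1: ("Information security policy", "Middle", 54, [
        ("1.1", "Documentation of the security policy", 54)]),
    2: ("Security organization", "Middle", 61, [
        ("2.1", "Information security infrastructure", 56),
        ("2.2", "Security of third party access", 69),
        ("2.3", "Outsourcing", 83)]),
    3: ("Asset classification and control", "Low", 45, [
        ("3.1", "Accountability for assets", 73),
        ("3.2", "Information classification", 14)]),
    4: ("Personnel security", "Middle", 54, [
        ("4.1", "Security in job definition and resourcing", 62),
        ("4.2", "User training", 30),
        ("4.3", "Responding to security incidents and malfunctions", 63)]),
    5: ("Physical and environmental security", "High", 78, [
        ("5.1", "Secure areas", 85),
        ("5.2", "Equipment site security", 77),
        ("5.3", "General controls", 47)]),
    6: ("Communications and operations management", "High", 76, [
        ("6.1", "Operational procedures and responsibilities", 78),
        ("6.2", "System planning and acceptance", 87),
        ("6.3", "Protection against malicious software", 82),
        ("6.4", "Housekeeping", 80),
        ("6.5", "Network management", 81),
        ("6.6", "Media handling and security", 56),
        ("6.7", "Exchange of information and software", 50)]),
    7: ("Access control", "Middle", 70, [
        ("7.1", "Business requirements for access control", 60),
        ("7.2", "User access management", 78),
        ("7.3", "User responsibilities", 65),
        ("7.4", "Network access control", 74),
        ("7.5", "Operating system access control", 64),
        ("7.6", "Application access control", 80),
        ("7.7", "Monitoring system access and use", 73),
        ("7.8", "Mobile computing and teleworking", 60)]),
    8: ("System development and maintenance", "Middle", 71, [
        ("8.1", "Security requirements of systems", 75),
        ("8.2", "Security in application systems", 65),
        ("8.3", "Cryptographic controls", 48),
        ("8.4", "Security of system files", 95),
        ("8.5", "Security in development and support processes", 81)]),
    9: ("Business continuity management", "Middle", 56, [
        ("9.1", "Aspects of business continuity", 56)]),
    10: ("Compliance", "Middle", 57, [
        ("10.1", "Compliance with legal requirements", 63),
        ("10.2", "Review of security policy and technical compliance", 47),
        ("10.3", "System audit consideration", 50)]),
}


def band(score):
    """Rating band for a score. Thresholds are an assumption (see docstring)."""
    if score < 50:
        return "Low"
    if score <= 75:
        return "Middle"
    return "High"


def overall_status(scorecard=SCORECARD):
    """Mean over all individual control scores, rounded as on the slide."""
    scores = [s for _, _, _, ctrls in scorecard.values() for _, _, s in ctrls]
    return round(mean(scores))


def control_gaps(threshold=50, scorecard=SCORECARD):
    """Controls scoring below the threshold, weakest first: the remediation list."""
    found = [(cid, name, s) for _, _, _, ctrls in scorecard.values()
             for cid, name, s in ctrls if s < threshold]
    return sorted(found, key=lambda t: t[2])


def area_bands(scorecard=SCORECARD):
    """(area, slide rating, computed band) so the assumed thresholds can be checked."""
    return [(n, rating, band(score))
            for n, (_, rating, score, _) in scorecard.items()]


if __name__ == "__main__":
    print("Average InfoSec Status:", overall_status())
    for cid, name, s in control_gaps():
        print(f"gap {cid} {name}: {s}")
    for n, rating, computed in area_bands():
        print(f"area {n}: slide={rating} computed={computed}")
```

Running it gives 66 for the overall status and flags 3.2, 4.2, 5.3, 10.2 and 8.3 as gaps. One caveat when reading the slide: its area scores are not the plain means of their sub-controls (area 2's three controls average 69 while the slide shows 61), so they were presumably weighted; the script keeps the slide's area values and only derives the overall figure and the gap list itself.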
Standards – Awareness, Training & Education
- National Colloquium for Information Systems Security Education: created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia; annual conference in June; www.ncisse.org
- NSA – National Information Assurance Education and Training Program (NIETP)
- CNSS (Committee on National Security Systems) training & education standards:
  - NSTISSI-4011 – INFOSEC Professionals
  - NSTISSI-4012 – Designated Approving Authority
  - NSTISSI-4013 – System Administrators in Information Systems Security
  - NSTISSI-4014 – Information Systems Security Officers (ISSO)
  - NSTISSI-4015 – System Certifiers
  www.nsa.gov
Standards – Awareness, Training & Education (continued)
- NIST – National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center
  - SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  - SP 800-50 "Building an IT Security Awareness and Training Program"
  http://csrc.nist.gov
Conclusion: Security Management, Awareness & Education
- Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
- Today there is no internationally recognized Information Security Management System (ISMS) standard
  - there are a number of ISMS standards at a national or regional level, including BS 7799-2 Information security management systems – Specification with guidance for use (UK) and the IT Baseline Protection Manual (Germany)
  - there are international standards that cover certain elements of an ISMS: process guidelines (e.g. IS 13335, IS 21827), procedural guidelines (e.g. TR 18044), catalogues of controls (e.g. IS 17799)
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for the Electricity Sector
- developed by the North American Electric Reliability Council (NERC)
- the NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated an "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard: NERC Urgent Action Standard 1200, Cyber Security
- approved June 2003, in effect for one year with possible one-year extension
- NERC Board of Trustees approved a one-year extension effective August 13, 2004
- to be replaced with a permanent standard via the ANSI Standard Authorization process; compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
- Formation of ANSI-HSSP announced February 2003
- Facilitate the development and enhancement of homeland security standards
- Serve as private/public sector forum for standards issues that cut across sectors
- Co-chairs provided by industry and government
- A forum for information sharing on HS standards issues; does not itself develop standards
http://www.ansi.org/hssp
ISO Technical Management Board – Advisory Group on Security
The ISO/TMB Advisory Group will
- conduct a review of existing ISO deliverables related to the field of security, including the subjects of: private sector emergency preparedness and business continuity; identification techniques, including biometrics; emergency communications; risk assessment; cyber security
- assess the needs of all relevant stakeholders for international security standards
- assess relevant standards developed by other organizations
- recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
- submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA – European Network & Information Security Agency
Objectives:
- to facilitate the application of European Community measures relating to network and information security
- to help ensure the interoperability of security functions in networks and information systems
- to enhance the capability of the Community and the Member States to respond to network and information security problems
Established in March 2004; situated on a Greek island
www.enisa.eu.int
Conference on Network & Information Security "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27–28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from"
- A substantial number of cyber security standards is available or currently under development
- There are initiatives at both national and international levels to identify gaps and to recommend actions
- Improved collaboration and harmonization between standards organizations is needed
Annex: ISO/IEC JTC 1/SC 27 "IT Security Techniques"
SC 27 – "IT Security Techniques"
Standardization of generic IT security services and techniques, including:
- identification of generic requirements for IT system security services
- development of security techniques and mechanisms (cryptographic and non-cryptographic)
- development of security guidelines
- development of management support documentation and standards
- development of criteria for IT security evaluation and certification of IT systems, components and products
Organization of ISO/IEC JTC 1/SC 27 Information technology – Security techniques:
- Chair: Mr W. Fumy; Vice-Chair: Ms M. De Soete
- SC 27 Secretariat: DIN, Ms K. Passia
- Working Group 1, Requirements, services, guidelines – Convener: Mr T. Humphreys
- Working Group 2, Security techniques and mechanisms – Convener: Mr K. Naemura
- Working Group 3, Security evaluation criteria – Convener: Mr M. Ohlin
Membership of SC 27
Participating membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote.
P-members of SC 27 (total 31): South Africa, Kenya; Brazil, Canada, USA; Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore; Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote.
O-members of SC 27 (total 11): Argentina, Indonesia; Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
*) new SC 27 members
Security Guidelines – SC 27 Standards
- Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
- TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
- IT Network Security (IS 18028, ITU-T X)
- IT Intrusion Detection Framework (TR 15947)
- Guidelines for the Implementation, Operation & Management of ID Systems (IS 18043)
- GMITS: Management of ICT Security (TR 13335)
- Information Security Incident Management (TR 18044)
- Code of Practice for Information Security Management (IS 17799, ITU-T X)
- ISMS Requirements Specification (NP)
- Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques – SC 27 Standards
[Diagram grouped by technique family, reconstructed as a list]
- Cryptographic Protocols: Entity Authentication (IS 9798); Key Management (IS 11770); Non-Repudiation (IS 13888); Time Stamping Services (IS 18014)
- Message Authentication: Message Authentication Codes (IS 9797); Hash Functions (IS 10118); Check Character Systems (IS 7064)
- Digital Signatures: Signatures giving Message Recovery (IS 9796); Signatures with Appendix (IS 14888); Cryptographic Techniques based on Elliptic Curves (IS 15946)
- Encryption & Modes of Operation: Encryption (IS 18033); Modes of Operation (IS 10116); Data Encapsulation (IS 19772); Register of Algorithms (IS 9979)
- Parameter Generation: Random Bit Generation (IS 8031); Prime Number Generation (IS 8032)
- Biometric Template Protection (NP)
Walter.Fumy@siemens.com - 24-Sep-04 - page 19
Example Scorecard: GAP Analysis IT Security

No.   Control area                                          Rating   Score
1     Information security policy                           Middle   54
1.1   Documentation of the security policy                           54
2     Security organization                                 Middle   61
2.1   Information security infrastructure                            56
2.2   Security of third party access                                 69
2.3   Outsourcing                                                    83
3     Asset classification and control                      Low      45
3.1   Accountability for assets                                      73
3.2   Information classification                                     14
4     Personnel security                                    Middle   54
4.1   Security in job definition and resourcing                      62
4.2   User training                                                  30
4.3   Responding to security incidents and malfunctions              63
5     Physical and environmental security                   High     78
5.1   Secure areas                                                   85
5.2   Equipment site security                                        77
5.3   General controls                                               47
6     Communications and operations management              High     76
6.1   Operational procedures and responsibilities                    78
6.2   System planning and acceptance                                 87
6.3   Protection against malicious software                          82
6.4   Housekeeping                                                   80
6.5   Network management                                             81
6.6   Media handling and security                                    56
6.7   Exchange of information and software                           50
7     Access control                                        Middle   70
7.1   Business requirements for access control                       60
7.2   User access management                                         78
7.3   User responsibilities                                          65
7.4   Network access control                                         74
7.5   Operating system access control                                64
7.6   Application access control                                     80
7.7   Monitoring system access and use                               73
7.8   Mobile computing and teleworking                               60
8     System development and maintenance                    Middle   71
8.1   Security requirements of systems                               75
8.2   Security in application systems                                65
8.3   Cryptographic controls                                         48
8.4   Security of system files                                       95
8.5   Security in development and support processes                  81
9     Business Continuity Management                        Middle   56
9.1   Aspects of business continuity                                 56
10    Compliance                                            Middle   57
10.1  Compliance with legal requirements                             63
10.2  Review of security policy and technical compliance             47
10.3  System audit consideration                                     50

Average InfoSec Status: 66

[Bar chart, score scale 0 to 100, by area: Policy & Security Organization, Asset classification, Personnel Security, Physical security, Communication & operation, Access control, System Development, Business Continuity Management, Compliance]
Walter.Fumy@siemens.com - 24-Sep-04 - page 20
Standards – Awareness, Training & Education
National Colloquium for Information Systems Security Education
  created in 1997 to provide a forum for dialogue among leading figures in government, industry and academia
  annual conference in June
  www.ncisse.org
NSA - National Information Assurance Education and Training Program (NIETP)
  CNSS (Committee on National Security Systems) training & education standards
    NSTISSI-4011 - INFOSEC Professionals
    NSTISSI-4012 - Designated Approving Authority
    NSTISSI-4013 - System Administrators in Information Systems Security
    NSTISSI-4014 - Information Systems Security Officers (ISSO)
    NSTISSI-4015 - System Certifiers
  www.nsa.gov
Walter.Fumy@siemens.com - 24-Sep-04 - page 21
Standards – Awareness, Training & Education
NIST – National Institute of Standards and Technology
  Computer Security Division / Computer Security Resource Center
  SP 800-16 "IT Security Training Requirements: A Role- and Performance-Based Model"
  SP 800-50 "Building an IT Security Awareness and Training Program"
  http://csrc.nist.gov
Walter.Fumy@siemens.com - 24-Sep-04 - page 22
Conclusion: Security Management, Awareness & Education
Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
Today there is no internationally recognized Information Security Management System (ISMS) standard
  there are a number of ISMS standards at a national or regional level, including
    BS 7799-2 Information security management systems - Specification with guidance for use (UK)
    IT Baseline Protection Manual (Germany)
  there are international standards that cover certain elements of an ISMS
    process guidelines (e.g. IS 13335, IS 21827)
    procedural guidelines (e.g. TR 18044)
    catalogues of controls (e.g. IS 17799)
Walter.Fumy@siemens.com - 24-Sep-04 - page 23
Cyber Security Standardization Initiatives
Walter.Fumy@siemens.com - 24-Sep-04 - page 24
Example: Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)
  NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated "Urgent Action Standard Authorization Request" to establish a NERC Cyber Security Standard
NERC Urgent Action Standard 1200: Cyber Security
  approved June 2003; in effect for one year, with possible one-year extension
  NERC Board of Trustees approved one-year extension effective August 13, 2004
  to be replaced with permanent standard via ANSI Standard Authorization process
  compliance with this standard will be evaluated in the first quarter of 2005
Walter.Fumy@siemens.com - 24-Sep-04 - page 25
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003
  Facilitate the development and enhancement of homeland security standards
  Serve as private/public sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and government
A forum for information sharing on HS standards issues
Does not itself develop standards
http://www.ansi.org/hssp
Walter.Fumy@siemens.com - 24-Sep-04 - page 26
ISO Technical Management Board: Advisory Group on Security
The ISO/TMB Advisory Group will
  conduct a review of existing ISO deliverables related to the field of security, including the subjects of
    Private sector emergency preparedness and business continuity
    Identification techniques, including biometrics
    Emergency communications
    Risk assessment
    Cyber security
  assess the needs of all relevant stakeholders for international security standards
  assess relevant standards developed by other organizations
  recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
  submit a final report to the ISO/TMB and ISO Council by 31 December 2004
Walter.Fumy@siemens.com - 24-Sep-04 - page 27
ENISA – European Network & Information Security Agency
Objectives
  to facilitate the application of European Community measures relating to network and information security
  to help ensure the interoperability of security functions in networks and information systems
  to enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004; situated on Greek island
www.enisa.eu.int
Conference on Network & Information Security: "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27/28 October 2004
Walter.Fumy@siemens.com - 24-Sep-04 - page 28
Conclusion
"The good thing about standards is there are so many to choose from"
A substantial number of cyber security standards is available or currently under development
There are initiatives at both national and international levels to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Annex
ISO/IEC JTC 1/SC 27 "IT Security Techniques"
Walter.Fumy@siemens.com - 24-Sep-04 - page 30
SC 27 - "IT Security Techniques"
Standardization of generic IT security services and techniques, including
  identification of generic requirements for IT system security services
  development of security techniques and mechanisms (cryptographic and non-cryptographic)
  development of security guidelines
  development of management support documentation and standards
  development of criteria for IT security evaluation and certification of IT systems, components and products

Organization chart:
ISO/IEC JTC 1/SC 27 Information technology - Security techniques
  Chair: Mr W. Fumy
  Vice-Chair: Ms M. De Soete
  SC 27 Secretariat: DIN, Ms K. Passia
Working Group 1: Requirements, services, guidelines
  Convener: Mr T. Humphreys
Working Group 2: Security techniques and mechanisms
  Convener: Mr K. Naemura
Working Group 3: Security evaluation criteria
  Convener: Mr M. Ohlin
Walter.Fumy@siemens.com - 24-Sep-04 - page 31
Membership of SC 27
Participating Membership
  Obligation to take an active part in the work (e.g. to attend meetings, to vote)
  One Member Body per country (e.g. ANSI, IBN, BSI, DIN)
  Power of vote
P-members of SC 27 (total 31)
  South Africa, Kenya
  Brazil, Canada, USA
  Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore
  Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership
  Option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents)
  No power of vote
O-members of SC 27 (total 11)
  Argentina, Indonesia
  Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
*) new SC 27 members
Walter.Fumy@siemens.com - 24-Sep-04 - page 32
Security Guidelines – SC 27 Standards
  Guidelines on the Use & Management of TTP Services (IS 14516 | ITU-T X.842)
  TTP Services to Support Digital Signatures (IS 15945 | ITU-T X.843)
  IT Network Security (IS 18028 | ITU-T X.)
  IT Intrusion Detection Framework (TR 15947)
  Guidelines for the Implementation, Op. & Mgt. of ID Systems (IS 18043)
  GMITS: Management of ICT Security (TR 13335)
  Information Security Incident Management (TR 18044)
  Code of Practice for Information Security Management (IS 17799 | ITU-T X.)
  ISMS Requirements Specification (NP)
  Information Security Management Metrics and Measurements (NP)
Walter.Fumy@siemens.com - 24-Sep-04 - page 33
Cryptographic Techniques – SC 27 Standards
Areas: Cryptographic Protocols | Message Authentication | Digital Signatures | Encryption & Modes of Operation | Parameter Generation
  Entity Authentication (IS 9798)
  Key Mgt. (IS 11770)
  Encryption (IS 18033)
  Register of Algorithms (IS 9979)
  Modes of Operation (IS 10116)
  Hash Functions (IS 10118)
  Message Authentication Codes (IS 9797)
  Signatures giving Msg. Recovery (IS 9796)
  Non-Repudiation (IS 13888)
  Signatures with Appendix (IS 14888)
  Check Character Systems (IS 7064)
  Cryptographic Techniques based on Elliptic Curves (IS 15946)
  Time Stamping Services (IS 18014)
  Random Bit Generation (IS 8031)
  Prime Number Generation (IS 8032)
  Data Encapsulation (IS 19772)
  Biometric Template Protection (NP)
Walter.Fumy@siemens.com - 24-Sep-04 - page 34
Security Evaluation – SC 27 Standards
  Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
  Security Assessment of Operational Systems (TR 19791)
  Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
  Security Requirements for Cryptographic Modules (TR 19790)
  Protection Profile Registration Procedures (IS 15292)
  Framework for IT Security Assurance (TR 15443)
  Systems Security Engineering – Capability Maturity Model (IS 21827)
  Methodology for IT Security Evaluation (IS 18045)
  Guide on the Production of Protection Profiles & Security Targets (TR 15446)
Walter.Fumy@siemens.com - 24-Sep-04 - page 35
New Projects
IS 9798 Entity authentication mechanisms
  Part 6: Entity authentication based on manual data transfer
IS 11770 Key management
  Part 4: Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modules
TR 19791 Security assessment of operational systems
IS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security (1999)
  next ICC conference: 28.9. - 30.9.2004, Berlin
  www.commoncriteriaportal.org (under construction)
Walter.Fumy@siemens.com - 24-Sep-04 - page 36
NP & PAS Ballots
NP Ballots
  Information Security Management System (ISMS)
  Information security management metrics and measurements
  Biometric template protection
  ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot
  DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Walter.Fumy@siemens.com - 24-Sep-04 - page 37
Selected Collaboration
Areas: Security Guidelines | Security Techniques | Security Evaluation | Secure Communications & Security Infrastructure | Secure Applications
Partners: SC 37, SC 17, TC 68, CCDB, ITU-T Q.10/SG 17
Walter.Fumy@siemens.com - 24-Sep-04 - page 38
SC 27 Collaboration: ITU-T SG 17 / Q.10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
  within SG 17, the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards
  ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  ISO/IEC 18028 IT Network Security (= ITU-T X.)
  ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X.)
Walter.Fumy@siemens.com - 24-Sep-04 - page 39
Summary
SC 27 is responsible for > 60 projects, including 26 active projects
Between 1990 and today SC 27 has published
  32 ISO/IEC International Standards (IS)
  13 revised editions of International Standards
  6 ISO/IEC Technical Reports (TR)
More Information & Contact
  SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
  Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
  SC 27 Secretariat: Krystyna.Passia@din.de
  SC 27 Chairman: Walter.Fumy@siemens.com
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Any Questions?
WalterFumysiemenscom - 24-Sep-04 - page 20
ITU-T
Standards ndashAwareness Training amp Education
National Colloquium for Information Systems Security Educationcreated in 1997 to provide a forum for dialogue among leading figures in government industry and academiaannual conference in Junewwwncisseorg
NSA - National Information Assurance Education and Training Program (NIETP)
CNSS (Committee on National Security Systems) training amp education standards
NSTISSI-4011 - INFOSEC ProfessionalsNSTISSI-4012 - Designated Approving AuthorityNSTISSI-4013 - System Administrators in Information Systems SecurityNSTISSI-4014 - Information Systems Security Officers (ISSO)NSTISSI-4015 - System Certifiers
wwwnsagov
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 21
ITU-T
Standards ndashAwareness Training amp Education
NIST ndash National Institute of Standards and Technology Computer Security DivisionComputer Security Resource Center
SP 800-16 ldquoIT Security Training Requirements A Role- and Performance-Based ModelrdquoSP 800-50 ldquoBuilding an IT Security Awareness and Training Programrdquo
httpcsrcnistgov
WalterFumysiemenscom - 24-Sep-04 - page 22
ITU-T
ConclusionSecurity Management Awareness amp Education
Need to continuously review policies measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networksToday there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level including
BS 7799-2 Information security management systems - Specification with guidance for use (UK) IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements ofan ISMS
process guidelines (eg IS 13335 IS 21827)procedural guidelines (eg TR 18044)catalogues of controls (eg IS 17799)
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
Security Guidelines - SC 27 Standards
Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
IT Network Security (IS 18028, ITU-T X)
IT Intrusion Detection Framework (TR 15947)
Guidelines for the Implementation, Op. & Mgt. of ID Systems (IS 18043)
GMITS: Management of ICT Security (TR 13335)
Information Security Incident Management (TR 18044)
Code of Practice for Information Security Management (IS 17799, ITU-T X)
ISMS Requirements Specification (NP)
Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques - SC 27 Standards
[Diagram grouping the standards by category: Cryptographic Protocols, Message Authentication, Digital Signatures, Encryption & Modes of Operation, Parameter Generation]
Entity Authentication (IS 9798)
Key Mgt. (IS 11770)
Encryption (IS 18033)
Register of Algorithms (IS 9979)
Modes of Operation (IS 10116)
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)
Signatures giving Msg. Recovery (IS 9796)
Non-Repudiation (IS 13888)
Signatures with Appendix (IS 14888)
Check Character Systems (IS 7064)
Cryptographic Techniques based on Elliptic Curves (IS 15946)
Time Stamping Services (IS 18014)
Random Bit Generation (IS 8031)
Prime Number Generation (IS 8032)
Data Encapsulation (IS 19772)
Biometric Template Protection (NP)
Security Evaluation - SC 27 Standards
Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
Security Assessment of Operational Systems (TR 19791)
Evaluation Criteria for IT Security (“Common Criteria”) (IS 15408)
Security Requirements for Cryptographic Modules (TR 19790)
Protection Profile Registration Procedures (IS 15292)
Framework for IT Security Assurance (TR 15443)
Systems Security Engineering - Capability Maturity Model (IS 21827)
Methodology for IT Security Evaluation (IS 18045)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
New Projects
IS 9798 Entity authentication mechanisms - Part 6: Entity authentication based on manual data transfer
IS 11770 Key management - Part 4: Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modules
TR 19791 Security assessment of operational systems
IS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security (1999)
next ICC conference: 28.9. - 30.9.2004, Berlin
www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots:
Information Security Management System (ISMS)
Information security management metrics and measurements
Biometric template protection
ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot:
DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
[Diagram: SC 27 collaboration partners by area]
Security Guidelines
Security Techniques
Security Evaluation
Secure Communications & Security Infrastructure
Secure Applications
Partners: SC 37, SC 17, TC 68, CCDB, ITU-T Q.10/SG 17
SC 27 Collaboration: ITU-T SG 17 / Q.10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
Within SG 17, the Rapporteur for Q.10/17 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q.10/17 in order to progress common or twin text documents and to publish common standards:
ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
ISO/IEC 18028 IT Network Security (= ITU-T X)
ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
SC 27 is responsible for > 60 projects, including 26 active projects
Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards, 6 ISO/IEC Technical Reports (TR)
More Information & Contact
SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
SC 27 Secretariat: Krystyna.Passia@din.de
SC 27 Chairman: Walter.Fumy@siemens.com
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Any Questions?
Conclusion: Security Management, Awareness & Education
Need to continuously review policies, measures and procedures to help assure that they meet the evolving challenges posed by threats to IT systems and networks
Today there is no internationally recognized Information Security Management System (ISMS) standard
there are a number of ISMS standards at a national or regional level, including
BS 7799-2 Information security management systems - Specification with guidance for use (UK)
IT Baseline Protection Manual (Germany)
there are international standards that cover certain elements of an ISMS
process guidelines (e.g. IS 13335, IS 21827)
procedural guidelines (e.g. TR 18044)
catalogues of controls (e.g. IS 17799)
Cyber Security Standardization Initiatives
Example: Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)
NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated “Urgent Action Standard Authorization Request” to establish a NERC Cyber Security Standard
NERC Urgent Action Standard 1200 Cyber Security
approved June 2003, in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension, effective August 13, 2004
to be replaced with permanent standard via ANSI Standard Authorization process
compliance with this standard will be evaluated in the first quarter of 2005
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003
Facilitate the development and enhancement of homeland security standards
Serve as private/public sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and government
A forum for information sharing on HS standards issues
Does not itself develop standards
http://www.ansi.org/hssp
ISO Technical Management Board - Advisory Group on Security
The ISO/TMB Advisory Group will
conduct a review of existing ISO deliverables related to the field of security, including the subjects of
Private sector emergency preparedness and business continuity
Identification techniques, including biometrics
Emergency communications
Risk assessment
Cyber security
assess the needs of all relevant stakeholders for international security standards
assess relevant standards developed by other organizations
recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide
submit a final report to the ISO/TMB and ISO Council by 31 December 2004
ENISA - European Network & Information Security Agency
Objectives:
to facilitate the application of European Community measures relating to network and information security
to help ensure the interoperability of security functions in networks and information systems
to enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004, situated on Greek island
www.enisa.eu.int
Conference on Network & Information Security: e-Security in Europe: Today's status and The Next Step, Amsterdam, 27/28 October 2004
Conclusion
“The good thing about standards is there are so many to choose from”
A substantial number of cyber security standards is available or currently under development
There are initiatives at both national and international levels to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
Annex
ISO/IEC JTC 1/SC 27 “IT Security Techniques”
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 23
ITU-T
Cyber Security StandardizationInitiatives
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 24
ITU-T
Example Cyber Security Standard for Electricity Sector
developed by North American Electric Reliability Council (NERC)NERC Critical Infrastructure Protection Advisory Group (CIPAG) initiated ldquoUrgent Action Standard Authorization Requestrdquo to establish a NERC Cyber Security Standard NERC Urgent Action Standard 1200 Cyber Security
approved June 2003 in effect for one year with possible one-year extension
NERC Board of Trustees approved one-year extension effective August 13 2004
to be replaced with permanent standard via ANSI Standard Authorization process compliance with this standard will be evaluated in the first quarter of 2005
WalterFumysiemenscom - 24-Sep-04 - page 25
ITU-T
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003Facilitate the development and enhancement of homeland security standards Serve as privatepublic sector forum for standards issues that cut cross-sector
Co-chairs provided by industry and governmentA forum for information sharing on HS standards issuesDoes not itself develop standards
httpwwwansiorghssp
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Techniques - SC 27 Standards
Areas: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation.
Entity Authentication (IS 9798)
Key Management (IS 11770)
Encryption (IS 18033)
Register of Algorithms (IS 9979)
Modes of Operation (IS 10116)
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)
Signatures giving Message Recovery (IS 9796)
Non-Repudiation (IS 13888)
Signatures with Appendix (IS 14888)
Check Character Systems (IS 7064)
Cryptographic Techniques based on Elliptic Curves (IS 15946)
Time Stamping Services (IS 18014)
Random Bit Generation (IS 8031)
Prime Number Generation (IS 8032)
Data Encapsulation (IS 19772)
Biometric Template Protection (NP)
Security Evaluation - SC 27 Standards
Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
Security Assessment of Operational Systems (TR 19791)
Evaluation Criteria for IT Security ("Common Criteria") (IS 15408)
Security Requirements for Cryptographic Modules (TR 19790)
Protection Profile Registration Procedures (IS 15292)
Framework for IT Security Assurance (TR 15443)
Systems Security Engineering - Capability Maturity Model (IS 21827)
Methodology for IT Security Evaluation (IS 18045)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
New Projects
IS 9798 Entity authentication mechanisms, Part 6: Entity authentication based on manual data transfer
IS 11770 Key management, Part 4: Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modules
TR 19791 Security assessment of operational systems
IS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28-30 September 2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots: Information Security Management System (ISMS); Information security management metrics and measurements; Biometric template protection; ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot: DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
Areas: Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications.
Partners: SC 37, SC 17, TC 68, CCDB, ITU-T Q10/SG17.
SC 27 Collaboration: ITU-T SG 17 / Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS).
Within SG 17, the Rapporteur for Q10/17 has been identified as the coordinator for CSS activities.
Close collaboration between SC 27 and Q10/17 in order to progress common or twin text documents and to publish common standards:
ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
ISO/IEC 18028 IT Network Security (= ITU-T X)
ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
SC 27 is responsible for > 60 projects, including 26 active projects.
Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR).
More Information & Contact:
SC 27 web page (scope, organization, work items etc.): http://www.ni.din.de/sc27
Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
SC 27 Secretariat: Krystyna.Passia@din.de
SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
ANSI Homeland Security Standards Panel (HSSP)
Formation of ANSI-HSSP announced February 2003.
Facilitate the development and enhancement of homeland security standards.
Serve as private/public sector forum for standards issues that cut cross-sector.
Co-chairs provided by industry and government.
A forum for information sharing on HS standards issues; does not itself develop standards.
http://www.ansi.org/hssp
ISO Technical Management Board Advisory Group on Security
The ISO/TMB Advisory Group will:
conduct a review of existing ISO deliverables related to the field of security, including the subjects of private sector emergency preparedness and business continuity; identification techniques including biometrics; emergency communications; risk assessment; cyber security;
assess the needs of all relevant stakeholders for international security standards;
assess relevant standards developed by other organizations;
recommend actions to be taken by the ISO Council and/or ISO/TMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to provide;
submit a final report to the ISO/TMB and ISO Council by 31 December 2004.
ENISA - European Network & Information Security Agency
Objectives: to facilitate the application of European Community measures relating to network and information security; to help ensure the interoperability of security functions in networks and information systems; to enhance the capability of the Community and the Member States to respond to network and information security problems.
Established in March 2004; situated on a Greek island.
www.enisa.eu.int
Conference on Network & Information Security: "e-Security in Europe: Today's status and The Next Step", Amsterdam, 27-28 October 2004
Conclusion
"The good thing about standards is there are so many to choose from."
A substantial number of cyber security standards is available or currently under development.
There are initiatives at both national and international levels to identify gaps and to recommend actions.
Improved collaboration and harmonization between standards organizations is needed.
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 26
ITU-T
ISO Technical Management BoardAdvisory Group on Security
The ISOTMB Advisory Group willconduct a review of existing ISO deliverables related to the field of security including the subjects of
Private sector emergency preparedness and business continuityIdentification techniques including biometricsEmergency communicationsRisk assessmentCyber security
assess the needs of all relevant stakeholders for international security standardsassess relevant standards developed by other organizationsrecommend actions to be taken by the ISO Council andor ISOTMB on subjects within the field of security that may benefit from the development of International Standards and that ISO would have the capability to providesubmit a final report to the ISOTMB and ISO Council by 31 December 2004
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 27
ITU-T
ENISA ndashEuropean Network amp Information Security Agency
Objectivesto facilitate the application of European Community measures relating to network and information security to help ensure the interoperability of security functions in networks and information systemsto enhance the capability of the Community and the Member States to respond to network and information security problems
established in March 2004situated on Greek island
wwwenisaeuint
Conference on Network amp Information Securitye-Security in Europe Todays status and The Next StepAmsterdam 27 28 October 2004
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 28
ITU-T
Conclusion
ldquoThe good thing about standards is there are so many to choose fromrdquo
A substantial number of cyber security standards is available oravailable or currently under developmentThere are initiatives at both national and international levels to to identify gaps and to recommend actions
Improved collaboration and harmonization between standards organizations needed
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating Membership: obligation to take an active part in the work (e.g. to attend meetings, to vote); one Member Body per country (e.g. ANSI, IBN, BSI, DIN); power of vote.
P-members of SC 27 (total 31): South Africa, Kenya, Brazil, Canada, USA, Australia, China, India, Japan, Korea, Malaysia, New Zealand, Singapore, Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Luxembourg, Netherlands, Norway, Poland, Russian Federation, Spain, Sweden, Switzerland, UK, Ukraine
Observing Membership: option to take an active part in the work (e.g. to attend meetings, to make contributions, to receive documents); no power of vote.
O-members of SC 27 (total 11): Argentina, Indonesia, Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
) new SC 27 members
Security Guidelines - SC 27 Standards
Guidelines on the Use & Management of TTP Services (IS 14516, ITU-T X.842)
TTP Services to Support Digital Signatures (IS 15945, ITU-T X.843)
IT Network Security (IS 18028, ITU-T X)
IT Intrusion Detection Framework (TR 15947)
Guidelines for the Implementation, Operation & Management of ID Systems (IS 18043)
GMITS - Management of ICT Security (TR 13335)
Information Security Incident Management (TR 18044)
Code of Practice for Information Security Management (IS 17799, ITU-T X)
ISMS Requirements Specification (NP)
Information Security Management Metrics and Measurements (NP)
Cryptographic Techniques - SC 27 Standards
Areas: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
Entity Authentication (IS 9798)
Key Management (IS 11770)
Encryption (IS 18033)
Register of Algorithms (IS 9979)
Modes of Operation (IS 10116)
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)
Signatures giving Message Recovery (IS 9796)
Non-Repudiation (IS 13888)
Signatures with Appendix (IS 14888)
Check Character Systems (IS 7064)
Cryptographic Techniques based on Elliptic Curves (IS 15946)
Time Stamping Services (IS 18014)
Random Bit Generation (IS 8031)
Prime Number Generation (IS 8032)
Data Encapsulation (IS 19772)
Biometric Template Protection (NP)
Security Evaluation - SC 27 Standards
Framework for Security Evaluation & Testing of Biometric Technology (TR 19792)
Security Assessment of Operational Systems (TR 19791)
Evaluation Criteria for IT Security (“Common Criteria”) (IS 15408)
Security Requirements for Cryptographic Modules (TR 19790)
Protection Profile Registration Procedures (IS 15292)
Framework for IT Security Assurance (TR 15443)
Systems Security Engineering - Capability Maturity Model (IS 21827)
Methodology for IT Security Evaluation (IS 18045)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
New Projects
IS 9798 Entity authentication mechanisms - Part 6: Entity authentication based on manual data transfer
IS 11770 Key management - Part 4: Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modules
TR 19791 Security assessment of operational systems
IS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security (1999); next ICC conference 28.9. - 30.9.2004, Berlin; www.commoncriteriaportal.org (under construction)
NP & PAS Ballots
NP Ballots: Information Security Management System (ISMS); Information security management metrics and measurements; Biometric template protection; ISO/IEC 18043 Selection, deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS Ballot: DIS 20886 International Security, Trust and Privacy Alliance - Privacy Framework [ballot ends 2004-12-11]
Selected Collaboration
Areas: Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications
Collaborating bodies: SC 37, SC 17, TC 68, CCDB, ITU-T Q10/SG17
SC 27 Collaboration - ITU-T SG 17/Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS); within SG 17, the Rapporteur for Q10/17 has been identified as the coordinator for CSS activities.
Close collaboration between SC 27 and Q10/17 in order to progress common or twin text documents and to publish common standards:
ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
ISO/IEC 18028 IT Network Security (= ITU-T X)
ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Summary
SC 27 is responsible for > 60 projects, including 26 active projects.
Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR).
More Information & Contact:
SC 27 web-page (scope, organization, work items etc.): http://www.ni.din.de/sc27
Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
SC 27 Secretariat: Krystyna.Passia@din.de
SC 27 Chairman: Walter.Fumy@siemens.com
Any Questions?
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
AnnexAnnex
ISOIEC JTC 1SC 27 ISOIEC JTC 1SC 27 ITIT Security TechniquesSecurity Techniques
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 30
ITU-T
SC 27 - ldquoIT Security Techniquesrdquo
Standardization of generic IT security services and techniques including
identification of generic requirements for IT system security servicesdevelopment of security techniques and mechanisms (cryptographic and non-cryptographic)development of security guidelinesdevelopment of management support documentation and standardsdevelopment of criteria for IT security evaluation and certification of IT systems components and products
ISOIEC JTC 1SC 27 Information technology -Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
ISOIEC JTC 1SC 27 Information technology -SC 27 Secretariat
DINMs K Passia
SC 27 SecretariatDIN
Ms K Passia
Security techniquesChair Mr W Fumy
Vice-Chair Ms M De Soete
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 1Requirements
services guidelines
ConvenerMr T Humphreys
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 2Security techniques
and mechanisms
ConvenerMr K Naemura
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
Working Group 3Security evaluation
criteria
ConvenerMr M Ohlin
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 31
ITU-T
Membership of SC 27
Participating MembershipObligation to take an active part in the work (eg to attend meetings to vote)One Member Body per country(eg ANSI IBN BSI DIN)Power of vote
P-members of SC 27 (total 31)South Africa KenyaBrazil Canada USAAustralia China India Japan Korea Malaysia New Zealand SingaporeAustria Belgium Czech Republic Denmark Finland France Germany Italy Luxembourg Netherlands Norway Poland Russian Federation Spain Sweden Switzerland UK Ukraine
Observing MembershipOption to take an active part in the work (eg to attend meetings to make contributions to receive documents)No power of vote
O-members of SC 27 (total 11)
ArgentinaIndonesia
Estonia Hungary Ireland Israel Lithuania Serbia and Montenegro Romania Slovakia Turkey
) new SC 27 members
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 32
ITU-T
Security Guidelines ndashSC 27 Standards
Guidelines on the Use amp Management
of TTP Services(IS 14516 ITU-T X842)
TTP Servicesto Support Digital
Signatures (IS 15945 ITU-T X843)
IT Network Security (IS 18028 ITU-T X)
IT Intrusion Detection Framework(TR 15947)
Guidelines for the Implementation Op amp
Mgt of ID Systems(IS 18043)
GMITS Managementof ICT Security
(TR 13335)
Information Security Incident Management
(TR 18044)
Code of Practice for Information Security
Management(IS 17799 ITU-T X)
ISMS Requirements Specification
(NP)
Information Security Management Metrics and Measurements
(NP)
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
WalterFumysiemenscom - 24-Sep-04 - page 37
ITU-T
Selected Collaboration
Security Guidelines
Security Techniques
Security Evaluation
Secure Communicationsamp Security Infrastructure
Secure Applications
SC 37SC 17
TC 68
CCDB
ITU-T Q10SG17
WalterFumysiemenscom - 24-Sep-04 - page 38
ITU-T
SC 27 CollaborationITU-T SG 17Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS)
within SG 17 the Rapporteur for Q1017 has been identified as the coordinator for CSS activities
Close collaboration between SC 27 and Q1017 in order to progress common or twin text documents and to publish common standards
ISOIEC 15816 Security information objects for access control (= ITU-T X841)ISOIEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X842)ISOIEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X843)ISOIEC 18028 IT Network Security (= ITU-T X)ISOIEC 17799 Code of Practice for Information Security Management (= ITU-T X)
WalterFumysiemenscom - 24-Sep-04 - page 39
ITU-T
Summary
SC 27 is responsible forgt 60 projects including 26 active projects
Between 1990 and today SC 27 has published 32 ISOIEC International Standards (IS)13 revised editions of International Standards 6 ISOIEC Technical Reports (TR)
More Information amp ContactSC 27 web-page scope organization work items etchttpwwwnidindesc27 Catalogue of SC 27 Projects amp Standardshttpwwwnidindesc27doc7htmlSC 27 Secretariat KrystynaPassiadindeSC 27 Chairman WalterFumysiemenscom
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianoacutepolis Brazil 4 October 2004
Any Questions Any Questions
WalterFumysiemenscom - 24-Sep-04 - page 33
ITU-T
Cryptographic Protocols
Message Authentication
Entity Authentica
tion (IS 9798)
Key Mgt(IS 11770)
Digital Signatures
Encryption amp Modes of Operation Parameter GenerationEncryption
(IS 18033)
Register of Algorithms
(IS 9979)
Modes of Operation(IS 10116)
Hash Functions(IS 10118)
Message Authentication Codes(IS 9797)
Signatures giving MsgRecovery(IS 9796)
Non-Repudiation(IS 13888)
Signatures with
Appendix(IS 14888)
Check Character Systems(IS 7064)
Cryptographic Techniques
based on Elliptic Curves
(IS 15946)
Time Stamping Services(IS 18014)
Random Bit
Generation(IS 8031)
Prime Number
Generation(IS 8032)
Data Encapsulat
ion(IS 19772)
Biometric Template Protection
(NP)
Cryptographic Techniques ndashSC 27 Standards
WalterFumysiemenscom - 24-Sep-04 - page 34
ITU-T
Security Evaluation ndashSC 27 Standards
Framework for Security Evaluation amp Testing of Biometric Technology
(TR 19792)
Security Assessment of Operational Systems
(TR 19791)
Evaluation Criteria for ITSecurity (ldquoCommon
Criteriardquo)(IS 15408)
Security Requirements for Cryptographic
Modules(TR 19790)
Protection Profile Registration Procedures
(IS 15292)
Framework for ITSecurity Assurance
(TR 15443)
Systems Security Engineering ndash Capability
Maturity Model(IS 21827)
Methodology for IT Security Evaluation
(IS 18045)
Guide on the Production of Protection Profiles amp
Security Targets(TR 15446)
WalterFumysiemenscom - 24-Sep-04 - page 35
ITU-T
New Projects
IS 9798 Entity authentication mechanismsPart 6 Entity authentication based on manual data transfer
IS 11770 Key managementPart 4 Key establishment mechanisms based on weak secrets
IS 19790 Security requirements for cryptographic modulesTR 19791 Security assessment of operational systemsIS 19792 A framework for security evaluation and testing of biometric technology
2nd edition of IS 15408 Evaluation criteria for IT Security 1999next ICC conference 289 - 3092004 Berlinwwwcommoncriteriaportalorg (under construction)
WalterFumysiemenscom - 24-Sep-04 - page 36
ITU-T
NP amp PAS Ballots
NP BallotsInformation Security Management System (ISMS)Information security management metrics and measurementsBiometric template protection ISOIEC 18043 Selection deployment and operation of intrusion detection systems (IDS) [formerly TR]
PAS BallotDIS 20886 International Security Trust and Privacy Alliance -Privacy Framework [ballot ends 2004-12-11]
Walter.Fumy@siemens.com - 24-Sep-04 - page 37
Selected Collaboration
[Diagram: SC 27 work areas (Security Guidelines; Security Techniques; Security Evaluation; Secure Communications & Security Infrastructure; Secure Applications) linked to collaborating bodies SC 37, SC 17, TC 68, CCDB and ITU-T Q10/SG 17]
Walter.Fumy@siemens.com - 24-Sep-04 - page 38
SC 27 Collaboration: ITU-T SG 17/Q10
ITU-T Study Group 17 has been designated the Lead Study Group for Communication Systems Security (CSS).
Within SG 17, the Rapporteur for Q10/17 has been identified as the coordinator for CSS activities.
Close collaboration between SC 27 and Q10/17 in order to progress common or twin text documents and to publish common standards:
  ISO/IEC 15816 Security information objects for access control (= ITU-T X.841)
  ISO/IEC 14516 Guidelines on the use and management of Trusted Third Party services (= ITU-T X.842)
  ISO/IEC 15945 Specification of TTP services to support the application of digital signatures (= ITU-T X.843)
  ISO/IEC 18028 IT Network Security (= ITU-T X)
  ISO/IEC 17799 Code of Practice for Information Security Management (= ITU-T X)
Walter.Fumy@siemens.com - 24-Sep-04 - page 39
Summary
SC 27 is responsible for > 60 projects, including 26 active projects.
Between 1990 and today SC 27 has published 32 ISO/IEC International Standards (IS), 13 revised editions of International Standards and 6 ISO/IEC Technical Reports (TR).
More Information & Contact
  SC 27 web page (scope, organization, work items etc.): http://www.ni.din.de/sc27
  Catalogue of SC 27 Projects & Standards: http://www.ni.din.de/sc27/doc7.html
  SC 27 Secretariat: Krystyna.Passia@din.de
  SC 27 Chairman: Walter.Fumy@siemens.com
International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Any Questions?