Transcript

Page 1

ISO-ITU Cooperation on Security Standardization

Dr. Walter Fumy
Chairman ISO/IEC JTC 1/SC 27
Chief Scientist, Bundesdruckerei GmbH, Germany

7th ETSI Security Workshop - Sophia Antipolis, January 2012

Page 2

Agenda

- ISO/IEC JTC 1/SC 27 – IT Security Techniques
  - Scope, organization, work programme
  - Recent achievements
  - New projects
- Collaboration with ITU-T
  - Modes of collaboration
  - JTC 1 – ITU-T collaboration on security standardization
- Conclusion

Walter Fumy | 2 | 18.01.2012 | 7th ETSI Security Workshop, Sophia Antipolis, January 2012

Page 3

ISO/IEC JTC 1/SC 27 Scope

The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as

- Information Security Management Systems (ISMS), security controls and services;
- Cryptographic mechanisms;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security;
- Security evaluation criteria and methodology.

Page 4

ISO/IEC JTC 1/SC 27 Structure

ISO/IEC JTC 1/SC 27 – IT Security techniques
Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete

SC 27 Secretariat: DIN (Ms. K. Passia)

- Working Group 1: Information security management systems – Convener: Mr. T. Humphreys
- Working Group 2: Cryptography and security mechanisms – Convener: Mr. T. Chikazawa
- Working Group 3: Security evaluation criteria – Convener: Mr. M. Bañón
- Working Group 4: Security controls and services – Convener: Mr. M.-C. Kang
- Working Group 5: Identity management and privacy technologies – Convener: Mr. K. Rannenberg

http://www.jtc1sc27.din.de/en

Page 5

SC 27/WG 1: ISMS Family of Standards

- 27000: 2009 – ISMS Overview and Vocabulary
- 27001: 2005 – ISMS Requirements
- 27002: 2005 (pka 17799) – Code of Practice
- 27003: 2010 – ISMS Implementation Guidance
- 27004: 2009 – Information Security Management Measurement
- 27005: 2011 – Information Security Risk Management
- 27006: 2011 – Accreditation Requirements
- 27007: 2011 – ISMS Auditing Guidelines
- TR 27008: 2011 – ISMS Guide for auditors on ISMS controls
- 27010 – ISMS for inter-sector and inter-organisational communications
- 27011: 2008 | ITU-T X.1051 – Telecom Sector ISMS Requirements
- 27014 | ITU-T X.1054 – Governance of information security
- TR 27015 – Information security management guidelines for financial services
- TR 27016 – Information security management – Organizational economics

Groupings shown on the slide: Supporting Guidelines; Accreditation Requirements and Auditing Guidelines; Sector Specific Requirements and Guidelines

Page 6

SC 27/WG 4: Security Controls and Services

Unknown or emerging security issues
- ICT Readiness for Business Continuity (IS 27031)
- Cybersecurity (FDIS 27032)
- Network Security (CD 27033-1, WD 27033-2/3/4)
- Application Security (IS 27034-1)

Known security issues
- Security Info-Objects for Access Control (TR 15816)
- Security of Outsourcing (27036)
- TTP Services Security (TR 14516; 15945)
- Time Stamping Services (TR 29149)

Security breaches and compromises
- Information security incident management (27035)
- ICT Disaster Recovery Services (24762)
- Identification, collection and/or acquisition, and preservation of digital evidence (NP)

Page 7

SC 27/WG 2: Cryptography and Security Mechanisms

Cryptographic Protocols
- Entity Authentication (IS 9798)
- Key Management (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)

Message Authentication, Digital Signatures, Check Character Systems
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Signatures giving Message Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
- Check Character Systems (IS 7064)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)

Encryption & Parameter Generation
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Random Bit Generation (IS 18031)
- Prime Number Generation (IS 18032)
- Authenticated Encryption (IS 19772)
- Biometric Template Protection (NP 24745)

Page 8

SC 27/WG 3: Security Evaluation Criteria

- Secure System Engineering Principles and Techniques (NWIP)
- Responsible Vulnerability Disclosure (WD 29147)
- Trusted Platform Module (IS 11889)
- A Framework for IT Security Assurance (TR 15443)
- SSE-CMM (IS 21827)
- Security Requirements for Cryptographic Modules (IS 19790)
- Test Requirements for Cryptographic Modules (IS 24759)
- Security Assessment of Operational Systems (TR 19791)
- IT Security Evaluation Criteria (CC) (IS 15408)
- Evaluation Methodology (CEM) (IS 18045)
- PP/ST Guide (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Security Evaluation of Biometrics (IS 19792)
- Verification of Cryptographic Protocols (IS 29128)

Page 9

SC 27/WG 5: Identity Management & Privacy Technologies

WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:

Frameworks & Architectures
- A framework for identity management (ISO/IEC 24760, IS/WD/WD)
- Privacy framework (ISO/IEC 29100, IS)
- Privacy reference architecture (ISO/IEC 29101, CD)
- Entity authentication assurance framework (ISO/IEC 29115 / ITU-T X.1254, DIS)
- A framework for access management (ISO/IEC 29146, WD)

Protection Concepts
- Biometric information protection (ISO/IEC 24745, IS)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)

Guidance on Context and Assessment
- Authentication context for biometrics (ISO/IEC 24761, 2009)
- Privacy capability assessment framework (ISO/IEC 29190, WD)

Page 10

Recent Achievements

Between October 2010 and September 2011:
- 13 International Standards and Technical Reports have been published
- 14 new projects have been approved (total number of projects: ~ 170)
- 4 additional P-members (total 46); total number of O-members: 17
- 24 internal liaisons
- 29 external liaisons

Page 11

Approved New Projects (I)

- ISO/IEC 17825: Testing methods for the mitigation of non-invasive attack classes against cryptographic modules
- ISO/IEC 18014-4: Time-stamping services – Part 4: Traceability of time sources
- ISO/IEC 18033-5: Encryption algorithms – Part 5: Identity-based mechanisms
- ISO/IEC 20009-3: Anonymous entity authentication – Part 3: Mechanisms based on blind signatures
- ISO/IEC 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (as Technical Specification)

Page 12

Approved New Projects (II)

- ISO/IEC 27036: Information security for supplier relationships
  – Part 1: Overview and concepts
  – Part 2: Common requirements
  – Part 3: Guidelines for ICT supply chain security
  – Part 4: Guidelines for security of outsourcing
- ISO/IEC 27041: Guidance on assuring suitability and adequacy of investigation methods
- ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043: Investigation principles and processes
- ISO/IEC 30111: Vulnerability handling processes
- ISO/IEC 30104: Physical security attacks, mitigation techniques and security requirements

Page 13

Participation & More Information

Next SC 27 meetings
- May 7-15, 2012, Stockholm, Sweden (WGs and Plenary)
- Oct 22-26, 2012, Italy (WGs)

http://www.jtc1sc27.din.de/en

Page 14

SC 27 Collaboration with ITU-T

ITU-T SG17 and SC 27 collaborate on many projects in order to progress common or twin text documents and to publish common standards. These include

ISO/IEC | ITU-T | Title | Type | Remark
TR 14516 | X.842 | Guidelines on the use and management of Trusted Third Party services | Common | 2002
15816 | X.841 | Security information objects (SIOs) for access control | Common | 2002
15945 | X.843 | Specification of TTP Services to support the application of digital signatures | Common | 2002
18028-2 | X.805 | IT network security – Part 2: Network security architecture | Twin | 2006 / 2003
27011 | X.1051 | Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | Common | 2008
27014 | X.1054 | Governance of information security | Common | DIS
29115 | X.1254 | Entity authentication assurance framework | Common | DIS
tbs | X.bhsm | Telebiometric authentication framework using biometric hardware security module | Common | NWIP

Page 15

Example for Common Text Standard

ISO/IEC 27011: 2008 = ITU-T Recommendation X.1051: Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

Page 16

Guide for ITU-T and ISO/IEC JTC 1 cooperation

ISO/IEC JTC 1 Standing Document 3
Annex A to Recommendation ITU-T A.23

Page 17

Modes of Collaboration

- Specific to collaboration of JTC 1 and ITU-T
- Desire: produce common or twin (technically aligned) texts
- JTC 1 and ITU-T keep their own processes; approvals are synchronized
- Two options for collaboration
  - Interchange mode is used when the work is straightforward, non-controversial, and with sufficient common participation in the meetings of the two organizations
  - For more complex situations a joint Collaborative Team may work better

Page 18

Useful References

- Guide for ITU-T and ISO/IEC JTC 1 Cooperation: http://www.itu.int/rec/T-REC-A.23-201002-I!AnnA
- List of common text and technically aligned Recommendations | International Standards: http://www.itu.int/oth/T0A0D000011/en
- Mapping between ISO/IEC International Standards and ITU-T Recommendations: http://www.itu.int/oth/T0A0D000012/en
- Relationships of SG 17 Questions with JTC 1 SCs, categorized as joint work (collaboration) (level 1), technical cooperation via liaison (level 2), informational liaison (level 3): http://www.itu.int/en/ITU-T/studygroups/com17/Pages/relationships.aspx

Page 19

ISO/IEC JTC 1 – Information Technology: Security Related Sub-committees

- SC 6 Telecommunications and information exchange between systems
- SC 7 Software and systems engineering
- SC 17 Cards and personal identification
- SC 25 Interconnection of information technology equipment
- SC 27 IT Security techniques
- SC 29 Coding of audio, picture, multimedia and hypermedia information
- SC 31 Automatic identification and data capture techniques
- SC 32 Data management and interchange
- SC 36 Information technology for learning, education and training
- SC 37 Biometrics
- SC 38 Distributed application platforms and services (DAPS)

Page 20

Relationships of SG 17 Questions with JTC 1 SCs (I)

Question | Title | ISO, IEC | Level
Q.1/WP1 | Telecommunications systems security project | JTC 1/SC 27 | 2&3
Q.2/WP1 | Security architecture and framework | JTC 1/SC 27 | 1&2
Q.3/WP1 | Telecommunication information security management | JTC 1/SC 27 | 1&2
Q.4/WP1 | Cybersecurity | JTC 1/SC 27; ISO TC 215 | 2; 3
Q.5/WP1 | Countering spam by technical means | JTC 1/SC 27 | 2
Q.6/WP2 | Security aspects of ubiquitous telecommunication services | JTC 1/SC 6; JTC 1/SC 25; JTC 1/SC 27; JTC 1/SC 31 | 1&2; 2; 2; 3
Q.7/WP2 | Secure application services | JTC 1/SC 6; JTC 1/SC 25; JTC 1/SC 27; JTC 1/SC 31 | 2; 2; 2; 3
Q.8/WP2 | Service oriented architecture security | JTC 1/SC 38 | 3
Q.9/WP2 | Telebiometrics | JTC 1/SC 17; JTC 1/SC 27; JTC 1/SC 37; ISO TC 12; IEC TC 25 | 3; 2; 1&2; 2; 2

Page 21

Relationships of SG 17 Questions with JTC 1 SCs (II)

Question | Title | ISO, IEC | Level
Q.10/WP3 | Identity management architecture and mechanisms | JTC 1/SC 27 | 1&2
Q.11/WP3 | Directory services, Directory systems, and public-key/attribute certificates | JTC 1/SC 6; JTC 1/SC 27; JTC 1/SC 31 | 1; 3; 3
Q.12/WP3 | Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration | JTC 1/SC 6; JTC 1/SC 27; JTC 1/SC 31; JTC 1/SC 37; JTC 1/SC 38; ISO TC 215; IEC TC 3 | 1; 2; 2; 2; 3; 2; 2
Q.13/WP3 | Formal languages and telecommunication software | JTC 1/SC 7; JTC 1/SC 22 | 1; 1&3
Q.14/WP3 | Testing languages, methodologies and framework | JTC 1/SC 7 | 3
Q.15/WP3 | Open Systems Interconnection (OSI) | JTC 1/SC 6 | 1

Page 22

Further Examples for ISO-ITU Collaboration on Security Standardization

ISO/IEC | ITU-T | Title | Type | JTC 1 SC | Remark
7498-2 | X.800 | Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture | Twin | SC 21 | 1989 / 1991
TR 13594 | X.802 | Open Systems Interconnection – Lower layers security model | Common | SC 6 | 1995
10745 | X.803 | Open Systems Interconnection – Upper layers security model | Common | SC 21 | 1995
. . . | . . . | . . . | . . . | . . . | . . .
24708 | X.1083 | Biometrics – BioAPI interworking protocol | Common | SC 37 | 2008
29180 | X.1311 | Security framework for the ubiquitous sensor network | Common | SC 6 | 2011

Page 23

Conclusion

- SG 17 is the ITU-T lead study group on security
- SC 27 is responsible for generic IT Security techniques
- Almost every security Question in ITU-T has some relation with the work programme of SC 27
- ISO-ITU cooperation on security standardization affects many JTC 1 SCs
- Additional new work items where cooperation/collaboration is needed are continually being identified

Page 24

Thank You!
