ISO-ITU Cooperation on Security Standardization
Dr. Walter Fumyy
Chairman ISO/IEC JTC 1/SC 27
Chief Scientist, Bundesdruckerei GmbH, Germany
7th ETSI Security Workshop - Sophia Antipolis, January 2012
Agenda
ISO/IEC JTC 1/SC 27 – IT Security Techniques: scope, organization, work programme; recent achievements; new projects
Collaboration with ITU-T: modes of collaboration; JTC 1 – ITU-T collaboration on security standardization
Conclusion
Walter Fumy | 18.01.2012 | 7th ETSI Security Workshop, Sophia Antipolis, January 2012
ISO/IEC JTC 1/SC 27 – Scope
The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
Information Security Management Systems (ISMS), security controls and services;
Cryptographic mechanisms;
Security aspects of identity management, biometrics and privacy;
Conformance assessment, accreditation and auditing requirements in the area of information security;
Security evaluation criteria and methodology.
ISO/IEC JTC 1/SC 27 – Structure
ISO/IEC JTC 1/SC 27 – IT Security techniques
Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
Working Group 1 – Information security management systems; Convener: Mr. T. Humphreys
Working Group 2 – Cryptography and security mechanisms; Convener: Mr. T. Chikazawa
Working Group 3 – Security evaluation criteria; Convener: Mr. M. Bañón
Working Group 4 – Security controls and services; Convener: Mr. M.-C. Kang
Working Group 5 – Identity management and privacy technologies; Convener: Mr. K. Rannenberg
http://www.jtc1sc27.din.de/en
SC 27/WG 1 – ISMS Family of Standards
Vocabulary:
  27000: 2009 – ISMS Overview and Vocabulary
Requirements:
  27001: 2005 – ISMS Requirements
Supporting Guidelines:
  27002: 2005 (pka 17799) – Code of Practice
  27003: 2010 – ISMS Implementation Guidance
  27004: 2009 – Information Security Management Measurement
  27005: 2011 – Information Security Risk Management
  27014 | ITU-T X.1054 – Governance of information security
  TR 27016 – Information security management – Organizational economics
Accreditation Requirements and Auditing Guidelines:
  27006: 2011 – Accreditation Requirements
  27007: 2011 – ISMS Auditing Guidelines
  TR 27008: 2011 – ISMS Guide for auditors on ISMS controls
Sector Specific Requirements and Guidelines:
  27010 – ISMS for inter-sector and inter-organisational communications
  27011: 2008 | ITU-T X.1051 – Telecom Sector ISMS
  TR 27015 – Information security management guidelines for financial services
SC 27/WG 4 – Security Controls and Services
Unknown or emerging security issues:
  ICT Readiness for Business Continuity (IS 27031)
  Cybersecurity (FDIS 27032)
  Network Security (CD 27033-1, WD 27033-2/3/4)
  Application Security (IS 27034-1)
Known security issues:
  Security Info-Objects for Access Control (TR 15816)
  Security of Outsourcing (27036)
  TTP Services Security (TR 14516; 15945)
  Time Stamping Services (TR 29149)
Security breaches and compromises:
  Information security incident management (27035)
  ICT Disaster Recovery Services (24762)
  Identification, collection and/or acquisition, and preservation of digital evidence (NP)
SC 27/WG 2 – Cryptography and Security Mechanisms
Cryptographic Protocols:
  Entity Authentication (IS 9798)
  Key Management (IS 11770)
  Non-Repudiation (IS 13888)
  Time Stamping Services (IS 18014)
Cryptographic Techniques:
  Message Authentication: Hash Functions (IS 10118); Message Authentication Codes (IS 9797)
  Digital Signatures: Signatures giving Message Recovery (IS 9796); Signatures with Appendix (IS 14888)
  Check Character Systems (IS 7064)
  Cryptographic Techniques based on Elliptic Curves (IS 15946)
  Encryption & Modes of Operation: Encryption (IS 18033); Modes of Operation (IS 10116); Authenticated Encryption (IS 19772)
  Parameter Generation: Random Bit Generation (IS 18031); Prime Number Generation (IS 18032)
  Biometric Template Protection (NP 24745)
SC 27/WG 3 – Security Evaluation Criteria
  Secure System Engineering Principles and Techniques (NWIP)
  Responsible Vulnerability Disclosure (WD 29147)
  Trusted Platform Module (IS 11889)
  A Framework for IT Security Assurance (TR 15443)
  SSE-CMM (IS 21827)
  Security Requirements for Cryptographic Modules (IS 19790)
  Test Requirements for Cryptographic Modules (IS 24759)
  Security Assessment of Operational Systems (TR 19791)
  IT Security Evaluation Criteria (CC) (IS 15408)
  Evaluation Methodology (CEM) (IS 18045)
  PP/ST Guide (TR 15446)
  Protection Profile Registration Procedures (IS 15292)
  Security Evaluation of Biometrics (IS 19792)
  Verification of Cryptographic Protocols (IS 29128)
SC 27/WG 5 – Identity Management & Privacy Technologies
WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
Frameworks & Architectures:
  A framework for identity management (ISO/IEC 24760, IS/WD/WD)
  Privacy framework (ISO/IEC 29100, IS)
  Privacy reference architecture (ISO/IEC 29101, CD)
  Entity authentication assurance framework (ISO/IEC 29115 / ITU-T X.1254, DIS)
  A framework for access management (ISO/IEC 29146, WD)
Protection Concepts:
  Biometric information protection (ISO/IEC 24745, IS)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)
Guidance on Context and Assessment:
  Authentication context for biometrics (ISO/IEC 24761, 2009)
  Privacy capability assessment framework (ISO/IEC 29190, WD)
Recent Achievements
Between October 2010 and September 2011:
13 International Standards and Technical Reports have been published
14 new projects have been approved (total number of projects: ~170)
4 additional P-members (total 46); total number of O-members: 17
24 internal liaisons; 29 external liaisons
Approved New Projects (I)
ISO/IEC 17825: Testing methods for the mitigation of non-invasive attack classes against cryptographic modules
ISO/IEC 18014-4: Time-stamping services – Part 4: Traceability of time sources
ISO/IEC 18033-5: Encryption algorithms – Part 5: Identity-based mechanisms
ISO/IEC 20009-3: Anonymous entity authentication – Part 3: Mechanisms based on blind signatures
ISO/IEC 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (as Technical Specification)
Approved New Projects (II)
ISO/IEC 27036: Information security for supplier relationships
– Part 1: Overview and concepts
– Part 2: Common requirements
– Part 3: Guidelines for ICT supply chain security
– Part 4: Guidelines for security of outsourcing
ISO/IEC 27041: Guidance on assuring suitability and adequacy of investigation methods
ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence
ISO/IEC 27043: Investigation principles and processes
ISO/IEC 30111: Vulnerability handling processes
ISO/IEC 30104: Physical security attacks, mitigation techniques and security requirements
Participation & More Information
Next SC 27 meetings:
May 7-15, 2012 – Stockholm, Sweden (WGs and Plenary)
Oct 22-26, 2012 – Italy (WGs)
http://www.jtc1sc27.din.de/en
SC 27 Collaboration with ITU-T
ITU-T SG17 and SC 27 collaborate on many projects in order to progress common or twin text documents and to publish common standards. These include:
ISO/IEC | ITU-T | Title | Type | Remark
TR 14516 | X.842 | Guidelines on the use and management of Trusted Third Party services | Common | 2002
15816 | X.841 | Security information objects (SIOs) for access control | Common | 2002
15945 | X.843 | Specification of TTP Services to support the application of digital signatures | Common | 2002
18028-2 | X.805 | IT network security – Part 2: Network security architecture | Twin | 2006 / 2003
27011 | X.1051 | Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | Common | 2008
27014 | X.1054 | Governance of information security | Common | DIS
29115 | X.1254 | Entity authentication assurance framework | Common | DIS
tbs | X.bhsm | Telebiometric authentication framework using biometric hardware security module | Common | NWIP
Example for Common Text Standard
ISO/IEC 27011: 2008 = ITU-T Recommendation X.1051: Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
Guide for ITU-T and ISO/IEC JTC 1 cooperation
ISO/IEC JTC 1 Standing Document 3
Annex A to Recommendation ITU-T A.23
Modes of Collaboration
Specific to collaboration of JTC 1 and ITU-T
Desire: produce common or twin (technically aligned) texts
JTC 1 and ITU-T keep their own processes; approvals are synchronized
Two options for collaboration:
Interchange mode is used when the work is straightforward, non-controversial, and with sufficient common participation in the meetings of the two organizations
For more complex situations a joint Collaborative Team may work better
Useful References
Guide for ITU-T and ISO/IEC JTC 1 Cooperation
http://www.itu.int/rec/T-REC-A.23-201002-I!AnnA
List of common text and technically aligned Recommendations | International Standards
http://www.itu.int/oth/T0A0D000011/en
Mapping between ISO/IEC International Standards and ITU-T Recommendations
http://www.itu.int/oth/T0A0D000012/en
Relationships of SG 17 Questions with JTC 1 SCs, categorized as joint work (collaboration) (level 1), technical cooperation via liaison (level 2), informational liaison (level 3)
http://www.itu.int/en/ITU-T/studygroups/com17/Pages/relationships.aspx
ISO/IEC JTC 1 – Information Technology: Security-related Sub-committees
SC 6 Telecommunications and information exchange between systems
SC 7 Software and systems engineering
SC 17 Cards and personal identification
SC 25 Interconnection of information technology equipment
SC 27 IT Security techniques
SC 29 Coding of audio, picture, multimedia and hypermedia information
SC 31 Automatic identification and data capture techniques
SC 32 Data management and interchange
SC 36 Information technology for learning, education and training
SC 37 Biometrics
SC 38 Distributed application platforms and services (DAPS)
Relationships of SG 17 Questions with JTC 1 SCs (I)
Question | Title | ISO, IEC | Level
Q.1/WP1 | Telecommunications systems security project | JTC 1/SC 27 | 2&3
Q.2/WP1 | Security architecture and framework | JTC 1/SC 27 | 1&2
Q.3/WP1 | Telecommunication information security management | JTC 1/SC 27 | 1&2
Q.4/WP1 | Cybersecurity | JTC 1/SC 27; ISO TC 215 | 2; 3
Q.5/WP1 | Countering spam by technical means | JTC 1/SC 27 | 2
Q.6/WP2 | Security aspects of ubiquitous telecommunication services | JTC 1/SC 6; JTC 1/SC 25; JTC 1/SC 27; JTC 1/SC 31 | 1&2; 2; 2; 3
Q.7/WP2 | Secure application services | JTC 1/SC 6; JTC 1/SC 25; JTC 1/SC 27; JTC 1/SC 31 | 2; 2; 2; 3
Q.8/WP2 | Service oriented architecture security | JTC 1/SC 38 | 3
Q.9/WP2 | Telebiometrics | JTC 1/SC 17; JTC 1/SC 27; JTC 1/SC 37; ISO TC 12; IEC TC 25 | 3; 2; 1&2; 2; 2
Relationships of SG 17 Questions with JTC 1 SCs (II)
Question | Title | ISO, IEC | Level
Q.10/WP3 | Identity management architecture and mechanisms | JTC 1/SC 27 | 1&2
Q.11/WP3 | Directory services, Directory systems, and public-key/attribute certificates | JTC 1/SC 6; JTC 1/SC 27; JTC 1/SC 31 | 1; 3; 3
Q.12/WP3 | Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration | JTC 1/SC 6; JTC 1/SC 27; JTC 1/SC 31; JTC 1/SC 37; JTC 1/SC 38; ISO TC 215; IEC TC 3 | 1; 2; 2; 2; 3; 2; 2
Q.13/WP3 | Formal languages and telecommunication software | JTC 1/SC 7; JTC 1/SC 22 | 1; 1&3
Q.14/WP3 | Testing languages, methodologies and framework | JTC 1/SC 7 | 3
Q.15/WP3 | Open Systems Interconnection (OSI) | JTC 1/SC 6 | 1
Further Examples for ISO-ITU Collaboration on Security Standardization
ISO/IEC | ITU-T | Title | Type | JTC 1 SC | Remark
7498-2 | X.800 | Open Systems Interconnection − Basic Reference Model − Part 2: Security Architecture | Twin | SC 21 | 1989 / 1991
TR 13594 | X.802 | Open Systems Interconnection − Lower layers security model | Common | SC 6 | 1995
10745 | X.803 | Open Systems Interconnection − Upper layers security model | Common | SC 21 | 1995
. . .
24708 | X.1083 | Biometrics − BioAPI interworking protocol | Common | SC 37 | 2008
29180 | X.1311 | Security framework for the ubiquitous sensor network | Common | SC 6 | 2011
Conclusion
SG 17 is the ITU-T lead study group on security
SC 27 is responsible for generic IT Security techniques
Almost every security Question in ITU-T has some relation with the work programme of SC 27
ISO-ITU cooperation on security standardization affects many JTC 1 SCs
Additional new work items where cooperation/collaboration is needed are continually being identified