ISO/IEC JTC 1/SC 27
Dr. Marijke De Soete, Vice Chair ISO/IEC JTC 1/SC 27 “IT Security Techniques”
ETSI Security Workshop, 16-17 January 2007, Sophia-Antipolis, France
International Organization for Standardization (ISO)
Worldwide federation of national standards bodies from 146 countries, one from each country, established in 1947 (www.iso.org)
Mission: to promote the development of standardization and related activities in the world with a view to facilitating the international exchange of goods and services, and to developing cooperation in the spheres of intellectual, scientific, technological and economic activity.
2.952 technical bodies: 190 technical committees (TCs), 544 subcommittees (SCs), 2.188 working groups (WGs)
ISO's work results in international agreements which are published as International Standards (IS)
More than 15.000 standards and standards-type documents
Interconnections
Diagram of how the standards bodies interconnect at three levels:
International: IEC, ITU, ISO/IEC JTC 1 and its SC 27 (188 TCs, 550 SCs, 2.175 WGs, 30.000 experts)
Regional (e.g., Europe): CEN, CENELEC, ETSI (TC ESI), EESSI
National (e.g., Belgium): BIN, B037, SCII3A
ISO/IEC JTC 1/SC 27 “IT Security Techniques”: Scope & Organization
Standardization of generic IT security services and techniques, including:
identification of generic requirements for IT system security services,
development of security techniques and mechanisms (cryptographic and non-cryptographic),
development of security guidelines,
development of management support documentation and standards,
development of criteria for IT security evaluation and certification of IT systems, components, and products.
ISO/IEC JTC 1/SC 27: Information technology - Security techniques. Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
Working Group 1: Requirements, services, guidelines. Convener: Mr. T. Humphreys
Working Group 2: Security techniques and mechanisms. Convener: Mr. K. Naemura
Working Group 3: Security evaluation criteria. Convener: Mr. M. Ohlin
Membership of SC 27
Timeline diagram of P-Members.
Founding P-Members (in 1990): Canada, USA, Brazil, China, Japan, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Norway, Spain, Sweden, Switzerland, UK, USSR, Korea
Additional P-Members, joining along the timeline 1994, 1996, 1999, 2001, 2002, 2003, 2005/06 (in timeline order): Australia, Russian Federation, Poland, Malaysia, Czech Republic, Ukraine, India, South Africa, Austria, Kenya, Singapore, Luxembourg, New Zealand, Sri Lanka, Uruguay
O-members: Argentina, Hong Kong, Indonesia, Belarus, Cyprus, Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
Selected Liaisons
Diagram of SC 27 liaisons by sector:
ITU-T (telecoms)
TC 215 (healthcare)
TC 68 (banking)
TC 65 (safety)
ISSA, ISSEA (information security)
SC 37 (biometrics)
Hierarchical Security Management Model (SC 27 View)
Terminology
Toolbox of Techniques
Frameworks: provide a simplified description of interrelationships used to organize concepts, methods and technologies
Principles: provide generally accepted high-level basic rules used as a foundation to guidance
Element Standards: provide specific requirements that apply to a defined area of security management
Application Guides and Supplements: provide detailed descriptions offering guidance on how element standards may be applied in specific situations
Hierarchical Security Management Model (SC 27 View)
Diagram placing SC 27 documents on the model layers (Application Guides and Supplements, Element Standards, Frameworks, Principles, Terminology, Toolbox of Techniques):
ISMS Requirements (NP 27001)
ISM Metrics & Measurements (NP 27004)
Code of Practice for ISM (IS 17799 / ITU-T X.1051)
MICTS-1: Models and concepts
MICTS-2: Risk management
Information Security Management Implementation Guidance (NP 27003)
Information Security Mgt Framework
IT Network Security (IS 18028 / ITU-T X.???)
IT Intrusion Detection Framework (TR 15947)
Guidelines for TTP Services (IS 14516 / ITU-T X.842)
Healthcare ISMS Guide (TC 215)
T-ISMS: Telecom ISMS Guide (ITU-T X.1051)
Financial ISMS Guide (TC 68)
SC 27 SD 6 (updated and harmonized)
ISO Guide 73
IS 19011 Auditing
Info Security Incident Management (TR 18044)
SC 27 Standards – Cryptographic Techniques
Categories: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation
Key Mgt (IS 11770)
Entity Authentication (IS 9798)
Encryption (IS 18033)
Modes of Operation (IS 10116)
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)
Signatures giving msg recovery (IS 9796)
Non-Repudiation (IS 13888)
Signatures with appendix (IS 14888)
Check Character Systems (IS 7064)
Crypto Techniques based on Elliptic Curves (IS 15946)
Time Stamping Services (IS 18014)
Random Bit Generation (IS 18031)
Prime Number Generation (IS 18032)
Biometric Template Protection (NP 24745)
Authenticated Encryption (IS 19772)
SC 27 Standards – Security Evaluation
Framework for Security Evaluation & Testing of Biometric Technology (IS 19792)
Security Assessment of Operational Systems (TR 19791)
Evaluation Criteria for IT Security (“Common Criteria”) (IS 15408)
Security Requirements for Cryptographic Modules (IS 19790)
Protection Profile Registration Procedures (IS 15292)
Systems Security Engineering – Capability Maturity Model (IS 21827)
Methodology for IT Security Evaluation (IS 18045)
Framework for IT Security Assurance (TR 15443)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
Test Requirements for Cryptographic Modules (IS 24759)
New security areas - restructuring
SC 27 recently started new projects/studies in the following areas: Biometrics; Full ISMS framework; Requirements from new ISMS application domains (health care, transport, …); Identification; Privacy; …
This required a revision and re-structuring of the SC 27 organisation in order to:
attract new additional NB representatives to broaden the expertise available,
create WGs with a clearly focused scope,
increase the attractiveness for the experts to participate,
ensure the appropriate level of detail, quality and customer orientation in the standards and technical reports produced,
improve balance between WGs with respect to workload and participation,
improve overall efficiency across work programme and WGs.
Evolving Structure
Diagram of the revised working-group structure, arranged by type of work (Assessment, Guidelines, Techniques) and by object (Process, Environment, System, Product):
WG 1 “Security Guidelines” becomes WG 1 “ISMS” and WG 4 “Security Controls & Services”
WG 2 “Cryptography & Security Mechanisms”
WG 3 “Security Evaluation”
WG 5 “Privacy, Identity & Biometric Security”
WGs shown in italics on the slide (WG 4 and WG 5) are new
ISO/IEC JTC 1/SC 27 “IT Security Techniques”: Scope & Organization
ISO/IEC JTC 1/SC 27: Information technology - Security techniques. Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
Working Group 1: Information security management systems. Convener: Mr. T. Humphreys
Working Group 2: Cryptography and security mechanisms. Convener: Mr. K. Naemura
Working Group 3: Security evaluation criteria. Convener: Mr. M. Ohlin
Working Group 4: Security controls and services. Convener: Mr. M.-C. Kang
Working Group 5: Identity management and privacy technologies. Acting Convener: Mr. John Snare
(to be revised)
Information Security Management Systems (WG 1) – Revised Scope
The scope of WG 1 covers the development of Information Security Management System (ISMS) standards and guidelines:
Development and maintenance of the ISO/IEC 27000 ISMS standards family
Identification of requirements for future ISMS standards and guidelines
Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for ISMS, e.g.: ITU-T (Telecoms), TC 215 (Healthcare), TC 68 (Financial Services), TC 204 (Transportation) [in process], World Lottery Association (Gambling) [in process]
ISMS Standards
27000 Principles and Vocabulary
27001 ISMS Requirements
27002 ISM Code of Practice
27003 ISMS Implementation Guidance
27004 ISM Measurements
27005 ISMS Risk Assessment
27006 Accreditation Requirements
27001 – ISMS requirements
Published 15th Oct 2005
A specification for 3rd party certifications
Based on the PDCA (Plan, Do, Check, Act) model
Replaces BS 7799 Part 2
PDCA cycle: Design ISMS (Plan) → Implement & use ISMS (Do) → Monitor & review ISMS (Check) → Maintain & improve ISMS (Act)
27002 – Code of Practice
Code of Practice for Information Security Management
The number to be given to ISO 17799 as of April 2007
Revision of ISO/IEC 17799:2000 (e.g. on asset management, mobile & wireless, vulnerability management, human resources, incident handling, third party services, …)
Published 15th June 2005
27003 – ISMS Implementation
Objective: provide implementation guidance to support the ISMS requirements standard 27001
Guidance and detailed advice regarding the PDCA processes, e.g. ISMS scope and policy, identification of assets, monitoring and review, continuous improvement
Working Draft level
27004 – ISM Measurements
Objective: to develop an information security management measurements standard aimed at addressing how to measure the EFFECTIVENESS of ISMS implementations (processes and controls)
Performance targets, benchmarking, …
What to measure, how to measure and when to measure
At CD level
Expected publication around the end of 2007
27005 – Risk Management
Objective: to cover the risk management process that supports ISO 27001
Risk assessment, risk treatment, selection of controls, on-going risk management activities (e.g. re-assessment of risks)
Includes MICTS Part 2 (GMITS Parts 3 and 4)
Currently at FCD level
Expected publication end 2007
27006 – Accreditation requirements
Objective: to specify requirements for bodies providing audit and certification of information security management systems
Replaces EA 7/03
Expected to be published Feb 07
27000 – Principles and vocabulary
Includes a reference model for the 27000 series
Includes MICTS Part 1 (GMITS Parts 1 and 2)
Currently at working draft level
Expected publication 2008
Security Controls and Services (WG 4) – Scope
Established in May 2006, “spin-off” from WG 1
Scope covers the development and maintenance of standards and guidelines addressing security controls and services, including current SC 27 projects
Identification of requirements for and development of future service and applications standards and guidelines, for example in the areas of ICT Readiness for Business Continuity, Cyber Security, Application Security
Security Controls and Services (WG 4) – Scope
Table of WG 4 topics and their status:
Network Security: ISO 18028 revision
TTP Services Security: includes outsourcing and off-shoring security
ICT Readiness for BC, DR, & ER: NP; possibly include ISO/IEC 24762, Vulnerability Mgmt, IDS, & Incident Response related standards
Application Security: future NP
Forensic Investigation: under study
Cybersecurity: Anti-Spyware, Anti-SPAM, Anti-Phishing
Identity Management and Privacy Technologies (WG 5) – Scope
Established May 2006
Scope covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
Current SC 27 projects: Framework for Identity Management (24760), Biometric template protection (24745), Authentication context for biometrics (24761), A privacy framework (NP 29100), A privacy reference architecture (NP 29101)
Identification of requirements for and development of future standards and guidelines in these areas. Potential topics include role based access control, provisioning, identifiers, and single sign-on in the area of identity management; privacy infrastructures, anonymity and credentials, specific Privacy Enhancing Technologies (PETs), and privacy engineering.
Personal Identification
WG 5 has undertaken a study on personal identification. As a result of this study, matters concerning personal identification will be addressed in project 1.27.50 – CD 24760 “A Framework For Identity Management”.
This standard will define concepts associated with identity and identity management, and provide a framework for the secure, reliable, and private management of identity information (including information related to personal identification) over the lifecycle of entity identities and identity information.
WG 5 is liaising with SC 17 and SC 37 on this subject.
Privacy Management
WG 5 has undertaken a study on Privacy Management. Privacy Management will be addressed in new projects 1.27.54 “Privacy Framework (NP 29100)” and 1.27.55 “Privacy Reference Architecture (NP 29101)”.
SC 27 has liaisons with SC 7, SC 17, SC 25, SC 36 and SC 37, and intends to establish liaison with SC 32. Through these liaisons SC 27 will take account of related work in these JTC 1 SCs.
SC 27 is in the process of establishing a Cat C liaison to the International Conference of Data Protection and Privacy Commissioners.
NP 29100 – A Privacy Framework
NP approved with 23 YES, 1 NO (Q.2); 10 NB commitments for active participation (Q.3)
NB contributions received; editor proposed.
The privacy framework standard will provide a framework for defining privacy requirements as they relate to personally identifiable (PI) information processed by any information and communication system in any jurisdiction; set a common privacy terminology; define privacy principles when processing PI information; categorize privacy features; and relate all described privacy aspects to existing security guidelines.
1st WD expected for Q2 2007
NP 29101 – A Privacy Reference Architecture
NP approved with 22 YES, 1 NO (Q.2); 9 NB commitments for active participation (Q.3)
NB contributions received; editor proposed.
The privacy reference architecture will:
describe best practices for a consistent, technical implementation of privacy requirements as they relate to the processing of personally identifiable (PI) information in information and communication systems;
cover the various stages in data life cycle management and the required privacy functionalities for PI data in each data life cycle, as well as positioning the roles and responsibilities of all involved parties;
present a target architecture and provide guidance for planning and building system architectures that facilitate the proper handling of PI data across system platforms;
set out the necessary prerequisites to allow the categorization of data and control over specific sets of data within various data life cycles.
1st WD expected Q2 2007
New activities
Study Periods: Biometrics; Object identifiers and ASN.1 syntax; Transport system security; Low power encryption; Cyber security; Personal identification; ICT Readiness for Business Continuity (new 11/06); Application Security (new 11/06).
Low Power Encryption
WG2 Study Period established
Call for NB contributions
WG2 reviewing contributions received
Further study necessary
Cyber Security
WG4 Study period established; Co-Rapporteurs appointed
First call for contributions; no substantial input received
Clarify scopes and objectives; identify key issues to be addressed; establish liaison with relevant bodies, including ITU-T SG17, OECD
Specific call for contributions (NWI proposals) early 2007
Transportation Security
WG1 study period has been established
NWI proposal by April 2007
Start NP October 2007
Establish liaison with TC 204 in order to consider the development of sector-specific requirements for ISMS within the transportation sector.
Note: Similar activities are expected to take place for the automotive sector, aerospace industry, manufacturing sector, …
SC 27 - Summary
SC 27 is responsible for ~ 90 projects, including over 40 active projects
Between 1990 and today, SC 27 has published 50+ International Standards (IS) and Technical Reports (TR)
Next Meetings: May 2007 Moscow-St. Petersburg (Russia), WGs & Plenary; October 2007 Luzern (Switzerland), WGs; April 2008 Kyoto (Japan), WGs & Plenary
More Information & Contact
SC 27 web-page (scope, organization, work items, etc.): http://www.ni.din.de/sc27
SD7: Catalogue of SC 27 Projects & Standards
SC 27 Secretariat: [email protected]
SC 27 Chairman: [email protected]
SC 27 Vice Chair: [email protected]
Thank You
Contact: [email protected]