ISO-ITU Cooperation on Security Standardization
Dr. Walter Fumy, Chairman ISO/IEC JTC 1/SC 27, Chief Scientist, Bundesdruckerei GmbH, Germany
7th ETSI Security Workshop - Sophia Antipolis, January 2012
Agenda
ISO/IEC JTC 1/SC 27 – IT Security Techniques
- Scope, organization, work programme
- Recent achievements
- New projects
Collaboration with ITU-T
- Modes of collaboration
- JTC 1 – ITU-T collaboration on security standardization
Conclusion
Walter Fumy | 18.01.2012 | 7th ETSI Security Workshop, Sophia Antipolis, January 2012
ISO/IEC JTC 1/SC 27 – Scope
The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as
- Information Security Management Systems (ISMS), security controls and services;
- Cryptographic mechanisms;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security;
- Security evaluation criteria and methodology.
ISO/IEC JTC 1/SC 27 – Structure
ISO/IEC JTC 1/SC 27 – IT Security techniques
Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
- Working Group 1 – Information security management systems (Convener: Mr. T. Humphreys)
- Working Group 2 – Cryptography and security mechanisms (Convener: Mr. T. Chikazawa)
- Working Group 3 – Security evaluation criteria (Convener: Mr. M. Bañón)
- Working Group 4 – Security controls and services (Convener: Mr. M.-C. Kang)
- Working Group 5 – Identity management and privacy technologies (Convener: Mr. K. Rannenberg)
http://www.jtc1sc27.din.de/en
SC 27/WG 1 – ISMS Family of Standards
- 27000: 2009 – ISMS Overview and Vocabulary
- 27001: 2005 – ISMS Requirements
- 27006: 2011 – Accreditation Requirements
- 27010 – ISMS for inter-sector and inter-organisational communications
SC 27/WG 5 – Identity Management and Privacy Technologies
WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
Protection Concepts
- Biometric information protection (ISO/IEC 24745, IS)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)
Guidance on Context and Assessment
- Authentication context for biometrics (ISO/IEC 24761, 2009)
- Privacy capability assessment framework (ISO/IEC 29190, WD)
Recent Achievements
Between October 2010 and September 2011:
- 13 International Standards and Technical Reports have been published
- 14 new projects have been approved (total number of projects: ~170)
- 4 additional P-members (total 46)
- (total number of O-members: 17)
- 24 internal liaisons
- 29 external liaisons
Approved New Projects (I)
- ISO/IEC 17825: Testing methods for the mitigation of non-invasive attack classes against cryptographic modules
- ISO/IEC 18014-4: Time-stamping services – Part 4: Traceability of time sources
- ISO/IEC 18033-5: Encryption algorithms – Part 5: Identity-based mechanisms
- ISO/IEC 20009-3: Anonymous entity authentication – Part 3: Mechanisms based on blind signatures
- ISO/IEC 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (as Technical Specification)
Approved New Projects (II)
- ISO/IEC 27036: Information security for supplier relationships
  – Part 1: Overview and concepts
  – Part 2: Common requirements
  – Part 3: Guidelines for ICT supply chain security
  – Part 4: Guidelines for security of outsourcing
- ISO/IEC 27041: Guidance on assuring suitability and adequacy of investigation methods
- ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043: Investigation principles and processes
- ISO/IEC 30111: Vulnerability handling processes
- ISO/IEC 30104: Physical security attacks, mitigation techniques and security requirements
Participation & More Information
Next SC 27 meetings:
- May 7-15, 2012, Stockholm, Sweden (WGs and Plenary)
- Oct 22-26, 2012, Italy (WGs)
http://www.jtc1sc27.din.de/en
SC 27 Collaboration with ITU-T
ITU-T SG17 and SC 27 collaborate on many projects in order to progress common or twin text documents and to publish common standards. These include:

ISO/IEC | ITU-T | Title | Type | Remark
TR 14516 | X.842 | Guidelines on the use and management of Trusted Third Party services | Common | 2002
15816 | X.841 | Security information objects (SIOs) for access control | Common | 2002
15945 | X.843 | Specification of TTP services to support the application of | |
27011 | X.1051 | Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | Common | 2008
27014 | X.1054 | Governance of information security | Common | DIS
29115 | X.1254 | Entity authentication assurance framework | Common | DIS
tbs | X.bhsm | Telebiometric authentication framework using biometric hardware security module | Common | NWIP
Example for Common Text Standard
ISO/IEC 27011: 2008 = ITU-T Recommendation X.1051: Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
Guide for ITU-T and ISO/IEC JTC 1 cooperation
ISO/IEC JTC 1 Standing Document 3 = Annex A to Recommendation ITU-T A.23
Modes of Collaboration
Specific to collaboration of JTC 1 and ITU-T:
- Desire: produce common or twin (technically aligned) texts
- JTC 1 and ITU-T keep their own processes; approvals are synchronized
- Two options for collaboration:
  – Interchange mode is used when the work is straightforward, non-controversial, and with sufficient common participation in the meetings of the two organizations
  – For more complex situations a joint Collaborative Team may work better
Useful References
Guide for ITU-T and ISO/IEC JTC 1 Cooperation
http://www.itu.int/rec/T-REC-A.23-201002-I!AnnA
List of common text and technically aligned Recommendations | International Standards
http://www.itu.int/oth/T0A0D000011/en
Mapping between ISO/IEC International Standards and ITU-T Recommendations
http://www.itu.int/oth/T0A0D000012/en
Relationships of SG 17 Questions with JTC 1 SCs, categorized as
- joint work (collaboration) (level 1)
- technical cooperation via liaison (level 2)
- informational liaison (level 3)
http://www.itu.int/en/ITU-T/studygroups/com17/Pages/relationships.aspx
ISO/IEC JTC 1 – Information Technology: Security-Related Sub-committees
SC 6 Telecommunications and information exchange between systems
SC 7 Software and systems engineering
SC 17 Cards and personal identification
SC 25 Interconnection of information technology equipment
SC 27 IT Security techniques
SC 29 Coding of audio, picture, multimedia and hypermedia information
SC 31 Automatic identification and data capture techniques
SC 32 Data management and interchange
SC 36 Information technology for learning, education and training
SC 37 Biometrics
SC 38 Distributed application platforms and services (DAPS)
Relationships of SG 17 Questions with JTC 1 SCs (I)
Question | Title | ISO, IEC | Level
Q.1/WP1 | Telecommunications systems security project | JTC 1/SC 27 | 2&3
Q.2/WP1 | Security architecture and framework | JTC 1/SC 27 | 1&2
Q.3/WP1 | Telecommunication information security management | JTC 1/SC 27 | 1&2