draft-ietf-opsec-efforts-00.txt   draft-ietf-opsec-efforts-01.txt 
Network Working Group C. Lonvick Network Working Group C. Lonvick
Internet-Draft D. Spak Internet-Draft D. Spak
Expires: July 23, 2005 Cisco Systems Expires: January 8, 2006 Cisco Systems
January 22, 2005 July 7, 2005
Security Best Practices Efforts and Documents Security Best Practices Efforts and Documents
draft-ietf-opsec-efforts-00.txt draft-ietf-opsec-efforts-01.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions By submitting this Internet-Draft, each author represents that any
of section 3 of RFC 3667. By submitting this Internet-Draft, each applicable patent or other IPR claims of which he or she is aware
author represents that any applicable patent or other IPR claims of have been or will be disclosed, and any of which he or she becomes
which he or she is aware have been or will be disclosed, and any of aware will be disclosed, in accordance with Section 6 of BCP 79.
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as Internet-
Internet-Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 23, 2005. This Internet-Draft will expire on January 8, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document provides a snapshot of the current efforts to define or This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing apply security requirements in various Standards Developing
Organizations (SDO). Organizations (SDO).
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Format of this Document . . . . . . . . . . . . . . . . . . 6 2. Format of this Document . . . . . . . . . . . . . . . . . . 7
3. Online Security Glossaries . . . . . . . . . . . . . . . . . 7 3. Online Security Glossaries . . . . . . . . . . . . . . . . . 8
3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 7 3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 8
3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 7 3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 8
3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 7 3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 8
3.4 Compendium of Approved ITU-T Security Definitions . . . . 7 3.4 Compendium of Approved ITU-T Security Definitions . . . . 9
3.5 Microsoft Solutions for Security Glossary . . . . . . . . 8 3.5 Microsoft Solutions for Security Glossary . . . . . . . . 9
3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 8 3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 9
3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 8 3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 9
4. Standards Developing Organizations . . . . . . . . . . . . . 9 4. Standards Developing Organizations . . . . . . . . . . . . . 10
4.1 3GPP - Third Generation P P . . . . . . . . . . . . . . . 9 4.1 3GPP - Third Generation Partnership Project . . . . . . . 10
4.2 3GPP2 - Third Generation P P 2 . . . . . . . . . . . . . . 9 4.2 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10
4.3 ANSI - The American National Standards Institute . . . . . 9 4.3 ANSI - The American National Standards Institute . . . . . 10
4.4 ATIS - Alliance for Telecommunications Industry 4.4 ATIS - Alliance for Telecommunications Industry
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 9 Solutions . . . . . . . . . . . . . . . . . . . . . . . . 10
4.4.1 ATIS Network Performance, Reliability and Quality 4.4.1 ATIS Network Performance, Reliability and Quality
of Service Committee, formerly T1A1 . . . . . . . . . 10 of Service Committee, formerly T1A1 . . . . . . . . . 11
4.4.2 ATIS Network Interface, Power, and Protection 4.4.2 ATIS Network Interface, Power, and Protection
Committee, formerly T1E1 . . . . . . . . . . . . . . . 10 Committee, formerly T1E1 . . . . . . . . . . . . . . . 11
4.4.3 ATIS Telecom Management and Operations Committee, 4.4.3 ATIS Telecom Management and Operations Committee,
formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 10 formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 11
4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 10 4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 11
4.4.5 ATIS Wireless Technologies and Systems Committee, 4.4.5 ATIS Wireless Technologies and Systems Committee,
formerly T1P1 . . . . . . . . . . . . . . . . . . . . 11 formerly T1P1 . . . . . . . . . . . . . . . . . . . . 12
4.4.6 ATIS Packet Technologies and Systems Committee, 4.4.6 ATIS Packet Technologies and Systems Committee,
regarding T1S1 . . . . . . . . . . . . . . . . . . . . 11 formerly T1S1 . . . . . . . . . . . . . . . . . . . . 12
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 11 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 12
4.4.8 ATIS Optical Transport and Synchronization 4.4.8 ATIS Optical Transport and Synchronization
Committee, formerly T1X1 . . . . . . . . . . . . . . . 11 Committee, formerly T1X1 . . . . . . . . . . . . . . . 12
4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 11 4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 12
4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 12 4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 13
4.7 ETSI - The European Telecommunications Standard 4.7 ETSI - The European Telecommunications Standard
Institute . . . . . . . . . . . . . . . . . . . . . . . . 12 Institute . . . . . . . . . . . . . . . . . . . . . . . . 13
4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 12 4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 13
4.9 IEEE - The Institute of Electrical and Electronics 4.9 IEEE - The Institute of Electrical and Electronics
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 12 Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 13
4.10 IETF - The Internet Engineering Task Force . . . . . . . 13 4.10 IETF - The Internet Engineering Task Force . . . . . . . 14
4.11 INCITS - InterNational Committee for Information 4.11 INCITS - InterNational Committee for Information
Technology Standards . . . . . . . . . . . . . . . . . . 13 Technology Standards . . . . . . . . . . . . . . . . . . 14
4.12 ISO - The International Organization for 4.12 INCITS Technical Committee T11 - Fibre Channel
Standardization . . . . . . . . . . . . . . . . . . . . 13 Interfaces . . . . . . . . . . . . . . . . . . . . . . . 14
4.13 ITU - International Telecommunication Union . . . . . . 13 4.13 ISO - The International Organization for
4.13.1 ITU Telecommunication Standardization Sector - Standardization . . . . . . . . . . . . . . . . . . . . 14
ITU-T . . . . . . . . . . . . . . . . . . . . . . . 13 4.14 ITU - International Telecommunication Union . . . . . . 14
4.13.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 13 4.14.1 ITU Telecommunication Standardization Sector -
4.13.3 ITU Telecom Development - ITU-D . . . . . . . . . . 14 ITU-T . . . . . . . . . . . . . . . . . . . . . . . 15
4.14 OASIS - Organization for the Advancement of 4.14.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 15
Structured Information Standards . . . . . . . . . . . . 14 4.14.3 ITU Telecom Development - ITU-D . . . . . . . . . . 15
4.15 OIF - Optical Internetworking Forum . . . . . . . . . . 14 4.15 OASIS - Organization for the Advancement of
4.16 NRIC - The Network Reliability and Interoperability Structured Information Standards . . . . . . . . . . . . 15
Council . . . . . . . . . . . . . . . . . . . . . . . . 14 4.16 OIF - Optical Internetworking Forum . . . . . . . . . . 15
4.17 TIA - The Telecommunications Industry Association . . . 14 4.17 NRIC - The Network Reliability and Interoperability
4.18 Web Services Interoperability Organization (WS-I) . . . 15 Council . . . . . . . . . . . . . . . . . . . . . . . . 15
5. Security Best Practices Efforts and Documents . . . . . . . 16 4.18 National Security Telecommunications Advisory
5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 16 Committee (NSTAC) . . . . . . . . . . . . . . . . . . . 16
5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 16 4.19 TIA - The Telecommunications Industry Association . . . 16
4.20 Web Services Interoperability Organization (WS-I) . . . 16
5. Security Best Practices Efforts and Documents . . . . . . . 17
5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 17
5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 17
5.3 American National Standard T1.276-2003 - Baseline 5.3 American National Standard T1.276-2003 - Baseline
Security Requirements for the Management Plane . . . . . . 16 Security Requirements for the Management Plane . . . . . . 17
5.4 DMTF - Security Protection and Management (SPAM) 5.4 DMTF - Security Protection and Management (SPAM)
Working Group . . . . . . . . . . . . . . . . . . . . . . 17 Working Group . . . . . . . . . . . . . . . . . . . . . . 18
5.5 DMTF - User and Security Working Group . . . . . . . . . . 17 5.5 DMTF - User and Security Working Group . . . . . . . . . . 18
5.6 ATIS Security & Emergency Preparedness Activities . . . . 17 5.6 ATIS Security & Emergency Preparedness Activities . . . . 18
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable,
End-To-End Standards and Solutions . . . . . . . . . . . . 17 End-To-End Standards and Solutions . . . . . . . . . . . . 18
5.8 Common Criteria . . . . . . . . . . . . . . . . . . . . . 18 5.7.1 ATIS Work on Packet Filtering . . . . . . . . . . . . 19
5.9 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 5.8 ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 19
5.10 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 18 5.9 Common Criteria . . . . . . . . . . . . . . . . . . . . . 19
5.11 Information System Security Assurance Architecture . . . 19 5.10 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.12 Operational Security Requirements for IP Network 5.11 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 20
Infrastructure : Advanced Requirements . . . . . . . . . 19 5.12 Information System Security Assurance Architecture . . . 20
5.13 INCITS Technical Committee T4 - Security Techniques . . 19 5.13 Operational Security Requirements for IP Network
5.14 INCITS Technical Committee T11 - Fibre Channel Infrastructure : Advanced Requirements . . . . . . . . . 20
Interfaces . . . . . . . . . . . . . . . . . . . . . . . 19 5.14 INCITS Technical Committee T4 - Security Techniques . . 21
5.15 ISO Guidelines for the Management of IT Security - 5.15 INCITS CS1 - Cyber Security . . . . . . . . . . . . . . 21
GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 20 5.16 ISO Guidelines for the Management of IT Security -
5.16 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 20 GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.17 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 21 5.17 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 22
5.18 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 21 5.18 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 23
5.19 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 22 5.19 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 23
5.20 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 22 5.20 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 24
5.21 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 22 5.21 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 24
5.22 Catalogue of ITU-T Recommendations related to 5.22 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 24
Communications System Security . . . . . . . . . . . . . 22 5.23 Catalogue of ITU-T Recommendations related to
5.23 ITU-T Security Manual . . . . . . . . . . . . . . . . . 23 Communications System Security . . . . . . . . . . . . . 24
5.24 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 23 5.24 ITU-T Security Manual . . . . . . . . . . . . . . . . . 25
5.25 OASIS Security Joint Committee . . . . . . . . . . . . . 23 5.25 ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . 25
5.26 OASIS Security Services TC . . . . . . . . . . . . . . . 24 5.26 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 25
5.27 OIF Implementation Agreements . . . . . . . . . . . . . 24 5.27 OASIS Security Joint Committee . . . . . . . . . . . . . 26
5.28 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 24 5.28 OASIS Security Services TC . . . . . . . . . . . . . . . 26
5.29 WS-I Basic Security Profile . . . . . . . . . . . . . . 24 5.29 OIF Implementation Agreements . . . . . . . . . . . . . 26
6. Security Considerations . . . . . . . . . . . . . . . . . . 26 5.30 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 27 5.31 WS-I Basic Security Profile . . . . . . . . . . . . . . 27
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 28 6. Security Considerations . . . . . . . . . . . . . . . . . . 28
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 29 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 29
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 30
10.1 Normative References . . . . . . . . . . . . . . . . . . . 30 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 31
10.2 Informative References . . . . . . . . . . . . . . . . . . 30 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 30 10.1 Normative References . . . . . . . . . . . . . . . . . . 32
Intellectual Property and Copyright Statements . . . . . . . 31 10.2 Informative References . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 32
Intellectual Property and Copyright Statements . . . . . . . 33
1. Introduction 1. Introduction
The Internet is being recognized as a critical infrastructure similar The Internet is being recognized as a critical infrastructure similar
in nature to the power grid and a potable water supply. Just like in nature to the power grid and a potable water supply. Just like
those infrastructures, means are needed to provide resiliency and those infrastructures, means are needed to provide resiliency and
adaptability to the Internet so that it remains consistently adaptability to the Internet so that it remains consistently
available to the public throughout the world even during times of available to the public throughout the world even during times of
duress or attack. For this reason, many SDOs are developing duress or attack. For this reason, many SDOs are developing
standards with hopes of retaining an acceptable level, or even standards with hopes of retaining an acceptable level, or even
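Review bot: the -01 table of contents introduces "5.7.1 ATIS Work on Packet Filtering" as the only subsection of 5.7, while the related new entry "5.8 ATIS Work on the NGN" is a top-level section. A lone child subsection is awkward; either promote packet filtering to its own 5.x section or nest both ATIS items under 5.7. The ToC entry for 4.4.7 also still reads "regarding T1S1" although 4.4.6 was changed to "formerly T1S1".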
skipping to change at page 7, line 14 skipping to change at page 8, line 14
3. Online Security Glossaries 3. Online Security Glossaries
This section contains references to glossaries of network and This section contains references to glossaries of network and
computer security terms computer security terms
3.1 ATIS Telecom Glossary 2000 3.1 ATIS Telecom Glossary 2000
http://www.atis.org/tg2k/ http://www.atis.org/tg2k/
Under an approved T1 standards project (T1A1-20), an existing Under an approved T1 standards project (T1A1-20), an existing 5800-
5800-entry, search-enabled hypertext telecommunications glossary entry, search-enabled hypertext telecommunications glossary titled
titled Federal Standard 1037C, Glossary of Telecommunication Terms Federal Standard 1037C, Glossary of Telecommunication Terms was
was updated and matured into this glossary, T1.523-2001, Telecom updated and matured into this glossary, T1.523-2001, Telecom Glossary
Glossary 2000. This updated glossary was posted on the Web as a 2000. This updated glossary was posted on the Web as a American
American National Standard (ANS). National Standard (ANS).
3.2 Critical Infrastructure Glossary of Terms and Acronyms 3.2 Critical Infrastructure Glossary of Terms and Acronyms
http://www.ciao.gov/ciao_document_library/glossary/a.htm http://www.ciao.gov/ciao_document_library/glossary/a.htm
The Critical Infrastructure Assurance Office (CIAO) was created to The Critical Infrastructure Assurance Office (CIAO) was created to
coordinate the Federal Government's initiatives on critical coordinate the Federal Government's initiatives on critical
infrastructure assurance. While the glossary was not created as a infrastructure assurance. While the glossary was not created as a
glossary specifically for security terms, it is populated with many glossary specifically for security terms, it is populated with many
security related definitions, abbreviations, organizations, and security related definitions, abbreviations, organizations, and
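Review bot: in 3.1 the -01 text only re-wraps the paragraph and carries over "posted on the Web as a American National Standard (ANS)"; this should read "an American National Standard". The new wrap also splits "5800-entry" at the hyphen across a line break, which renders as "5800- entry" in reflowed copies; keep the compound on one line.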
skipping to change at page 9, line 14 skipping to change at page 10, line 14
4. Standards Developing Organizations 4. Standards Developing Organizations
This section of this document lists the SDOs, or organizations that This section of this document lists the SDOs, or organizations that
appear to be developing security related standards. These SDOs are appear to be developing security related standards. These SDOs are
listed in alphabetical order. listed in alphabetical order.
Note: The authors would appreciate corrections and additions. This Note: The authors would appreciate corrections and additions. This
note will be removed before publication as an RFC. note will be removed before publication as an RFC.
4.1 3GPP - Third Generation P P 4.1 3GPP - Third Generation Partnership Project
http://www.3gpp.org http://www.3gpp.org
The 3rd Generation Partnership Project (3GPP) is a collaboration The 3rd Generation Partnership Project (3GPP) is a collaboration
agreement formed in December 1998. The collaboration agreement is agreement formed in December 1998. The collaboration agreement is
comprised of several telecommunications standards bodies which are comprised of several telecommunications standards bodies which are
known as "Organizational Partners". The current Organizational known as "Organizational Partners". The current Organizational
Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.
4.2 3GPP2 - Third Generation P P 2 4.2 3GPP2 - Third Generation Partnership Project 2
http://www.3gpp2.org http://www.3gpp2.org
Third Generation Partnership Project 2 (3GPP2) is a collaboration Third Generation Partnership Project 2 (3GPP2) is a collaboration
among Organizational Partners much like its sister project 3GPP. The among Organizational Partners much like its sister project 3GPP. The
Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes
the CDMA Development Group and IPv6 Forum as Market Representation the CDMA Development Group and IPv6 Forum as Market Representation
Partners for market advice. Partners for market advice.
4.3 ANSI - The American National Standards Institute 4.3 ANSI - The American National Standards Institute
http://www.ansi.org http://www.ansi.org
ANSI is a private, non-profit organization that organizes and ANSI is a private, non-profit organization that organizes and
oversees the U.S. voluntary standardization and conformity oversees the U.S. voluntary standardization and conformity assessment
assessment system. ANSI was founded October 19, 1918. system. ANSI was founded October 19, 1918.
4.4 ATIS - Alliance for Telecommunications Industry Solutions 4.4 ATIS - Alliance for Telecommunications Industry Solutions
http://www.atis.org http://www.atis.org
ATIS is a United States based body that is committed to rapidly ATIS is a United States based body that is committed to rapidly
developing and promoting technical and operations standards for the developing and promoting technical and operations standards for the
communications and related information technologies industry communications and related information technologies industry
worldwide using pragmatic, flexible and open approach. Committee T1 worldwide using pragmatic, flexible and open approach. Committee T1
as a group no longer exists as a result of the recent ATIS as a group no longer exists as a result of the recent ATIS
skipping to change at page 11, line 16 skipping to change at page 12, line 16
4.4.5 ATIS Wireless Technologies and Systems Committee, formerly T1P1 4.4.5 ATIS Wireless Technologies and Systems Committee, formerly T1P1
http://www.atis.org/0160/index.asp http://www.atis.org/0160/index.asp
ATIS Wireless Technologies and Systems Committee develops and ATIS Wireless Technologies and Systems Committee develops and
recommends standards and technical reports related to wireless and/or recommends standards and technical reports related to wireless and/or
mobile services and systems, including service descriptions and mobile services and systems, including service descriptions and
wireless technologies. wireless technologies.
4.4.6 ATIS Packet Technologies and Systems Committee, regarding T1S1 4.4.6 ATIS Packet Technologies and Systems Committee, formerly T1S1
T1S1 was split into two separate ATIS committees: the ATIS Packet T1S1 was split into two separate ATIS committees: the ATIS Packet
Technologies and Systems Committee and the ATIS Protocol Interworking Technologies and Systems Committee and the ATIS Protocol Interworking
Committee. As a result of the reorganization of T1S1, these groups Committee. PTSC is responsible for producing standards to secure
will also probably have a new mission and scope. signalling.
The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
at this time. It is expected to move to an ANSI standard.
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1
T1S1 was split into two separate ATIS committees: the ATIS Packet T1S1 was split into two separate ATIS committees: the ATIS Packet
Technologies and Systems Committee and the ATIS Protocol Interworking Technologies and Systems Committee and the ATIS Protocol Interworking
Committee. As a result of the reorganization of T1S1, these groups Committee. As a result of the reorganization of T1S1, these groups
will also probably have a new mission and scope. will also probably have a new mission and scope.
4.4.8 ATIS Optical Transport and Synchronization Committee, formerly 4.4.8 ATIS Optical Transport and Synchronization Committee, formerly
T1X1 T1X1
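Review bot: in 4.4.6 the new text uses "PTSC" without expanding it; spell it out on first use as "ATIS Packet Technologies and Systems Committee (PTSC)". The reference to PTSC-SEC-2005-059.doc gives no URL, unlike the 4.4.5 entry above it, and "in Letter Ballot at this time" will go stale, so state the date. Section 4.4.7 keeps the "regarding T1S1" heading and the "will also probably have a new mission and scope" sentence that 4.4.6 just dropped; update it to match or say why it differs.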
skipping to change at page 13, line 23 skipping to change at page 14, line 25
4.11 INCITS - InterNational Committee for Information Technology 4.11 INCITS - InterNational Committee for Information Technology
Standards Standards
http://www.incits.org http://www.incits.org
INCITS focuses upon standardization in the field of Information and INCITS focuses upon standardization in the field of Information and
Communications Technologies (ICT), encompassing storage, processing, Communications Technologies (ICT), encompassing storage, processing,
transfer, display, management, organization, and retrieval of transfer, display, management, organization, and retrieval of
information. information.
4.12 ISO - The International Organization for Standardization 4.12 INCITS Technical Committee T11 - Fibre Channel Interfaces
http://www.t11.org/index.htm
T11 is responsible for standards development in the areas of
Intelligent Peripheral Interface (IPI), High-Performance Parallel
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
FC-SP to define Security Protocols for Fibre Channel.
FC-SP Project Proposal:
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf
4.13 ISO - The International Organization for Standardization
http://www.iso.org http://www.iso.org
ISO is a network of the national standards institutes of 148 ISO is a network of the national standards institutes of 148
countries, on the basis of one member per country, with a Central countries, on the basis of one member per country, with a Central
Secretariat in Geneva, Switzerland, that coordinates the system. ISO Secretariat in Geneva, Switzerland, that coordinates the system. ISO
officially began operations on February 23, 1947. officially began operations on February 23, 1947.
4.13 ITU - International Telecommunication Union 4.14 ITU - International Telecommunication Union
http://www.itu.int/ http://www.itu.int/
The ITU is an international organization within the United Nations The ITU is an international organization within the United Nations
System headquartered in Geneva, Switzerland. The ITU is comprised of System headquartered in Geneva, Switzerland. The ITU is comprised of
three sectors: three sectors:
4.13.1 ITU Telecommunication Standardization Sector - ITU-T 4.14.1 ITU Telecommunication Standardization Sector - ITU-T
http://www.itu.int/ITU-T/ http://www.itu.int/ITU-T/
ITU-T's mission is to ensure an efficient and on-time production of ITU-T's mission is to ensure an efficient and on-time production of
high quality standards covering all fields of telecommunications. high quality standards covering all fields of telecommunications.
4.13.2 ITU Radiocommunication Sector - ITU-R 4.14.2 ITU Radiocommunication Sector - ITU-R
http://www.itu.int/ITU-R/ http://www.itu.int/ITU-R/
The ITU-R plays a vital role in the management of the radio-frequency The ITU-R plays a vital role in the management of the radio-frequency
spectrum and satellite orbits. spectrum and satellite orbits.
4.13.3 ITU Telecom Development - ITU-D 4.14.3 ITU Telecom Development - ITU-D
(also referred as ITU Telecommunication Development Bureau - BDT) (also referred as ITU Telecommunication Development Bureau - BDT)
http://www.itu.int/ITU-D/ http://www.itu.int/ITU-D/
The Telecommunication Development Bureau (BDT) is the executive arm The Telecommunication Development Bureau (BDT) is the executive arm
of the Telecommunication Development Sector. Its duties and of the Telecommunication Development Sector. Its duties and
responsibilities cover a variety of functions ranging from programme responsibilities cover a variety of functions ranging from programme
supervision and technical advice to the collection, processing and supervision and technical advice to the collection, processing and
publication of information relevant to telecommunication development. publication of information relevant to telecommunication development.
4.14 OASIS - Organization for the Advancement of Structured 4.15 OASIS - Organization for the Advancement of Structured
Information Standards Information Standards
http://www.oasis-open.org/ http://www.oasis-open.org/
OASIS is a not-for-profit, international consortium that drives the OASIS is a not-for-profit, international consortium that drives the
development, convergence, and adoption of e-business standards. development, convergence, and adoption of e-business standards.
4.15 OIF - Optical Internetworking Forum 4.16 OIF - Optical Internetworking Forum
http://www.oiforum.com/ http://www.oiforum.com/
On April 20, 1998 Cisco Systems and Ciena Corporation announced an On April 20, 1998 Cisco Systems and Ciena Corporation announced an
industry-wide initiative to create the Optical Internetworking Forum, industry-wide initiative to create the Optical Internetworking Forum,
an open forum focused on accelerating the deployment of optical an open forum focused on accelerating the deployment of optical
internetworks. internetworks.
4.16 NRIC - The Network Reliability and Interoperability Council 4.17 NRIC - The Network Reliability and Interoperability Council
http://www.nric.org/ http://www.nric.org/
The purposes of the Committee are to give telecommunications industry The purposes of the Committee are to give telecommunications industry
leaders the opportunity to provide recommendations to the FCC and to leaders the opportunity to provide recommendations to the FCC and to
the industry that assure optimal reliability and interoperability of the industry that assure optimal reliability and interoperability of
telecommunications networks. The Committee addresses topics in the telecommunications networks. The Committee addresses topics in the
area of Homeland Security, reliability, interoperability, and area of Homeland Security, reliability, interoperability, and
broadband deployment. broadband deployment.
4.17 TIA - The Telecommunications Industry Association 4.18 National Security Telecommunications Advisory Committee (NSTAC)
http://www.ncs.gov/nstac/nstac.html
President Ronald Reagan created the National Security
Telecommunications Advisory Committee (NSTAC) by Executive Order
12382 in September 1982. Since then, the NSTAC has served four
presidents. Composed of up to 30 industry chief executives
representing the major communications and network service providers
and information technology, finance, and aerospace companies, the
NSTAC provides industry-based advice and expertise to the President
on issues and problems related to implementing national security and
emergency preparedness (NS/EP) communications policy. Since its
inception, the NSTAC has addressed a wide range of policy and
technical issues regarding communications, information systems,
information assurance, critical infrastructure protection, and other
NS/EP communications concerns.
4.19 TIA - The Telecommunications Industry Association
http://www.tiaonline.org http://www.tiaonline.org
TIA is accredited by ANSI to develop voluntary industry standards for TIA is accredited by ANSI to develop voluntary industry standards for
a wide variety of telecommunications products. TIA's Standards and a wide variety of telecommunications products. TIA's Standards and
Technology Department is composed of five divisions: Fiber Optics, Technology Department is composed of five divisions: Fiber Optics,
User Premises Equipment, Network Equipment, Wireless Communications User Premises Equipment, Network Equipment, Wireless Communications
and Satellite Communications. and Satellite Communications.
4.18 Web Services Interoperability Organization (WS-I) 4.20 Web Services Interoperability Organization (WS-I)
http://www.ws-i.org/ http://www.ws-i.org/
WS-I is an open, industry organization chartered to promote Web WS-I is an open, industry organization chartered to promote Web
services interoperability across platforms, operating systems, and services interoperability across platforms, operating systems, and
programming languages. The organization works across the industry programming languages. The organization works across the industry
and standards organizations to respond to customer needs by providing and standards organizations to respond to customer needs by providing
guidance, best practices, and resources for developing Web services guidance, best practices, and resources for developing Web services
solutions. solutions.
skipping to change at page 17, line 41 skipping to change at page 18, line 41
5.5 DMTF - User and Security Working Group 5.5 DMTF - User and Security Working Group
http://www.dmtf.org/about/committees/userWGCharter.pdf http://www.dmtf.org/about/committees/userWGCharter.pdf
The User and Security Working Group defines objects and access The User and Security Working Group defines objects and access
methods required for principals - where principals include users, methods required for principals - where principals include users,
groups, software agents, systems, and organizations. groups, software agents, systems, and organizations.
5.6 ATIS Security & Emergency Preparedness Activities 5.6 ATIS Security & Emergency Preparedness Activities
http://www.atis.org/atis/atisinfo/emergency/security_committee_activi http://www.atis.org/atis/atisinfo/emergency/
ties_T1.htm security_committee_activities_T1.htm
The link above contains the description of the ATIS Communications The link above contains the description of the ATIS Communications
Security Model, the scopes of the Technical Subcommittees in relation Security Model, the scopes of the Technical Subcommittees in relation
to the security model, and a list of published documents produced by to the security model, and a list of published documents produced by
ATIS addressed to various aspects of network security. ATIS addressed to various aspects of network security.
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
Standards and Solutions Standards and Solutions
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
The ATIS TOPS Security Focus Group has made recommendations on work The ATIS TOPS Security Focus Group has made recommendations on work
items needed to be performed by other SDOs. items needed to be performed by other SDOs.
5.8 Common Criteria 5.7.1 ATIS Work on Packet Filtering
A part of the ATIS Work Plan was to define how disruptions may be
prevented by filtering unwanted traffic at the edges of the network.
ATIS is developing this work in a document titled, "Traffic Filtering
for the Prevention of Unwanted Traffic".
5.8 ATIS Work on the NGN
http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/
Part%20I/ATIS_NGN_Part_1_Issue1.pdf
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
Definitions, Requirements, and Architecture, Issue 1.0, November
2004."
5.9 Common Criteria
http://csrc.nist.gov/cc/ http://csrc.nist.gov/cc/
Version 1.0 of the CC was completed in January 1996. Based on a Version 1.0 of the CC was completed in January 1996. Based on a
number of trial evaluations and an extensive public review, Version number of trial evaluations and an extensive public review, Version
1.0 was extensively revised and CC Version 2.0 was produced in April 1.0 was extensively revised and CC Version 2.0 was produced in April
of 1998. This became ISO International Standard 15408 in 1999. The of 1998. This became ISO International Standard 15408 in 1999. The
CC Project subsequently incorporated the minor changes that had CC Project subsequently incorporated the minor changes that had
resulted in the ISO process, producing CC version 2.1 in August 1999. resulted in the ISO process, producing CC version 2.1 in August 1999.
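Review bot: The URL added for the new section 5.8 (ATIS Work on the NGN) contains a space after "WebsiteDocuments/" where it wraps, so a reader cannot tell whether the space belongs to the path or is a wrapping artifact. Break the URL only at a "/" with no embedded space, or enclose it in angle brackets so the wrapped pieces can be rejoined unambiguously. The new section 5.7.1 also names "Traffic Filtering for the Prevention of Unwanted Traffic" without a URL or document number, unlike the neighbouring entries. Add a pointer, or state that the document is still in development and not yet published.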
skipping to change at page 18, line 19 skipping to change at page 19, line 36
http://csrc.nist.gov/cc/ http://csrc.nist.gov/cc/
Version 1.0 of the CC was completed in January 1996. Based on a Version 1.0 of the CC was completed in January 1996. Based on a
number of trial evaluations and an extensive public review, Version number of trial evaluations and an extensive public review, Version
1.0 was extensively revised and CC Version 2.0 was produced in April 1.0 was extensively revised and CC Version 2.0 was produced in April
of 1998. This became ISO International Standard 15408 in 1999. The of 1998. This became ISO International Standard 15408 in 1999. The
CC Project subsequently incorporated the minor changes that had CC Project subsequently incorporated the minor changes that had
resulted in the ISO process, producing CC version 2.1 in August 1999. resulted in the ISO process, producing CC version 2.1 in August 1999.
Common Criteria v2.1 contains: Common Criteria v2.1 contains:
Part 1 - Intro & General Model Part 1 - Intro & General Model
Part 2 - Functional Requirements (including Annexes) Part 2 - Functional Requirements (including Annexes)
Part 3 - Assurance Requirements Part 3 - Assurance Requirements
Documents: Common Criteria V2.1 Documents: Common Criteria V2.1
http://csrc.nist.gov/cc/CC-v2.1.html http://csrc.nist.gov/cc/CC-v2.1.html
5.9 ETSI 5.10 ETSI
http://www.etsi.org http://www.etsi.org
The ETSI hosted the ETSI Global Security Conference in late November, The ETSI hosted the ETSI Global Security Conference in late November,
2003, which could lead to a standard. 2003, which could lead to a standard.
Groups related to security located from the ETSI Groups Portal: Groups related to security located from the ETSI Groups Portal:
OCG Security OCG Security
3GPP SA3 3GPP SA3
TISPAN WG7 TISPAN WG7
5.10 GGF Security Area (SEC) 5.11 GGF Security Area (SEC)
https://forge.gridforum.org/projects/sec/ https://forge.gridforum.org/projects/sec/
The Security Area (SEC) is concerned with various issues relating to The Security Area (SEC) is concerned with various issues relating to
authentication and authorization in Grid environments. authentication and authorization in Grid environments.
Working groups: Working groups:
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
https://forge.gridforum.org/projects/authz-wg https://forge.gridforum.org/projects/authz-wg
Certificate Authority Operations Working Group (CAOPS-WG) - Certificate Authority Operations Working Group (CAOPS-WG) -
https://forge.gridforum.org/projects/caops-wg https://forge.gridforum.org/projects/caops-wg
OGSA Authorization Working Group (OGSA-AUTHZ) - OGSA Authorization Working Group (OGSA-AUTHZ) -
https://forge.gridforum.org/projects/ogsa-authz https://forge.gridforum.org/projects/ogsa-authz
Grid Security Infrastructure (GSI-WG) - Grid Security Infrastructure (GSI-WG) -
https://forge.gridforum.org/projects/gsi-wg https://forge.gridforum.org/projects/gsi-wg
5.11 Information System Security Assurance Architecture 5.12 Information System Security Assurance Architecture
IEEE Working Group - http://issaa.org/ IEEE Working Group - http://issaa.org/
Formerly the Security Certification and Accreditation of Information Formerly the Security Certification and Accreditation of Information
Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
Standard for Information System Security Assurance Architecture for Standard for Information System Security Assurance Architecture for
ballot and during the process begin development of a suite of ballot and during the process begin development of a suite of
associated standards for components of that architecture. associated standards for components of that architecture.
Documents: http://issaa.org/documents/index.html Documents: http://issaa.org/documents/index.html
5.12 Operational Security Requirements for IP Network Infrastructure : 5.13 Operational Security Requirements for IP Network Infrastructure :
Advanced Requirements Advanced Requirements
IETF Internet-Draft IETF Internet-Draft
Abstract: This document defines a list of operational security Abstract: This document defines a list of operational security
requirements for the infrastructure of large ISP IP networks (routers requirements for the infrastructure of large ISP IP networks (routers
and switches). A framework is defined for specifying "profiles", and switches). A framework is defined for specifying "profiles",
which are collections of requirements applicable to certain network which are collections of requirements applicable to certain network
topology contexts (all, core-only, edge-only...). The goal is to topology contexts (all, core-only, edge-only...). The goal is to
provide network operators a clear, concise way of communicating their provide network operators a clear, concise way of communicating their
security requirements to vendors. security requirements to vendors.
Documents: Documents:
http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt
5.13 INCITS Technical Committee T4 - Security Techniques 5.14 INCITS Technical Committee T4 - Security Techniques
http://www.incits.org/tc_home/t4.htm http://www.incits.org/tc_home/t4.htm
Technical Committee T4, Security Techniques, participates in the Technical Committee T4, Security Techniques, participates in the
standardization of generic methods for information technology standardization of generic methods for information technology
security. This includes development of: security techniques and security. This includes development of: security techniques and
mechanisms; security guidelines; security evaluation criteria; and mechanisms; security guidelines; security evaluation criteria; and
identification of generic requirements for information technology identification of generic requirements for information technology
system security services. system security services.
5.14 INCITS Technical Committee T11 - Fibre Channel Interfaces 5.15 INCITS CS1 - Cyber Security
http://www.t11.org/index.htm http://www.incits.org/tc_home/cs1.htm
T11 is responsible for standards development in the areas of INCITS/CS1 was established in April 2005 to serve as the US TAG for
Intelligent Peripheral Interface (IPI), High-Performance Parallel ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called (INCITS/T4 serves as the US TAG to SC 27/WG 2).
FC-SP to define Security Protocols for Fibre Channel.
FC-SP Project Proposal: The scope of CS1 explicitly excludes the areas of work on cyber
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf security standardization presently underway in INCITS B10, M1 and T3;
as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
X9. INCITS T4's area of work would be narrowed to cryptography
projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
mechanisms).
5.15 ISO Guidelines for the Management of IT Security - GMITS 5.16 ISO Guidelines for the Management of IT Security - GMITS
Guidelines for the Management of IT Security -- Part 1: Concepts and Guidelines for the Management of IT Security -- Part 1: Concepts and
models for IT Security models for IT Security
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER http://www.iso.ch/iso/en/
=21733&ICS1=35 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35
Guidelines for the Management of IT Security -- Part 2: Managing and Guidelines for the Management of IT Security -- Part 2: Managing and
planning IT Security planning IT Security
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE http://www.iso.org/iso/en/
R=21755&ICS1=35&ICS2=40&ICS3= CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
ICS3=
Guidelines for the Management of IT Security -- Part 3: Techniques Guidelines for the Management of IT Security -- Part 3: Techniques
for the management of IT Security for the management of IT Security
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE http://www.iso.org/iso/en/
R=21756&ICS1=35&ICS2=40&ICS3= CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
ICS3=
Guidelines for the Management of IT Security -- Part 4: Selection of Guidelines for the Management of IT Security -- Part 4: Selection of
safeguards safeguards
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE http://www.iso.org/iso/en/
R=29240&ICS1=35&ICS2=40&ICS3= CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
ICS3=
Guidelines for the Management of IT Security - Part 5: Management Guidelines for the Management of IT Security - Part 5: Management
guidance on network security guidance on network security
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE http://www.iso.org/iso/en/
R=31142&ICS1=35&ICS2=40&ICS3= CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
ICS3=
Open Systems Interconnection -- Network layer security protocol Open Systems Interconnection -- Network layer security protocol
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE http://www.iso.org/iso/en/
R=22084&ICS1=35&ICS2=100&ICS3=30 CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
ICS3=30
5.16 ISO JTC 1/SC 27 5.17 ISO JTC 1/SC 27
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalP
rogrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143
Several security related ISO projects under JTC 1/SC 27 are listed Several security related ISO projects under JTC 1/SC 27 are listed
here such as: here such as:
IT security techniques -- Entity authentication IT security techniques -- Entity authentication
Security techniques -- Key management Security techniques -- Key management
Security techniques -- Evaluation criteria for IT security Security techniques -- Evaluation criteria for IT security
Security techniques -- A framework for IT security assurance Security techniques -- A framework for IT security assurance
IT Security techniques -- Code of practice for information IT Security techniques -- Code of practice for information
security management security management
Security techniques -- IT network security Security techniques -- IT network security
Guidelines for the implementation, operation and management of Guidelines for the implementation, operation and management of
Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS)
International Security, Trust, and Privacy Alliance -- Privacy International Security, Trust, and Privacy Alliance -- Privacy
Framework Framework
5.17 ITU-T Study Group 2 5.18 ITU-T Study Group 2
http://www.itu.int/ITU-T/studygroups/com02/index.asp http://www.itu.int/ITU-T/studygroups/com02/index.asp
Security related recommendations currently under study: Security related recommendations currently under study:
E.408 Telecommunication networks security requirements Q.5/2 E.408 Telecommunication networks security requirements Q.5/2
(was E.sec1) (was E.sec1)
E.409 Incident Organisation and Security Incident Handling E.409 Incident Organisation and Security Incident Handling
Q.5/2 (was E.sec2) Q.5/2 (was E.sec2)
Note: Access requires TIES account. Note: Access requires TIES account.
5.18 ITU-T Recommendation M.3016 5.19 ITU-T Recommendation M.3016
http://www.itu.int/itudoc/itu-t/com4/contr/068.html http://www.itu.int/itudoc/itu-t/com4/contr/068.html
This recommendation provides an overview and framework that This recommendation provides an overview and framework that
identifies the security requirements of a TMN and outlines how identifies the security requirements of a TMN and outlines how
available security services and mechanisms can be applied within the available security services and mechanisms can be applied within the
context of the TMN functional architecture. context of the TMN functional architecture.
Question 18 of Study Group 3 is revising Recommendation M.3016. They Question 18 of Study Group 3 is revising Recommendation M.3016. They
have taken the original document and are incorporating thoughts from have taken the original document and are incorporating thoughts from
ITU-T Recommendation X.805 and from ANSI T1.276-2003. This will ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
produce a series of documents. produced a new series of documents.
Overview
Requirements
Services
Mechanisms
Profiles
This document will be discussed at the ITU meetings in February 2005. M.3016.0 - Overview
5.19 ITU-T Recommendation X.805 M.3016.1 - Requirements
M.3016.2 - Services
M.3016.3 - Mechanisms
M.3016.4 - Profiles
5.20 ITU-T Recommendation X.805
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html
This Recommendation defines the general security-related This Recommendation defines the general security-related
architectural elements that, when appropriately applied, can provide architectural elements that, when appropriately applied, can provide
end-to-end network security. end-to-end network security.
5.20 ITU-T Study Group 16 5.21 ITU-T Study Group 16
http://www.itu.int/ITU-T/studygroups/com16/index.asp http://www.itu.int/ITU-T/studygroups/com16/index.asp
Security of Multimedia Systems and Services - Question G/16 Security of Multimedia Systems and Services - Question G/16
http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html
5.21 ITU-T Study Group 17 5.22 ITU-T Study Group 17
http://www.itu.int/ITU-T/studygroups/com17/index.asp http://www.itu.int/ITU-T/studygroups/com17/index.asp
ITU-T Study Group 17 is the Lead Study Group on Communication System ITU-T Study Group 17 is the Lead Study Group on Communication System
Security Security
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html
Study Group 17 Security Project: Study Group 17 Security Project:
http://www.itu.int/ITU-T/studygroups/com17/security/index.html http://www.itu.int/ITU-T/studygroups/com17/security/index.html
During its November 2002 meeting, Study Group 17 agreed to establish During its November 2002 meeting, Study Group 17 agreed to establish
a new project entitled "Security Project" under the leadership of a new project entitled "Security Project" under the leadership of
Q.10/17 to coordinate the ITU-T standardization effort on security. Q.10/17 to coordinate the ITU-T standardization effort on security.
An analysis of the status on ITU-T Study Group action on information An analysis of the status on ITU-T Study Group action on information
and communication network security may be found in TSB Circular 147 and communication network security may be found in TSB Circular 147
of 14 February 2003. of 14 February 2003.
5.22 Catalogue of ITU-T Recommendations related to Communications 5.23 Catalogue of ITU-T Recommendations related to Communications
System Security System Security
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html
The Catalogue of the approved security Recommendations include those, The Catalogue of the approved security Recommendations include those,
designed for security purposes and those, which describe or use of designed for security purposes and those, which describe or use of
functions of security interest and need. Although some of the functions of security interest and need. Although some of the
security related Recommendations includes the phrase "Open Systems security related Recommendations includes the phrase "Open Systems
Interconnection", much of the information contained in them is Interconnection", much of the information contained in them is
pertinent to the establishment of security functionality in any pertinent to the establishment of security functionality in any
communicating system. communicating system.
5.23 ITU-T Security Manual 5.24 ITU-T Security Manual
http://www.itu.int/ITU-T/edh/files/security-manual.pdf http://www.itu.int/ITU-T/edh/files/security-manual.pdf
TSB is preparing an "ITU-T Security Manual" to provide an overview on TSB is preparing an "ITU-T Security Manual" to provide an overview on
security in telecommunications and information technologies, describe security in telecommunications and information technologies, describe
practical issues, and indicate how the different aspects of security practical issues, and indicate how the different aspects of security
in today's applications are addressed by ITU-T Recommendations. This in today's applications are addressed by ITU-T Recommendations. This
manual has a tutorial character: it collects security related manual has a tutorial character: it collects security related
material from ITU-T Recommendations into one place and explains the material from ITU-T Recommendations into one place and explains the
respective relationships. The intended audience for this manual is respective relationships. The intended audience for this manual is
engineers and product managers, students and academia, as well as engineers and product managers, students and academia, as well as
regulators who want to better understand security aspects in regulators who want to better understand security aspects in
practical applications. practical applications.
5.24 NRIC VI Focus Groups 5.25 ITU-T NGN Effort
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html
During its January 2002 meeting, SG13 decided to undertake the
preparation of a new ITU-T Project entitled "NGN 2004 Project". At
the November 2002 SG13 meeting, a preliminary description of the
Project was achieved and endorsed by SG13 with the goal to launch the
Project. It is regularly updated since then.
The role of the NGN 2004 Project is to organize and to coordinate
ITU-T activities on Next Generation Networks. Its target is to
produce a first set of Recommendations on NGN by the end of this
study period, i.e. mid-2004.
5.26 NRIC VI Focus Groups
http://www.nric.org/fg/index.html http://www.nric.org/fg/index.html
The Network Reliability and Interoperability Council (NRIC) was The Network Reliability and Interoperability Council (NRIC) was
formed with the purpose to provide recommendations to the FCC and to formed with the purpose to provide recommendations to the FCC and to
the industry to assure the reliability and interoperability of the industry to assure the reliability and interoperability of
wireless, wireline, satellite, and cable public telecommunications wireless, wireline, satellite, and cable public telecommunications
networks. These documents provide general information and guidance networks. These documents provide general information and guidance
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a prevention of cyberattack and for restoration following a
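Review bot: The new section 5.25 (ITU-T NGN Effort) says the project's target is a first set of Recommendations "by the end of this study period, i.e. mid-2004", but this same revision records INCITS/CS1 as established in April 2005, so the target date was already past when the text was added. Reword it to say whether that first set of Recommendations was produced and where it can be found, rather than stating it as a future goal. In the same paragraph, "It is regularly updated since then" should read "It has been regularly updated since then". Separately, the 5.19 M.3016 entry now lists M.3016.0 through M.3016.4 as produced but keeps the old contribution URL; confirm that link still leads to the new series.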
skipping to change at page 23, line 34 skipping to change at page 26, line 6
The Network Reliability and Interoperability Council (NRIC) was The Network Reliability and Interoperability Council (NRIC) was
formed with the purpose to provide recommendations to the FCC and to formed with the purpose to provide recommendations to the FCC and to
the industry to assure the reliability and interoperability of the industry to assure the reliability and interoperability of
wireless, wireline, satellite, and cable public telecommunications wireless, wireline, satellite, and cable public telecommunications
networks. These documents provide general information and guidance networks. These documents provide general information and guidance
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a prevention of cyberattack and for restoration following a
cyberattack. cyberattack.
Documents: Documents:
Homeland Defense - Recommendations Published 14-Mar-03 Homeland Defense - Recommendations Published 14-Mar-03
Preventative Best Practices - Recommendations Published 14-Mar-03 Preventative Best Practices - Recommendations Published 14-Mar-03
Recovery Best Practices - Recommendations Published 14-Mar-03 Recovery Best Practices - Recommendations Published 14-Mar-03
Best Practice Appendices - Recommendations Published 14-Mar-03 Best Practice Appendices - Recommendations Published 14-Mar-03
5.25 OASIS Security Joint Committee 5.27 OASIS Security Joint Committee
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-j http://www.oasis-open.org/committees/
c tc_home.php?wg_abbrev=security-jc
The purpose of the Security JC is to coordinate the technical The purpose of the Security JC is to coordinate the technical
activities of multiple security related TCs. The SJC is advisory activities of multiple security related TCs. The SJC is advisory
only, and has no deliverables. The Security JC will promote the use only, and has no deliverables. The Security JC will promote the use
of consistent terms, promote re-use, champion an OASIS security of consistent terms, promote re-use, champion an OASIS security
standards model, provide consistent PR, and promote mutuality, standards model, provide consistent PR, and promote mutuality,
operational independence and ethics. operational independence and ethics.
5.26 OASIS Security Services TC 5.28 OASIS Security Services TC
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
The Security Services TC is working to advance the Security Assertion The Security Services TC is working to advance the Security Assertion
Markup Language (SAML) as an OASIS standard. SAML is an XML Markup Language (SAML) as an OASIS standard. SAML is an XML
framework for exchanging authentication and authorization framework for exchanging authentication and authorization
information. information.
5.27 OIF Implementation Agreements 5.29 OIF Implementation Agreements
The OIF has 2 approved Implementation Agreements (IAs) relating to The OIF has 2 approved Implementation Agreements (IAs) relating to
security. They are: security. They are:
OIF-SMI-01.0 - Security Management Interfaces to Network Elements OIF-SMI-01.0 - Security Management Interfaces to Network Elements
This Implementation Agreement lists objectives for securing OAM&P This Implementation Agreement lists objectives for securing OAM&P
interfaces to a Network Element and then specifies ways of using interfaces to a Network Element and then specifies ways of using
security systems (e.g., IPsec or TLS) for securing these interfaces. security systems (e.g., IPsec or TLS) for securing these interfaces.
It summarizes how well each of the systems, used as specified, It summarizes how well each of the systems, used as specified,
satisfies the objectives. satisfies the objectives.
OIF - SEP - 01.1 - Security Extension for UNI and NNI OIF - SEP - 01.1 - Security Extension for UNI and NNI
This Implementation Agreement defines a common Security Extension for This Implementation Agreement defines a common Security Extension for
securing the protocols used in UNI 1.0, UNI 2.0, and NNI. securing the protocols used in UNI 1.0, UNI 2.0, and NNI.
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf Documents: http://www.oiforum.com/public/documents/Security-IA.pdf
5.28 TIA 5.30 TIA
The TIA has produced the "Compendium of Emergency Communications and The TIA has produced the "Compendium of Emergency Communications and
Communications Network Security-related Work Activities". This Communications Network Security-related Work Activities". This
document identifies standards, or other technical documents and document identifies standards, or other technical documents and
ongoing Emergency/Public Safety Communications and Communications ongoing Emergency/Public Safety Communications and Communications
Network Security-related work activities within TIA and it's Network Security-related work activities within TIA and it's
Engineering Committees. Many P25 documents are specifically Engineering Committees. Many P25 documents are specifically
detailed. This "living document" is presented for information, detailed. This "living document" is presented for information,
coordination and reference. coordination and reference.
Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf
5.29 WS-I Basic Security Profile 5.31 WS-I Basic Security Profile
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
The WS-I Basic Security Profile 1.0 consists of a set of The WS-I Basic Security Profile 1.0 consists of a set of non-
non-proprietary Web services specifications, along with proprietary Web services specifications, along with clarifications
clarifications and amendments to those specifications which promote and amendments to those specifications which promote
interoperability. interoperability.
6. Security Considerations 6. Security Considerations
This document describes efforts to standardize security practices and This document describes efforts to standardize security practices and
documents. As such this document offers no security guidance documents. As such this document offers no security guidance
whatsoever. whatsoever.
Readers of this document should be aware of the date of publication Readers of this document should be aware of the date of publication
of this document. It is feared that they may assume that the of this document. It is feared that they may assume that the
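Review bot: In the renumbered 5.30 TIA entry, "within TIA and it's Engineering Committees" carries a typo over unchanged from the previous revision; it should read "its Engineering Committees". In 5.31, the re-wrapped text now splits "non-proprietary" at the hyphen across a line end ("non-" / "proprietary"), which risks being rejoined as "non- proprietary" when the text is reflowed. Keep the word on one line, as the previous revision did.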
skipping to change at page 29, line 14 skipping to change at page 31, line 14
9. Changes from Prior Drafts 9. Changes from Prior Drafts
-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt
-01 : Security Glossaries: -01 : Security Glossaries:
Added ATIS Telecom Glossary 2000, Critical Infrastructure Added ATIS Telecom Glossary 2000, Critical Infrastructure
Glossary of Terms and Acronyms, Microsoft Solutions for Glossary of Terms and Acronyms, Microsoft Solutions for
Security Glossary, and USC InfoSec Glossary. Security Glossary, and USC InfoSec Glossary.
Standards Developing Organizations: Standards Developing Organizations:
Added DMTF, GGF, INCITS, OASIS, and WS-I Added DMTF, GGF, INCITS, OASIS, and WS-I
Removal of Committee T1 and modifications to ATIS and former T1 Removal of Committee T1 and modifications to ATIS and former T1
technical subcommittees due to the recent ATIS reorganization. technical subcommittees due to the recent ATIS reorganization.
Efforts and Documents: Efforts and Documents:
Added DMTF User and Security WG, DMTF SPAM WG, GGF Security Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
Area (SEC), INCITS Technical Committee T4 - Security Area (SEC), INCITS Technical Committee T4 - Security
Techniques, INCITS Technical Committee T11 - Fibre Channel Techniques, INCITS Technical Committee T11 - Fibre Channel
Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
Committee, OASIS Security Services TC, and WS-I Basic Security Committee, OASIS Security Services TC, and WS-I Basic Security
Profile. Profile.
Updated Operational Security Requirements for IP Network Updated Operational Security Requirements for IP Network
Infrastructure : Advanced Requirements. Infrastructure : Advanced Requirements.
-00 : as the WG ID -00 : as the WG ID
Added more information about the ITU-T SG3 Q18 effort to modify Added more information about the ITU-T SG3 Q18 effort to modify
ITU-T Recommendation M.3016. ITU-T Recommendation M.3016.
-01 : First revision as the WG ID.
Added information about the NGN in the sections about ATIS, the
NSTAC, and ITU-T.
Note: This section will be removed before publication as an RFC. Note: This section will be removed before publication as an RFC.
10. References 10. References
10.1 Normative References 10.1 Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, STD 14, March 1997. Levels", RFC 2119, STD 14, March 1997.
10.2 Informative References 10.2 Informative References
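Review bot: In "9. Changes from Prior Drafts", the added "-01 : First revision as the WG ID." entry reuses a label that already appears above it as "-01 : Security Glossaries:", and "-00" is likewise used twice, so the same revision label now refers to two different document series. The first entry also pairs the label "-00" with the filename draft-lonvick-sec-efforts-01.txt, which reads as a mismatch. Suggest prefixing each entry with its full draft name (draft-lonvick-sec-efforts-NN or draft-ietf-opsec-efforts-NN) and confirming the version in the first entry. The "-00 : as the WG ID" line could also be reworded to match the new entry's phrasing, for example "Initial version as the WG ID."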
skipping to change at page 30, line 26 skipping to change at page 32, line 26
Authors' Addresses Authors' Addresses
Chris Lonvick Chris Lonvick
Cisco Systems Cisco Systems
12515 Research Blvd. 12515 Research Blvd.
Austin, Texas 78759 Austin, Texas 78759
US US
Phone: +1 512 378 1182 Phone: +1 512 378 1182
EMail: clonvick@cisco.com Email: clonvick@cisco.com
David Spak David Spak
Cisco Systems Cisco Systems
12515 Research Blvd. 12515 Research Blvd.
Austin, Texas 78759 Austin, Texas 78759
US US
Phone: +1 512 378 1720 Phone: +1 512 378 1720
EMail: dspak@cisco.com Email: dspak@cisco.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
 End of changes. 

This html diff was produced by rfcdiff 1.24, available from http://www.levkowetz.com/ietf/tools/rfcdiff/