draft-ietf-opsec-efforts-02.txt | draft-ietf-opsec-efforts-03.txt | |||
---|---|---|---|---|
Network Working Group C. Lonvick | Network Working Group C. Lonvick | |||
Internet-Draft D. Spak | Internet-Draft D. Spak | |||
Expires: July 21, 2006 Cisco Systems | Expires: October 21, 2006 Cisco Systems | |||
January 17, 2006 | April 19, 2006 | |||
Security Best Practices Efforts and Documents | Security Best Practices Efforts and Documents | |||
draft-ietf-opsec-efforts-02.txt | draft-ietf-opsec-efforts-03.txt | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on July 21, 2006. | This Internet-Draft will expire on October 21, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
Abstract | Abstract | |||
This document provides a snapshot of the current efforts to define or | This document provides a snapshot of the current efforts to define or | |||
apply security requirements in various Standards Developing | apply security requirements in various Standards Developing | |||
Organizations (SDO). | Organizations (SDO). | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
2. Format of this Document . . . . . . . . . . . . . . . . . . 7 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 7 | |||
3. Online Security Glossaries . . . . . . . . . . . . . . . . . 8 | 3. Format of this Document . . . . . . . . . . . . . . . . . . . 8 | |||
3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 8 | 4. Online Security Glossaries . . . . . . . . . . . . . . . . . . 9 | |||
3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 8 | 4.1. ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 9 | |||
3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 8 | 4.2. Critical Infrastructure Glossary of Terms and Acronyms . . 9 | |||
3.4 Compendium of Approved ITU-T Security Definitions . . . . 9 | 4.3. Internet Security Glossary - RFC 2828 . . . . . . . . . . 9 | |||
3.5 Microsoft Solutions for Security Glossary . . . . . . . . 9 | 4.4. Compendium of Approved ITU-T Security Definitions . . . . 10 | |||
3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 9 | 4.5. Microsoft Solutions for Security Glossary . . . . . . . . 10 | |||
3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 9 | 4.6. SANS Glossary of Security Terms . . . . . . . . . . . . . 10 | |||
4. Standards Developing Organizations . . . . . . . . . . . . . 10 | 4.7. USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 10 | |||
4.1 3GPP - Third Generation Partnership Project . . . . . . . 10 | 5. Standards Developing Organizations . . . . . . . . . . . . . . 11 | |||
4.2 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 | 5.1. 3GPP - Third Generation Partnership Project . . . . . . . 11 | |||
4.3 ANSI - The American National Standards Institute . . . . . 10 | 5.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11 | |||
4.4 ATIS - Alliance for Telecommunications Industry | 5.3. ANSI - The American National Standards Institute . . . . . 11 | |||
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.4. ATIS - Alliance for Telecommunications Industry | |||
4.4.1 ATIS Network Performance, Reliability and Quality | Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
of Service Committee, formerly T1A1 . . . . . . . . . 11 | 5.4.1. ATIS Network Performance, Reliability and Quality | |||
4.4.2 ATIS Network Interface, Power, and Protection | of Service Committee, formerly T1A1 . . . . . . . . . 12 | |||
Committee, formerly T1E1 . . . . . . . . . . . . . . . 11 | 5.4.2. ATIS Network Interface, Power, and Protection | |||
4.4.3 ATIS Telecom Management and Operations Committee, | Committee, formerly T1E1 . . . . . . . . . . . . . . . 12 | |||
formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 11 | 5.4.3. ATIS Telecom Management and Operations Committee, | |||
4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 11 | formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 12 | |||
4.4.5 ATIS Wireless Technologies and Systems Committee, | 5.4.4. ATIS Ordering and Billing Forum regarding T1M1 O&B . . 12 | |||
formerly T1P1 . . . . . . . . . . . . . . . . . . . . 12 | 5.4.5. ATIS Wireless Technologies and Systems Committee, | |||
4.4.6 ATIS Packet Technologies and Systems Committee, | formerly T1P1 . . . . . . . . . . . . . . . . . . . . 13 | |||
formerly T1S1 . . . . . . . . . . . . . . . . . . . . 12 | 5.4.6. ATIS Packet Technologies and Systems Committee, | |||
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 12 | formerly T1S1 . . . . . . . . . . . . . . . . . . . . 13 | |||
4.4.8 ATIS Optical Transport and Synchronization | 5.4.7. ATIS Protocol Interworking Committee, regarding | |||
Committee, formerly T1X1 . . . . . . . . . . . . . . . 12 | T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 12 | 5.4.8. ATIS Optical Transport and Synchronization | |||
4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 13 | Committee, formerly T1X1 . . . . . . . . . . . . . . . 13 | |||
4.7 ETSI - The European Telecommunications Standard | 5.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13 | |||
Institute . . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 | |||
4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 13 | 5.7. ETSI - The European Telecommunications Standard | |||
4.9 IEEE - The Institute of Electrical and Electronics | Institute . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 13 | 5.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 14 | |||
4.10 IETF - The Internet Engineering Task Force . . . . . . . 14 | 5.9. IEEE - The Institute of Electrical and Electronics | |||
4.11 INCITS - InterNational Committee for Information | Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 14 | |||
Technology Standards . . . . . . . . . . . . . . . . . . 14 | 5.10. IETF - The Internet Engineering Task Force . . . . . . . . 14 | |||
4.12 INCITS Technical Committee T11 - Fibre Channel | 5.11. INCITS - InterNational Committee for Information | |||
Interfaces . . . . . . . . . . . . . . . . . . . . . . . 14 | Technology Standards . . . . . . . . . . . . . . . . . . . 15 | |||
4.13 ISO - The International Organization for | 5.12. INCITS Technical Committee T11 - Fibre Channel | |||
Standardization . . . . . . . . . . . . . . . . . . . . 14 | Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.14 ITU - International Telecommunication Union . . . . . . 14 | 5.13. ISO - The International Organization for | |||
4.14.1 ITU Telecommunication Standardization Sector - | Standardization . . . . . . . . . . . . . . . . . . . . . 15 | |||
ITU-T . . . . . . . . . . . . . . . . . . . . . . . 15 | 5.14. ITU - International Telecommunication Union . . . . . . . 15 | |||
4.14.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 15 | 5.14.1. ITU Telecommunication Standardization Sector - | |||
4.14.3 ITU Telecom Development - ITU-D . . . . . . . . . . 15 | ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.15 OASIS - Organization for the Advancement of | 5.14.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 16 | |||
Structured Information Standards . . . . . . . . . . . . 15 | 5.14.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 16 | |||
4.16 OIF - Optical Internetworking Forum . . . . . . . . . . 15 | 5.15. OASIS - Organization for the Advancement of | |||
4.17 NRIC - The Network Reliability and Interoperability | Structured Information Standards . . . . . . . . . . . . . 16 | |||
Council . . . . . . . . . . . . . . . . . . . . . . . . 15 | 5.16. OIF - Optical Internetworking Forum . . . . . . . . . . . 16 | |||
4.18 National Security Telecommunications Advisory | 5.17. NRIC - The Network Reliability and Interoperability | |||
Committee (NSTAC) . . . . . . . . . . . . . . . . . . . 16 | Council . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
4.19 TIA - The Telecommunications Industry Association . . . 16 | 5.18. National Security Telecommunications Advisory | |||
4.20 Web Services Interoperability Organization (WS-I) . . . 16 | Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 17 | |||
5. Security Best Practices Efforts and Documents . . . . . . . 17 | 5.19. TIA - The Telecommunications Industry Association . . . . 17 | |||
5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 17 | 5.20. Web Services Interoperability Organization (WS-I) . . . . 17 | |||
5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 17 | 6. Security Best Practices Efforts and Documents . . . . . . . . 18 | |||
5.3 American National Standard T1.276-2003 - Baseline | 6.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 18 | |||
Security Requirements for the Management Plane . . . . . . 17 | 6.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 18 | |||
5.4 DMTF - Security Protection and Management (SPAM) | 6.3. American National Standard T1.276-2003 - Baseline | |||
Working Group . . . . . . . . . . . . . . . . . . . . . . 18 | Security Requirements for the Management Plane . . . . . . 18 | |||
5.5 DMTF - User and Security Working Group . . . . . . . . . . 18 | 6.4. DMTF - Security Protection and Management (SPAM) | |||
5.6 ATIS Security & Emergency Preparedness Activities . . . . 18 | Working Group . . . . . . . . . . . . . . . . . . . . . . 19 | |||
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, | 6.5. DMTF - User and Security Working Group . . . . . . . . . . 19 | |||
End-To-End Standards and Solutions . . . . . . . . . . . . 18 | 6.6. ATIS Security & Emergency Preparedness Activities . . . . 19 | |||
5.7.1 ATIS Work on Packet Filtering . . . . . . . . . . . . 19 | 6.7. ATIS Work-Plan to Achieve Interoperable, | |||
5.8 ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 19 | Implementable, End-To-End Standards and Solutions . . . . 19 | |||
5.9 Common Criteria . . . . . . . . . . . . . . . . . . . . . 19 | 6.7.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 20 | |||
5.10 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 6.8. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 20 | |||
5.11 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 20 | 6.9. Common Criteria . . . . . . . . . . . . . . . . . . . . . 20 | |||
5.12 Information System Security Assurance Architecture . . . 20 | 6.10. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
5.13 Operational Security Requirements for IP Network | 6.11. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 21 | |||
Infrastructure : Advanced Requirements . . . . . . . . . 20 | 6.12. Information System Security Assurance Architecture . . . . 21 | |||
5.14 INCITS Technical Committee T4 - Security Techniques . . 21 | 6.13. Operational Security Requirements for IP Network | |||
5.15 INCITS CS1 - Cyber Security . . . . . . . . . . . . . . 21 | Infrastructure : Advanced Requirements . . . . . . . . . . 22 | |||
5.16 ISO Guidelines for the Management of IT Security - | 6.14. INCITS Technical Committee T4 - Security Techniques . . . 22 | |||
GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 6.15. INCITS CS1 - Cyber Security . . . . . . . . . . . . . . . 22 | |||
5.17 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 22 | 6.16. ISO Guidelines for the Management of IT Security - | |||
5.18 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 23 | GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
5.19 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 23 | 6.17. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 23 | |||
5.20 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 24 | 6.18. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 24 | |||
5.21 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 24 | 6.19. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 24 | |||
5.22 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 24 | 6.20. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 25 | |||
5.23 Catalogue of ITU-T Recommendations related to | 6.21. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25 | |||
Communications System Security . . . . . . . . . . . . . 24 | 6.22. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 25 | |||
5.24 ITU-T Security Manual . . . . . . . . . . . . . . . . . 25 | 6.23. Catalogue of ITU-T Recommendations related to | |||
5.25 ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . 25 | Communications System Security . . . . . . . . . . . . . . 25 | |||
5.26 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 25 | 6.24. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 26 | |||
5.27 OASIS Security Joint Committee . . . . . . . . . . . . . 26 | 6.25. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 26 | |||
5.28 OASIS Security Services TC . . . . . . . . . . . . . . . 26 | 6.26. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 26 | |||
5.29 OIF Implementation Agreements . . . . . . . . . . . . . 26 | 6.27. OASIS Security Joint Committee . . . . . . . . . . . . . . 27 | |||
5.30 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 6.28. OASIS Security Services TC . . . . . . . . . . . . . . . . 27 | |||
5.31 WS-I Basic Security Profile . . . . . . . . . . . . . . 27 | 6.29. OIF Implementation Agreements . . . . . . . . . . . . . . 27 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . 28 | 6.30. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 29 | 6.31. WS-I Basic Security Profile . . . . . . . . . . . . . . . 28 | |||
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 30 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | |||
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 31 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
10.1 Normative References . . . . . . . . . . . . . . . . . . 32 | 10. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 32 | |||
10.2 Informative References . . . . . . . . . . . . . . . . . 32 | 11. Normative References . . . . . . . . . . . . . . . . . . . . . 33 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 32 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
Intellectual Property and Copyright Statements . . . . . . . 33 | Intellectual Property and Copyright Statements . . . . . . . . . . 35 | |||
1. Introduction | 1. Introduction | |||
The Internet is being recognized as a critical infrastructure similar | The Internet is being recognized as a critical infrastructure similar | |||
in nature to the power grid and a potable water supply. Just like | in nature to the power grid and a potable water supply. Just like | |||
those infrastructures, means are needed to provide resiliency and | those infrastructures, means are needed to provide resiliency and | |||
adaptability to the Internet so that it remains consistently | adaptability to the Internet so that it remains consistently | |||
available to the public throughout the world even during times of | available to the public throughout the world even during times of | |||
duress or attack. For this reason, many SDOs are developing | duress or attack. For this reason, many SDOs are developing | |||
standards with hopes of retaining an acceptable level, or even | standards with hopes of retaining an acceptable level, or even | |||
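Review bot: in the Table of Contents the references section is collapsed from "10.1 Normative References" and "10.2 Informative References" (-02) into a single "11. Normative References" (-03), which makes every cited glossary and SDO page normative. For a document whose Abstract describes it as "a snapshot of the current efforts" in other organizations, those citations are informative; the one citation that has to be normative is "[1]" for the keyword definitions that the new Section 2 introduces. Suggest keeping the Normative/Informative split and moving only [1] into the normative list.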
skipping to change at page 7, line 5 | skipping to change at page 7, line 5 | |||
document could be a useful reference in producing the documents | document could be a useful reference in producing the documents | |||
described in the Working Group Charter. The authors have agreed to | described in the Working Group Charter. The authors have agreed to | |||
keep this document current and request that those who read it will | keep this document current and request that those who read it will | |||
submit corrections or comments. | submit corrections or comments. | |||
Comments on this document may be addressed to the OpSec Working Group | Comments on this document may be addressed to the OpSec Working Group | |||
or directly to the authors. | or directly to the authors. | |||
opsec@ops.ietf.org | opsec@ops.ietf.org | |||
2. Format of this Document | 2. Conventions Used in This Document | |||
This document shall use the keywords "MUST", "MUST NOT", "REQUIRED", | ||||
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", | ||||
and "OPTIONAL" to describe requirements. These keywords are to be | ||||
interpreted as described in [1]. | ||||
3. Format of this Document | ||||
The body of this document has three sections. | The body of this document has three sections. | |||
The first part of the body of this document, Section 3, contains a | The first part of the body of this document, Section 4, contains a | |||
listing of online glossaries relating to networking and security. It | listing of online glossaries relating to networking and security. It | |||
is very important that the definitions of words relating to security | is very important that the definitions of words relating to security | |||
and security events be consistent. Inconsistencies between the | and security events be consistent. Inconsistencies between the | |||
useage of words on standards is unacceptable as it would prevent a | useage of words on standards is unacceptable as it would prevent a | |||
reader of two standards to appropriately relate their | reader of two standards to appropriately relate their | |||
recommendations. The authors of this document have not reviewed the | recommendations. The authors of this document have not reviewed the | |||
definitions of the words in the listed glossaries so can offer no | definitions of the words in the listed glossaries so can offer no | |||
assurance of their alignment. | assurance of their alignment. | |||
The second part, Section 4, contains a listing of SDOs that appear to | The second part, Section 5, contains a listing of SDOs that appear to | |||
be working on security standards. | be working on security standards. | |||
The third part, Section 5, lists the documents which have been found | The third part, Section 6, lists the documents which have been found | |||
to offer good practices or recommendations for securing networks and | to offer good practices or recommendations for securing networks and | |||
networking devices. | networking devices. | |||
3. Online Security Glossaries | 4. Online Security Glossaries | |||
This section contains references to glossaries of network and | This section contains references to glossaries of network and | |||
computer security terms | computer security terms | |||
3.1 ATIS Telecom Glossary 2000 | 4.1. ATIS Telecom Glossary 2000 | |||
http://www.atis.org/tg2k/ | http://www.atis.org/tg2k/ | |||
Under an approved T1 standards project (T1A1-20), an existing 5800- | Under an approved T1 standards project (T1A1-20), an existing 5800- | |||
entry, search-enabled hypertext telecommunications glossary titled | entry, search-enabled hypertext telecommunications glossary titled | |||
Federal Standard 1037C, Glossary of Telecommunication Terms was | Federal Standard 1037C, Glossary of Telecommunication Terms was | |||
updated and matured into this glossary, T1.523-2001, Telecom Glossary | updated and matured into this glossary, T1.523-2001, Telecom Glossary | |||
2000. This updated glossary was posted on the Web as a American | 2000. This updated glossary was posted on the Web as a American | |||
National Standard (ANS). | National Standard (ANS). | |||
3.2 Critical Infrastructure Glossary of Terms and Acronyms | 4.2. Critical Infrastructure Glossary of Terms and Acronyms | |||
http://www.ciao.gov/ciao_document_library/glossary/a.htm | http://www.ciao.gov/ciao_document_library/glossary/a.htm | |||
The Critical Infrastructure Assurance Office (CIAO) was created to | The Critical Infrastructure Assurance Office (CIAO) was created to | |||
coordinate the Federal Government's initiatives on critical | coordinate the Federal Government's initiatives on critical | |||
infrastructure assurance. While the glossary was not created as a | infrastructure assurance. While the glossary was not created as a | |||
glossary specifically for security terms, it is populated with many | glossary specifically for security terms, it is populated with many | |||
security related definitions, abbreviations, organizations, and | security related definitions, abbreviations, organizations, and | |||
concepts. | concepts. | |||
3.3 Internet Security Glossary - RFC 2828 | 4.3. Internet Security Glossary - RFC 2828 | |||
http://www.ietf.org/rfc/rfc2828.txt | http://www.ietf.org/rfc/rfc2828.txt | |||
Created in May 2000, the document defines itself to be, "an | Created in May 2000, the document defines itself to be, "an | |||
internally consistent, complementary set of abbreviations, | internally consistent, complementary set of abbreviations, | |||
definitions, explanations, and recommendations for use of terminology | definitions, explanations, and recommendations for use of terminology | |||
related to information system security." The glossary makes the | related to information system security." The glossary makes the | |||
distinction of the listed definitions throughout the document as | distinction of the listed definitions throughout the document as | |||
being: | being: | |||
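Review bot: the new "2. Conventions Used in This Document" adds the "MUST" / "SHOULD" / "MAY" keyword boilerplate with a reference to [1], but no sentence in the visible body uses any of those keywords, and the document only lists glossaries, SDOs and their efforts rather than stating requirements. Either drop the section or confirm it is required by the submission checker; as written it promises requirement language the document does not contain. While this hunk already rewrites the section numbers in the same paragraph, the surrounding text carries two defects that survive into -03: "useage of words on standards" in the Format section should read "usage of words in standards", and "prevent a reader of two standards to appropriately relate their recommendations" should read "prevent a reader of two standards from appropriately relating their recommendations"; further down, in 4.1, "as a American National Standard" should be "as an American National Standard".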
skipping to change at page 9, line 6 | skipping to change at page 10, line 6 | |||
o a recommended non-Internet definition | o a recommended non-Internet definition | |||
o not recommended as the first choice for Internet documents but | o not recommended as the first choice for Internet documents but | |||
something that an author of an Internet document would need to | something that an author of an Internet document would need to | |||
know | know | |||
o a definition that shouldn't be used in Internet documents | o a definition that shouldn't be used in Internet documents | |||
o additional commentary or usage guidance | o additional commentary or usage guidance | |||
3.4 Compendium of Approved ITU-T Security Definitions | 4.4. Compendium of Approved ITU-T Security Definitions | |||
http://www.itu.int/itudoc/itu-t/com17/activity/def004.html | http://www.itu.int/itudoc/itu-t/com17/activity/def004.html | |||
Addendum to the Compendium of the Approved ITU-T Security-related | Addendum to the Compendium of the Approved ITU-T Security-related | |||
Definitions | Definitions | |||
http://www.itu.int/itudoc/itu-t/com17/activity/add002.html | http://www.itu.int/itudoc/itu-t/com17/activity/add002.html | |||
These extensive materials were created from approved ITU-T | These extensive materials were created from approved ITU-T | |||
Recommendations with a view toward establishing a common | Recommendations with a view toward establishing a common | |||
understanding and use of security terms within ITU-T. | understanding and use of security terms within ITU-T. | |||
3.5 Microsoft Solutions for Security Glossary | 4.5. Microsoft Solutions for Security Glossary | |||
http://www.microsoft.com/security/glossary/ | http://www.microsoft.com/security/glossary/ | |||
The Microsoft Solutions for Security Glossary was created to explain | The Microsoft Solutions for Security Glossary was created to explain | |||
the concepts, technologies, and products associated with computer | the concepts, technologies, and products associated with computer | |||
security. This glossary contains several definitions specific to | security. This glossary contains several definitions specific to | |||
Microsoft proprietary technologies and product solutions. | Microsoft proprietary technologies and product solutions. | |||
3.6 SANS Glossary of Security Terms | 4.6. SANS Glossary of Security Terms | |||
http://www.sans.org/resources/glossary.php | http://www.sans.org/resources/glossary.php | |||
The SANS Institute (SysAdmin, Audit, Network, Security) was created | The SANS Institute (SysAdmin, Audit, Network, Security) was created | |||
in 1989 as, "a cooperative research and education organization." | in 1989 as, "a cooperative research and education organization." | |||
Updated in May 2003, SANS cites the NSA for their help in creating | Updated in May 2003, SANS cites the NSA for their help in creating | |||
the online glossary of security terms. The SANS Institute is also | the online glossary of security terms. The SANS Institute is also | |||
home to many other resources including the SANS Intrusion Detection | home to many other resources including the SANS Intrusion Detection | |||
FAQ and the SANS/FBI Top 20 Vulnerabilities List. | FAQ and the SANS/FBI Top 20 Vulnerabilities List. | |||
3.7 USC InfoSec Glossary | 4.7. USC InfoSec Glossary | |||
http://www.usc.edu/org/infosec/resources/glossary_a.html | http://www.usc.edu/org/infosec/resources/glossary_a.html | |||
A glossary of Information Systems security terms compiled by the | A glossary of Information Systems security terms compiled by the | |||
University of Southern California Office of Information Security. | University of Southern California Office of Information Security. | |||
4. Standards Developing Organizations | 5. Standards Developing Organizations | |||
This section of this document lists the SDOs, or organizations that | This section of this document lists the SDOs, or organizations that | |||
appear to be developing security related standards. These SDOs are | appear to be developing security related standards. These SDOs are | |||
listed in alphabetical order. | listed in alphabetical order. | |||
Note: The authors would appreciate corrections and additions. This | Note: The authors would appreciate corrections and additions. This | |||
note will be removed before publication as an RFC. | note will be removed before publication as an RFC. | |||
4.1 3GPP - Third Generation Partnership Project | 5.1. 3GPP - Third Generation Partnership Project | |||
http://www.3gpp.org/ | http://www.3gpp.org/ | |||
The 3rd Generation Partnership Project (3GPP) is a collaboration | The 3rd Generation Partnership Project (3GPP) is a collaboration | |||
agreement formed in December 1998. The collaboration agreement is | agreement formed in December 1998. The collaboration agreement is | |||
comprised of several telecommunications standards bodies which are | comprised of several telecommunications standards bodies which are | |||
known as "Organizational Partners". The current Organizational | known as "Organizational Partners". The current Organizational | |||
Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. | Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. | |||
4.2 3GPP2 - Third Generation Partnership Project 2 | 5.2. 3GPP2 - Third Generation Partnership Project 2 | |||
http://www.3gpp2.org/ | http://www.3gpp2.org/ | |||
Third Generation Partnership Project 2 (3GPP2) is a collaboration | Third Generation Partnership Project 2 (3GPP2) is a collaboration | |||
among Organizational Partners much like its sister project 3GPP. The | among Organizational Partners much like its sister project 3GPP. The | |||
Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, | Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, | |||
CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes | CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes | |||
the CDMA Development Group and IPv6 Forum as Market Representation | the CDMA Development Group and IPv6 Forum as Market Representation | |||
Partners for market advice. | Partners for market advice. | |||
4.3 ANSI - The American National Standards Institute | 5.3. ANSI - The American National Standards Institute | |||
http://www.ansi.org/ | http://www.ansi.org/ | |||
ANSI is a private, non-profit organization that organizes and | ANSI is a private, non-profit organization that organizes and | |||
oversees the U.S. voluntary standardization and conformity assessment | oversees the U.S. voluntary standardization and conformity assessment | |||
system. ANSI was founded October 19, 1918. | system. ANSI was founded October 19, 1918. | |||
4.4 ATIS - Alliance for Telecommunications Industry Solutions | 5.4. ATIS - Alliance for Telecommunications Industry Solutions | |||
http://www.atis.org/ | http://www.atis.org/ | |||
ATIS is a United States based body that is committed to rapidly | ATIS is a United States based body that is committed to rapidly | |||
developing and promoting technical and operations standards for the | developing and promoting technical and operations standards for the | |||
communications and related information technologies industry | communications and related information technologies industry | |||
worldwide using pragmatic, flexible and open approach. Committee T1 | worldwide using pragmatic, flexible and open approach. Committee T1 | |||
as a group no longer exists as a result of the recent ATIS | as a group no longer exists as a result of the recent ATIS | |||
reorganization on January 1, 2004. ATIS has restructured the former | reorganization on January 1, 2004. ATIS has restructured the former | |||
T1 technical subcommittees into full ATIS standards committees to | T1 technical subcommittees into full ATIS standards committees to | |||
easily identify and promote the nature of standards work each | easily identify and promote the nature of standards work each | |||
committee performs. Due to the reorganization, some groups may have | committee performs. Due to the reorganization, some groups may have | |||
a new mission and scope statement. | a new mission and scope statement. | |||
4.4.1 ATIS Network Performance, Reliability and Quality of Service | 5.4.1. ATIS Network Performance, Reliability and Quality of Service | |||
Committee, formerly T1A1 | Committee, formerly T1A1 | |||
http://www.atis.org/0010/index.asp | http://www.atis.org/0010/index.asp | |||
ATIS Network Performance, Reliability and Quality of Service | ATIS Network Performance, Reliability and Quality of Service | |||
Committee develops and recommends standards, requirements, and | Committee develops and recommends standards, requirements, and | |||
technical reports related to the performance, reliability, and | technical reports related to the performance, reliability, and | |||
associated security aspects of communications networks, as well as | associated security aspects of communications networks, as well as | |||
the processing of voice, audio, data, image, and video signals, and | the processing of voice, audio, data, image, and video signals, and | |||
their multimedia integration. | their multimedia integration. | |||
4.4.2 ATIS Network Interface, Power, and Protection Committee, formerly | 5.4.2. ATIS Network Interface, Power, and Protection Committee, | |||
T1E1 | formerly T1E1 | |||
http://www.atis.org/0050/index.asp | http://www.atis.org/0050/index.asp | |||
ATIS Network Interface, Power, and Protection Committee develops and | ATIS Network Interface, Power, and Protection Committee develops and | |||
recommends standards and technical reports related to power systems, | recommends standards and technical reports related to power systems, | |||
electrical and physical protection for the exchange and interexchange | electrical and physical protection for the exchange and interexchange | |||
carrier networks, and interfaces associated with user access to | carrier networks, and interfaces associated with user access to | |||
telecommunications networks. | telecommunications networks. | |||
4.4.3 ATIS Telecom Management and Operations Committee, formerly T1M1 | 5.4.3. ATIS Telecom Management and Operations Committee, formerly T1M1 | |||
OAM&P | OAM&P | |||
http://www.atis.org/0130/index.asp | http://www.atis.org/0130/index.asp | |||
ATIS Telecom Management and Operations Committee develops | ATIS Telecom Management and Operations Committee develops | |||
internetwork operations, administration, maintenance and provisioning | internetwork operations, administration, maintenance and provisioning | |||
standards, and technical reports related to interfaces for | standards, and technical reports related to interfaces for | |||
telecommunications networks. | telecommunications networks. | |||
4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B | 5.4.4. ATIS Ordering and Billing Forum regarding T1M1 O&B | |||
http://www.atis.org/obf/index.asp | http://www.atis.org/obf/index.asp | |||
The T1M1 O&B subcommittee has become part of the ATIS Ordering and | The T1M1 O&B subcommittee has become part of the ATIS Ordering and | |||
Billing Forum. | Billing Forum. | |||
The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum | The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum | |||
for customers and providers in the telecommunications industry to | for customers and providers in the telecommunications industry to | |||
identify, discuss and resolve national issues which affect ordering, | identify, discuss and resolve national issues which affect ordering, | |||
billing, provisioning and exchange of information about access | billing, provisioning and exchange of information about access | |||
services, other connectivity and related matters. | services, other connectivity and related matters. | |||
4.4.5 ATIS Wireless Technologies and Systems Committee, formerly T1P1 | 5.4.5. ATIS Wireless Technologies and Systems Committee, formerly T1P1 | |||
http://www.atis.org/0160/index.asp | http://www.atis.org/0160/index.asp | |||
ATIS Wireless Technologies and Systems Committee develops and | ATIS Wireless Technologies and Systems Committee develops and | |||
recommends standards and technical reports related to wireless and/or | recommends standards and technical reports related to wireless and/or | |||
mobile services and systems, including service descriptions and | mobile services and systems, including service descriptions and | |||
wireless technologies. | wireless technologies. | |||
4.4.6 ATIS Packet Technologies and Systems Committee, formerly T1S1 | 5.4.6. ATIS Packet Technologies and Systems Committee, formerly T1S1 | |||
T1S1 was split into two separate ATIS committees: the ATIS Packet | T1S1 was split into two separate ATIS committees: the ATIS Packet | |||
Technologies and Systems Committee and the ATIS Protocol Interworking | Technologies and Systems Committee and the ATIS Protocol Interworking | |||
Committee. PTSC is responsible for producing standards to secure | Committee. PTSC is responsible for producing standards to secure | |||
signalling. | signalling. | |||
The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot | The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot | |||
at this time. It is expected to move to an ANSI standard. | at this time. It is expected to move to an ANSI standard. | |||
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 | 5.4.7. ATIS Protocol Interworking Committee, regarding T1S1 | |||
T1S1 was split into two separate ATIS committees: the ATIS Packet | T1S1 was split into two separate ATIS committees: the ATIS Packet | |||
Technologies and Systems Committee and the ATIS Protocol Interworking | Technologies and Systems Committee and the ATIS Protocol Interworking | |||
Committee. As a result of the reorganization of T1S1, these groups | Committee. As a result of the reorganization of T1S1, these groups | |||
will also probably have a new mission and scope. | will also probably have a new mission and scope. | |||
4.4.8 ATIS Optical Transport and Synchronization Committee, formerly | 5.4.8. ATIS Optical Transport and Synchronization Committee, formerly | |||
T1X1 | T1X1 | |||
http://www.atis.org/0240/index.asp | http://www.atis.org/0240/index.asp | |||
ATIS Optical Transport and Synchronization Committee develops and | ATIS Optical Transport and Synchronization Committee develops and | |||
recommends standards and prepares technical reports related to | recommends standards and prepares technical reports related to | |||
telecommunications network technology pertaining to network | telecommunications network technology pertaining to network | |||
synchronization interfaces and hierarchical structures including | synchronization interfaces and hierarchical structures including | |||
optical technology. | optical technology. | |||
4.5 CC - Common Criteria | 5.5. CC - Common Criteria | |||
http://csrc.nist.gov/cc/ | http://www.commoncriteriaportal.org/ | |||
Note: The URL for the Common Criteria organization was | | |||
http://www.commoncriteria.org/ however, they have elected to take | | |||
their web site offline for the time being. It is hoped that the | | |||
proper URL will be available before this document becomes an RFC. | | |||
This note will be removed prior to publication as an RFC. | | |||
In June 1993, the sponsoring organizations of the existing US, | In June 1993, the sponsoring organizations of the existing US, | |||
Canadian, and European criteria (TCSEC, ITSEC, and similar) started | Canadian, and European criteria (TCSEC, ITSEC, and similar) started | |||
the Common Criteria Project to align their separate criteria into a | the Common Criteria Project to align their separate criteria into a | |||
single set of IT security criteria. | single set of IT security criteria. | |||
4.6 DMTF - Distributed Management Task Force, Inc. | 5.6. DMTF - Distributed Management Task Force, Inc. | |||
http://www.dmtf.org/ | http://www.dmtf.org/ | |||
Founded in 1992, the DMTF brings the technology industry's customers | Founded in 1992, the DMTF brings the technology industry's customers | |||
and top vendors together in a collaborative, working group approach | and top vendors together in a collaborative, working group approach | |||
that involves DMTF members in all aspects of specification | that involves DMTF members in all aspects of specification | |||
development and refinement. | development and refinement. | |||
4.7 ETSI - The European Telecommunications Standard Institute | 5.7. ETSI - The European Telecommunications Standard Institute | |||
http://www.etsi.org/ | http://www.etsi.org/ | |||
ETSI is an independent, non-profit organization which produces | ETSI is an independent, non-profit organization which produces | |||
telecommunications standards. ETSI is based in Sophia-Antipolis in | telecommunications standards. ETSI is based in Sophia-Antipolis in | |||
the south of France and maintains a membership from 55 countries. | the south of France and maintains a membership from 55 countries. | |||
Joint work between ETSI and ITU-T SG-17 | Joint work between ETSI and ITU-T SG-17 | |||
http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/ | http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/ | |||
GSC9_Joint_011_Security_Standardization_in_ITU.ppt | GSC9_Joint_011_Security_Standardization_in_ITU.ppt | |||
4.8 GGF - Global Grid Forum | 5.8. GGF - Global Grid Forum | |||
http://www.gridforum.org/ | http://www.gridforum.org/ | |||
The Global Grid Forum (GGF) is a community-initiated forum of | The Global Grid Forum (GGF) is a community-initiated forum of | |||
thousands of individuals from industry and research leading the | thousands of individuals from industry and research leading the | |||
global standardization effort for grid computing. GGF's primary | global standardization effort for grid computing. GGF's primary | |||
objectives are to promote and support the development, deployment, | objectives are to promote and support the development, deployment, | |||
and implementation of Grid technologies and applications via the | and implementation of Grid technologies and applications via the | |||
creation and documentation of "best practices" - technical | creation and documentation of "best practices" - technical | |||
specifications, user experiences, and implementation guidelines. | specifications, user experiences, and implementation guidelines. | |||
4.9 IEEE - The Institute of Electrical and Electronics Engineers, Inc. | 5.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc. | |||
http://www.ieee.org/ | http://www.ieee.org/ | |||
IEEE is a non-profit, technical professional association of more than | IEEE is a non-profit, technical professional association of more than | |||
360,000 individual members in approximately 175 countries. The IEEE | 360,000 individual members in approximately 175 countries. The IEEE | |||
produces 30 percent of the world's published literature in electrical | produces 30 percent of the world's published literature in electrical | |||
engineering, computers and control technology through its technical | engineering, computers and control technology through its technical | |||
publishing, conferences and consensus-based standards activities. | publishing, conferences and consensus-based standards activities. | |||
4.10 IETF - The Internet Engineering Task Force | 5.10. IETF - The Internet Engineering Task Force | |||
http://www.ietf.org/ | http://www.ietf.org/ | |||
IETF is a large, international community open to any interested | IETF is a large, international community open to any interested | |||
individual concerned with the evolution of the Internet architecture | individual concerned with the evolution of the Internet architecture | |||
and the smooth operation of the Internet. | and the smooth operation of the Internet. | |||
4.11 INCITS - InterNational Committee for Information Technology | 5.11. INCITS - InterNational Committee for Information Technology | |||
Standards | Standards | |||
http://www.incits.org/ | http://www.incits.org/ | |||
INCITS focuses upon standardization in the field of Information and | INCITS focuses upon standardization in the field of Information and | |||
Communications Technologies (ICT), encompassing storage, processing, | Communications Technologies (ICT), encompassing storage, processing, | |||
transfer, display, management, organization, and retrieval of | transfer, display, management, organization, and retrieval of | |||
information. | information. | |||
4.12 INCITS Technical Committee T11 - Fibre Channel Interfaces | 5.12. INCITS Technical Committee T11 - Fibre Channel Interfaces | |||
http://www.t11.org/index.htm | http://www.t11.org/index.htm | |||
T11 is responsible for standards development in the areas of | T11 is responsible for standards development in the areas of | |||
Intelligent Peripheral Interface (IPI), High-Performance Parallel | Intelligent Peripheral Interface (IPI), High-Performance Parallel | |||
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called | Interface (HIPPI) and Fibre Channel (FC). T11 has a project called | |||
FC-SP to define Security Protocols for Fibre Channel. | FC-SP to define Security Protocols for Fibre Channel. | |||
FC-SP Project Proposal: | FC-SP Project Proposal: | |||
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf | ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf | |||
4.13 ISO - The International Organization for Standardization | 5.13. ISO - The International Organization for Standardization | |||
http://www.iso.org/ | http://www.iso.org/ | |||
ISO is a network of the national standards institutes of 148 | ISO is a network of the national standards institutes of 148 | |||
countries, on the basis of one member per country, with a Central | countries, on the basis of one member per country, with a Central | |||
Secretariat in Geneva, Switzerland, that coordinates the system. ISO | Secretariat in Geneva, Switzerland, that coordinates the system. ISO | |||
officially began operations on February 23, 1947. | officially began operations on February 23, 1947. | |||
4.14 ITU - International Telecommunication Union | 5.14. ITU - International Telecommunication Union | |||
http://www.itu.int/ | http://www.itu.int/ | |||
The ITU is an international organization within the United Nations | The ITU is an international organization within the United Nations | |||
System headquartered in Geneva, Switzerland. The ITU is comprised of | System headquartered in Geneva, Switzerland. The ITU is comprised of | |||
three sectors: | three sectors: | |||
4.14.1 ITU Telecommunication Standardization Sector - ITU-T | 5.14.1. ITU Telecommunication Standardization Sector - ITU-T | |||
http://www.itu.int/ITU-T/ | http://www.itu.int/ITU-T/ | |||
ITU-T's mission is to ensure an efficient and on-time production of | ITU-T's mission is to ensure an efficient and on-time production of | |||
high quality standards covering all fields of telecommunications. | high quality standards covering all fields of telecommunications. | |||
4.14.2 ITU Radiocommunication Sector - ITU-R | 5.14.2. ITU Radiocommunication Sector - ITU-R | |||
http://www.itu.int/ITU-R/ | http://www.itu.int/ITU-R/ | |||
The ITU-R plays a vital role in the management of the radio-frequency | The ITU-R plays a vital role in the management of the radio-frequency | |||
spectrum and satellite orbits. | spectrum and satellite orbits. | |||
4.14.3 ITU Telecom Development - ITU-D | 5.14.3. ITU Telecom Development - ITU-D | |||
(also referred to as ITU Telecommunication Development Bureau - BDT) | (also referred to as ITU Telecommunication Development Bureau - BDT) | |||
http://www.itu.int/ITU-D/ | http://www.itu.int/ITU-D/ | |||
The Telecommunication Development Bureau (BDT) is the executive arm | The Telecommunication Development Bureau (BDT) is the executive arm | |||
of the Telecommunication Development Sector. Its duties and | of the Telecommunication Development Sector. Its duties and | |||
responsibilities cover a variety of functions ranging from programme | responsibilities cover a variety of functions ranging from programme | |||
supervision and technical advice to the collection, processing and | supervision and technical advice to the collection, processing and | |||
publication of information relevant to telecommunication development. | publication of information relevant to telecommunication development. | |||
4.15 OASIS - Organization for the Advancement of Structured | 5.15. OASIS - Organization for the Advancement of Structured | |||
Information Standards | Information Standards | |||
http://www.oasis-open.org/ | http://www.oasis-open.org/ | |||
OASIS is a not-for-profit, international consortium that drives the | OASIS is a not-for-profit, international consortium that drives the | |||
development, convergence, and adoption of e-business standards. | development, convergence, and adoption of e-business standards. | |||
4.16 OIF - Optical Internetworking Forum | 5.16. OIF - Optical Internetworking Forum | |||
http://www.oiforum.com/ | http://www.oiforum.com/ | |||
On April 20, 1998 Cisco Systems and Ciena Corporation announced an | On April 20, 1998 Cisco Systems and Ciena Corporation announced an | |||
industry-wide initiative to create the Optical Internetworking Forum, | industry-wide initiative to create the Optical Internetworking Forum, | |||
an open forum focused on accelerating the deployment of optical | an open forum focused on accelerating the deployment of optical | |||
internetworks. | internetworks. | |||
4.17 NRIC - The Network Reliability and Interoperability Council | 5.17. NRIC - The Network Reliability and Interoperability Council | |||
http://www.nric.org/ | http://www.nric.org/ | |||
The purposes of the Committee are to give telecommunications industry | The purposes of the Committee are to give telecommunications industry | |||
leaders the opportunity to provide recommendations to the FCC and to | leaders the opportunity to provide recommendations to the FCC and to | |||
the industry that assure optimal reliability and interoperability of | the industry that assure optimal reliability and interoperability of | |||
telecommunications networks. The Committee addresses topics in the | telecommunications networks. The Committee addresses topics in the | |||
area of Homeland Security, reliability, interoperability, and | area of Homeland Security, reliability, interoperability, and | |||
broadband deployment. | broadband deployment. | |||
4.18 National Security Telecommunications Advisory Committee (NSTAC) | 5.18. National Security Telecommunications Advisory Committee (NSTAC) | |||
http://www.ncs.gov/nstac/nstac.html | http://www.ncs.gov/nstac/nstac.html | |||
President Ronald Reagan created the National Security | President Ronald Reagan created the National Security | |||
Telecommunications Advisory Committee (NSTAC) by Executive Order | Telecommunications Advisory Committee (NSTAC) by Executive Order | |||
12382 in September 1982. Since then, the NSTAC has served four | 12382 in September 1982. Since then, the NSTAC has served four | |||
presidents. Composed of up to 30 industry chief executives | presidents. Composed of up to 30 industry chief executives | |||
representing the major communications and network service providers | representing the major communications and network service providers | |||
and information technology, finance, and aerospace companies, the | and information technology, finance, and aerospace companies, the | |||
NSTAC provides industry-based advice and expertise to the President | NSTAC provides industry-based advice and expertise to the President | |||
on issues and problems related to implementing national security and | on issues and problems related to implementing national security and | |||
emergency preparedness (NS/EP) communications policy. Since its | emergency preparedness (NS/EP) communications policy. Since its | |||
inception, the NSTAC has addressed a wide range of policy and | inception, the NSTAC has addressed a wide range of policy and | |||
technical issues regarding communications, information systems, | technical issues regarding communications, information systems, | |||
information assurance, critical infrastructure protection, and other | information assurance, critical infrastructure protection, and other | |||
NS/EP communications concerns. | NS/EP communications concerns. | |||
4.19 TIA - The Telecommunications Industry Association | 5.19. TIA - The Telecommunications Industry Association | |||
http://www.tiaonline.org/ | http://www.tiaonline.org/ | |||
TIA is accredited by ANSI to develop voluntary industry standards for | TIA is accredited by ANSI to develop voluntary industry standards for | |||
a wide variety of telecommunications products. TIA's Standards and | a wide variety of telecommunications products. TIA's Standards and | |||
Technology Department is composed of five divisions: Fiber Optics, | Technology Department is composed of five divisions: Fiber Optics, | |||
User Premises Equipment, Network Equipment, Wireless Communications | User Premises Equipment, Network Equipment, Wireless Communications | |||
and Satellite Communications. | and Satellite Communications. | |||
4.20 Web Services Interoperability Organization (WS-I) | 5.20. Web Services Interoperability Organization (WS-I) | |||
http://www.ws-i.org/ | http://www.ws-i.org/ | |||
WS-I is an open, industry organization chartered to promote Web | WS-I is an open, industry organization chartered to promote Web | |||
services interoperability across platforms, operating systems, and | services interoperability across platforms, operating systems, and | |||
programming languages. The organization works across the industry | programming languages. The organization works across the industry | |||
and standards organizations to respond to customer needs by providing | and standards organizations to respond to customer needs by providing | |||
guidance, best practices, and resources for developing Web services | guidance, best practices, and resources for developing Web services | |||
solutions. | solutions. | |||
5. Security Best Practices Efforts and Documents | 6. Security Best Practices Efforts and Documents | |||
This section lists the works produced by the SDOs. | This section lists the works produced by the SDOs. | |||
5.1 3GPP - TSG SA WG3 (Security) | 6.1. 3GPP - TSG SA WG3 (Security) | |||
http://www.3gpp.org/TB/SA/SA3/SA3.htm | http://www.3gpp.org/TB/SA/SA3/SA3.htm | |||
TSG SA WG3 Security is responsible for the security of the 3GPP | TSG SA WG3 Security is responsible for the security of the 3GPP | |||
system, performing analyses of potential security threats to the | system, performing analyses of potential security threats to the | |||
system, considering the new threats introduced by the IP based | system, considering the new threats introduced by the IP based | |||
services and systems and setting the security requirements for the | services and systems and setting the security requirements for the | |||
overall 3GPP system. | overall 3GPP system. | |||
Specifications: | Specifications: | |||
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm | http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm | |||
Work Items: | Work Items: | |||
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm | http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm | |||
3GPP Confidentiality and Integrity algorithms: | 3GPP Confidentiality and Integrity algorithms: | |||
http://www.3gpp.org/TB/Other/algorithms.htm | http://www.3gpp.org/TB/Other/algorithms.htm | |||
5.2 3GPP2 - TSG-S Working Group 4 (Security) | 6.2. 3GPP2 - TSG-S Working Group 4 (Security) | |||
http://www.3gpp2.org/Public_html/S/index.cfm | http://www.3gpp2.org/Public_html/S/index.cfm | |||
The Services and Systems Aspects TSG (TSG-S) is responsible for the | The Services and Systems Aspects TSG (TSG-S) is responsible for the | |||
development of service capability requirements for systems based on | development of service capability requirements for systems based on | |||
3GPP2 specifications. Among its responsibilities TSG-S is addressing | 3GPP2 specifications. Among its responsibilities TSG-S is addressing | |||
management, technical coordination, as well as architectural and | management, technical coordination, as well as architectural and | |||
requirements development associated with all end-to-end features, | requirements development associated with all end-to-end features, | |||
services and system capabilities including, but not limited to, | services and system capabilities including, but not limited to, | |||
security and QoS. | security and QoS. | |||
TSG-S Specifications: | TSG-S Specifications: | |||
http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs | http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs | |||
5.3 American National Standard T1.276-2003 - Baseline Security | 6.3. American National Standard T1.276-2003 - Baseline Security | |||
Requirements for the Management Plane | Requirements for the Management Plane | |||
Abstract: This standard contains a set of baseline security | Abstract: This standard contains a set of baseline security | |||
requirements for the management plane. The President's National | requirements for the management plane. The President's National | |||
Security Telecommunications Advisory Committee Network Security | Security Telecommunications Advisory Committee Network Security | |||
Information Exchange (NSIE) and Government NSIE jointly established a | Information Exchange (NSIE) and Government NSIE jointly established a | |||
Security Requirements Working Group (SRWG) to examine the security | Security Requirements Working Group (SRWG) to examine the security | |||
requirements for controlling access to the public switched network, | requirements for controlling access to the public switched network, | |||
in particular with respect to the emerging next generation network. | in particular with respect to the emerging next generation network. | |||
infrastructure. This initial list of security requirements was | infrastructure. This initial list of security requirements was | |||
submitted as a contribution to Committee T1 - Telecommunications, | submitted as a contribution to Committee T1 - Telecommunications, | |||
Working Group T1M1.5 for consideration as a standard. The | Working Group T1M1.5 for consideration as a standard. The | |||
requirements outlined in this document will allow vendors, government | requirements outlined in this document will allow vendors, government | |||
departments and agencies, and service providers to implement a secure | departments and agencies, and service providers to implement a secure | |||
telecommunications network management infrastructure. | telecommunications network management infrastructure. | |||
Documents: | Documents: | |||
http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 | http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 | |||
5.4 DMTF - Security Protection and Management (SPAM) Working Group | 6.4. DMTF - Security Protection and Management (SPAM) Working Group | |||
http://www.dmtf.org/about/committees/spamWGCharter.pdf | http://www.dmtf.org/about/committees/spamWGCharter.pdf | |||
The Working Group will define a CIM Common Model that addresses | The Working Group will define a CIM Common Model that addresses | |||
security protection and detection technologies, which may include | security protection and detection technologies, which may include | |||
devices and services, and classifies security information, attacks | devices and services, and classifies security information, attacks | |||
and responses. | and responses. | |||
5.5 DMTF - User and Security Working Group | 6.5. DMTF - User and Security Working Group | |||
http://www.dmtf.org/about/committees/userWGCharter.pdf | http://www.dmtf.org/about/committees/userWGCharter.pdf | |||
The User and Security Working Group defines objects and access | The User and Security Working Group defines objects and access | |||
methods required for principals - where principals include users, | methods required for principals - where principals include users, | |||
groups, software agents, systems, and organizations. | groups, software agents, systems, and organizations. | |||
5.6 ATIS Security & Emergency Preparedness Activities | 6.6. ATIS Security & Emergency Preparedness Activities | |||
http://www.atis.org/atis/atisinfo/emergency/ | http://www.atis.org/atis/atisinfo/emergency/ | |||
security_committee_activities_T1.htm | security_committee_activities_T1.htm | |||
The link above contains the description of the ATIS Communications | The link above contains the description of the ATIS Communications | |||
Security Model, the scopes of the Technical Subcommittees in relation | Security Model, the scopes of the Technical Subcommittees in relation | |||
to the security model, and a list of published documents produced by | to the security model, and a list of published documents produced by | |||
ATIS addressed to various aspects of network security. | ATIS addressed to various aspects of network security. | |||
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End | 6.7. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End | |||
Standards and Solutions | Standards and Solutions | |||
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf | ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf | |||
The ATIS TOPS Security Focus Group has made recommendations on work | The ATIS TOPS Security Focus Group has made recommendations on work | |||
items needed to be performed by other SDOs. | items needed to be performed by other SDOs. | |||
5.7.1 ATIS Work on Packet Filtering | 6.7.1. ATIS Work on Packet Filtering | |||
A part of the ATIS Work Plan was to define how disruptions may be | A part of the ATIS Work Plan was to define how disruptions may be | |||
prevented by filtering unwanted traffic at the edges of the network. | prevented by filtering unwanted traffic at the edges of the network. | |||
ATIS is developing this work in a document titled, "Traffic Filtering | ATIS is developing this work in a document titled, "Traffic Filtering | |||
for the Prevention of Unwanted Traffic". | for the Prevention of Unwanted Traffic". | |||
5.8 ATIS Work on the NGN | 6.8. ATIS Work on the NGN | |||
http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/ | http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/ | |||
Part%20I/ATIS_NGN_Part_1_Issue1.pdf | Part%20I/ATIS_NGN_Part_1_Issue1.pdf | |||
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts | In November 2004, ATIS released Part I of the ATIS NGN-FG efforts | |||
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN | entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN | |||
Definitions, Requirements, and Architecture, Issue 1.0, November | Definitions, Requirements, and Architecture, Issue 1.0, November | |||
2004." | 2004." | |||
5.9 Common Criteria | 6.9. Common Criteria | |||
http://csrc.nist.gov/cc/ | http://www.commoncriteriaportal.org/ | |||
Version 1.0 of the CC was completed in January 1996. Based on a | Version 1.0 of the CC was completed in January 1996. Based on a | |||
number of trial evaluations and an extensive public review, Version | number of trial evaluations and an extensive public review, Version | |||
1.0 was extensively revised and CC Version 2.0 was produced in April | 1.0 was extensively revised and CC Version 2.0 was produced in April | |||
of 1998. This became ISO International Standard 15408 in 1999. The | of 1998. This became ISO International Standard 15408 in 1999. The | |||
CC Project subsequently incorporated the minor changes that had | CC Project subsequently incorporated the minor changes that had | |||
resulted in the ISO process, producing CC version 2.1 in August 1999. | resulted in the ISO process, producing CC version 2.1 in August 1999. | |||
Version 3.0 was published in June 2005 and is available for comment. | ||||
Common Criteria v2.1 contains: | The official version of the Common Criteria and of the Common | |||
Evaluation Methodology is v2.3 which was published in August 2005. | ||||
Part 1 - Intro & General Model | All Common Criteria publications contain: | |||
Part 2 - Functional Requirements (including Annexes) | Part 1: Introduction and general model | |||
Part 3 - Assurance Requirements | Part 2: Security functional components | |||
Documents: Common Criteria V2.1 | Part 3: Security assurance components | |||
http://csrc.nist.gov/cc/CC-v2.1.html | ||||
5.10 ETSI | Documents: Common Criteria V2.3 | |||
http://www.commoncriteriaportal.org/public/expert/index.php?menu=2 | ||||
6.10. ETSI | ||||
http://www.etsi.org/ | http://www.etsi.org/ | |||
The ETSI hosted the ETSI Global Security Conference in late November, | The ETSI hosted the ETSI Global Security Conference in late November, | |||
2003, which could lead to a standard. | 2003, which could lead to a standard. | |||
Groups related to security located from the ETSI Groups Portal: | Groups related to security located from the ETSI Groups Portal: | |||
OCG Security | OCG Security | |||
3GPP SA3 | 3GPP SA3 | |||
TISPAN WG7 | TISPAN WG7 | |||
5.11 GGF Security Area (SEC) | 6.11. GGF Security Area (SEC) | |||
https://forge.gridforum.org/projects/sec/ | https://forge.gridforum.org/projects/sec/ | |||
The Security Area (SEC) is concerned with various issues relating to | The Security Area (SEC) is concerned with various issues relating to | |||
authentication and authorization in Grid environments. | authentication and authorization in Grid environments. | |||
Working groups: | Working groups: | |||
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - | Authorization Frameworks and Mechanisms WG (AuthZ-WG) - | |||
https://forge.gridforum.org/projects/authz-wg | https://forge.gridforum.org/projects/authz-wg | |||
Certificate Authority Operations Working Group (CAOPS-WG) - | Certificate Authority Operations Working Group (CAOPS-WG) - | |||
https://forge.gridforum.org/projects/caops-wg | https://forge.gridforum.org/projects/caops-wg | |||
OGSA Authorization Working Group (OGSA-AUTHZ) - | OGSA Authorization Working Group (OGSA-AUTHZ) - | |||
https://forge.gridforum.org/projects/ogsa-authz | https://forge.gridforum.org/projects/ogsa-authz | |||
Grid Security Infrastructure (GSI-WG) - | Grid Security Infrastructure (GSI-WG) - | |||
https://forge.gridforum.org/projects/gsi-wg | https://forge.gridforum.org/projects/gsi-wg | |||
5.12 Information System Security Assurance Architecture | 6.12. Information System Security Assurance Architecture | |||
IEEE Working Group - http://issaa.org/ | IEEE Working Group - http://issaa.org/ | |||
Formerly the Security Certification and Accreditation of Information | Formerly the Security Certification and Accreditation of Information | |||
Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft | Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft | |||
Standard for Information System Security Assurance Architecture for | Standard for Information System Security Assurance Architecture for | |||
ballot and during the process begin development of a suite of | ballot and during the process begin development of a suite of | |||
associated standards for components of that architecture. | associated standards for components of that architecture. | |||
Documents: http://issaa.org/documents/index.html | Documents: http://issaa.org/documents/index.html | |||
5.13 Operational Security Requirements for IP Network Infrastructure : | 6.13. Operational Security Requirements for IP Network Infrastructure : | |||
Advanced Requirements | Advanced Requirements | |||
IETF RFC 3871 | IETF RFC 3871 | |||
Abstract: This document defines a list of operational security | Abstract: This document defines a list of operational security | |||
requirements for the infrastructure of large ISP IP networks (routers | requirements for the infrastructure of large ISP IP networks (routers | |||
and switches). A framework is defined for specifying "profiles", | and switches). A framework is defined for specifying "profiles", | |||
which are collections of requirements applicable to certain network | which are collections of requirements applicable to certain network | |||
topology contexts (all, core-only, edge-only...). The goal is to | topology contexts (all, core-only, edge-only...). The goal is to | |||
provide network operators a clear, concise way of communicating their | provide network operators a clear, concise way of communicating their | |||
security requirements to vendors. | security requirements to vendors. | |||
Documents: | Documents: | |||
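Review bot: In 6.9 the -03 text names v2.3 (August 2005) as the official Common Criteria version but drops the -02 sentence that Version 3.0 was published for comment in June 2005; keep a one-line mention that v3.0 is under review, since this draft's own Security Considerations warns that listed efforts may be out of date and a reader would otherwise take v2.3 as the last word. Similarly, 6.10 still says the November 2003 ETSI Global Security Conference "could lead to a standard"; by this draft's date that sentence should either name the resulting work item or be dropped.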
skipping to change at page 21, line 16 | skipping to change at page 22, line 22 | |||
and switches). A framework is defined for specifying "profiles", | and switches). A framework is defined for specifying "profiles", | |||
which are collections of requirements applicable to certain network | which are collections of requirements applicable to certain network | |||
topology contexts (all, core-only, edge-only...). The goal is to | topology contexts (all, core-only, edge-only...). The goal is to | |||
provide network operators a clear, concise way of communicating their | provide network operators a clear, concise way of communicating their | |||
security requirements to vendors. | security requirements to vendors. | |||
Documents: | Documents: | |||
ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt | ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt | |||
5.14 INCITS Technical Committee T4 - Security Techniques | 6.14. INCITS Technical Committee T4 - Security Techniques | |||
http://www.incits.org/tc_home/t4.htm | http://www.incits.org/tc_home/t4.htm | |||
Technical Committee T4, Security Techniques, participates in the | Technical Committee T4, Security Techniques, participates in the | |||
standardization of generic methods for information technology | standardization of generic methods for information technology | |||
security. This includes development of: security techniques and | security. This includes development of: security techniques and | |||
mechanisms; security guidelines; security evaluation criteria; and | mechanisms; security guidelines; security evaluation criteria; and | |||
identification of generic requirements for information technology | identification of generic requirements for information technology | |||
system security services. | system security services. | |||
5.15 INCITS CS1 - Cyber Security | 6.15. INCITS CS1 - Cyber Security | |||
http://www.incits.org/tc_home/cs1.htm | http://www.incits.org/tc_home/cs1.htm | |||
INCITS/CS1 was established in April 2005 to serve as the US TAG for | INCITS/CS1 was established in April 2005 to serve as the US TAG for | |||
ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 | ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 | |||
(INCITS/T4 serves as the US TAG to SC 27/WG 2). | (INCITS/T4 serves as the US TAG to SC 27/WG 2). | |||
The scope of CS1 explicitly excludes the areas of work on cyber | The scope of CS1 explicitly excludes the areas of work on cyber | |||
security standardization presently underway in INCITS B10, M1 and T3; | security standardization presently underway in INCITS B10, M1 and T3; | |||
as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and | as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and | |||
X9. INCITS T4's area of work would be narrowed to cryptography | X9. INCITS T4's area of work would be narrowed to cryptography | |||
projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and | projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and | |||
mechanisms). | mechanisms). | |||
5.16 ISO Guidelines for the Management of IT Security - GMITS | 6.16. ISO Guidelines for the Management of IT Security - GMITS | |||
Guidelines for the Management of IT Security -- Part 1: Concepts and | Guidelines for the Management of IT Security -- Part 1: Concepts and | |||
models for IT Security | models for IT Security | |||
http://www.iso.ch/iso/en/ | http://www.iso.ch/iso/en/ | |||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 | CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 | |||
Guidelines for the Management of IT Security -- Part 2: Managing and | Guidelines for the Management of IT Security -- Part 2: Managing and | |||
planning IT Security | planning IT Security | |||
http://www.iso.org/iso/en/ | http://www.iso.org/iso/en/ | |||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& | CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& | |||
ICS3= | ICS3= | |||
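Review bot: Section 6.13 identifies RFC 3871 only by the bare line "IETF RFC 3871" and an ftp URL under "Documents:", while the -03 References section (11. Normative References) carries only RFC 2119; add an informative reference entry for RFC 3871 and cite it by number in 6.13, the way [1] is cited. A smaller point in 6.16: the Part 1 link uses the www.iso.ch host and the Part 2 link www.iso.org; use one host consistently so the two catalogue entries look like what they are, two parts of one series.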
skipping to change at page 22, line 37 | skipping to change at page 23, line 41 | |||
http://www.iso.org/iso/en/ | http://www.iso.org/iso/en/ | |||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& | CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& | |||
ICS3= | ICS3= | |||
Open Systems Interconnection -- Network layer security protocol | Open Systems Interconnection -- Network layer security protocol | |||
http://www.iso.org/iso/en/ | http://www.iso.org/iso/en/ | |||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& | CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& | |||
ICS3=30 | ICS3=30 | |||
5.17 ISO JTC 1/SC 27 | 6.17. ISO JTC 1/SC 27 | |||
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ | http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ | |||
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 | TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 | |||
Several security related ISO projects under JTC 1/SC 27 are listed | Several security related ISO projects under JTC 1/SC 27 are listed | |||
here such as: | here such as: | |||
IT security techniques -- Entity authentication | IT security techniques -- Entity authentication | |||
Security techniques -- Key management | Security techniques -- Key management | |||
Security techniques -- Evaluation criteria for IT security | Security techniques -- Evaluation criteria for IT security | |||
Security techniques -- A framework for IT security assurance | Security techniques -- A framework for IT security assurance | |||
IT Security techniques -- Code of practice for information | IT Security techniques -- Code of practice for information | |||
security management | security management | |||
Security techniques -- IT network security | Security techniques -- IT network security | |||
Guidelines for the implementation, operation and management of | Guidelines for the implementation, operation and management of | |||
Intrusion Detection Systems (IDS) | Intrusion Detection Systems (IDS) | |||
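Review bot: The 6.17 list gives SC 27 project titles only ("Security techniques -- Key management" and so on) with no ISO/IEC project numbers or per-item links, whereas 6.16 links each GMITS part by catalogue number; add the project number to each item so a reader can find it from the SC 27 programme page cited under the heading. Also, the draft hyphenates "security-related" in 6.20 but writes "security related" in 6.17, 6.18 and 6.23; pick one form.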
skipping to change at page 23, line 17 | skipping to change at page 24, line 21 | |||
security management | security management | |||
Security techniques -- IT network security | Security techniques -- IT network security | |||
Guidelines for the implementation, operation and management of | Guidelines for the implementation, operation and management of | |||
Intrusion Detection Systems (IDS) | Intrusion Detection Systems (IDS) | |||
International Security, Trust, and Privacy Alliance -- Privacy | International Security, Trust, and Privacy Alliance -- Privacy | |||
Framework | Framework | |||
5.18 ITU-T Study Group 2 | 6.18. ITU-T Study Group 2 | |||
http://www.itu.int/ITU-T/studygroups/com02/index.asp | http://www.itu.int/ITU-T/studygroups/com02/index.asp | |||
Security related recommendations currently under study: | Security related recommendations currently under study: | |||
E.408 Telecommunication networks security requirements Q.5/2 | E.408 Telecommunication networks security requirements Q.5/2 (was | |||
(was E.sec1) | E.sec1) | |||
E.409 Incident Organisation and Security Incident Handling | E.409 Incident Organisation and Security Incident Handling Q.5/2 | |||
Q.5/2 (was E.sec2) | (was E.sec2) | |||
Note: Access requires TIES account. | Note: Access requires TIES account. | |||
5.19 ITU-T Recommendation M.3016 | 6.19. ITU-T Recommendation M.3016 | |||
http://www.itu.int/itudoc/itu-t/com4/contr/068.html | http://www.itu.int/itudoc/itu-t/com4/contr/068.html | |||
This recommendation provides an overview and framework that | This recommendation provides an overview and framework that | |||
identifies the security requirements of a TMN and outlines how | identifies the security requirements of a TMN and outlines how | |||
available security services and mechanisms can be applied within the | available security services and mechanisms can be applied within the | |||
context of the TMN functional architecture. | context of the TMN functional architecture. | |||
Question 18 of Study Group 3 is revising Recommendation M.3016. They | Question 18 of Study Group 3 is revising Recommendation M.3016. They | |||
have taken the original document and are incorporating thoughts from | have taken the original document and are incorporating thoughts from | |||
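Review bot: 6.19 attributes the revision of M.3016 to "Question 18 of Study Group 3", but the only URL given is a Study Group 4 contribution page (itu-t/com4/contr/068.html); confirm which study group owns the work and cite the study group's or the Recommendation's page rather than a single contribution number, which will not stay stable. In 6.18, "Note: Access requires TIES account" should say what requires the login (the index page or the E.408/E.409 draft texts), since the index URL is given as if it were public.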
skipping to change at page 23, line 46 | skipping to change at page 25, line 4 | |||
identifies the security requirements of a TMN and outlines how | identifies the security requirements of a TMN and outlines how | |||
available security services and mechanisms can be applied within the | available security services and mechanisms can be applied within the | |||
context of the TMN functional architecture. | context of the TMN functional architecture. | |||
Question 18 of Study Group 3 is revising Recommendation M.3016. They | Question 18 of Study Group 3 is revising Recommendation M.3016. They | |||
have taken the original document and are incorporating thoughts from | have taken the original document and are incorporating thoughts from | |||
ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has | ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has | |||
produced a new series of documents. | produced a new series of documents. | |||
M.3016.0 - Overview | M.3016.0 - Overview | |||
M.3016.1 - Requirements | M.3016.1 - Requirements | |||
M.3016.2 - Services | M.3016.2 - Services | |||
M.3016.3 - Mechanisms | M.3016.3 - Mechanisms | |||
M.3016.4 - Profiles | M.3016.4 - Profiles | |||
5.20 ITU-T Recommendation X.805 | 6.20. ITU-T Recommendation X.805 | |||
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html | http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html | |||
This Recommendation defines the general security-related | This Recommendation defines the general security-related | |||
architectural elements that, when appropriately applied, can provide | architectural elements that, when appropriately applied, can provide | |||
end-to-end network security. | end-to-end network security. | |||
5.21 ITU-T Study Group 16 | 6.21. ITU-T Study Group 16 | |||
http://www.itu.int/ITU-T/studygroups/com16/index.asp | http://www.itu.int/ITU-T/studygroups/com16/index.asp | |||
Security of Multimedia Systems and Services - Question G/16 | Security of Multimedia Systems and Services - Question G/16 | |||
http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html | http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html | |||
5.22 ITU-T Study Group 17 | 6.22. ITU-T Study Group 17 | |||
http://www.itu.int/ITU-T/studygroups/com17/index.asp | http://www.itu.int/ITU-T/studygroups/com17/index.asp | |||
ITU-T Study Group 17 is the Lead Study Group on Communication System | ITU-T Study Group 17 is the Lead Study Group on Communication System | |||
Security | Security | |||
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html | http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html | |||
Study Group 17 Security Project: | Study Group 17 Security Project: | |||
http://www.itu.int/ITU-T/studygroups/com17/security/index.html | http://www.itu.int/ITU-T/studygroups/com17/security/index.html | |||
During its November 2002 meeting, Study Group 17 agreed to establish | During its November 2002 meeting, Study Group 17 agreed to establish | |||
a new project entitled "Security Project" under the leadership of | a new project entitled "Security Project" under the leadership of | |||
Q.10/17 to coordinate the ITU-T standardization effort on security. | Q.10/17 to coordinate the ITU-T standardization effort on security. | |||
An analysis of the status on ITU-T Study Group action on information | An analysis of the status on ITU-T Study Group action on information | |||
and communication network security may be found in TSB Circular 147 | and communication network security may be found in TSB Circular 147 | |||
of 14 February 2003. | of 14 February 2003. | |||
5.23 Catalogue of ITU-T Recommendations related to Communications | 6.23. Catalogue of ITU-T Recommendations related to Communications | |||
System Security | System Security | |||
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html | http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html | |||
The Catalogue of the approved security Recommendations include those, | The Catalogue of the approved security Recommendations include those, | |||
designed for security purposes and those, which describe or use of | designed for security purposes and those, which describe or use of | |||
functions of security interest and need. Although some of the | functions of security interest and need. Although some of the | |||
security related Recommendations includes the phrase "Open Systems | security related Recommendations includes the phrase "Open Systems | |||
Interconnection", much of the information contained in them is | Interconnection", much of the information contained in them is | |||
pertinent to the establishment of security functionality in any | pertinent to the establishment of security functionality in any | |||
communicating system. | communicating system. | |||
5.24 ITU-T Security Manual | 6.24. ITU-T Security Manual | |||
http://www.itu.int/ITU-T/edh/files/security-manual.pdf | http://www.itu.int/ITU-T/edh/files/security-manual.pdf | |||
TSB is preparing an "ITU-T Security Manual" to provide an overview on | TSB is preparing an "ITU-T Security Manual" to provide an overview on | |||
security in telecommunications and information technologies, describe | security in telecommunications and information technologies, describe | |||
practical issues, and indicate how the different aspects of security | practical issues, and indicate how the different aspects of security | |||
in today's applications are addressed by ITU-T Recommendations. This | in today's applications are addressed by ITU-T Recommendations. This | |||
manual has a tutorial character: it collects security related | manual has a tutorial character: it collects security related | |||
material from ITU-T Recommendations into one place and explains the | material from ITU-T Recommendations into one place and explains the | |||
respective relationships. The intended audience for this manual is | respective relationships. The intended audience for this manual is | |||
engineers and product managers, students and academia, as well as | engineers and product managers, students and academia, as well as | |||
regulators who want to better understand security aspects in | regulators who want to better understand security aspects in | |||
practical applications. | practical applications. | |||
5.25 ITU-T NGN Effort | 6.25. ITU-T NGN Effort | |||
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html | http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html | |||
During its January 2002 meeting, SG13 decided to undertake the | During its January 2002 meeting, SG13 decided to undertake the | |||
preparation of a new ITU-T Project entitled "NGN 2004 Project". At | preparation of a new ITU-T Project entitled "NGN 2004 Project". At | |||
the November 2002 SG13 meeting, a preliminary description of the | the November 2002 SG13 meeting, a preliminary description of the | |||
Project was achieved and endorsed by SG13 with the goal to launch the | Project was achieved and endorsed by SG13 with the goal to launch the | |||
Project. It is regularly updated since then. | Project. It is regularly updated since then. | |||
The role of the NGN 2004 Project is to organize and to coordinate | The role of the NGN 2004 Project is to organize and to coordinate | |||
ITU-T activities on Next Generation Networks. Its target is to | ITU-T activities on Next Generation Networks. Its target is to | |||
produce a first set of Recommendations on NGN by the end of this | produce a first set of Recommendations on NGN by the end of this | |||
study period, i.e. mid-2004. | study period, i.e. mid-2004. | |||
5.26 NRIC VI Focus Groups | 6.26. NRIC VI Focus Groups | |||
http://www.nric.org/fg/index.html | http://www.nric.org/fg/index.html | |||
The Network Reliability and Interoperability Council (NRIC) was | The Network Reliability and Interoperability Council (NRIC) was | |||
formed with the purpose to provide recommendations to the FCC and to | formed with the purpose to provide recommendations to the FCC and to | |||
the industry to assure the reliability and interoperability of | the industry to assure the reliability and interoperability of | |||
wireless, wireline, satellite, and cable public telecommunications | wireless, wireline, satellite, and cable public telecommunications | |||
networks. These documents provide general information and guidance | networks. These documents provide general information and guidance | |||
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | |||
prevention of cyberattack and for restoration following a | prevention of cyberattack and for restoration following a | |||
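Review bot: 6.25 still states the NGN 2004 Project's target as "the end of this study period, i.e. mid-2004", two years before this draft's date, and its URL sits under the 2001-2004 study period; either record whether the first set of NGN Recommendations was produced or mark the target as past. Also, the description in 6.23 is ungrammatical as written ("The Catalogue ... include those, designed for security purposes and those, which describe or use of functions"); if it is quoted from the ITU-T page, mark it as a quotation, otherwise rewrite it, for example "includes those designed for security purposes and those that describe or use functions of security interest".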
skipping to change at page 26, line 15 | skipping to change at page 27, line 17 | |||
Documents: | Documents: | |||
Homeland Defense - Recommendations Published 14-Mar-03 | Homeland Defense - Recommendations Published 14-Mar-03 | |||
Preventative Best Practices - Recommendations Published 14-Mar-03 | Preventative Best Practices - Recommendations Published 14-Mar-03 | |||
Recovery Best Practices - Recommendations Published 14-Mar-03 | Recovery Best Practices - Recommendations Published 14-Mar-03 | |||
Best Practice Appendices - Recommendations Published 14-Mar-03 | Best Practice Appendices - Recommendations Published 14-Mar-03 | |||
5.27 OASIS Security Joint Committee | 6.27. OASIS Security Joint Committee | |||
http://www.oasis-open.org/committees/ | http://www.oasis-open.org/committees/ | |||
tc_home.php?wg_abbrev=security-jc | tc_home.php?wg_abbrev=security-jc | |||
The purpose of the Security JC is to coordinate the technical | The purpose of the Security JC is to coordinate the technical | |||
activities of multiple security related TCs. The SJC is advisory | activities of multiple security related TCs. The SJC is advisory | |||
only, and has no deliverables. The Security JC will promote the use | only, and has no deliverables. The Security JC will promote the use | |||
of consistent terms, promote re-use, champion an OASIS security | of consistent terms, promote re-use, champion an OASIS security | |||
standards model, provide consistent PR, and promote mutuality, | standards model, provide consistent PR, and promote mutuality, | |||
operational independence and ethics. | operational independence and ethics. | |||
5.28 OASIS Security Services TC | 6.28. OASIS Security Services TC | |||
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security | http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security | |||
The Security Services TC is working to advance the Security Assertion | The Security Services TC is working to advance the Security Assertion | |||
Markup Language (SAML) as an OASIS standard. SAML is an XML | Markup Language (SAML) as an OASIS standard. SAML is an XML | |||
framework for exchanging authentication and authorization | framework for exchanging authentication and authorization | |||
information. | information. | |||
5.29 OIF Implementation Agreements | 6.29. OIF Implementation Agreements | |||
The OIF has 2 approved Implementation Agreements (IAs) relating to | The OIF has 2 approved Implementation Agreements (IAs) relating to | |||
security. They are: | security. They are: | |||
OIF-SMI-01.0 - Security Management Interfaces to Network Elements | OIF-SMI-01.0 - Security Management Interfaces to Network Elements | |||
This Implementation Agreement lists objectives for securing OAM&P | This Implementation Agreement lists objectives for securing OAM&P | |||
interfaces to a Network Element and then specifies ways of using | interfaces to a Network Element and then specifies ways of using | |||
security systems (e.g., IPsec or TLS) for securing these interfaces. | security systems (e.g., IPsec or TLS) for securing these interfaces. | |||
It summarizes how well each of the systems, used as specified, | It summarizes how well each of the systems, used as specified, | |||
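Review bot: The NRIC "Documents:" list in 6.26 gives four titles and a publication date but no URLs, and the section URL (nric.org/fg/index.html) is only the Focus Group index; give a link per document, as 6.24 and 6.29 do for theirs. In 6.29, "The OIF has 2 approved Implementation Agreements" should spell out "two", and the section has no URL line under its heading, unlike most sections in this part (6.30 TIA has the same gap).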
skipping to change at page 26, line 50 | skipping to change at page 28, line 4 | |||
OIF-SMI-01.0 - Security Management Interfaces to Network Elements | OIF-SMI-01.0 - Security Management Interfaces to Network Elements | |||
This Implementation Agreement lists objectives for securing OAM&P | This Implementation Agreement lists objectives for securing OAM&P | |||
interfaces to a Network Element and then specifies ways of using | interfaces to a Network Element and then specifies ways of using | |||
security systems (e.g., IPsec or TLS) for securing these interfaces. | security systems (e.g., IPsec or TLS) for securing these interfaces. | |||
It summarizes how well each of the systems, used as specified, | It summarizes how well each of the systems, used as specified, | |||
satisfies the objectives. | satisfies the objectives. | |||
OIF - SEP - 01.1 - Security Extension for UNI and NNI | OIF - SEP - 01.1 - Security Extension for UNI and NNI | |||
This Implementation Agreement defines a common Security Extension for | This Implementation Agreement defines a common Security Extension for | |||
securing the protocols used in UNI 1.0, UNI 2.0, and NNI. | securing the protocols used in UNI 1.0, UNI 2.0, and NNI. | |||
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf | Documents: http://www.oiforum.com/public/documents/Security-IA.pdf | |||
5.30 TIA | 6.30. TIA | |||
The TIA has produced the "Compendium of Emergency Communications and | The TIA has produced the "Compendium of Emergency Communications and | |||
Communications Network Security-related Work Activities". This | Communications Network Security-related Work Activities". This | |||
document identifies standards, or other technical documents and | document identifies standards, or other technical documents and | |||
ongoing Emergency/Public Safety Communications and Communications | ongoing Emergency/Public Safety Communications and Communications | |||
Network Security-related work activities within TIA and it's | Network Security-related work activities within TIA and it's | |||
Engineering Committees. Many P25 documents are specifically | Engineering Committees. Many P25 documents are specifically | |||
detailed. This "living document" is presented for information, | detailed. This "living document" is presented for information, | |||
coordination and reference. | coordination and reference. | |||
Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf | Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf | |||
5.31 WS-I Basic Security Profile | 6.31. WS-I Basic Security Profile | |||
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html | http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html | |||
The WS-I Basic Security Profile 1.0 consists of a set of non- | The WS-I Basic Security Profile 1.0 consists of a set of non- | |||
proprietary Web services specifications, along with clarifications | proprietary Web services specifications, along with clarifications | |||
and amendments to those specifications which promote | and amendments to those specifications which promote | |||
interoperability. | interoperability. | |||
6. Security Considerations | 7. Security Considerations | |||
This document describes efforts to standardize security practices and | This document describes efforts to standardize security practices and | |||
documents. As such this document offers no security guidance | documents. As such this document offers no security guidance | |||
whatsoever. | whatsoever. | |||
Readers of this document should be aware of the date of publication | Readers of this document should be aware of the date of publication | |||
of this document. It is feared that they may assume that the | of this document. It is feared that they may assume that the | |||
efforts, on-line material, and documents are current whereas they may | efforts, on-line material, and documents are current whereas they may | |||
not be. Please consider this when reading this document. | not be. Please consider this when reading this document. | |||
7. IANA Considerations | 8. IANA Considerations | |||
This Internet Draft does not propose a standard but is trying to pull | This document does not propose a standard and does not require the | |||
together information about the security related efforts of all | IANA to do anything. | |||
Standards Developing Organizations and some other efforts which | ||||
provide good secuirty methods, practices or recommendations. | ||||
8. Acknowledgments | 9. Acknowledgments | |||
The following people have contributed to this document. Listing | The following people have contributed to this document. Listing | |||
their names here does not mean that they endorse the document, but | their names here does not mean that they endorse the document, but | |||
that they have contributed to its substance. | that they have contributed to its substance. | |||
David Black, Mark Ellison, George Jones, Keith McCloghrie, John | David Black, Mark Ellison, George Jones, Keith McCloghrie, John | |||
McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer. | McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce | |||
Moon. | ||||
9. Changes from Prior Drafts | 10. Changes from Prior Drafts | |||
-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt | -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt | |||
-01 : Security Glossaries: | -01 : Security Glossaries: | |||
Added ATIS Telecom Glossary 2000, Critical Infrastructure | Added ATIS Telecom Glossary 2000, Critical Infrastructure | |||
Glossary of Terms and Acronyms, Microsoft Solutions for | Glossary of Terms and Acronyms, Microsoft Solutions for | |||
Security Glossary, and USC InfoSec Glossary. | Security Glossary, and USC InfoSec Glossary. | |||
Standards Developing Organizations: | Standards Developing Organizations: | |||
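Review bot: In 6.30, "within TIA and it's Engineering Committees" should read "its" (possessive); the error is present in both columns. Identifier style is also inconsistent in 6.29: "OIF-SMI-01.0" versus "OIF - SEP - 01.1" with spaces; use the unspaced form for both. The rewritten IANA Considerations in -03 is the right content for that section, but the -02 wording it replaces was the only visible statement of the document's overall purpose (pulling together the security-related efforts of SDOs and other groups); make sure that sentence survives in the Introduction if it is not already there.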
skipping to change at page 31, line 46 | skipping to change at page 32, line 46 | |||
Added more information about the ITU-T SG3 Q18 effort to modify | Added more information about the ITU-T SG3 Q18 effort to modify | |||
ITU-T Recommendation M.3016. | ITU-T Recommendation M.3016. | |||
-01 : First revision as the WG ID. | -01 : First revision as the WG ID. | |||
Added information about the NGN in the sections about ATIS, the | Added information about the NGN in the sections about ATIS, the | |||
NSTAC, and ITU-T. | NSTAC, and ITU-T. | |||
-02 : Second revision as the WG ID. | -02 : Second revision as the WG ID. | |||
Updated the date. Corrected some url's and the reference to | Updated the date. | |||
George's RFC. | ||||
Note: This section will be removed before publication as an RFC. | Corrected some url's and the reference to George's RFC. | |||
10. References | -03 : Third revision of the WG ID. | |||
10.1 Normative References | Updated the date. | |||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | Updated the information about the CC | |||
Levels", RFC 2119, STD 14, March 1997. | ||||
10.2 Informative References | Added a Conventions section (not sure how this document got to | |||
where it is without that) | ||||
[2] Narten, T. and H. Alvestrand, "Guidelines for writing an IANA | Note: This section will be removed before publication as an RFC. | |||
Considerations Section in RFCs", RFC 2869, BCP 26, October 1998. | ||||
11. Normative References | ||||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | ||||
Levels", RFC 2119, STD 14, March 1997. | ||||
Authors' Addresses | Authors' Addresses | |||
Chris Lonvick | Chris Lonvick | |||
Cisco Systems | Cisco Systems | |||
12515 Research Blvd. | 12515 Research Blvd. | |||
Austin, Texas 78759 | Austin, Texas 78759 | |||
US | US | |||
Phone: +1 512 378 1182 | Phone: +1 512 378 1182 | |||
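Review bot: The -03 change log records the date, the CC update and the new Conventions section, but not that the Informative References subsection was removed or that the IANA Considerations text was rewritten; list those too so WG reviewers can see every substantive change. The removed [2] entry was also mis-numbered: the title "Guidelines for writing an IANA Considerations Section in RFCs" (Narten and Alvestrand, BCP 26, October 1998) is RFC 2434, not RFC 2869, so fix the number if the entry is reinstated. Minor: the -03 entry "Updated the information about the CC" lacks its terminating period.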
End of changes. 114 change blocks. | ||||
232 lines changed or deleted | 236 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |