draft-ietf-opsec-efforts-02.txt   draft-ietf-opsec-efforts-03.txt 
Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: October 21, 2006                                  Cisco Systems
                                                          April 19, 2006

            Security Best Practices Efforts and Documents
                    draft-ietf-opsec-efforts-03.txt
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on October 21, 2006.

Copyright Notice

Copyright (C) The Internet Society (2006).
Abstract

This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing
Organizations (SDO).

Table of Contents
1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.  Conventions Used in This Document  . . . . . . . . . . . . . . 7
3.  Format of this Document  . . . . . . . . . . . . . . . . . . . 8
4.  Online Security Glossaries . . . . . . . . . . . . . . . . . . 9
  4.1.  ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 9
  4.2.  Critical Infrastructure Glossary of Terms and Acronyms . . 9
  4.3.  Internet Security Glossary - RFC 2828  . . . . . . . . . . 9
  4.4.  Compendium of Approved ITU-T Security Definitions  . . . . 10
  4.5.  Microsoft Solutions for Security Glossary  . . . . . . . . 10
  4.6.  SANS Glossary of Security Terms  . . . . . . . . . . . . . 10
  4.7.  USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 10
5.  Standards Developing Organizations . . . . . . . . . . . . . . 11
  5.1.  3GPP - Third Generation Partnership Project  . . . . . . . 11
  5.2.  3GPP2 - Third Generation Partnership Project 2 . . . . . . 11
  5.3.  ANSI - The American National Standards Institute . . . . . 11
  5.4.  ATIS - Alliance for Telecommunications Industry
        Solutions  . . . . . . . . . . . . . . . . . . . . . . . . 11
    5.4.1.  ATIS Network Performance, Reliability and Quality
            of Service Committee, formerly T1A1  . . . . . . . . . 12
    5.4.2.  ATIS Network Interface, Power, and Protection
            Committee, formerly T1E1 . . . . . . . . . . . . . . . 12
    5.4.3.  ATIS Telecom Management and Operations Committee,
            formerly T1M1 OAM&P  . . . . . . . . . . . . . . . . . 12
    5.4.4.  ATIS Ordering and Billing Forum regarding T1M1 O&B . . 12
    5.4.5.  ATIS Wireless Technologies and Systems Committee,
            formerly T1P1  . . . . . . . . . . . . . . . . . . . . 13
    5.4.6.  ATIS Packet Technologies and Systems Committee,
            formerly T1S1  . . . . . . . . . . . . . . . . . . . . 13
    5.4.7.  ATIS Protocol Interworking Committee, regarding
            T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 13
    5.4.8.  ATIS Optical Transport and Synchronization
            Committee, formerly T1X1 . . . . . . . . . . . . . . . 13
  5.5.  CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13
  5.6.  DMTF - Distributed Management Task Force, Inc. . . . . . . 14
  5.7.  ETSI - The European Telecommunications Standard
        Institute  . . . . . . . . . . . . . . . . . . . . . . . . 14
  5.8.  GGF - Global Grid Forum  . . . . . . . . . . . . . . . . . 14
  5.9.  IEEE - The Institute of Electrical and Electronics
        Engineers, Inc.  . . . . . . . . . . . . . . . . . . . . . 14
  5.10. IETF - The Internet Engineering Task Force . . . . . . . . 14
  5.11. INCITS - InterNational Committee for Information
        Technology Standards . . . . . . . . . . . . . . . . . . . 15
  5.12. INCITS Technical Committee T11 - Fibre Channel
        Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 15
  5.13. ISO - The International Organization for
        Standardization  . . . . . . . . . . . . . . . . . . . . . 15
  5.14. ITU - International Telecommunication Union  . . . . . . . 15
    5.14.1. ITU Telecommunication Standardization Sector -
            ITU-T  . . . . . . . . . . . . . . . . . . . . . . . . 15
    5.14.2. ITU Radiocommunication Sector - ITU-R  . . . . . . . . 16
    5.14.3. ITU Telecom Development - ITU-D  . . . . . . . . . . . 16
  5.15. OASIS - Organization for the Advancement of
        Structured Information Standards . . . . . . . . . . . . . 16
  5.16. OIF - Optical Internetworking Forum  . . . . . . . . . . . 16
  5.17. NRIC - The Network Reliability and Interoperability
        Council  . . . . . . . . . . . . . . . . . . . . . . . . . 16
  5.18. National Security Telecommunications Advisory
        Committee (NSTAC)  . . . . . . . . . . . . . . . . . . . . 17
  5.19. TIA - The Telecommunications Industry Association  . . . . 17
  5.20. Web Services Interoperability Organization (WS-I)  . . . . 17
6.  Security Best Practices Efforts and Documents  . . . . . . . . 18
  6.1.  3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 18
  6.2.  3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 18
  6.3.  American National Standard T1.276-2003 - Baseline
        Security Requirements for the Management Plane . . . . . . 18
  6.4.  DMTF - Security Protection and Management (SPAM)
        Working Group  . . . . . . . . . . . . . . . . . . . . . . 19
  6.5.  DMTF - User and Security Working Group . . . . . . . . . . 19
  6.6.  ATIS Security & Emergency Preparedness Activities  . . . . 19
  6.7.  ATIS Work-Plan to Achieve Interoperable,
        Implementable, End-To-End Standards and Solutions  . . . . 19
    6.7.1.  ATIS Work on Packet Filtering  . . . . . . . . . . . . 20
  6.8.  ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 20
  6.9.  Common Criteria  . . . . . . . . . . . . . . . . . . . . . 20
  6.10. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
  6.11. GGF Security Area (SEC)  . . . . . . . . . . . . . . . . . 21
  6.12. Information System Security Assurance Architecture . . . . 21
  6.13. Operational Security Requirements for IP Network
        Infrastructure : Advanced Requirements . . . . . . . . . . 22
  6.14. INCITS Technical Committee T4 - Security Techniques  . . . 22
  6.15. INCITS CS1 - Cyber Security  . . . . . . . . . . . . . . . 22
  6.16. ISO Guidelines for the Management of IT Security -
        GMITS  . . . . . . . . . . . . . . . . . . . . . . . . . . 22
  6.17. ISO JTC 1/SC 27  . . . . . . . . . . . . . . . . . . . . . 23
  6.18. ITU-T Study Group 2  . . . . . . . . . . . . . . . . . . . 24
  6.19. ITU-T Recommendation M.3016  . . . . . . . . . . . . . . . 24
  6.20. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . . 25
  6.21. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25
  6.22. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 25
  6.23. Catalogue of ITU-T Recommendations related to
        Communications System Security . . . . . . . . . . . . . . 25
  6.24. ITU-T Security Manual  . . . . . . . . . . . . . . . . . . 26
  6.25. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 26
  6.26. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 26
  6.27. OASIS Security Joint Committee . . . . . . . . . . . . . . 27
  6.28. OASIS Security Services TC . . . . . . . . . . . . . . . . 27
  6.29. OIF Implementation Agreements  . . . . . . . . . . . . . . 27
  6.30. TIA  . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
  6.31. WS-I Basic Security Profile  . . . . . . . . . . . . . . . 28
7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 29
8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 30
9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 31
10. Changes from Prior Drafts  . . . . . . . . . . . . . . . . . . 32
11. Normative References . . . . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
Intellectual Property and Copyright Statements . . . . . . . . . . 35
1. Introduction

The Internet is being recognized as a critical infrastructure similar
in nature to the power grid and a potable water supply. Just like
those infrastructures, means are needed to provide resiliency and
adaptability to the Internet so that it remains consistently
available to the public throughout the world even during times of
duress or attack. For this reason, many SDOs are developing
standards with hopes of retaining an acceptable level, or even
skipping to change at page 7, line 5
document could be a useful reference in producing the documents
described in the Working Group Charter. The authors have agreed to
keep this document current and request that those who read it will
submit corrections or comments.

Comments on this document may be addressed to the OpSec Working Group
or directly to the authors.

opsec@ops.ietf.org

2. Conventions Used in This Document
This document shall use the keywords "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" to describe requirements. These keywords are to be
interpreted as described in [1].
3. Format of this Document
The body of this document has three sections.

The first part of the body of this document, Section 4, contains a
listing of online glossaries relating to networking and security. It
is very important that the definitions of words relating to security
and security events be consistent. Inconsistent usage of words
across standards is unacceptable, as it would prevent a reader of two
standards from appropriately relating their recommendations. The
authors of this document have not reviewed the definitions of the
words in the listed glossaries and so can offer no assurance of their
alignment.

The second part, Section 5, contains a listing of SDOs that appear to
be working on security standards.

The third part, Section 6, lists the documents which have been found
to offer good practices or recommendations for securing networks and
networking devices.
4. Online Security Glossaries

This section contains references to glossaries of network and
computer security terms.

4.1. ATIS Telecom Glossary 2000

http://www.atis.org/tg2k/

Under an approved T1 standards project (T1A1-20), an existing
5800-entry, search-enabled hypertext telecommunications glossary
titled Federal Standard 1037C, Glossary of Telecommunication Terms,
was updated and matured into this glossary, T1.523-2001, Telecom
Glossary 2000. This updated glossary was posted on the Web as an
American National Standard (ANS).

4.2. Critical Infrastructure Glossary of Terms and Acronyms

http://www.ciao.gov/ciao_document_library/glossary/a.htm

The Critical Infrastructure Assurance Office (CIAO) was created to
coordinate the Federal Government's initiatives on critical
infrastructure assurance. While the glossary was not created as a
glossary specifically for security terms, it is populated with many
security-related definitions, abbreviations, organizations, and
concepts.

4.3. Internet Security Glossary - RFC 2828

http://www.ietf.org/rfc/rfc2828.txt

Created in May 2000, the document defines itself to be, "an
internally consistent, complementary set of abbreviations,
definitions, explanations, and recommendations for use of terminology
related to information system security." The glossary distinguishes
the listed definitions throughout the document as being:
skipping to change at page 10, line 6
o a recommended non-Internet definition

o not recommended as the first choice for Internet documents but
  something that an author of an Internet document would need to
  know

o a definition that shouldn't be used in Internet documents

o additional commentary or usage guidance
4.4. Compendium of Approved ITU-T Security Definitions

http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

Addendum to the Compendium of the Approved ITU-T Security-related
Definitions

http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

These extensive materials were created from approved ITU-T
Recommendations with a view toward establishing a common
understanding and use of security terms within ITU-T.

4.5. Microsoft Solutions for Security Glossary

http://www.microsoft.com/security/glossary/

The Microsoft Solutions for Security Glossary was created to explain
the concepts, technologies, and products associated with computer
security. This glossary contains several definitions specific to
Microsoft proprietary technologies and product solutions.

4.6. SANS Glossary of Security Terms

http://www.sans.org/resources/glossary.php

The SANS Institute (SysAdmin, Audit, Network, Security) was created
in 1989 as, "a cooperative research and education organization."
Updated in May 2003, SANS cites the NSA for their help in creating
the online glossary of security terms. The SANS Institute is also
home to many other resources including the SANS Intrusion Detection
FAQ and the SANS/FBI Top 20 Vulnerabilities List.

4.7. USC InfoSec Glossary

http://www.usc.edu/org/infosec/resources/glossary_a.html

A glossary of Information Systems security terms compiled by the
University of Southern California Office of Information Security.
5. Standards Developing Organizations

This section of this document lists the SDOs, or organizations that
appear to be developing security-related standards. These SDOs are
listed in alphabetical order.

Note: The authors would appreciate corrections and additions. This
note will be removed before publication as an RFC.
5.1. 3GPP - Third Generation Partnership Project

http://www.3gpp.org/

The 3rd Generation Partnership Project (3GPP) is a collaboration
agreement formed in December 1998. The collaboration agreement is
composed of several telecommunications standards bodies which are
known as "Organizational Partners". The current Organizational
Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

5.2. 3GPP2 - Third Generation Partnership Project 2

http://www.3gpp2.org/

Third Generation Partnership Project 2 (3GPP2) is a collaboration
among Organizational Partners much like its sister project 3GPP. The
Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes
the CDMA Development Group and IPv6 Forum as Market Representation
Partners for market advice.

5.3. ANSI - The American National Standards Institute

http://www.ansi.org/

ANSI is a private, non-profit organization that organizes and
oversees the U.S. voluntary standardization and conformity assessment
system. ANSI was founded October 19, 1918.

5.4. ATIS - Alliance for Telecommunications Industry Solutions

http://www.atis.org/

ATIS is a United States based body that is committed to rapidly
developing and promoting technical and operations standards for the
communications and related information technologies industry
worldwide using a pragmatic, flexible and open approach. Committee T1
as a group no longer exists as a result of the recent ATIS
reorganization on January 1, 2004. ATIS has restructured the former
T1 technical subcommittees into full ATIS standards committees to
easily identify and promote the nature of standards work each
committee performs. Due to the reorganization, some groups may have
a new mission and scope statement.
5.4.1. ATIS Network Performance, Reliability and Quality of Service
Committee, formerly T1A1

http://www.atis.org/0010/index.asp

The ATIS Network Performance, Reliability and Quality of Service
Committee develops and recommends standards, requirements, and
technical reports related to the performance, reliability, and
associated security aspects of communications networks, as well as
the processing of voice, audio, data, image, and video signals, and
their multimedia integration.

5.4.2. ATIS Network Interface, Power, and Protection Committee,
formerly T1E1

http://www.atis.org/0050/index.asp

The ATIS Network Interface, Power, and Protection Committee develops
and recommends standards and technical reports related to power
systems, electrical and physical protection for the exchange and
interexchange carrier networks, and interfaces associated with user
access to telecommunications networks.

5.4.3. ATIS Telecom Management and Operations Committee, formerly T1M1
OAM&P

http://www.atis.org/0130/index.asp

The ATIS Telecom Management and Operations Committee develops
internetwork operations, administration, maintenance and provisioning
standards, and technical reports related to interfaces for
telecommunications networks.

5.4.4. ATIS Ordering and Billing Forum regarding T1M1 O&B

http://www.atis.org/obf/index.asp

The T1M1 O&B subcommittee has become part of the ATIS Ordering and
Billing Forum.

The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
for customers and providers in the telecommunications industry to
identify, discuss and resolve national issues which affect ordering,
billing, provisioning and exchange of information about access
services, other connectivity and related matters.

5.4.5. ATIS Wireless Technologies and Systems Committee, formerly T1P1

http://www.atis.org/0160/index.asp

The ATIS Wireless Technologies and Systems Committee develops and
recommends standards and technical reports related to wireless and/or
mobile services and systems, including service descriptions and
wireless technologies. wireless technologies.
4.4.6 ATIS Packet Technologies and Systems Committee, formerly T1S1 5.4.6. ATIS Packet Technologies and Systems Committee, formerly T1S1
T1S1 was split into two separate ATIS committees: the ATIS Packet T1S1 was split into two separate ATIS committees: the ATIS Packet
Technologies and Systems Committee and the ATIS Protocol Interworking Technologies and Systems Committee and the ATIS Protocol Interworking
Committee. PTSC is responsible for producing standards to secure Committee. PTSC is responsible for producing standards to secure
signalling. signalling.
The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
at this time. It is expected to move to an ANSI standard. at this time. It is expected to move to an ANSI standard.
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 5.4.7. ATIS Protocol Interworking Committee, regarding T1S1
T1S1 was split into two separate ATIS committees: the ATIS Packet T1S1 was split into two separate ATIS committees: the ATIS Packet
Technologies and Systems Committee and the ATIS Protocol Interworking Technologies and Systems Committee and the ATIS Protocol Interworking
Committee. As a result of the reorganization of T1S1, these groups Committee. As a result of the reorganization of T1S1, these groups
will also probably have a new mission and scope. will also probably have a new mission and scope.
4.4.8 ATIS Optical Transport and Synchronization Committee, formerly 5.4.8. ATIS Optical Transport and Synchronization Committee, formerly
T1X1 T1X1
http://www.atis.org/0240/index.asp http://www.atis.org/0240/index.asp
ATIS Optical Transport and Synchronization Committee develops and ATIS Optical Transport and Synchronization Committee develops and
recommends standards and prepares technical reports related to recommends standards and prepares technical reports related to
telecommunications network technology pertaining to network telecommunications network technology pertaining to network
synchronization interfaces and hierarchical structures including synchronization interfaces and hierarchical structures including
optical technology. optical technology.
4.5 CC - Common Criteria 5.5. CC - Common Criteria
http://csrc.nist.gov/cc/
Note: The URL for the Common Criteria organization was
http://www.commoncriteria.org/ however, they have elected to take
their web site offline for the time being. It is hoped that the
proper URL will be available before this document becomes an RFC.
This note will be removed prior to publication as an RFC. http://www.commoncriteriaportal.org/
In June 1993, the sponsoring organizations of the existing US, In June 1993, the sponsoring organizations of the existing US,
Canadian, and European criterias (TCSEC, ITSEC, and similar) started Canadian, and European criterias (TCSEC, ITSEC, and similar) started
the Common Criteria Project to align their separate criteria into a the Common Criteria Project to align their separate criteria into a
single set of IT security criteria. single set of IT security criteria.
4.6 DMTF - Distributed Management Task Force, Inc. 5.6. DMTF - Distributed Management Task Force, Inc.
http://www.dmtf.org/ http://www.dmtf.org/
Founded in 1992, the DMTF brings the technology industry's customers Founded in 1992, the DMTF brings the technology industry's customers
and top vendors together in a collaborative, working group approach and top vendors together in a collaborative, working group approach
that involves DMTF members in all aspects of specification that involves DMTF members in all aspects of specification
development and refinement. development and refinement.
4.7 ETSI - The European Telecommunications Standard Institute 5.7. ETSI - The European Telecommunications Standard Institute
http://www.etsi.org/ http://www.etsi.org/
ETSI is an independent, non-profit organization which produces ETSI is an independent, non-profit organization which produces
telecommunications standards. ETSI is based in Sophia-Antipolis in telecommunications standards. ETSI is based in Sophia-Antipolis in
the south of France and maintains a membership from 55 countries. the south of France and maintains a membership from 55 countries.
Joint work between ETSI and ITU-T SG-17 Joint work between ETSI and ITU-T SG-17
http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/ http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/
GSC9_Joint_011_Security_Standardization_in_ITU.ppt GSC9_Joint_011_Security_Standardization_in_ITU.ppt
4.8 GGF - Global Grid Forum 5.8. GGF - Global Grid Forum
http://www.gridforum.org/ http://www.gridforum.org/
The Global Grid Forum (GGF) is a community-initiated forum of The Global Grid Forum (GGF) is a community-initiated forum of
thousands of individuals from industry and research leading the thousands of individuals from industry and research leading the
global standardization effort for grid computing. GGF's primary global standardization effort for grid computing. GGF's primary
objectives are to promote and support the development, deployment, objectives are to promote and support the development, deployment,
and implementation of Grid technologies and applications via the and implementation of Grid technologies and applications via the
creation and documentation of "best practices" - technical creation and documentation of "best practices" - technical
specifications, user experiences, and implementation guidelines. specifications, user experiences, and implementation guidelines.
4.9 IEEE - The Institute of Electrical and Electronics Engineers, Inc. 5.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.
http://www.ieee.org/ http://www.ieee.org/
IEEE is a non-profit, technical professional association of more than IEEE is a non-profit, technical professional association of more than
360,000 individual members in approximately 175 countries. The IEEE 360,000 individual members in approximately 175 countries. The IEEE
produces 30 percent of the world's published literature in electrical produces 30 percent of the world's published literature in electrical
engineering, computers and control technology through its technical engineering, computers and control technology through its technical
publishing, conferences and consensus-based standards activities. publishing, conferences and consensus-based standards activities.
4.10 IETF - The Internet Engineering Task Force 5.10. IETF - The Internet Engineering Task Force
http://www.ietf.org/ http://www.ietf.org/
IETF is a large, international community open to any interested IETF is a large, international community open to any interested
individual concerned with the evolution of the Internet architecture individual concerned with the evolution of the Internet architecture
and the smooth operation of the Internet. and the smooth operation of the Internet.
4.11 INCITS - InterNational Committee for Information Technology 5.11. INCITS - InterNational Committee for Information Technology
Standards Standards
http://www.incits.org/ http://www.incits.org/
INCITS focuses upon standardization in the field of Information and INCITS focuses upon standardization in the field of Information and
Communications Technologies (ICT), encompassing storage, processing, Communications Technologies (ICT), encompassing storage, processing,
transfer, display, management, organization, and retrieval of transfer, display, management, organization, and retrieval of
information. information.
4.12 INCITS Technical Committee T11 - Fibre Channel Interfaces 5.12. INCITS Technical Committee T11 - Fibre Channel Interfaces
http://www.t11.org/index.htm http://www.t11.org/index.htm
T11 is responsible for standards development in the areas of T11 is responsible for standards development in the areas of
Intelligent Peripheral Interface (IPI), High-Performance Parallel Intelligent Peripheral Interface (IPI), High-Performance Parallel
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
FC-SP to define Security Protocols for Fibre Channel. FC-SP to define Security Protocols for Fibre Channel.
FC-SP Project Proposal: FC-SP Project Proposal:
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf
4.13 ISO - The International Organization for Standardization 5.13. ISO - The International Organization for Standardization
http://www.iso.org/ http://www.iso.org/
ISO is a network of the national standards institutes of 148 ISO is a network of the national standards institutes of 148
countries, on the basis of one member per country, with a Central countries, on the basis of one member per country, with a Central
Secretariat in Geneva, Switzerland, that coordinates the system. ISO Secretariat in Geneva, Switzerland, that coordinates the system. ISO
officially began operations on February 23, 1947. officially began operations on February 23, 1947.
4.14 ITU - International Telecommunication Union 5.14. ITU - International Telecommunication Union
http://www.itu.int/ http://www.itu.int/
The ITU is an international organization within the United Nations The ITU is an international organization within the United Nations
System headquartered in Geneva, Switzerland. The ITU is comprised of System headquartered in Geneva, Switzerland. The ITU is comprised of
three sectors: three sectors:
4.14.1 ITU Telecommunication Standardization Sector - ITU-T 5.14.1. ITU Telecommunication Standardization Sector - ITU-T
http://www.itu.int/ITU-T/ http://www.itu.int/ITU-T/
ITU-T's mission is to ensure an efficient and on-time production of ITU-T's mission is to ensure an efficient and on-time production of
high quality standards covering all fields of telecommunications. high quality standards covering all fields of telecommunications.
4.14.2 ITU Radiocommunication Sector - ITU-R 5.14.2. ITU Radiocommunication Sector - ITU-R
http://www.itu.int/ITU-R/ http://www.itu.int/ITU-R/
The ITU-R plays a vital role in the management of the radio-frequency The ITU-R plays a vital role in the management of the radio-frequency
spectrum and satellite orbits. spectrum and satellite orbits.
4.14.3 ITU Telecom Development - ITU-D 5.14.3. ITU Telecom Development - ITU-D
(also referred as ITU Telecommunication Development Bureau - BDT) (also referred as ITU Telecommunication Development Bureau - BDT)
http://www.itu.int/ITU-D/ http://www.itu.int/ITU-D/
The Telecommunication Development Bureau (BDT) is the executive arm The Telecommunication Development Bureau (BDT) is the executive arm
of the Telecommunication Development Sector. Its duties and of the Telecommunication Development Sector. Its duties and
responsibilities cover a variety of functions ranging from programme responsibilities cover a variety of functions ranging from programme
supervision and technical advice to the collection, processing and supervision and technical advice to the collection, processing and
publication of information relevant to telecommunication development. publication of information relevant to telecommunication development.
4.15 OASIS - Organization for the Advancement of Structured 5.15. OASIS - Organization for the Advancement of Structured
Information Standards Information Standards
http://www.oasis-open.org/ http://www.oasis-open.org/
OASIS is a not-for-profit, international consortium that drives the OASIS is a not-for-profit, international consortium that drives the
development, convergence, and adoption of e-business standards. development, convergence, and adoption of e-business standards.
4.16 OIF - Optical Internetworking Forum 5.16. OIF - Optical Internetworking Forum
http://www.oiforum.com/ http://www.oiforum.com/
On April 20, 1998 Cisco Systems and Ciena Corporation announced an On April 20, 1998 Cisco Systems and Ciena Corporation announced an
industry-wide initiative to create the Optical Internetworking Forum, industry-wide initiative to create the Optical Internetworking Forum,
an open forum focused on accelerating the deployment of optical an open forum focused on accelerating the deployment of optical
internetworks. internetworks.
4.17 NRIC - The Network Reliability and Interoperability Council 5.17. NRIC - The Network Reliability and Interoperability Council
http://www.nric.org/ http://www.nric.org/
The purposes of the Committee are to give telecommunications industry The purposes of the Committee are to give telecommunications industry
leaders the opportunity to provide recommendations to the FCC and to leaders the opportunity to provide recommendations to the FCC and to
the industry that assure optimal reliability and interoperability of the industry that assure optimal reliability and interoperability of
telecommunications networks. The Committee addresses topics in the telecommunications networks. The Committee addresses topics in the
area of Homeland Security, reliability, interoperability, and area of Homeland Security, reliability, interoperability, and
broadband deployment. broadband deployment.
4.18 National Security Telecommunications Advisory Committee (NSTAC) 5.18. National Security Telecommunications Advisory Committee (NSTAC)
http://www.ncs.gov/nstac/nstac.html http://www.ncs.gov/nstac/nstac.html
President Ronald Reagan created the National Security President Ronald Reagan created the National Security
Telecommunications Advisory Committee (NSTAC) by Executive Order Telecommunications Advisory Committee (NSTAC) by Executive Order
12382 in September 1982. Since then, the NSTAC has served four 12382 in September 1982. Since then, the NSTAC has served four
presidents. Composed of up to 30 industry chief executives presidents. Composed of up to 30 industry chief executives
representing the major communications and network service providers representing the major communications and network service providers
and information technology, finance, and aerospace companies, the and information technology, finance, and aerospace companies, the
NSTAC provides industry-based advice and expertise to the President NSTAC provides industry-based advice and expertise to the President
on issues and problems related to implementing national security and on issues and problems related to implementing national security and
emergency preparedness (NS/EP) communications policy. Since its emergency preparedness (NS/EP) communications policy. Since its
inception, the NSTAC has addressed a wide range of policy and inception, the NSTAC has addressed a wide range of policy and
technical issues regarding communications, information systems, technical issues regarding communications, information systems,
information assurance, critical infrastructure protection, and other information assurance, critical infrastructure protection, and other
NS/EP communications concerns. NS/EP communications concerns.
4.19 TIA - The Telecommunications Industry Association 5.19. TIA - The Telecommunications Industry Association
http://www.tiaonline.org/ http://www.tiaonline.org/
TIA is accredited by ANSI to develop voluntary industry standards for TIA is accredited by ANSI to develop voluntary industry standards for
a wide variety of telecommunications products. TIA's Standards and a wide variety of telecommunications products. TIA's Standards and
Technology Department is composed of five divisions: Fiber Optics, Technology Department is composed of five divisions: Fiber Optics,
User Premises Equipment, Network Equipment, Wireless Communications User Premises Equipment, Network Equipment, Wireless Communications
and Satellite Communications. and Satellite Communications.
4.20 Web Services Interoperability Organization (WS-I) 5.20. Web Services Interoperability Organization (WS-I)
http://www.ws-i.org/ http://www.ws-i.org/
WS-I is an open, industry organization chartered to promote Web WS-I is an open, industry organization chartered to promote Web
services interoperability across platforms, operating systems, and services interoperability across platforms, operating systems, and
programming languages. The organization works across the industry programming languages. The organization works across the industry
and standards organizations to respond to customer needs by providing and standards organizations to respond to customer needs by providing
guidance, best practices, and resources for developing Web services guidance, best practices, and resources for developing Web services
solutions. solutions.
5. Security Best Practices Efforts and Documents 6. Security Best Practices Efforts and Documents
This section lists the works produced by the SDOs. This section lists the works produced by the SDOs.
5.1 3GPP - TSG SA WG3 (Security) 6.1. 3GPP - TSG SA WG3 (Security)
http://www.3gpp.org/TB/SA/SA3/SA3.htm http://www.3gpp.org/TB/SA/SA3/SA3.htm
TSG SA WG3 Security is responsible for the security of the 3GPP TSG SA WG3 Security is responsible for the security of the 3GPP
system, performing analyses of potential security threats to the system, performing analyses of potential security threats to the
system, considering the new threats introduced by the IP based system, considering the new threats introduced by the IP based
services and systems and setting the security requirements for the services and systems and setting the security requirements for the
overall 3GPP system. overall 3GPP system.
Specifications: Specifications:
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm
Work Items: Work Items:
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm
3GPP Confidentiality and Integrity algorithms: 3GPP Confidentiality and Integrity algorithms:
http://www.3gpp.org/TB/Other/algorithms.htm http://www.3gpp.org/TB/Other/algorithms.htm
5.2 3GPP2 - TSG-S Working Group 4 (Security) 6.2. 3GPP2 - TSG-S Working Group 4 (Security)
http://www.3gpp2.org/Public_html/S/index.cfm http://www.3gpp2.org/Public_html/S/index.cfm
The Services and Systems Aspects TSG (TSG-S) is responsible for the The Services and Systems Aspects TSG (TSG-S) is responsible for the
development of service capability requirements for systems based on development of service capability requirements for systems based on
3GPP2 specifications. Among its responsibilities TSG-S is addressing 3GPP2 specifications. Among its responsibilities TSG-S is addressing
management, technical coordination, as well as architectural and management, technical coordination, as well as architectural and
requirements development associated with all end-to-end features, requirements development associated with all end-to-end features,
services and system capabilities including, but not limited to, services and system capabilities including, but not limited to,
security and QoS. security and QoS.
TSG-S Specifications: TSG-S Specifications:
http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs
5.3 American National Standard T1.276-2003 - Baseline Security 6.3. American National Standard T1.276-2003 - Baseline Security
Requirements for the Management Plane Requirements for the Management Plane
Abstract: This standard contains a set of baseline security Abstract: This standard contains a set of baseline security
requirements for the management plane. The President's National requirements for the management plane. The President's National
Security Telecommunications Advisory Committee Network Security Security Telecommunications Advisory Committee Network Security
Information Exchange (NSIE) and Government NSIE jointly established a Information Exchange (NSIE) and Government NSIE jointly established a
Security Requirements Working Group (SRWG) to examine the security Security Requirements Working Group (SRWG) to examine the security
requirements for controlling access to the public switched network, requirements for controlling access to the public switched network,
in particular with respect to the emerging next generation network. in particular with respect to the emerging next generation network.
skipping to change at page 18, line 22 skipping to change at page 19, line 22
infrastructure. This initial list of security requirements was infrastructure. This initial list of security requirements was
submitted as a contribution to Committee T1 - Telecommunications, submitted as a contribution to Committee T1 - Telecommunications,
Working Group T1M1.5 for consideration as a standard. The Working Group T1M1.5 for consideration as a standard. The
requirements outlined in this document will allow vendors, government requirements outlined in this document will allow vendors, government
departments and agencies, and service providers to implement a secure departments and agencies, and service providers to implement a secure
telecommunications network management infrastructure. telecommunications network management infrastructure.
Documents: Documents:
http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003
5.4 DMTF - Security Protection and Management (SPAM) Working Group 6.4. DMTF - Security Protection and Management (SPAM) Working Group
http://www.dmtf.org/about/committees/spamWGCharter.pdf http://www.dmtf.org/about/committees/spamWGCharter.pdf
The Working Group will define a CIM Common Model that addresses The Working Group will define a CIM Common Model that addresses
security protection and detection technologies, which may include security protection and detection technologies, which may include
devices and services, and classifies security information, attacks devices and services, and classifies security information, attacks
and responses. and responses.
5.5 DMTF - User and Security Working Group 6.5. DMTF - User and Security Working Group
http://www.dmtf.org/about/committees/userWGCharter.pdf http://www.dmtf.org/about/committees/userWGCharter.pdf
The User and Security Working Group defines objects and access The User and Security Working Group defines objects and access
methods required for principals - where principals include users, methods required for principals - where principals include users,
groups, software agents, systems, and organizations. groups, software agents, systems, and organizations.
5.6 ATIS Security & Emergency Preparedness Activities 6.6. ATIS Security & Emergency Preparedness Activities
http://www.atis.org/atis/atisinfo/emergency/ http://www.atis.org/atis/atisinfo/emergency/
security_committee_activities_T1.htm security_committee_activities_T1.htm
The link above contains the description of the ATIS Communications The link above contains the description of the ATIS Communications
Security Model, the scopes of the Technical Subcommittees in relation Security Model, the scopes of the Technical Subcommittees in relation
to the security model, and a list of published documents produced by to the security model, and a list of published documents produced by
ATIS addressed to various aspects of network security. ATIS addressed to various aspects of network security.
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End 6.7. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
Standards and Solutions Standards and Solutions
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
The ATIS TOPS Security Focus Group has made recommendations on work The ATIS TOPS Security Focus Group has made recommendations on work
items needed to be performed by other SDOs. items needed to be performed by other SDOs.
5.7.1 ATIS Work on Packet Filtering 6.7.1. ATIS Work on Packet Filtering
A part of the ATIS Work Plan was to define how disruptions may be A part of the ATIS Work Plan was to define how disruptions may be
prevented by filtering unwanted traffic at the edges of the network. prevented by filtering unwanted traffic at the edges of the network.
ATIS is developing this work in a document titled, "Traffic Filtering ATIS is developing this work in a document titled, "Traffic Filtering
for the Prevention of Unwanted Traffic". for the Prevention of Unwanted Traffic".
5.8 ATIS Work on the NGN 6.8. ATIS Work on the NGN
http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/ http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/
Part%20I/ATIS_NGN_Part_1_Issue1.pdf Part%20I/ATIS_NGN_Part_1_Issue1.pdf
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
Definitions, Requirements, and Architecture, Issue 1.0, November Definitions, Requirements, and Architecture, Issue 1.0, November
2004." 2004."
5.9 Common Criteria 6.9. Common Criteria
http://csrc.nist.gov/cc/ http://www.commoncriteriaportal.org/
Version 1.0 of the CC was completed in January 1996. Based on a Version 1.0 of the CC was completed in January 1996. Based on a
number of trial evaluations and an extensive public review, Version number of trial evaluations and an extensive public review, Version
1.0 was extensively revised and CC Version 2.0 was produced in April 1.0 was extensively revised and CC Version 2.0 was produced in April
of 1998. This became ISO International Standard 15408 in 1999. The of 1998. This became ISO International Standard 15408 in 1999. The
CC Project subsequently incorporated the minor changes that had CC Project subsequently incorporated the minor changes that had
resulted in the ISO process, producing CC version 2.1 in August 1999. resulted in the ISO process, producing CC version 2.1 in August 1999.
Version 3.0 was published in June 2005 and is available for comment.
Common Criteria v2.1 contains: The official version of the Common Criteria and of the Common
Evaluation Methodology is v2.3 which was published in August 2005.
Part 1 - Intro & General Model All Common Criteria publications contain:
Part 2 - Functional Requirements (including Annexes) Part 1: Introduction and general model
Part 3 - Assurance Requirements Part 2: Security functional components
Documents: Common Criteria V2.1 Part 3: Security assurance components
http://csrc.nist.gov/cc/CC-v2.1.html
5.10 ETSI Documents: Common Criteria V2.3
http://www.commoncriteriaportal.org/public/expert/index.php?menu=2
6.10. ETSI
http://www.etsi.org/ http://www.etsi.org/
The ETSI hosted the ETSI Global Security Conference in late November, The ETSI hosted the ETSI Global Security Conference in late November,
2003, which could lead to a standard. 2003, which could lead to a standard.
Groups related to security located from the ETSI Groups Portal: Groups related to security located from the ETSI Groups Portal:
OCG Security OCG Security
3GPP SA3 3GPP SA3
TISPAN WG7 TISPAN WG7
5.11 GGF Security Area (SEC) 6.11. GGF Security Area (SEC)
https://forge.gridforum.org/projects/sec/ https://forge.gridforum.org/projects/sec/
The Security Area (SEC) is concerned with various issues relating to The Security Area (SEC) is concerned with various issues relating to
authentication and authorization in Grid environments. authentication and authorization in Grid environments.
Working groups: Working groups:
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
https://forge.gridforum.org/projects/authz-wg https://forge.gridforum.org/projects/authz-wg
Certificate Authority Operations Working Group (CAOPS-WG) - Certificate Authority Operations Working Group (CAOPS-WG) -
https://forge.gridforum.org/projects/caops-wg https://forge.gridforum.org/projects/caops-wg
OGSA Authorization Working Group (OGSA-AUTHZ) - OGSA Authorization Working Group (OGSA-AUTHZ) -
https://forge.gridforum.org/projects/ogsa-authz https://forge.gridforum.org/projects/ogsa-authz
Grid Security Infrastructure (GSI-WG) - Grid Security Infrastructure (GSI-WG) -
https://forge.gridforum.org/projects/gsi-wg https://forge.gridforum.org/projects/gsi-wg
5.12 Information System Security Assurance Architecture 6.12. Information System Security Assurance Architecture
IEEE Working Group - http://issaa.org/ IEEE Working Group - http://issaa.org/
Formerly the Security Certification and Accreditation of Information Formerly the Security Certification and Accreditation of Information
Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
Standard for Information System Security Assurance Architecture for Standard for Information System Security Assurance Architecture for
ballot and during the process begin development of a suite of ballot and during the process begin development of a suite of
associated standards for components of that architecture. associated standards for components of that architecture.
Documents: http://issaa.org/documents/index.html Documents: http://issaa.org/documents/index.html
5.13 Operational Security Requirements for IP Network Infrastructure : 6.13. Operational Security Requirements for IP Network Infrastructure :
Advanced Requirements Advanced Requirements
IETF RFC 3871 IETF RFC 3871
Abstract: This document defines a list of operational security Abstract: This document defines a list of operational security
requirements for the infrastructure of large ISP IP networks (routers requirements for the infrastructure of large ISP IP networks (routers
and switches). A framework is defined for specifying "profiles", and switches). A framework is defined for specifying "profiles",
which are collections of requirements applicable to certain network which are collections of requirements applicable to certain network
topology contexts (all, core-only, edge-only...). The goal is to topology contexts (all, core-only, edge-only...). The goal is to
provide network operators a clear, concise way of communicating their provide network operators a clear, concise way of communicating their
security requirements to vendors. security requirements to vendors.
Documents: Documents:
ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt
5.14 INCITS Technical Committee T4 - Security Techniques 6.14. INCITS Technical Committee T4 - Security Techniques
http://www.incits.org/tc_home/t4.htm http://www.incits.org/tc_home/t4.htm
Technical Committee T4, Security Techniques, participates in the Technical Committee T4, Security Techniques, participates in the
standardization of generic methods for information technology standardization of generic methods for information technology
security. This includes development of: security techniques and security. This includes development of: security techniques and
mechanisms; security guidelines; security evaluation criteria; and mechanisms; security guidelines; security evaluation criteria; and
identification of generic requirements for information technology identification of generic requirements for information technology
system security services. system security services.
5.15 INCITS CS1 - Cyber Security 6.15. INCITS CS1 - Cyber Security
http://www.incits.org/tc_home/cs1.htm http://www.incits.org/tc_home/cs1.htm
INCITS/CS1 was established in April 2005 to serve as the US TAG for INCITS/CS1 was established in April 2005 to serve as the US TAG for
ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
(INCITS/T4 serves as the US TAG to SC 27/WG 2). (INCITS/T4 serves as the US TAG to SC 27/WG 2).
The scope of CS1 explicitly excludes the areas of work on cyber The scope of CS1 explicitly excludes the areas of work on cyber
security standardization presently underway in INCITS B10, M1 and T3; security standardization presently underway in INCITS B10, M1 and T3;
as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
X9. INCITS T4's area of work would be narrowed to cryptography X9. INCITS T4's area of work would be narrowed to cryptography
projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
mechanisms). mechanisms).
5.16 ISO Guidelines for the Management of IT Security - GMITS 6.16. ISO Guidelines for the Management of IT Security - GMITS
Guidelines for the Management of IT Security -- Part 1: Concepts and Guidelines for the Management of IT Security -- Part 1: Concepts and
models for IT Security models for IT Security
http://www.iso.ch/iso/en/ http://www.iso.ch/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35
Guidelines for the Management of IT Security -- Part 2: Managing and Guidelines for the Management of IT Security -- Part 2: Managing and
planning IT Security planning IT Security
http://www.iso.org/iso/en/ http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
ICS3= ICS3=
http://www.iso.org/iso/en/ http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
ICS3= ICS3=
Open Systems Interconnection -- Network layer security protocol Open Systems Interconnection -- Network layer security protocol
http://www.iso.org/iso/en/ http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
ICS3=30 ICS3=30
5.17 ISO JTC 1/SC 27 6.17. ISO JTC 1/SC 27
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143
Several security related ISO projects under JTC 1/SC 27 are listed Several security related ISO projects under JTC 1/SC 27 are listed
here such as: here such as:
IT security techniques -- Entity authentication IT security techniques -- Entity authentication
Security techniques -- Key management Security techniques -- Key management
Security techniques -- Evaluation criteria for IT security Security techniques -- Evaluation criteria for IT security
Security techniques -- A framework for IT security assurance Security techniques -- A framework for IT security assurance
IT Security techniques -- Code of practice for information IT Security techniques -- Code of practice for information
security management security management
Security techniques -- IT network security Security techniques -- IT network security
Guidelines for the implementation, operation and management of Guidelines for the implementation, operation and management of
Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS)
International Security, Trust, and Privacy Alliance -- Privacy International Security, Trust, and Privacy Alliance -- Privacy
Framework Framework
5.18 ITU-T Study Group 2 6.18. ITU-T Study Group 2
http://www.itu.int/ITU-T/studygroups/com02/index.asp http://www.itu.int/ITU-T/studygroups/com02/index.asp
Security related recommendations currently under study: Security related recommendations currently under study:
E.408 Telecommunication networks security requirements Q.5/2 E.408 Telecommunication networks security requirements Q.5/2 (was
(was E.sec1) E.sec1)
E.409 Incident Organisation and Security Incident Handling E.409 Incident Organisation and Security Incident Handling Q.5/2
Q.5/2 (was E.sec2) (was E.sec2)
Note: Access requires TIES account. Note: Access requires TIES account.
5.19 ITU-T Recommendation M.3016 6.19. ITU-T Recommendation M.3016
http://www.itu.int/itudoc/itu-t/com4/contr/068.html http://www.itu.int/itudoc/itu-t/com4/contr/068.html
This recommendation provides an overview and framework that This recommendation provides an overview and framework that
identifies the security requirements of a TMN and outlines how identifies the security requirements of a TMN and outlines how
available security services and mechanisms can be applied within the available security services and mechanisms can be applied within the
context of the TMN functional architecture. context of the TMN functional architecture.
Question 18 of Study Group 3 is revising Recommendation M.3016. They Question 18 of Study Group 3 is revising Recommendation M.3016. They
have taken the original document and are incorporating thoughts from have taken the original document and are incorporating thoughts from
ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
produced a new series of documents. produced a new series of documents.
M.3016.0 - Overview M.3016.0 - Overview
M.3016.1 - Requirements M.3016.1 - Requirements
M.3016.2 - Services M.3016.2 - Services
M.3016.3 - Mechanisms M.3016.3 - Mechanisms
M.3016.4 - Profiles M.3016.4 - Profiles
5.20 ITU-T Recommendation X.805 6.20. ITU-T Recommendation X.805
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html
This Recommendation defines the general security-related This Recommendation defines the general security-related
architectural elements that, when appropriately applied, can provide architectural elements that, when appropriately applied, can provide
end-to-end network security. end-to-end network security.
5.21 ITU-T Study Group 16 6.21. ITU-T Study Group 16
http://www.itu.int/ITU-T/studygroups/com16/index.asp http://www.itu.int/ITU-T/studygroups/com16/index.asp
Security of Multimedia Systems and Services - Question G/16 Security of Multimedia Systems and Services - Question G/16
http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html
5.22 ITU-T Study Group 17 6.22. ITU-T Study Group 17
http://www.itu.int/ITU-T/studygroups/com17/index.asp http://www.itu.int/ITU-T/studygroups/com17/index.asp
ITU-T Study Group 17 is the Lead Study Group on Communication System ITU-T Study Group 17 is the Lead Study Group on Communication System
Security Security
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html
Study Group 17 Security Project: Study Group 17 Security Project:
http://www.itu.int/ITU-T/studygroups/com17/security/index.html http://www.itu.int/ITU-T/studygroups/com17/security/index.html
During its November 2002 meeting, Study Group 17 agreed to establish During its November 2002 meeting, Study Group 17 agreed to establish
a new project entitled "Security Project" under the leadership of a new project entitled "Security Project" under the leadership of
Q.10/17 to coordinate the ITU-T standardization effort on security. Q.10/17 to coordinate the ITU-T standardization effort on security.
An analysis of the status on ITU-T Study Group action on information An analysis of the status on ITU-T Study Group action on information
and communication network security may be found in TSB Circular 147 and communication network security may be found in TSB Circular 147
of 14 February 2003. of 14 February 2003.
5.23 Catalogue of ITU-T Recommendations related to Communications 6.23. Catalogue of ITU-T Recommendations related to Communications
System Security System Security
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html
The Catalogue of approved security Recommendations includes those The Catalogue of approved security Recommendations includes those
designed for security purposes and those which describe or use designed for security purposes and those which describe or use
functions of security interest and need. Although some of the functions of security interest and need. Although some of the
security related Recommendations include the phrase "Open Systems security related Recommendations include the phrase "Open Systems
Interconnection", much of the information contained in them is Interconnection", much of the information contained in them is
pertinent to the establishment of security functionality in any pertinent to the establishment of security functionality in any
communicating system. communicating system.
5.24 ITU-T Security Manual 6.24. ITU-T Security Manual
http://www.itu.int/ITU-T/edh/files/security-manual.pdf http://www.itu.int/ITU-T/edh/files/security-manual.pdf
TSB is preparing an "ITU-T Security Manual" to provide an overview on TSB is preparing an "ITU-T Security Manual" to provide an overview on
security in telecommunications and information technologies, describe security in telecommunications and information technologies, describe
practical issues, and indicate how the different aspects of security practical issues, and indicate how the different aspects of security
in today's applications are addressed by ITU-T Recommendations. This in today's applications are addressed by ITU-T Recommendations. This
manual has a tutorial character: it collects security related manual has a tutorial character: it collects security related
material from ITU-T Recommendations into one place and explains the material from ITU-T Recommendations into one place and explains the
respective relationships. The intended audience for this manual is respective relationships. The intended audience for this manual is
engineers and product managers, students and academia, as well as engineers and product managers, students and academia, as well as
regulators who want to better understand security aspects in regulators who want to better understand security aspects in
practical applications. practical applications.
5.25 ITU-T NGN Effort 6.25. ITU-T NGN Effort
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html
During its January 2002 meeting, SG13 decided to undertake the During its January 2002 meeting, SG13 decided to undertake the
preparation of a new ITU-T Project entitled "NGN 2004 Project". At preparation of a new ITU-T Project entitled "NGN 2004 Project". At
the November 2002 SG13 meeting, a preliminary description of the the November 2002 SG13 meeting, a preliminary description of the
Project was achieved and endorsed by SG13 with the goal to launch the Project was achieved and endorsed by SG13 with the goal to launch the
Project. It has been regularly updated since then. Project. It has been regularly updated since then.
The role of the NGN 2004 Project is to organize and to coordinate The role of the NGN 2004 Project is to organize and to coordinate
ITU-T activities on Next Generation Networks. Its target is to ITU-T activities on Next Generation Networks. Its target is to
produce a first set of Recommendations on NGN by the end of this produce a first set of Recommendations on NGN by the end of this
study period, i.e. mid-2004. study period, i.e. mid-2004.
5.26 NRIC VI Focus Groups 6.26. NRIC VI Focus Groups
http://www.nric.org/fg/index.html http://www.nric.org/fg/index.html
The Network Reliability and Interoperability Council (NRIC) was The Network Reliability and Interoperability Council (NRIC) was
formed with the purpose to provide recommendations to the FCC and to formed with the purpose to provide recommendations to the FCC and to
the industry to assure the reliability and interoperability of the industry to assure the reliability and interoperability of
wireless, wireline, satellite, and cable public telecommunications wireless, wireline, satellite, and cable public telecommunications
networks. These documents provide general information and guidance networks. These documents provide general information and guidance
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a prevention of cyberattack and for restoration following a
Documents: Documents:
Homeland Defense - Recommendations Published 14-Mar-03 Homeland Defense - Recommendations Published 14-Mar-03
Preventative Best Practices - Recommendations Published 14-Mar-03 Preventative Best Practices - Recommendations Published 14-Mar-03
Recovery Best Practices - Recommendations Published 14-Mar-03 Recovery Best Practices - Recommendations Published 14-Mar-03
Best Practice Appendices - Recommendations Published 14-Mar-03 Best Practice Appendices - Recommendations Published 14-Mar-03
5.27 OASIS Security Joint Committee 6.27. OASIS Security Joint Committee
http://www.oasis-open.org/committees/ http://www.oasis-open.org/committees/
tc_home.php?wg_abbrev=security-jc tc_home.php?wg_abbrev=security-jc
The purpose of the Security JC is to coordinate the technical The purpose of the Security JC is to coordinate the technical
activities of multiple security related TCs. The SJC is advisory activities of multiple security related TCs. The SJC is advisory
only, and has no deliverables. The Security JC will promote the use only, and has no deliverables. The Security JC will promote the use
of consistent terms, promote re-use, champion an OASIS security of consistent terms, promote re-use, champion an OASIS security
standards model, provide consistent PR, and promote mutuality, standards model, provide consistent PR, and promote mutuality,
operational independence and ethics. operational independence and ethics.
5.28 OASIS Security Services TC 6.28. OASIS Security Services TC
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
The Security Services TC is working to advance the Security Assertion The Security Services TC is working to advance the Security Assertion
Markup Language (SAML) as an OASIS standard. SAML is an XML Markup Language (SAML) as an OASIS standard. SAML is an XML
framework for exchanging authentication and authorization framework for exchanging authentication and authorization
information. information.
5.29 OIF Implementation Agreements 6.29. OIF Implementation Agreements
The OIF has 2 approved Implementation Agreements (IAs) relating to The OIF has 2 approved Implementation Agreements (IAs) relating to
security. They are: security. They are:
OIF-SMI-01.0 - Security Management Interfaces to Network Elements OIF-SMI-01.0 - Security Management Interfaces to Network Elements
This Implementation Agreement lists objectives for securing OAM&P This Implementation Agreement lists objectives for securing OAM&P
interfaces to a Network Element and then specifies ways of using interfaces to a Network Element and then specifies ways of using
security systems (e.g., IPsec or TLS) for securing these interfaces. security systems (e.g., IPsec or TLS) for securing these interfaces.
It summarizes how well each of the systems, used as specified, It summarizes how well each of the systems, used as specified,
satisfies the objectives. satisfies the objectives.
OIF - SEP - 01.1 - Security Extension for UNI and NNI OIF - SEP - 01.1 - Security Extension for UNI and NNI
This Implementation Agreement defines a common Security Extension for This Implementation Agreement defines a common Security Extension for
securing the protocols used in UNI 1.0, UNI 2.0, and NNI. securing the protocols used in UNI 1.0, UNI 2.0, and NNI.
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf Documents: http://www.oiforum.com/public/documents/Security-IA.pdf
5.30 TIA 6.30. TIA
The TIA has produced the "Compendium of Emergency Communications and The TIA has produced the "Compendium of Emergency Communications and
Communications Network Security-related Work Activities". This Communications Network Security-related Work Activities". This
document identifies standards, or other technical documents and document identifies standards, or other technical documents and
ongoing Emergency/Public Safety Communications and Communications ongoing Emergency/Public Safety Communications and Communications
Network Security-related work activities within TIA and its Network Security-related work activities within TIA and its
Engineering Committees. Many P25 documents are specifically Engineering Committees. Many P25 documents are specifically
detailed. This "living document" is presented for information, detailed. This "living document" is presented for information,
coordination and reference. coordination and reference.
Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf
5.31 WS-I Basic Security Profile 6.31. WS-I Basic Security Profile
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
The WS-I Basic Security Profile 1.0 consists of a set of non- The WS-I Basic Security Profile 1.0 consists of a set of non-
proprietary Web services specifications, along with clarifications proprietary Web services specifications, along with clarifications
and amendments to those specifications which promote and amendments to those specifications which promote
interoperability. interoperability.
6. Security Considerations 7. Security Considerations
This document describes efforts to standardize security practices and This document describes efforts to standardize security practices and
documents. As such this document offers no security guidance documents. As such this document offers no security guidance
whatsoever. whatsoever.
Readers of this document should be aware of the date of publication Readers of this document should be aware of the date of publication
of this document. It is feared that they may assume that the of this document. It is feared that they may assume that the
efforts, on-line material, and documents are current whereas they may efforts, on-line material, and documents are current whereas they may
not be. Please consider this when reading this document. not be. Please consider this when reading this document.
7. IANA Considerations 8. IANA Considerations
This Internet Draft does not propose a standard but is trying to pull This document does not propose a standard and does not require the
together information about the security related efforts of all IANA to do anything.
Standards Developing Organizations and some other efforts which
provide good security methods, practices or recommendations.
8. Acknowledgments 9. Acknowledgments
The following people have contributed to this document. Listing The following people have contributed to this document. Listing
their names here does not mean that they endorse the document, but their names here does not mean that they endorse the document, but
that they have contributed to its substance. that they have contributed to its substance.
David Black, Mark Ellison, George Jones, Keith McCloghrie, John David Black, Mark Ellison, George Jones, Keith McCloghrie, John
McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer. McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
Moon.
9. Changes from Prior Drafts 10. Changes from Prior Drafts
-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt
-01 : Security Glossaries: -01 : Security Glossaries:
Added ATIS Telecom Glossary 2000, Critical Infrastructure Added ATIS Telecom Glossary 2000, Critical Infrastructure
Glossary of Terms and Acronyms, Microsoft Solutions for Glossary of Terms and Acronyms, Microsoft Solutions for
Security Glossary, and USC InfoSec Glossary. Security Glossary, and USC InfoSec Glossary.
Standards Developing Organizations: Standards Developing Organizations:
Added more information about the ITU-T SG3 Q18 effort to modify Added more information about the ITU-T SG3 Q18 effort to modify
ITU-T Recommendation M.3016. ITU-T Recommendation M.3016.
-01 : First revision as the WG ID. -01 : First revision as the WG ID.
Added information about the NGN in the sections about ATIS, the Added information about the NGN in the sections about ATIS, the
NSTAC, and ITU-T. NSTAC, and ITU-T.
-02 : Second revision as the WG ID. -02 : Second revision as the WG ID.
Updated the date. Corrected some URLs and the reference to Updated the date.
George's RFC.
Note: This section will be removed before publication as an RFC. Corrected some URLs and the reference to George's RFC.
10. References -03 : Third revision of the WG ID.
10.1 Normative References Updated the date.
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Updated the information about the CC
Levels", RFC 2119, STD 14, March 1997.
10.2 Informative References Added a Conventions section (not sure how this document got to
where it is without that)
[2] Narten, T. and H. Alvestrand, "Guidelines for writing an IANA Note: This section will be removed before publication as an RFC.
Considerations Section in RFCs", RFC 2869, BCP 26, October 1998.
11. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, STD 14, March 1997.
Authors' Addresses Authors' Addresses
Chris Lonvick Chris Lonvick
Cisco Systems Cisco Systems
12515 Research Blvd. 12515 Research Blvd.
Austin, Texas 78759 Austin, Texas 78759
US US
Phone: +1 512 378 1182 Phone: +1 512 378 1182