--- draft-ietf-opsec-efforts-03.txt
+++ draft-ietf-opsec-efforts-04.txt
Network Working Group C. Lonvick
Internet-Draft D. Spak
-Expires: October 21, 2006 Cisco Systems
-April 19, 2006
+Expires: December 16, 2006 Cisco Systems
+June 14, 2006
Security Best Practices Efforts and Documents
-draft-ietf-opsec-efforts-03.txt
+draft-ietf-opsec-efforts-04.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
-This Internet-Draft will expire on October 21, 2006.
+This Internet-Draft will expire on December 16, 2006.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing
Organizations (SDO).
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Conventions Used in This Document . . . . . . . . . . . . . . 7
3. Format of this Document . . . . . . . . . . . . . . . . . . . 8
4. Online Security Glossaries . . . . . . . . . . . . . . . . . . 9
4.1. ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 9
-4.2. Critical Infrastructure Glossary of Terms and Acronyms . . 9
-4.3. Internet Security Glossary - RFC 2828 . . . . . . . . . . 9
-4.4. Compendium of Approved ITU-T Security Definitions . . . . 10
-4.5. Microsoft Solutions for Security Glossary . . . . . . . . 10
-4.6. SANS Glossary of Security Terms . . . . . . . . . . . . . 10
-4.7. USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 10
+4.2. Internet Security Glossary - RFC 2828 . . . . . . . . . . 9
+4.3. Compendium of Approved ITU-T Security Definitions . . . . 9
+4.4. Microsoft Solutions for Security Glossary . . . . . . . . 10
+4.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 10
+4.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 10
5. Standards Developing Organizations . . . . . . . . . . . . . . 11
5.1. 3GPP - Third Generation Partnership Project . . . . . . . 11
5.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11
5.3. ANSI - The American National Standards Institute . . . . . 11
+5.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11
5.4. ATIS - Alliance for Telecommunications Industry
-Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11
+Solutions . . . . . . . . . . . . . . . . . . . . . . . . 12
-5.4.1. ATIS Network Performance, Reliability and Quality
-of Service Committee, formerly T1A1 . . . . . . . . . 12
-5.4.2. ATIS Network Interface, Power, and Protection
-Committee, formerly T1E1 . . . . . . . . . . . . . . . 12
-5.4.3. ATIS Telecom Management and Operations Committee,
-formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 12
-5.4.4. ATIS Ordering and Billing Forum regarding T1M1 O&B . . 12
-5.4.5. ATIS Wireless Technologies and Systems Committee,
-formerly T1P1 . . . . . . . . . . . . . . . . . . . . 13
-5.4.6. ATIS Packet Technologies and Systems Committee,
-formerly T1S1 . . . . . . . . . . . . . . . . . . . . 13
-5.4.7. ATIS Protocol Interworking Committee, regarding
-T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 13
-5.4.8. ATIS Optical Transport and Synchronization
-Committee, formerly T1X1 . . . . . . . . . . . . . . . 13
-5.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13
+5.4.1. ATIS NIPP - Network Interface, Power, and
+Protection Committee, formerly T1E1 . . . . . . . . . 12
+5.4.2. ATIS NPRQ - Network Performance, Reliability, and
+Quality of Service Committee, formerly T1A1 . . . . . 12
+5.4.3. ATIS OBF - Ordering and Billing Forum, formerly
+regarding T1M1 O&B . . . . . . . . . . . . . . . . . . 12
+5.4.4. ATIS OPTXS - Optical Transport and Synchronization
+Committee, formerly T1X1 . . . . . . . . . . . . . . . 13
+5.4.5. ATIS TMOC - Telecom Management and Operations
+Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13
+5.4.6. ATIS WTSC - Wireless Technologies and Systems
+Committee, formerly T1P1 . . . . . . . . . . . . . . . 13
+5.4.7. ATIS PTSC - Packet Technologies and Systems
+Committee, formerly T1S1 . . . . . . . . . . . . . . . 13
+5.4.8. ATIS Protocol Interworking Committee, regarding
+T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 14
+5.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 14
5.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14
5.7. ETSI - The European Telecommunications Standard
Institute . . . . . . . . . . . . . . . . . . . . . . . . 14
5.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 14
5.9. IEEE - The Institute of Electrical and Electronics
-Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 14
-5.10. IETF - The Internet Engineering Task Force . . . . . . . . 14
+Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15
+5.10. IETF - The Internet Engineering Task Force . . . . . . . . 15
5.11. INCITS - InterNational Committee for Information
Technology Standards . . . . . . . . . . . . . . . . . . . 15
-5.12. INCITS Technical Committee T11 - Fibre Channel
-Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 15
-5.13. ISO - The International Organization for
-Standardization . . . . . . . . . . . . . . . . . . . . . 15
-5.14. ITU - International Telecommunication Union . . . . . . . 15
-5.14.1. ITU Telecommunication Standardization Sector -
-ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 15
-5.14.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 16
-5.14.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 16
-5.15. OASIS - Organization for the Advancement of
-Structured Information Standards . . . . . . . . . . . . . 16
-5.16. OIF - Optical Internetworking Forum . . . . . . . . . . . 16
-5.17. NRIC - The Network Reliability and Interoperability
-Council . . . . . . . . . . . . . . . . . . . . . . . . . 16
-5.18. National Security Telecommunications Advisory
-Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 17
-5.19. TIA - The Telecommunications Industry Association . . . . 17
-5.20. Web Services Interoperability Organization (WS-I) . . . . 17
-6. Security Best Practices Efforts and Documents . . . . . . . . 18
-6.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 18
-6.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 18
-6.3. American National Standard T1.276-2003 - Baseline
-Security Requirements for the Management Plane . . . . . . 18
-6.4. DMTF - Security Protection and Management (SPAM)
-Working Group . . . . . . . . . . . . . . . . . . . . . . 19
-6.5. DMTF - User and Security Working Group . . . . . . . . . . 19
-6.6. ATIS Security & Emergency Preparedness Activities . . . . 19
-6.7. ATIS Work-Plan to Achieve Interoperable,
-Implementable, End-To-End Standards and Solutions . . . . 19
-6.7.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 20
-6.8. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 20
-6.9. Common Criteria . . . . . . . . . . . . . . . . . . . . . 20
-6.10. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
-6.11. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 21
-6.12. Information System Security Assurance Architecture . . . . 21
-6.13. Operational Security Requirements for IP Network
-Infrastructure : Advanced Requirements . . . . . . . . . . 22
-6.14. INCITS Technical Committee T4 - Security Techniques . . . 22
-6.15. INCITS CS1 - Cyber Security . . . . . . . . . . . . . . . 22
-6.16. ISO Guidelines for the Management of IT Security -
-GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 22
-6.17. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 23
-6.18. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 24
-6.19. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 24
-6.20. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 25
-6.21. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25
-6.22. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 25
-6.23. Catalogue of ITU-T Recommendations related to
-Communications System Security . . . . . . . . . . . . . . 25
-6.24. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 26
-6.25. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 26
-6.26. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 26
-6.27. OASIS Security Joint Committee . . . . . . . . . . . . . . 27
-6.28. OASIS Security Services TC . . . . . . . . . . . . . . . . 27
-6.29. OIF Implementation Agreements . . . . . . . . . . . . . . 27
-6.30. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
-6.31. WS-I Basic Security Profile . . . . . . . . . . . . . . . 28
-7. Security Considerations . . . . . . . . . . . . . . . . . . . 29
-8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30
-9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
-10. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 32
-11. Normative References . . . . . . . . . . . . . . . . . . . . . 33
-Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
-Intellectual Property and Copyright Statements . . . . . . . . . . 35
+5.11.1. INCITS Technical Committee T11 - Fibre Channel
+Interfaces . . . . . . . . . . . . . . . . . . . . . . 15
+5.12. ISO - The International Organization for
+Standardization . . . . . . . . . . . . . . . . . . . . . 15
+5.13. ITU - International Telecommunication Union . . . . . . . 16
+5.13.1. ITU Telecommunication Standardization Sector -
+ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 16
+5.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 16
+5.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 16
+5.14. OASIS - Organization for the Advancement of
+Structured Information Standards . . . . . . . . . . . . . 16
+5.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 16
+5.16. NRIC - The Network Reliability and Interoperability
+Council . . . . . . . . . . . . . . . . . . . . . . . . . 17
+5.17. National Security Telecommunications Advisory
+Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 17
+5.18. TIA - The Telecommunications Industry Association . . . . 17
+5.19. TTA - Telecommunications Technology Association . . . . . 17
+5.20. Web Services Interoperability Organization (WS-I) . . . . 18
+6. Security Best Practices Efforts and Documents . . . . . . . . 19
+6.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 19
+6.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 19
+6.3. American National Standard T1.276-2003 - Baseline
+Security Requirements for the Management Plane . . . . . . 19
+6.4. DMTF - Security Protection and Management (SPAM)
+Working Group . . . . . . . . . . . . . . . . . . . . . . 20
+6.5. DMTF - User and Security Working Group . . . . . . . . . . 20
+6.6. ATIS Work-Plan to Achieve Interoperable,
+Implementable, End-To-End Standards and Solutions . . . . 20
+6.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 20
+6.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 21
+6.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 21
+6.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+6.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 22
+6.11. Information System Security Assurance Architecture . . . . 22
+6.12. Operational Security Requirements for IP Network
+Infrastructure : Advanced Requirements . . . . . . . . . . 22
+6.13. INCITS CS1 - Cyber Security . . . . . . . . . . . . . . . 23
+6.14. ISO Guidelines for the Management of IT Security -
+GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 23
+6.15. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 24
+6.16. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 24
+6.17. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 25
+6.18. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 25
+6.19. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25
+6.20. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 26
+6.21. Catalogue of ITU-T Recommendations related to
+Communications System Security . . . . . . . . . . . . . . 26
+6.22. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 26
+6.23. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 27
+6.24. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 27
+6.25. OASIS Security Joint Committee . . . . . . . . . . . . . . 27
+6.26. OASIS Security Services (SAML) TC . . . . . . . . . . . . 28
+6.27. OIF Implementation Agreements . . . . . . . . . . . . . . 28
+6.28. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
+6.29. WS-I Basic Security Profile . . . . . . . . . . . . . . . 28
+7. Security Considerations . . . . . . . . . . . . . . . . . . . 30
+8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
+9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32
+10. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 33
+11. Normative References . . . . . . . . . . . . . . . . . . . . . 34
+Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
+Intellectual Property and Copyright Statements . . . . . . . . . . 36
1. Introduction
The Internet is being recognized as a critical infrastructure similar
in nature to the power grid and a potable water supply. Just like
those infrastructures, means are needed to provide resiliency and
adaptability to the Internet so that it remains consistently
available to the public throughout the world even during times of
duress or attack. For this reason, many SDOs are developing
standards with hopes of retaining an acceptable level, or even
skipping to change at page 9, line 18
computer security terms
4.1. ATIS Telecom Glossary 2000
http://www.atis.org/tg2k/
Under an approved T1 standards project (T1A1-20), an existing 5800-
entry, search-enabled hypertext telecommunications glossary titled
Federal Standard 1037C, Glossary of Telecommunication Terms was
updated and matured into this glossary, T1.523-2001, Telecom Glossary
-2000. This updated glossary was posted on the Web as a American
+2000. This updated glossary was posted on the Web as an American
National Standard (ANS).
-4.2. Critical Infrastructure Glossary of Terms and Acronyms
-http://www.ciao.gov/ciao_document_library/glossary/a.htm
-The Critical Infrastructure Assurance Office (CIAO) was created to
-coordinate the Federal Government's initiatives on critical
-infrastructure assurance. While the glossary was not created as a
-glossary specifically for security terms, it is populated with many
-security related definitions, abbreviations, organizations, and
-concepts.
-4.3. Internet Security Glossary - RFC 2828
+4.2. Internet Security Glossary - RFC 2828
http://www.ietf.org/rfc/rfc2828.txt
Created in May 2000, the document defines itself to be, "an
internally consistent, complementary set of abbreviations,
definitions, explanations, and recommendations for use of terminology
related to information system security." The glossary makes the
distinction of the listed definitions throughout the document as
being:
skipping to change at page 10, line 4 (draft-03) / page 9, line 41 (draft-04)
o a recommended Internet definition
o a recommended non-Internet definition
o not recommended as the first choice for Internet documents but
something that an author of an Internet document would need to
know
o a definition that shouldn't be used in Internet documents
o additional commentary or usage guidance
-4.4. Compendium of Approved ITU-T Security Definitions
+4.3. Compendium of Approved ITU-T Security Definitions
http://www.itu.int/itudoc/itu-t/com17/activity/def004.html
Addendum to the Compendium of the Approved ITU-T Security-related
Definitions
http://www.itu.int/itudoc/itu-t/com17/activity/add002.html
These extensive materials were created from approved ITU-T
Recommendations with a view toward establishing a common
understanding and use of security terms within ITU-T.
-4.5. Microsoft Solutions for Security Glossary
-http://www.microsoft.com/security/glossary/
+4.4. Microsoft Solutions for Security Glossary
+http://www.microsoft.com/security/glossary.mspx
The Microsoft Solutions for Security Glossary was created to explain
the concepts, technologies, and products associated with computer
security. This glossary contains several definitions specific to
Microsoft proprietary technologies and product solutions.
-4.6. SANS Glossary of Security Terms
+4.5. SANS Glossary of Security Terms
http://www.sans.org/resources/glossary.php
The SANS Institute (SysAdmin, Audit, Network, Security) was created
in 1989 as, "a cooperative research and education organization."
Updated in May 2003, SANS cites the NSA for their help in creating
the online glossary of security terms. The SANS Institute is also
home to many other resources including the SANS Intrusion Detection
FAQ and the SANS/FBI Top 20 Vulnerabilities List.
-4.7. USC InfoSec Glossary
-http://www.usc.edu/org/infosec/resources/glossary_a.html
-A glossary of Information Systems security terms compiled by the
-University of Southern California Office of Information Security.
+4.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler
+http://www.garlic.com/~lynn/secure.htm
+Anne and Lynn Wheeler maintain a security taxonomy and glossary with
+terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
+FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/
+SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53,
+800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA
+Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
+RFC2647, RFC2828, TCSEC, TDI, and TNI.
5. Standards Developing Organizations
This section of this document lists the SDOs, or organizations that
appear to be developing security related standards. These SDOs are
listed in alphabetical order.
Note: The authors would appreciate corrections and additions. This
note will be removed before publication as an RFC.
skipping to change at page 11, line 43 skipping to change at page 11, line 43
Partners for market advice. Partners for market advice.
5.3. ANSI - The American National Standards Institute 5.3. ANSI - The American National Standards Institute
http://www.ansi.org/ http://www.ansi.org/
ANSI is a private, non-profit organization that organizes and ANSI is a private, non-profit organization that organizes and
oversees the U.S. voluntary standardization and conformity assessment oversees the U.S. voluntary standardization and conformity assessment
system. ANSI was founded October 19, 1918. system. ANSI was founded October 19, 1918.
5.3.1. Accredited Standards Committee X9 (ASC X9)
http://www.x9.org/
The Accredited Standards Committee X9 (ASC X9) has the mission to
develop, establish, maintain, and promote standards for the Financial
Services Industry in order to facilitate delivery of financial
services and products.
5.4. ATIS - Alliance for Telecommunications Industry Solutions 5.4. ATIS - Alliance for Telecommunications Industry Solutions
http://www.atis.org/ http://www.atis.org/
ATIS is a United States based body that is committed to rapidly ATIS is a United States based body that is committed to rapidly
developing and promoting technical and operations standards for the developing and promoting technical and operations standards for the
communications and related information technologies industry communications and related information technologies industry
worldwide using pragmatic, flexible and open approach. Committee T1 worldwide using pragmatic, flexible and open approach. Committee T1
as a group no longer exists as a result of the recent ATIS as a group no longer exists as a result of the recent ATIS
reorganization on January 1, 2004. ATIS has restructured the former reorganization on January 1, 2004. ATIS has restructured the former
T1 technical subcommittees into full ATIS standards committees to T1 technical subcommittees into full ATIS standards committees to
easily identify and promote the nature of standards work each easily identify and promote the nature of standards work each
committee performs. Due to the reorganization, some groups may have committee performs. Due to the reorganization, some groups may have
a new mission and scope statement. a new mission and scope statement.
5.4.1. ATIS Network Performance, Reliability and Quality of Service 5.4.1. ATIS NIPP - Network Interface, Power, and Protection Committee,
Committee, formerly T1A1
http://www.atis.org/0010/index.asp
ATIS Network Performance, Reliability and Quality of Service
Committee develops and recommends standards, requirements, and
technical reports related to the performance, reliability, and
associated security aspects of communications networks, as well as
the processing of voice, audio, data, image, and video signals, and
their multimedia integration.
5.4.2. ATIS Network Interface, Power, and Protection Committee,
formerly T1E1 formerly T1E1
http://www.atis.org/0050/index.asp http://www.atis.org/0050/index.asp
ATIS Network Interface, Power, and Protection Committee develops and ATIS Network Interface, Power, and Protection Committee develops and
recommends standards and technical reports related to power systems, recommends standards and technical reports related to power systems,
electrical and physical protection for the exchange and interexchange electrical and physical protection for the exchange and interexchange
carrier networks, and interfaces associated with user access to carrier networks, and interfaces associated with user access to
telecommunications networks. telecommunications networks.
5.4.3. ATIS Telecom Management and Operations Committee, formerly T1M1 5.4.2. ATIS NPRQ - Network Performance, Reliability, and Quality of
OAM&P Service Committee, formerly T1A1
http://www.atis.org/0130/index.asp http://www.atis.org/0010/index.asp
ATIS Telecom Management and Operations Committee develops ATIS Network Performance, Reliability and Quality of Service
internetwork operations, administration, maintenance and provisioning Committee develops and recommends standards, requirements, and
standards, and technical reports related to interfaces for technical reports related to the performance, reliability, and
telecommunications networks. associated security aspects of communications networks, as well as
the processing of voice, audio, data, image, and video signals, and
their multimedia integration.
5.4.4. ATIS Ordering and Billing Forum regarding T1M1 O&B 5.4.3. ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1
O&B
http://www.atis.org/obf/index.asp http://www.atis.org/obf/index.asp
The T1M1 O&B subcommittee has become part of the ATIS Ordering and The T1M1 O&B subcommittee has become part of the ATIS Ordering and
Billing Forum. Billing Forum.
The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
for customers and providers in the telecommunications industry to for customers and providers in the telecommunications industry to
identify, discuss and resolve national issues which affect ordering, identify, discuss and resolve national issues which affect ordering,
billing, provisioning and exchange of information about access billing, provisioning and exchange of information about access
services, other connectivity and related matters. services, other connectivity and related matters.
5.4.5. ATIS Wireless Technologies and Systems Committee, formerly T1P1 5.4.4. ATIS OPTXS - Optical Transport and Synchronization Committee,
formerly T1X1
http://www.atis.org/0240/index.asp
ATIS Optical Transport and Synchronization Committee develops and
recommends standards and prepares technical reports related to
telecommunications network technology pertaining to network
synchronization interfaces and hierarchical structures including
optical technology.
5.4.5. ATIS TMOC - Telecom Management and Operations Committee,
formerly T1M1 OAM&P
http://www.atis.org/0130/index.asp
ATIS Telecom Management and Operations Committee develops
internetwork operations, administration, maintenance and provisioning
standards, and technical reports related to interfaces for
telecommunications networks.
5.4.6. ATIS WTSC - Wireless Technologies and Systems Committee,
formerly T1P1
http://www.atis.org/0160/index.asp http://www.atis.org/0160/index.asp
ATIS Wireless Technologies and Systems Committee develops and ATIS Wireless Technologies and Systems Committee develops and
recommends standards and technical reports related to wireless and/or recommends standards and technical reports related to wireless and/or
mobile services and systems, including service descriptions and mobile services and systems, including service descriptions and
wireless technologies. wireless technologies.
5.4.6. ATIS Packet Technologies and Systems Committee, formerly T1S1 5.4.7. ATIS PTSC - Packet Technologies and Systems Committee, formerly
T1S1
http://www.atis.org/0191/index.asp
T1S1 was split into two separate ATIS committees: the ATIS Packet T1S1 was split into two separate ATIS committees: the ATIS Packet
Technologies and Systems Committee and the ATIS Protocol Interworking Technologies and Systems Committee and the ATIS Protocol Interworking
Committee. PTSC is responsible for producing standards to secure Committee. PTSC is responsible for producing standards to secure
signalling. signalling.
The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
at this time. It is expected to move to an ANSI standard. at this time. It is expected to move to an ANSI standard.
5.4.7. ATIS Protocol Interworking Committee, regarding T1S1 5.4.8. ATIS Protocol Interworking Committee, regarding T1S1
T1S1 was split into two separate ATIS committees: the ATIS Packet T1S1 was split into two separate ATIS committees: the ATIS Packet
Technologies and Systems Committee and the ATIS Protocol Interworking Technologies and Systems Committee and the ATIS Protocol Interworking
Committee. As a result of the reorganization of T1S1, these groups Committee. As a result of the reorganization of T1S1, these groups
will also probably have a new mission and scope. will also probably have a new mission and scope.
5.4.8. ATIS Optical Transport and Synchronization Committee, formerly
T1X1
http://www.atis.org/0240/index.asp
ATIS Optical Transport and Synchronization Committee develops and
recommends standards and prepares technical reports related to
telecommunications network technology pertaining to network
synchronization interfaces and hierarchical structures including
optical technology.
5.5. CC - Common Criteria 5.5. CC - Common Criteria
http://www.commoncriteriaportal.org/ http://www.commoncriteriaportal.org/
In June 1993, the sponsoring organizations of the existing US, In June 1993, the sponsoring organizations of the existing US,
Canadian, and European criteria (TCSEC, ITSEC, and similar) started Canadian, and European criteria (TCSEC, ITSEC, and similar) started
the Common Criteria Project to align their separate criteria into a the Common Criteria Project to align their separate criteria into a
single set of IT security criteria. single set of IT security criteria.
5.6. DMTF - Distributed Management Task Force, Inc. 5.6. DMTF - Distributed Management Task Force, Inc.
skipping to change at page 14, line 24 skipping to change at page 14, line 40
5.7. ETSI - The European Telecommunications Standard Institute 5.7. ETSI - The European Telecommunications Standard Institute
http://www.etsi.org/ http://www.etsi.org/
ETSI is an independent, non-profit organization which produces ETSI is an independent, non-profit organization which produces
telecommunications standards. ETSI is based in Sophia-Antipolis in telecommunications standards. ETSI is based in Sophia-Antipolis in
the south of France and maintains a membership from 55 countries. the south of France and maintains a membership from 55 countries.
Joint work between ETSI and ITU-T SG-17 Joint work between ETSI and ITU-T SG-17
http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/ http://www.tta.or.kr/gsc/upload/
GSC9_Joint_011_Security_Standardization_in_ITU.ppt GSC9_Joint_011_Security_Standardization_in_ITU.ppt
5.8. GGF - Global Grid Forum 5.8. GGF - Global Grid Forum
http://www.gridforum.org/ http://www.gridforum.org/
The Global Grid Forum (GGF) is a community-initiated forum of The Global Grid Forum (GGF) is a community-initiated forum of
thousands of individuals from industry and research leading the thousands of individuals from industry and research leading the
global standardization effort for grid computing. GGF's primary global standardization effort for grid computing. GGF's primary
objectives are to promote and support the development, deployment, objectives are to promote and support the development, deployment,
and implementation of Grid technologies and applications via the and implementation of grid technologies and applications via the
creation and documentation of "best practices" - technical creation and documentation of "best practices" - technical
specifications, user experiences, and implementation guidelines. specifications, user experiences, and implementation guidelines.
5.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc. 5.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.
http://www.ieee.org/ http://www.ieee.org/
IEEE is a non-profit, technical professional association of more than IEEE is a non-profit, professional association of more than 360,000
360,000 individual members in approximately 175 countries. The IEEE individual members in approximately 175 countries. The IEEE produces
produces 30 percent of the world's published literature in electrical 30 percent of the world's published literature in electrical
engineering, computers and control technology through its technical engineering, computers, and control technology through its technical
publishing, conferences and consensus-based standards activities. publishing, conferences, and consensus-based standards activities.
5.10. IETF - The Internet Engineering Task Force 5.10. IETF - The Internet Engineering Task Force
http://www.ietf.org/ http://www.ietf.org/
IETF is a large, international community open to any interested IETF is a large, international community open to any interested
individual concerned with the evolution of the Internet architecture individual concerned with the evolution of the Internet architecture
and the smooth operation of the Internet. and the smooth operation of the Internet.
5.11. INCITS - InterNational Committee for Information Technology 5.11. INCITS - InterNational Committee for Information Technology
Standards Standards
http://www.incits.org/ http://www.incits.org/
INCITS focuses upon standardization in the field of Information and INCITS focuses upon standardization in the field of Information and
Communications Technologies (ICT), encompassing storage, processing, Communications Technologies (ICT), encompassing storage, processing,
transfer, display, management, organization, and retrieval of transfer, display, management, organization, and retrieval of
information. information.
5.12. INCITS Technical Committee T11 - Fibre Channel Interfaces 5.11.1. INCITS Technical Committee T11 - Fibre Channel Interfaces
http://www.t11.org/index.htm http://www.t11.org/index.htm
T11 is responsible for standards development in the areas of T11 is responsible for standards development in the areas of
Intelligent Peripheral Interface (IPI), High-Performance Parallel Intelligent Peripheral Interface (IPI), High-Performance Parallel
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
FC-SP to define Security Protocols for Fibre Channel. FC-SP to define Security Protocols for Fibre Channel.
FC-SP Project Proposal: FC-SP Project Proposal:
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf
5.13. ISO - The International Organization for Standardization 5.12. ISO - The International Organization for Standardization
http://www.iso.org/ http://www.iso.org/
ISO is a network of the national standards institutes of 148 ISO is a network of the national standards institutes of 148
countries, on the basis of one member per country, with a Central countries, on the basis of one member per country, with a Central
Secretariat in Geneva, Switzerland, that coordinates the system. ISO Secretariat in Geneva, Switzerland, that coordinates the system. ISO
officially began operations on February 23, 1947. officially began operations on February 23, 1947.
5.14. ITU - International Telecommunication Union 5.13. ITU - International Telecommunication Union
http://www.itu.int/ http://www.itu.int/
The ITU is an international organization within the United Nations The ITU is an international organization within the United Nations
System headquartered in Geneva, Switzerland. The ITU comprises System headquartered in Geneva, Switzerland. The ITU comprises
three sectors: three sectors:
5.14.1. ITU Telecommunication Standardization Sector - ITU-T 5.13.1. ITU Telecommunication Standardization Sector - ITU-T
http://www.itu.int/ITU-T/ http://www.itu.int/ITU-T/
ITU-T's mission is to ensure an efficient and on-time production of ITU-T's mission is to ensure an efficient and on-time production of
high quality standards covering all fields of telecommunications. high quality standards covering all fields of telecommunications.
5.14.2. ITU Radiocommunication Sector - ITU-R 5.13.2. ITU Radiocommunication Sector - ITU-R
http://www.itu.int/ITU-R/ http://www.itu.int/ITU-R/
The ITU-R plays a vital role in the management of the radio-frequency The ITU-R plays a vital role in the management of the radio-frequency
spectrum and satellite orbits. spectrum and satellite orbits.
5.14.3. ITU Telecom Development - ITU-D 5.13.3. ITU Telecom Development - ITU-D
(also referred to as ITU Telecommunication Development Bureau - BDT) (also referred to as ITU Telecommunication Development Bureau - BDT)
http://www.itu.int/ITU-D/ http://www.itu.int/ITU-D/
The Telecommunication Development Bureau (BDT) is the executive arm The Telecommunication Development Bureau (BDT) is the executive arm
of the Telecommunication Development Sector. Its duties and of the Telecommunication Development Sector. Its duties and
responsibilities cover a variety of functions ranging from programme responsibilities cover a variety of functions ranging from programme
supervision and technical advice to the collection, processing and supervision and technical advice to the collection, processing and
publication of information relevant to telecommunication development. publication of information relevant to telecommunication development.
5.15. OASIS - Organization for the Advancement of Structured 5.14. OASIS - Organization for the Advancement of Structured
Information Standards Information Standards
http://www.oasis-open.org/ http://www.oasis-open.org/
OASIS is a not-for-profit, international consortium that drives the OASIS is a not-for-profit, international consortium that drives the
development, convergence, and adoption of e-business standards. development, convergence, and adoption of e-business standards.
5.16. OIF - Optical Internetworking Forum 5.15. OIF - Optical Internetworking Forum
http://www.oiforum.com/ http://www.oiforum.com/
On April 20, 1998, Cisco Systems and Ciena Corporation announced an On April 20, 1998, Cisco Systems and Ciena Corporation announced an
industry-wide initiative to create the Optical Internetworking Forum, industry-wide initiative to create the Optical Internetworking Forum,
an open forum focused on accelerating the deployment of optical an open forum focused on accelerating the deployment of optical
internetworks. internetworks.
5.17. NRIC - The Network Reliability and Interoperability Council 5.16. NRIC - The Network Reliability and Interoperability Council
http://www.nric.org/ http://www.nric.org/
The purposes of the Committee are to give telecommunications industry The purposes of the Committee are to give telecommunications industry
leaders the opportunity to provide recommendations to the FCC and to leaders the opportunity to provide recommendations to the FCC and to
the industry that assure optimal reliability and interoperability of the industry that assure optimal reliability and interoperability of
telecommunications networks. The Committee addresses topics in the telecommunications networks. The Committee addresses topics in the
area of Homeland Security, reliability, interoperability, and area of Homeland Security, reliability, interoperability, and
broadband deployment. broadband deployment.
5.18. National Security Telecommunications Advisory Committee (NSTAC) 5.17. National Security Telecommunications Advisory Committee (NSTAC)
http://www.ncs.gov/nstac/nstac.html http://www.ncs.gov/nstac/nstac.html
President Ronald Reagan created the National Security President Ronald Reagan created the National Security
Telecommunications Advisory Committee (NSTAC) by Executive Order Telecommunications Advisory Committee (NSTAC) by Executive Order
12382 in September 1982. Since then, the NSTAC has served four 12382 in September 1982. Since then, the NSTAC has served four
presidents. Composed of up to 30 industry chief executives presidents. Composed of up to 30 industry chief executives
representing the major communications and network service providers representing the major communications and network service providers
and information technology, finance, and aerospace companies, the and information technology, finance, and aerospace companies, the
NSTAC provides industry-based advice and expertise to the President NSTAC provides industry-based advice and expertise to the President
on issues and problems related to implementing national security and on issues and problems related to implementing national security and
emergency preparedness (NS/EP) communications policy. Since its emergency preparedness (NS/EP) communications policy. Since its
inception, the NSTAC has addressed a wide range of policy and inception, the NSTAC has addressed a wide range of policy and
technical issues regarding communications, information systems, technical issues regarding communications, information systems,
information assurance, critical infrastructure protection, and other information assurance, critical infrastructure protection, and other
NS/EP communications concerns. NS/EP communications concerns.
5.19. TIA - The Telecommunications Industry Association 5.18. TIA - The Telecommunications Industry Association
http://www.tiaonline.org/ http://www.tiaonline.org/
TIA is accredited by ANSI to develop voluntary industry standards for TIA is accredited by ANSI to develop voluntary industry standards for
a wide variety of telecommunications products. TIA's Standards and a wide variety of telecommunications products. TIA's Standards and
Technology Department is composed of five divisions: Fiber Optics, Technology Department is composed of five divisions: Fiber Optics,
User Premises Equipment, Network Equipment, Wireless Communications User Premises Equipment, Network Equipment, Wireless Communications
and Satellite Communications. and Satellite Communications.
5.19. TTA - Telecommunications Technology Association
http://www.tta.or.kr/Home2003/main/index.jsp
http://www.tta.or.kr/English/new/main/index.htm (English)
TTA (Telecommunications Technology Association) is an IT standards
organization that develops new standards and provides one-stop
services for the establishment of IT standards as well as providing
testing and certification for IT products.
5.20. Web Services Interoperability Organization (WS-I) 5.20. Web Services Interoperability Organization (WS-I)
http://www.ws-i.org/ http://www.ws-i.org/
WS-I is an open, industry organization chartered to promote Web WS-I is an open, industry organization chartered to promote Web
services interoperability across platforms, operating systems, and services interoperability across platforms, operating systems, and
programming languages. The organization works across the industry programming languages. The organization works across the industry
and standards organizations to respond to customer needs by providing and standards organizations to respond to customer needs by providing
guidance, best practices, and resources for developing Web services guidance, best practices, and resources for developing Web services
solutions. solutions.
skipping to change at page 19, line 28 skipping to change at page 20, line 28
Documents: Documents:
http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003
6.4. DMTF - Security Protection and Management (SPAM) Working Group 6.4. DMTF - Security Protection and Management (SPAM) Working Group
http://www.dmtf.org/about/committees/spamWGCharter.pdf http://www.dmtf.org/about/committees/spamWGCharter.pdf
The Working Group will define a CIM Common Model that addresses The Working Group will define a CIM Common Model that addresses
security protection and detection technologies, which may include security protection and detection technologies, which may include
devices and services, and classifies security information, attacks devices and services, and classifies security information, attacks,
and responses. and responses.
6.5. DMTF - User and Security Working Group 6.5. DMTF - User and Security Working Group
http://www.dmtf.org/about/committees/userWGCharter.pdf http://www.dmtf.org/about/committees/userWGCharter.pdf
The User and Security Working Group defines objects and access The User and Security Working Group defines objects and access
methods required for principals - where principals include users, methods required for principals - where principals include users,
groups, software agents, systems, and organizations. groups, software agents, systems, and organizations.
6.6. ATIS Security & Emergency Preparedness Activities 6.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
http://www.atis.org/atis/atisinfo/emergency/
security_committee_activities_T1.htm
The link above contains the description of the ATIS Communications
Security Model, the scopes of the Technical Subcommittees in relation
to the security model, and a list of published documents produced by
ATIS addressed to various aspects of network security.
6.7. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
Standards and Solutions Standards and Solutions
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
The ATIS TOPS Security Focus Group has made recommendations on work The ATIS TOPS Security Focus Group has made recommendations on work
items needed to be performed by other SDOs. items needed to be performed by other SDOs.
6.7.1. ATIS Work on Packet Filtering 6.6.1. ATIS Work on Packet Filtering
A part of the ATIS Work Plan was to define how disruptions may be A part of the ATIS Work Plan was to define how disruptions may be
prevented by filtering unwanted traffic at the edges of the network. prevented by filtering unwanted traffic at the edges of the network.
ATIS is developing this work in a document titled, "Traffic Filtering ATIS is developing this work in a document titled, "Traffic Filtering
for the Prevention of Unwanted Traffic". for the Prevention of Unwanted Traffic".
6.8. ATIS Work on the NGN 6.7. ATIS Work on the NGN
http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/ http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/
Part%20I/ATIS_NGN_Part_1_Issue1.pdf Part%20I/ATIS_NGN_Part_1_Issue1.pdf
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
Definitions, Requirements, and Architecture, Issue 1.0, November Definitions, Requirements, and Architecture, Issue 1.0, November
2004." 2004."
6.9. Common Criteria 6.8. Common Criteria
http://www.commoncriteriaportal.org/ http://www.commoncriteriaportal.org/
Version 1.0 of the CC was completed in January 1996. Based on a Version 1.0 of the CC was completed in January 1996. Based on a
number of trial evaluations and an extensive public review, Version number of trial evaluations and an extensive public review, Version
1.0 was extensively revised and CC Version 2.0 was produced in April 1.0 was extensively revised and CC Version 2.0 was produced in April
of 1998. This became ISO International Standard 15408 in 1999. The of 1998. This became ISO International Standard 15408 in 1999. The
CC Project subsequently incorporated the minor changes that had CC Project subsequently incorporated the minor changes that had
resulted in the ISO process, producing CC version 2.1 in August 1999. resulted in the ISO process, producing CC version 2.1 in August 1999.
Version 3.0 was published in June 2005 and is available for comment. Version 3.0 was published in June 2005 and is available for comment.
skipping to change at page 21, line 5 skipping to change at page 21, line 41
Part 1: Introduction and general model Part 1: Introduction and general model
Part 2: Security functional components Part 2: Security functional components
Part 3: Security assurance components Part 3: Security assurance components
Documents: Common Criteria V2.3 Documents: Common Criteria V2.3
http://www.commoncriteriaportal.org/public/expert/index.php?menu=2 http://www.commoncriteriaportal.org/public/expert/index.php?menu=2
6.10. ETSI 6.9. ETSI
http://www.etsi.org/ http://www.etsi.org/
The ETSI hosted the ETSI Global Security Conference in late November, The ETSI hosted the ETSI Global Security Conference in late November,
2003, which could lead to a standard. 2003, which could lead to a standard.
Groups related to security located from the ETSI Groups Portal: Groups related to security located from the ETSI Groups Portal:
OCG Security OCG Security
3GPP SA3 3GPP SA3
TISPAN WG7 TISPAN WG7
6.11. GGF Security Area (SEC) 6.10. GGF Security Area (SEC)
https://forge.gridforum.org/projects/sec/ https://forge.gridforum.org/projects/sec/
The Security Area (SEC) is concerned with various issues relating to The Security Area (SEC) is concerned with various issues relating to
authentication and authorization in Grid environments. authentication and authorization in Grid environments.
Working groups: Working groups:
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
https://forge.gridforum.org/projects/authz-wg https://forge.gridforum.org/projects/authz-wg
Certificate Authority Operations Working Group (CAOPS-WG) - Certificate Authority Operations Working Group (CAOPS-WG) -
https://forge.gridforum.org/projects/caops-wg https://forge.gridforum.org/projects/caops-wg
OGSA Authorization Working Group (OGSA-AUTHZ) - OGSA Authorization Working Group (OGSA-AUTHZ) -
https://forge.gridforum.org/projects/ogsa-authz https://forge.gridforum.org/projects/ogsa-authz
Grid Security Infrastructure (GSI-WG) - Grid Security Infrastructure (GSI-WG) -
https://forge.gridforum.org/projects/gsi-wg https://forge.gridforum.org/projects/gsi-wg
6.12. Information System Security Assurance Architecture 6.11. Information System Security Assurance Architecture
IEEE Working Group - http://issaa.org/ IEEE Working Group - http://issaa.org/
Formerly the Security Certification and Accreditation of Information Formerly the Security Certification and Accreditation of Information
Systems Working Group (SCAISWG), IEEE Project 1700 aims to develop a Systems Working Group (SCAISWG), IEEE Project 1700 aims to develop a
draft Standard for Information System Security Assurance Architecture draft Standard for Information System Security Assurance Architecture
for ballot and, during that process, to begin development of a suite for ballot and, during that process, to begin development of a suite
of associated standards for components of that architecture. of associated standards for components of that architecture.
Documents: http://issaa.org/documents/index.html Documents: http://issaa.org/documents/index.html
6.13. Operational Security Requirements for IP Network Infrastructure : 6.12. Operational Security Requirements for IP Network Infrastructure :
Advanced Requirements Advanced Requirements
IETF RFC 3871 IETF RFC 3871
Abstract: This document defines a list of operational security Abstract: This document defines a list of operational security
requirements for the infrastructure of large ISP IP networks (routers requirements for the infrastructure of large ISP IP networks (routers
and switches). A framework is defined for specifying "profiles", and switches). A framework is defined for specifying "profiles",
which are collections of requirements applicable to certain network which are collections of requirements applicable to certain network
topology contexts (all, core-only, edge-only...). The goal is to topology contexts (all, core-only, edge-only...). The goal is to
provide network operators a clear, concise way of communicating their provide network operators a clear, concise way of communicating their
security requirements to vendors. security requirements to vendors.
Documents: Documents:
ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt
6.14. INCITS Technical Committee T4 - Security Techniques 6.13. INCITS CS1 - Cyber Security
http://www.incits.org/tc_home/t4.htm
Technical Committee T4, Security Techniques, participates in the
standardization of generic methods for information technology
security. This includes development of: security techniques and
mechanisms; security guidelines; security evaluation criteria; and
identification of generic requirements for information technology
system security services.
6.15. INCITS CS1 - Cyber Security
http://www.incits.org/tc_home/cs1.htm http://cs1.incits.org/
INCITS/CS1 was established in April 2005 to serve as the US TAG for INCITS/CS1 was established in April 2005 to serve as the US TAG for
ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
(INCITS/T4 serves as the US TAG to SC 27/WG 2). (INCITS/T4 serves as the US TAG to SC 27/WG 2).
The scope of CS1 explicitly excludes the areas of work on cyber The scope of CS1 explicitly excludes the areas of work on cyber
security standardization presently underway in INCITS B10, M1 and T3; security standardization presently underway in INCITS B10, M1 and T3;
as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
X9. INCITS T4's area of work would be narrowed to cryptography X9. INCITS T4's area of work would be narrowed to cryptography
projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
mechanisms). mechanisms).
6.16. ISO Guidelines for the Management of IT Security - GMITS 6.14. ISO Guidelines for the Management of IT Security - GMITS
Guidelines for the Management of IT Security -- Part 1: Concepts and Guidelines for the Management of IT Security -- Part 1: Concepts and
models for IT Security models for IT Security
http://www.iso.ch/iso/en/ http://www.iso.ch/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35
Guidelines for the Management of IT Security -- Part 2: Managing and Guidelines for the Management of IT Security -- Part 2: Managing and
planning IT Security planning IT Security
http://www.iso.org/iso/en/ http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
ICS3= ICS3=
skipping to change at page 23, line 41 skipping to change at page 24, line 19
http://www.iso.org/iso/en/ http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
ICS3= ICS3=
Open Systems Interconnection -- Network layer security protocol Open Systems Interconnection -- Network layer security protocol
http://www.iso.org/iso/en/ http://www.iso.org/iso/en/
CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
ICS3=30 ICS3=30
6.17. ISO JTC 1/SC 27 6.15. ISO JTC 1/SC 27
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143
Several security related ISO projects under JTC 1/SC 27 are listed Several security related ISO projects under JTC 1/SC 27 are listed
here such as: here such as:
IT security techniques -- Entity authentication IT security techniques -- Entity authentication
Security techniques -- Key management Security techniques -- Key management
Security techniques -- Evaluation criteria for IT security Security techniques -- Evaluation criteria for IT security
Security techniques -- A framework for IT security assurance Security techniques -- A framework for IT security assurance
IT Security techniques -- Code of practice for information IT Security techniques -- Code of practice for information
security management security management
Security techniques -- IT network security Security techniques -- IT network security
Guidelines for the implementation, operation and management of Guidelines for the implementation, operation and management of
Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS)
International Security, Trust, and Privacy Alliance -- Privacy International Security, Trust, and Privacy Alliance -- Privacy
Framework Framework
6.18. ITU-T Study Group 2 6.16. ITU-T Study Group 2
http://www.itu.int/ITU-T/studygroups/com02/index.asp http://www.itu.int/ITU-T/studygroups/com02/index.asp
Security related recommendations currently under study: Security related recommendations currently under study:
E.408 Telecommunication networks security requirements Q.5/2 (was E.408 Telecommunication networks security requirements Q.5/2 (was
E.sec1) E.sec1)
E.409 Incident Organisation and Security Incident Handling Q.5/2 E.409 Incident Organisation and Security Incident Handling Q.5/2
(was E.sec2) (was E.sec2)
Note: Access requires TIES account. Note: Access requires TIES account.
6.19. ITU-T Recommendation M.3016 6.17. ITU-T Recommendation M.3016
http://www.itu.int/itudoc/itu-t/com4/contr/068.html http://www.itu.int/itudoc/itu-t/com4/contr/068.html
This recommendation provides an overview and framework that This recommendation provides an overview and framework that
identifies the security requirements of a TMN and outlines how identifies the security requirements of a TMN and outlines how
available security services and mechanisms can be applied within the available security services and mechanisms can be applied within the
context of the TMN functional architecture. context of the TMN functional architecture.
Question 18 of Study Group 3 is revising Recommendation M.3016. They Question 18 of Study Group 3 is revising Recommendation M.3016. They
have taken the original document and are incorporating thoughts from have taken the original document and are incorporating thoughts from
ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
produced a new series of documents. produced a new series of documents.
M.3016.0 - Overview M.3016.0 - Overview
M.3016.1 - Requirements M.3016.1 - Requirements
M.3016.2 - Services M.3016.2 - Services
M.3016.3 - Mechanisms M.3016.3 - Mechanisms
M.3016.4 - Profiles M.3016.4 - Profiles
6.20. ITU-T Recommendation X.805 6.18. ITU-T Recommendation X.805
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html
This Recommendation defines the general security-related This Recommendation defines the general security-related
architectural elements that, when appropriately applied, can provide architectural elements that, when appropriately applied, can provide
end-to-end network security. end-to-end network security.
6.21. ITU-T Study Group 16 6.19. ITU-T Study Group 16
http://www.itu.int/ITU-T/studygroups/com16/index.asp http://www.itu.int/ITU-T/studygroups/com16/index.asp
Security of Multimedia Systems and Services - Question G/16 Multimedia Security in Next-Generation Networks (NGN-MM-SEC)
http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html
6.22. ITU-T Study Group 17 6.20. ITU-T Study Group 17
http://www.itu.int/ITU-T/studygroups/com17/index.asp http://www.itu.int/ITU-T/studygroups/com17/index.asp
ITU-T Study Group 17 is the Lead Study Group on Communication System ITU-T Study Group 17 is the Lead Study Group on Communication System
Security Security
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html
Study Group 17 Security Project: Study Group 17 Security Project:
http://www.itu.int/ITU-T/studygroups/com17/security/index.html http://www.itu.int/ITU-T/studygroups/com17/security/index.html
During its November 2002 meeting, Study Group 17 agreed to establish During its November 2002 meeting, Study Group 17 agreed to establish
a new project entitled "Security Project" under the leadership of a new project entitled "Security Project" under the leadership of
Q.10/17 to coordinate the ITU-T standardization effort on security. Q.10/17 to coordinate the ITU-T standardization effort on security.
An analysis of the status on ITU-T Study Group action on information An analysis of the status on ITU-T Study Group action on information
and communication network security may be found in TSB Circular 147 and communication network security may be found in TSB Circular 147
of 14 February 2003. of 14 February 2003.
6.23. Catalogue of ITU-T Recommendations related to Communications 6.21. Catalogue of ITU-T Recommendations related to Communications
System Security System Security
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html
The Catalogue of the approved security Recommendations include those, The Catalogue of the approved security Recommendations include those,
designed for security purposes and those, which describe or use of designed for security purposes and those, which describe or use of
functions of security interest and need. Although some of the functions of security interest and need. Although some of the
security related Recommendations includes the phrase "Open Systems security related Recommendations includes the phrase "Open Systems
Interconnection", much of the information contained in them is Interconnection", much of the information contained in them is
pertinent to the establishment of security functionality in any pertinent to the establishment of security functionality in any
communicating system. communicating system.
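Review bot: the first sentence of this section is ungrammatical in both columns and -04 leaves it untouched: "The Catalogue of the approved security Recommendations include those, designed for security purposes and those, which describe or use of functions of security interest and need." Suggest "The Catalogue of approved security Recommendations includes both those designed for security purposes and those that describe or use functions of security interest." The second sentence has the same subject/verb mismatch ("some of the security related Recommendations includes") and should read "include".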
6.24. ITU-T Security Manual 6.22. ITU-T Security Manual
http://www.itu.int/ITU-T/edh/files/security-manual.pdf http://www.itu.int/ITU-T/edh/files/security-manual.pdf
TSB is preparing an "ITU-T Security Manual" to provide an overview on TSB is preparing an "ITU-T Security Manual" to provide an overview on
security in telecommunications and information technologies, describe security in telecommunications and information technologies, describe
practical issues, and indicate how the different aspects of security practical issues, and indicate how the different aspects of security
in today's applications are addressed by ITU-T Recommendations. This in today's applications are addressed by ITU-T Recommendations. This
manual has a tutorial character: it collects security related manual has a tutorial character: it collects security related
material from ITU-T Recommendations into one place and explains the material from ITU-T Recommendations into one place and explains the
respective relationships. The intended audience for this manual is respective relationships. The intended audience for this manual are
engineers and product managers, students and academia, as well as engineers and product managers, students and academia, as well as
regulators who want to better understand security aspects in regulators who want to better understand security aspects in
practical applications. practical applications.
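Review bot: the only change in this paragraph, "The intended audience for this manual is engineers" to "The intended audience for this manual are engineers", introduces an agreement error; "audience" is singular, so the -03 wording was correct. Either revert to "is" or recast the sentence as "This manual is intended for engineers and product managers, students and academia, as well as regulators who want to better understand security aspects in practical applications."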
6.25. ITU-T NGN Effort 6.23. ITU-T NGN Effort
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html
During its January 2002 meeting, SG13 decided to undertake the During its January 2002 meeting, SG13 decided to undertake the
preparation of a new ITU-T Project entitled "NGN 2004 Project". At preparation of a new ITU-T Project entitled "NGN 2004 Project". At
the November 2002 SG13 meeting, a preliminary description of the the November 2002 SG13 meeting, a preliminary description of the
Project was achieved and endorsed by SG13 with the goal to launch the Project was achieved and endorsed by SG13 with the goal to launch the
Project. It is regularly updated since then. Project. It is regularly updated since then.
The role of the NGN 2004 Project is to organize and to coordinate The role of the NGN 2004 Project is to organize and to coordinate
ITU-T activities on Next Generation Networks. Its target is to ITU-T activities on Next Generation Networks. Its target is to
produce a first set of Recommendations on NGN by the end of this produce a first set of Recommendations on NGN by the end of this
study period, i.e. mid-2004. study period, i.e. mid-2004.
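Review bot: this section is unchanged in -04 but still describes the NGN 2004 Project's deliverable as a future target ("produce a first set of Recommendations on NGN by the end of this study period, i.e. mid-2004"), and the cited URL sits under the 2001-2004 study period path. Before the next revision, either state what the Project delivered and point at its current home, or mark the section as describing a completed effort, so the text does not read as stale.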
6.26. NRIC VI Focus Groups 6.24. NRIC VI Focus Groups
http://www.nric.org/fg/index.html http://www.nric.org/fg/index.html
The Network Reliability and Interoperability Council (NRIC) was The Network Reliability and Interoperability Council (NRIC) was
formed with the purpose to provide recommendations to the FCC and to formed with the purpose to provide recommendations to the FCC and to
the industry to assure the reliability and interoperability of the industry to assure the reliability and interoperability of
wireless, wireline, satellite, and cable public telecommunications wireless, wireline, satellite, and cable public telecommunications
networks. These documents provide general information and guidance networks. These documents provide general information and guidance
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a prevention of cyberattack and for restoration following a
skipping to change at page 27, line 17 skipping to change at page 27, line 43
Documents: Documents:
Homeland Defense - Recommendations Published 14-Mar-03 Homeland Defense - Recommendations Published 14-Mar-03
Preventative Best Practices - Recommendations Published 14-Mar-03 Preventative Best Practices - Recommendations Published 14-Mar-03
Recovery Best Practices - Recommendations Published 14-Mar-03 Recovery Best Practices - Recommendations Published 14-Mar-03
Best Practice Appendices - Recommendations Published 14-Mar-03 Best Practice Appendices - Recommendations Published 14-Mar-03
6.27. OASIS Security Joint Committee 6.25. OASIS Security Joint Committee
http://www.oasis-open.org/committees/ http://www.oasis-open.org/committees/
tc_home.php?wg_abbrev=security-jc tc_home.php?wg_abbrev=security-jc
The purpose of the Security JC is to coordinate the technical The purpose of the Security JC is to coordinate the technical
activities of multiple security related TCs. The SJC is advisory activities of multiple security related TCs. The SJC is advisory
only, and has no deliverables. The Security JC will promote the use only, and has no deliverables. The Security JC will promote the use
of consistent terms, promote re-use, champion an OASIS security of consistent terms, promote re-use, champion an OASIS security
standards model, provide consistent PR, and promote mutuality, standards model, provide consistent PR, and promote mutuality,
operational independence and ethics. operational independence and ethics.
6.28. OASIS Security Services TC 6.26. OASIS Security Services (SAML) TC
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
The Security Services TC is working to advance the Security Assertion The Security Services TC is working to advance the Security Assertion
Markup Language (SAML) as an OASIS standard. SAML is an XML Markup Language (SAML) as an OASIS standard. SAML is an XML
framework for exchanging authentication and authorization framework for exchanging authentication and authorization
information. information.
6.29. OIF Implementation Agreements 6.27. OIF Implementation Agreements
The OIF has 2 approved Implementation Agreements (IAs) relating to The OIF has 2 approved Implementation Agreements (IAs) relating to
security. They are: security. They are:
OIF-SMI-01.0 - Security Management Interfaces to Network Elements OIF-SMI-01.0 - Security Management Interfaces to Network Elements
This Implementation Agreement lists objectives for securing OAM&P This Implementation Agreement lists objectives for securing OAM&P
interfaces to a Network Element and then specifies ways of using interfaces to a Network Element and then specifies ways of using
security systems (e.g., IPsec or TLS) for securing these interfaces. security systems (e.g., IPsec or TLS) for securing these interfaces.
It summarizes how well each of the systems, used as specified, It summarizes how well each of the systems, used as specified,
skipping to change at page 28, line 4 skipping to change at page 28, line 29
OIF-SMI-01.0 - Security Management Interfaces to Network Elements OIF-SMI-01.0 - Security Management Interfaces to Network Elements
This Implementation Agreement lists objectives for securing OAM&P This Implementation Agreement lists objectives for securing OAM&P
interfaces to a Network Element and then specifies ways of using interfaces to a Network Element and then specifies ways of using
security systems (e.g., IPsec or TLS) for securing these interfaces. security systems (e.g., IPsec or TLS) for securing these interfaces.
It summarizes how well each of the systems, used as specified, It summarizes how well each of the systems, used as specified,
satisfies the objectives. satisfies the objectives.
OIF - SEP - 01.1 - Security Extension for UNI and NNI OIF - SEP - 01.1 - Security Extension for UNI and NNI
This Implementation Agreement defines a common Security Extension for This Implementation Agreement defines a common Security Extension for
securing the protocols used in UNI 1.0, UNI 2.0, and NNI. securing the protocols used in UNI 1.0, UNI 2.0, and NNI.
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf Documents: http://www.oiforum.com/public/documents/Security-IA.pdf
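Review bot: the two IA identifiers in this section are written inconsistently, "OIF-SMI-01.0" versus "OIF - SEP - 01.1"; use the same unspaced form for both. In the lead sentence, "The OIF has 2 approved Implementation Agreements" should spell out "two" in running prose, in line with the rest of the document.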
6.30. TIA 6.28. TIA
The TIA has produced the "Compendium of Emergency Communications and The TIA has produced the "Compendium of Emergency Communications and
Communications Network Security-related Work Activities". This Communications Network Security-related Work Activities". This
document identifies standards, or other technical documents and document identifies standards, or other technical documents and
ongoing Emergency/Public Safety Communications and Communications ongoing Emergency/Public Safety Communications and Communications
Network Security-related work activities within TIA and it's Network Security-related work activities within TIA and it's
Engineering Committees. Many P25 documents are specifically Engineering Committees. Many P25 documents are specifically
detailed. This "living document" is presented for information, detailed. This "living document" is presented for information,
coordination and reference. coordination and reference.
Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf Documents: http://www.tiaonline.org/standards/technology/ciphs/
documents/EMTEL_sec.pdf
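Review bot: "within TIA and it's Engineering Committees" should be "its" (possessive), and the fix is missing from the -04 column even though the URL on the same lines was updated. "Many P25 documents are specifically detailed" is also vague; if the intent is that the compendium itemizes individual Project 25 standards, say so ("The compendium lists individual Project 25 (P25) documents").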
6.31. WS-I Basic Security Profile 6.29. WS-I Basic Security Profile
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
The WS-I Basic Security Profile 1.0 consists of a set of non- The WS-I Basic Security Profile 1.0 consists of a set of non-
proprietary Web services specifications, along with clarifications proprietary Web services specifications, along with clarifications
and amendments to those specifications which promote and amendments to those specifications which promote
interoperability. interoperability.
7. Security Considerations 7. Security Considerations
This document describes efforts to standardize security practices and This document describes efforts to standardize security practices and
documents. As such this document offers no security guidance documents. As such this document offers no security guidance
whatsoever. whatsoever.
skipping to change at page 33, line 12 skipping to change at page 34, line 12
-03 : Third revision of the WG ID. -03 : Third revision of the WG ID.
Updated the date. Updated the date.
Updated the information about the CC Updated the information about the CC
Added a Conventions section (not sure how this document got to Added a Conventions section (not sure how this document got to
where it is without that) where it is without that)
-04 : Fourth revision of the WG ID.
Updated the date.
Added Anne & Lynn Wheeler Taxonomy & Security Glossary
CIAO glossary removed. CIAO has been absorbed by DHS and the
glossary is no longer available.
USC glossary removed, could not find it on the site or a reference
to it elsewhere.
Added TTA - Telecommunications Technology Association to SDO
section.
Removed ATIS Security & Emergency Preparedness Activities from
Documents section. Could not find it or a reference to it.
INCITS T4 incorporated into CS1 - T4 section removed
X9 Added to SDO list under ANSI
Various link or grammar fixes.
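Review bot: the -04 change log records the removals that shifted the numbering of sections 6.18 onward but does not mention the renumbering itself, nor the replacement of the SG16 entry (Question G/16 became the NGN-MM-SEC question with a new URL); add both so that readers of -03 can map their references to this revision. "Various link or grammar fixes" would then cover only the minor edits.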
Note: This section will be removed before publication as an RFC. Note: This section will be removed before publication as an RFC.
11. Normative References 11. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, STD 14, March 1997. Levels", RFC 2119, STD 14, March 1997.
Authors' Addresses Authors' Addresses
Chris Lonvick Chris Lonvick
 End of changes. 92 change blocks. 
215 lines changed or deleted 241 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/