draft-ietf-opsec-efforts-13.txt | draft-ietf-opsec-efforts-14.txt | |||
---|---|---|---|---|
Network Working Group C. Lonvick | Network Working Group C. Lonvick | |||
Internet-Draft D. Spak | Internet-Draft D. Spak | |||
Intended status: Informational Cisco Systems | Intended status: Informational Cisco Systems | |||
Expires: May 15, 2011 November 11, 2010 | Expires: August 11, 2011 February 7, 2011 | |||
Security Best Practices Efforts and Documents | Security Best Practices Efforts and Documents | |||
draft-ietf-opsec-efforts-13.txt | draft-ietf-opsec-efforts-14.txt | |||
Abstract | Abstract | |||
This document provides a snapshot of the current efforts to define or | This document provides a snapshot of the current efforts to define or | |||
apply security requirements in various Standards Developing | apply security requirements in various Standards Developing | |||
Organizations (SDO). | Organizations (SDO). | |||
Status of this Memo | Status of this Memo | |||
This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on May 15, 2011. | This Internet-Draft will expire on August 11, 2011. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the BSD License. | described in the BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
2. Format of this Document . . . . . . . . . . . . . . . . . . . 7 | 2. Format of this Document . . . . . . . . . . . . . . . . . . . 7 | |||
3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 8 | 3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 8 | |||
3.1. ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 8 | 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 8 | |||
3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 8 | 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 8 | |||
3.3. Compendium of Approved ITU-T Security Definitions . . . . 8 | 3.3. Compendium of Approved ITU-T Security Definitions . . . . 8 | |||
3.4. Microsoft Solutions for Security Glossary . . . . . . . . 8 | 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 9 | |||
3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 9 | 3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 9 | |||
3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 9 | 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 9 | |||
4. Standards Developing Organizations . . . . . . . . . . . . . . 10 | 3.7. NIST - Glossary of Key Information Security Terms . . . . 9 | |||
4.1. 3GPP - Third Generation Partnership Project . . . . . . . 10 | 4. Standards Developing Organizations . . . . . . . . . . . . . . 11 | |||
4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 | 4.1. 3GPP - Third Generation Partnership Project . . . . . . . 11 | |||
4.3. ANSI - The American National Standards Institute . . . . . 10 | 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11 | |||
4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 10 | 4.3. ANSI - The American National Standards Institute . . . . . 11 | |||
4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11 | ||||
4.4. ATIS - Alliance for Telecommunications Industry | 4.4. ATIS - Alliance for Telecommunications Industry | |||
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11 | Solutions . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
4.4.1. ATIS NIPP - Network Interface, Power, and | 4.4.1. ATIS NIPP - Network Interface, Power, and | |||
Protection Committee, formerly T1E1 . . . . . . . . . 11 | Protection Committee, formerly T1E1 . . . . . . . . . 12 | |||
4.4.2. ATIS NPRQ - Network Performance, Reliability, and | 4.4.2. ATIS NPRQ - Network Performance, Reliability, and | |||
Quality of Service Committee, formerly T1A1 . . . . . 11 | Quality of Service Committee, formerly T1A1 . . . . . 12 | |||
4.4.3. ATIS OBF - Ordering and Billing Forum, formerly | 4.4.3. ATIS OBF - Ordering and Billing Forum, formerly | |||
regarding T1M1 O&B . . . . . . . . . . . . . . . . . . 11 | regarding T1M1 O&B . . . . . . . . . . . . . . . . . . 12 | |||
4.4.4. ATIS OPTXS - Optical Transport and Synchronization | 4.4.4. ATIS OPTXS - Optical Transport and Synchronization | |||
Committee, formerly T1X1 . . . . . . . . . . . . . . . 12 | Committee, formerly T1X1 . . . . . . . . . . . . . . . 13 | |||
4.4.5. ATIS TMOC - Telecom Management and Operations | 4.4.5. ATIS TMOC - Telecom Management and Operations | |||
Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 12 | Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13 | |||
4.4.6. ATIS WTSC - Wireless Technologies and Systems | 4.4.6. ATIS WTSC - Wireless Technologies and Systems | |||
Committee, formerly T1P1 . . . . . . . . . . . . . . . 12 | Committee, formerly T1P1 . . . . . . . . . . . . . . . 13 | |||
4.4.7. ATIS PTSC - Packet Technologies and Systems | 4.4.7. ATIS PTSC - Packet Technologies and Systems | |||
Committee, formerly T1S1 . . . . . . . . . . . . . . . 12 | Committee, formerly T1S1 . . . . . . . . . . . . . . . 13 | |||
4.4.8. ATIS Protocol Interworking Committee, regarding | 4.4.8. ATIS Protocol Interworking Committee, regarding | |||
T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 13 | T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13 | 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 14 | |||
4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 13 | 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 | |||
4.7. ETSI - The European Telecommunications Standard | 4.7. ETSI - The European Telecommunications Standard | |||
Institute . . . . . . . . . . . . . . . . . . . . . . . . 13 | Institute . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 13 | 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 14 | |||
4.9. IEEE - The Institute of Electrical and Electronics | 4.9. IEEE - The Institute of Electrical and Electronics | |||
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 14 | Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.10. IETF - The Internet Engineering Task Force . . . . . . . . 14 | ||||
4.10. IETF - The Internet Engineering Task Force . . . . . . . . 15 | ||||
4.11. INCITS - InterNational Committee for Information | 4.11. INCITS - InterNational Committee for Information | |||
Technology Standards . . . . . . . . . . . . . . . . . . . 14 | Technology Standards . . . . . . . . . . . . . . . . . . . 15 | |||
4.11.1. INCITS Technical Committee T11 - Fibre Channel | 4.11.1. INCITS Technical Committee T11 - Fibre Channel | |||
Interfaces . . . . . . . . . . . . . . . . . . . . . . 14 | Interfaces . . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.12. ISO - The International Organization for | 4.12. ISO - The International Organization for | |||
Standardization . . . . . . . . . . . . . . . . . . . . . 14 | Standardization . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.13. ITU - International Telecommunication Union . . . . . . . 15 | 4.13. ITU - International Telecommunication Union . . . . . . . 16 | |||
4.13.1. ITU Telecommunication Standardization Sector - | 4.13.1. ITU Telecommunication Standardization Sector - | |||
ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 15 | ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 15 | 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 16 | |||
4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 15 | 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 16 | |||
4.14. OASIS - Organization for the Advancement of | 4.14. OASIS - Organization for the Advancement of | |||
Structured Information Standards . . . . . . . . . . . . . 15 | Structured Information Standards . . . . . . . . . . . . . 16 | |||
4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 16 | 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 17 | |||
4.16. NRIC - The Network Reliability and Interoperability | 4.16. NRIC - The Network Reliability and Interoperability | |||
Council . . . . . . . . . . . . . . . . . . . . . . . . . 16 | Council . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
4.17. National Security Telecommunications Advisory | 4.17. National Security Telecommunications Advisory | |||
Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 16 | Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 17 | |||
4.18. TIA - The Telecommunications Industry Association . . . . 16 | 4.18. TIA - The Telecommunications Industry Association . . . . 17 | |||
4.19. TTA - Telecommunications Technology Association . . . . . 17 | 4.19. TTA - Telecommunications Technology Association . . . . . 18 | |||
4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 17 | 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 18 | |||
4.21. Web Services Interoperability Organization (WS-I) . . . . 17 | 4.21. Web Services Interoperability Organization (WS-I) . . . . 18 | |||
5. Security Best Practices Efforts and Documents . . . . . . . . 18 | 5. Security Best Practices Efforts and Documents . . . . . . . . 19 | |||
5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 18 | 5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 19 | |||
5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 18 | 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 19 | |||
5.3. American National Standard T1.276-2003 - Baseline | 5.3. American National Standard T1.276-2003 - Baseline | |||
Security Requirements for the Management Plane . . . . . . 18 | Security Requirements for the Management Plane . . . . . . 19 | |||
5.4. DMTF - Security Protection and Management (SPAM) | 5.4. DMTF - Security Protection and Management (SPAM) | |||
Working Group . . . . . . . . . . . . . . . . . . . . . . 19 | Working Group . . . . . . . . . . . . . . . . . . . . . . 20 | |||
5.5. DMTF - User and Security Working Group . . . . . . . . . . 19 | 5.5. DMTF - User and Security Working Group . . . . . . . . . . 20 | |||
5.6. ATIS Work-Plan to Achieve Interoperable, | 5.6. ATIS Work-Plan to Achieve Interoperable, | |||
Implementable, End-To-End Standards and Solutions . . . . 19 | Implementable, End-To-End Standards and Solutions . . . . 20 | |||
5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 19 | 5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 20 | |||
5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 20 | 5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 21 | |||
5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 20 | 5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 21 | |||
5.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 5.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 21 | 5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 22 | |||
5.11. Information System Security Assurance Architecture . . . . 21 | 5.11. Information System Security Assurance Architecture . . . . 22 | |||
5.12. Operational Security Requirements for IP Network | 5.12. Operational Security Requirements for IP Network | |||
Infrastructure : Advanced Requirements . . . . . . . . . . 21 | Infrastructure : Advanced Requirements . . . . . . . . . . 22 | |||
5.13. INCITS CS1 - Cyber Security . . . . . . . . . . . . . . . 22 | 5.13. INCITS CS1 - Cyber Security . . . . . . . . . . . . . . . 23 | |||
5.14. ISO Guidelines for the Management of IT Security - | 5.14. ISO Guidelines for the Management of IT Security - | |||
GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
5.15. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 23 | 5.15. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 24 | |||
5.16. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 23 | 5.16. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 24 | |||
5.17. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 24 | 5.17. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 25 | |||
5.18. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 24 | 5.18. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 25 | |||
5.19. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 24 | 5.19. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25 | |||
5.20. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 25 | 5.20. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 26 | |||
5.21. Catalogue of ITU-T Recommendations related to | 5.21. Catalogue of ITU-T Recommendations related to | |||
Communications System Security . . . . . . . . . . . . . . 25 | Communications System Security . . . . . . . . . . . . . . 26 | |||
5.22. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 25 | 5.22. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 26 | |||
5.23. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 26 | 5.23. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 27 | |||
5.24. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 26 | 5.24. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 27 | |||
5.25. OASIS Security Joint Committee . . . . . . . . . . . . . . 26 | 5.25. OASIS Security Joint Committee . . . . . . . . . . . . . . 27 | |||
5.26. OASIS Security Services (SAML) TC . . . . . . . . . . . . 27 | 5.26. OASIS Security Services (SAML) TC . . . . . . . . . . . . 28 | |||
5.27. OIF Implementation Agreements . . . . . . . . . . . . . . 27 | 5.27. OIF Implementation Agreements . . . . . . . . . . . . . . 28 | |||
5.28. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 5.28. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
5.29. WS-I Basic Security Profile . . . . . . . . . . . . . . . 28 | 5.29. WS-I Basic Security Profile . . . . . . . . . . . . . . . 29 | |||
5.30. NIST Special Publications (800 Series) . . . . . . . . . . 28 | 5.30. NIST Special Publications (800 Series) . . . . . . . . . . 29 | |||
5.31. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 28 | 5.31. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 29 | |||
5.32. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 28 | 5.32. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 29 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | 5.33. SANS Information Security Reading Room . . . . . . . . . . 30 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 31 | |||
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | |||
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 32 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 34 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 | ||||
1. Introduction | 1. Introduction | |||
The Internet is being recognized as a critical infrastructure similar | The Internet is being recognized as a critical infrastructure similar | |||
in nature to the power grid and a potable water supply. Just like | in nature to the power grid and a potable water supply. Just like | |||
those infrastructures, means are needed to provide resiliency and | those infrastructures, means are needed to provide resiliency and | |||
adaptability to the Internet so that it remains consistently | adaptability to the Internet so that it remains consistently | |||
available to the public throughout the world even during times of | available to the public throughout the world even during times of | |||
duress or attack. For this reason, many SDOs are developing | duress or attack. For this reason, many SDOs are developing | |||
standards with hopes of retaining an acceptable level, or even | standards with hopes of retaining an acceptable level, or even | |||
skipping to change at page 7, line 5 | skipping to change at page 6, line 7 | |||
document could be a useful reference in producing the documents | document could be a useful reference in producing the documents | |||
described in the Working Group Charter. The authors have agreed to | described in the Working Group Charter. The authors have agreed to | |||
keep this document current and request that those who read it will | keep this document current and request that those who read it will | |||
submit corrections or comments. | submit corrections or comments. | |||
Comments on this document may be addressed to the OpSec Working Group | Comments on this document may be addressed to the OpSec Working Group | |||
or directly to the authors. | or directly to the authors. | |||
opsec@ops.ietf.org | opsec@ops.ietf.org | |||
This document will be updated in sections. The most recently updated | ||||
part of this document is Section 3. | ||||
2. Format of this Document | 2. Format of this Document | |||
The body of this document has three sections. | The body of this document has three sections. | |||
The first part of the body of this document, Section 3, contains a | The first part of the body of this document, Section 3, contains a | |||
listing of online glossaries relating to networking and security. It | listing of online glossaries relating to networking and security. It | |||
is very important that the definitions of words relating to security | is very important that the definitions of words relating to security | |||
and security events be consistent. Inconsistencies between the | and security events be consistent. Inconsistencies between the | |||
useage of words on standards is unacceptable as it would prevent a | useage of words on standards is unacceptable as it would prevent a | |||
reader of two standards to appropriately relate their | reader of two standards to appropriately relate their | |||
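Review bot: dropping the "This document will be updated in sections. The most recently updated part of this document is Section 3." paragraph is the right call, since the -14 entry in Section 9 now records which section was reviewed and that note would otherwise go stale with every revision. While here, the unchanged context that follows has "useage" for "usage", and "prevent a reader of two standards to appropriately relate their" should read "prevent a reader of two standards from appropriately relating their".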
skipping to change at page 8, line 10 | skipping to change at page 8, line 10 | |||
The third part, Section 5, lists the documents which have been found | The third part, Section 5, lists the documents which have been found | |||
to offer good practices or recommendations for securing networks and | to offer good practices or recommendations for securing networks and | |||
networking devices. | networking devices. | |||
3. Online Security Glossaries | 3. Online Security Glossaries | |||
This section contains references to glossaries of network and | This section contains references to glossaries of network and | |||
computer security terms | computer security terms | |||
3.1. ATIS Telecom Glossary 2000 | 3.1. ATIS Telecom Glossary 2007 | |||
http://www.atis.org/tg2k/ | http://www.atis.org/tg2k/ | |||
Under an approved T1 standards project (T1A1-20), an existing 5800- | This Glossary began as a 5800-entry, search-enabled hypertext | |||
entry, search-enabled hypertext telecommunications glossary titled | telecommunications glossary titled Federal Standard 1037C, Glossary | |||
Federal Standard 1037C, Glossary of Telecommunication Terms was | of Telecommunication Terms . Federal Standard 1037C was updated and | |||
updated and matured into this glossary, T1.523-2001, Telecom Glossary | matured into an American National Standard (ANS): T1.523-2001, | |||
2000. This updated glossary was posted on the Web as an American | Telecom Glossary 2000 , under the aegis of ASC T1. In turn, T1.523- | |||
National Standard (ANS). | 2001 has been revised and redesignated under the ATIS procedures for | |||
ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007. | ||||
Date published: 2007 | ||||
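Review bot: the rewritten 3.1 text has a space before the punctuation in the two titles ("Glossary of Telecommunication Terms ." and "Telecom Glossary 2000 ,"), apparently left behind when the title markup was dropped; close those up. Also, the heading and the new last sentence say the glossary is now ATIS-0100523.2007, ATIS Telecom Glossary 2007, but the link under the heading is still http://www.atis.org/tg2k/, the Telecom Glossary 2000 address; confirm that it still serves the 2007 edition or update it together with the title so the URL and the "Date published: 2007" line agree.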
3.2. Internet Security Glossary - RFC 4949 | 3.2. Internet Security Glossary - RFC 4949 | |||
http://www.ietf.org/rfc/rfc4949.txt | http://www.ietf.org/rfc/rfc4949.txt | |||
This document was originally created as RFC 2828 in May 2000. It was | This document was originally created as RFC 2828 in May 2000. It was | |||
revised as RFC 4949 and the document defines itself to be, "an | revised as RFC 4949 and the document defines itself to be, "an | |||
internally consistent, complementary set of abbreviations, | internally consistent, complementary set of abbreviations, | |||
definitions, explanations, and recommendations for use of terminology | definitions, explanations, and recommendations for use of terminology | |||
related to information system security." | related to information system security." | |||
Date published: August 2007 | ||||
3.3. Compendium of Approved ITU-T Security Definitions | 3.3. Compendium of Approved ITU-T Security Definitions | |||
http://www.itu.int/itudoc/itu-t/com17/activity/def004.html | http://www.itu.int/itudoc/itu-t/com17/activity/add002.html | |||
Addendum to the Compendium of the Approved ITU-T Security-related | Addendum to the Compendium of the Approved ITU-T Security-related | |||
Definitions | Definitions | |||
http://www.itu.int/itudoc/itu-t/com17/activity/add002.html | ||||
These extensive materials were created from approved ITU-T | These extensive materials were created from approved ITU-T | |||
Recommendations with a view toward establishing a common | Recommendations with a view toward establishing a common | |||
understanding and use of security terms within ITU-T. | understanding and use of security terms within ITU-T. The original | |||
Compendium was compiled by SG 17, Lead Study Group on Communication | ||||
Systems Security (LSG-CSS). | ||||
http://www.itu.int/itudoc/itu-t/com17/activity/def004.html | ||||
3.4. Microsoft Solutions for Security Glossary | Date published: 2003 | |||
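Review bot: the URL placement in 3.3 looks swapped. In -14 the line directly under the section heading, which a reader will take as the Compendium's own link, now reads .../com17/activity/add002.html, the address the following title identifies as the Addendum, while the original Compendium address .../com17/activity/def004.html has moved to the end of the section with no title in front of it. Keep each link under its own title: def004.html under the Compendium, add002.html under the Addendum. The added sentence attributing the original Compendium to SG 17 (LSG-CSS) and the "Date published: 2003" line are good additions.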
3.4. Microsoft Malware Protection Center | ||||
http://www.microsoft.com/security/glossary.mspx | http://www.microsoft.com/security/glossary.mspx | |||
The Microsoft Solutions for Security Glossary was created to explain | The Microsoft Malware Protection Center, Threat Research and Response | |||
the concepts, technologies, and products associated with computer | Glossary was created to explain the concepts, technologies, and | |||
security. This glossary contains several definitions specific to | products associated with computer security. | |||
Microsoft proprietary technologies and product solutions. | ||||
Date published: indeterminate | ||||
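Review bot: the new heading "Microsoft Malware Protection Center" names the organization rather than the glossary that Section 3 lists, and the body then calls it the "Threat Research and Response Glossary"; use one name for the glossary itself in the heading and in the TOC entry for 3.4. The rewrite also drops the -13 caveat that the glossary contains definitions specific to Microsoft proprietary technologies and product solutions; that warning is worth keeping for a reader looking for vendor-neutral definitions, since the section's stated purpose is consistent use of security terms across standards.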
3.5. SANS Glossary of Security Terms | 3.5. SANS Glossary of Security Terms | |||
http://www.sans.org/resources/glossary.php | http://www.sans.org/resources/glossary.php | |||
The SANS Institute (SysAdmin, Audit, Network, Security) was created | The SANS Institute (SysAdmin, Audit, Network, Security) was created | |||
in 1989 as, "a cooperative research and education organization." | in 1989 as, "a cooperative research and education organization." | |||
Updated in May 2003, SANS cites the NSA for their help in creating | This glossary was pdated in May 2003. The SANS Institute is also | |||
the online glossary of security terms. The SANS Institute is also | ||||
home to many other resources including the SANS Intrusion Detection | home to many other resources including the SANS Intrusion Detection | |||
FAQ and the SANS/FBI Top 20 Vulnerabilities List. | FAQ and the SANS/FBI Top 20 Vulnerabilities List. | |||
Date published: indeterminate | ||||
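Review bot: typo in the new sentence: "This glossary was pdated in May 2003" should read "updated". With that date already in the text, the closing "Date published: indeterminate" line contradicts it; either put May 2003 on that line or change it to "Date updated: May 2003", matching the "Date updated" form used for 3.6. The -13 sentence crediting the NSA for help with the glossary was removed in the rewrite; if the attribution is no longer on the SANS page, fine, otherwise keep it.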
3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler | 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler | |||
http://www.garlic.com/~lynn/secure.htm | http://www.garlic.com/~lynn/secure.htm | |||
Anne and Lynn Wheeler maintain a security taxonomy and glossary with | Anne and Lynn Wheeler maintain a security taxonomy and glossary with | |||
terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, | terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, | |||
FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/ | FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/ | |||
SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, | SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, | |||
800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA | 800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA | |||
Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, | Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, | |||
RFC2647, RFC2828, TCSEC, TDI, and TNI. | RFC2647, RFC2828, TCSEC, TDI, and TNI. | |||
Date updated: October 2010 | ||||
3.7. NIST - Glossary of Key Information Security Terms | ||||
http://csrc.nist.gov/publications/nistir/ | ||||
NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf | ||||
This glossary of basic security terms has been extracted from NIST | ||||
Federal Information Processing Standards (FIPS) and the Special | ||||
Publication (SP) 800 series. The terms included are not all | ||||
inclusive of terms found in these publications, but are a subset of | ||||
basic terms that are most frequently used. The purpose of this | ||||
glossary is to provide a central resource of definitions most | ||||
commonly used in NIST security publications. | ||||
Date published: April 2006 | ||||
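Review bot: the link in the new 3.7 is wrapped across two lines (http://csrc.nist.gov/publications/nistir/ followed by NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf) with nothing to show that they form one URL; the other glossary entries keep each URL on a single line. If the line length forces a break, mark it as a single reference, and name the report (NISTIR 7298, which is visible only in the file name) in the heading or first sentence so a reader who lands on a moved link can still find the document.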
4. Standards Developing Organizations | 4. Standards Developing Organizations | |||
This section of this document lists the SDOs, or organizations that | This section of this document lists the SDOs, or organizations that | |||
appear to be developing security related standards. These SDOs are | appear to be developing security related standards. These SDOs are | |||
listed in alphabetical order. | listed in alphabetical order. | |||
Note: The authors would appreciate corrections and additions. This | Note: The authors would appreciate corrections and additions. This | |||
note will be removed before publication as an RFC. | note will be removed before publication as an RFC. | |||
4.1. 3GPP - Third Generation Partnership Project | 4.1. 3GPP - Third Generation Partnership Project | |||
skipping to change at page 29, line 5 | skipping to change at page 30, line 5 | |||
ITL Bulletins are published by NIST's Information Technology | ITL Bulletins are published by NIST's Information Technology | |||
Laboratory, with most bulletins written by the Computer Security | Laboratory, with most bulletins written by the Computer Security | |||
Division. These bulletins are published on the average of six times | Division. These bulletins are published on the average of six times | |||
a year. Each bulletin presents an in-depth discussion of a single | a year. Each bulletin presents an in-depth discussion of a single | |||
topic of significant interest to the information systems community. | topic of significant interest to the information systems community. | |||
Not all of ITL Bulletins that are published relate to computer / | Not all of ITL Bulletins that are published relate to computer / | |||
network security. Only the computer security ITL Bulletins are found | network security. Only the computer security ITL Bulletins are found | |||
here. | here. | |||
5.33. SANS Information Security Reading Room | ||||
http://www.sans.org/reading_room/ | ||||
Featuring over 1,885 original computer security white papers in 75 | ||||
different categories. | ||||
Most of the computer security white papers in the Reading Room have | ||||
been written by students seeking GIAC certification to fulfill part | ||||
of their certification requirements and are provided by SANS as a | ||||
resource to benefit the security community at large. SANS attempts | ||||
to ensure the accuracy of information, but papers are published "as | ||||
is". Errors or inconsistencies may exist or may be introduced over | ||||
time as material becomes dated. | ||||
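Review bot: "Featuring over 1,885 original computer security white papers in 75 different categories." is a sentence fragment, and a figure that precise with "over" in front of it will be wrong almost as soon as the draft is posted; Section 6 already warns that the referenced material goes stale, so a qualitative description (a large collection of white papers across many categories) would age better. This is also the only entry added in -14 without a date line, and if the second paragraph is taken from the site's own description of the Reading Room it should be quoted, as 3.2 and 3.5 quote their sources.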
6. Security Considerations | 6. Security Considerations | |||
This document describes efforts to standardize security practices and | This document describes efforts to standardize security practices and | |||
documents. As such this document offers no security guidance | documents. As such this document offers no security guidance | |||
whatsoever. | whatsoever. | |||
Readers of this document should be aware of the date of publication | Readers of this document should be aware of the date of publication | |||
of this document. It is feared that they may assume that the | of this document. It is feared that they may assume that the | |||
efforts, on-line material, and documents are current whereas they may | efforts, on-line material, and documents are current whereas they may | |||
not be. Please consider this when reading this document. | not be. Please consider this when reading this document. | |||
skipping to change at page 31, line 13 | skipping to change at page 33, line 13 | |||
IANA to do anything. | IANA to do anything. | |||
8. Acknowledgments | 8. Acknowledgments | |||
The following people have contributed to this document. Listing | The following people have contributed to this document. Listing | |||
their names here does not mean that they endorse the document, but | their names here does not mean that they endorse the document, but | |||
that they have contributed to its substance. | that they have contributed to its substance. | |||
David Black, Mark Ellison, George Jones, Keith McCloghrie, John | David Black, Mark Ellison, George Jones, Keith McCloghrie, John | |||
McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce | McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce | |||
Moon. | Moon, Stephen Kent, Steve Wolff. | |||
9. Changes from Prior Drafts | 9. Changes from Prior Drafts | |||
-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt | -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt | |||
-01 : Security Glossaries: | -01 : Security Glossaries: | |||
Added ATIS Telecom Glossary 2000, Critical Infrastructure | Added ATIS Telecom Glossary 2000, Critical Infrastructure | |||
Glossary of Terms and Acronyms, Microsoft Solutions for | Glossary of Terms and Acronyms, Microsoft Solutions for | |||
Security Glossary, and USC InfoSec Glossary. | Security Glossary, and USC InfoSec Glossary. | |||
skipping to change at page 34, line 20 | skipping to change at page 36, line 20 | |||
-10 : Tenth revision of the WG ID. | -10 : Tenth revision of the WG ID. | |||
Added references to NIST documents, recommended by Steve Wolff. | Added references to NIST documents, recommended by Steve Wolff. | |||
Updated the date. | Updated the date. | |||
-11 : Eleventh revision of the WG ID. | -11 : Eleventh revision of the WG ID. | |||
Updated the date. | Updated the date. | |||
-12 : Eleventh revision of the WG ID. | -12 : Twelfth revision of the WG ID. | |||
Updated the date. | Updated the date. | |||
-13 : Nothing new. | -13 : Nothing new. | |||
Updated the date. | Updated the date. | |||
-14 : Fourteenth revision of the WG ID. | ||||
Updated the date and reviewed the accuracy of Section 3. | ||||
Updated the section on Compendium of Approved ITU-T Security | ||||
Definitions | ||||
Updated the section on the Microsoft glossary. | ||||
Updated the section on the SANS glossary. | ||||
Added the NIST Security glossary. | ||||
Added dates to all glossaries - where I could find them. | ||||
Added the SANS Reading Room material to Section 5. | ||||
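Review bot: the correction of the -12 entry from "Eleventh" to "Twelfth" is good. In the -14 entry, "Updated the section on Compendium of Approved ITU-T Security Definitions" is missing its terminating period, and "where I could find them" is first person in a two-author working group document; "where available" matches the register of the other entries.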
Note: This section will be removed before publication as an RFC. | Note: This section will be removed before publication as an RFC. | |||
Authors' Addresses | Authors' Addresses | |||
Chris Lonvick | Chris Lonvick | |||
Cisco Systems | Cisco Systems | |||
12515 Research Blvd. | 12515 Research Blvd. | |||
Austin, Texas 78759 | Austin, Texas 78759 | |||
US | US | |||
End of changes. 47 change blocks.
99 lines changed or deleted | 165 lines changed or added
This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/