--- 1/draft-ietf-opsec-efforts-14.txt 2011-02-15 04:16:29.000000000 +0100 +++ 2/draft-ietf-opsec-efforts-15.txt 2011-02-15 04:16:29.000000000 +0100 @@ -1,18 +1,18 @@ Network Working Group C. Lonvick Internet-Draft D. Spak Intended status: Informational Cisco Systems -Expires: August 11, 2011 February 7, 2011 +Expires: August 18, 2011 February 14, 2011 Security Best Practices Efforts and Documents - draft-ietf-opsec-efforts-14.txt + draft-ietf-opsec-efforts-15.txt Abstract This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO). Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the @@ -27,21 +27,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 11, 2011. + This Internet-Draft will expire on August 18, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -59,117 +59,117 @@ 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 8 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 8 3.3. Compendium of Approved ITU-T Security Definitions . . . . 8 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 9 3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 9 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 9 3.7. NIST - Glossary of Key Information Security Terms . . . . 9 4. Standards Developing Organizations . . . . . . . . . . . . . . 11 4.1. 3GPP - Third Generation Partnership Project . . . . . . . 11 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11 - 4.3. ANSI - The American National Standards Institute . . . . . 11 - 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11 + 4.3. ANSI - The American National Standards Institute . . . . . 12 + 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 12 4.4. ATIS - Alliance for Telecommunications Industry Solutions . . . . . . . . . . . . . . . . . . . . . . . . 12 - 4.4.1. ATIS NIPP - Network Interface, Power, and - Protection Committee, formerly T1E1 . . . . . . . . . 12 - 4.4.2. ATIS NPRQ - Network Performance, Reliability, and - Quality of Service Committee, formerly T1A1 . . . . . 12 - 4.4.3. ATIS OBF - Ordering and Billing Forum, formerly - regarding T1M1 O&B . . . . . . . . . . . . . . . . . . 12 - 4.4.4. ATIS OPTXS - Optical Transport and Synchronization - Committee, formerly T1X1 . . . . . . . . . . . . . . . 13 - 4.4.5. ATIS TMOC - Telecom Management and Operations - Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13 - 4.4.6. ATIS WTSC - Wireless Technologies and Systems - Committee, formerly T1P1 . . . . . . . . . . . . . . . 13 - 4.4.7. ATIS PTSC - Packet Technologies and Systems - Committee, formerly T1S1 . . . . . . . . . . . . . . . 13 - 4.4.8. ATIS Protocol Interworking Committee, regarding - T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 
14 + 4.4.1. ATIS NPRQ - Network Performance, Reliability, and + Quality of Service Committee, formerly T1A1 . . . . . 13 + 4.4.2. ATIS TMOC - Telecom Management and Operations + Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 14 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 14 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 4.7. ETSI - The European Telecommunications Standard - Institute . . . . . . . . . . . . . . . . . . . . . . . . 14 - 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 14 + Institute . . . . . . . . . . . . . . . . . . . . . . . . 15 + 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 15 + 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 15 + 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 16 + 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 16 4.9. IEEE - The Institute of Electrical and Electronics - Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15 - - 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 15 + Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 16 + 4.9.1. IEEE Computer Society's Technical Committee on + Security and Privacy . . . . . . . . . . . . . . . . . 17 + 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 17 + 4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 17 4.11. INCITS - InterNational Committee for Information - Technology Standards . . . . . . . . . . . . . . . . . . . 15 - 4.11.1. INCITS Technical Committee T11 - Fibre Channel - Interfaces . . . . . . . . . . . . . . . . . . . . . . 15 + Technology Standards . . . . . . . . . . . . . . . . . . . 17 + 4.11.1. Identification Cards and Related Devices (B10) . . . . 18 + 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 18 + 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 18 + 4.12. ISO - The International Organization for - Standardization . . . . . . . . . . . . . . . . . . 
. . . 15 - 4.13. ITU - International Telecommunication Union . . . . . . . 16 + Standardization . . . . . . . . . . . . . . . . . . . . . 18 + 4.13. ITU - International Telecommunication Union . . . . . . . 19 4.13.1. ITU Telecommunication Standardization Sector - - ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 16 - 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 16 - 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 16 + ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 19 + 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 20 + 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 20 4.14. OASIS - Organization for the Advancement of - Structured Information Standards . . . . . . . . . . . . . 16 - 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 17 + Structured Information Standards . . . . . . . . . . . . . 21 + 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 21 + 4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 22 4.16. NRIC - The Network Reliability and Interoperability - Council . . . . . . . . . . . . . . . . . . . . . . . . . 17 + Council . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.17. National Security Telecommunications Advisory - Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 17 - 4.18. TIA - The Telecommunications Industry Association . . . . 17 - 4.19. TTA - Telecommunications Technology Association . . . . . 18 - 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 18 - 4.21. Web Services Interoperability Organization (WS-I) . . . . 18 - 5. Security Best Practices Efforts and Documents . . . . . . . . 19 - 5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 19 - 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 19 + Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 22 + 4.18. TIA - The Telecommunications Industry Association . . . . 23 + 4.18.1. 
Critical Infrastructure Protection (CIP) and + Homeland Security (HS) . . . . . . . . . . . . . . . . 23 + 4.18.2. Commercial Encryption Source Code and Related + Information . . . . . . . . . . . . . . . . . . . . . 24 + 4.19. TTA - Telecommunications Technology Association . . . . . 24 + 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 24 + 4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 25 + 4.21.1. Security Management . . . . . . . . . . . . . . . . . 25 + 5. Security Best Practices Efforts and Documents . . . . . . . . 27 + 5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 27 + 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 27 5.3. American National Standard T1.276-2003 - Baseline - Security Requirements for the Management Plane . . . . . . 19 + Security Requirements for the Management Plane . . . . . . 27 5.4. DMTF - Security Protection and Management (SPAM) - Working Group . . . . . . . . . . . . . . . . . . . . . . 20 - 5.5. DMTF - User and Security Working Group . . . . . . . . . . 20 + Working Group . . . . . . . . . . . . . . . . . . . . . . 28 + 5.5. DMTF - User and Security Working Group . . . . . . . . . . 28 5.6. ATIS Work-Plan to Achieve Interoperable, - Implementable, End-To-End Standards and Solutions . . . . 20 - 5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 20 - 5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 21 - 5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 21 - 5.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 22 - 5.11. Information System Security Assurance Architecture . . . . 22 + Implementable, End-To-End Standards and Solutions . . . . 28 + 5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 28 + 5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 29 + 5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 29 + 5.9. 
ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 + 5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 30 + 5.11. Information System Security Assurance Architecture . . . . 30 5.12. Operational Security Requirements for IP Network - Infrastructure : Advanced Requirements . . . . . . . . . . 22 - 5.13. INCITS CS1 - Cyber Security . . . . . . . . . . . . . . . 23 - 5.14. ISO Guidelines for the Management of IT Security - - GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 23 - 5.15. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 24 - 5.16. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 24 - 5.17. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 25 - 5.18. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 25 - 5.19. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25 - 5.20. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 26 - 5.21. Catalogue of ITU-T Recommendations related to - Communications System Security . . . . . . . . . . . . . . 26 - 5.22. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 26 - 5.23. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 27 - 5.24. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 27 - 5.25. OASIS Security Joint Committee . . . . . . . . . . . . . . 27 - 5.26. OASIS Security Services (SAML) TC . . . . . . . . . . . . 28 - 5.27. OIF Implementation Agreements . . . . . . . . . . . . . . 28 - 5.28. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 - 5.29. WS-I Basic Security Profile . . . . . . . . . . . . . . . 29 - 5.30. NIST Special Publications (800 Series) . . . . . . . . . . 29 - 5.31. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 29 - 5.32. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 29 - 5.33. SANS Information Security Reading Room . . . . . . . . . . 30 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 31 - 7. IANA Considerations . . . . . . . . . . . . . 
. . . . . . . . 32 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 33 - 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 34 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 + Infrastructure : Advanced Requirements . . . . . . . . . . 30 + 5.13. ISO Guidelines for the Management of IT Security - + GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 5.14. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 32 + 5.15. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 32 + 5.16. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 32 + 5.17. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 33 + 5.18. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 33 + 5.19. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 33 + 5.20. Catalogue of ITU-T Recommendations related to + Communications System Security . . . . . . . . . . . . . . 34 + 5.21. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 34 + 5.22. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 34 + 5.23. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 35 + 5.24. OASIS Security Joint Committee . . . . . . . . . . . . . . 35 + 5.25. OASIS Security Services (SAML) TC . . . . . . . . . . . . 35 + 5.26. OIF Implementation Agreements . . . . . . . . . . . . . . 35 + 5.27. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 5.28. WS-I Basic Security Profile . . . . . . . . . . . . . . . 36 + 5.29. NIST Special Publications (800 Series) . . . . . . . . . . 36 + 5.30. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 37 + 5.31. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 37 + 5.32. SANS Information Security Reading Room . . . . . . . . . . 37 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 38 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40 + 9. 
Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 41 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 1. Introduction The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level, or even 
@@ -353,363 +353,716 @@ The 3rd Generation Partnership Project (3GPP) is a collaboration agreement formed in December 1998. The collaboration agreement is comprised of several telecommunications standards bodies which are known as "Organizational Partners". The current Organizational Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. 4.2. 3GPP2 - Third Generation Partnership Project 2 http://www.3gpp2.org/ - Third Generation Partnership Project 2 (3GPP2) is a collaboration - among Organizational Partners much like its sister project 3GPP. The - Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, - CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes - the CDMA Development Group and IPv6 Forum as Market Representation - Partners for market advice. + The Third Generation Partnership Project 2 (3GPP2) is: + + a collaborative third generation (3G) telecommunications + specifications-setting project + + comprising North American and Asian interests developing global + specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication + Intersystem Operations network evolution to 3G + + and global specifications for the radio transmission technologies + (RTTs) supported by ANSI/TIA/EIA-41. + + 3GPP2 was born out of the International Telecommunication Union's + (ITU) International Mobile Telecommunications "IMT-2000" initiative, + covering high speed, broadband, and Internet Protocol (IP)-based + mobile systems featuring network-to-network interconnection, feature/ + service transparency, global roaming and seamless services + independent of location. IMT-2000 is intended to bring high-quality + mobile multimedia telecommunications to a worldwide mass market by + achieving the goals of increasing the speed and ease of wireless + communications, responding to the problems faced by the increased + demand to pass data via telecommunications, and providing "anytime, + anywhere" services. 4.3. 
ANSI - The American National Standards Institute http://www.ansi.org/ - ANSI is a private, non-profit organization that organizes and - oversees the U.S. voluntary standardization and conformity assessment - system. ANSI was founded October 19, 1918. + As the voice of the U.S. standards and conformity assessment system, + the American National Standards Institute (ANSI) empowers its members + and constituents to strengthen the U.S. marketplace position in the + global economy while helping to assure the safety and health of + consumers and the protection of the environment. + + The Institute oversees the creation, promulgation and use of + thousands of norms and guidelines that directly impact businesses in + nearly every sector: from acoustical devices to construction + equipment, from dairy and livestock production to energy + distribution, and many more. ANSI is also actively engaged in + accrediting programs that assess conformance to standards - including + globally-recognized cross-sector programs such as the ISO 9000 + (quality) and ISO 14000 (environmental) management systems. 4.3.1. Accredited Standards Committee X9 (ASC X9) http://www.x9.org/ The Accredited Standards Committee X9 (ASC X9) has the mission to develop, establish, maintain, and promote standards for the Financial - Services Industry in order to facilitate delivery of financial - services and products. + Services Industry in order to facilitate the delivery of financial + services and products. 
Under this mission ASC X9 fulfills the + objectives of: (1) Supporting (maintain, enhance, and promote use of) + existing standards; (2) Facilitating development of new, open + standards based upon consensus; (3) Providing a common source for all + standards affecting the Financial Services Industry; (4) Focusing on + current and future standards needs of the Financial Services + Industry; (5) Promoting use of Financial Services Industry standards; + and (6) Participating and promoting the development of international + standards. 4.4. ATIS - Alliance for Telecommunications Industry Solutions http://www.atis.org/ - ATIS is a United States based body that is committed to rapidly - developing and promoting technical and operations standards for the - communications and related information technologies industry - worldwide using pragmatic, flexible and open approach. Committee T1 - as a group no longer exists as a result of the recent ATIS - reorganization on January 1, 2004. ATIS has restructured the former - T1 technical subcommittees into full ATIS standards committees to - easily identify and promote the nature of standards work each - committee performs. Due to the reorganization, some groups may have - a new mission and scope statement. + ATIS prioritizes the industry's most pressing, technical and + operational issues, and creates interoperable, implementable, end to + end solutions -- standards when the industry needs them and where + they need them. -4.4.1. ATIS NIPP - Network Interface, Power, and Protection Committee, - formerly T1E1 + Over 600 industry professionals from more than 250 communications + companies actively participate in ATIS committees and incubator + solutions programs. - http://www.atis.org/0050/index.asp + ATIS develops standards and solutions addressing a wide range of + industry issues in a manner that allocates and coordinates industry + resources and produces the greatest return for communications + companies. 
- ATIS Network Interface, Power, and Protection Committee develops and - recommends standards and technical reports related to power systems, - electrical and physical protection for the exchange and interexchange - carrier networks, and interfaces associated with user access to - telecommunications networks. + ATIS creates solutions that support the rollout of new products and + services into the information, entertainment and communications + marketplace. Its activities provide the basis for the industry's + delivery of: -4.4.2. ATIS NPRQ - Network Performance, Reliability, and Quality of - Service Committee, formerly T1A1 + Existing and next generation IP-based infrastructures; - http://www.atis.org/0010/index.asp + Reliable converged multimedia services, including IPTV; - ATIS Network Performance, Reliability and Quality of Service - Committee develops and recommends standards, requirements, and - technical reports related to the performance, reliability, and - associated security aspects of communications networks, as well as - the processing of voice, audio, data, image, and video signals, and - their multimedia integration. + Enhanced Operations Support Systems and Business Support Systems; + and -4.4.3. ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1 - O&B + Greater levels of service quality and performance. - http://www.atis.org/obf/index.asp + ATIS is accredited by the American National Standards Institute + (ANSI). - The T1M1 O&B subcommittee has become part of the ATIS Ordering and - Billing Forum. +4.4.1. ATIS NPRQ - Network Performance, Reliability, and Quality of + Service Committee, formerly T1A1 - The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum - for customers and providers in the telecommunications industry to - identify, discuss and resolve national issues which affect ordering, - billing, provisioning and exchange of information about access - services, other connectivity and related matters. 
+ http://www.atis.org/0010/index.asp -4.4.4. ATIS OPTXS - Optical Transport and Synchronization Committee, - formerly T1X1 + PRQC develops and recommends standards,requirements, and technical + reports related to the performance,reliability, and associated + security aspects of communications networks, as well as the + processing of voice, audio, data, image,and video signals, and their + multimedia integration. PRQC alsodevelops andrecommends positions + on, and foster consistency with, standards and related subjects under + consideration in other North American and international standards + bodies. - http://www.atis.org/0240/index.asp + PRQC Focus Areas are: - ATIS Optical Transport and Synchronization Committee develops and - recommends standards and prepares technical reports related to - telecommunications network technology pertaining to network - synchronization interfaces and hierarchical structures including - optical technology. + Performance and Reliability of Networks (e.g. IP, ATM, OTN, and + PSTN), and Services (e.g. Frame Relay, Dedicated and Switched + Data), -4.4.5. ATIS TMOC - Telecom Management and Operations Committee, + Security-related aspects, + + Emergency communications-related aspects, + + Coding (e.g. video and speech), at and between carrier-to-carrier + and carrier-to-customer interfaces, with due consideration of end- + user applications. + +4.4.2. ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P http://www.atis.org/0130/index.asp - ATIS Telecom Management and Operations Committee develops - internetwork operations, administration, maintenance and provisioning - standards, and technical reports related to interfaces for - telecommunications networks. 
+ The Telecom Management and Operations Committee (TMOC) develops + operations, administration, maintenance and provisioning standards, + and other documentation related to Operations Support System (OSS) + and Network Element (NE) functions and interfaces for communications + networks - with an emphasis on standards development related to + U.S.A. communication networks in coordination with the development of + international standards. -4.4.6. ATIS WTSC - Wireless Technologies and Systems Committee, - formerly T1P1 + The scope of the work in TMOC includes the development of standards + and other documentation for communications network operations and + management areas, such as: Configuration Management, Performance + Management (including in-service transport performance management), + Fault Management, Security Management (including management plane + security), Accounting Management, Coding/Language Data + Representation, Common/Underlying Management Functionality/ + Technology, and Ancillary Functions (such as network tones and + announcements). This work requires close and coordinated working + relationships with other domestic and international standards + development organizations and industry forums. - http://www.atis.org/0160/index.asp +4.5. CC - Common Criteria - ATIS Wireless Technologies and Systems Committee develops and - recommends standards and technical reports related to wireless and/or - mobile services and systems, including service descriptions and - wireless technologies. + http://www.commoncriteriaportal.org/ -4.4.7. ATIS PTSC - Packet Technologies and Systems Committee, formerly - T1S1 + Common Criteria is a framework in which computer system users can + specify their security functional and assurance requirements, vendors + can then implement and/or make claims about the security attributes + of their products, and testing laboratories can evaluate the products + to determine if they actually meet the claims. 
In other words, + Common Criteria provides assurance that the process of specification, + implementation and evaluation of a computer security product has been + conducted in a rigorous and standard manner. [attribute wikipedia] - http://www.atis.org/0191/index.asp +4.6. DMTF - Distributed Management Task Force, Inc. - T1S1 was split into two separate ATIS committees: the ATIS Packet - Technologies and Systems Committee and the ATIS Protocol Interworking - Committee. PTSC is responsible for producing standards to secure - signalling. + http://www.dmtf.org/ - The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot - at this time. It is expected to move to an ANSI standard. + DMTF enables more effective management of millions of IT systems + worldwide by bringing the IT industry together to collaborate on the + development, validation and promotion of systems management + standards. DMTF management standards are critical to enabling + management interoperability among multi-vendor systems, tools and + solutions within the enterprise. We are committed to protecting + companies' IT investments by creating standards that promote multi- + vendor interoperability. Our dedication to fostering collaboration + within the industry provides a win-win situation for vendors and IT + personnel alike. -4.4.8. ATIS Protocol Interworking Committee, regarding T1S1 +4.7. ETSI - The European Telecommunications Standard Institute - T1S1 was split into two separate ATIS committees: the ATIS Packet - Technologies and Systems Committee and the ATIS Protocol Interworking - Committee. As a result of the reorganization of T1S1, these groups - will also probably have a new mission and scope. + http://www.etsi.org/ -4.5. CC - Common Criteria + The European Telecommunications Standards Institute (ETSI) produces + globally-applicable standards for Information and Communications + Technologies (ICT), including fixed, mobile, radio, converged, + broadcast and internet technologies. 
- http://www.commoncriteriaportal.org/ + ETSI is officially recognized by the European Union as a European + Standards Organization. - In June 1993, the sponsoring organizations of the existing US, - Canadian, and European criterias (TCSEC, ITSEC, and similar) started - the Common Criteria Project to align their separate criteria into a - single set of IT security criteria. +4.7.1. ETSI SEC -4.6. DMTF - Distributed Management Task Force, Inc. + http://portal.etsi.org/portal/server.pt/gateway/ + PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp - http://www.dmtf.org/ + Board#38 confirmed the closure of TC SEC. - Founded in 1992, the DMTF brings the technology industry's customers - and top vendors together in a collaborative, working group approach - that involves DMTF members in all aspects of specification - development and refinement. + At the same time it approved the creation of an OCG Ad Hoc group OCG + Security -4.7. ETSI - The European Telecommunications Standard Institute + TC SEC documents can be found in the SEC archive - http://www.etsi.org/ + The SEC Working groups (ESI and LI) were closed and TC ESI and a TC + LI were created to continue the work. - ETSI is an independent, non-profit organization which produces - telecommunications standards. ETSI is based in Sophia-Antipolis in - the south of France and maintains a membership from 55 countries. + All documents and information relevant to ESI and LI are available + from the TC ESI and TC LI sites - Joint work between ETSI and ITU-T SG-17 +4.7.2. ETSI OCG SEC - http://www.tta.or.kr/gsc/upload/ - GSC9_Joint_011_Security_Standardization_in_ITU.ppt + http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp + + The group's primary role is to provide a light-weight horizontal co- + ordination structure for security issues that will ensure this work + is seriously considered in each ETSI TB and that any duplicate or + conflicting work is detected. 
To achieve this aim the group should + mainly conduct its work via email and, where appropriate, co-sited + "joint security" technical working meetings. + + When scheduled, appropriate time at each "joint SEC" meeting should + be allocated during the meetings to allow for: + + Individual committee activities as well as common work; + + Coordination between the committees; and + + Experts to contribute to more than one committee. 4.8. GGF - Global Grid Forum http://www.gridforum.org/ The Global Grid Forum (GGF) is a community-initiated forum of thousands of individuals from industry and research leading the global standardization effort for grid computing. GGF's primary objectives are to promote and support the development, deployment, and implementation of grid technologies and applications via the creation and documentation of "best practices" - technical specifications, user experiences, and implementation guidelines. +4.8.1. Global Grid Forum Security Area + + http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7 + + The Security Area is concerned with technical and operational + security issues in Grid environments, including authentication, + authorization, privacy, confidentiality, auditing, firewalls, trust + establishment, policy establishment, and dynamics, scalability and + management aspects of all of the above. + + The Security Area is comprised of the following Working Groups and + Research Groups. + + Certificate Authority Operations WG (CAOPS-WG) + + Firewall Issues RG (FI-RG) + + Levels Of Authentication Assurance Research Group (LOA-RG) + + OGSA Authorization WG (OGSA-AUTHZ-WG) + 4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc. http://www.ieee.org/ - IEEE is a non-profit, professional association of more than 360,000 - individual members in approximately 175 countries. 
The IEEE produces - 30 percent of the world's published literature in electrical - engineering, computers, and control technology through its technical - publishing, conferences, and consensus-based standards activities. + IEEE is the world's largest professional association dedicated to + advancing technological innovation and excellence for the benefit of + humanity. IEEE and its members inspire a global community through + IEEE's highly cited publications, conferences, technology standards, + and professional and educational activities. + +4.9.1. IEEE Computer Society's Technical Committee on Security and + Privacy + + http://www.ieee-security.org/ 4.10. IETF - The Internet Engineering Task Force http://www.ietf.org/ - IETF is a large, international community open to any interested - individual concerned with the evolution of the Internet architecture - and the smooth operation of the Internet. + The goal of the IETF is to make the Internet work better. + + The mission of the IETF is to make the Internet work better by + producing high quality, relevant technical documents that influence + the way people design, use, and manage the Internet. + +4.10.1. IETF Security Area + + The Working Groups in the Security Area may be found from this page. + + http://datatracker.ietf.org/wg/ + + The wiki page for the IETF Security Area may be found here. + + http://trac.tools.ietf.org/area/sec/trac/wiki 4.11. INCITS - InterNational Committee for Information Technology Standards http://www.incits.org/ - INCITS focuses upon standardization in the field of Information and - Communications Technologies (ICT), encompassing storage, processing, - transfer, display, management, organization, and retrieval of - information. + INCITS is the primary U.S. focus of standardization in the field of + Information and Communications Technologies (ICT), encompassing + storage, processing, transfer, display, management, organization, and + retrieval of information. 
As such, INCITS also serves as ANSI's + Technical Advisory Group for ISO/IEC Joint Technical Committee 1. + JTC 1 is responsible for International standardization in the field + of Information Technology. -4.11.1. INCITS Technical Committee T11 - Fibre Channel Interfaces + There are three active Groups in the Security / ID Technical + Committee. - http://www.t11.org/index.htm +4.11.1. Identification Cards and Related Devices (B10) - T11 is responsible for standards development in the areas of - Intelligent Peripheral Interface (IPI), High-Performance Parallel - Interface (HIPPI) and Fibre Channel (FC). T11 has a project called - FC-SP to define Security Protocols for Fibre Channel. + http://standards.incits.org/a/public/group/b10 - FC-SP Project Proposal: - ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf + Development of national and international standards in the area of + identification cards and related devices for use in inter-industry + applications and international interchange. + +4.11.2. Cyber Security (CS1) + + http://standards.incits.org/a/public/group/cs1 + + INCITS/CS1 was established in April 2005 to serve as the US TAG for + ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups. + + The scope of CS1 explicitly excludes the areas of work on cyber + security standardization presently underway in INCITS B10, M1, T3, + T10 and T11; as well as other standard groups, such as ATIS, IEEE, + IETF, TIA, and X9. + +4.11.3. Biometrics (M1) + + http://standards.incits.org/a/public/group/m1 + + INCITS/M1, Biometrics Technical Committee was established by the + Executive Board of INCITS in November 2001 to ensure a high priority, + focused, and comprehensive approach in the United States for the + rapid development and approval of formal national and international + generic biometric standards. 
The M1 program of work includes + biometric standards for data interchange formats, common file + formats, application program interfaces, profiles, and performance + testing and reporting. The goal of M1's work is to accelerate the + deployment of significantly better, standards-based security + solutions for purposes, such as, homeland defense and the prevention + of identity theft as well as other government and commercial + applications based on biometric personal authentication. 4.12. ISO - The International Organization for Standardization http://www.iso.org/ - ISO is a network of the national standards institutes of 148 - countries, on the basis of one member per country, with a Central - Secretariat in Geneva, Switzerland, that coordinates the system. ISO - officially began operations on February 23, 1947. + SO (International Organization for Standardization) is the world's + largest developer and publisher of International Standards. + + ISO is a network of the national standards institutes of 160 + countries, one member per country, with a Central Secretariat in + Geneva, Switzerland, that coordinates the system. + + ISO is a non-governmental organization that forms a bridge between + the public and private sectors. On the one hand, many of its member + institutes are part of the governmental structure of their countries, + or are mandated by their government. On the other hand, other + members have their roots uniquely in the private sector, having been + set up by national partnerships of industry associations. + + Therefore, ISO enables a consensus to be reached on solutions that + meet both the requirements of business and the broader needs of + society. 4.13. ITU - International Telecommunication Union http://www.itu.int/ - The ITU is an international organization within the United Nations - System headquartered in Geneva, Switzerland. 
The ITU is comprised of - three sectors: + ITU is the leading United Nations agency for information and + communication technology issues, and the global focal point for + governments and the private sector in developing networks and + services. For 145 years, ITU has coordinated the shared global use + of the radio spectrum, promoted international cooperation in + assigning satellite orbits, worked to improve telecommunication + infrastructure in the developing world, established the worldwide + standards that foster seamless interconnection of a vast range of + communications systems and addressed the global challenges of our + times, such as mitigating climate change and strengthening + cybersecurity. + + ITU also organizes worldwide and regional exhibitions and forums, + such as ITU TELECOM WORLD, bringing together the most influential + representatives of government and the telecommunications and ICT + industry to exchange ideas, knowledge and technology for the benefit + of the global community, and in particular the developing world. + + From broadband Internet to latest-generation wireless technologies, + from aeronautical and maritime navigation to radio astronomy and + satellite-based meteorology, from convergence in fixed-mobile phone, + Internet access, data, voice and TV broadcasting to next-generation + networks, ITU is committed to connecting the world. + + The ITU is comprised of three sectors: 4.13.1. ITU Telecommunication Standardization Sector - ITU-T http://www.itu.int/ITU-T/ - ITU-T's mission is to ensure an efficient and on-time production of - high quality standards covering all fields of telecommunications. + ITU-T Recommendations are defining elements in information and + communication technologies (ICTs) infrastructure. Whether we + exchange voice, data or video messages, communications cannot take + place without standards linking the sender and the receiver. 
Today's + work extends well beyond the traditional areas of telephony to + encompass a far wider range of information and communications + technologies. 4.13.2. ITU Radiocommunication Sector - ITU-R http://www.itu.int/ITU-R/ - The ITU-R plays a vital role in the management of the radio-frequency - spectrum and satellite orbits. + The ITU Radiocommunication Sector (ITU-R) plays a vital role in the + global management of the radio-frequency spectrum and satellite + orbits - limited natural resources which are increasingly in demand + from a large and growing number of services such as fixed, mobile, + broadcasting, amateur, space research, emergency telecommunications, + meteorology, global positioning systems, environmental monitoring and + communication services - that ensure safety of life on land, at sea + and in the skies. 4.13.3. ITU Telecom Development - ITU-D (also referred as ITU Telecommunication Development Bureau - BDT) http://www.itu.int/ITU-D/ - The Telecommunication Development Bureau (BDT) is the executive arm - of the Telecommunication Development Sector. Its duties and - responsibilities cover a variety of functions ranging from programme - supervision and technical advice to the collection, processing and - publication of information relevant to telecommunication development. + The mission of the Telecommunication Development Sector (ITU-D) aims + at achieving the Sector's objectives based on the right to + communicate of all inhabitants of the planet through access to + infrastructure and information and communication services. + + In this regard, the mission is to: + + Assist countries in the field of information and communication + technologies (ICTs), in facilitating the mobilization of + technical, human and financial resources needed for their + implementation, as well as in promoting access to ICTs. + + Promote the extension of the benefits of ICTs to all the world's + inhabitants. 
+ + Promote and participate in actions that contribute towards + narrowing the digital divide. + + Develop and manage programmes that facilitate information flow + geared to the needs of developing countries. + + The mission encompasses ITU's dual responsibility as a United + Nations specialized agency and an executing agency for + implementing projects under the United Nations development system + or other funding arrangements. 4.14. OASIS - Organization for the Advancement of Structured Information Standards http://www.oasis-open.org/ - OASIS is a not-for-profit, international consortium that drives the - development, convergence, and adoption of e-business standards. + OASIS (Organization for the Advancement of Structured Information + Standards) is a not-for-profit consortium that drives the + development, convergence and adoption of open standards for the + global information society. The consortium produces more Web + services standards than any other organization along with standards + for security, e-business, and standardization efforts in the public + sector and for application-specific markets. Founded in 1993, OASIS + has more than 5,000 participants representing over 600 organizations + and individual members in 100 countries. + + OASIS is distinguished by its transparent governance and operating + procedures. Members themselves set the OASIS technical agenda, using + a lightweight process expressly designed to promote industry + consensus and unite disparate efforts. Completed work is ratified by + open ballot. Governance is accountable and unrestricted. Officers + of both the OASIS Board of Directors and Technical Advisory Board are + chosen by democratic election to serve two-year terms. Consortium + leadership is based on individual merit and is not tied to financial + contribution, corporate standing, or special appointment. + + OASIS has several Technical Committees in the Security Category. 
+ + http://www.oasis-open.org/committees/tc_cat.php?cat=security 4.15. OIF - Optical Internetworking Forum http://www.oiforum.com/ - On April 20, 1998 Cisco Systems and Ciena Corporation announced an - industry-wide initiative to create the Optical Internetworking Forum, - an open forum focused on accelerating the deployment of optical - internetworks. + "The Optical Internetworking Forum (OIF) promotes the development and + deployment of interoperable networking solutions and services through + the creation of Implementation Agreements (IAs) for optical + networking products, network processing elements, and component + technologies. Implementation agreements will be based on + requirements developed cooperatively by end-users, service providers, + equipment vendors and technology providers, and aligned with + worldwide standards, augmented if necessary. This is accomplished + through industry member participation working together to develop + specifications (IAs) for: + + External network element interfaces + Software interfaces internal to network elements + + Hardware component interfaces internal to network elements + + The OIF will create Benchmarks, perform worldwide interoperability + testing, build market awareness and promote education for + technologies, services and solutions. The OIF will provide feedback + to worldwide standards organizations to help achieve a set of + implementable, interoperable solutions." + +4.15.1. OAM&P Working Group + + http://www.oiforum.com/public/oamp.html + + In concert with the Carrier, Architecture & Signaling and other OIF + working groups, the Operations, Administration, Maintenance, & + Provisioning (OAM&P) working group develops architectures, + requirements, guidelines, and implementation agreements critical to + widespread deployment of interoperable optical networks by carriers. 
+ The scope includes but is not limited to a) planning, engineering and + provisioning of network resources; b) operations, maintenance or + administration use cases and processes; and c) management + functionality and interfaces for operations support systems and + interoperable network equipment. Within its scope are Fault, + Configuration, Accounting, Performance and Security Management + (FCAPS) and Security. The OAM&P working group will also account for + work by related standards development organizations (SDOs), identify + gaps and formulate OIF input to other SDOs as may be appropriate. 4.16. NRIC - The Network Reliability and Interoperability Council http://www.nric.org/ - The purposes of the Committee are to give telecommunications industry - leaders the opportunity to provide recommendations to the FCC and to - the industry that assure optimal reliability and interoperability of - telecommunications networks. The Committee addresses topics in the - area of Homeland Security, reliability, interoperability, and - broadband deployment. + The mission of the NRIC is partner with the Federal Communications + Commission, the communications industry and public safety to + facilitate enhancement of emergency communications networks, homeland + security, and best practices across the burgeoning telecommunications + industry. + + It appears that the last NRIC Council concluded in 2005. 4.17. National Security Telecommunications Advisory Committee (NSTAC) http://www.ncs.gov/nstac/nstac.html President Ronald Reagan created the National Security Telecommunications Advisory Committee (NSTAC) by Executive Order - 12382 in September 1982. Since then, the NSTAC has served four - presidents. 
Composed of up to 30 industry chief executives - representing the major communications and network service providers - and information technology, finance, and aerospace companies, the - NSTAC provides industry-based advice and expertise to the President - on issues and problems related to implementing national security and - emergency preparedness (NS/EP) communications policy. Since its - inception, the NSTAC has addressed a wide range of policy and - technical issues regarding communications, information systems, + 12382 in September 1982. Composed of up to 30 industry chief + executives representing the major communications and network service + providers and information technology, finance, and aerospace + companies, the NSTAC provides industry-based advice and expertise to + the President on issues and problems related to implementing national + security and emergency preparedness (NS/EP) communications policy. + Since its inception, the NSTAC has addressed a wide range of policy + and technical issues regarding communications, information systems, information assurance, critical infrastructure protection, and other NS/EP communications concerns. + The mission of the NSTAC: Meeting our Nation's critical national + security and emergency preparedness (NS/EP) challenges demands + attention to many issues. Among these, none could be more important + than the availability and reliability of telecommunication services. + The President's National Security Telecommunications Advisory + Committee (NSTAC) mission is to provide the U.S. Government the best + possible industry advice in these areas. + 4.18. TIA - The Telecommunications Industry Association http://www.tiaonline.org/ - TIA is accredited by ANSI to develop voluntary industry standards for - a wide variety of telecommunications products. 
TIA's Standards and - Technology Department is composed of five divisions: Fiber Optics, - User Premises Equipment, Network Equipment, Wireless Communications - and Satellite Communications. + The Telecommunications Industry Association (TIA) is the leading + trade association representing the global information and + communications technology (ICT) industries through standards + development, government affairs, business opportunities, market + intelligence, certification and world-wide environmental regulatory + compliance. With support from its 600 members, TIA enhances the + business environment for companies involved in telecommunications, + broadband, mobile wireless, information technology, networks, cable, + satellite, unified communications, emergency communications and the + greening of technology. TIA is accredited by ANSI. + +4.18.1. Critical Infrastructure Protection (CIP) and Homeland Security + (HS) + + http://www.tiaonline.org/standards/technology/ciphs/ + + This TIA webpage identifies and links to many standards, other + technical documents and ongoing activity involving or supporting + TIA's role in Public Safety and Homeland Security, Network Security, + Critical Infrastructure Protection and Assurance, National Security/ + Emergency Preparedness, Emergency Communications Services, Emergency + Calling and Location Identification Services, and the Needs of First + Responders. For the purpose of this webpage, national/international + terms relating to public safety and disaster response can be + considered synonymous (and interchangeable) with terms relating to + public protection and disaster relief. + +4.18.2. Commercial Encryption Source Code and Related Information + + http://www.tiaonline.org/standards/technology/ahag/index.cfm + + This section seems to link to commercial encryption source code. + Access requires agreement to terms and conditions and then + registration. 4.19. 
TTA - Telecommunications Technology Association - http://www.tta.or.kr/Home2003/main/index.jsp - http://www.tta.or.kr/English/new/main/index.htm (English) + http://www.tta.or.kr/ http://www.tta.or.kr/English/index.jsp + (English) - TTA (Telecommunications Technology Association) is a IT standards - organization that develops new standards and provides one-stop - services for the establishment of IT standards as well as providing - testing and certification for IT products. + The purpose of TTA is to contribute to the advancement of technology + and the promotion of information and telecommunications services and + industry as well as the development of national economy, by + effectively stablishing and providing technical standards that + reflect the latest domestic and international technological advances, + needed for the planning, design and operation of global end-to-end + telecommunications and related information services, in close + collaboration with companies, organizations and groups concerned with + information and telecommunications such as network operators, service + providers, equipment manufacturers, academia, R&D institutes, etc. 4.20. The World Wide Web Consortium http://www.w3.org/Consortium/ - The World Wide Web Consortium (W3C) is an international consortium + The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work - together to develop Web standards. W3C's mission is: To lead the - World Wide Web to its full potential by developing protocols and - guidelines that ensure long-term growth for the Web. - - The security work within the W3C + together to develop Web standards. Led by Web inventor Tim Berners- + Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its + full potential. http://www.w3.org/Security/Activity -4.21. 
Web Services Interoperability Organization (WS-I) + The work in the W3C Security Activity currently comprises two Working + Groups, the Web Security Context Working Group and the XML Security + Working Group. - http://www.ws-i.org/ + The Web Security Context Working Group focuses on the challenges that + arise when users encounter currently deployed security technology, + such as TLS: While this technology achieves its goals on a technical + level, attackers' strategies shift towards bypassing the security + technology instead of breaking it. When users do not understand the + security context in which they operate, then it becomes easy to + deceive and defraud them. This Working Group is planning to see its + main deliverable, the User Interface Guidelines, through to + Recommendation, but will not engage in additional recommendation + track work beyond this deliverable. The Working Group is currently + operating at reduced Team effort (compared to the initial effort + reserved to this Working Group). Initial (and informal) + conversations about forming an Interest Group that could serve as a + place for community-building and specification review have not led as + far as we had hoped at the previous Advisory Committee Meeting, but + are still on the Team's agenda. - WS-I is an open, industry organization chartered to promote Web - services interoperability across platforms, operating systems, and - programming languages. The organization works across the industry - and standards organizations to respond to customer needs by providing - guidance, best practices, and resources for developing Web services - solutions. + The XML Security Working Group started up in summer 2008, and has + decided to publish an interim set of 1.1 specifications as it works + towards producing a more radical change to XML Signature. 
The XML + Signature 1.1 and XML Encryption 1.1 specifications clarify and + enhance the previous specifications without introducing breaking + changes, although they do introduce new algorithms. + +4.21. TM Forum + + http://www.tmforum.org/ + + With more than 700 corporate members in 195 countries, TM Forum is + the world's leading industry association focused on enabling best-in- + class IT for service providers in the communications, media and cloud + service markets. The Forum provides business-critical industry + standards and expertise to enable the creation, delivery and + monetization of digital services. + + TM Forum brings together the world's largest communications, + technology and media companies, providing an innovative, industry- + leading approach to collaborative R&D, along with wide range of + support services including benchmarking, training and certification. + The Forum produces the renowned international Management World + conference series, as well as thought-leading industry research and + publications. + +4.21.1. Security Management + + http://www.tmforum.org/SecurityManagement/9152/home.html + + Securing networks, cyber, clouds, and identity against evolving and + ever present threats has emerged as a top priority for TM Forum + members. In response, the TM Forum's Security Management Initiative + was formally launched in 2009. While some of our Security Management + efforts, such as Identity Management, are well established and boast + mature Business Agreements and Interfaces, a series of presentations, + contributions, and multi-vendor technology demonstrations have jumped + started work efforts on industry hot topics Network Defense, Cyber + Security, and security for single and multi-regional enterprise + application cloud bursting. Our aim is to produce Security + Management rich frameworks, best practices, and guidebooks. 5. Security Best Practices Efforts and Documents This section lists the works produced by the SDOs. 5.1. 
3GPP - TSG SA WG3 (Security) http://www.3gpp.org/TB/SA/SA3/SA3.htm TSG SA WG3 Security is responsible for the security of the 3GPP @@ -895,36 +1248,21 @@ and switches). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors. Documents: ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt -5.13. INCITS CS1 - Cyber Security - - http://cs1.incits.org/ - - INCITS/CS1 was established in April 2005 to serve as the US TAG for - ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 - (INCITS/T4 serves as the US TAG to SC 27/WG 2). - - The scope of CS1 explicitly excludes the areas of work on cyber - security standardization presently underway in INCITS B10, M1 and T3; - as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and - X9. INCITS T4's area of work would be narrowed to cryptography - projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and - mechanisms). - -5.14. ISO Guidelines for the Management of IT Security - GMITS +5.13. ISO Guidelines for the Management of IT Security - GMITS Guidelines for the Management of IT Security -- Part 1: Concepts and models for IT Security http://www.iso.ch/iso/en/ CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 Guidelines for the Management of IT Security -- Part 2: Managing and planning IT Security 
@@ -952,21 +1290,21 @@ http://www.iso.org/iso/en/ CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& ICS3= Open Systems Interconnection -- Network layer security protocol http://www.iso.org/iso/en/ CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& ICS3=30 -5.15. ISO JTC 1/SC 27 +5.14. ISO JTC 1/SC 27 http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 Several security related ISO projects under JTC 1/SC 27 are listed here such as: IT security techniques -- Entity authentication Security techniques -- Key management @@ -979,35 +1317,35 @@ security management Security techniques -- IT network security Guidelines for the implementation, operation and management of Intrusion Detection Systems (IDS) International Security, Trust, and Privacy Alliance -- Privacy Framework -5.16. ITU-T Study Group 2 +5.15. ITU-T Study Group 2 http://www.itu.int/ITU-T/studygroups/com02/index.asp Security related recommendations currently under study: E.408 Telecommunication networks security requirements Q.5/2 (was E.sec1) E.409 Incident Organisation and Security Incident Handling Q.5/2 (was E.sec2) Note: Access requires TIES account. -5.17. ITU-T Recommendation M.3016 +5.16. ITU-T Recommendation M.3016 http://www.itu.int/itudoc/itu-t/com4/contr/068.html This recommendation provides an overview and framework that identifies the security requirements of a TMN and outlines how available security services and mechanisms can be applied within the context of the TMN functional architecture. Question 18 of Study Group 3 is revising Recommendation M.3016. They have taken the original document and are incorporating thoughts from 
@@ -1017,100 +1355,100 @@ M.3016.0 - Overview M.3016.1 - Requirements M.3016.2 - Services M.3016.3 - Mechanisms M.3016.4 - Profiles -5.18. ITU-T Recommendation X.805 +5.17. ITU-T Recommendation X.805 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html This Recommendation defines the general security-related architectural elements that, when appropriately applied, can provide end-to-end network security. -5.19. ITU-T Study Group 16 +5.18. ITU-T Study Group 16 http://www.itu.int/ITU-T/studygroups/com16/index.asp Multimedia Security in Next-Generation Networks (NGN-MM-SEC) http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html -5.20. ITU-T Study Group 17 +5.19. ITU-T Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp ITU-T Study Group 17 is the Lead Study Group on Communication System Security http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html Study Group 17 Security Project: http://www.itu.int/ITU-T/studygroups/com17/security/index.html During its November 2002 meeting, Study Group 17 agreed to establish a new project entitled "Security Project" under the leadership of Q.10/17 to coordinate the ITU-T standardization effort on security. An analysis of the status on ITU-T Study Group action on information and communication network security may be found in TSB Circular 147 of 14 February 2003. -5.21. Catalogue of ITU-T Recommendations related to Communications +5.20. Catalogue of ITU-T Recommendations related to Communications System Security http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html The Catalogue of the approved security Recommendations include those, designed for security purposes and those, which describe or use of functions of security interest and need. Although some of the security related Recommendations includes the phrase "Open Systems Interconnection", much of the information contained in them is pertinent to the establishment of security functionality in any communicating system. -5.22. 
ITU-T Security Manual +5.21. ITU-T Security Manual http://www.itu.int/ITU-T/edh/files/security-manual.pdf TSB is preparing an "ITU-T Security Manual" to provide an overview on security in telecommunications and information technologies, describe practical issues, and indicate how the different aspects of security in today's applications are addressed by ITU-T Recommendations. This manual has a tutorial character: it collects security related material from ITU-T Recommendations into one place and explains the respective relationships. The intended audience for this manual are engineers and product managers, students and academia, as well as regulators who want to better understand security aspects in practical applications. -5.23. ITU-T NGN Effort +5.22. ITU-T NGN Effort http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html During its January 2002 meeting, SG13 decided to undertake the preparation of a new ITU-T Project entitled "NGN 2004 Project". At the November 2002 SG13 meeting, a preliminary description of the Project was achieved and endorsed by SG13 with the goal to launch the Project. It is regularly updated since then. The role of the NGN 2004 Project is to organize and to coordinate ITU-T activities on Next Generation Networks. Its target is to produce a first set of Recommendations on NGN by the end of this study period, i.e. mid-2004. -5.24. NRIC VI Focus Groups +5.23. NRIC VI Focus Groups http://www.nric.org/fg/index.html The Network Reliability and Interoperability Council (NRIC) was formed with the purpose to provide recommendations to the FCC and to the industry to assure the reliability and interoperability of wireless, wireline, satellite, and cable public telecommunications networks. These documents provide general information and guidance on NRIC Focus Group 1B (Cybersecurity) Best Practices for the prevention of cyberattack and for restoration following a 
@@ -1119,122 +1457,122 @@ Documents: Homeland Defense - Recommendations Published 14-Mar-03 Preventative Best Practices - Recommendations Published 14-Mar-03 Recovery Best Practices - Recommendations Published 14-Mar-03 Best Practice Appendices - Recommendations Published 14-Mar-03 -5.25. OASIS Security Joint Committee +5.24. OASIS Security Joint Committee http://www.oasis-open.org/committees/ tc_home.php?wg_abbrev=security-jc The purpose of the Security JC is to coordinate the technical activities of multiple security related TCs. The SJC is advisory only, and has no deliverables. The Security JC will promote the use of consistent terms, promote re-use, champion an OASIS security standards model, provide consistent PR, and promote mutuality, operational independence and ethics. -5.26. OASIS Security Services (SAML) TC +5.25. OASIS Security Services (SAML) TC http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security The Security Services TC is working to advance the Security Assertion Markup Language (SAML) as an OASIS standard. SAML is an XML framework for exchanging authentication and authorization information. -5.27. OIF Implementation Agreements +5.26. OIF Implementation Agreements The OIF has 2 approved Implementation Agreements (IAs) relating to security. They are: OIF-SMI-01.0 - Security Management Interfaces to Network Elements This Implementation Agreement lists objectives for securing OAM&P interfaces to a Network Element and then specifies ways of using security systems (e.g., IPsec or TLS) for securing these interfaces. It summarizes how well each of the systems, used as specified, satisfies the objectives. OIF - SEP - 01.1 - Security Extension for UNI and NNI This Implementation Agreement defines a common Security Extension for securing the protocols used in UNI 1.0, UNI 2.0, and NNI. Documents: http://www.oiforum.com/public/documents/Security-IA.pdf -5.28. TIA +5.27. 
TIA The TIA has produced the "Compendium of Emergency Communications and Communications Network Security-related Work Activities". This document identifies standards, or other technical documents and ongoing Emergency/Public Safety Communications and Communications Network Security-related work activities within TIA and it's Engineering Committees. Many P25 documents are specifically detailed. This "living document" is presented for information, coordination and reference. Documents: http://www.tiaonline.org/standards/technology/ciphs/ documents/EMTEL_sec.pdf -5.29. WS-I Basic Security Profile +5.28. WS-I Basic Security Profile http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html The WS-I Basic Security Profile 1.0 consists of a set of non- proprietary Web services specifications, along with clarifications and amendments to those specifications which promote interoperability. -5.30. NIST Special Publications (800 Series) +5.29. NIST Special Publications (800 Series) http://csrc.nist.gov/publications/PubsSPs.html Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. -5.31. NIST Interagency or Internal Reports (NISTIRs) +5.30. NIST Interagency or Internal Reports (NISTIRs) http://csrc.nist.gov/publications/PubsNISTIRs.html NIST Interagency or Internal Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). 
NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form. -5.32. NIST ITL Security Bulletins +5.31. NIST ITL Security Bulletins http://csrc.nist.gov/publications/PubsITLSB.html ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. These bulletins are published on the average of six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all of ITL Bulletins that are published relate to computer / network security. Only the computer security ITL Bulletins are found here. -5.33. SANS Information Security Reading Room +5.32. SANS Information Security Reading Room http://www.sans.org/reading_room/ Featuring over 1,885 original computer security white papers in 75 different categories. Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts @@ -1259,21 +1597,21 @@ IANA to do anything. 8. Acknowledgments The following people have contributed to this document. Listing their names here does not mean that they endorse the document, but that they have contributed to its substance. David Black, Mark Ellison, George Jones, Keith McCloghrie, John McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce - Moon, Stephen Kent, Steve Wolff. + Moon, Stephen Kent, Steve Wolff, Bob Natale. 9. Changes from Prior Drafts -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt -01 : Security Glossaries: Added ATIS Telecom Glossary 2000, Critical Infrastructure Glossary of Terms and Acronyms, Microsoft Solutions for Security Glossary, and USC InfoSec Glossary. 
@@ -1397,20 +1735,29 @@ Updated the section on the Microsoft glossary. Updated the section on the SANS glossary. Added the NIST Security glossary. Added dates to all glossaries - where I could find them. Added the SANS Reading Room material to Section 5. + -15 : Fifteenth revision of the WG ID. + + Updated the date and reviewed the accuracy of Section 4. Several + changes made. + + Removed WS-I as they have merged with OASIS. + + Added TM Forum. + Note: This section will be removed before publication as an RFC. Authors' Addresses Chris Lonvick Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US
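Review bot: On hunk `@@ -1119,122 +1457,122 @@`, the renumbering keeps the WS-I entry (old 5.29 becomes "+5.28. WS-I Basic Security Profile", with the ws-i.org URL and the Basic Security Profile 1.0 description unchanged), which contradicts the -15 change-log line in this same patch that says "Removed WS-I as they have merged with OASIS". Either drop the WS-I section here and shift 5.29 through 5.32 up one more, or reword the change-log line to say what actually happened. Two smaller points while these sections are being touched: "work activities within TIA and it's Engineering Committees" should read "its", and the two OIF agreement names are written inconsistently ("OIF-SMI-01.0" versus "OIF - SEP - 01.1").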
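Review bot: On hunk `@@ -1259,21 +1597,21 @@`, the contributor list this change extends ("+ Moon, Stephen Kent, Steve Wolff, Bob Natale.") has no discernible order, so each new name is simply appended to the end; consider sorting the Acknowledgments alphabetically by surname so that future additions have an unambiguous place and duplicates are easy to spot.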
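Review bot: On hunk `@@ -1397,20 +1735,29 @@`, "Updated the date and reviewed the accuracy of Section 4. Several changes made." is too vague for a change log whose earlier entries name the exact items touched (compare "-01 : Security Glossaries: Added ATIS Telecom Glossary 2000, ..."); list which Section 4 organisations changed and how. "Removed WS-I as they have merged with OASIS" is not borne out by the Section 5 hunk in this patch, where the WS-I Basic Security Profile section is renumbered from 5.29 to 5.28 rather than deleted, so either the removal is missing from the patch or this line should be corrected. "Added TM Forum" has no corresponding change among the hunks under review, so it cannot be confirmed from the patch as shown, and the -15 entry also omits the Acknowledgments addition (Bob Natale) that this patch makes.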
