Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Intended status: Informational                             Cisco Systems
Expires: August 11, 18, 2011                               February 7, 14, 2011

             Security Best Practices Efforts and Documents
                    draft-ietf-opsec-efforts-14.txt
                    draft-ietf-opsec-efforts-15.txt

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 11, 18, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Format of this Document  . . . . . . . . . . . . . . . . . . .  7
   3.  Online Security Glossaries . . . . . . . . . . . . . . . . . .  8
     3.1.  ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . .  8
     3.2.  Internet Security Glossary - RFC 4949  . . . . . . . . . .  8
     3.3.  Compendium of Approved ITU-T Security Definitions  . . . .  8
     3.4.  Microsoft Malware Protection Center  . . . . . . . . . . .  9
     3.5.  SANS Glossary of Security Terms  . . . . . . . . . . . . .  9
     3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler . . .  9
     3.7.  NIST - Glossary of Key Information Security Terms  . . . .  9
   4.  Standards Developing Organizations . . . . . . . . . . . . . . 11
     4.1.  3GPP - Third Generation Partnership Project  . . . . . . . 11
     4.2.  3GPP2 - Third Generation Partnership Project 2 . . . . . . 11
     4.3.  ANSI - The American National Standards Institute . . . . . 11 12
       4.3.1.  Accredited Standards Committee X9 (ASC X9) . . . . . . 11 12
     4.4.  ATIS - Alliance for Telecommunications Industry
           Solutions  . . . . . . . . . . . . . . . . . . . . . . . . 12
       4.4.1.  ATIS NIPP - Network Interface, Power, and
               Protection Committee, formerly T1E1  . . . . . . . . . 12
       4.4.2.  ATIS NPRQ - Network Performance, Reliability, and
               Quality of Service Committee, formerly T1A1  . . . . . 12
       4.4.3. 13
       4.4.2.  ATIS OBF TMOC - Ordering Telecom Management and Billing Forum, Operations
               Committee, formerly
               regarding T1M1 O&B OAM&P . . . . . . . . . . . . 14
     4.5.  CC - Common Criteria . . . . . . . . . 12
       4.4.4.  ATIS OPTXS - Optical Transport and Synchronization
               Committee, formerly T1X1 . . . . . . . . . . 14
     4.6.  DMTF - Distributed Management Task Force, Inc. . . . . . 13
       4.4.5.  ATIS TMOC . 14
     4.7.  ETSI - Telecom Management and Operations
               Committee, formerly T1M1 OAM&P The European Telecommunications Standard
           Institute  . . . . . . . . . . . . 13
       4.4.6.  ATIS WTSC - Wireless Technologies and Systems
               Committee, formerly T1P1 . . . . . . . . . . . . 15
       4.7.1.  ETSI SEC . . . . 13
       4.4.7.  ATIS PTSC - Packet Technologies and Systems
               Committee, formerly T1S1 . . . . . . . . . . . . . . . 13
       4.4.8.  ATIS Protocol Interworking Committee, regarding
               T1S1 . . . . 15
       4.7.2.  ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 14
     4.5.  CC 15
     4.8.  GGF - Common Criteria Global Grid Forum  . . . . . . . . . . . . . . . . . 16
       4.8.1.  Global Grid Forum Security Area  . . 14
     4.6.  DMTF - Distributed Management Task Force, Inc. . . . . . . 14
     4.7.  ETSI - The European Telecommunications Standard
           Institute . . . 16
     4.9.  IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.  . . . . . . . . . . . . . . . . . . . . . 14
     4.8.  GGF - Global Grid Forum 16
       4.9.1.  IEEE Computer Society's Technical Committee on
               Security and Privacy . . . . . . . . . . . . . . . . . 14
     4.9.  IEEE 17
     4.10. IETF - The Institute of Electrical and Electronics
           Engineers, Inc.  . . . Internet Engineering Task Force . . . . . . . . 17
       4.10.1. IETF Security Area . . . . . . . . . . 15

     4.10. IETF - The Internet Engineering Task Force . . . . . . . . 15 17
     4.11. INCITS - InterNational Committee for Information
           Technology Standards . . . . . . . . . . . . . . . . . . . 15 17
       4.11.1. INCITS Technical Committee T11 - Fibre Channel
               Interfaces Identification Cards and Related Devices (B10) . . . . 18
       4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 18
       4.11.3. Biometrics (M1)  . . . . 15 . . . . . . . . . . . . . . . 18

     4.12. ISO - The International Organization for
           Standardization  . . . . . . . . . . . . . . . . . . . . . 15 18
     4.13. ITU - International Telecommunication Union  . . . . . . . 16 19
       4.13.1. ITU Telecommunication Standardization Sector -
               ITU-T  . . . . . . . . . . . . . . . . . . . . . . . . 16 19
       4.13.2. ITU Radiocommunication Sector - ITU-R  . . . . . . . . 16 20
       4.13.3. ITU Telecom Development - ITU-D  . . . . . . . . . . . 16 20
     4.14. OASIS -  Organization for the Advancement of
           Structured Information Standards . . . . . . . . . . . . . 16 21
     4.15. OIF - Optical Internetworking Forum  . . . . . . . . . . . 17
     4.16. NRIC - The Network 21
       4.15.1. OAM&P Working Group  . . . . . . . . . . . . . . . . . 22
     4.16. NRIC - The Network Reliability and Interoperability
           Council  . . . . . . . . . . . . . . . . . . . . . . . . . 17 22
     4.17. National Security Telecommunications Advisory
           Committee (NSTAC)  . . . . . . . . . . . . . . . . . . . . 17 22
     4.18. TIA - The Telecommunications Industry Association  . . . . 17 23
       4.18.1. Critical Infrastructure Protection (CIP) and
               Homeland Security (HS) . . . . . . . . . . . . . . . . 23
       4.18.2. Commercial Encryption Source Code and Related
               Information  . . . . . . . . . . . . . . . . . . . . . 24
     4.19. TTA - Telecommunications Technology Association  . . . . . 18 24
     4.20. The World Wide Web Consortium  . . . . . . . . . . . . . . 18 24
     4.21. Web Services Interoperability Organization (WS-I) TM Forum . . . . 18 . . . . . . . . . . . . . . . . . . . . . 25
       4.21.1. Security Management  . . . . . . . . . . . . . . . . . 25
   5.  Security Best Practices Efforts and Documents  . . . . . . . . 19 27
     5.1.  3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 19 27
     5.2.  3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 19 27
     5.3.  American National Standard T1.276-2003 - Baseline
           Security Requirements for the Management Plane . . . . . . 19 27
     5.4.  DMTF - Security Protection and Management (SPAM)
           Working Group  . . . . . . . . . . . . . . . . . . . . . . 20 28
     5.5.  DMTF - User and Security Working Group . . . . . . . . . . 20 28
     5.6.  ATIS Work-Plan to Achieve Interoperable,
           Implementable, End-To-End Standards and Solutions  . . . . 20 28
       5.6.1.  ATIS Work on Packet Filtering  . . . . . . . . . . . . 20 28
     5.7.  ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 21 29
     5.8.  Common Criteria  . . . . . . . . . . . . . . . . . . . . . 21 29
     5.9.  ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 29
     5.10. GGF Security Area (SEC)  . . . . . . . . . . . . . . . . . 22 30
     5.11. Information System Security Assurance Architecture . . . . 22 30
     5.12. Operational Security Requirements for IP Network
           Infrastructure : Advanced Requirements . . . . . . . . . . 22 30
     5.13. INCITS CS1 - Cyber Security  . . . . . . . . . . . . . . . 23
     5.14. ISO Guidelines for the Management of IT Security -
           GMITS  . . . . . . . . . . . . . . . . . . . . . . . . . . 23
     5.15. 31
     5.14. ISO JTC 1/SC 27  . . . . . . . . . . . . . . . . . . . . . 24
     5.16. 32
     5.15. ITU-T Study Group 2  . . . . . . . . . . . . . . . . . . . 24
     5.17. 32
     5.16. ITU-T Recommendation M.3016  . . . . . . . . . . . . . . . 25
     5.18. 32
     5.17. ITU-T  Recommendation X.805  . . . . . . . . . . . . . . . 25
     5.19. 33
     5.18. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 25
     5.20. 33
     5.19. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 26
     5.21. 33
     5.20. Catalogue of ITU-T Recommendations related to
           Communications System Security . . . . . . . . . . . . . . 26
     5.22. 34
     5.21. ITU-T Security Manual  . . . . . . . . . . . . . . . . . . 26
     5.23. 34
     5.22. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 27
     5.24. 34
     5.23. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 27
     5.25. 35
     5.24. OASIS Security Joint Committee . . . . . . . . . . . . . . 27
     5.26. 35
     5.25. OASIS Security Services (SAML) TC  . . . . . . . . . . . . 28
     5.27. 35
     5.26. OIF Implementation Agreements  . . . . . . . . . . . . . . 28
     5.28. 35
     5.27. TIA  . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
     5.29. 36
     5.28. WS-I Basic Security Profile  . . . . . . . . . . . . . . . 29
     5.30. 36
     5.29. NIST Special Publications (800 Series) . . . . . . . . . . 29
     5.31. 36
     5.30. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 29
     5.32. 37
     5.31. NIST ITL Security Bulletins  . . . . . . . . . . . . . . . 29
     5.33. 37
     5.32. SANS Information Security Reading Room . . . . . . . . . . 30 37
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 31 38
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 32 39
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 33 40
   9.  Changes from Prior Drafts  . . . . . . . . . . . . . . . . . . 34 41
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 45

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level, or even
   improving this availability, to its users.  These SDO efforts usually
   define themselves as "security" efforts.  It is the opinion of the
   authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways.  As such, we
   offer no assurance that the term is applied consistently throughout
   this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works.  If there are overlaps then there is a potential for conflicts
   and confusion.  This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      ogranization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations.  In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.  However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

   This document will be updated in sections.  The most recently updated
   part of this document is Section 3.

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistencies between the
   useage of words on standards is unacceptable as it would prevent a
   reader of two standards to appropriately relate their
   recommendations.  The authors of this document have not reviewed the
   definitions of the words in the listed glossaries so can offer no
   assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms

3.1.  ATIS Telecom Glossary 2007

   http://www.atis.org/tg2k/

   This Glossary began as a 5800-entry, search-enabled hypertext
   telecommunications glossary titled Federal Standard 1037C, Glossary
   of Telecommunication Terms .  Federal Standard 1037C was updated and
   matured into an American National Standard (ANS): T1.523-2001,
   Telecom Glossary 2000 , under the aegis of ASC T1.  In turn, T1.523-
   2001 has been revised and redesignated under the ATIS procedures for
   ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007.

   Date published: 2007

3.2.  Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

   This document was originally created as RFC 2828 in May 2000.  It was
   revised as RFC 4949 and the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."

   Date published: August 2007

3.3.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.  The original
   Compendium was compiled by SG 17, Lead Study Group on Communication
   Systems Security (LSG-CSS).
   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Date published: 2003

3.4.  Microsoft Malware Protection Center

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Malware Protection Center, Threat Research and Response
   Glossary was created to explain the concepts, technologies, and
   products associated with computer security.

   Date published: indeterminate

3.5.  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   This glossary was pdated in May 2003.  The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

   Date published: indeterminate

3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/
   SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53,
   800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA
   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
   RFC2647, RFC2828, TCSEC, TDI, and TNI.

   Date updated: October 2010

3.7.  NIST - Glossary of Key Information Security Terms

   http://csrc.nist.gov/publications/nistir/
   NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf

   This glossary of basic security terms has been extracted from NIST
   Federal Information Processing Standards (FIPS) and the Special
   Publication (SP) 800 series.  The terms included are not all
   inclusive of terms found in these publications, but are a subset of
   basic terms that are most frequently used.  The purpose of this
   glossary is to provide a central resource of definitions most
   commonly used in NIST security publications.

   Date published: April 2006

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   The Third Generation Partnership Project 2 (3GPP2) is is:

      a collaboration
   among Organizational Partners much like its sister collaborative third generation (3G) telecommunications
      specifications-setting project 3GPP.  The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA,

      comprising North American and TTC.  In addition Asian interests developing global
      specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication
      Intersystem Operations network evolution to 3G

      and global specifications for the OPs, radio transmission technologies
      (RTTs) supported by ANSI/TIA/EIA-41.

   3GPP2 also welcomes was born out of the CDMA Development Group International Telecommunication Union's
   (ITU) International Mobile Telecommunications "IMT-2000" initiative,
   covering high speed, broadband, and IPv6 Forum as Market Representation
   Partners for Internet Protocol (IP)-based
   mobile systems featuring network-to-network interconnection, feature/
   service transparency, global roaming and seamless services
   independent of location.  IMT-2000 is intended to bring high-quality
   mobile multimedia telecommunications to a worldwide mass market advice. by
   achieving the goals of increasing the speed and ease of wireless
   communications, responding to the problems faced by the increased
   demand to pass data via telecommunications, and providing "anytime,
   anywhere" services.

4.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   ANSI is a private, non-profit organization that organizes and
   oversees

   As the voice of the U.S. voluntary standardization standards and conformity assessment
   system. system,
   the American National Standards Institute (ANSI) empowers its members
   and constituents to strengthen the U.S. marketplace position in the
   global economy while helping to assure the safety and health of
   consumers and the protection of the environment.

   The Institute oversees the creation, promulgation and use of
   thousands of norms and guidelines that directly impact businesses in
   nearly every sector: from acoustical devices to construction
   equipment, from dairy and livestock production to energy
   distribution, and many more.  ANSI was founded October 19, 1918. is also actively engaged in
   accrediting programs that assess conformance to standards - including
   globally-recognized cross-sector programs such as the ISO 9000
   (quality) and ISO 14000 (environmental) management systems.

4.3.1.  Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to
   develop, establish, maintain, and promote standards for the Financial
   Services Industry in order to facilitate the delivery of financial
   services and products.  Under this mission ASC X9 fulfills the
   objectives of: (1) Supporting (maintain, enhance, and promote use of)
   existing standards; (2) Facilitating development of new, open
   standards based upon consensus; (3) Providing a common source for all
   standards affecting the Financial Services Industry; (4) Focusing on
   current and future standards needs of the Financial Services
   Industry; (5) Promoting use of Financial Services Industry standards;
   and (6) Participating and promoting the development of international
   standards.

4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS is a United States based body that is committed to rapidly
   developing and promoting prioritizes the industry's most pressing, technical and operations
   operational issues, and creates interoperable, implementable, end to
   end solutions -- standards for when the
   communications and related information technologies industry
   worldwide using pragmatic, flexible needs them and open approach.  Committee T1
   as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004. where
   they need them.

   Over 600 industry professionals from more than 250 communications
   companies actively participate in ATIS has restructured the former
   T1 technical subcommittees into full committees and incubator
   solutions programs.

   ATIS develops standards committees to
   easily identify and promote the nature solutions addressing a wide range of standards work each
   committee performs.  Due to the reorganization, some groups may have
   industry issues in a new mission manner that allocates and scope statement.

4.4.1.  ATIS NIPP - Network Interface, Power, coordinates industry
   resources and Protection Committee,
        formerly T1E1

   http://www.atis.org/0050/index.asp produces the greatest return for communications
   companies.

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards creates solutions that support the rollout of new products and technical reports related to power systems,
   electrical
   services into the information, entertainment and physical protection communications
   marketplace.  Its activities provide the basis for the exchange industry's
   delivery of:

      Existing and interexchange
   carrier networks, next generation IP-based infrastructures;

      Reliable converged multimedia services, including IPTV;

      Enhanced Operations Support Systems and interfaces associated with user access to
   telecommunications networks.

4.4.2. Business Support Systems;
      and

      Greater levels of service quality and performance.

      ATIS is accredited by the American National Standards Institute
      (ANSI).

4.4.1.  ATIS NPRQ - Network Performance, Reliability, and Quality of
        Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee

   PRQC develops and recommends standards, requirements, standards,requirements, and technical
   reports related to the performance, reliability, performance,reliability, and associated
   security aspects of communications networks, as well as the
   processing of voice, audio, data, image, and image,and video signals, and their
   multimedia integration.

4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1
        O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.

   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers  PRQC alsodevelops andrecommends positions
   on, and foster consistency with, standards and providers related subjects under
   consideration in the telecommunications industry to
   identify, discuss other North American and resolve national issues which affect ordering,
   billing, provisioning international standards
   bodies.

   PRQC Focus Areas are:

      Performance and exchange Reliability of information about access
   services, other connectivity Networks (e.g.  IP, ATM, OTN, and related matters.

4.4.4.  ATIS OPTXS - Optical Transport
      PSTN), and Synchronization Committee,
        formerly T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport Services (e.g.  Frame Relay, Dedicated and Synchronization Committee develops Switched
      Data),

      Security-related aspects,

      Emergency communications-related aspects,

      Coding (e.g. video and
   recommends standards speech), at and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces between carrier-to-carrier
      and hierarchical structures including
   optical technology.

4.4.5. carrier-to-customer interfaces, with due consideration of end-
      user applications.

4.4.2.  ATIS TMOC - Telecom Management and Operations Committee,
        formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   ATIS

   The Telecom Management and Operations Committee (TMOC) develops
   internetwork
   operations, administration, maintenance and provisioning standards,
   and technical reports other documentation related to Operations Support System (OSS)
   and Network Element (NE) functions and interfaces for
   telecommunications networks.

4.4.6.  ATIS WTSC communications
   networks - Wireless Technologies and Systems Committee,
        formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends with an emphasis on standards and technical reports development related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

4.4.7.  ATIS PTSC - Packet Technologies and Systems Committee, formerly
        T1S1

   http://www.atis.org/0191/index.asp

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and
   U.S.A. communication networks in coordination with the ATIS Protocol Interworking
   Committee.  PTSC is responsible for producing standards to secure
   signalling. development of
   international standards.

   The basic document is PTSC-SEC-2005-059.doc which is scope of the work in Letter Ballot
   at this time.  It is expected to move to an ANSI standard.

4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: TMOC includes the ATIS Packet
   Technologies development of standards
   and Systems Committee other documentation for communications network operations and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission
   management areas, such as: Configuration Management, Performance
   Management (including in-service transport performance management),
   Fault Management, Security Management (including management plane
   security), Accounting Management, Coding/Language Data
   Representation, Common/Underlying Management Functionality/
   Technology, and Ancillary Functions (such as network tones and
   announcements).  This work requires close and coordinated working
   relationships with other domestic and international standards
   development organizations and scope. industry forums.

4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   In June 1993,

   Common Criteria is a framework in which computer system users can
   specify their security functional and assurance requirements, vendors
   can then implement and/or make claims about the sponsoring organizations security attributes
   of the existing US,
   Canadian, and European criterias (TCSEC, ITSEC, their products, and similar) started testing laboratories can evaluate the products
   to determine if they actually meet the claims.  In other words,
   Common Criteria Project to align their separate criteria into a
   single set provides assurance that the process of IT specification,
   implementation and evaluation of a computer security criteria. product has been
   conducted in a rigorous and standard manner. [attribute wikipedia]

4.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the

   DMTF brings enables more effective management of millions of IT systems
   worldwide by bringing the technology industry's customers
   and top vendors IT industry together in a collaborative, working group approach
   that involves DMTF members in all aspects to collaborate on the
   development, validation and promotion of specification
   development systems management
   standards.  DMTF management standards are critical to enabling
   management interoperability among multi-vendor systems, tools and
   solutions within the enterprise.  We are committed to protecting
   companies' IT investments by creating standards that promote multi-
   vendor interoperability.  Our dedication to fostering collaboration
   within the industry provides a win-win situation for vendors and refinement. IT
   personnel alike.

4.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which

   The European Telecommunications Standards Institute (ETSI) produces
   telecommunications standards.
   globally-applicable standards for Information and Communications
   Technologies (ICT), including fixed, mobile, radio, converged,
   broadcast and internet technologies.

   ETSI is based in Sophia-Antipolis in officially recognized by the European Union as a European
   Standards Organization.

4.7.1.  ETSI SEC

   http://portal.etsi.org/portal/server.pt/gateway/
   PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

   Board#38 confirmed the closure of TC SEC.

   At the south same time it approved the creation of France an OCG Ad Hoc group OCG
   Security

   TC SEC documents can be found in the SEC archive

   The SEC Working groups (ESI and LI) were closed and TC ESI and maintains a membership TC
   LI were created to continue the work.

   All documents and information relevant to ESI and LI are available
   from 55 countries.

   Joint the TC ESI and TC LI sites

4.7.2.  ETSI OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

   The group's primary role is to provide a light-weight horizontal co-
   ordination structure for security issues that will ensure this work between
   is seriously considered in each ETSI TB and ITU-T SG-17

   http://www.tta.or.kr/gsc/upload/
   GSC9_Joint_011_Security_Standardization_in_ITU.ppt that any duplicate or
   conflicting work is detected.  To achieve this aim the group should
   mainly conduct its work via email and, where appropriate, co-sited
   "joint security" technical working meetings.

   When scheduled, appropriate time at each "joint SEC" meeting should
   be allocated during the meetings to allow for:

      Individual committee activities as well as common work;

      Coordination between the committees; and

      Experts to contribute to more than one committee.

4.8.  GGF - Global Grid Forum

   http://www.gridforum.org/

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing.  GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.8.1.  Global Grid Forum Security Area

   http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7

   The Security Area is concerned with technical and operational
   security issues in Grid environments, including authentication,
   authorization, privacy, confidentiality, auditing, firewalls, trust
   establishment, policy establishment, and dynamics, scalability and
   management aspects of all of the above.

   The Security Area is comprised of the following Working Groups and
   Research Groups.

      Certificate Authority Operations WG (CAOPS-WG)

      Firewall Issues RG (FI-RG)

      Levels Of Authentication Assurance Research Group (LOA-RG)

      OGSA Authorization WG (OGSA-AUTHZ-WG)

4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

   IEEE is a non-profit, the world's largest professional association dedicated to
   advancing technological innovation and excellence for the benefit of more than 360,000
   individual members in approximately 175 countries.  The
   humanity.  IEEE produces
   30 percent of the world's published literature in electrical
   engineering, computers, and control technology through its technical
   publishing, members inspire a global community through
   IEEE's highly cited publications, conferences, technology standards,
   and consensus-based standards professional and educational activities.

4.9.1.  IEEE Computer Society's Technical Committee on Security and
        Privacy

   http://www.ieee-security.org/

4.10.  IETF - The Internet Engineering Task Force

   http://www.ietf.org/

   The goal of the IETF is a large, international community open to any interested
   individual concerned with make the evolution Internet work better.

   The mission of the IETF is to make the Internet architecture
   and work better by
   producing high quality, relevant technical documents that influence
   the smooth operation of way people design, use, and manage the Internet.

4.10.1.  IETF Security Area

   The Working Groups in the Security Area may be found from this page.

   http://datatracker.ietf.org/wg/

   The wiki page for the IETF Security Area may be found here.

   http://trac.tools.ietf.org/area/sec/trac/wiki

4.11.  INCITS - InterNational Committee for Information Technology
       Standards

   http://www.incits.org/

   INCITS focuses upon is the primary U.S. focus of standardization in the field of
   Information and Communications Technologies (ICT), encompassing
   storage, processing, transfer, display, management, organization, and
   retrieval of information.

4.11.1.  As such, INCITS also serves as ANSI's
   Technical Advisory Group for ISO/IEC Joint Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 1.
   JTC 1 is responsible for International standardization in the field
   of Information Technology.

   There are three active Groups in the Security / ID Technical
   Committee.

4.11.1.  Identification Cards and Related Devices (B10)

   http://standards.incits.org/a/public/group/b10

   Development of national and international standards development in the areas area of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI)
   identification cards and Fibre Channel (FC).  T11 has a project called
   FC-SP to define related devices for use in inter-industry
   applications and international interchange.

4.11.2.  Cyber Security Protocols (CS1)

   http://standards.incits.org/a/public/group/cs1

   INCITS/CS1 was established in April 2005 to serve as the US TAG for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

4.12.  ISO -
   ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups.

   The International Organization for Standardization

   http://www.iso.org/

   ISO is a network scope of CS1 explicitly excludes the national standards institutes areas of 148
   countries, work on cyber
   security standardization presently underway in INCITS B10, M1, T3,
   T10 and T11; as well as other standard groups, such as ATIS, IEEE,
   IETF, TIA, and X9.

4.11.3.  Biometrics (M1)

   http://standards.incits.org/a/public/group/m1

   INCITS/M1, Biometrics Technical Committee was established by the basis
   Executive Board of one member per country, with a Central
   Secretariat INCITS in Geneva, Switzerland, that coordinates the system.  ISO
   officially began operations November 2001 to ensure a high priority,
   focused, and comprehensive approach in the United States for the
   rapid development and approval of formal national and international
   generic biometric standards.  The M1 program of work includes
   biometric standards for data interchange formats, common file
   formats, application program interfaces, profiles, and performance
   testing and reporting.  The goal of M1's work is to accelerate the
   deployment of significantly better, standards-based security
   solutions for purposes, such as, homeland defense and the prevention
   of identity theft as well as other government and commercial
   applications based on February 23, 1947. biometric personal authentication.

4.12.  ISO - The International Organization for Standardization

   http://www.iso.org/

   SO (International Organization for Standardization) is the world's
   largest developer and publisher of International Standards.

   ISO is a network of the national standards institutes of 160
   countries, one member per country, with a Central Secretariat in
   Geneva, Switzerland, that coordinates the system.

   ISO is a non-governmental organization that forms a bridge between
   the public and private sectors.  On the one hand, many of its member
   institutes are part of the governmental structure of their countries,
   or are mandated by their government.  On the other hand, other
   members have their roots uniquely in the private sector, having been
   set up by national partnerships of industry associations.

   Therefore, ISO enables a consensus to be reached on solutions that
   meet both the requirements of business and the broader needs of
   society.

4.13.  ITU - International Telecommunication Union

   http://www.itu.int/

   The

   ITU is an international organization within the leading United Nations
   System headquartered agency for information and
   communication technology issues, and the global focal point for
   governments and the private sector in Geneva, Switzerland. developing networks and
   services.  For 145 years, ITU has coordinated the shared global use
   of the radio spectrum, promoted international cooperation in
   assigning satellite orbits, worked to improve telecommunication
   infrastructure in the developing world, established the worldwide
   standards that foster seamless interconnection of a vast range of
   communications systems and addressed the global challenges of our
   times, such as mitigating climate change and strengthening
   cybersecurity.

   ITU also organizes worldwide and regional exhibitions and forums,
   such as ITU TELECOM WORLD, bringing together the most influential
   representatives of government and the telecommunications and ICT
   industry to exchange ideas, knowledge and technology for the benefit
   of the global community, and in particular the developing world.

   From broadband Internet to latest-generation wireless technologies,
   from aeronautical and maritime navigation to radio astronomy and
   satellite-based meteorology, from convergence in fixed-mobile phone,
   Internet access, data, voice and TV broadcasting to next-generation
   networks, ITU is committed to connecting the world.

   The ITU is comprised of three sectors:

4.13.1.  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient

   ITU-T Recommendations are defining elements in information and on-time production of
   high quality
   communication technologies (ICTs) infrastructure.  Whether we
   exchange voice, data or video messages, communications cannot take
   place without standards covering all fields linking the sender and the receiver.  Today's
   work extends well beyond the traditional areas of telephony to
   encompass a far wider range of telecommunications. information and communications
   technologies.

4.13.2.  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R ITU Radiocommunication Sector (ITU-R) plays a vital role in the
   global management of the radio-frequency spectrum and satellite orbits.
   orbits - limited natural resources which are increasingly in demand
   from a large and growing number of services such as fixed, mobile,
   broadcasting, amateur, space research, emergency telecommunications,
   meteorology, global positioning systems, environmental monitoring and
   communication services - that ensure safety of life on land, at sea
   and in the skies.

4.13.3.  ITU Telecom Development - ITU-D

   (also referred as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The mission of the Telecommunication Development Bureau (BDT) Sector (ITU-D) aims
   at achieving the Sector's objectives based on the right to
   communicate of all inhabitants of the planet through access to
   infrastructure and information and communication services.

   In this regard, the mission is to:

      Assist countries in the executive arm field of information and communication
      technologies (ICTs), in facilitating the Telecommunication Development Sector.  Its duties mobilization of
      technical, human and
   responsibilities cover financial resources needed for their
      implementation, as well as in promoting access to ICTs.

      Promote the extension of the benefits of ICTs to all the world's
      inhabitants.

      Promote and participate in actions that contribute towards
      narrowing the digital divide.

      Develop and manage programmes that facilitate information flow
      geared to the needs of developing countries.

      The mission encompasses ITU's dual responsibility as a United
      Nations specialized agency and an executing agency for
      implementing projects under the United Nations development system
      or other funding arrangements.

4.14.  OASIS -  Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/

   OASIS (Organization for the Advancement of Structured Information
   Standards) is a variety not-for-profit consortium that drives the
   development, convergence and adoption of functions ranging from programme
   supervision open standards for the
   global information society.  The consortium produces more Web
   services standards than any other organization along with standards
   for security, e-business, and standardization efforts in the public
   sector and for application-specific markets.  Founded in 1993, OASIS
   has more than 5,000 participants representing over 600 organizations
   and individual members in 100 countries.

   OASIS is distinguished by its transparent governance and operating
   procedures.  Members themselves set the OASIS technical advice agenda, using
   a lightweight process expressly designed to promote industry
   consensus and unite disparate efforts.  Completed work is ratified by
   open ballot.  Governance is accountable and unrestricted.  Officers
   of both the collection, processing OASIS Board of Directors and Technical Advisory Board are
   chosen by democratic election to serve two-year terms.  Consortium
   leadership is based on individual merit and
   publication of information relevant is not tied to telecommunication development.

4.14.  OASIS -  Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/ financial
   contribution, corporate standing, or special appointment.

   OASIS is a not-for-profit, international consortium that drives has several Technical Committees in the
   development, convergence, and adoption of e-business standards. Security Category.

   http://www.oasis-open.org/committees/tc_cat.php?cat=security

4.15.  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems

   "The Optical Internetworking Forum (OIF) promotes the development and Ciena Corporation announced an
   industry-wide initiative
   deployment of interoperable networking solutions and services through
   the creation of Implementation Agreements (IAs) for optical
   networking products, network processing elements, and component
   technologies.  Implementation agreements will be based on
   requirements developed cooperatively by end-users, service providers,
   equipment vendors and technology providers, and aligned with
   worldwide standards, augmented if necessary.  This is accomplished
   through industry member participation working together to develop
   specifications (IAs) for:

      External network element interfaces
      Software interfaces internal to network elements

      Hardware component interfaces internal to network elements

   The OIF will create Benchmarks, perform worldwide interoperability
   testing, build market awareness and promote education for
   technologies, services and solutions.  The OIF will provide feedback
   to worldwide standards organizations to help achieve a set of
   implementable, interoperable solutions."

4.15.1.  OAM&P Working Group

   http://www.oiforum.com/public/oamp.html

   In concert with the Optical Internetworking Forum,
   an open forum focused on accelerating Carrier, Architecture & Signaling and other OIF
   working groups, the Operations, Administration, Maintenance, &
   Provisioning (OAM&P) working group develops architectures,
   requirements, guidelines, and implementation agreements critical to
   widespread deployment of interoperable optical
   internetworks. networks by carriers.
   The scope includes but is not limited to a) planning, engineering and
   provisioning of network resources; b) operations, maintenance or
   administration use cases and processes; and c) management
   functionality and interfaces for operations support systems and
   interoperable network equipment.  Within its scope are Fault,
   Configuration, Accounting, Performance and Security Management
   (FCAPS) and Security.  The OAM&P working group will also account for
   work by related standards development organizations (SDOs), identify
   gaps and formulate OIF input to other SDOs as may be appropriate.

4.16.  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes mission of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to NRIC is partner with the FCC and to Federal Communications
   Commission, the communications industry that assure optimal reliability and interoperability of
   telecommunications networks.  The Committee addresses topics in the
   area public safety to
   facilitate enhancement of Homeland Security, reliability, interoperability, emergency communications networks, homeland
   security, and
   broadband deployment. best practices across the burgeoning telecommunications
   industry.

   It appears that the last NRIC Council concluded in 2005.

4.17.  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982.  Since then, the NSTAC has served four
   presidents.  Composed of up to 30 industry chief
   executives representing the major communications and network service
   providers and information technology, finance, and aerospace
   companies, the NSTAC provides industry-based advice and expertise to
   the President on issues and problems related to implementing national
   security and emergency preparedness (NS/EP) communications policy.
   Since its inception, the NSTAC has addressed a wide range of policy
   and technical issues regarding communications, information systems,
   information assurance, critical infrastructure protection, and other
   NS/EP communications concerns.

   The mission of the NSTAC: Meeting our Nation's critical national
   security and emergency preparedness (NS/EP) challenges demands
   attention to many issues.  Among these, none could be more important
   than the availability and reliability of telecommunication services.
   The President's National Security Telecommunications Advisory
   Committee (NSTAC) mission is to provide the U.S. Government the best
   possible industry advice in these areas.

4.18.  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   The Telecommunications Industry Association (TIA) is the leading
   trade association representing the global information and
   communications technology (ICT) industries through standards
   development, government affairs, business opportunities, market
   intelligence, certification and world-wide environmental regulatory
   compliance.  With support from its 600 members, TIA enhances the
   business environment for companies involved in telecommunications,
   broadband, mobile wireless, information technology, networks, cable,
   satellite, unified communications, emergency communications and the
   greening of technology.  TIA is accredited by ANSI ANSI.

4.18.1.  Critical Infrastructure Protection (CIP) and Homeland Security
         (HS)

   http://www.tiaonline.org/standards/technology/ciphs/

   This TIA webpage identifies and links to develop voluntary industry standards for
   a wide variety of telecommunications products. many standards, other
   technical documents and ongoing activity involving or supporting
   TIA's Standards role in Public Safety and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Homeland Security, Network Equipment, Wireless Security,
   Critical Infrastructure Protection and Assurance, National Security/
   Emergency Preparedness, Emergency Communications Services, Emergency
   Calling and Location Identification Services, and the Needs of First
   Responders.  For the purpose of this webpage, national/international
   terms relating to public safety and disaster response can be
   considered synonymous (and interchangeable) with terms relating to
   public protection and disaster relief.

4.18.2.  Commercial Encryption Source Code and Related Information

   http://www.tiaonline.org/standards/technology/ahag/index.cfm

   This section seems to link to commercial encryption source code.
   Access requires agreement to terms and conditions and Satellite Communications. then
   registration.

4.19.  TTA - Telecommunications Technology Association

   http://www.tta.or.kr/Home2003/main/index.jsp
   http://www.tta.or.kr/English/new/main/index.htm

   http://www.tta.or.kr/ http://www.tta.or.kr/English/index.jsp
   (English)

   The purpose of TTA (Telecommunications Technology Association) is a IT to contribute to the advancement of technology
   and the promotion of information and telecommunications services and
   industry as well as the development of national economy, by
   effectively stablishing and providing technical standards
   organization that develops new standards
   reflect the latest domestic and international technological advances,
   needed for the planning, design and operation of global end-to-end
   telecommunications and related information services, in close
   collaboration with companies, organizations and provides one-stop
   services for the establishment of IT standards as well as providing
   testing groups concerned with
   information and certification for IT products. telecommunications such as network operators, service
   providers, equipment manufacturers, academia, R&D institutes, etc.

4.20.  The World Wide Web Consortium

   http://www.w3.org/Consortium/

   The World Wide Web Consortium (W3C) is an international consortium community
   where Member organizations, a full-time staff, and the public work
   together to develop Web standards.  Led by Web inventor Tim Berners-
   Lee and CEO Jeffrey Jaffe, W3C's mission is: To is to lead the
   World Wide Web to its
   full potential by developing protocols potential.

   http://www.w3.org/Security/Activity

   The work in the W3C Security Activity currently comprises two Working
   Groups, the Web Security Context Working Group and
   guidelines that ensure long-term growth for the Web. XML Security
   Working Group.

   The Web Security Context Working Group focuses on the challenges that
   arise when users encounter currently deployed security technology,
   such as TLS: While this technology achieves its goals on a technical
   level, attackers' strategies shift towards bypassing the security
   technology instead of breaking it.  When users do not understand the
   security context in which they operate, then it becomes easy to
   deceive and defraud them.  This Working Group is planning to see its
   main deliverable, the User Interface Guidelines, through to
   Recommendation, but will not engage in additional recommendation
   track work within beyond this deliverable.  The Working Group is currently
   operating at reduced Team effort (compared to the W3C

   http://www.w3.org/Security/Activity initial effort
   reserved to this Working Group).  Initial (and informal)
   conversations about forming an Interest Group that could serve as a
   place for community-building and specification review have not led as
   far as we had hoped at the previous Advisory Committee Meeting, but
   are still on the Team's agenda.

   The XML Security Working Group started up in summer 2008, and has
   decided to publish an interim set of 1.1 specifications as it works
   towards producing a more radical change to XML Signature.  The XML
   Signature 1.1 and XML Encryption 1.1 specifications clarify and
   enhance the previous specifications without introducing breaking
   changes, although they do introduce new algorithms.

4.21.  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I  TM Forum

   http://www.tmforum.org/

   With more than 700 corporate members in 195 countries, TM Forum is
   the world's leading industry association focused on enabling best-in-
   class IT for service providers in the communications, media and cloud
   service markets.  The Forum provides business-critical industry
   standards and expertise to enable the creation, delivery and
   monetization of digital services.

   TM Forum brings together the world's largest communications,
   technology and media companies, providing an open, industry organization chartered innovative, industry-
   leading approach to promote Web collaborative R&D, along with wide range of
   support services interoperability across platforms, operating systems, including benchmarking, training and
   programming languages. certification.
   The organization works across Forum produces the renowned international Management World
   conference series, as well as thought-leading industry research and standards organizations to respond
   publications.

4.21.1.  Security Management

   http://www.tmforum.org/SecurityManagement/9152/home.html

   Securing networks, cyber, clouds, and identity against evolving and
   ever present threats has emerged as a top priority for TM Forum
   members.  In response, the TM Forum's Security Management Initiative
   was formally launched in 2009.  While some of our Security Management
   efforts, such as Identity Management, are well established and boast
   mature Business Agreements and Interfaces, a series of presentations,
   contributions, and multi-vendor technology demonstrations have jumped
   started work efforts on industry hot topics Network Defense, Cyber
   Security, and security for single and multi-regional enterprise
   application cloud bursting.  Our aim is to customer needs by providing
   guidance, produce Security
   Management rich frameworks, best practices, and resources for developing Web services
   solutions. guidebooks.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1.  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

5.2.  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications.  Among its responsibilities TSG-S is addressing
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.

   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

5.3.  American National Standard T1.276-2003 - Baseline Security
      Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security
   requirements for the management plane.  The President's National
   Security Telecommunications Advisory Committee Network Security
   Information Exchange (NSIE) and Government NSIE jointly established a
   Security Requirements Working Group (SRWG) to examine the security
   requirements for controlling access to the public switched network,
   in particular with respect to the emerging next generation network.

   In the telecommunications industry, this access incorporates
   operation, administration, maintenance, and provisioning for network
   elements and various supporting systems and databases.  Members of
   the SRWG, from a cross-section of telecommunications carriers and
   vendors, developed an initial list of security requirements that
   would allow vendors, government departments and agencies, and service
   providers to implement a secure telecommunications network management
   infrastructure.  This initial list of security requirements was
   submitted as a contribution to Committee T1 - Telecommunications,
   Working Group T1M1.5 for consideration as a standard.  The
   requirements outlined in this document will allow vendors, government
   departments and agencies, and service providers to implement a secure
   telecommunications network management infrastructure.

   Documents:
   http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

5.4.  DMTF - Security Protection and Management (SPAM) Working Group

   http://www.dmtf.org/about/committees/spamWGCharter.pdf

   The Working Group will define a CIM Common Model that addresses
   security protection and detection technologies, which may include
   devices and services, and classifies security information, attacks,
   and responses.

5.5.  DMTF - User and Security Working Group

   http://www.dmtf.org/about/committees/userWGCharter.pdf

   The User and Security Working Group defines objects and access
   methods required for principals - where principals include users,
   groups, software agents, systems, and organizations.

5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
      Standards and Solutions

   ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf

   The ATIS TOPS Security Focus Group has made recommendations on work
   items needed to be performed by other SDOs.

5.6.1.  ATIS Work on Packet Filtering

   A part of the ATIS Work Plan was to define how disruptions may be
   prevented by filtering unwanted traffic at the edges of the network.
   ATIS is developing this work in a document titled, "Traffic Filtering
   for the Prevention of Unwanted Traffic".

5.7.  ATIS Work on the NGN

   http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/
   Part%20I/ATIS_NGN_Part_1_Issue1.pdf

   In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
   entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
   Definitions, Requirements, and Architecture, Issue 1.0, November
   2004."

5.8.  Common Criteria

   http://www.commoncriteriaportal.org/

   Version 1.0 of the CC was completed in January 1996.  Based on a
   number of trial evaluations and an extensive public review, Version
   1.0 was extensively revised and CC Version 2.0 was produced in April
   of 1998.  This became ISO International Standard 15408 in 1999.  The
   CC Project subsequently incorporated the minor changes that had
   resulted in the ISO process, producing CC version 2.1 in August 1999.
   Version 3.0 was published in June 2005 and is available for comment.

   The official version of the Common Criteria and of the Common
   Evaluation Methodology is v2.3 which was published in August 2005.

   All Common Criteria publications contain:

      Part 1: Introduction and general model

      Part 2: Security functional components

      Part 3: Security assurance components

   Documents: Common Criteria V2.3
   http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

5.9.  ETSI

   http://www.etsi.org/

   The ETSI hosted the ETSI Global Security Conference in late November,
   2003, which could lead to a standard.

   Groups related to security located from the ETSI Groups Portal:

      OCG Security
      3GPP SA3

      TISPAN WG7

5.10.  GGF Security Area (SEC)

   https://forge.gridforum.org/projects/sec/

   The Security Area (SEC) is concerned with various issues relating to
   authentication and authorization in Grid environments.

   Working groups:

      Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
      https://forge.gridforum.org/projects/authz-wg

      Certificate Authority Operations Working Group (CAOPS-WG) -
      https://forge.gridforum.org/projects/caops-wg

      OGSA Authorization Working Group (OGSA-AUTHZ) -
      https://forge.gridforum.org/projects/ogsa-authz

      Grid Security Infrastructure (GSI-WG) -
      https://forge.gridforum.org/projects/gsi-wg

5.11.  Information System Security Assurance Architecture

   IEEE Working Group - http://issaa.org/

   Formerly the Security Certification and Accreditation of Information
   Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
   Standard for Information System Security Assurance Architecture for
   ballot and during the process begin development of a suite of
   associated standards for components of that architecture.

   Documents: http://issaa.org/documents/index.html

5.12.  Operational Security Requirements for IP Network Infrastructure :
       Advanced Requirements

   IETF RFC 3871

   Abstract: This document defines a list of operational security
   requirements for the infrastructure of large ISP IP networks (routers
   and switches).  A framework is defined for specifying "profiles",
   which are collections of requirements applicable to certain network
   topology contexts (all, core-only, edge-only...).  The goal is to
   provide network operators a clear, concise way of communicating their
   security requirements to vendors.

   Documents:

      ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

5.13.  INCITS CS1 - Cyber Security

   http://cs1.incits.org/

   INCITS/CS1 was established in April 2005 to serve as the US TAG for
   ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
   (INCITS/T4 serves as the US TAG to SC 27/WG 2).

   The scope of CS1 explicitly excludes the areas of work on cyber
   security standardization presently underway in INCITS B10, M1 and T3;
   as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
   X9.  INCITS T4's area of work would be narrowed to cryptography
   projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
   mechanisms).

5.14.  ISO Guidelines for the Management of IT Security - GMITS

   Guidelines for the Management of IT Security -- Part 1: Concepts and
   models for IT Security

   http://www.iso.ch/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

   Guidelines for the Management of IT Security -- Part 2: Managing and
   planning IT Security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
   ICS3=

   Guidelines for the Management of IT Security -- Part 3: Techniques
   for the management of IT Security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
   ICS3=

   Guidelines for the Management of IT Security -- Part 4: Selection of
   safeguards

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
   ICS3=

   Guidelines for the Management of IT Security - Part 5: Management
   guidance on network security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
   ICS3=

   Open Systems Interconnection -- Network layer security protocol

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
   ICS3=30

5.15.

5.14.  ISO JTC 1/SC 27

   http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
   TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

   Several security related ISO projects under JTC 1/SC 27 are listed
   here such as:

      IT security techniques -- Entity authentication

      Security techniques -- Key management

      Security techniques -- Evaluation criteria for IT security

      Security techniques -- A framework for IT security assurance

      IT Security techniques -- Code of practice for information
      security management

      Security techniques -- IT network security

      Guidelines for the implementation, operation and management of
      Intrusion Detection Systems (IDS)

      International Security, Trust, and Privacy Alliance -- Privacy
      Framework

5.16.

5.15.  ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

   Security related recommendations currently under study:

      E.408 Telecommunication networks security requirements Q.5/2 (was
      E.sec1)

      E.409 Incident Organisation and Security Incident Handling Q.5/2
      (was E.sec2)

   Note: Access requires TIES account.

5.17.

5.16.  ITU-T Recommendation M.3016

   http://www.itu.int/itudoc/itu-t/com4/contr/068.html

   This recommendation provides an overview and framework that
   identifies the security requirements of a TMN and outlines how
   available security services and mechanisms can be applied within the
   context of the TMN functional architecture.

   Question 18 of Study Group 3 is revising Recommendation M.3016.  They
   have taken the original document and are incorporating thoughts from
   ITU-T Recommendation X.805 and from ANSI T1.276-2003.  The group has
   produced a new series of documents.

      M.3016.0 - Overview

      M.3016.1 - Requirements

      M.3016.2 - Services

      M.3016.3 - Mechanisms

      M.3016.4 - Profiles

5.18.

5.17.  ITU-T  Recommendation X.805

   http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

   This Recommendation defines the general security-related
   architectural elements that, when appropriately applied, can provide
   end-to-end network security.

5.19.

5.18.  ITU-T Study Group 16

   http://www.itu.int/ITU-T/studygroups/com16/index.asp

   Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

   http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

5.20.

5.19.  ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

   ITU-T Study Group 17 is the Lead Study Group on Communication System
   Security

   http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

   Study Group 17 Security Project:

   http://www.itu.int/ITU-T/studygroups/com17/security/index.html

   During its November 2002 meeting, Study Group 17 agreed to establish
   a new project entitled "Security Project" under the leadership of
   Q.10/17 to coordinate the ITU-T standardization effort on security.
   An analysis of the status on ITU-T Study Group action on information
   and communication network security may be found in TSB Circular 147
   of 14 February 2003.

5.21.

5.20.  Catalogue of ITU-T Recommendations related to Communications
       System Security

   http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

   The Catalogue of the approved security Recommendations include those,
   designed for security purposes and those, which describe or use of
   functions of security interest and need.  Although some of the
   security related Recommendations includes the phrase "Open Systems
   Interconnection", much of the information contained in them is
   pertinent to the establishment of security functionality in any
   communicating system.

5.22.

5.21.  ITU-T Security Manual

   http://www.itu.int/ITU-T/edh/files/security-manual.pdf

   TSB is preparing an "ITU-T Security Manual" to provide an overview on
   security in telecommunications and information technologies, describe
   practical issues, and indicate how the different aspects of security
   in today's applications are addressed by ITU-T Recommendations.  This
   manual has a tutorial character: it collects security related
   material from ITU-T Recommendations into one place and explains the
   respective relationships.  The intended audience for this manual are
   engineers and product managers, students and academia, as well as
   regulators who want to better understand security aspects in
   practical applications.

5.23.

5.22.  ITU-T NGN Effort

   http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

   During its January 2002 meeting, SG13 decided to undertake the
   preparation of a new ITU-T Project entitled "NGN 2004 Project".  At
   the November 2002 SG13 meeting, a preliminary description of the
   Project was achieved and endorsed by SG13 with the goal to launch the
   Project.  It is regularly updated since then.

   The role of the NGN 2004 Project is to organize and to coordinate
   ITU-T activities on Next Generation Networks.  Its target is to
   produce a first set of Recommendations on NGN by the end of this
   study period, i.e. mid-2004.

5.24.

5.23.  NRIC VI Focus Groups

   http://www.nric.org/fg/index.html

   The Network Reliability and Interoperability Council (NRIC) was
   formed with the purpose to provide recommendations to the FCC and to
   the industry to assure the reliability and interoperability of
   wireless, wireline, satellite, and cable public telecommunications
   networks.  These documents provide general information and guidance
   on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
   prevention of cyberattack and for restoration following a
   cyberattack.

   Documents:

      Homeland Defense - Recommendations Published 14-Mar-03

      Preventative Best Practices - Recommendations Published 14-Mar-03

      Recovery Best Practices - Recommendations Published 14-Mar-03

      Best Practice Appendices - Recommendations Published 14-Mar-03

5.25.

5.24.  OASIS Security Joint Committee

   http://www.oasis-open.org/committees/
   tc_home.php?wg_abbrev=security-jc

   The purpose of the Security JC is to coordinate the technical
   activities of multiple security related TCs.  The SJC is advisory
   only, and has no deliverables.  The Security JC will promote the use
   of consistent terms, promote re-use, champion an OASIS security
   standards model, provide consistent PR, and promote mutuality,
   operational independence and ethics.

5.26.

5.25.  OASIS Security Services (SAML) TC

   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

   The Security Services TC is working to advance the Security Assertion
   Markup Language (SAML) as an OASIS standard.  SAML is an XML
   framework for exchanging authentication and authorization
   information.

5.27.

5.26.  OIF Implementation Agreements

   The OIF has 2 approved Implementation Agreements (IAs) relating to
   security.  They are:

   OIF-SMI-01.0 - Security Management Interfaces to Network Elements

   This Implementation Agreement lists objectives for securing OAM&P
   interfaces to a Network Element and then specifies ways of using
   security systems (e.g., IPsec or TLS) for securing these interfaces.
   It summarizes how well each of the systems, used as specified,
   satisfies the objectives.

   OIF - SEP - 01.1 - Security Extension for UNI and NNI

   This Implementation Agreement defines a common Security Extension for
   securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

   Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

5.28.

5.27.  TIA

   The TIA has produced the "Compendium of Emergency Communications and
   Communications Network Security-related Work Activities".  This
   document identifies standards, or other technical documents and
   ongoing Emergency/Public Safety Communications and Communications
   Network Security-related work activities within TIA and it's
   Engineering Committees.  Many P25 documents are specifically
   detailed.  This "living document" is presented for information,
   coordination and reference.

   Documents: http://www.tiaonline.org/standards/technology/ciphs/
   documents/EMTEL_sec.pdf

5.29.

5.28.  WS-I Basic Security Profile

   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

   The WS-I Basic Security Profile 1.0 consists of a set of non-
   proprietary Web services specifications, along with clarifications
   and amendments to those specifications which promote
   interoperability.

5.30.

5.29.  NIST Special Publications (800 Series)

   http://csrc.nist.gov/publications/PubsSPs.html

   Special Publications in the 800 series present documents of general
   interest to the computer security community.  The Special Publication
   800 series was established in 1990 to provide a separate identity for
   information technology security publications.  This Special
   Publication 800 series reports on ITL's research, guidelines, and
   outreach efforts in computer security, and its collaborative
   activities with industry, government, and academic organizations.

5.31.

5.30.  NIST Interagency or Internal Reports (NISTIRs)

   http://csrc.nist.gov/publications/PubsNISTIRs.html

   NIST Interagency or Internal Reports (NISTIRs) describe research of a
   technical nature of interest to a specialized audience.  The series
   includes interim or final reports on work performed by NIST for
   outside sponsors (both government and nongovernment).  NISTIRs may
   also report results of NIST projects of transitory or limited
   interest, including those that will be published subsequently in more
   comprehensive form.

5.32.

5.31.  NIST ITL Security Bulletins

   http://csrc.nist.gov/publications/PubsITLSB.html

   ITL Bulletins are published by NIST's Information Technology
   Laboratory, with most bulletins written by the Computer Security
   Division.  These bulletins are published on the average of six times
   a year.  Each bulletin presents an in-depth discussion of a single
   topic of significant interest to the information systems community.
   Not all of ITL Bulletins that are published relate to computer /
   network security.  Only the computer security ITL Bulletins are found
   here.

5.33.

5.32.  SANS Information Security Reading Room

   http://www.sans.org/reading_room/

   Featuring over 1,885 original computer security white papers in 75
   different categories.

   Most of the computer security white papers in the Reading Room have
   been written by students seeking GIAC certification to fulfill part
   of their certification requirements and are provided by SANS as a
   resource to benefit the security community at large.  SANS attempts
   to ensure the accuracy of information, but papers are published "as
   is".  Errors or inconsistencies may exist or may be introduced over
   time as material becomes dated.

6.  Security Considerations

   This document describes efforts to standardize security practices and
   documents.  As such this document offers no security guidance
   whatsoever.

   Readers of this document should be aware of the date of publication
   of this document.  It is feared that they may assume that the
   efforts, on-line material, and documents are current whereas they may
   not be.  Please consider this when reading this document.

7.  IANA Considerations

   This document does not propose a standard and does not require the
   IANA to do anything.

8.  Acknowledgments

   The following people have contributed to this document.  Listing
   their names here does not mean that they endorse the document, but
   that they have contributed to its substance.

   David Black, Mark Ellison, George Jones, Keith McCloghrie, John
   McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
   Moon, Stephen Kent, Steve Wolff. Wolff, Bob Natale.

9.  Changes from Prior Drafts

   -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

   -01 : Security Glossaries:

         Added ATIS Telecom Glossary 2000, Critical Infrastructure
         Glossary of Terms and Acronyms, Microsoft Solutions for
         Security Glossary, and USC InfoSec Glossary.

      Standards Developing Organizations:

         Added DMTF, GGF, INCITS, OASIS, and WS-I

         Removal of Committee T1 and modifications to ATIS and former T1
         technical subcommittees due to the recent ATIS reorganization.

      Efforts and Documents:

         Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
         Area (SEC), INCITS Technical Committee T4 - Security
         Techniques, INCITS Technical Committee T11 - Fibre Channel
         Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
         Committee, OASIS Security Services TC, and WS-I Basic Security
         Profile.

         Updated Operational Security Requirements for IP Network
         Infrastructure : Advanced Requirements.

   -00 : as the WG ID

      Added more information about the ITU-T SG3 Q18 effort to modify
      ITU-T Recommendation M.3016.

   -01 : First revision as the WG ID.

      Added information about the NGN in the sections about ATIS, the
      NSTAC, and ITU-T.

   -02 : Second revision as the WG ID.

      Updated the date.

      Corrected some url's and the reference to George's RFC.

   -03 : Third revision of the WG ID.

      Updated the date.

      Updated the information about the CC

      Added a Conventions section (not sure how this document got to
      where it is without that)

   -04 : Fourth revision of the WG ID.

      Updated the date.

      Added Anne & Lynn Wheeler Taxonomy & Security Glossary

      CIAO glossary removed.  CIAO has been absorbed by DHS and the
      glossary is no longer available.

      USC glossary removed, could not find it on the site or a reference
      to it elsewhere.

      Added TTA - Telecommunications Technology Association to SDO
      section.

      Removed ATIS Security & Emergency Preparedness Activities from
      Documents section.  Could not find it or a reference to it.

      INCITS T4 incorporated into CS1 - T4 section removed

      X9 Added to SDO list under ANSI

      Various link or grammar fixes.

   -05 : Fifth revision of the WG ID.

      Updated the date.

      Removed the 2119 definitions; this is an informational document.

   -06 : Sixth revision of the WG ID.

      Updated the date.

      Added W3C information.

   -07 : Seventh revision of the WG ID.

      Updated the date.

   -08 : Eighth revision of the WG ID.

      Updated the reference to RFC 4949, found by Stephen Kent.

   -09 : Nineth revision of the WG ID.

      Updated the date.

   -10 : Tenth revision of the WG ID.

      Added references to NIST documents, recommended by Steve Wolff.
      Updated the date.

   -11 : Eleventh revision of the WG ID.

      Updated the date.

   -12 : Twelfth revision of the WG ID.

      Updated the date.

   -13 : Nothing new.

      Updated the date.

   -14 : Fourteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 3.

      Updated the section on Compendium of Approved ITU-T Security
      Definitions

      Updated the section on the Microsoft glossary.

      Updated the section on the SANS glossary.

      Added the NIST Security glossary.

      Added dates to all glossaries - where I could find them.

      Added the SANS Reading Room material to Section 5.

   -15 : Fifteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 4.  Several
      changes made.

      Removed WS-I as they have merged with OASIS.

      Added TM Forum.

   Note: This section will be removed before publication as an RFC.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas  78759
   US

   Phone: +1 512 378 1182
   Email: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas  78759
   US

   Phone: +1 512 378 1720
   Email: dspak@cisco.com