draft-ietf-opsec-efforts-15.txt | draft-ietf-opsec-efforts-16.txt | |||
---|---|---|---|---|
Network Working Group C. Lonvick | Network Working Group C. Lonvick | |||
Internet-Draft D. Spak | Internet-Draft D. Spak | |||
Intended status: Informational Cisco Systems | Intended status: Informational Cisco Systems | |||
Expires: August 18, 2011 February 14, 2011 | Expires: September 27, 2011 March 26, 2011 | |||
Security Best Practices Efforts and Documents | Security Best Practices Efforts and Documents | |||
draft-ietf-opsec-efforts-15.txt | draft-ietf-opsec-efforts-16.txt | |||
Abstract | Abstract | |||
This document provides a snapshot of the current efforts to define or | This document provides a snapshot of the current efforts to define or | |||
apply security requirements in various Standards Developing | apply security requirements in various Standards Developing | |||
Organizations (SDO). | Organizations (SDO). | |||
Status of this Memo | Status of this Memo | |||
This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on August 18, 2011. | This Internet-Draft will expire on September 27, 2011. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the BSD License. | described in the BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Format of this Document . . . . . . . . . . . . . . . . . . . 7 | 2. Format of this Document . . . . . . . . . . . . . . . . . . . 6 | |||
3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 8 | 3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 7 | |||
3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 8 | 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 7 | |||
3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 8 | 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 7 | |||
3.3. Compendium of Approved ITU-T Security Definitions . . . . 8 | 3.3. Compendium of Approved ITU-T Security Definitions . . . . 7 | |||
3.4. Microsoft Malware Protection Center . . . . . . . . . . . 9 | 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 8 | |||
3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 9 | 3.5. SANS Glossary of Security Terms . . . . . . . . . . . . . 8 | |||
3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 9 | 3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler . . . 8 | |||
3.7. NIST - Glossary of Key Information Security Terms . . . . 9 | 3.7. NIST - Glossary of Key Information Security Terms . . . . 8 | |||
4. Standards Developing Organizations . . . . . . . . . . . . . . 11 | 4. Standards Developing Organizations . . . . . . . . . . . . . . 10 | |||
4.1. 3GPP - Third Generation Partnership Project . . . . . . . 11 | 4.1. 3GPP - Third Generation Partnership Project . . . . . . . 10 | |||
4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 11 | 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 | |||
4.3. ANSI - The American National Standards Institute . . . . . 12 | 4.3. ANSI - The American National Standards Institute . . . . . 11 | |||
4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 12 | 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11 | |||
4.4. ATIS - Alliance for Telecommunications Industry | 4.4. ATIS - Alliance for Telecommunications Industry | |||
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 12 | Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
4.4.1. ATIS NPRQ - Network Performance, Reliability, and | 4.4.1. ATIS NPRQ - Network Performance, Reliability, and | |||
Quality of Service Committee, formerly T1A1 . . . . . 13 | Quality of Service Committee, formerly T1A1 . . . . . 12 | |||
4.4.2. ATIS TMOC - Telecom Management and Operations | 4.4.2. ATIS TMOC - Telecom Management and Operations | |||
Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 14 | Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13 | |||
4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 14 | 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13 | |||
4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 | 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 13 | |||
4.7. ETSI - The European Telecommunications Standard | 4.7. ETSI - The European Telecommunications Standard | |||
Institute . . . . . . . . . . . . . . . . . . . . . . . . 15 | Institute . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 15 | 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 15 | 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 14 | |||
4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 16 | 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 15 | |||
4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 16 | 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 15 | |||
4.9. IEEE - The Institute of Electrical and Electronics | 4.9. IEEE - The Institute of Electrical and Electronics | |||
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 16 | Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.9.1. IEEE Computer Society's Technical Committee on | 4.9.1. IEEE Computer Society's Technical Committee on | |||
Security and Privacy . . . . . . . . . . . . . . . . . 17 | Security and Privacy . . . . . . . . . . . . . . . . . 16 | |||
4.10. IETF - The Internet Engineering Task Force . . . . . . . . 17 | 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 16 | |||
4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 17 | 4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 16 | |||
4.11. INCITS - InterNational Committee for Information | 4.11. INCITS - InterNational Committee for Information | |||
Technology Standards . . . . . . . . . . . . . . . . . . . 17 | Technology Standards . . . . . . . . . . . . . . . . . . . 16 | |||
4.11.1. Identification Cards and Related Devices (B10) . . . . 18 | 4.11.1. Identification Cards and Related Devices (B10) . . . . 17 | |||
4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 18 | 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 17 | |||
4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 18 | 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 17 | |||
4.12. ISO - The International Organization for | 4.12. ISO - The International Organization for | |||
Standardization . . . . . . . . . . . . . . . . . . . . . 18 | Standardization . . . . . . . . . . . . . . . . . . . . . 17 | |||
4.13. ITU - International Telecommunication Union . . . . . . . 19 | 4.13. ITU - International Telecommunication Union . . . . . . . 18 | |||
4.13.1. ITU Telecommunication Standardization Sector - | 4.13.1. ITU Telecommunication Standardization Sector - | |||
ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 19 | ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 20 | 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 19 | |||
4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 20 | 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 19 | |||
4.14. OASIS - Organization for the Advancement of | 4.14. OASIS - Organization for the Advancement of | |||
Structured Information Standards . . . . . . . . . . . . . 21 | Structured Information Standards . . . . . . . . . . . . . 20 | |||
4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 21 | 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 20 | |||
4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 22 | 4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 21 | |||
4.16. NRIC - The Network Reliability and Interoperability | 4.16. NRIC - The Network Reliability and Interoperability | |||
Council . . . . . . . . . . . . . . . . . . . . . . . . . 22 | Council . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
4.17. National Security Telecommunications Advisory | 4.17. National Security Telecommunications Advisory | |||
Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 22 | Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 21 | |||
4.18. TIA - The Telecommunications Industry Association . . . . 23 | 4.18. TIA - The Telecommunications Industry Association . . . . 22 | |||
4.18.1. Critical Infrastructure Protection (CIP) and | 4.18.1. Critical Infrastructure Protection (CIP) and | |||
Homeland Security (HS) . . . . . . . . . . . . . . . . 23 | Homeland Security (HS) . . . . . . . . . . . . . . . . 22 | |||
4.18.2. Commercial Encryption Source Code and Related | 4.18.2. Commercial Encryption Source Code and Related | |||
Information . . . . . . . . . . . . . . . . . . . . . 24 | Information . . . . . . . . . . . . . . . . . . . . . 23 | |||
4.19. TTA - Telecommunications Technology Association . . . . . 24 | 4.19. TTA - Telecommunications Technology Association . . . . . 23 | |||
4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 24 | 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 23 | |||
4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 25 | 4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
4.21.1. Security Management . . . . . . . . . . . . . . . . . 25 | 4.21.1. Security Management . . . . . . . . . . . . . . . . . 24 | |||
5. Security Best Practices Efforts and Documents . . . . . . . . 27 | 5. Security Best Practices Efforts and Documents . . . . . . . . 26 | |||
5.1. 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 27 | 5.1. 3GPP - SA3 - Security . . . . . . . . . . . . . . . . . . 26 | |||
5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 27 | 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 26 | |||
5.3. American National Standard T1.276-2003 - Baseline | 5.3. ATIS-0300276.2008 - Operations, Administration, | |||
Security Requirements for the Management Plane . . . . . . 27 | Maintenance, and Provisioning Security Requirements | |||
5.4. DMTF - Security Protection and Management (SPAM) | for the Public Telecommunications Network: A Baseline | |||
Working Group . . . . . . . . . . . . . . . . . . . . . . 28 | of Security Requirements for the Management Plane . . . . 26 | |||
5.5. DMTF - User and Security Working Group . . . . . . . . . . 28 | 5.4. DMTF - Security Modeling Working Group . . . . . . . . . . 27 | |||
5.6. ATIS Work-Plan to Achieve Interoperable, | 5.5. Common Criteria . . . . . . . . . . . . . . . . . . . . . 27 | |||
Implementable, End-To-End Standards and Solutions . . . . 28 | 5.6. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
5.6.1. ATIS Work on Packet Filtering . . . . . . . . . . . . 28 | 5.7. Operational Security Requirements for IP Network | |||
5.7. ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 29 | Infrastructure : Advanced Requirements . . . . . . . . . . 29 | |||
5.8. Common Criteria . . . . . . . . . . . . . . . . . . . . . 29 | 5.8. ISO JTC 1/SC 27 - Information security Technology | |||
5.9. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 | techniques . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
5.10. GGF Security Area (SEC) . . . . . . . . . . . . . . . . . 30 | 5.9. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 29 | |||
5.11. Information System Security Assurance Architecture . . . . 30 | 5.10. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 29 | |||
5.12. Operational Security Requirements for IP Network | 5.11. NRIC VII Focus Groups . . . . . . . . . . . . . . . . . . 31 | |||
Infrastructure : Advanced Requirements . . . . . . . . . . 30 | 5.12. OASIS Security Technical Committees . . . . . . . . . . . 32 | |||
5.13. ISO Guidelines for the Management of IT Security - | 5.13. OIF Implementation Agreements . . . . . . . . . . . . . . 32 | |||
GMITS . . . . . . . . . . . . . . . . . . . . . . . . . . 31 | 5.14. TIA - Critical Infrastructure Protection (CIP) and | |||
5.14. ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . . 32 | Homeland Security (HS) . . . . . . . . . . . . . . . . . . 32 | |||
5.15. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 32 | 5.15. NIST Special Publications (800 Series) . . . . . . . . . . 33 | |||
5.16. ITU-T Recommendation M.3016 . . . . . . . . . . . . . . . 32 | 5.16. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 33 | |||
5.17. ITU-T Recommendation X.805 . . . . . . . . . . . . . . . 33 | 5.17. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 33 | |||
5.18. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 33 | 5.18. SANS Information Security Reading Room . . . . . . . . . . 33 | |||
5.19. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 33 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 35 | |||
5.20. Catalogue of ITU-T Recommendations related to | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 | |||
Communications System Security . . . . . . . . . . . . . . 34 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
5.21. ITU-T Security Manual . . . . . . . . . . . . . . . . . . 34 | 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 38 | |||
5.22. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 34 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
5.23. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 35 | ||||
5.24. OASIS Security Joint Committee . . . . . . . . . . . . . . 35 | ||||
5.25. OASIS Security Services (SAML) TC . . . . . . . . . . . . 35 | ||||
5.26. OIF Implementation Agreements . . . . . . . . . . . . . . 35 | ||||
5.27. TIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | ||||
5.28. WS-I Basic Security Profile . . . . . . . . . . . . . . . 36 | ||||
5.29. NIST Special Publications (800 Series) . . . . . . . . . . 36 | ||||
5.30. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 37 | ||||
5.31. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 37 | ||||
5.32. SANS Information Security Reading Room . . . . . . . . . . 37 | ||||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 38 | ||||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 | ||||
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 41 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 | ||||
1. Introduction | 1. Introduction | |||
The Internet is being recognized as a critical infrastructure similar | The Internet is being recognized as a critical infrastructure similar | |||
in nature to the power grid and a potable water supply. Just like | in nature to the power grid and a potable water supply. Just like | |||
those infrastructures, means are needed to provide resiliency and | those infrastructures, means are needed to provide resiliency and | |||
adaptability to the Internet so that it remains consistently | adaptability to the Internet so that it remains consistently | |||
available to the public throughout the world even during times of | available to the public throughout the world even during times of | |||
duress or attack. For this reason, many SDOs are developing | duress or attack. For this reason, many SDOs are developing | |||
standards with hopes of retaining an acceptable level, or even | standards with hopes of retaining an acceptable level, or even | |||
skipping to change at page 6, line 8 | skipping to change at page 6, line 8 | |||
described in the Working Group Charter. The authors have agreed to | described in the Working Group Charter. The authors have agreed to | |||
keep this document current and request that those who read it will | keep this document current and request that those who read it will | |||
submit corrections or comments. | submit corrections or comments. | |||
Comments on this document may be addressed to the OpSec Working Group | Comments on this document may be addressed to the OpSec Working Group | |||
or directly to the authors. | or directly to the authors. | |||
opsec@ops.ietf.org | opsec@ops.ietf.org | |||
This document will be updated in sections. The most recently updated | This document will be updated in sections. The most recently updated | |||
part of this document is Section 3. | part of this document is Section 5. | |||
2. Format of this Document | 2. Format of this Document | |||
The body of this document has three sections. | The body of this document has three sections. | |||
The first part of the body of this document, Section 3, contains a | The first part of the body of this document, Section 3, contains a | |||
listing of online glossaries relating to networking and security. It | listing of online glossaries relating to networking and security. It | |||
is very important that the definitions of words relating to security | is very important that the definitions of words relating to security | |||
and security events be consistent. Inconsistencies between the | and security events be consistent. Inconsistencies between the | |||
usage of words in standards is unacceptable as it would prevent a | usage of words in standards is unacceptable as it would prevent a | |||
skipping to change at page 8, line 5 | skipping to change at page 7, line 26 | |||
definitions of the words in the listed glossaries so can offer no | definitions of the words in the listed glossaries so can offer no | |||
assurance of their alignment. | assurance of their alignment. | |||
The second part, Section 4, contains a listing of SDOs that appear to | The second part, Section 4, contains a listing of SDOs that appear to | |||
be working on security standards. | be working on security standards. | |||
The third part, Section 5, lists the documents which have been found | The third part, Section 5, lists the documents which have been found | |||
to offer good practices or recommendations for securing networks and | to offer good practices or recommendations for securing networks and | |||
networking devices. | networking devices. | |||
The text used in sections 3, 4, and 5 has been copied from their | ||||
referring web sites. The authors make no claim about the validity or | ||||
accuracy of the information listed. | ||||
3. Online Security Glossaries | 3. Online Security Glossaries | |||
This section contains references to glossaries of network and | This section contains references to glossaries of network and | |||
computer security terms | computer security terms. | |||
3.1. ATIS Telecom Glossary 2007 | 3.1. ATIS Telecom Glossary 2007 | |||
http://www.atis.org/tg2k/ | http://www.atis.org/tg2k/ | |||
This Glossary began as a 5800-entry, search-enabled hypertext | This Glossary began as a 5800-entry, search-enabled hypertext | |||
telecommunications glossary titled Federal Standard 1037C, Glossary | telecommunications glossary titled Federal Standard 1037C, Glossary | |||
of Telecommunication Terms. Federal Standard 1037C was updated and | of Telecommunication Terms. Federal Standard 1037C was updated and | |||
matured into an American National Standard (ANS): T1.523-2001, | matured into an American National Standard (ANS): T1.523-2001, | |||
Telecom Glossary 2000, under the aegis of ASC T1. In turn, T1.523- | Telecom Glossary 2000, under the aegis of ASC T1. In turn, T1.523- | |||
skipping to change at page 27, line 9 | skipping to change at page 27, line 9 | |||
contributions, and multi-vendor technology demonstrations have | contributions, and multi-vendor technology demonstrations have | |||
jump-started work efforts on industry hot topics Network Defense, Cyber | jump-started work efforts on industry hot topics Network Defense, Cyber | |||
Security, and security for single and multi-regional enterprise | Security, and security for single and multi-regional enterprise | |||
application cloud bursting. Our aim is to produce Security | application cloud bursting. Our aim is to produce Security | |||
Management rich frameworks, best practices, and guidebooks. | Management rich frameworks, best practices, and guidebooks. | |||
5. Security Best Practices Efforts and Documents | 5. Security Best Practices Efforts and Documents | |||
This section lists the works produced by the SDOs. | This section lists the works produced by the SDOs. | |||
5.1. 3GPP - TSG SA WG3 (Security) | 5.1. 3GPP - SA3 - Security | |||
http://www.3gpp.org/TB/SA/SA3/SA3.htm | http://www.3gpp.org/SA3-Security | |||
TSG SA WG3 Security is responsible for the security of the 3GPP | The WG is responsible for security in 3GPP systems, determining the | |||
system, performing analyses of potential security threats to the | security requirements, and specifying the security architectures and | |||
system, considering the new threats introduced by the IP based | protocols. The WG also ensures the availability of cryptographic | |||
services and systems and setting the security requirements for the | algorithms which need to be part of the specifications. The sub-WG | |||
overall 3GPP system. | SA3-LI provides the requirements and specifications for lawful | |||
interception in 3GPP systems. | ||||
Specifications: | Specifications: | |||
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm | http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm | |||
Work Items: | ||||
http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm | ||||
3GPP Confidentiality and Integrity algorithms: | ||||
http://www.3gpp.org/TB/Other/algorithms.htm | ||||
5.2. 3GPP2 - TSG-S Working Group 4 (Security) | 5.2. 3GPP2 - TSG-S Working Group 4 (Security) | |||
http://www.3gpp2.org/Public_html/S/index.cfm | http://www.3gpp2.org/Public_html/S/index.cfm | |||
The Services and Systems Aspects TSG (TSG-S) is responsible for the | The Services and Systems Aspects TSG (TSG-S) is responsible for the | |||
development of service capability requirements for systems based on | development of service capability requirements for systems based on | |||
3GPP2 specifications. Among its responsibilities TSG-S is addressing | 3GPP2 specifications. It is also responsible for high level | |||
management, technical coordination, as well as architectural and | architectural issues, as required, to coordinate service development | |||
across the various TSGs. In this role, the Services and Systems TSG | ||||
shall track the activities within the various TSGs, as required, to | ||||
meet the above service requirements. | ||||
More specifically, TSG-S will address the following areas of work: | ||||
Management, technical coordination, as well as architectural and | ||||
requirements development associated with all end-to-end features, | requirements development associated with all end-to-end features, | |||
services and system capabilities including, but not limited to, | services and system capabilities including, but not limited to, | |||
security and QoS. | security and QoS | |||
TSG-S Specifications: | ||||
http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs | ||||
5.3. American National Standard T1.276-2003 - Baseline Security | TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/tsgs.cfm | |||
Requirements for the Management Plane | ||||
Abstract: This standard contains a set of baseline security | 5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and | |||
requirements for the management plane. The President's National | Provisioning Security Requirements for the Public | |||
Security Telecommunications Advisory Committee Network Security | Telecommunications Network: A Baseline of Security Requirements | |||
Information Exchange (NSIE) and Government NSIE jointly established a | for the Management Plane | |||
Security Requirements Working Group (SRWG) to examine the security | ||||
requirements for controlling access to the public switched network, | ||||
in particular with respect to the emerging next generation network. | ||||
In the telecommunications industry, this access incorporates | This document contains both the published and redline versions of | |||
operation, administration, maintenance, and provisioning for network | ATIS-0300276.2008. This standard contains a set of baseline security | |||
elements and various supporting systems and databases. Members of | requirements for the management plane. The requirements outlined in | |||
the SRWG, from a cross-section of telecommunications carriers and | this standard allow equipment/system suppliers, government | |||
vendors, developed an initial list of security requirements that | ||||
would allow vendors, government departments and agencies, and service | ||||
providers to implement a secure telecommunications network management | ||||
infrastructure. This initial list of security requirements was | ||||
submitted as a contribution to Committee T1 - Telecommunications, | ||||
Working Group T1M1.5 for consideration as a standard. The | ||||
requirements outlined in this document will allow vendors, government | ||||
departments and agencies, and service providers to implement a secure | departments and agencies, and service providers to implement a secure | |||
telecommunications network management infrastructure. | telecommunications management infrastructure. | |||
Documents: | ||||
http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 | ||||
5.4. DMTF - Security Protection and Management (SPAM) Working Group | ||||
http://www.dmtf.org/about/committees/spamWGCharter.pdf | ||||
The Working Group will define a CIM Common Model that addresses | ||||
security protection and detection technologies, which may include | ||||
devices and services, and classifies security information, attacks, | ||||
and responses. | ||||
5.5. DMTF - User and Security Working Group | ||||
http://www.dmtf.org/about/committees/userWGCharter.pdf | ||||
The User and Security Working Group defines objects and access | ||||
methods required for principals - where principals include users, | ||||
groups, software agents, systems, and organizations. | ||||
5.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End | ||||
Standards and Solutions | ||||
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf | ||||
The ATIS TOPS Security Focus Group has made recommendations on work | ||||
items needed to be performed by other SDOs. | ||||
5.6.1. ATIS Work on Packet Filtering | Documents: http://www.atis.org/docstore/product.aspx?id=24660 | |||
A part of the ATIS Work Plan was to define how disruptions may be | 5.4. DMTF - Security Modeling Working Group | |||
prevented by filtering unwanted traffic at the edges of the network. | ||||
ATIS is developing this work in a document titled, "Traffic Filtering | ||||
for the Prevention of Unwanted Traffic". | ||||
5.7. ATIS Work on the NGN | http://www.dmtf.org/sites/default/files/SecurityWGCharter.pdf | |||
http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/ | The Security Modeling Working Group of the Schema Subcommittee is | |||
Part%20I/ATIS_NGN_Part_1_Issue1.pdf | responsible for developing the models and profiles required to | |||
provide interoperable security management interfaces for | ||||
implementations, including the enabling of configuration and | ||||
management of authentication, authorization, and auditing services. | ||||
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts | The operational security requirements for protocols and management | |||
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN | initiatives are not addressed by this work group and should be | |||
Definitions, Requirements, and Architecture, Issue 1.0, November | addressed by the working groups responsible for them. Management of | |||
2004." | the underlying security capabilities utilized by such protocols and | |||
initiatives is addressed by this work group (for example: | ||||
interfaces for the management of keys and certificates). | ||||
5.8. Common Criteria | 5.5. Common Criteria | |||
http://www.commoncriteriaportal.org/ | http://www.commoncriteriaportal.org/ | |||
Version 1.0 of the CC was completed in January 1996. Based on a | The Common Criteria for Information Technology Security Evaluation | |||
number of trial evaluations and an extensive public review, Version | (CC), and the companion Common Methodology for Information Technology | |||
1.0 was extensively revised and CC Version 2.0 was produced in April | Security Evaluation (CEM) are the technical basis for an | |||
of 1998. This became ISO International Standard 15408 in 1999. The | international agreement, the Common Criteria Recognition Agreement | |||
CC Project subsequently incorporated the minor changes that had | (CCRA), which ensures that: | |||
resulted in the ISO process, producing CC version 2.1 in August 1999. | ||||
Version 3.0 was published in June 2005 and is available for comment. | ||||
The official version of the Common Criteria and of the Common | ||||
Evaluation Methodology is v2.3 which was published in August 2005. | ||||
All Common Criteria publications contain: | ||||
Part 1: Introduction and general model | ||||
Part 2: Security functional components | ||||
Part 3: Security assurance components | Products can be evaluated by competent and independent licensed | |||
laboratories so as to determine the fulfilment of particular | ||||
security properties, to a certain extent or assurance; | ||||
Documents: Common Criteria V2.3 | Supporting documents, are used within the Common Criteria | |||
http://www.commoncriteriaportal.org/public/expert/index.php?menu=2 | certification process to define how the criteria and evaluation | |||
methods are applied when certifying specific technologies; | ||||
5.9. ETSI | The certification of the security properties of an evaluated | |||
product can be issued by a number of Certificate Authorizing | ||||
Schemes, with this certification being based on the result of | ||||
their evaluation; | ||||
http://www.etsi.org/ | These certificates are recognized by all the signatories of the | |||
CCRA. | ||||
The ETSI hosted the ETSI Global Security Conference in late November, | The CC is the driving force for the widest available mutual | |||
2003, which could lead to a standard. | recognition of secure IT products. This web portal is available to | |||
support the information on the status of the CCRA, the CC and the | ||||
certification schemes, licensed laboratories, certified products and | ||||
related information, news and events. | ||||
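Review bot: the rewritten Common Criteria text no longer says which CC/CEM version is current; the -15 text named v2.3 and ISO 15408, and the replacement gives only the CCRA overview. A reader using this section to judge what a certificate was evaluated against needs a version pointer, so keep one sentence naming the current CC/CEM version, or state explicitly that the portal is the authority for it. Minor: "Supporting documents, are used" has a stray comma, and "to a certain extent or assurance" reads oddly (an assurance level is presumably meant).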
Groups related to security located from the ETSI Groups Portal: | 5.6. ETSI | |||
OCG Security | TC SEC | |||
3GPP SA3 | ||||
TISPAN WG7 | http://portal.etsi.org/portal/server.pt/gateway/ | |||
PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp | ||||
5.10. GGF Security Area (SEC) | Board#38 confirmed the closure of TC SEC. | |||
https://forge.gridforum.org/projects/sec/ | At the same time it approved the creation of an OCG Ad Hoc group OCG | |||
Security | ||||
The Security Area (SEC) is concerned with various issues relating to | TC SEC documents can be found in the SEC archive (members login | |||
authentication and authorization in Grid environments. | required) | |||
Working groups: | The SEC Working groups (ESI and LI) were closed and TC ESI and a TC | |||
LI were created to continue the work. | ||||
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - | All documents and information relevant to ESI and LI are available | |||
https://forge.gridforum.org/projects/authz-wg | from the TC ESI and TC LI sites | |||
Certificate Authority Operations Working Group (CAOPS-WG) - | TC ESI: http://portal.etsi.org/portal/server.pt/community/ESI/307 | |||
https://forge.gridforum.org/projects/caops-wg | ||||
OGSA Authorization Working Group (OGSA-AUTHZ) - | TC LI: http://portal.etsi.org/portal/server.pt/community/LI/318 | |||
https://forge.gridforum.org/projects/ogsa-authz | ||||
Grid Security Infrastructure (GSI-WG) - | OCG SEC | |||
https://forge.gridforum.org/projects/gsi-wg | ||||
5.11. Information System Security Assurance Architecture | http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp | |||
IEEE Working Group - http://issaa.org/ | The group's primary role is to provide a light-weight horizontal co- | |||
ordination structure for security issues that will ensure this work | ||||
is seriously considered in each ETSI TB and that any duplicate or | ||||
conflicting work is detected. To achieve this aim the group should | ||||
mainly conduct its work via email and, where appropriate, co-sited | ||||
"joint security" technical working meetings. | ||||
Formerly the Security Certification and Accreditation of Information | OCG documents may be found here: | |||
Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft | ||||
Standard for Information System Security Assurance Architecture for | ||||
ballot and during the process begin development of a suite of | ||||
associated standards for components of that architecture. | ||||
Documents: http://issaa.org/documents/index.html | http://portal.etsi.org/ocg/Summary.asp (members login required) | |||
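Review bot: the TC SEC link at the top of the new ETSI section (http://portal.etsi.org/portal/server.pt/gateway/PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp) carries a portal-generated path segment and is unlikely to stay stable; since the text itself says TC SEC is closed and its documents live in the SEC archive (members login required), cite that archive location directly or rely on the TC ESI and TC LI links already given. "Board#38 confirmed the closure of TC SEC" also carries no date, which makes the status hard to verify later; add the meeting date.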
5.12. Operational Security Requirements for IP Network Infrastructure : | 5.7. Operational Security Requirements for IP Network Infrastructure : | |||
Advanced Requirements | Advanced Requirements | |||
IETF RFC 3871 | IETF RFC 3871 | |||
Abstract: This document defines a list of operational security | Abstract: This document defines a list of operational security | |||
requirements for the infrastructure of large ISP IP networks (routers | requirements for the infrastructure of large ISP IP networks (routers | |||
and switches). A framework is defined for specifying "profiles", | and switches). A framework is defined for specifying "profiles", | |||
which are collections of requirements applicable to certain network | which are collections of requirements applicable to certain network | |||
topology contexts (all, core-only, edge-only...). The goal is to | topology contexts (all, core-only, edge-only...). The goal is to | |||
provide network operators a clear, concise way of communicating their | provide network operators a clear, concise way of communicating their | |||
security requirements to vendors. | security requirements to vendors. | |||
Documents: | Documents: | |||
ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt | http://www.rfc-editor.org/rfc/rfc3871.txt | |||
5.13. ISO Guidelines for the Management of IT Security - GMITS | ||||
Guidelines for the Management of IT Security -- Part 1: Concepts and | ||||
models for IT Security | ||||
http://www.iso.ch/iso/en/ | ||||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 | ||||
Guidelines for the Management of IT Security -- Part 2: Managing and | ||||
planning IT Security | ||||
http://www.iso.org/iso/en/ | ||||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& | ||||
ICS3= | ||||
Guidelines for the Management of IT Security -- Part 3: Techniques | ||||
for the management of IT Security | ||||
http://www.iso.org/iso/en/ | ||||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40& | ||||
ICS3= | ||||
Guidelines for the Management of IT Security -- Part 4: Selection of | ||||
safeguards | ||||
http://www.iso.org/iso/en/ | ||||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40& | ||||
ICS3= | ||||
Guidelines for the Management of IT Security - Part 5: Management | ||||
guidance on network security | ||||
http://www.iso.org/iso/en/ | ||||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& | ||||
ICS3= | ||||
Open Systems Interconnection -- Network layer security protocol | ||||
http://www.iso.org/iso/en/ | ||||
CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& | ||||
ICS3=30 | ||||
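Review bot: the GMITS section (ISO Guidelines for the Management of IT Security, Parts 1 to 5, plus the OSI network layer security protocol entry) is deleted outright, and nothing in the -16 text or its change log says why or where that material now lives. If the series has been withdrawn or superseded, a one-line note to that effect (or a pointer in the ISO JTC 1/SC 27 section that follows) would stop readers from assuming the guidance simply vanished.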
5.14. ISO JTC 1/SC 27 | 5.8. ISO JTC 1/SC 27 - Information security Technology techniques | |||
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ | http://www.iso.org/iso/iso_catalogue/catalogue_tc/ | |||
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 | catalogue_tc_browse.htm?commid=45306 | |||
Several security related ISO projects under JTC 1/SC 27 are listed | Several security related ISO projects under JTC 1/SC 27 are listed | |||
here such as: | here such as: | |||
IT security techniques -- Entity authentication | IT security techniques -- Message Authentication Codes (MACs) | |||
Security techniques -- Key management | ||||
Security techniques -- Evaluation criteria for IT security | ||||
Security techniques -- A framework for IT security assurance | IT Security techniques -- Key management | |||
IT Security techniques -- Code of practice for information | IT Security techniques -- Entity authentication | |||
security management | ||||
Security techniques -- IT network security | IT Security techniques -- Hash-functions | |||
Guidelines for the implementation, operation and management of | IT Security techniques -- Non-repudiation | |||
Intrusion Detection Systems (IDS) | ||||
International Security, Trust, and Privacy Alliance -- Privacy | IT Security techniques -- IT network security | |||
Framework | ||||
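Review bot: the new heading "5.8. ISO JTC 1/SC 27 - Information security Technology techniques" has inconsistent capitalization and does not match the list entries under it, which all use "IT Security techniques"; align the heading with the entries or with the committee title shown on the linked catalogue page. The lead-in "are listed here such as:" implies a sample; since the list was reworked in this revision (MACs, hash-functions and non-repudiation added, evaluation criteria and the assurance framework dropped), say whether it is meant to be representative or complete.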
5.15. ITU-T Study Group 2 | 5.9. ITU-T Study Group 2 | |||
http://www.itu.int/ITU-T/studygroups/com02/index.asp | http://www.itu.int/ITU-T/studygroups/com02/index.asp | |||
Security related recommendations currently under study: | Security related recommendations currently under study: | |||
http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2 | ||||
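Review bot: in the -16 column the ITU-T Study Group 2 section ends with "Security related recommendations currently under study:" followed by nothing; the -15 text listed E.408 and E.409 (with the TIES-account note) and the index URL. Either restore the pointer (http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2) or drop the dangling lead-in.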
E.408 Telecommunication networks security requirements Q.5/2 (was | 5.10. ITU-T Study Group 17 | |||
E.sec1) | ||||
E.409 Incident Organisation and Security Incident Handling Q.5/2 | ||||
(was E.sec2) | ||||
Note: Access requires TIES account. | ||||
5.16. ITU-T Recommendation M.3016 | ||||
http://www.itu.int/itudoc/itu-t/com4/contr/068.html | ||||
This recommendation provides an overview and framework that | ||||
identifies the security requirements of a TMN and outlines how | ||||
available security services and mechanisms can be applied within the | ||||
context of the TMN functional architecture. | ||||
Question 18 of Study Group 3 is revising Recommendation M.3016. They | ||||
have taken the original document and are incorporating thoughts from | ||||
ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has | ||||
produced a new series of documents. | ||||
M.3016.0 - Overview | ||||
M.3016.1 - Requirements | ||||
M.3016.2 - Services | ||||
M.3016.3 - Mechanisms | ||||
M.3016.4 - Profiles | ||||
5.17. ITU-T Recommendation X.805 | ||||
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html | ||||
This Recommendation defines the general security-related | ||||
architectural elements that, when appropriately applied, can provide | ||||
end-to-end network security. | ||||
5.18. ITU-T Study Group 16 | ||||
http://www.itu.int/ITU-T/studygroups/com16/index.asp | ||||
Multimedia Security in Next-Generation Networks (NGN-MM-SEC) | ||||
http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html | ||||
5.19. ITU-T Study Group 17 | ||||
http://www.itu.int/ITU-T/studygroups/com17/index.asp | http://www.itu.int/ITU-T/studygroups/com17/index.asp | |||
Security related recommendations currently under study: | ||||
http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17 | ||||
ITU-T Study Group 17 is the Lead Study Group on Communication System | The ICT Security Standards Roadmap | |||
Security | http://www.itu.int/ITU-T/studygroups/com17/ict/index.html | |||
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html | ||||
Study Group 17 Security Project: | ||||
http://www.itu.int/ITU-T/studygroups/com17/security/index.html | This ICT Security Standards Roadmap has been developed to assist in | |||
the development of security standards by bringing together | ||||
information about existing standards and current standards work in | ||||
key standards development organizations. | ||||
During its November 2002 meeting, Study Group 17 agreed to establish | In addition to aiding the process of standards development, the | |||
a new project entitled "Security Project" under the leadership of | Roadmap will provide information that will help potential users of | |||
Q.10/17 to coordinate the ITU-T standardization effort on security. | security standards, and other standards stakeholders, gain an | |||
An analysis of the status on ITU-T Study Group action on information | understanding of what standards are available or under development as | |||
and communication network security may be found in TSB Circular 147 | well as the key organizations that are working on these standards. | |||
of 14 February 2003. | ||||
5.20. Catalogue of ITU-T Recommendations related to Communications | The Roadmap was initiated by ITU-T Study Group 17. In January 2007 | |||
System Security | the initiative became a collaborative effort when the European | |||
Network and Information Security Agency (ENISA) and the Network and | ||||
Information Security Steering Group (NISSG) joined Study Group 17 in | ||||
the project. | ||||
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html | The Roadmap is in five parts: | |||
The Catalogue of the approved security Recommendations include those, | Part 1: ICT Standards Development Organizations and Their Work | |||
designed for security purposes and those, which describe or use of | http://www.itu.int/ITU-T/studygroups/com17/ict/part01.html | |||
functions of security interest and need. Although some of the | ||||
security related Recommendations includes the phrase "Open Systems | ||||
Interconnection", much of the information contained in them is | ||||
pertinent to the establishment of security functionality in any | ||||
communicating system. | ||||
5.21. ITU-T Security Manual | Part 1 contains information about the Roadmap structure and about | |||
each of the listed standards organizations, their structure and the | ||||
security standards work being undertaken. In addition it contains | ||||
information on terminology by providing links to existing security | ||||
glossaries and vocabularies. | ||||
http://www.itu.int/ITU-T/edh/files/security-manual.pdf | Part 2: Approved ICT Security Standards | |||
http://www.itu.int/ITU-T/studygroups/com17/ict/part02.html | ||||
TSB is preparing an "ITU-T Security Manual" to provide an overview on | Part 2 contains a summary catalogue of approved standards. | |||
security in telecommunications and information technologies, describe | ||||
practical issues, and indicate how the different aspects of security | ||||
in today's applications are addressed by ITU-T Recommendations. This | ||||
manual has a tutorial character: it collects security related | ||||
material from ITU-T Recommendations into one place and explains the | ||||
respective relationships. The intended audience for this manual are | ||||
engineers and product managers, students and academia, as well as | ||||
regulators who want to better understand security aspects in | ||||
practical applications. | ||||
5.22. ITU-T NGN Effort | Part 3: Security standards under development | |||
http://www.itu.int/ITU-T/studygroups/com17/ict/part03.html | ||||
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html | Part 3 is structured with the same taxonomy as Part 2 but contains | |||
work in progress, rather than standards that have already been | ||||
approved and published. Part 3 will also contain information on | ||||
inter-relationships between groups undertaking the work and on | ||||
potential overlaps between existing projects. | ||||
During its January 2002 meeting, SG13 decided to undertake the | Part 4: Future needs and proposed new security standards | |||
preparation of a new ITU-T Project entitled "NGN 2004 Project". At | http://www.itu.int/ITU-T/studygroups/com17/ict/part04.html | |||
the November 2002 SG13 meeting, a preliminary description of the | ||||
Project was achieved and endorsed by SG13 with the goal to launch the | ||||
Project. It is regularly updated since then. | ||||
The role of the NGN 2004 Project is to organize and to coordinate | Part 4 is intended to capture possible future areas of security | |||
ITU-T activities on Next Generation Networks. Its target is to | standards work where gaps or needs have been identified as well as | |||
produce a first set of Recommendations on NGN by the end of this | areas where proposals have been made for specific new standards work. | |||
study period, i.e. mid-2004. | ||||
5.23. NRIC VI Focus Groups | Part 4 includes provision for direct feedback, comments and | |||
suggestions. | ||||
http://www.nric.org/fg/index.html | Part 5: Best practices | |||
http://www.itu.int/ITU-T/studygroups/com17/ict/part05.html | ||||
The Network Reliability and Interoperability Council (NRIC) was | Part 5 is a recent addition to the Roadmap (May 2007). It is | |||
formed with the purpose to provide recommendations to the FCC and to | intended to be a repository of security-related best practices | |||
the industry to assure the reliability and interoperability of | contributed by our community of members. | |||
wireless, wireline, satellite, and cable public telecommunications | ||||
networks. These documents provide general information and guidance | ||||
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | ||||
prevention of cyberattack and for restoration following a | ||||
cyberattack. | ||||
Documents: | This section will be based on contributions from the security | |||
community. | ||||
Homeland Defense - Recommendations Published 14-Mar-03 | Where possible contributions should refer to best practices relating | |||
to standards-based security but other best practices will be | ||||
considered for inclusion. | ||||
Preventative Best Practices - Recommendations Published 14-Mar-03 | It is important to note that the Roadmap is a work-in-progress. It | |||
is intended that it be developed and enhanced to include other | ||||
standards organizations as well as a broader representation of the | ||||
work from organizations already included. It is hoped that standards | ||||
organizations whose work is not represented in this version of the | ||||
Roadmap will provide information to ITU-T about their work so that it | ||||
may be included in future editions. | ||||
Recovery Best Practices - Recommendations Published 14-Mar-03 | In May 2007, Part 2 of the Roadmap was converted to a searchable | |||
database format that allows direct links to the information of | ||||
participating standards organizations. The database format will | ||||
allow each participating organization to manage its own data within | ||||
the Roadmap. This will enable more timely updating of the | ||||
information and will also reduce the overhead in maintaining the | ||||
information. | ||||
Best Practice Appendices - Recommendations Published 14-Mar-03 | http://www.itu.int/ITU-T/security/main_table.aspx | |||
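Review bot: two stale or borrowed phrases in the new ICT Security Standards Roadmap text: "Part 5 is a recent addition to the Roadmap (May 2007)" is not recent for a March 2011 draft, and "contributed by our community of members" / "This section will be based on contributions from the security community" are written in ITU-T's own voice rather than this document's. Either mark the passage as quoted from the Roadmap page or rephrase it in the third person, and drop "recent". The closing URL http://www.itu.int/ITU-T/security/main_table.aspx stands alone after the database paragraph; attach it to the "searchable database" sentence so readers know what it points to.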
5.24. OASIS Security Joint Committee | 5.11. NRIC VII Focus Groups | |||
http://www.oasis-open.org/committees/ | http://www.nric.org/fg/index.html | |||
tc_home.php?wg_abbrev=security-jc | ||||
The purpose of the Security JC is to coordinate the technical | By December 16, 2005, the Council shall present a final report that | |||
activities of multiple security related TCs. The SJC is advisory | describes, in detail, any additions, deletions, or modifications that | |||
only, and has no deliverables. The Security JC will promote the use | should be made to the Homeland Security Best Practices that were | |||
of consistent terms, promote re-use, champion an OASIS security | adopted by the preceding Council. | |||
standards model, provide consistent PR, and promote mutuality, | ||||
operational independence and ethics. | ||||
5.25. OASIS Security Services (SAML) TC | Documents in Focus Group 2: Homeland Security, Subcommittee 2.B: | |||
Cyber Security: | ||||
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security | Focus Group 2B Report - Homeland Security Cyber Security Best | |||
Practices Published 06-Dec-2004 | ||||
The Security Services TC is working to advance the Security Assertion | Focus Group 2B Report Appendices Published 06-Dec-2004 | |||
Markup Language (SAML) as an OASIS standard. SAML is an XML | ||||
framework for exchanging authentication and authorization | ||||
information. | ||||
5.26. OIF Implementation Agreements | Focus Group 2B Final Report - Summary of Activities, Guidance and | |||
Cybersecurity Issues Published 16-Dec-2005 | ||||
The OIF has 2 approved Implementation Agreements (IAs) relating to | Focus Group 2B Final Best Practices Published 16-Dec-2005 | |||
security. They are: | ||||
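Review bot: "By December 16, 2005, the Council shall present a final report ..." is charter language in the future tense for a date more than five years before this draft; it reads as if the report is still pending, although the document list under it shows the Final Report and Final Best Practices published 16-Dec-2005. Rephrase in the past tense or present it explicitly as a quotation from the NRIC VII charter.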
OIF-SMI-01.0 - Security Management Interfaces to Network Elements | 5.12. OASIS Security Technical Committees | |||
This Implementation Agreement lists objectives for securing OAM&P | Many Technical Committees have produced standards. | |||
interfaces to a Network Element and then specifies ways of using | ||||
security systems (e.g., IPsec or TLS) for securing these interfaces. | ||||
It summarizes how well each of the systems, used as specified, | ||||
satisfies the objectives. | ||||
OIF - SEP - 01.1 - Security Extension for UNI and NNI | http://www.oasis-open.org/committees/tc_cat.php?cat=security | |||
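Review bot: the replacement OASIS section reduces the content to "Many Technical Committees have produced standards." plus a category link, and the -15 descriptions of the Security Joint Committee and the Security Services (SAML) TC are gone. Since SAML is the OASIS security standard most readers of an operational-security survey will be looking for, keep at least the one-sentence SAML description ("an XML framework for exchanging authentication and authorization information") together with its TC link.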
This Implementation Agreement defines a common Security Extension for | 5.13. OIF Implementation Agreements | |||
securing the protocols used in UNI 1.0, UNI 2.0, and NNI. | ||||
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf | The OIF has 3 approved, and in-force Implementation Agreements (IAs) | |||
relating to security. They are: | ||||
5.27. TIA | OIF-SEP-03.0 - Security Extension for UNI and E-NNI 2.0 (Nov 2010) | |||
http://www.oiforum.com/public/documents/OIF-SEP-03.0.pdf | ||||
The TIA has produced the "Compendium of Emergency Communications and | OIF-SMI-01.0 - Security for Management Interfaces to Network Elements | |||
Communications Network Security-related Work Activities". This | (September 2003) | |||
document identifies standards, or other technical documents and | http://www.oiforum.com/public/documents/SecurityMgmt-IA.pdf | |||
ongoing Emergency/Public Safety Communications and Communications | ||||
Network Security-related work activities within TIA and it's | ||||
Engineering Committees. Many P25 documents are specifically | ||||
detailed. This "living document" is presented for information, | ||||
coordination and reference. | ||||
Documents: http://www.tiaonline.org/standards/technology/ciphs/ | OIF-SMI-02.1 - Addendum to the Security for Management Interfaces to | |||
documents/EMTEL_sec.pdf | Network Elements (March 2006) | |||
http://www.oiforum.com/public/documents/OIF-SMI-02_1.pdf | ||||
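Review bot: "The OIF has 3 approved, and in-force Implementation Agreements (IAs)" has a misplaced comma; write "three approved and in-force Implementation Agreements (IAs)". Since OIF-SMI-02.1 is an addendum to OIF-SMI-01.0, a short phrase saying the two are to be read together would help readers who pick up only one of the PDFs.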
5.28. WS-I Basic Security Profile | 5.14. TIA - Critical Infrastructure Protection (CIP) and Homeland | |||
Security (HS) | ||||
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html | This TIA webpage identifies and links to many standards, other | |||
technical documents and ongoing activity involving or supporting | ||||
TIA's role in Public Safety and Homeland Security, Network Security, | ||||
Critical Infrastructure Protection and Assurance, National Security/ | ||||
Emergency Preparedness, Emergency Communications Services, Emergency | ||||
Calling and Location Identification Services, and the Needs of First | ||||
Responders. | ||||
The WS-I Basic Security Profile 1.0 consists of a set of non- | http://www.tiaonline.org/standards/technology/ciphs/ | |||
proprietary Web services specifications, along with clarifications | ||||
and amendments to those specifications which promote | ||||
interoperability. | ||||
5.29. NIST Special Publications (800 Series) | 5.15. NIST Special Publications (800 Series) | |||
http://csrc.nist.gov/publications/PubsSPs.html | http://csrc.nist.gov/publications/PubsSPs.html | |||
Special Publications in the 800 series present documents of general | Special Publications in the 800 series present documents of general | |||
interest to the computer security community. The Special Publication | interest to the computer security community. The Special Publication | |||
800 series was established in 1990 to provide a separate identity for | 800 series was established in 1990 to provide a separate identity for | |||
information technology security publications. This Special | information technology security publications. This Special | |||
Publication 800 series reports on ITL's research, guidelines, and | Publication 800 series reports on ITL's research, guidelines, and | |||
outreach efforts in computer security, and its collaborative | outreach efforts in computer security, and its collaborative | |||
activities with industry, government, and academic organizations. | activities with industry, government, and academic organizations. | |||
5.30. NIST Interagency or Internal Reports (NISTIRs) | 5.16. NIST Interagency or Internal Reports (NISTIRs) | |||
http://csrc.nist.gov/publications/PubsNISTIRs.html | http://csrc.nist.gov/publications/PubsNISTIRs.html | |||
NIST Interagency or Internal Reports (NISTIRs) describe research of a | NIST Interagency or Internal Reports (NISTIRs) describe research of a | |||
technical nature of interest to a specialized audience. The series | technical nature of interest to a specialized audience. The series | |||
includes interim or final reports on work performed by NIST for | includes interim or final reports on work performed by NIST for | |||
outside sponsors (both government and nongovernment). NISTIRs may | outside sponsors (both government and nongovernment). NISTIRs may | |||
also report results of NIST projects of transitory or limited | also report results of NIST projects of transitory or limited | |||
interest, including those that will be published subsequently in more | interest, including those that will be published subsequently in more | |||
comprehensive form. | comprehensive form. | |||
5.31. NIST ITL Security Bulletins | 5.17. NIST ITL Security Bulletins | |||
http://csrc.nist.gov/publications/PubsITLSB.html | http://csrc.nist.gov/publications/PubsITLSB.html | |||
ITL Bulletins are published by NIST's Information Technology | ITL Bulletins are published by NIST's Information Technology | |||
Laboratory, with most bulletins written by the Computer Security | Laboratory, with most bulletins written by the Computer Security | |||
Division. These bulletins are published on the average of six times | Division. These bulletins are published on the average of six times | |||
a year. Each bulletin presents an in-depth discussion of a single | a year. Each bulletin presents an in-depth discussion of a single | |||
topic of significant interest to the information systems community. | topic of significant interest to the information systems community. | |||
Not all of ITL Bulletins that are published relate to computer / | Not all of ITL Bulletins that are published relate to computer / | |||
network security. Only the computer security ITL Bulletins are found | network security. Only the computer security ITL Bulletins are found | |||
here. | here. | |||
5.32. SANS Information Security Reading Room | 5.18. SANS Information Security Reading Room | |||
http://www.sans.org/reading_room/ | http://www.sans.org/reading_room/ | |||
Featuring over 1,885 original computer security white papers in 75 | Featuring over 1,885 original computer security white papers in 75 | |||
different categories. | different categories. | |||
Most of the computer security white papers in the Reading Room have | Most of the computer security white papers in the Reading Room have | |||
been written by students seeking GIAC certification to fulfill part | been written by students seeking GIAC certification to fulfill part | |||
of their certification requirements and are provided by SANS as a | of their certification requirements and are provided by SANS as a | |||
resource to benefit the security community at large. SANS attempts | resource to benefit the security community at large. SANS attempts | |||
skipping to change at page 44, line 7 | skipping to change at page 42, line 7 | |||
-15 : Fifteenth revision of the WG ID. | -15 : Fifteenth revision of the WG ID. | |||
Updated the date and reviewed the accuracy of Section 4. Several | Updated the date and reviewed the accuracy of Section 4. Several | |||
changes made. | changes made. | |||
Removed WS-I as they have merged with OASIS. | Removed WS-I as they have merged with OASIS. | |||
Added TM Forum. | Added TM Forum. | |||
-16 : Sixteenth revision of the WG ID. | ||||
Updated the date and reviewed the accuracy of Section 5. Several | ||||
changes made. | ||||
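Review bot: the -15 change-log entry "Removed WS-I as they have merged with OASIS" does not match the document: the -15 column still carries section 5.28 WS-I Basic Security Profile, and it is only the -16 revision that actually drops it. The -16 entry ("reviewed the accuracy of Section 5. Several changes made.") should list the sections removed in this revision (WS-I, GMITS, ITU-T M.3016, X.805, SG 16, the ITU-T Catalogue and Security Manual, the NGN effort, the OASIS Security JC and SAML TC, and NRIC VI replaced by NRIC VII) so reviewers can check each deletion instead of diffing the whole section.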
Note: This section will be removed before publication as an RFC. | Note: This section will be removed before publication as an RFC. | |||
Authors' Addresses | Authors' Addresses | |||
Chris Lonvick | Chris Lonvick | |||
Cisco Systems | Cisco Systems | |||
12515 Research Blvd. | 12515 Research Blvd. | |||
Austin, Texas 78759 | Austin, Texas 78759 | |||
US | US | |||
End of changes. 117 change blocks. | ||||
450 lines changed or deleted | 308 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |