idnits 2.17.1 

draft-ietf-opsec-efforts-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 1309.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1320.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1327.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1333.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 6, 2008) is 5802 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                         C. Lonvick
3	Internet-Draft                                                   D. Spak
4	Expires: December 8, 2008                                  Cisco Systems
5	                                                            June 6, 2008

7	             Security Best Practices Efforts and Documents
8	                    draft-ietf-opsec-efforts-08.txt

10	Status of this Memo

12	   By submitting this Internet-Draft, each author represents that any
13	   applicable patent or other IPR claims of which he or she is aware
14	   have been or will be disclosed, and any of which he or she becomes
15	   aware will be disclosed, in accordance with Section 6 of BCP 79.

17	   Internet-Drafts are working documents of the Internet Engineering
18	   Task Force (IETF), its areas, and its working groups.  Note that
19	   other groups may also distribute working documents as Internet-
20	   Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference
25	   material or to cite them other than as "work in progress."

27	   The list of current Internet-Drafts can be accessed at
28	   http://www.ietf.org/ietf/1id-abstracts.txt.

30	   The list of Internet-Draft Shadow Directories can be accessed at
31	   http://www.ietf.org/shadow.html.

33	   This Internet-Draft will expire on December 8, 2008.

35	Copyright Notice

37	   Copyright (C) The IETF Trust (2008).

39	Abstract

41	   This document provides a snapshot of the current efforts to define or
42	   apply security requirements in various Standards Developing
43	   Organizations (SDO).

45	Table of Contents

47	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
48	   2.  Format of this Document  . . . . . . . . . . . . . . . . . . .  7
49	   3.  Online Security Glossaries . . . . . . . . . . . . . . . . . .  8
50	     3.1.  ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . .  8
51	     3.2.  Internet Security Glossary - RFC 4949  . . . . . . . . . .  8
52	     3.3.  Compendium of Approved ITU-T Security Definitions  . . . .  8
53	     3.4.  Microsoft Solutions for Security Glossary  . . . . . . . .  8
54	     3.5.  SANS Glossary of Security Terms  . . . . . . . . . . . . .  9
55	     3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler . . .  9
56	   4.  Standards Developing Organizations . . . . . . . . . . . . . . 10
57	     4.1.  3GPP - Third Generation Partnership Project  . . . . . . . 10
58	     4.2.  3GPP2 - Third Generation Partnership Project 2 . . . . . . 10
59	     4.3.  ANSI - The American National Standards Institute . . . . . 10
60	       4.3.1.  Accredited Standards Committee X9 (ASC X9) . . . . . . 10
61	     4.4.  ATIS - Alliance for Telecommunications Industry
62	           Solutions  . . . . . . . . . . . . . . . . . . . . . . . . 11
63	       4.4.1.  ATIS NIPP - Network Interface, Power, and
64	               Protection Committee, formerly T1E1  . . . . . . . . . 11
65	       4.4.2.  ATIS NPRQ - Network Performance, Reliability, and
66	               Quality of Service Committee, formerly T1A1  . . . . . 11
67	       4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly
68	               regarding T1M1 O&B . . . . . . . . . . . . . . . . . . 11
69	       4.4.4.  ATIS OPTXS - Optical Transport and Synchronization
70	               Committee, formerly T1X1 . . . . . . . . . . . . . . . 12
71	       4.4.5.  ATIS TMOC - Telecom Management and Operations
72	               Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 12
73	       4.4.6.  ATIS WTSC - Wireless Technologies and Systems
74	               Committee, formerly T1P1 . . . . . . . . . . . . . . . 12
75	       4.4.7.  ATIS PTSC - Packet Technologies and Systems
76	               Committee, formerly T1S1 . . . . . . . . . . . . . . . 12
77	       4.4.8.  ATIS Protocol Interworking Committee, regarding
78	               T1S1 . . . . . . . . . . . . . . . . . . . . . . . . . 13
79	     4.5.  CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13
80	     4.6.  DMTF - Distributed Management Task Force, Inc. . . . . . . 13
81	     4.7.  ETSI - The European Telecommunications Standard
82	           Institute  . . . . . . . . . . . . . . . . . . . . . . . . 13
83	     4.8.  GGF - Global Grid Forum  . . . . . . . . . . . . . . . . . 13
84	     4.9.  IEEE - The Institute of Electrical and Electronics
85	           Engineers, Inc.  . . . . . . . . . . . . . . . . . . . . . 14

87	     4.10. IETF - The Internet Engineering Task Force . . . . . . . . 14
88	     4.11. INCITS - InterNational Committee for Information
89	           Technology Standards . . . . . . . . . . . . . . . . . . . 14
90	       4.11.1. INCITS Technical Committee T11 - Fibre Channel
91	               Interfaces . . . . . . . . . . . . . . . . . . . . . . 14
92	     4.12. ISO - The International Organization for
93	           Standardization  . . . . . . . . . . . . . . . . . . . . . 14
94	     4.13. ITU - International Telecommunication Union  . . . . . . . 15
95	       4.13.1. ITU Telecommunication Standardization Sector -
96	               ITU-T  . . . . . . . . . . . . . . . . . . . . . . . . 15
97	       4.13.2. ITU Radiocommunication Sector - ITU-R  . . . . . . . . 15
98	       4.13.3. ITU Telecom Development - ITU-D  . . . . . . . . . . . 15
99	     4.14. OASIS -  Organization for the Advancement of
100	           Structured Information Standards . . . . . . . . . . . . . 15
101	     4.15. OIF - Optical Internetworking Forum  . . . . . . . . . . . 16
102	     4.16. NRIC - The Network Reliability and Interoperability
103	           Council  . . . . . . . . . . . . . . . . . . . . . . . . . 16
104	     4.17. National Security Telecommunications Advisory
105	           Committee (NSTAC)  . . . . . . . . . . . . . . . . . . . . 16
106	     4.18. TIA - The Telecommunications Industry Association  . . . . 16
107	     4.19. TTA - Telecommunications Technology Association  . . . . . 17
108	     4.20. The World Wide Web Consortium  . . . . . . . . . . . . . . 17
109	     4.21. Web Services Interoperability Organization (WS-I)  . . . . 17
110	   5.  Security Best Practices Efforts and Documents  . . . . . . . . 18
111	     5.1.  3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 18
112	     5.2.  3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 18
113	     5.3.  American National Standard T1.276-2003 - Baseline
114	           Security Requirements for the Management Plane . . . . . . 18
115	     5.4.  DMTF - Security Protection and Management (SPAM)
116	           Working Group  . . . . . . . . . . . . . . . . . . . . . . 19
117	     5.5.  DMTF - User and Security Working Group . . . . . . . . . . 19
118	     5.6.  ATIS Work-Plan to Achieve Interoperable,
119	           Implementable, End-To-End Standards and Solutions  . . . . 19
120	       5.6.1.  ATIS Work on Packet Filtering  . . . . . . . . . . . . 19
121	     5.7.  ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 20
122	     5.8.  Common Criteria  . . . . . . . . . . . . . . . . . . . . . 20
123	     5.9.  ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
124	     5.10. GGF Security Area (SEC)  . . . . . . . . . . . . . . . . . 21
125	     5.11. Information System Security Assurance Architecture . . . . 21
126	     5.12. Operational Security Requirements for IP Network
127	           Infrastructure : Advanced Requirements . . . . . . . . . . 21
128	     5.13. INCITS CS1 - Cyber Security  . . . . . . . . . . . . . . . 22
129	     5.14. ISO Guidelines for the Management of IT Security -
130	           GMITS  . . . . . . . . . . . . . . . . . . . . . . . . . . 22
131	     5.15. ISO JTC 1/SC 27  . . . . . . . . . . . . . . . . . . . . . 23
132	     5.16. ITU-T Study Group 2  . . . . . . . . . . . . . . . . . . . 23
133	     5.17. ITU-T Recommendation M.3016  . . . . . . . . . . . . . . . 24
134	     5.18. ITU-T  Recommendation X.805  . . . . . . . . . . . . . . . 24
135	     5.19. ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . . 24
136	     5.20. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 25
137	     5.21. Catalogue of ITU-T Recommendations related to
138	           Communications System Security . . . . . . . . . . . . . . 25
139	     5.22. ITU-T Security Manual  . . . . . . . . . . . . . . . . . . 25
140	     5.23. ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . . 26
141	     5.24. NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . . 26
142	     5.25. OASIS Security Joint Committee . . . . . . . . . . . . . . 26
143	     5.26. OASIS Security Services (SAML) TC  . . . . . . . . . . . . 27
144	     5.27. OIF Implementation Agreements  . . . . . . . . . . . . . . 27
145	     5.28. TIA  . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
146	     5.29. WS-I Basic Security Profile  . . . . . . . . . . . . . . . 28
147	   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 29
148	   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 30
149	   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 31
150	   9.  Changes from Prior Drafts  . . . . . . . . . . . . . . . . . . 32
151	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
152	   Intellectual Property and Copyright Statements . . . . . . . . . . 36

154	1.  Introduction

156	   The Internet is being recognized as a critical infrastructure similar
157	   in nature to the power grid and a potable water supply.  Just like
158	   those infrastructures, means are needed to provide resiliency and
159	   adaptability to the Internet so that it remains consistently
160	   available to the public throughout the world even during times of
161	   duress or attack.  For this reason, many SDOs are developing
162	   standards with hopes of retaining an acceptable level, or even
163	   improving this availability, to its users.  These SDO efforts usually
164	   define themselves as "security" efforts.  It is the opinion of the
165	   authors that there are many different definitions of the term
166	   "security" and it may be applied in many diverse ways.  As such, we
167	   offer no assurance that the term is applied consistently throughout
168	   this document.

170	   Many of these SDOs have diverse charters and goals and will take
171	   entirely different directions in their efforts to provide standards.
172	   However, even with that, there will be overlaps in their produced
173	   works.  If there are overlaps then there is a potential for conflicts
174	   and confusion.  This may result in:

176	      Vendors of networking equipment who are unsure of which standard
177	      to follow.

179	      Purchasers of networking equipment who are unsure of which
180	      standard will best apply to the needs of their business or
181	      ogranization.

183	      Network Administrators and Operators unsure of which standard to
184	      follow to attain the best security for their network.

186	   For these reasons, the authors wish to encourage all SDOs who have an
187	   interest in producing or in consuming standards relating to good
188	   security practices to be consistent in their approach and their
189	   recommendations.  In many cases, the authors are aware that the SDOs
190	   are making good efforts along these lines.  However, the authors do
191	   not participate in all SDO efforts and cannot know everything that is
192	   happening.

194	   The OpSec Working Group met at the 61st IETF and agreed that this
195	   document could be a useful reference in producing the documents
196	   described in the Working Group Charter.  The authors have agreed to
197	   keep this document current and request that those who read it will
198	   submit corrections or comments.

200	   Comments on this document may be addressed to the OpSec Working Group
201	   or directly to the authors.

203	      opsec@ops.ietf.org

205	2.  Format of this Document

207	   The body of this document has three sections.

209	   The first part of the body of this document, Section 3, contains a
210	   listing of online glossaries relating to networking and security.  It
211	   is very important that the definitions of words relating to security
212	   and security events be consistent.  Inconsistencies between the
213	   useage of words on standards is unacceptable as it would prevent a
214	   reader of two standards to appropriately relate their
215	   recommendations.  The authors of this document have not reviewed the
216	   definitions of the words in the listed glossaries so can offer no
217	   assurance of their alignment.

219	   The second part, Section 4, contains a listing of SDOs that appear to
220	   be working on security standards.

222	   The third part, Section 5, lists the documents which have been found
223	   to offer good practices or recommendations for securing networks and
224	   networking devices.

226	3.  Online Security Glossaries

228	   This section contains references to glossaries of network and
229	   computer security terms

231	3.1.  ATIS Telecom Glossary 2000

233	   http://www.atis.org/tg2k/

235	   Under an approved T1 standards project (T1A1-20), an existing 5800-
236	   entry, search-enabled hypertext telecommunications glossary titled
237	   Federal Standard 1037C, Glossary of Telecommunication Terms was
238	   updated and matured into this glossary, T1.523-2001, Telecom Glossary
239	   2000.  This updated glossary was posted on the Web as an American
240	   National Standard (ANS).

242	3.2.  Internet Security Glossary - RFC 4949

244	   http://www.ietf.org/rfc/rfc4949.txt

246	   This document was originally created as RFC 2828 in May 2000.  It was
247	   revised as RFC 4949 and the document defines itself to be, "an
248	   internally consistent, complementary set of abbreviations,
249	   definitions, explanations, and recommendations for use of terminology
250	   related to information system security."

252	3.3.  Compendium of Approved ITU-T Security Definitions

254	   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

256	   Addendum to the Compendium of the Approved ITU-T Security-related
257	   Definitions
258	   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

260	   These extensive materials were created from approved ITU-T
261	   Recommendations with a view toward establishing a common
262	   understanding and use of security terms within ITU-T.

264	3.4.  Microsoft Solutions for Security Glossary

266	   http://www.microsoft.com/security/glossary.mspx

268	   The Microsoft Solutions for Security Glossary was created to explain
269	   the concepts, technologies, and products associated with computer
270	   security.  This glossary contains several definitions specific to
271	   Microsoft proprietary technologies and product solutions.

273	3.5.  SANS Glossary of Security Terms

275	   http://www.sans.org/resources/glossary.php

277	   The SANS Institute (SysAdmin, Audit, Network, Security) was created
278	   in 1989 as, "a cooperative research and education organization."
279	   Updated in May 2003, SANS cites the NSA for their help in creating
280	   the online glossary of security terms.  The SANS Institute is also
281	   home to many other resources including the SANS Intrusion Detection
282	   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

284	3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

286	   http://www.garlic.com/~lynn/secure.htm

288	   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
289	   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
290	   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/
291	   SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53,
292	   800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA
293	   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
294	   RFC2647, RFC2828, TCSEC, TDI, and TNI.

296	4.  Standards Developing Organizations

298	   This section of this document lists the SDOs, or organizations that
299	   appear to be developing security related standards.  These SDOs are
300	   listed in alphabetical order.

302	   Note: The authors would appreciate corrections and additions.  This
303	   note will be removed before publication as an RFC.

305	4.1.  3GPP - Third Generation Partnership Project

307	   http://www.3gpp.org/

309	   The 3rd Generation Partnership Project (3GPP) is a collaboration
310	   agreement formed in December 1998.  The collaboration agreement is
311	   comprised of several telecommunications standards bodies which are
312	   known as "Organizational Partners".  The current Organizational
313	   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

315	4.2.  3GPP2 - Third Generation Partnership Project 2

317	   http://www.3gpp2.org/

319	   Third Generation Partnership Project 2 (3GPP2) is a collaboration
320	   among Organizational Partners much like its sister project 3GPP.  The
321	   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
322	   CCSA, TIA, TTA, and TTC.  In addition to the OPs, 3GPP2 also welcomes
323	   the CDMA Development Group and IPv6 Forum as Market Representation
324	   Partners for market advice.

326	4.3.  ANSI - The American National Standards Institute

328	   http://www.ansi.org/

330	   ANSI is a private, non-profit organization that organizes and
331	   oversees the U.S. voluntary standardization and conformity assessment
332	   system.  ANSI was founded October 19, 1918.

334	4.3.1.  Accredited Standards Committee X9 (ASC X9)

336	   http://www.x9.org/

338	   The Accredited Standards Committee X9 (ASC X9) has the mission to
339	   develop, establish, maintain, and promote standards for the Financial
340	   Services Industry in order to facilitate delivery of financial
341	   services and products.

343	4.4.  ATIS - Alliance for Telecommunications Industry Solutions

345	   http://www.atis.org/

347	   ATIS is a United States based body that is committed to rapidly
348	   developing and promoting technical and operations standards for the
349	   communications and related information technologies industry
350	   worldwide using pragmatic, flexible and open approach.  Committee T1
351	   as a group no longer exists as a result of the recent ATIS
352	   reorganization on January 1, 2004.  ATIS has restructured the former
353	   T1 technical subcommittees into full ATIS standards committees to
354	   easily identify and promote the nature of standards work each
355	   committee performs.  Due to the reorganization, some groups may have
356	   a new mission and scope statement.

358	4.4.1.  ATIS NIPP - Network Interface, Power, and Protection Committee,
359	        formerly T1E1

361	   http://www.atis.org/0050/index.asp

363	   ATIS Network Interface, Power, and Protection Committee develops and
364	   recommends standards and technical reports related to power systems,
365	   electrical and physical protection for the exchange and interexchange
366	   carrier networks, and interfaces associated with user access to
367	   telecommunications networks.

369	4.4.2.  ATIS NPRQ - Network Performance, Reliability, and Quality of
370	        Service Committee, formerly T1A1

372	   http://www.atis.org/0010/index.asp

374	   ATIS Network Performance, Reliability and Quality of Service
375	   Committee develops and recommends standards, requirements, and
376	   technical reports related to the performance, reliability, and
377	   associated security aspects of communications networks, as well as
378	   the processing of voice, audio, data, image, and video signals, and
379	   their multimedia integration.

381	4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1
382	        O&B

384	   http://www.atis.org/obf/index.asp

386	   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
387	   Billing Forum.

389	   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
390	   for customers and providers in the telecommunications industry to
391	   identify, discuss and resolve national issues which affect ordering,
392	   billing, provisioning and exchange of information about access
393	   services, other connectivity and related matters.

395	4.4.4.  ATIS OPTXS - Optical Transport and Synchronization Committee,
396	        formerly T1X1

398	   http://www.atis.org/0240/index.asp

400	   ATIS Optical Transport and Synchronization Committee develops and
401	   recommends standards and prepares technical reports related to
402	   telecommunications network technology pertaining to network
403	   synchronization interfaces and hierarchical structures including
404	   optical technology.

406	4.4.5.  ATIS TMOC - Telecom Management and Operations Committee,
407	        formerly T1M1 OAM&P

409	   http://www.atis.org/0130/index.asp

411	   ATIS Telecom Management and Operations Committee develops
412	   internetwork operations, administration, maintenance and provisioning
413	   standards, and technical reports related to interfaces for
414	   telecommunications networks.

416	4.4.6.  ATIS WTSC - Wireless Technologies and Systems Committee,
417	        formerly T1P1

419	   http://www.atis.org/0160/index.asp

421	   ATIS Wireless Technologies and Systems Committee develops and
422	   recommends standards and technical reports related to wireless and/or
423	   mobile services and systems, including service descriptions and
424	   wireless technologies.

426	4.4.7.  ATIS PTSC - Packet Technologies and Systems Committee, formerly
427	        T1S1

429	   http://www.atis.org/0191/index.asp

431	   T1S1 was split into two separate ATIS committees: the ATIS Packet
432	   Technologies and Systems Committee and the ATIS Protocol Interworking
433	   Committee.  PTSC is responsible for producing standards to secure
434	   signalling.

436	   The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
437	   at this time.  It is expected to move to an ANSI standard.

439	4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1

441	   T1S1 was split into two separate ATIS committees: the ATIS Packet
442	   Technologies and Systems Committee and the ATIS Protocol Interworking
443	   Committee.  As a result of the reorganization of T1S1, these groups
444	   will also probably have a new mission and scope.

446	4.5.  CC - Common Criteria

448	   http://www.commoncriteriaportal.org/

450	   In June 1993, the sponsoring organizations of the existing US,
451	   Canadian, and European criterias (TCSEC, ITSEC, and similar) started
452	   the Common Criteria Project to align their separate criteria into a
453	   single set of IT security criteria.

455	4.6.  DMTF - Distributed Management Task Force, Inc.

457	   http://www.dmtf.org/

459	   Founded in 1992, the DMTF brings the technology industry's customers
460	   and top vendors together in a collaborative, working group approach
461	   that involves DMTF members in all aspects of specification
462	   development and refinement.

464	4.7.  ETSI - The European Telecommunications Standard Institute

466	   http://www.etsi.org/

468	   ETSI is an independent, non-profit organization which produces
469	   telecommunications standards.  ETSI is based in Sophia-Antipolis in
470	   the south of France and maintains a membership from 55 countries.

472	   Joint work between ETSI and ITU-T SG-17

474	   http://www.tta.or.kr/gsc/upload/
475	   GSC9_Joint_011_Security_Standardization_in_ITU.ppt

477	4.8.  GGF - Global Grid Forum

479	   http://www.gridforum.org/

481	   The Global Grid Forum (GGF) is a community-initiated forum of
482	   thousands of individuals from industry and research leading the
483	   global standardization effort for grid computing.  GGF's primary
484	   objectives are to promote and support the development, deployment,
485	   and implementation of grid technologies and applications via the
486	   creation and documentation of "best practices" - technical
487	   specifications, user experiences, and implementation guidelines.

489	4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

491	   http://www.ieee.org/

493	   IEEE is a non-profit, professional association of more than 360,000
494	   individual members in approximately 175 countries.  The IEEE produces
495	   30 percent of the world's published literature in electrical
496	   engineering, computers, and control technology through its technical
497	   publishing, conferences, and consensus-based standards activities.

499	4.10.  IETF - The Internet Engineering Task Force

501	   http://www.ietf.org/

503	   IETF is a large, international community open to any interested
504	   individual concerned with the evolution of the Internet architecture
505	   and the smooth operation of the Internet.

507	4.11.  INCITS - InterNational Committee for Information Technology
508	       Standards

510	   http://www.incits.org/

512	   INCITS focuses upon standardization in the field of Information and
513	   Communications Technologies (ICT), encompassing storage, processing,
514	   transfer, display, management, organization, and retrieval of
515	   information.

517	4.11.1.  INCITS Technical Committee T11 - Fibre Channel Interfaces

519	   http://www.t11.org/index.htm

521	   T11 is responsible for standards development in the areas of
522	   Intelligent Peripheral Interface (IPI), High-Performance Parallel
523	   Interface (HIPPI) and Fibre Channel (FC).  T11 has a project called
524	   FC-SP to define Security Protocols for Fibre Channel.

526	   FC-SP Project Proposal:
527	   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

529	4.12.  ISO - The International Organization for Standardization

531	   http://www.iso.org/

533	   ISO is a network of the national standards institutes of 148
534	   countries, on the basis of one member per country, with a Central
535	   Secretariat in Geneva, Switzerland, that coordinates the system.  ISO
536	   officially began operations on February 23, 1947.

538	4.13.  ITU - International Telecommunication Union

540	   http://www.itu.int/

542	   The ITU is an international organization within the United Nations
543	   System headquartered in Geneva, Switzerland.  The ITU is comprised of
544	   three sectors:

546	4.13.1.  ITU Telecommunication Standardization Sector - ITU-T

548	   http://www.itu.int/ITU-T/

550	   ITU-T's mission is to ensure an efficient and on-time production of
551	   high quality standards covering all fields of telecommunications.

553	4.13.2.  ITU Radiocommunication Sector - ITU-R

555	   http://www.itu.int/ITU-R/

557	   The ITU-R plays a vital role in the management of the radio-frequency
558	   spectrum and satellite orbits.

560	4.13.3.  ITU Telecom Development - ITU-D

562	   (also referred as ITU Telecommunication Development Bureau - BDT)

564	   http://www.itu.int/ITU-D/

566	   The Telecommunication Development Bureau (BDT) is the executive arm
567	   of the Telecommunication Development Sector.  Its duties and
568	   responsibilities cover a variety of functions ranging from programme
569	   supervision and technical advice to the collection, processing and
570	   publication of information relevant to telecommunication development.

572	4.14.  OASIS -  Organization for the Advancement of Structured
573	       Information Standards

575	   http://www.oasis-open.org/

577	   OASIS is a not-for-profit, international consortium that drives the
578	   development, convergence, and adoption of e-business standards.

580	4.15.  OIF - Optical Internetworking Forum

582	   http://www.oiforum.com/

584	   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
585	   industry-wide initiative to create the Optical Internetworking Forum,
586	   an open forum focused on accelerating the deployment of optical
587	   internetworks.

589	4.16.  NRIC - The Network Reliability and Interoperability Council

591	   http://www.nric.org/

593	   The purposes of the Committee are to give telecommunications industry
594	   leaders the opportunity to provide recommendations to the FCC and to
595	   the industry that assure optimal reliability and interoperability of
596	   telecommunications networks.  The Committee addresses topics in the
597	   area of Homeland Security, reliability, interoperability, and
598	   broadband deployment.

600	4.17.  National Security Telecommunications Advisory Committee (NSTAC)

602	   http://www.ncs.gov/nstac/nstac.html

604	   President Ronald Reagan created the National Security
605	   Telecommunications Advisory Committee (NSTAC) by Executive Order
606	   12382 in September 1982.  Since then, the NSTAC has served four
607	   presidents.  Composed of up to 30 industry chief executives
608	   representing the major communications and network service providers
609	   and information technology, finance, and aerospace companies, the
610	   NSTAC provides industry-based advice and expertise to the President
611	   on issues and problems related to implementing national security and
612	   emergency preparedness (NS/EP) communications policy.  Since its
613	   inception, the NSTAC has addressed a wide range of policy and
614	   technical issues regarding communications, information systems,
615	   information assurance, critical infrastructure protection, and other
616	   NS/EP communications concerns.

618	4.18.  TIA - The Telecommunications Industry Association

620	   http://www.tiaonline.org/

622	   TIA is accredited by ANSI to develop voluntary industry standards for
623	   a wide variety of telecommunications products.  TIA's Standards and
624	   Technology Department is composed of five divisions: Fiber Optics,
625	   User Premises Equipment, Network Equipment, Wireless Communications
626	   and Satellite Communications.

628	4.19.  TTA - Telecommunications Technology Association

630	   http://www.tta.or.kr/Home2003/main/index.jsp
631	   http://www.tta.or.kr/English/new/main/index.htm (English)

633	   TTA (Telecommunications Technology Association) is a IT standards
634	   organization that develops new standards and provides one-stop
635	   services for the establishment of IT standards as well as providing
636	   testing and certification for IT products.

638	4.20.  The World Wide Web Consortium

640	   http://www.w3.org/Consortium/

642	   The World Wide Web Consortium (W3C) is an international consortium
643	   where Member organizations, a full-time staff, and the public work
644	   together to develop Web standards.  W3C's mission is: To lead the
645	   World Wide Web to its full potential by developing protocols and
646	   guidelines that ensure long-term growth for the Web.

648	   The security work within the W3C

650	   http://www.w3.org/Security/Activity

652	4.21.  Web Services Interoperability Organization (WS-I)

654	   http://www.ws-i.org/

656	   WS-I is an open, industry organization chartered to promote Web
657	   services interoperability across platforms, operating systems, and
658	   programming languages.  The organization works across the industry
659	   and standards organizations to respond to customer needs by providing
660	   guidance, best practices, and resources for developing Web services
661	   solutions.

663	5.  Security Best Practices Efforts and Documents

665	   This section lists the works produced by the SDOs.

667	5.1.  3GPP - TSG SA WG3 (Security)

669	   http://www.3gpp.org/TB/SA/SA3/SA3.htm

671	   TSG SA WG3 Security is responsible for the security of the 3GPP
672	   system, performing analyses of potential security threats to the
673	   system, considering the new threats introduced by the IP based
674	   services and systems and setting the security requirements for the
675	   overall 3GPP system.

677	   Specifications:
678	   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

680	   Work Items:
681	   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

683	   3GPP Confidentiality and Integrity algorithms:
684	   http://www.3gpp.org/TB/Other/algorithms.htm

686	5.2.  3GPP2 - TSG-S Working Group 4 (Security)

688	   http://www.3gpp2.org/Public_html/S/index.cfm

690	   The Services and Systems Aspects TSG (TSG-S) is responsible for the
691	   development of service capability requirements for systems based on
692	   3GPP2 specifications.  Among its responsibilities TSG-S is addressing
693	   management, technical coordination, as well as architectural and
694	   requirements development associated with all end-to-end features,
695	   services and system capabilities including, but not limited to,
696	   security and QoS.

698	   TSG-S Specifications:
699	   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

701	5.3.  American National Standard T1.276-2003 - Baseline Security
702	      Requirements for the Management Plane

704	   Abstract: This standard contains a set of baseline security
705	   requirements for the management plane.  The President's National
706	   Security Telecommunications Advisory Committee Network Security
707	   Information Exchange (NSIE) and Government NSIE jointly established a
708	   Security Requirements Working Group (SRWG) to examine the security
709	   requirements for controlling access to the public switched network,
710	   in particular with respect to the emerging next generation network.

712	   In the telecommunications industry, this access incorporates
713	   operation, administration, maintenance, and provisioning for network
714	   elements and various supporting systems and databases.  Members of
715	   the SRWG, from a cross-section of telecommunications carriers and
716	   vendors, developed an initial list of security requirements that
717	   would allow vendors, government departments and agencies, and service
718	   providers to implement a secure telecommunications network management
719	   infrastructure.  This initial list of security requirements was
720	   submitted as a contribution to Committee T1 - Telecommunications,
721	   Working Group T1M1.5 for consideration as a standard.  The
722	   requirements outlined in this document will allow vendors, government
723	   departments and agencies, and service providers to implement a secure
724	   telecommunications network management infrastructure.

726	   Documents:
727	   http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

729	5.4.  DMTF - Security Protection and Management (SPAM) Working Group

731	   http://www.dmtf.org/about/committees/spamWGCharter.pdf

733	   The Working Group will define a CIM Common Model that addresses
734	   security protection and detection technologies, which may include
735	   devices and services, and classifies security information, attacks,
736	   and responses.

738	5.5.  DMTF - User and Security Working Group

740	   http://www.dmtf.org/about/committees/userWGCharter.pdf

742	   The User and Security Working Group defines objects and access
743	   methods required for principals - where principals include users,
744	   groups, software agents, systems, and organizations.

746	5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
747	      Standards and Solutions

749	   ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf

751	   The ATIS TOPS Security Focus Group has made recommendations on work
752	   items needed to be performed by other SDOs.

754	5.6.1.  ATIS Work on Packet Filtering

756	   A part of the ATIS Work Plan was to define how disruptions may be
757	   prevented by filtering unwanted traffic at the edges of the network.
758	   ATIS is developing this work in a document titled, "Traffic Filtering
759	   for the Prevention of Unwanted Traffic".

761	5.7.  ATIS Work on the NGN

763	   http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/
764	   Part%20I/ATIS_NGN_Part_1_Issue1.pdf

766	   In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
767	   entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
768	   Definitions, Requirements, and Architecture, Issue 1.0, November
769	   2004."

771	5.8.  Common Criteria

773	   http://www.commoncriteriaportal.org/

775	   Version 1.0 of the CC was completed in January 1996.  Based on a
776	   number of trial evaluations and an extensive public review, Version
777	   1.0 was extensively revised and CC Version 2.0 was produced in April
778	   of 1998.  This became ISO International Standard 15408 in 1999.  The
779	   CC Project subsequently incorporated the minor changes that had
780	   resulted in the ISO process, producing CC version 2.1 in August 1999.
781	   Version 3.0 was published in June 2005 and is available for comment.

783	   The official version of the Common Criteria and of the Common
784	   Evaluation Methodology is v2.3 which was published in August 2005.

786	   All Common Criteria publications contain:

788	      Part 1: Introduction and general model

790	      Part 2: Security functional components

792	      Part 3: Security assurance components

794	   Documents: Common Criteria V2.3
795	   http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

797	5.9.  ETSI

799	   http://www.etsi.org/

801	   The ETSI hosted the ETSI Global Security Conference in late November,
802	   2003, which could lead to a standard.

804	   Groups related to security located from the ETSI Groups Portal:

806	      OCG Security
807	      3GPP SA3

809	      TISPAN WG7

811	5.10.  GGF Security Area (SEC)

813	   https://forge.gridforum.org/projects/sec/

815	   The Security Area (SEC) is concerned with various issues relating to
816	   authentication and authorization in Grid environments.

818	   Working groups:

820	      Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
821	      https://forge.gridforum.org/projects/authz-wg

823	      Certificate Authority Operations Working Group (CAOPS-WG) -
824	      https://forge.gridforum.org/projects/caops-wg

826	      OGSA Authorization Working Group (OGSA-AUTHZ) -
827	      https://forge.gridforum.org/projects/ogsa-authz

829	      Grid Security Infrastructure (GSI-WG) -
830	      https://forge.gridforum.org/projects/gsi-wg

832	5.11.  Information System Security Assurance Architecture

834	   IEEE Working Group - http://issaa.org/

836	   Formerly the Security Certification and Accreditation of Information
837	   Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
838	   Standard for Information System Security Assurance Architecture for
839	   ballot and during the process begin development of a suite of
840	   associated standards for components of that architecture.

842	   Documents: http://issaa.org/documents/index.html

844	5.12.  Operational Security Requirements for IP Network Infrastructure :
845	       Advanced Requirements

847	   IETF RFC 3871

849	   Abstract: This document defines a list of operational security
850	   requirements for the infrastructure of large ISP IP networks (routers
851	   and switches).  A framework is defined for specifying "profiles",
852	   which are collections of requirements applicable to certain network
853	   topology contexts (all, core-only, edge-only...).  The goal is to
854	   provide network operators a clear, concise way of communicating their
855	   security requirements to vendors.

857	   Documents:

859	      ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

861	5.13.  INCITS CS1 - Cyber Security

863	   http://cs1.incits.org/

865	   INCITS/CS1 was established in April 2005 to serve as the US TAG for
866	   ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
867	   (INCITS/T4 serves as the US TAG to SC 27/WG 2).

869	   The scope of CS1 explicitly excludes the areas of work on cyber
870	   security standardization presently underway in INCITS B10, M1 and T3;
871	   as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
872	   X9.  INCITS T4's area of work would be narrowed to cryptography
873	   projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
874	   mechanisms).

876	5.14.  ISO Guidelines for the Management of IT Security - GMITS

878	   Guidelines for the Management of IT Security -- Part 1: Concepts and
879	   models for IT Security

881	   http://www.iso.ch/iso/en/
882	   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

884	   Guidelines for the Management of IT Security -- Part 2: Managing and
885	   planning IT Security

887	   http://www.iso.org/iso/en/
888	   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
889	   ICS3=

891	   Guidelines for the Management of IT Security -- Part 3: Techniques
892	   for the management of IT Security

894	   http://www.iso.org/iso/en/
895	   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
896	   ICS3=

898	   Guidelines for the Management of IT Security -- Part 4: Selection of
899	   safeguards

901	   http://www.iso.org/iso/en/
902	   CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
903	   ICS3=

905	   Guidelines for the Management of IT Security - Part 5: Management
906	   guidance on network security

908	   http://www.iso.org/iso/en/
909	   CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
910	   ICS3=

912	   Open Systems Interconnection -- Network layer security protocol

914	   http://www.iso.org/iso/en/
915	   CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
916	   ICS3=30

918	5.15.  ISO JTC 1/SC 27

920	   http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
921	   TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

923	   Several security related ISO projects under JTC 1/SC 27 are listed
924	   here such as:

926	      IT security techniques -- Entity authentication

928	      Security techniques -- Key management

930	      Security techniques -- Evaluation criteria for IT security

932	      Security techniques -- A framework for IT security assurance

934	      IT Security techniques -- Code of practice for information
935	      security management

937	      Security techniques -- IT network security

939	      Guidelines for the implementation, operation and management of
940	      Intrusion Detection Systems (IDS)

942	      International Security, Trust, and Privacy Alliance -- Privacy
943	      Framework

945	5.16.  ITU-T Study Group 2

947	   http://www.itu.int/ITU-T/studygroups/com02/index.asp

949	   Security related recommendations currently under study:

951	      E.408 Telecommunication networks security requirements Q.5/2 (was
952	      E.sec1)

954	      E.409 Incident Organisation and Security Incident Handling Q.5/2
955	      (was E.sec2)

957	   Note: Access requires TIES account.

959	5.17.  ITU-T Recommendation M.3016

961	   http://www.itu.int/itudoc/itu-t/com4/contr/068.html

963	   This recommendation provides an overview and framework that
964	   identifies the security requirements of a TMN and outlines how
965	   available security services and mechanisms can be applied within the
966	   context of the TMN functional architecture.

968	   Question 18 of Study Group 3 is revising Recommendation M.3016.  They
969	   have taken the original document and are incorporating thoughts from
970	   ITU-T Recommendation X.805 and from ANSI T1.276-2003.  The group has
971	   produced a new series of documents.

973	      M.3016.0 - Overview

975	      M.3016.1 - Requirements

977	      M.3016.2 - Services

979	      M.3016.3 - Mechanisms

981	      M.3016.4 - Profiles

983	5.18.  ITU-T  Recommendation X.805

985	   http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

987	   This Recommendation defines the general security-related
988	   architectural elements that, when appropriately applied, can provide
989	   end-to-end network security.

991	5.19.  ITU-T Study Group 16

993	   http://www.itu.int/ITU-T/studygroups/com16/index.asp

995	   Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

997	   http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

999	5.20.  ITU-T Study Group 17

1001	   http://www.itu.int/ITU-T/studygroups/com17/index.asp

1003	   ITU-T Study Group 17 is the Lead Study Group on Communication System
1004	   Security

1006	   http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

1008	   Study Group 17 Security Project:

1010	   http://www.itu.int/ITU-T/studygroups/com17/security/index.html

1012	   During its November 2002 meeting, Study Group 17 agreed to establish
1013	   a new project entitled "Security Project" under the leadership of
1014	   Q.10/17 to coordinate the ITU-T standardization effort on security.
1015	   An analysis of the status on ITU-T Study Group action on information
1016	   and communication network security may be found in TSB Circular 147
1017	   of 14 February 2003.

1019	5.21.  Catalogue of ITU-T Recommendations related to Communications
1020	       System Security

1022	   http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

1024	   The Catalogue of the approved security Recommendations include those,
1025	   designed for security purposes and those, which describe or use of
1026	   functions of security interest and need.  Although some of the
1027	   security related Recommendations includes the phrase "Open Systems
1028	   Interconnection", much of the information contained in them is
1029	   pertinent to the establishment of security functionality in any
1030	   communicating system.

1032	5.22.  ITU-T Security Manual

1034	   http://www.itu.int/ITU-T/edh/files/security-manual.pdf

1036	   TSB is preparing an "ITU-T Security Manual" to provide an overview on
1037	   security in telecommunications and information technologies, describe
1038	   practical issues, and indicate how the different aspects of security
1039	   in today's applications are addressed by ITU-T Recommendations.  This
1040	   manual has a tutorial character: it collects security related
1041	   material from ITU-T Recommendations into one place and explains the
1042	   respective relationships.  The intended audience for this manual are
1043	   engineers and product managers, students and academia, as well as
1044	   regulators who want to better understand security aspects in
1045	   practical applications.

1047	5.23.  ITU-T NGN Effort

1049	   http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

1051	   During its January 2002 meeting, SG13 decided to undertake the
1052	   preparation of a new ITU-T Project entitled "NGN 2004 Project".  At
1053	   the November 2002 SG13 meeting, a preliminary description of the
1054	   Project was achieved and endorsed by SG13 with the goal to launch the
1055	   Project.  It is regularly updated since then.

1057	   The role of the NGN 2004 Project is to organize and to coordinate
1058	   ITU-T activities on Next Generation Networks.  Its target is to
1059	   produce a first set of Recommendations on NGN by the end of this
1060	   study period, i.e. mid-2004.

1062	5.24.  NRIC VI Focus Groups

1064	   http://www.nric.org/fg/index.html

1066	   The Network Reliability and Interoperability Council (NRIC) was
1067	   formed with the purpose to provide recommendations to the FCC and to
1068	   the industry to assure the reliability and interoperability of
1069	   wireless, wireline, satellite, and cable public telecommunications
1070	   networks.  These documents provide general information and guidance
1071	   on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
1072	   prevention of cyberattack and for restoration following a
1073	   cyberattack.

1075	   Documents:

1077	      Homeland Defense - Recommendations Published 14-Mar-03

1079	      Preventative Best Practices - Recommendations Published 14-Mar-03

1081	      Recovery Best Practices - Recommendations Published 14-Mar-03

1083	      Best Practice Appendices - Recommendations Published 14-Mar-03

1085	5.25.  OASIS Security Joint Committee

1087	   http://www.oasis-open.org/committees/
1088	   tc_home.php?wg_abbrev=security-jc

1090	   The purpose of the Security JC is to coordinate the technical
1091	   activities of multiple security related TCs.  The SJC is advisory
1092	   only, and has no deliverables.  The Security JC will promote the use
1093	   of consistent terms, promote re-use, champion an OASIS security
1094	   standards model, provide consistent PR, and promote mutuality,
1095	   operational independence and ethics.

1097	5.26.  OASIS Security Services (SAML) TC

1099	   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

1101	   The Security Services TC is working to advance the Security Assertion
1102	   Markup Language (SAML) as an OASIS standard.  SAML is an XML
1103	   framework for exchanging authentication and authorization
1104	   information.

1106	5.27.  OIF Implementation Agreements

1108	   The OIF has 2 approved Implementation Agreements (IAs) relating to
1109	   security.  They are:

1111	   OIF-SMI-01.0 - Security Management Interfaces to Network Elements

1113	   This Implementation Agreement lists objectives for securing OAM&P
1114	   interfaces to a Network Element and then specifies ways of using
1115	   security systems (e.g., IPsec or TLS) for securing these interfaces.
1116	   It summarizes how well each of the systems, used as specified,
1117	   satisfies the objectives.

1119	   OIF - SEP - 01.1 - Security Extension for UNI and NNI

1121	   This Implementation Agreement defines a common Security Extension for
1122	   securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

1124	   Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

1126	5.28.  TIA

1128	   The TIA has produced the "Compendium of Emergency Communications and
1129	   Communications Network Security-related Work Activities".  This
1130	   document identifies standards, or other technical documents and
1131	   ongoing Emergency/Public Safety Communications and Communications
1132	   Network Security-related work activities within TIA and it's
1133	   Engineering Committees.  Many P25 documents are specifically
1134	   detailed.  This "living document" is presented for information,
1135	   coordination and reference.

1137	   Documents: http://www.tiaonline.org/standards/technology/ciphs/
1138	   documents/EMTEL_sec.pdf

1140	5.29.  WS-I Basic Security Profile

1142	   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

1144	   The WS-I Basic Security Profile 1.0 consists of a set of non-
1145	   proprietary Web services specifications, along with clarifications
1146	   and amendments to those specifications which promote
1147	   interoperability.

1149	6.  Security Considerations

1151	   This document describes efforts to standardize security practices and
1152	   documents.  As such this document offers no security guidance
1153	   whatsoever.

1155	   Readers of this document should be aware of the date of publication
1156	   of this document.  It is feared that they may assume that the
1157	   efforts, on-line material, and documents are current whereas they may
1158	   not be.  Please consider this when reading this document.

1160	7.  IANA Considerations

1162	   This document does not propose a standard and does not require the
1163	   IANA to do anything.

1165	8.  Acknowledgments

1167	   The following people have contributed to this document.  Listing
1168	   their names here does not mean that they endorse the document, but
1169	   that they have contributed to its substance.

1171	   David Black, Mark Ellison, George Jones, Keith McCloghrie, John
1172	   McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
1173	   Moon.

1175	9.  Changes from Prior Drafts

1177	   -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

1179	   -01 : Security Glossaries:

1181	         Added ATIS Telecom Glossary 2000, Critical Infrastructure
1182	         Glossary of Terms and Acronyms, Microsoft Solutions for
1183	         Security Glossary, and USC InfoSec Glossary.

1185	      Standards Developing Organizations:

1187	         Added DMTF, GGF, INCITS, OASIS, and WS-I

1189	         Removal of Committee T1 and modifications to ATIS and former T1
1190	         technical subcommittees due to the recent ATIS reorganization.

1192	      Efforts and Documents:

1194	         Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
1195	         Area (SEC), INCITS Technical Committee T4 - Security
1196	         Techniques, INCITS Technical Committee T11 - Fibre Channel
1197	         Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
1198	         Committee, OASIS Security Services TC, and WS-I Basic Security
1199	         Profile.

1201	         Updated Operational Security Requirements for IP Network
1202	         Infrastructure : Advanced Requirements.

1204	   -00 : as the WG ID

1206	      Added more information about the ITU-T SG3 Q18 effort to modify
1207	      ITU-T Recommendation M.3016.

1209	   -01 : First revision as the WG ID.

1211	      Added information about the NGN in the sections about ATIS, the
1212	      NSTAC, and ITU-T.

1214	   -02 : Second revision as the WG ID.

1216	      Updated the date.

1218	      Corrected some url's and the reference to George's RFC.

1220	   -03 : Third revision of the WG ID.

1222	      Updated the date.

1224	      Updated the information about the CC

1226	      Added a Conventions section (not sure how this document got to
1227	      where it is without that)

1229	   -04 : Fourth revision of the WG ID.

1231	      Updated the date.

1233	      Added Anne & Lynn Wheeler Taxonomy & Security Glossary

1235	      CIAO glossary removed.  CIAO has been absorbed by DHS and the
1236	      glossary is no longer available.

1238	      USC glossary removed, could not find it on the site or a reference
1239	      to it elsewhere.

1241	      Added TTA - Telecommunications Technology Association to SDO
1242	      section.

1244	      Removed ATIS Security & Emergency Preparedness Activities from
1245	      Documents section.  Could not find it or a reference to it.

1247	      INCITS T4 incorporated into CS1 - T4 section removed

1249	      X9 Added to SDO list under ANSI

1251	      Various link or grammar fixes.

1253	   -05 : Fifth revision of the WG ID.

1255	      Updated the date.

1257	      Removed the 2119 definitions; this is an informational document.

1259	   -06 : Sixth revision of the WG ID.

1261	      Updated the date.

1263	      Added W3C information.

1265	   -07 : Seventh revision of the WG ID.

1267	      Updated the date.

1269	   -08 : Eighth revision of the WG ID.

1271	      Updated the reference to RFC 4949, found by Stephen Kent.

1273	   Note: This section will be removed before publication as an RFC.

1275	Authors' Addresses

1277	   Chris Lonvick
1278	   Cisco Systems
1279	   12515 Research Blvd.
1280	   Austin, Texas  78759
1281	   US

1283	   Phone: +1 512 378 1182
1284	   Email: clonvick@cisco.com

1286	   David Spak
1287	   Cisco Systems
1288	   12515 Research Blvd.
1289	   Austin, Texas  78759
1290	   US

1292	   Phone: +1 512 378 1720
1293	   Email: dspak@cisco.com

1295	Full Copyright Statement

1297	   Copyright (C) The IETF Trust (2008).

1299	   This document is subject to the rights, licenses and restrictions
1300	   contained in BCP 78, and except as set forth therein, the authors
1301	   retain all their rights.

1303	   This document and the information contained herein are provided on an
1304	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1305	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1306	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1307	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1308	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1309	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1311	Intellectual Property

1313	   The IETF takes no position regarding the validity or scope of any
1314	   Intellectual Property Rights or other rights that might be claimed to
1315	   pertain to the implementation or use of the technology described in
1316	   this document or the extent to which any license under such rights
1317	   might or might not be available; nor does it represent that it has
1318	   made any independent effort to identify any such rights.  Information
1319	   on the procedures with respect to rights in RFC documents can be
1320	   found in BCP 78 and BCP 79.

1322	   Copies of IPR disclosures made to the IETF Secretariat and any
1323	   assurances of licenses to be made available, or the result of an
1324	   attempt made to obtain a general license or permission for the use of
1325	   such proprietary rights by implementers or users of this
1326	   specification can be obtained from the IETF on-line IPR repository at
1327	   http://www.ietf.org/ipr.

1329	   The IETF invites any interested party to bring to its attention any
1330	   copyrights, patents or patent applications, or other proprietary
1331	   rights that may cover technology that may be required to implement
1332	   this standard.  Please address the information to the IETF at
1333	   ietf-ipr@ietf.org.

1335	Acknowledgment

1337	   Funding for the RFC Editor function is provided by the IETF
1338	   Administrative Support Activity (IASA).