Network Working Group                                          C. Lonvick
Internet-Draft                                                    D. Spak
Expires: October 15, 2009                                   Cisco Systems
                                                           April 13, 2009

               Security Best Practices Efforts and Documents
                        draft-ietf-opsec-efforts-10.txt

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on October 15, 2009.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Abstract

This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO).

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
       3.1.  ATIS Telecom Glossary 2000
       3.2.  Internet Security Glossary - RFC 4949
       3.3.  Compendium of Approved ITU-T Security Definitions
       3.4.  Microsoft Solutions for Security Glossary
       3.5.  SANS Glossary of Security Terms
       3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler
   4.  Standards Developing Organizations
       4.1.  3GPP - Third Generation Partnership Project
       4.2.  3GPP2 - Third Generation Partnership Project 2
       4.3.  ANSI - The American National Standards Institute
             4.3.1.  Accredited Standards Committee X9 (ASC X9)
       4.4.  ATIS - Alliance for Telecommunications Industry Solutions
             4.4.1.  ATIS NIPP - Network Interface, Power, and Protection Committee, formerly T1E1
             4.4.2.  ATIS NPRQ - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1
             4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1 O&B
             4.4.4.  ATIS OPTXS - Optical Transport and Synchronization Committee, formerly T1X1
             4.4.5.  ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P
             4.4.6.  ATIS WTSC - Wireless Technologies and Systems Committee, formerly T1P1
             4.4.7.  ATIS PTSC - Packet Technologies and Systems Committee, formerly T1S1
             4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1
       4.5.  CC - Common Criteria
       4.6.  DMTF - Distributed Management Task Force, Inc.
       4.7.  ETSI - The European Telecommunications Standard Institute
       4.8.  GGF - Global Grid Forum
       4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.
       4.10. IETF - The Internet Engineering Task Force
       4.11. INCITS - InterNational Committee for Information Technology Standards
             4.11.1. INCITS Technical Committee T11 - Fibre Channel Interfaces
       4.12. ISO - The International Organization for Standardization
       4.13. ITU - International Telecommunication Union
             4.13.1. ITU Telecommunication Standardization Sector - ITU-T
             4.13.2. ITU Radiocommunication Sector - ITU-R
             4.13.3. ITU Telecom Development - ITU-D
       4.14. OASIS - Organization for the Advancement of Structured Information Standards
       4.15. OIF - Optical Internetworking Forum
       4.16. NRIC - The Network Reliability and Interoperability Council
       4.17. National Security Telecommunications Advisory Committee (NSTAC)
       4.18. TIA - The Telecommunications Industry Association
       4.19. TTA - Telecommunications Technology Association
       4.20. The World Wide Web Consortium
       4.21. Web Services Interoperability Organization (WS-I)
   5.  Security Best Practices Efforts and Documents
       5.1.  3GPP - TSG SA WG3 (Security)
       5.2.  3GPP2 - TSG-S Working Group 4 (Security)
       5.3.  American National Standard T1.276-2003 - Baseline Security Requirements for the Management Plane
       5.4.  DMTF - Security Protection and Management (SPAM) Working Group
       5.5.  DMTF - User and Security Working Group
       5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End Standards and Solutions
             5.6.1.  ATIS Work on Packet Filtering
       5.7.  ATIS Work on the NGN
       5.8.  Common Criteria
       5.9.  ETSI
       5.10. GGF Security Area (SEC)
       5.11. Information System Security Assurance Architecture
       5.12. Operational Security Requirements for IP Network Infrastructure : Advanced Requirements
       5.13. INCITS CS1 - Cyber Security
       5.14. ISO Guidelines for the Management of IT Security - GMITS
       5.15. ISO JTC 1/SC 27
       5.16. ITU-T Study Group 2
       5.17. ITU-T Recommendation M.3016
       5.18. ITU-T Recommendation X.805
       5.19. ITU-T Study Group 16
       5.20. ITU-T Study Group 17
       5.21. Catalogue of ITU-T Recommendations related to Communications System Security
       5.22. ITU-T Security Manual
       5.23. ITU-T NGN Effort
       5.24. NRIC VI Focus Groups
       5.25. OASIS Security Joint Committee
       5.26. OASIS Security Services (SAML) TC
       5.27. OIF Implementation Agreements
       5.28. TIA
       5.29. WS-I Basic Security Profile
       5.30. NIST Special Publications (800 Series)
       5.31. NIST Interagency or Internal Reports (NISTIRs)
       5.32. NIST ITL Security Bulletins
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   Authors' Addresses

1. Introduction

The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with the hope of retaining, or even improving, an acceptable level of availability for its users. These SDO efforts usually define themselves as "security" efforts. It is the opinion of the authors that there are many different definitions of the term "security" and that it may be applied in many diverse ways. As such, we offer no assurance that the term is applied consistently throughout this document.

Many of these SDOs have diverse charters and goals and will take entirely different directions in their efforts to provide standards. However, even with that, there will be overlaps in their produced works. If there are overlaps then there is a potential for conflicts and confusion. This may result in:

   Vendors of networking equipment who are unsure of which standard to follow.

   Purchasers of networking equipment who are unsure of which standard will best apply to the needs of their business or organization.

   Network Administrators and Operators unsure of which standard to follow to attain the best security for their network.

For these reasons, the authors wish to encourage all SDOs who have an interest in producing or in consuming standards relating to good security practices to be consistent in their approach and their recommendations. In many cases, the authors are aware that the SDOs are making good efforts along these lines. However, the authors do not participate in all SDO efforts and cannot know everything that is happening.

The OpSec Working Group met at the 61st IETF and agreed that this document could be a useful reference in producing the documents described in the Working Group Charter. The authors have agreed to keep this document current and request that those who read it will submit corrections or comments.

Comments on this document may be addressed to the OpSec Working Group or directly to the authors.

   opsec@ops.ietf.org

2. Format of this Document

The body of this document has three sections.
The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistent usage of words across standards is unacceptable, as it would prevent a reader of two standards from appropriately relating their recommendations. The authors of this document have not reviewed the definitions of the words in the listed glossaries and so can offer no assurance of their alignment.

The second part, Section 4, contains a listing of SDOs that appear to be working on security standards.

The third part, Section 5, lists the documents which have been found to offer good practices or recommendations for securing networks and networking devices.

3. Online Security Glossaries

This section contains references to glossaries of network and computer security terms.

3.1. ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

Under an approved T1 standards project (T1A1-20), an existing 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms, was updated and matured into this glossary, T1.523-2001, Telecom Glossary 2000. This updated glossary was posted on the Web as an American National Standard (ANS).

3.2. Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

This document was originally created as RFC 2828 in May 2000. It was revised as RFC 4949, and the document defines itself to be "an internally consistent, complementary set of abbreviations, definitions, explanations, and recommendations for use of terminology related to information system security."

3.3. Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related Definitions
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

These extensive materials were created from approved ITU-T Recommendations with a view toward establishing a common understanding and use of security terms within ITU-T.

3.4. Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary.mspx

The Microsoft Solutions for Security Glossary was created to explain the concepts, technologies, and products associated with computer security. This glossary contains several definitions specific to Microsoft proprietary technologies and product solutions.

3.5. SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

The SANS Institute (SysAdmin, Audit, Network, Security) was created in 1989 as "a cooperative research and education organization." Updated in May 2003, SANS cites the NSA for their help in creating the online glossary of security terms. The SANS Institute is also home to many other resources, including the SANS Intrusion Detection FAQ and the SANS/FBI Top 20 Vulnerabilities List.

3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

Anne and Lynn Wheeler maintain a security taxonomy and glossary with terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, 800-61, 800-77, 800-83, FIPS140, NASA, NCSC/TG004, NIAP, NSA Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, RFC2647, RFC2828, TCSEC, TDI, and TNI.

4. Standards Developing Organizations

This section of this document lists the SDOs, or organizations, that appear to be developing security related standards. These SDOs are listed in alphabetical order.

Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC.

4.1. 3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

The 3rd Generation Partnership Project (3GPP) is a collaboration agreement formed in December 1998. The collaboration agreement comprises several telecommunications standards bodies which are known as "Organizational Partners". The current Organizational Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2. 3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

Third Generation Partnership Project 2 (3GPP2) is a collaboration among Organizational Partners much like its sister project 3GPP. The Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes the CDMA Development Group and IPv6 Forum as Market Representation Partners for market advice.

4.3. ANSI - The American National Standards Institute

   http://www.ansi.org/

ANSI is a private, non-profit organization that organizes and oversees the U.S. voluntary standardization and conformity assessment system. ANSI was founded October 19, 1918.

4.3.1. Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

The Accredited Standards Committee X9 (ASC X9) has the mission to develop, establish, maintain, and promote standards for the Financial Services Industry in order to facilitate delivery of financial services and products.

4.4. ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

ATIS is a United States based body that is committed to rapidly developing and promoting technical and operations standards for the communications and related information technologies industry worldwide using a pragmatic, flexible and open approach. Committee T1 as a group no longer exists as a result of the ATIS reorganization on January 1, 2004. ATIS has restructured the former T1 technical subcommittees into full ATIS standards committees to easily identify and promote the nature of standards work each committee performs. Due to the reorganization, some groups may have a new mission and scope statement.

4.4.1. ATIS NIPP - Network Interface, Power, and Protection Committee, formerly T1E1

   http://www.atis.org/0050/index.asp

ATIS Network Interface, Power, and Protection Committee develops and recommends standards and technical reports related to power systems, electrical and physical protection for the exchange and interexchange carrier networks, and interfaces associated with user access to telecommunications networks.

4.4.2. ATIS NPRQ - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

ATIS Network Performance, Reliability and Quality of Service Committee develops and recommends standards, requirements, and technical reports related to the performance, reliability, and associated security aspects of communications networks, as well as the processing of voice, audio, data, image, and video signals, and their multimedia integration.

4.4.3. ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1 O&B

   http://www.atis.org/obf/index.asp

The T1M1 O&B subcommittee has become part of the ATIS Ordering and Billing Forum.

The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum for customers and providers in the telecommunications industry to identify, discuss and resolve national issues which affect ordering, billing, provisioning and exchange of information about access services, other connectivity and related matters.

4.4.4. ATIS OPTXS - Optical Transport and Synchronization Committee, formerly T1X1

   http://www.atis.org/0240/index.asp

ATIS Optical Transport and Synchronization Committee develops and recommends standards and prepares technical reports related to telecommunications network technology pertaining to network synchronization interfaces and hierarchical structures including optical technology.

4.4.5. ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

ATIS Telecom Management and Operations Committee develops internetwork operations, administration, maintenance and provisioning standards, and technical reports related to interfaces for telecommunications networks.

4.4.6. ATIS WTSC - Wireless Technologies and Systems Committee, formerly T1P1

   http://www.atis.org/0160/index.asp

ATIS Wireless Technologies and Systems Committee develops and recommends standards and technical reports related to wireless and/or mobile services and systems, including service descriptions and wireless technologies.

4.4.7. ATIS PTSC - Packet Technologies and Systems Committee, formerly T1S1

   http://www.atis.org/0191/index.asp

T1S1 was split into two separate ATIS committees: the ATIS Packet Technologies and Systems Committee and the ATIS Protocol Interworking Committee. PTSC is responsible for producing standards to secure signalling.

The basic document is PTSC-SEC-2005-059.doc, which is in Letter Ballot at this time. It is expected to move to an ANSI standard.

4.4.8. ATIS Protocol Interworking Committee, regarding T1S1

T1S1 was split into two separate ATIS committees: the ATIS Packet Technologies and Systems Committee and the ATIS Protocol Interworking Committee. As a result of the reorganization of T1S1, these groups will also probably have a new mission and scope.

4.5. CC - Common Criteria

   http://www.commoncriteriaportal.org/

In June 1993, the sponsoring organizations of the existing US, Canadian, and European criteria (TCSEC, ITSEC, and similar) started the Common Criteria Project to align their separate criteria into a single set of IT security criteria.

4.6. DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

Founded in 1992, the DMTF brings the technology industry's customers and top vendors together in a collaborative, working group approach that involves DMTF members in all aspects of specification development and refinement.

4.7. ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

ETSI is an independent, non-profit organization which produces telecommunications standards. ETSI is based in Sophia-Antipolis in the south of France and maintains a membership from 55 countries.

Joint work between ETSI and ITU-T SG-17:

   http://www.tta.or.kr/gsc/upload/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

4.8. GGF - Global Grid Forum

   http://www.gridforum.org/

The Global Grid Forum (GGF) is a community-initiated forum of thousands of individuals from industry and research leading the global standardization effort for grid computing. GGF's primary objectives are to promote and support the development, deployment, and implementation of grid technologies and applications via the creation and documentation of "best practices" - technical specifications, user experiences, and implementation guidelines.

4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

IEEE is a non-profit, professional association of more than 360,000 individual members in approximately 175 countries. The IEEE produces 30 percent of the world's published literature in electrical engineering, computers, and control technology through its technical publishing, conferences, and consensus-based standards activities.

4.10. IETF - The Internet Engineering Task Force

   http://www.ietf.org/

IETF is a large, international community open to any interested individual concerned with the evolution of the Internet architecture and the smooth operation of the Internet.

4.11. INCITS - InterNational Committee for Information Technology Standards

   http://www.incits.org/

INCITS focuses upon standardization in the field of Information and Communications Technologies (ICT), encompassing storage, processing, transfer, display, management, organization, and retrieval of information.

4.11.1. INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

T11 is responsible for standards development in the areas of Intelligent Peripheral Interface (IPI), High-Performance Parallel Interface (HIPPI) and Fibre Channel (FC). T11 has a project called FC-SP to define Security Protocols for Fibre Channel.

FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

4.12. ISO - The International Organization for Standardization

   http://www.iso.org/

ISO is a network of the national standards institutes of 148 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO officially began operations on February 23, 1947.

4.13. ITU - International Telecommunication Union

   http://www.itu.int/

The ITU is an international organization within the United Nations System headquartered in Geneva, Switzerland. The ITU comprises three sectors:

4.13.1. ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

ITU-T's mission is to ensure an efficient and on-time production of high quality standards covering all fields of telecommunications.

4.13.2. ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

The ITU-R plays a vital role in the management of the radio-frequency spectrum and satellite orbits.

4.13.3. ITU Telecom Development - ITU-D

(also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

The Telecommunication Development Bureau (BDT) is the executive arm of the Telecommunication Development Sector. Its duties and responsibilities cover a variety of functions ranging from programme supervision and technical advice to the collection, processing and publication of information relevant to telecommunication development.

4.14. OASIS - Organization for the Advancement of Structured Information Standards

   http://www.oasis-open.org/

OASIS is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards.

4.15. OIF - Optical Internetworking Forum

   http://www.oiforum.com/

On April 20, 1998, Cisco Systems and Ciena Corporation announced an industry-wide initiative to create the Optical Internetworking Forum, an open forum focused on accelerating the deployment of optical internetworks.

4.16. NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

The purposes of the Committee are to give telecommunications industry leaders the opportunity to provide recommendations to the FCC and to the industry that assure optimal reliability and interoperability of telecommunications networks. The Committee addresses topics in the areas of Homeland Security, reliability, interoperability, and broadband deployment.

4.17. National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

President Ronald Reagan created the National Security Telecommunications Advisory Committee (NSTAC) by Executive Order 12382 in September 1982. Since then, the NSTAC has served four presidents. Composed of up to 30 industry chief executives representing the major communications and network service providers and information technology, finance, and aerospace companies, the NSTAC provides industry-based advice and expertise to the President on issues and problems related to implementing national security and emergency preparedness (NS/EP) communications policy. Since its inception, the NSTAC has addressed a wide range of policy and technical issues regarding communications, information systems, information assurance, critical infrastructure protection, and other NS/EP communications concerns.

4.18. TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

TIA is accredited by ANSI to develop voluntary industry standards for a wide variety of telecommunications products. TIA's Standards and Technology Department is composed of five divisions: Fiber Optics, User Premises Equipment, Network Equipment, Wireless Communications and Satellite Communications.

4.19. TTA - Telecommunications Technology Association

   http://www.tta.or.kr/Home2003/main/index.jsp
   http://www.tta.or.kr/English/new/main/index.htm (English)

TTA (Telecommunications Technology Association) is an IT standards organization that develops new standards and provides one-stop services for the establishment of IT standards as well as providing testing and certification for IT products.

4.20. The World Wide Web Consortium

   http://www.w3.org/Consortium/

The World Wide Web Consortium (W3C) is an international consortium where Member organizations, a full-time staff, and the public work together to develop Web standards. W3C's mission is: To lead the World Wide Web to its full potential by developing protocols and guidelines that ensure long-term growth for the Web.

The security work within the W3C:

   http://www.w3.org/Security/Activity

4.21. Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

WS-I is an open, industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages. The organization works across the industry and standards organizations to respond to customer needs by providing guidance, best practices, and resources for developing Web services solutions.

5. Security Best Practices Efforts and Documents

This section lists the works produced by the SDOs.

5.1. 3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

TSG SA WG3 Security is responsible for the security of the 3GPP system, performing analyses of potential security threats to the system, considering the new threats introduced by the IP based services and systems and setting the security requirements for the overall 3GPP system.
   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

5.2. 3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications. Among its responsibilities, TSG-S is addressing
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.

   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

5.3. American National Standard T1.276-2003 - Baseline Security
     Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security
   requirements for the management plane. The President's National
   Security Telecommunications Advisory Committee Network Security
   Information Exchange (NSIE) and Government NSIE jointly established a
   Security Requirements Working Group (SRWG) to examine the security
   requirements for controlling access to the public switched network,
   in particular with respect to the emerging next generation network.

   In the telecommunications industry, this access incorporates
   operation, administration, maintenance, and provisioning for network
   elements and various supporting systems and databases.
   Members of the SRWG, from a cross-section of telecommunications
   carriers and vendors, developed an initial list of security
   requirements that would allow vendors, government departments and
   agencies, and service providers to implement a secure
   telecommunications network management infrastructure. This initial
   list of security requirements was submitted as a contribution to
   Committee T1 - Telecommunications, Working Group T1M1.5 for
   consideration as a standard. The requirements outlined in this
   document will allow vendors, government departments and agencies, and
   service providers to implement a secure telecommunications network
   management infrastructure.

   Documents:
   http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

5.4. DMTF - Security Protection and Management (SPAM) Working Group

   http://www.dmtf.org/about/committees/spamWGCharter.pdf

   The Working Group will define a CIM Common Model that addresses
   security protection and detection technologies, which may include
   devices and services, and classifies security information, attacks,
   and responses.

5.5. DMTF - User and Security Working Group

   http://www.dmtf.org/about/committees/userWGCharter.pdf

   The User and Security Working Group defines objects and access
   methods required for principals - where principals include users,
   groups, software agents, systems, and organizations.

5.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
     Standards and Solutions

   ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf

   The ATIS TOPS Security Focus Group has made recommendations on work
   items needed to be performed by other SDOs.

5.6.1. ATIS Work on Packet Filtering

   A part of the ATIS Work Plan was to define how disruptions may be
   prevented by filtering unwanted traffic at the edges of the network.
   ATIS is developing this work in a document titled "Traffic Filtering
   for the Prevention of Unwanted Traffic".

5.7. ATIS Work on the NGN

   http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/Part%20I/ATIS_NGN_Part_1_Issue1.pdf

   In November 2004, ATIS released Part I of the ATIS NGN-FG efforts,
   entitled "ATIS Next Generation Network (NGN) Framework Part I: NGN
   Definitions, Requirements, and Architecture, Issue 1.0, November
   2004."

5.8. Common Criteria

   http://www.commoncriteriaportal.org/

   Version 1.0 of the CC was completed in January 1996. Based on a
   number of trial evaluations and an extensive public review, Version
   1.0 was extensively revised and CC Version 2.0 was produced in April
   of 1998. This became ISO International Standard 15408 in 1999. The
   CC Project subsequently incorporated the minor changes that had
   resulted from the ISO process, producing CC version 2.1 in August
   1999. Version 3.0 was published in June 2005 and is available for
   comment.

   The official version of the Common Criteria and of the Common
   Evaluation Methodology is v2.3, which was published in August 2005.

   All Common Criteria publications contain:

   Part 1: Introduction and general model

   Part 2: Security functional components

   Part 3: Security assurance components

   Documents: Common Criteria V2.3
   http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

5.9. ETSI

   http://www.etsi.org/

   ETSI hosted the ETSI Global Security Conference in late November
   2003, which could lead to a standard.

   Groups related to security, located from the ETSI Groups Portal:

   OCG Security

   3GPP SA3

   TISPAN WG7

5.10. GGF Security Area (SEC)

   https://forge.gridforum.org/projects/sec/

   The Security Area (SEC) is concerned with various issues relating to
   authentication and authorization in Grid environments.
   Working groups:

   Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
   https://forge.gridforum.org/projects/authz-wg

   Certificate Authority Operations Working Group (CAOPS-WG) -
   https://forge.gridforum.org/projects/caops-wg

   OGSA Authorization Working Group (OGSA-AUTHZ) -
   https://forge.gridforum.org/projects/ogsa-authz

   Grid Security Infrastructure (GSI-WG) -
   https://forge.gridforum.org/projects/gsi-wg

5.11. Information System Security Assurance Architecture

   IEEE Working Group - http://issaa.org/

   Formerly the Security Certification and Accreditation of Information
   Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
   Standard for Information System Security Assurance Architecture for
   ballot and, during the process, begin development of a suite of
   associated standards for components of that architecture.

   Documents: http://issaa.org/documents/index.html

5.12. Operational Security Requirements for IP Network Infrastructure:
      Advanced Requirements

   IETF RFC 3871

   Abstract: This document defines a list of operational security
   requirements for the infrastructure of large ISP IP networks (routers
   and switches). A framework is defined for specifying "profiles",
   which are collections of requirements applicable to certain network
   topology contexts (all, core-only, edge-only...). The goal is to
   provide network operators a clear, concise way of communicating their
   security requirements to vendors.

   Documents:

   ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

5.13. INCITS CS1 - Cyber Security

   http://cs1.incits.org/

   INCITS/CS1 was established in April 2005 to serve as the US TAG for
   ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
   (INCITS/T4 serves as the US TAG to SC 27/WG 2).
   The scope of CS1 explicitly excludes the areas of work on cyber
   security standardization presently underway in INCITS B10, M1 and T3,
   as well as other standards groups, such as ATIS, IEEE, IETF, TIA, and
   X9. INCITS T4's area of work would be narrowed to cryptography
   projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
   mechanisms).

5.14. ISO Guidelines for the Management of IT Security - GMITS

   Guidelines for the Management of IT Security -- Part 1: Concepts and
   models for IT Security

   http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

   Guidelines for the Management of IT Security -- Part 2: Managing and
   planning IT Security

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 3: Techniques
   for the management of IT Security

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 4: Selection of
   safeguards

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 5: Management
   guidance on network security

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&ICS3=

   Open Systems Interconnection -- Network layer security protocol

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&ICS3=30

5.15. ISO JTC 1/SC 27

   http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

   Several security related ISO projects under JTC 1/SC 27 are listed
   here, such as:

   IT security techniques -- Entity authentication

   Security techniques -- Key management

   Security techniques -- Evaluation criteria for IT security

   Security techniques -- A framework for IT security assurance

   IT Security techniques -- Code of practice for information
   security management

   Security techniques -- IT network security

   Guidelines for the implementation, operation and management of
   Intrusion Detection Systems (IDS)

   International Security, Trust, and Privacy Alliance -- Privacy
   Framework

5.16. ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

   Security related recommendations currently under study:

   E.408 Telecommunication networks security requirements Q.5/2 (was
   E.sec1)

   E.409 Incident Organisation and Security Incident Handling Q.5/2
   (was E.sec2)

   Note: Access requires a TIES account.

5.17. ITU-T Recommendation M.3016

   http://www.itu.int/itudoc/itu-t/com4/contr/068.html

   This recommendation provides an overview and framework that
   identifies the security requirements of a TMN and outlines how
   available security services and mechanisms can be applied within the
   context of the TMN functional architecture.

   Question 18 of Study Group 3 is revising Recommendation M.3016. They
   have taken the original document and are incorporating thoughts from
   ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
   produced a new series of documents:

   M.3016.0 - Overview

   M.3016.1 - Requirements

   M.3016.2 - Services

   M.3016.3 - Mechanisms

   M.3016.4 - Profiles

5.18. ITU-T Recommendation X.805

   http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

   This Recommendation defines the general security-related
   architectural elements that, when appropriately applied, can provide
   end-to-end network security.

5.19. ITU-T Study Group 16

   http://www.itu.int/ITU-T/studygroups/com16/index.asp

   Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

   http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

5.20. ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

   ITU-T Study Group 17 is the Lead Study Group on Communication System
   Security:

   http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

   Study Group 17 Security Project:

   http://www.itu.int/ITU-T/studygroups/com17/security/index.html

   During its November 2002 meeting, Study Group 17 agreed to establish
   a new project entitled "Security Project" under the leadership of
   Q.10/17 to coordinate the ITU-T standardization effort on security.
   An analysis of the status of ITU-T Study Group action on information
   and communication network security may be found in TSB Circular 147
   of 14 February 2003.

5.21. Catalogue of ITU-T Recommendations related to Communications
      System Security

   http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

   The Catalogue of approved security Recommendations includes those
   designed for security purposes and those which describe or use
   functions of security interest and need. Although some of the
   security related Recommendations include the phrase "Open Systems
   Interconnection", much of the information contained in them is
   pertinent to the establishment of security functionality in any
   communicating system.

5.22. ITU-T Security Manual

   http://www.itu.int/ITU-T/edh/files/security-manual.pdf

   TSB is preparing an "ITU-T Security Manual" to provide an overview of
   security in telecommunications and information technologies, describe
   practical issues, and indicate how the different aspects of security
   in today's applications are addressed by ITU-T Recommendations. This
   manual has a tutorial character: it collects security related
   material from ITU-T Recommendations into one place and explains the
   respective relationships. The intended audience for this manual is
   engineers and product managers, students and academia, as well as
   regulators who want to better understand security aspects in
   practical applications.

5.23. ITU-T NGN Effort

   http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

   During its January 2002 meeting, SG13 decided to undertake the
   preparation of a new ITU-T Project entitled "NGN 2004 Project". At
   the November 2002 SG13 meeting, a preliminary description of the
   Project was achieved and endorsed by SG13 with the goal to launch the
   Project. It has been regularly updated since then.

   The role of the NGN 2004 Project is to organize and to coordinate
   ITU-T activities on Next Generation Networks. Its target is to
   produce a first set of Recommendations on NGN by the end of this
   study period, i.e. mid-2004.

5.24. NRIC VI Focus Groups

   http://www.nric.org/fg/index.html

   The Network Reliability and Interoperability Council (NRIC) was
   formed with the purpose of providing recommendations to the FCC and
   to the industry to assure the reliability and interoperability of
   wireless, wireline, satellite, and cable public telecommunications
   networks.
   These documents provide general information and guidance on NRIC
   Focus Group 1B (Cybersecurity) Best Practices for the prevention of
   cyberattack and for restoration following a cyberattack.

   Documents:

   Homeland Defense - Recommendations Published 14-Mar-03

   Preventative Best Practices - Recommendations Published 14-Mar-03

   Recovery Best Practices - Recommendations Published 14-Mar-03

   Best Practice Appendices - Recommendations Published 14-Mar-03

5.25. OASIS Security Joint Committee

   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-jc

   The purpose of the Security JC is to coordinate the technical
   activities of multiple security related TCs. The SJC is advisory
   only, and has no deliverables. The Security JC will promote the use
   of consistent terms, promote re-use, champion an OASIS security
   standards model, provide consistent PR, and promote mutuality,
   operational independence and ethics.

5.26. OASIS Security Services (SAML) TC

   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

   The Security Services TC is working to advance the Security Assertion
   Markup Language (SAML) as an OASIS standard. SAML is an XML
   framework for exchanging authentication and authorization
   information.

5.27. OIF Implementation Agreements

   The OIF has 2 approved Implementation Agreements (IAs) relating to
   security. They are:

   OIF-SMI-01.0 - Security Management Interfaces to Network Elements

   This Implementation Agreement lists objectives for securing OAM&P
   interfaces to a Network Element and then specifies ways of using
   security systems (e.g., IPsec or TLS) for securing these interfaces.
   It summarizes how well each of the systems, used as specified,
   satisfies the objectives.
   OIF-SEP-01.1 - Security Extension for UNI and NNI

   This Implementation Agreement defines a common Security Extension for
   securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

   Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

5.28. TIA

   The TIA has produced the "Compendium of Emergency Communications and
   Communications Network Security-related Work Activities". This
   document identifies standards, or other technical documents, and
   ongoing Emergency/Public Safety Communications and Communications
   Network Security-related work activities within TIA and its
   Engineering Committees. Many P25 documents are specifically
   detailed. This "living document" is presented for information,
   coordination and reference.

   Documents: http://www.tiaonline.org/standards/technology/ciphs/documents/EMTEL_sec.pdf

5.29. WS-I Basic Security Profile

   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

   The WS-I Basic Security Profile 1.0 consists of a set of
   non-proprietary Web services specifications, along with
   clarifications and amendments to those specifications which promote
   interoperability.

5.30. NIST Special Publications (800 Series)

   http://csrc.nist.gov/publications/PubsSPs.html

   Special Publications in the 800 series present documents of general
   interest to the computer security community. The Special Publication
   800 series was established in 1990 to provide a separate identity for
   information technology security publications. This Special
   Publication 800 series reports on ITL's research, guidelines, and
   outreach efforts in computer security, and its collaborative
   activities with industry, government, and academic organizations.

5.31. NIST Interagency or Internal Reports (NISTIRs)

   http://csrc.nist.gov/publications/PubsNISTIRs.html

   NIST Interagency or Internal Reports (NISTIRs) describe research of a
   technical nature of interest to a specialized audience. The series
   includes interim or final reports on work performed by NIST for
   outside sponsors (both government and nongovernment). NISTIRs may
   also report results of NIST projects of transitory or limited
   interest, including those that will be published subsequently in more
   comprehensive form.

5.32. NIST ITL Security Bulletins

   http://csrc.nist.gov/publications/PubsITLSB.html

   ITL Bulletins are published by NIST's Information Technology
   Laboratory, with most bulletins written by the Computer Security
   Division. These bulletins are published on average six times a
   year. Each bulletin presents an in-depth discussion of a single
   topic of significant interest to the information systems community.
   Not all ITL Bulletins that are published relate to computer or
   network security. Only the computer security ITL Bulletins are found
   here.

6. Security Considerations

   This document describes efforts to standardize security practices and
   documents. As such, this document offers no security guidance
   whatsoever.

   Readers of this document should be aware of the date of publication
   of this document. It is feared that they may assume that the
   efforts, on-line material, and documents are current whereas they may
   not be. Please consider this when reading this document.

7. IANA Considerations

   This document does not propose a standard and does not require the
   IANA to do anything.

8. Acknowledgments

   The following people have contributed to this document. Listing
   their names here does not mean that they endorse the document, but
   that they have contributed to its substance.
   David Black, Mark Ellison, George Jones, Keith McCloghrie, John
   McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
   Moon.

9. Changes from Prior Drafts

   -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

   -01 : Security Glossaries:

         Added ATIS Telecom Glossary 2000, Critical Infrastructure
         Glossary of Terms and Acronyms, Microsoft Solutions for
         Security Glossary, and USC InfoSec Glossary.

         Standards Developing Organizations:

         Added DMTF, GGF, INCITS, OASIS, and WS-I.

         Removal of Committee T1 and modifications to ATIS and former T1
         technical subcommittees due to the recent ATIS reorganization.

         Efforts and Documents:

         Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
         Area (SEC), INCITS Technical Committee T4 - Security
         Techniques, INCITS Technical Committee T11 - Fibre Channel
         Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
         Committee, OASIS Security Services TC, and WS-I Basic Security
         Profile.

         Updated Operational Security Requirements for IP Network
         Infrastructure: Advanced Requirements.

   -00 : as the WG ID

         Added more information about the ITU-T SG3 Q18 effort to modify
         ITU-T Recommendation M.3016.

   -01 : First revision as the WG ID.

         Added information about the NGN in the sections about ATIS, the
         NSTAC, and ITU-T.

   -02 : Second revision as the WG ID.

         Updated the date.

         Corrected some URLs and the reference to George's RFC.

   -03 : Third revision of the WG ID.

         Updated the date.

         Updated the information about the CC.

         Added a Conventions section (not sure how this document got to
         where it is without that).

   -04 : Fourth revision of the WG ID.

         Updated the date.

         Added Anne & Lynn Wheeler Taxonomy & Security Glossary.

         CIAO glossary removed. CIAO has been absorbed by DHS and the
         glossary is no longer available.

         USC glossary removed; could not find it on the site or a
         reference to it elsewhere.

         Added TTA - Telecommunications Technology Association to SDO
         section.

         Removed ATIS Security & Emergency Preparedness Activities from
         Documents section. Could not find it or a reference to it.

         INCITS T4 incorporated into CS1 - T4 section removed.

         X9 added to SDO list under ANSI.

         Various link or grammar fixes.

   -05 : Fifth revision of the WG ID.

         Updated the date.

         Removed the 2119 definitions; this is an informational document.

   -06 : Sixth revision of the WG ID.

         Updated the date.

         Added W3C information.

   -07 : Seventh revision of the WG ID.

         Updated the date.

   -08 : Eighth revision of the WG ID.

         Updated the reference to RFC 4949, found by Stephen Kent.

   -09 : Ninth revision of the WG ID.

         Updated the date.

   -10 : Tenth revision of the WG ID.

         Added references to NIST documents, recommended by Steve Wolff.
         Updated the date.

   Note: This section will be removed before publication as an RFC.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1182
   Email: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1720
   Email: dspak@cisco.com