Network Working Group                                          C. Lonvick
Internet-Draft                                                    D. Spak
Intended status: Informational                              Cisco Systems
Expires: November 14, 2010                                   May 13, 2010


              Security Best Practices Efforts and Documents
                      draft-ietf-opsec-efforts-12.txt

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 14, 2010.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
       3.1.  ATIS Telecom Glossary 2000
       3.2.  Internet Security Glossary - RFC 4949
       3.3.  Compendium of Approved ITU-T Security Definitions
       3.4.  Microsoft Solutions for Security Glossary
       3.5.  SANS Glossary of Security Terms
       3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler
   4.  Standards Developing Organizations
       4.1.  3GPP - Third Generation Partnership Project
       4.2.  3GPP2 - Third Generation Partnership Project 2
       4.3.  ANSI - The American National Standards Institute
             4.3.1.  Accredited Standards Committee X9 (ASC X9)
       4.4.  ATIS - Alliance for Telecommunications Industry Solutions
             4.4.1.  ATIS NIPP - Network Interface, Power, and Protection
                     Committee, formerly T1E1
             4.4.2.  ATIS NPRQ - Network Performance, Reliability, and
                     Quality of Service Committee, formerly T1A1
             4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly
                     regarding T1M1 O&B
             4.4.4.  ATIS OPTXS - Optical Transport and Synchronization
                     Committee, formerly T1X1
             4.4.5.  ATIS TMOC - Telecom Management and Operations
                     Committee, formerly T1M1 OAM&P
             4.4.6.  ATIS WTSC - Wireless Technologies and Systems
                     Committee, formerly T1P1
             4.4.7.  ATIS PTSC - Packet Technologies and Systems
                     Committee, formerly T1S1
             4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1
       4.5.  CC - Common Criteria
       4.6.  DMTF - Distributed Management Task Force, Inc.
       4.7.  ETSI - The European Telecommunications Standard Institute
       4.8.  GGF - Global Grid Forum
       4.9.  IEEE - The Institute of Electrical and Electronics
             Engineers, Inc.
       4.10. IETF - The Internet Engineering Task Force
       4.11. INCITS - InterNational Committee for Information Technology
             Standards
             4.11.1. INCITS Technical Committee T11 - Fibre Channel
                     Interfaces
       4.12. ISO - The International Organization for Standardization
       4.13. ITU - International Telecommunication Union
             4.13.1. ITU Telecommunication Standardization Sector - ITU-T
             4.13.2. ITU Radiocommunication Sector - ITU-R
             4.13.3. ITU Telecom Development - ITU-D
       4.14. OASIS - Organization for the Advancement of Structured
             Information Standards
       4.15. OIF - Optical Internetworking Forum
       4.16. NRIC - The Network Reliability and Interoperability Council
       4.17. National Security Telecommunications Advisory Committee
             (NSTAC)
       4.18. TIA - The Telecommunications Industry Association
       4.19. TTA - Telecommunications Technology Association
       4.20. The World Wide Web Consortium
       4.21. Web Services Interoperability Organization (WS-I)
   5.  Security Best Practices Efforts and Documents
       5.1.  3GPP - TSG SA WG3 (Security)
       5.2.  3GPP2 - TSG-S Working Group 4 (Security)
       5.3.  American National Standard T1.276-2003 - Baseline Security
             Requirements for the Management Plane
       5.4.  DMTF - Security Protection and Management (SPAM) Working
             Group
       5.5.  DMTF - User and Security Working Group
       5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable,
             End-To-End Standards and Solutions
             5.6.1.  ATIS Work on Packet Filtering
       5.7.  ATIS Work on the NGN
       5.8.  Common Criteria
       5.9.  ETSI
       5.10. GGF Security Area (SEC)
       5.11. Information System Security Assurance Architecture
       5.12. Operational Security Requirements for IP Network
             Infrastructure : Advanced Requirements
       5.13. INCITS CS1 - Cyber Security
       5.14. ISO Guidelines for the Management of IT Security - GMITS
       5.15. ISO JTC 1/SC 27
       5.16. ITU-T Study Group 2
       5.17. ITU-T Recommendation M.3016
       5.18. ITU-T Recommendation X.805
       5.19. ITU-T Study Group 16
       5.20. ITU-T Study Group 17
       5.21. Catalogue of ITU-T Recommendations related to
             Communications System Security
       5.22. ITU-T Security Manual
       5.23. ITU-T NGN Effort
       5.24. NRIC VI Focus Groups
       5.25. OASIS Security Joint Committee
       5.26. OASIS Security Services (SAML) TC
       5.27. OIF Implementation Agreements
       5.28. TIA
       5.29. WS-I Basic Security Profile
       5.30. NIST Special Publications (800 Series)
       5.31. NIST Interagency or Internal Reports (NISTIRs)
       5.32. NIST ITL Security Bulletins
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   Authors' Addresses

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world, even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards in the hope of retaining, or even improving, an acceptable
   level of availability for its users.  These SDO efforts usually
   define themselves as "security" efforts.  It is the opinion of the
   authors that there are many different definitions of the term
   "security" and that it may be applied in many diverse ways.  As such,
   we offer no assurance that the term is applied consistently
   throughout this document.
   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   Even so, there will be overlaps in their produced works.  Where there
   are overlaps, there is a potential for conflicts and confusion.  This
   may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations.  In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.  However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.
   Inconsistent usage of words between standards is unacceptable, as it
   would prevent a reader of two standards from appropriately relating
   their recommendations.  The authors of this document have not
   reviewed the definitions of the words in the listed glossaries and so
   can offer no assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1.  ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing 5800-
   entry, search-enabled hypertext telecommunications glossary titled
   Federal Standard 1037C, Glossary of Telecommunication Terms, was
   updated and matured into this glossary, T1.523-2001, Telecom Glossary
   2000.  This updated glossary was posted on the Web as an American
   National Standard (ANS).

3.2.  Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

   This document was originally created as RFC 2828 in May 2000.  It was
   revised as RFC 4949, and the document defines itself to be "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."

3.3.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions:
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

3.4.  Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security.  This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

3.5.  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms.  The SANS Institute is also
   home to many other resources, including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/
   SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53,
   800-61, 800-77, 800-83, FIPS140, NASA, NCSC/TG004, NIAP, NSA
   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
   RFC2647, RFC2828, TCSEC, TDI, and TNI.

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations, that
   appear to be developing security-related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement
   comprises several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP.  The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC.  In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

4.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity assessment
   system.  ANSI was founded October 19, 1918.

4.3.1.  Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to
   develop, establish, maintain, and promote standards for the Financial
   Services Industry in order to facilitate delivery of financial
   services and products.

4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach.  Committee
   T1 as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004.  ATIS has restructured the former
   T1 technical subcommittees into full ATIS standards committees to
   easily identify and promote the nature of standards work each
   committee performs.  Due to the reorganization, some groups may have
   a new mission and scope statement.

4.4.1.  ATIS NIPP - Network Interface, Power, and Protection Committee,
        formerly T1E1

   http://www.atis.org/0050/index.asp

   The ATIS Network Interface, Power, and Protection Committee develops
   and recommends standards and technical reports related to power
   systems, electrical and physical protection for the exchange and
   interexchange carrier networks, and interfaces associated with user
   access to telecommunications networks.

4.4.2.  ATIS NPRQ - Network Performance, Reliability, and Quality of
        Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   The ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1
        O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.
   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers and providers in the telecommunications industry to
   identify, discuss and resolve national issues which affect ordering,
   billing, provisioning and exchange of information about access
   services, other connectivity and related matters.

4.4.4.  ATIS OPTXS - Optical Transport and Synchronization Committee,
        formerly T1X1

   http://www.atis.org/0240/index.asp

   The ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures, including
   optical technology.

4.4.5.  ATIS TMOC - Telecom Management and Operations Committee,
        formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   The ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

4.4.6.  ATIS WTSC - Wireless Technologies and Systems Committee,
        formerly T1P1

   http://www.atis.org/0160/index.asp

   The ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

4.4.7.  ATIS PTSC - Packet Technologies and Systems Committee, formerly
        T1S1

   http://www.atis.org/0191/index.asp

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  PTSC is responsible for producing standards to secure
   signalling.

   The basic document is PTSC-SEC-2005-059.doc, which is in Letter
   Ballot at this time.  It is expected to move to an ANSI standard.

4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

4.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

4.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards.  ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17:

   http://www.tta.or.kr/gsc/upload/
   GSC9_Joint_011_Security_Standardization_in_ITU.ppt

4.8.  GGF - Global Grid Forum

   http://www.gridforum.org/

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing.  GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

   IEEE is a non-profit, professional association of more than 360,000
   individual members in approximately 175 countries.  The IEEE produces
   30 percent of the world's published literature in electrical
   engineering, computers, and control technology through its technical
   publishing, conferences, and consensus-based standards activities.

4.10.  IETF - The Internet Engineering Task Force

   http://www.ietf.org/

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

4.11.  INCITS - InterNational Committee for Information Technology
       Standards

   http://www.incits.org/

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

4.11.1.  INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 is responsible for standards development in the areas of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI) and Fibre Channel (FC).  T11 has a project called
   FC-SP to define Security Protocols for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

4.12.  ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system.  ISO
   officially began operations on February 23, 1947.

4.13.  ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland.  The ITU comprises
   three sectors:

4.13.1.  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

4.13.2.  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.

4.13.3.  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector.  Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

4.14.  OASIS - Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

4.15.  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998, Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

4.16.  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks.  The Committee addresses topics in the
   areas of Homeland Security, reliability, interoperability, and
   broadband deployment.

4.17.  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982.  Since then, the NSTAC has served four
   presidents.  Composed of up to 30 industry chief executives
   representing the major communications and network service providers
   and information technology, finance, and aerospace companies, the
   NSTAC provides industry-based advice and expertise to the President
   on issues and problems related to implementing national security and
   emergency preparedness (NS/EP) communications policy.  Since its
   inception, the NSTAC has addressed a wide range of policy and
   technical issues regarding communications, information systems,
   information assurance, critical infrastructure protection, and other
   NS/EP communications concerns.

4.18.  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products.  TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.

4.19.  TTA - Telecommunications Technology Association

   http://www.tta.or.kr/Home2003/main/index.jsp
   http://www.tta.or.kr/English/new/main/index.htm (English)

   TTA (Telecommunications Technology Association) is an IT standards
   organization that develops new standards and provides one-stop
   services for the establishment of IT standards, as well as providing
   testing and certification for IT products.

4.20.  The World Wide Web Consortium

   http://www.w3.org/Consortium/

   The World Wide Web Consortium (W3C) is an international consortium
   where Member organizations, a full-time staff, and the public work
   together to develop Web standards.  W3C's mission is: To lead the
   World Wide Web to its full potential by developing protocols and
   guidelines that ensure long-term growth for the Web.

   The security work within the W3C:

   http://www.w3.org/Security/Activity

4.21.  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages.  The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1.  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems, and setting the security requirements for the
   overall 3GPP system.
   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

5.2.  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the development of service capability requirements for systems based on 3GPP2 specifications.  Among its responsibilities, TSG-S is addressing management, technical coordination, as well as architectural and requirements development associated with all end-to-end features, services and system capabilities including, but not limited to, security and QoS.

   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

5.3.  American National Standard T1.276-2003 - Baseline Security Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security requirements for the management plane.  The President's National Security Telecommunications Advisory Committee Network Security Information Exchange (NSIE) and Government NSIE jointly established a Security Requirements Working Group (SRWG) to examine the security requirements for controlling access to the public switched network, in particular with respect to the emerging next generation network.

   In the telecommunications industry, this access incorporates operation, administration, maintenance, and provisioning for network elements and various supporting systems and databases.  Members of the SRWG, from a cross-section of telecommunications carriers and vendors, developed an initial list of security requirements that would allow vendors, government departments and agencies, and service providers to implement a secure telecommunications network management infrastructure.  This initial list of security requirements was submitted as a contribution to Committee T1 - Telecommunications, Working Group T1M1.5 for consideration as a standard.  The requirements outlined in this document will allow vendors, government departments and agencies, and service providers to implement a secure telecommunications network management infrastructure.

   Documents:
   http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

5.4.  DMTF - Security Protection and Management (SPAM) Working Group

   http://www.dmtf.org/about/committees/spamWGCharter.pdf

   The Working Group will define a CIM Common Model that addresses security protection and detection technologies, which may include devices and services, and classifies security information, attacks, and responses.

5.5.  DMTF - User and Security Working Group

   http://www.dmtf.org/about/committees/userWGCharter.pdf

   The User and Security Working Group defines objects and access methods required for principals, where principals include users, groups, software agents, systems, and organizations.

5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End Standards and Solutions

   ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf

   The ATIS TOPS Security Focus Group has made recommendations on work items that need to be performed by other SDOs.

5.6.1.  ATIS Work on Packet Filtering

   A part of the ATIS Work Plan was to define how disruptions may be prevented by filtering unwanted traffic at the edges of the network.  ATIS is developing this work in a document titled "Traffic Filtering for the Prevention of Unwanted Traffic".

5.7.  ATIS Work on the NGN

   http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/Part%20I/ATIS_NGN_Part_1_Issue1.pdf

   In November 2004, ATIS released Part I of the ATIS NGN-FG efforts, entitled "ATIS Next Generation Network (NGN) Framework Part I: NGN Definitions, Requirements, and Architecture, Issue 1.0, November 2004."

5.8.  Common Criteria

   http://www.commoncriteriaportal.org/

   Version 1.0 of the CC was completed in January 1996.  Based on a number of trial evaluations and an extensive public review, Version 1.0 was extensively revised and CC Version 2.0 was produced in April of 1998.  This became ISO International Standard 15408 in 1999.  The CC Project subsequently incorporated the minor changes that had resulted from the ISO process, producing CC version 2.1 in August 1999.  Version 3.0 was published in June 2005 and is available for comment.

   The official version of the Common Criteria and of the Common Evaluation Methodology is v2.3, which was published in August 2005.

   All Common Criteria publications contain:

      Part 1: Introduction and general model

      Part 2: Security functional components

      Part 3: Security assurance components

   Documents: Common Criteria V2.3
   http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

5.9.  ETSI

   http://www.etsi.org/

   ETSI hosted the ETSI Global Security Conference in late November 2003, which could lead to a standard.

   Groups related to security, located via the ETSI Groups Portal:

      OCG Security

      3GPP SA3

      TISPAN WG7

5.10.  GGF Security Area (SEC)

   https://forge.gridforum.org/projects/sec/

   The Security Area (SEC) is concerned with various issues relating to authentication and authorization in Grid environments.
   Working groups:

      Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
      https://forge.gridforum.org/projects/authz-wg

      Certificate Authority Operations Working Group (CAOPS-WG) -
      https://forge.gridforum.org/projects/caops-wg

      OGSA Authorization Working Group (OGSA-AUTHZ) -
      https://forge.gridforum.org/projects/ogsa-authz

      Grid Security Infrastructure (GSI-WG) -
      https://forge.gridforum.org/projects/gsi-wg

5.11.  Information System Security Assurance Architecture

   IEEE Working Group - http://issaa.org/

   Formerly the Security Certification and Accreditation of Information Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft Standard for Information System Security Assurance Architecture for ballot and, during the process, begin development of a suite of associated standards for components of that architecture.

   Documents: http://issaa.org/documents/index.html

5.12.  Operational Security Requirements for IP Network Infrastructure: Advanced Requirements

   IETF RFC 3871

   Abstract: This document defines a list of operational security requirements for the infrastructure of large ISP IP networks (routers and switches).  A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...).  The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors.

   Documents:

   ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

5.13.  INCITS CS1 - Cyber Security

   http://cs1.incits.org/

   INCITS/CS1 was established in April 2005 to serve as the US TAG for ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 (INCITS/T4 serves as the US TAG to SC 27/WG 2).
   The scope of CS1 explicitly excludes the areas of work on cyber security standardization presently underway in INCITS B10, M1 and T3, as well as in other standards groups such as ATIS, IEEE, IETF, TIA, and X9.  INCITS T4's area of work would be narrowed to cryptography projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and mechanisms).

5.14.  ISO Guidelines for the Management of IT Security - GMITS

   Guidelines for the Management of IT Security -- Part 1: Concepts and models for IT Security

   http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

   Guidelines for the Management of IT Security -- Part 2: Managing and planning IT Security

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 3: Techniques for the management of IT Security

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 4: Selection of safeguards

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&ICS3=

   Guidelines for the Management of IT Security -- Part 5: Management guidance on network security

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&ICS3=

   Open Systems Interconnection -- Network layer security protocol

   http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&ICS3=30

5.15.  ISO JTC 1/SC 27

   http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

   Several security related ISO projects under JTC 1/SC 27 are listed here, such as:

      IT security techniques -- Entity authentication

      Security techniques -- Key management

      Security techniques -- Evaluation criteria for IT security

      Security techniques -- A framework for IT security assurance

      IT Security techniques -- Code of practice for information security management

      Security techniques -- IT network security

      Guidelines for the implementation, operation and management of Intrusion Detection Systems (IDS)

      International Security, Trust, and Privacy Alliance -- Privacy Framework

5.16.  ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

   Security related recommendations currently under study:

      E.408 Telecommunication networks security requirements Q.5/2 (was E.sec1)

      E.409 Incident Organisation and Security Incident Handling Q.5/2 (was E.sec2)

   Note: Access requires a TIES account.

5.17.  ITU-T Recommendation M.3016

   http://www.itu.int/itudoc/itu-t/com4/contr/068.html

   This recommendation provides an overview and framework that identifies the security requirements of a TMN and outlines how available security services and mechanisms can be applied within the context of the TMN functional architecture.

   Question 18 of Study Group 3 is revising Recommendation M.3016.  They have taken the original document and are incorporating thoughts from ITU-T Recommendation X.805 and from ANSI T1.276-2003.  The group has produced a new series of documents:

      M.3016.0 - Overview

      M.3016.1 - Requirements

      M.3016.2 - Services

      M.3016.3 - Mechanisms

      M.3016.4 - Profiles

5.18.  ITU-T Recommendation X.805

   http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

   This Recommendation defines the general security-related architectural elements that, when appropriately applied, can provide end-to-end network security.

5.19.  ITU-T Study Group 16

   http://www.itu.int/ITU-T/studygroups/com16/index.asp

   Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

   http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

5.20.  ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

   ITU-T Study Group 17 is the Lead Study Group on Communication System Security

   http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

   Study Group 17 Security Project:

   http://www.itu.int/ITU-T/studygroups/com17/security/index.html

   During its November 2002 meeting, Study Group 17 agreed to establish a new project entitled "Security Project" under the leadership of Q.10/17 to coordinate the ITU-T standardization effort on security.  An analysis of the status of ITU-T Study Group action on information and communication network security may be found in TSB Circular 147 of 14 February 2003.

5.21.  Catalogue of ITU-T Recommendations related to Communications System Security

   http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

   The Catalogue of the approved security Recommendations includes those designed for security purposes and those which describe or use functions of security interest and need.  Although some of the security related Recommendations include the phrase "Open Systems Interconnection", much of the information contained in them is pertinent to the establishment of security functionality in any communicating system.

5.22.  ITU-T Security Manual

   http://www.itu.int/ITU-T/edh/files/security-manual.pdf

   TSB is preparing an "ITU-T Security Manual" to provide an overview of security in telecommunications and information technologies, describe practical issues, and indicate how the different aspects of security in today's applications are addressed by ITU-T Recommendations.  This manual has a tutorial character: it collects security related material from ITU-T Recommendations into one place and explains the respective relationships.  The intended audience for this manual is engineers and product managers, students and academia, as well as regulators who want to better understand security aspects in practical applications.

5.23.  ITU-T NGN Effort

   http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

   During its January 2002 meeting, SG13 decided to undertake the preparation of a new ITU-T Project entitled "NGN 2004 Project".  At the November 2002 SG13 meeting, a preliminary description of the Project was completed and endorsed by SG13 with the goal to launch the Project.  It has been regularly updated since then.

   The role of the NGN 2004 Project is to organize and to coordinate ITU-T activities on Next Generation Networks.  Its target is to produce a first set of Recommendations on NGN by the end of this study period, i.e., mid-2004.

5.24.  NRIC VI Focus Groups

   http://www.nric.org/fg/index.html

   The Network Reliability and Interoperability Council (NRIC) was formed with the purpose of providing recommendations to the FCC and to the industry to assure the reliability and interoperability of wireless, wireline, satellite, and cable public telecommunications networks.  These documents provide general information and guidance on NRIC Focus Group 1B (Cybersecurity) Best Practices for the prevention of cyberattack and for restoration following a cyberattack.

   Documents:

      Homeland Defense - Recommendations Published 14-Mar-03

      Preventative Best Practices - Recommendations Published 14-Mar-03

      Recovery Best Practices - Recommendations Published 14-Mar-03

      Best Practice Appendices - Recommendations Published 14-Mar-03

5.25.  OASIS Security Joint Committee

   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-jc

   The purpose of the Security JC is to coordinate the technical activities of multiple security related TCs.  The SJC is advisory only, and has no deliverables.  The Security JC will promote the use of consistent terms, promote re-use, champion an OASIS security standards model, provide consistent PR, and promote mutuality, operational independence and ethics.

5.26.  OASIS Security Services (SAML) TC

   http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

   The Security Services TC is working to advance the Security Assertion Markup Language (SAML) as an OASIS standard.  SAML is an XML framework for exchanging authentication and authorization information.

5.27.  OIF Implementation Agreements

   The OIF has two approved Implementation Agreements (IAs) relating to security.  They are:

   OIF-SMI-01.0 - Security Management Interfaces to Network Elements

   This Implementation Agreement lists objectives for securing OAM&P interfaces to a Network Element and then specifies ways of using security systems (e.g., IPsec or TLS) for securing these interfaces.  It summarizes how well each of the systems, used as specified, satisfies the objectives.
   OIF-SEP-01.1 - Security Extension for UNI and NNI

   This Implementation Agreement defines a common Security Extension for securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

   Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

5.28.  TIA

   The TIA has produced the "Compendium of Emergency Communications and Communications Network Security-related Work Activities".  This document identifies standards or other technical documents and ongoing Emergency/Public Safety Communications and Communications Network Security-related work activities within TIA and its Engineering Committees.  Many P25 documents are specifically detailed.  This "living document" is presented for information, coordination and reference.

   Documents: http://www.tiaonline.org/standards/technology/ciphs/documents/EMTEL_sec.pdf

5.29.  WS-I Basic Security Profile

   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

   The WS-I Basic Security Profile 1.0 consists of a set of non-proprietary Web services specifications, along with clarifications and amendments to those specifications which promote interoperability.

5.30.  NIST Special Publications (800 Series)

   http://csrc.nist.gov/publications/PubsSPs.html

   Special Publications in the 800 series present documents of general interest to the computer security community.  The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications.  This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

5.31.  NIST Interagency or Internal Reports (NISTIRs)

   http://csrc.nist.gov/publications/PubsNISTIRs.html

   NIST Interagency or Internal Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience.  The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment).  NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.

5.32.  NIST ITL Security Bulletins

   http://csrc.nist.gov/publications/PubsITLSB.html

   ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division.  These bulletins are published on average six times a year.  Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community.  Not all ITL Bulletins that are published relate to computer or network security; only the computer security ITL Bulletins are found here.

6.  Security Considerations

   This document describes efforts to standardize security practices and documents.  As such, this document offers no security guidance whatsoever.

   Readers of this document should be aware of its date of publication.  It is feared that they may assume that the efforts, on-line material, and documents are current whereas they may not be.  Please consider this when reading this document.

7.  IANA Considerations

   This document does not propose a standard and does not require the IANA to do anything.

8.  Acknowledgments

   The following people have contributed to this document.  Listing their names here does not mean that they endorse the document, but that they have contributed to its substance.
   David Black, Mark Ellison, George Jones, Keith McCloghrie, John McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce Moon.

9.  Changes from Prior Drafts

   -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

   -01 : Security Glossaries:

         Added ATIS Telecom Glossary 2000, Critical Infrastructure Glossary of Terms and Acronyms, Microsoft Solutions for Security Glossary, and USC InfoSec Glossary.

         Standards Developing Organizations:

         Added DMTF, GGF, INCITS, OASIS, and WS-I

         Removal of Committee T1 and modifications to ATIS and former T1 technical subcommittees due to the recent ATIS reorganization.

         Efforts and Documents:

         Added DMTF User and Security WG, DMTF SPAM WG, GGF Security Area (SEC), INCITS Technical Committee T4 - Security Techniques, INCITS Technical Committee T11 - Fibre Channel Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint Committee, OASIS Security Services TC, and WS-I Basic Security Profile.

         Updated Operational Security Requirements for IP Network Infrastructure: Advanced Requirements.

   -00 : as the WG ID

         Added more information about the ITU-T SG3 Q18 effort to modify ITU-T Recommendation M.3016.

   -01 : First revision as the WG ID.

         Added information about the NGN in the sections about ATIS, the NSTAC, and ITU-T.

   -02 : Second revision as the WG ID.

         Updated the date.

         Corrected some URLs and the reference to George's RFC.

   -03 : Third revision of the WG ID.

         Updated the date.

         Updated the information about the CC.

         Added a Conventions section (not sure how this document got to where it is without that).

   -04 : Fourth revision of the WG ID.

         Updated the date.

         Added Anne & Lynn Wheeler Taxonomy & Security Glossary.

         CIAO glossary removed.  CIAO has been absorbed by DHS and the glossary is no longer available.
         USC glossary removed; could not find it on the site or a reference to it elsewhere.

         Added TTA - Telecommunications Technology Association to SDO section.

         Removed ATIS Security & Emergency Preparedness Activities from Documents section.  Could not find it or a reference to it.

         INCITS T4 incorporated into CS1 - T4 section removed.

         X9 added to SDO list under ANSI.

         Various link or grammar fixes.

   -05 : Fifth revision of the WG ID.

         Updated the date.

         Removed the 2119 definitions; this is an informational document.

   -06 : Sixth revision of the WG ID.

         Updated the date.

         Added W3C information.

   -07 : Seventh revision of the WG ID.

         Updated the date.

   -08 : Eighth revision of the WG ID.

         Updated the reference to RFC 4949, found by Stephen Kent.

   -09 : Ninth revision of the WG ID.

         Updated the date.

   -10 : Tenth revision of the WG ID.

         Added references to NIST documents, recommended by Steve Wolff.

         Updated the date.

   -11 : Eleventh revision of the WG ID.

         Updated the date.

   -12 : Twelfth revision of the WG ID.

         Updated the date.

   Note: This section will be removed before publication as an RFC.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1182
   Email: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1720
   Email: dspak@cisco.com