Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Intended status: Informational                             Cisco Systems
Expires: August 18, 2011                               February 14, 2011


             Security Best Practices Efforts and Documents
                      draft-ietf-opsec-efforts-15.txt

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 18, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
     3.1.  ATIS Telecom Glossary 2007
     3.2.  Internet Security Glossary - RFC 4949
     3.3.  Compendium of Approved ITU-T Security Definitions
     3.4.  Microsoft Malware Protection Center
     3.5.  SANS Glossary of Security Terms
     3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler
     3.7.  NIST - Glossary of Key Information Security Terms
   4.  Standards Developing Organizations
     4.1.  3GPP - Third Generation Partnership Project
     4.2.  3GPP2 - Third Generation Partnership Project 2
     4.3.  ANSI - The American National Standards Institute
       4.3.1.  Accredited Standards Committee X9 (ASC X9)
     4.4.  ATIS - Alliance for Telecommunications Industry Solutions
       4.4.1.  ATIS NPRQ - Network Performance, Reliability, and
               Quality of Service Committee, formerly T1A1
       4.4.2.  ATIS TMOC - Telecom Management and Operations
               Committee, formerly T1M1 OAM&P
     4.5.  CC - Common Criteria
     4.6.  DMTF - Distributed Management Task Force, Inc.
     4.7.  ETSI - The European Telecommunications Standard Institute
       4.7.1.  ETSI SEC
       4.7.2.  ETSI OCG SEC
     4.8.  GGF - Global Grid Forum
       4.8.1.  Global Grid Forum Security Area
     4.9.  IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.
       4.9.1.  IEEE Computer Society's Technical Committee on
               Security and Privacy
     4.10.  IETF - The Internet Engineering Task Force
       4.10.1.  IETF Security Area
     4.11.  INCITS - InterNational Committee for Information
            Technology Standards
       4.11.1.  Identification Cards and Related Devices (B10)
       4.11.2.  Cyber Security (CS1)
       4.11.3.  Biometrics (M1)
     4.12.  ISO - The International Organization for Standardization
     4.13.  ITU - International Telecommunication Union
       4.13.1.  ITU Telecommunication Standardization Sector - ITU-T
       4.13.2.  ITU Radiocommunication Sector - ITU-R
       4.13.3.  ITU Telecom Development - ITU-D
     4.14.  OASIS - Organization for the Advancement of Structured
            Information Standards
     4.15.  OIF - Optical Internetworking Forum
       4.15.1.  OAM&P Working Group
     4.16.  NRIC - The Network Reliability and Interoperability Council
     4.17.  National Security Telecommunications Advisory Committee
            (NSTAC)
     4.18.  TIA - The Telecommunications Industry Association
       4.18.1.  Critical Infrastructure Protection (CIP) and Homeland
                Security (HS)
       4.18.2.  Commercial Encryption Source Code and Related
                Information
     4.19.  TTA - Telecommunications Technology Association
     4.20.  The World Wide Web Consortium
     4.21.  TM Forum
       4.21.1.  Security Management
   5.  Security Best Practices Efforts and Documents
     5.1.  3GPP - TSG SA WG3 (Security)
     5.2.  3GPP2 - TSG-S Working Group 4 (Security)
     5.3.  American National Standard T1.276-2003 - Baseline Security
           Requirements for the Management Plane
     5.4.  DMTF - Security Protection and Management (SPAM) Working
           Group
     5.5.  DMTF - User and Security Working Group
     5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable,
           End-To-End Standards and Solutions
       5.6.1.  ATIS Work on Packet Filtering
     5.7.  ATIS Work on the NGN
     5.8.  Common Criteria
     5.9.  ETSI
     5.10.  GGF Security Area (SEC)
     5.11.  Information System Security Assurance Architecture
     5.12.  Operational Security Requirements for IP Network
            Infrastructure : Advanced Requirements
     5.13.  ISO Guidelines for the Management of IT Security - GMITS
     5.14.  ISO JTC 1/SC 27
     5.15.  ITU-T Study Group 2
     5.16.  ITU-T Recommendation M.3016
     5.17.  ITU-T Recommendation X.805
     5.18.  ITU-T Study Group 16
     5.19.  ITU-T Study Group 17
     5.20.  Catalogue of ITU-T Recommendations related to
            Communications System Security
     5.21.  ITU-T Security Manual
     5.22.  ITU-T NGN Effort
     5.23.  NRIC VI Focus Groups
     5.24.  OASIS Security Joint Committee
     5.25.  OASIS Security Services (SAML) TC
     5.26.  OIF Implementation Agreements
     5.27.  TIA
     5.28.  WS-I Basic Security Profile
     5.29.  NIST Special Publications (800 Series)
     5.30.  NIST Interagency or Internal Reports (NISTIRs)
     5.31.  NIST ITL Security Bulletins
     5.32.  SANS Information Security Reading Room
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   Authors' Addresses

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards with the hope of retaining an acceptable level of this
   availability to its users, or even improving it.  These SDO efforts
   usually define themselves as "security" efforts.  It is the opinion
   of the authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways.
   As such, we offer no assurance that the term is applied consistently
   throughout this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works.  Where there are overlaps, there is a potential for conflicts
   and confusion.  This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators who are unsure of which
      standard to follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations.  In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.  However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it submit
   corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

   This document will be updated in sections.  The most recently updated
   part of this document is Section 3.

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistent usage of words
   across standards is unacceptable, as it would prevent a reader of two
   standards from appropriately relating their recommendations.  The
   authors of this document have not reviewed the definitions of the
   words in the listed glossaries and so can offer no assurance of their
   alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1.  ATIS Telecom Glossary 2007

   http://www.atis.org/tg2k/

   This Glossary began as a 5800-entry, search-enabled hypertext
   telecommunications glossary titled Federal Standard 1037C, Glossary
   of Telecommunication Terms.  Federal Standard 1037C was updated and
   matured into an American National Standard (ANS): T1.523-2001,
   Telecom Glossary 2000, under the aegis of ASC T1.  In turn,
   T1.523-2001 has been revised and redesignated under the ATIS
   procedures for ANS development as ATIS-0100523.2007, ATIS Telecom
   Glossary 2007.

   Date published: 2007

3.2.  Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

   This document was originally created as RFC 2828 in May 2000.  It was
   revised as RFC 4949, and the document defines itself to be "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."
   Date published: August 2007

3.3.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.  The original
   Compendium was compiled by SG 17, Lead Study Group on Communication
   Systems Security (LSG-CSS).

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Date published: 2003

3.4.  Microsoft Malware Protection Center

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Malware Protection Center, Threat Research and Response
   Glossary was created to explain the concepts, technologies, and
   products associated with computer security.

   Date published: indeterminate

3.5.  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as "a cooperative research and education organization."
   This glossary was updated in May 2003.  The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

   Date published: indeterminate

3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel,
   JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37,
   800-53, 800-61, 800-77, 800-83, FIPS140, NASA, NCSC/TG004, NIAP, NSA
   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
   RFC2647, RFC2828, TCSEC, TDI, and TNI.

   Date updated: October 2010

3.7.  NIST - Glossary of Key Information Security Terms

   http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf

   This glossary of basic security terms has been extracted from NIST
   Federal Information Processing Standards (FIPS) and the Special
   Publication (SP) 800 series.  The terms included are not all
   inclusive of terms found in these publications, but are a subset of
   basic terms that are most frequently used.  The purpose of this
   glossary is to provide a central resource of definitions most
   commonly used in NIST security publications.

   Date published: April 2006

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   The Third Generation Partnership Project 2 (3GPP2) is:

      a collaborative third generation (3G) telecommunications
      specifications-setting project

      comprising North American and Asian interests developing global
      specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication
      Intersystem Operations network evolution to 3G

      and global specifications for the radio transmission technologies
      (RTTs) supported by ANSI/TIA/EIA-41.
   3GPP2 was born out of the International Telecommunication Union's
   (ITU) International Mobile Telecommunications "IMT-2000" initiative,
   covering high speed, broadband, and Internet Protocol (IP)-based
   mobile systems featuring network-to-network interconnection,
   feature/service transparency, global roaming and seamless services
   independent of location.  IMT-2000 is intended to bring high-quality
   mobile multimedia telecommunications to a worldwide mass market by
   achieving the goals of increasing the speed and ease of wireless
   communications, responding to the problems faced by the increased
   demand to pass data via telecommunications, and providing "anytime,
   anywhere" services.

4.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   As the voice of the U.S. standards and conformity assessment system,
   the American National Standards Institute (ANSI) empowers its members
   and constituents to strengthen the U.S. marketplace position in the
   global economy while helping to assure the safety and health of
   consumers and the protection of the environment.

   The Institute oversees the creation, promulgation and use of
   thousands of norms and guidelines that directly impact businesses in
   nearly every sector: from acoustical devices to construction
   equipment, from dairy and livestock production to energy
   distribution, and many more.  ANSI is also actively engaged in
   accrediting programs that assess conformance to standards - including
   globally-recognized cross-sector programs such as the ISO 9000
   (quality) and ISO 14000 (environmental) management systems.

4.3.1.  Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to
   develop, establish, maintain, and promote standards for the Financial
   Services Industry in order to facilitate the delivery of financial
   services and products.  Under this mission ASC X9 fulfills the
   objectives of: (1) Supporting (maintaining, enhancing, and promoting
   use of) existing standards; (2) Facilitating development of new, open
   standards based upon consensus; (3) Providing a common source for all
   standards affecting the Financial Services Industry; (4) Focusing on
   current and future standards needs of the Financial Services
   Industry; (5) Promoting use of Financial Services Industry standards;
   and (6) Participating in and promoting the development of
   international standards.

4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS prioritizes the industry's most pressing technical and
   operational issues, and creates interoperable, implementable,
   end-to-end solutions -- standards when the industry needs them and
   where they need them.

   Over 600 industry professionals from more than 250 communications
   companies actively participate in ATIS committees and incubator
   solutions programs.

   ATIS develops standards and solutions addressing a wide range of
   industry issues in a manner that allocates and coordinates industry
   resources and produces the greatest return for communications
   companies.

   ATIS creates solutions that support the rollout of new products and
   services into the information, entertainment and communications
   marketplace.  Its activities provide the basis for the industry's
   delivery of:

      Existing and next generation IP-based infrastructures;

      Reliable converged multimedia services, including IPTV;

      Enhanced Operations Support Systems and Business Support Systems;
      and

      Greater levels of service quality and performance.

   ATIS is accredited by the American National Standards Institute
   (ANSI).

4.4.1.  ATIS NPRQ - Network Performance, Reliability, and Quality of
        Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   PRQC develops and recommends standards, requirements, and technical
   reports related to the performance, reliability, and associated
   security aspects of communications networks, as well as the
   processing of voice, audio, data, image, and video signals, and their
   multimedia integration.  PRQC also develops and recommends positions
   on, and fosters consistency with, standards and related subjects
   under consideration in other North American and international
   standards bodies.

   PRQC Focus Areas are:

      Performance and Reliability of Networks (e.g. IP, ATM, OTN, and
      PSTN), and Services (e.g. Frame Relay, Dedicated and Switched
      Data),

      Security-related aspects,

      Emergency communications-related aspects,

      Coding (e.g. video and speech), at and between carrier-to-carrier
      and carrier-to-customer interfaces, with due consideration of
      end-user applications.

4.4.2.  ATIS TMOC - Telecom Management and Operations Committee,
        formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   The Telecom Management and Operations Committee (TMOC) develops
   operations, administration, maintenance and provisioning standards,
   and other documentation related to Operations Support System (OSS)
   and Network Element (NE) functions and interfaces for communications
   networks - with an emphasis on standards development related to
   U.S.A. communication networks in coordination with the development of
   international standards.

   The scope of the work in TMOC includes the development of standards
   and other documentation for communications network operations and
   management areas, such as: Configuration Management, Performance
   Management (including in-service transport performance management),
   Fault Management, Security Management (including management plane
   security), Accounting Management, Coding/Language Data
   Representation, Common/Underlying Management
   Functionality/Technology, and Ancillary Functions (such as network
   tones and announcements).  This work requires close and coordinated
   working relationships with other domestic and international
   standards development organizations and industry forums.

4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   Common Criteria is a framework in which computer system users can
   specify their security functional and assurance requirements, vendors
   can then implement and/or make claims about the security attributes
   of their products, and testing laboratories can evaluate the products
   to determine if they actually meet the claims.  In other words,
   Common Criteria provides assurance that the process of specification,
   implementation and evaluation of a computer security product has been
   conducted in a rigorous and standard manner.  [attribute wikipedia]

4.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   DMTF enables more effective management of millions of IT systems
   worldwide by bringing the IT industry together to collaborate on the
   development, validation and promotion of systems management
   standards.  DMTF management standards are critical to enabling
   management interoperability among multi-vendor systems, tools and
   solutions within the enterprise.  We are committed to protecting
   companies' IT investments by creating standards that promote
   multi-vendor interoperability.  Our dedication to fostering
   collaboration within the industry provides a win-win situation for
   vendors and IT personnel alike.

4.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   The European Telecommunications Standards Institute (ETSI) produces
   globally-applicable standards for Information and Communications
   Technologies (ICT), including fixed, mobile, radio, converged,
   broadcast and internet technologies.

   ETSI is officially recognized by the European Union as a European
   Standards Organization.

4.7.1.  ETSI SEC

   http://portal.etsi.org/portal/server.pt/gateway/PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

   Board#38 confirmed the closure of TC SEC.

   At the same time it approved the creation of an OCG Ad Hoc group, OCG
   Security.

   TC SEC documents can be found in the SEC archive.

   The SEC Working groups (ESI and LI) were closed and TC ESI and TC LI
   were created to continue the work.

   All documents and information relevant to ESI and LI are available
   from the TC ESI and TC LI sites.

4.7.2.  ETSI OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

   The group's primary role is to provide a light-weight horizontal
   coordination structure for security issues that will ensure this
   work is seriously considered in each ETSI TB and that any duplicate
   or conflicting work is detected.  To achieve this aim the group
   should mainly conduct its work via email and, where appropriate,
   co-sited "joint security" technical working meetings.
580 When scheduled, appropriate time at each "joint SEC" meeting should 581 be allocated during the meetings to allow for: 583 Individual committee activities as well as common work; 585 Coordination between the committees; and 587 Experts to contribute to more than one committee. 589 4.8. GGF - Global Grid Forum 591 http://www.gridforum.org/ 593 The Global Grid Forum (GGF) is a community-initiated forum of 594 thousands of individuals from industry and research leading the 595 global standardization effort for grid computing. GGF's primary 596 objectives are to promote and support the development, deployment, 597 and implementation of grid technologies and applications via the 598 creation and documentation of "best practices" - technical 599 specifications, user experiences, and implementation guidelines. 601 4.8.1. Global Grid Forum Security Area 603 http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7 605 The Security Area is concerned with technical and operational 606 security issues in Grid environments, including authentication, 607 authorization, privacy, confidentiality, auditing, firewalls, trust 608 establishment, policy establishment, and dynamics, scalability and 609 management aspects of all of the above. 611 The Security Area is comprised of the following Working Groups and 612 Research Groups. 614 Certificate Authority Operations WG (CAOPS-WG) 616 Firewall Issues RG (FI-RG) 618 Levels Of Authentication Assurance Research Group (LOA-RG) 620 OGSA Authorization WG (OGSA-AUTHZ-WG) 622 4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc. 624 http://www.ieee.org/ 626 IEEE is the world's largest professional association dedicated to 627 advancing technological innovation and excellence for the benefit of 628 humanity. IEEE and its members inspire a global community through 629 IEEE's highly cited publications, conferences, technology standards, 630 and professional and educational activities. 632 4.9.1. 
IEEE Computer Society's Technical Committee on Security and 633 Privacy 635 http://www.ieee-security.org/ 637 4.10. IETF - The Internet Engineering Task Force 639 http://www.ietf.org/ 641 The goal of the IETF is to make the Internet work better. 643 The mission of the IETF is to make the Internet work better by 644 producing high quality, relevant technical documents that influence 645 the way people design, use, and manage the Internet. 647 4.10.1. IETF Security Area 649 The Working Groups in the Security Area may be found from this page. 651 http://datatracker.ietf.org/wg/ 653 The wiki page for the IETF Security Area may be found here. 655 http://trac.tools.ietf.org/area/sec/trac/wiki 657 4.11. INCITS - InterNational Committee for Information Technology 658 Standards 660 http://www.incits.org/ 662 INCITS is the primary U.S. focus of standardization in the field of 663 Information and Communications Technologies (ICT), encompassing 664 storage, processing, transfer, display, management, organization, and 665 retrieval of information. As such, INCITS also serves as ANSI's 666 Technical Advisory Group for ISO/IEC Joint Technical Committee 1. 667 JTC 1 is responsible for International standardization in the field 668 of Information Technology. 670 There are three active Groups in the Security / ID Technical 671 Committee. 673 4.11.1. Identification Cards and Related Devices (B10) 675 http://standards.incits.org/a/public/group/b10 677 Development of national and international standards in the area of 678 identification cards and related devices for use in inter-industry 679 applications and international interchange. 681 4.11.2. Cyber Security (CS1) 683 http://standards.incits.org/a/public/group/cs1 685 INCITS/CS1 was established in April 2005 to serve as the US TAG for 686 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups. 
   The scope of CS1 explicitly excludes the areas of work on cyber
   security standardization presently underway in INCITS B10, M1, T3,
   T10 and T11, as well as in other standards groups such as ATIS, IEEE,
   IETF, TIA, and X9.

4.11.3.  Biometrics (M1)

   http://standards.incits.org/a/public/group/m1

   INCITS/M1, the Biometrics Technical Committee, was established by the
   Executive Board of INCITS in November 2001 to ensure a high-priority,
   focused, and comprehensive approach in the United States for the
   rapid development and approval of formal national and international
   generic biometric standards.  The M1 program of work includes
   biometric standards for data interchange formats, common file
   formats, application program interfaces, profiles, and performance
   testing and reporting.  The goal of M1's work is to accelerate the
   deployment of significantly better, standards-based security
   solutions for purposes such as homeland defense and the prevention
   of identity theft, as well as other government and commercial
   applications based on biometric personal authentication.

4.12.  ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO (International Organization for Standardization) is the world's
   largest developer and publisher of International Standards.

   ISO is a network of the national standards institutes of 160
   countries, one member per country, with a Central Secretariat in
   Geneva, Switzerland, that coordinates the system.

   ISO is a non-governmental organization that forms a bridge between
   the public and private sectors.  On the one hand, many of its member
   institutes are part of the governmental structure of their countries,
   or are mandated by their government.  On the other hand, other
   members have their roots uniquely in the private sector, having been
   set up by national partnerships of industry associations.
   Therefore, ISO enables a consensus to be reached on solutions that
   meet both the requirements of business and the broader needs of
   society.

4.13.  ITU - International Telecommunication Union

   http://www.itu.int/

   ITU is the leading United Nations agency for information and
   communication technology issues, and the global focal point for
   governments and the private sector in developing networks and
   services.  For 145 years, ITU has coordinated the shared global use
   of the radio spectrum, promoted international cooperation in
   assigning satellite orbits, worked to improve telecommunication
   infrastructure in the developing world, established the worldwide
   standards that foster seamless interconnection of a vast range of
   communications systems, and addressed the global challenges of our
   times, such as mitigating climate change and strengthening
   cybersecurity.

   ITU also organizes worldwide and regional exhibitions and forums,
   such as ITU TELECOM WORLD, bringing together the most influential
   representatives of government and the telecommunications and ICT
   industry to exchange ideas, knowledge and technology for the benefit
   of the global community, and in particular the developing world.

   From broadband Internet to latest-generation wireless technologies,
   from aeronautical and maritime navigation to radio astronomy and
   satellite-based meteorology, from convergence in fixed-mobile phone,
   Internet access, data, voice and TV broadcasting to next-generation
   networks, ITU is committed to connecting the world.

   The ITU consists of three sectors:

4.13.1.  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T Recommendations are defining elements in the information and
   communication technologies (ICTs) infrastructure.
   Whether we exchange voice, data or video messages, communications
   cannot take place without standards linking the sender and the
   receiver.  Today's work extends well beyond the traditional areas of
   telephony to encompass a far wider range of information and
   communications technologies.

4.13.2.  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU Radiocommunication Sector (ITU-R) plays a vital role in the
   global management of the radio-frequency spectrum and satellite
   orbits - limited natural resources which are increasingly in demand
   from a large and growing number of services such as fixed, mobile,
   broadcasting, amateur, space research, emergency telecommunications,
   meteorology, global positioning systems, environmental monitoring and
   communication services - that ensure safety of life on land, at sea
   and in the skies.

4.13.3.  ITU Telecom Development - ITU-D

   (also referred to as the ITU Telecommunication Development Bureau -
   BDT)

   http://www.itu.int/ITU-D/

   The mission of the Telecommunication Development Sector (ITU-D) is
   to achieve the Sector's objectives based on the right of all
   inhabitants of the planet to communicate through access to
   infrastructure and information and communication services.

   In this regard, the mission is to:

      Assist countries in the field of information and communication
      technologies (ICTs), in facilitating the mobilization of
      technical, human and financial resources needed for their
      implementation, as well as in promoting access to ICTs.

      Promote the extension of the benefits of ICTs to all the world's
      inhabitants.

      Promote and participate in actions that contribute towards
      narrowing the digital divide.

      Develop and manage programmes that facilitate information flow
      geared to the needs of developing countries.
      The mission encompasses ITU's dual responsibility as a United
      Nations specialized agency and an executing agency for
      implementing projects under the United Nations development system
      or other funding arrangements.

4.14.  OASIS - Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/

   OASIS (Organization for the Advancement of Structured Information
   Standards) is a not-for-profit consortium that drives the
   development, convergence and adoption of open standards for the
   global information society.  The consortium produces more Web
   services standards than any other organization, along with standards
   for security, e-business, and standardization efforts in the public
   sector and for application-specific markets.  Founded in 1993, OASIS
   has more than 5,000 participants representing over 600 organizations
   and individual members in 100 countries.

   OASIS is distinguished by its transparent governance and operating
   procedures.  Members themselves set the OASIS technical agenda, using
   a lightweight process expressly designed to promote industry
   consensus and unite disparate efforts.  Completed work is ratified by
   open ballot.  Governance is accountable and unrestricted.  Officers
   of both the OASIS Board of Directors and Technical Advisory Board are
   chosen by democratic election to serve two-year terms.  Consortium
   leadership is based on individual merit and is not tied to financial
   contribution, corporate standing, or special appointment.

   OASIS has several Technical Committees in the Security Category.

   http://www.oasis-open.org/committees/tc_cat.php?cat=security

4.15.  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   "The Optical Internetworking Forum (OIF) promotes the development and
   deployment of interoperable networking solutions and services through
   the creation of Implementation Agreements (IAs) for optical
   networking products, network processing elements, and component
   technologies.  Implementation agreements will be based on
   requirements developed cooperatively by end-users, service providers,
   equipment vendors and technology providers, and aligned with
   worldwide standards, augmented if necessary.  This is accomplished
   through industry member participation working together to develop
   specifications (IAs) for:

      External network element interfaces

      Software interfaces internal to network elements

      Hardware component interfaces internal to network elements

   The OIF will create Benchmarks, perform worldwide interoperability
   testing, build market awareness and promote education for
   technologies, services and solutions.  The OIF will provide feedback
   to worldwide standards organizations to help achieve a set of
   implementable, interoperable solutions."

4.15.1.  OAM&P Working Group

   http://www.oiforum.com/public/oamp.html

   In concert with the Carrier, Architecture & Signaling and other OIF
   working groups, the Operations, Administration, Maintenance, &
   Provisioning (OAM&P) working group develops architectures,
   requirements, guidelines, and implementation agreements critical to
   widespread deployment of interoperable optical networks by carriers.
   The scope includes but is not limited to a) planning, engineering and
   provisioning of network resources; b) operations, maintenance or
   administration use cases and processes; and c) management
   functionality and interfaces for operations support systems and
   interoperable network equipment.
   Within its scope are Fault, Configuration, Accounting, Performance
   and Security Management (FCAPS) and Security.  The OAM&P working
   group will also account for work by related standards development
   organizations (SDOs), identify gaps and formulate OIF input to other
   SDOs as may be appropriate.

4.16.  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The mission of the NRIC is to partner with the Federal Communications
   Commission, the communications industry and public safety to
   facilitate enhancement of emergency communications networks, homeland
   security, and best practices across the burgeoning telecommunications
   industry.

   It appears that the last NRIC Council concluded in 2005.

4.17.  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982.  Composed of up to 30 industry chief
   executives representing the major communications and network service
   providers and information technology, finance, and aerospace
   companies, the NSTAC provides industry-based advice and expertise to
   the President on issues and problems related to implementing national
   security and emergency preparedness (NS/EP) communications policy.
   Since its inception, the NSTAC has addressed a wide range of policy
   and technical issues regarding communications, information systems,
   information assurance, critical infrastructure protection, and other
   NS/EP communications concerns.

   The mission of the NSTAC: Meeting our Nation's critical national
   security and emergency preparedness (NS/EP) challenges demands
   attention to many issues.  Among these, none could be more important
   than the availability and reliability of telecommunication services.
   The President's National Security Telecommunications Advisory
   Committee (NSTAC) mission is to provide the U.S. Government the best
   possible industry advice in these areas.

4.18.  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   The Telecommunications Industry Association (TIA) is the leading
   trade association representing the global information and
   communications technology (ICT) industries through standards
   development, government affairs, business opportunities, market
   intelligence, certification and world-wide environmental regulatory
   compliance.  With support from its 600 members, TIA enhances the
   business environment for companies involved in telecommunications,
   broadband, mobile wireless, information technology, networks, cable,
   satellite, unified communications, emergency communications and the
   greening of technology.  TIA is accredited by ANSI.

4.18.1.  Critical Infrastructure Protection (CIP) and Homeland Security
         (HS)

   http://www.tiaonline.org/standards/technology/ciphs/

   This TIA webpage identifies and links to many standards, other
   technical documents and ongoing activity involving or supporting
   TIA's role in Public Safety and Homeland Security, Network Security,
   Critical Infrastructure Protection and Assurance, National Security/
   Emergency Preparedness, Emergency Communications Services, Emergency
   Calling and Location Identification Services, and the Needs of First
   Responders.  For the purpose of this webpage, national/international
   terms relating to public safety and disaster response can be
   considered synonymous (and interchangeable) with terms relating to
   public protection and disaster relief.

4.18.2.  Commercial Encryption Source Code and Related Information

   http://www.tiaonline.org/standards/technology/ahag/index.cfm

   This section seems to link to commercial encryption source code.
   Access requires agreement to terms and conditions and then
   registration.

4.19.  TTA - Telecommunications Technology Association

   http://www.tta.or.kr/
   http://www.tta.or.kr/English/index.jsp (English)

   The purpose of TTA is to contribute to the advancement of technology
   and the promotion of information and telecommunications services and
   industry, as well as the development of the national economy, by
   effectively establishing and providing technical standards that
   reflect the latest domestic and international technological advances,
   needed for the planning, design and operation of global end-to-end
   telecommunications and related information services, in close
   collaboration with companies, organizations and groups concerned with
   information and telecommunications such as network operators, service
   providers, equipment manufacturers, academia, R&D institutes, etc.

4.20.  The World Wide Web Consortium

   http://www.w3.org/Consortium/

   The World Wide Web Consortium (W3C) is an international community
   where Member organizations, a full-time staff, and the public work
   together to develop Web standards.  Led by Web inventor Tim Berners-
   Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its
   full potential.

   http://www.w3.org/Security/Activity

   The work in the W3C Security Activity currently comprises two Working
   Groups, the Web Security Context Working Group and the XML Security
   Working Group.

   The Web Security Context Working Group focuses on the challenges that
   arise when users encounter currently deployed security technology,
   such as TLS: while this technology achieves its goals on a technical
   level, attackers' strategies shift towards bypassing the security
   technology instead of breaking it.  When users do not understand the
   security context in which they operate, it becomes easy to deceive
   and defraud them.
   This Working Group is planning to see its main deliverable, the User
   Interface Guidelines, through to Recommendation, but will not engage
   in additional recommendation track work beyond this deliverable.  The
   Working Group is currently operating at reduced Team effort (compared
   to the initial effort reserved to this Working Group).  Initial (and
   informal) conversations about forming an Interest Group that could
   serve as a place for community-building and specification review
   have not led as far as we had hoped at the previous Advisory
   Committee Meeting, but are still on the Team's agenda.

   The XML Security Working Group started up in summer 2008, and has
   decided to publish an interim set of 1.1 specifications as it works
   towards producing a more radical change to XML Signature.  The XML
   Signature 1.1 and XML Encryption 1.1 specifications clarify and
   enhance the previous specifications without introducing breaking
   changes, although they do introduce new algorithms.

4.21.  TM Forum

   http://www.tmforum.org/

   With more than 700 corporate members in 195 countries, TM Forum is
   the world's leading industry association focused on enabling best-in-
   class IT for service providers in the communications, media and cloud
   service markets.  The Forum provides business-critical industry
   standards and expertise to enable the creation, delivery and
   monetization of digital services.

   TM Forum brings together the world's largest communications,
   technology and media companies, providing an innovative, industry-
   leading approach to collaborative R&D, along with a wide range of
   support services including benchmarking, training and certification.
   The Forum produces the renowned international Management World
   conference series, as well as thought-leading industry research and
   publications.

4.21.1.  Security Management

   http://www.tmforum.org/SecurityManagement/9152/home.html

   Securing networks, cyber, clouds, and identity against evolving and
   ever-present threats has emerged as a top priority for TM Forum
   members.  In response, the TM Forum's Security Management Initiative
   was formally launched in 2009.  While some of our Security Management
   efforts, such as Identity Management, are well established and boast
   mature Business Agreements and Interfaces, a series of presentations,
   contributions, and multi-vendor technology demonstrations have jump-
   started work efforts on the industry hot topics of Network Defense,
   Cyber Security, and security for single and multi-regional enterprise
   application cloud bursting.  Our aim is to produce rich Security
   Management frameworks, best practices, and guidebooks.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1.  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

5.2.  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications.
   Among its responsibilities, TSG-S is addressing management, technical
   coordination, as well as architectural and requirements development
   associated with all end-to-end features, services and system
   capabilities including, but not limited to, security and QoS.

   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

5.3.  American National Standard T1.276-2003 - Baseline Security
      Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security
   requirements for the management plane.  The President's National
   Security Telecommunications Advisory Committee Network Security
   Information Exchange (NSIE) and Government NSIE jointly established a
   Security Requirements Working Group (SRWG) to examine the security
   requirements for controlling access to the public switched network,
   in particular with respect to the emerging next generation network.

   In the telecommunications industry, this access incorporates
   operation, administration, maintenance, and provisioning for network
   elements and various supporting systems and databases.  Members of
   the SRWG, from a cross-section of telecommunications carriers and
   vendors, developed an initial list of security requirements that
   would allow vendors, government departments and agencies, and service
   providers to implement a secure telecommunications network management
   infrastructure.  This initial list of security requirements was
   submitted as a contribution to Committee T1 - Telecommunications,
   Working Group T1M1.5 for consideration as a standard.  The
   requirements outlined in this document will allow vendors, government
   departments and agencies, and service providers to implement a secure
   telecommunications network management infrastructure.

   Documents:
   http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

5.4.  DMTF - Security Protection and Management (SPAM) Working Group

   http://www.dmtf.org/about/committees/spamWGCharter.pdf

   The Working Group will define a CIM Common Model that addresses
   security protection and detection technologies, which may include
   devices and services, and classifies security information, attacks,
   and responses.

5.5.  DMTF - User and Security Working Group

   http://www.dmtf.org/about/committees/userWGCharter.pdf

   The User and Security Working Group defines objects and access
   methods required for principals - where principals include users,
   groups, software agents, systems, and organizations.

5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
      Standards and Solutions

   ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf

   The ATIS TOPS Security Focus Group has made recommendations on work
   items needed to be performed by other SDOs.

5.6.1.  ATIS Work on Packet Filtering

   A part of the ATIS Work Plan was to define how disruptions may be
   prevented by filtering unwanted traffic at the edges of the network.
   ATIS is developing this work in a document titled, "Traffic Filtering
   for the Prevention of Unwanted Traffic".

5.7.  ATIS Work on the NGN

   http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/
   Part%20I/ATIS_NGN_Part_1_Issue1.pdf

   In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
   entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
   Definitions, Requirements, and Architecture, Issue 1.0, November
   2004."

5.8.  Common Criteria

   http://www.commoncriteriaportal.org/

   Version 1.0 of the CC was completed in January 1996.  Based on a
   number of trial evaluations and an extensive public review, Version
   1.0 was extensively revised and CC Version 2.0 was produced in April
   of 1998.  This became ISO International Standard 15408 in 1999.
   The CC Project subsequently incorporated the minor changes that had
   resulted from the ISO process, producing CC version 2.1 in August
   1999.  Version 3.0 was published in June 2005 and is available for
   comment.

   The official version of the Common Criteria and of the Common
   Evaluation Methodology is v2.3, which was published in August 2005.

   All Common Criteria publications contain:

      Part 1: Introduction and general model

      Part 2: Security functional components

      Part 3: Security assurance components

   Documents: Common Criteria V2.3
   http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

5.9.  ETSI

   http://www.etsi.org/

   The ETSI hosted the ETSI Global Security Conference in late November,
   2003, which could lead to a standard.

   Groups related to security can be located from the ETSI Groups
   Portal:

      OCG Security

      3GPP SA3

      TISPAN WG7

5.10.  GGF Security Area (SEC)

   https://forge.gridforum.org/projects/sec/

   The Security Area (SEC) is concerned with various issues relating to
   authentication and authorization in Grid environments.

   Working groups:

      Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
      https://forge.gridforum.org/projects/authz-wg

      Certificate Authority Operations Working Group (CAOPS-WG) -
      https://forge.gridforum.org/projects/caops-wg

      OGSA Authorization Working Group (OGSA-AUTHZ) -
      https://forge.gridforum.org/projects/ogsa-authz

      Grid Security Infrastructure (GSI-WG) -
      https://forge.gridforum.org/projects/gsi-wg

5.11.  Information System Security Assurance Architecture

   IEEE Working Group - http://issaa.org/

   Formerly the Security Certification and Accreditation of Information
   Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
   Standard for Information System Security Assurance Architecture for
   ballot and, during the process, begin development of a suite of
   associated standards for components of that architecture.

   Documents: http://issaa.org/documents/index.html

5.12.  Operational Security Requirements for IP Network Infrastructure :
       Advanced Requirements

   IETF RFC 3871

   Abstract: This document defines a list of operational security
   requirements for the infrastructure of large ISP IP networks (routers
   and switches).  A framework is defined for specifying "profiles",
   which are collections of requirements applicable to certain network
   topology contexts (all, core-only, edge-only...).  The goal is to
   provide network operators a clear, concise way of communicating their
   security requirements to vendors.

   Documents:

   ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

5.13.  ISO Guidelines for the Management of IT Security - GMITS

   Guidelines for the Management of IT Security -- Part 1: Concepts and
   models for IT Security

   http://www.iso.ch/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

   Guidelines for the Management of IT Security -- Part 2: Managing and
   planning IT Security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
   ICS3=

   Guidelines for the Management of IT Security -- Part 3: Techniques
   for the management of IT Security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
   ICS3=

   Guidelines for the Management of IT Security -- Part 4: Selection of
   safeguards

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
   ICS3=

   Guidelines for the Management of IT Security -- Part 5: Management
   guidance on network security

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
   ICS3=

   Open Systems Interconnection -- Network layer security protocol

   http://www.iso.org/iso/en/
   CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
   ICS3=30

5.14.  ISO JTC 1/SC 27

   http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
   TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

   Several security related ISO projects under JTC 1/SC 27 are listed
   there, such as:

      IT security techniques -- Entity authentication

      Security techniques -- Key management

      Security techniques -- Evaluation criteria for IT security

      Security techniques -- A framework for IT security assurance

      IT Security techniques -- Code of practice for information
      security management

      Security techniques -- IT network security

      Guidelines for the implementation, operation and management of
      Intrusion Detection Systems (IDS)

      International Security, Trust, and Privacy Alliance -- Privacy
      Framework

5.15.  ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

   Security related recommendations currently under study:

      E.408 Telecommunication networks security requirements Q.5/2 (was
      E.sec1)

      E.409 Incident Organisation and Security Incident Handling Q.5/2
      (was E.sec2)

   Note: Access requires a TIES account.

5.16.  ITU-T Recommendation M.3016

   http://www.itu.int/itudoc/itu-t/com4/contr/068.html

   This recommendation provides an overview and framework that
   identifies the security requirements of a TMN and outlines how
   available security services and mechanisms can be applied within the
   context of the TMN functional architecture.

   Question 18 of Study Group 3 is revising Recommendation M.3016.  They
   have taken the original document and are incorporating thoughts from
   ITU-T Recommendation X.805 and from ANSI T1.276-2003.  The group has
   produced a new series of documents:

      M.3016.0 - Overview

      M.3016.1 - Requirements

      M.3016.2 - Services

      M.3016.3 - Mechanisms

      M.3016.4 - Profiles

5.17.  ITU-T Recommendation X.805

   http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

   This Recommendation defines the general security-related
   architectural elements that, when appropriately applied, can provide
   end-to-end network security.

5.18.  ITU-T Study Group 16

   http://www.itu.int/ITU-T/studygroups/com16/index.asp

   Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

   http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

5.19.  ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

   ITU-T Study Group 17 is the Lead Study Group on Communication System
   Security.

   http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

   Study Group 17 Security Project:

   http://www.itu.int/ITU-T/studygroups/com17/security/index.html

   During its November 2002 meeting, Study Group 17 agreed to establish
   a new project entitled "Security Project" under the leadership of
   Q.10/17 to coordinate the ITU-T standardization effort on security.
   An analysis of the status of ITU-T Study Group action on information
   and communication network security may be found in TSB Circular 147
   of 14 February 2003.

5.20.  Catalogue of ITU-T Recommendations related to Communications
       System Security

   http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

   The Catalogue of the approved security Recommendations includes those
   designed for security purposes and those which describe or use
   functions of security interest and need.  Although some of the
   security related Recommendations include the phrase "Open Systems
   Interconnection", much of the information contained in them is
   pertinent to the establishment of security functionality in any
   communicating system.

5.21.  ITU-T Security Manual

   http://www.itu.int/ITU-T/edh/files/security-manual.pdf

   TSB is preparing an "ITU-T Security Manual" to provide an overview on
   security in telecommunications and information technologies, describe
   practical issues, and indicate how the different aspects of security
   in today's applications are addressed by ITU-T Recommendations.  This
   manual has a tutorial character: it collects security related
   material from ITU-T Recommendations into one place and explains the
   respective relationships.  The intended audience for this manual is
   engineers and product managers, students and academia, as well as
   regulators who want to better understand security aspects in
   practical applications.

5.22.  ITU-T NGN Effort

   http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

   During its January 2002 meeting, SG13 decided to undertake the
   preparation of a new ITU-T Project entitled "NGN 2004 Project".  At
   the November 2002 SG13 meeting, a preliminary description of the
   Project was achieved and endorsed by SG13 with the goal to launch the
   Project.  It has been regularly updated since then.

   The role of the NGN 2004 Project is to organize and to coordinate
   ITU-T activities on Next Generation Networks.  Its target is to
   produce a first set of Recommendations on NGN by the end of this
   study period, i.e. mid-2004.

5.23.  NRIC VI Focus Groups

   http://www.nric.org/fg/index.html

   The Network Reliability and Interoperability Council (NRIC) was
   formed with the purpose to provide recommendations to the FCC and to
   the industry to assure the reliability and interoperability of
   wireless, wireline, satellite, and cable public telecommunications
   networks.
These documents provide general information and guidance 1453 on NRIC Focus Group 1B (Cybersecurity) Best Practices for the 1454 prevention of cyberattack and for restoration following a 1455 cyberattack. 1457 Documents: 1459 Homeland Defense - Recommendations Published 14-Mar-03 1461 Preventative Best Practices - Recommendations Published 14-Mar-03 1463 Recovery Best Practices - Recommendations Published 14-Mar-03 1465 Best Practice Appendices - Recommendations Published 14-Mar-03 1467 5.24. OASIS Security Joint Committee 1469 http://www.oasis-open.org/committees/ 1470 tc_home.php?wg_abbrev=security-jc 1472 The purpose of the Security JC is to coordinate the technical 1473 activities of multiple security related TCs. The SJC is advisory 1474 only, and has no deliverables. The Security JC will promote the use 1475 of consistent terms, promote re-use, champion an OASIS security 1476 standards model, provide consistent PR, and promote mutuality, 1477 operational independence and ethics. 1479 5.25. OASIS Security Services (SAML) TC 1481 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security 1483 The Security Services TC is working to advance the Security Assertion 1484 Markup Language (SAML) as an OASIS standard. SAML is an XML 1485 framework for exchanging authentication and authorization 1486 information. 1488 5.26. OIF Implementation Agreements 1490 The OIF has 2 approved Implementation Agreements (IAs) relating to 1491 security. They are: 1493 OIF-SMI-01.0 - Security Management Interfaces to Network Elements 1495 This Implementation Agreement lists objectives for securing OAM&P 1496 interfaces to a Network Element and then specifies ways of using 1497 security systems (e.g., IPsec or TLS) for securing these interfaces. 1498 It summarizes how well each of the systems, used as specified, 1499 satisfies the objectives. 
   OIF-SEP-01.1 - Security Extension for UNI and NNI

   This Implementation Agreement defines a common Security Extension for
   securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

   Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

5.27.  TIA

   The TIA has produced the "Compendium of Emergency Communications and
   Communications Network Security-related Work Activities".  This
   document identifies standards or other technical documents and
   ongoing Emergency/Public Safety Communications and Communications
   Network Security-related work activities within TIA and its
   Engineering Committees.  Many P25 documents are specifically
   detailed.  This "living document" is presented for information,
   coordination and reference.

   Documents:
   http://www.tiaonline.org/standards/technology/ciphs/documents/EMTEL_sec.pdf

5.28.  WS-I Basic Security Profile

   http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

   The WS-I Basic Security Profile 1.0 consists of a set of
   non-proprietary Web services specifications, along with
   clarifications and amendments to those specifications which promote
   interoperability.

5.29.  NIST Special Publications (800 Series)

   http://csrc.nist.gov/publications/PubsSPs.html

   Special Publications in the 800 series present documents of general
   interest to the computer security community.  The Special Publication
   800 series was established in 1990 to provide a separate identity for
   information technology security publications.  This Special
   Publication 800 series reports on ITL's research, guidelines, and
   outreach efforts in computer security, and its collaborative
   activities with industry, government, and academic organizations.

5.30.  NIST Interagency or Internal Reports (NISTIRs)

   http://csrc.nist.gov/publications/PubsNISTIRs.html

   NIST Interagency or Internal Reports (NISTIRs) describe research of a
   technical nature of interest to a specialized audience.  The series
   includes interim or final reports on work performed by NIST for
   outside sponsors (both government and nongovernment).  NISTIRs may
   also report results of NIST projects of transitory or limited
   interest, including those that will be published subsequently in more
   comprehensive form.

5.31.  NIST ITL Security Bulletins

   http://csrc.nist.gov/publications/PubsITLSB.html

   ITL Bulletins are published by NIST's Information Technology
   Laboratory, with most bulletins written by the Computer Security
   Division.  These bulletins are published on average six times a
   year.  Each bulletin presents an in-depth discussion of a single
   topic of significant interest to the information systems community.
   Not all ITL Bulletins that are published relate to computer or
   network security.  Only the computer security ITL Bulletins are found
   here.

5.32.  SANS Information Security Reading Room

   http://www.sans.org/reading_room/

   The Reading Room features over 1,885 original computer security white
   papers in 75 different categories.

   Most of the computer security white papers in the Reading Room have
   been written by students seeking GIAC certification to fulfill part
   of their certification requirements and are provided by SANS as a
   resource to benefit the security community at large.  SANS attempts
   to ensure the accuracy of information, but papers are published "as
   is".  Errors or inconsistencies may exist or may be introduced over
   time as material becomes dated.

6.  Security Considerations

   This document describes efforts to standardize security practices and
   documents.  As such, this document offers no security guidance
   whatsoever.

   Readers of this document should be aware of the date of publication
   of this document.  It is feared that they may assume that the
   efforts, on-line material, and documents are current whereas they may
   not be.  Please consider this when reading this document.

7.  IANA Considerations

   This document does not propose a standard and does not require the
   IANA to do anything.

8.  Acknowledgments

   The following people have contributed to this document.  Listing
   their names here does not mean that they endorse the document, but
   that they have contributed to its substance.

   David Black, Mark Ellison, George Jones, Keith McCloghrie, John
   McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
   Moon, Stephen Kent, Steve Wolff, Bob Natale.

9.  Changes from Prior Drafts

   -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

   -01 : Security Glossaries:

      Added ATIS Telecom Glossary 2000, Critical Infrastructure
      Glossary of Terms and Acronyms, Microsoft Solutions for
      Security Glossary, and USC InfoSec Glossary.

      Standards Developing Organizations:

      Added DMTF, GGF, INCITS, OASIS, and WS-I.

      Removal of Committee T1 and modifications to ATIS and former T1
      technical subcommittees due to the recent ATIS reorganization.

      Efforts and Documents:

      Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
      Area (SEC), INCITS Technical Committee T4 - Security
      Techniques, INCITS Technical Committee T11 - Fibre Channel
      Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
      Committee, OASIS Security Services TC, and WS-I Basic Security
      Profile.

      Updated Operational Security Requirements for IP Network
      Infrastructure : Advanced Requirements.
   -00 : as the WG ID

      Added more information about the ITU-T SG3 Q18 effort to modify
      ITU-T Recommendation M.3016.

   -01 : First revision as the WG ID.

      Added information about the NGN in the sections about ATIS, the
      NSTAC, and ITU-T.

   -02 : Second revision as the WG ID.

      Updated the date.

      Corrected some URLs and the reference to George's RFC.

   -03 : Third revision of the WG ID.

      Updated the date.

      Updated the information about the CC.

      Added a Conventions section (not sure how this document got to
      where it is without that).

   -04 : Fourth revision of the WG ID.

      Updated the date.

      Added Anne & Lynn Wheeler Taxonomy & Security Glossary.

      CIAO glossary removed.  CIAO has been absorbed by DHS and the
      glossary is no longer available.

      USC glossary removed; could not find it on the site or a reference
      to it elsewhere.

      Added TTA - Telecommunications Technology Association to SDO
      section.

      Removed ATIS Security & Emergency Preparedness Activities from
      Documents section.  Could not find it or a reference to it.

      INCITS T4 incorporated into CS1 - T4 section removed.

      X9 added to SDO list under ANSI.

      Various link or grammar fixes.

   -05 : Fifth revision of the WG ID.

      Updated the date.

      Removed the 2119 definitions; this is an informational document.

   -06 : Sixth revision of the WG ID.

      Updated the date.

      Added W3C information.

   -07 : Seventh revision of the WG ID.

      Updated the date.

   -08 : Eighth revision of the WG ID.

      Updated the reference to RFC 4949, found by Stephen Kent.

   -09 : Ninth revision of the WG ID.

      Updated the date.

   -10 : Tenth revision of the WG ID.

      Added references to NIST documents, recommended by Steve Wolff.
      Updated the date.

   -11 : Eleventh revision of the WG ID.

      Updated the date.

   -12 : Twelfth revision of the WG ID.

      Updated the date.

   -13 : Nothing new.
      Updated the date.

   -14 : Fourteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 3.

      Updated the section on Compendium of Approved ITU-T Security
      Definitions.

      Updated the section on the Microsoft glossary.

      Updated the section on the SANS glossary.

      Added the NIST Security glossary.

      Added dates to all glossaries, where I could find them.

      Added the SANS Reading Room material to Section 5.

   -15 : Fifteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 4.  Several
      changes made.

      Removed WS-I as they have merged with OASIS.

      Added TM Forum.

   Note: This section will be removed before publication as an RFC.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1182
   Email: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1720
   Email: dspak@cisco.com