Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Intended status: Informational                             Cisco Systems
Expires: September 27, 2011                               March 26, 2011

              Security Best Practices Efforts and Documents
                     draft-ietf-opsec-efforts-16.txt

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 27, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
     3.1.  ATIS Telecom Glossary 2007
     3.2.  Internet Security Glossary - RFC 4949
     3.3.  Compendium of Approved ITU-T Security Definitions
     3.4.  Microsoft Malware Protection Center
     3.5.  SANS Glossary of Security Terms
     3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler
     3.7.  NIST - Glossary of Key Information Security Terms
   4.  Standards Developing Organizations
     4.1.  3GPP - Third Generation Partnership Project
     4.2.  3GPP2 - Third Generation Partnership Project 2
     4.3.  ANSI - The American National Standards Institute
       4.3.1.  Accredited Standards Committee X9 (ASC X9)
     4.4.  ATIS - Alliance for Telecommunications Industry Solutions
       4.4.1.  ATIS NPRQ - Network Performance, Reliability, and
               Quality of Service Committee, formerly T1A1
       4.4.2.  ATIS TMOC - Telecom Management and Operations
               Committee, formerly T1M1 OAM&P
     4.5.  CC - Common Criteria
     4.6.  DMTF - Distributed Management Task Force, Inc.
     4.7.  ETSI - The European Telecommunications Standard Institute
       4.7.1.  ETSI SEC
       4.7.2.  ETSI OCG SEC
     4.8.  GGF - Global Grid Forum
       4.8.1.  Global Grid Forum Security Area
     4.9.  IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.
       4.9.1.  IEEE Computer Society's Technical Committee on
               Security and Privacy
     4.10. IETF - The Internet Engineering Task Force
       4.10.1. IETF Security Area
     4.11. INCITS - InterNational Committee for Information
           Technology Standards
       4.11.1. Identification Cards and Related Devices (B10)
       4.11.2. Cyber Security (CS1)
       4.11.3. Biometrics (M1)
     4.12. ISO - The International Organization for Standardization
     4.13. ITU - International Telecommunication Union
       4.13.1. ITU Telecommunication Standardization Sector - ITU-T
       4.13.2. ITU Radiocommunication Sector - ITU-R
       4.13.3. ITU Telecom Development - ITU-D
     4.14. OASIS - Organization for the Advancement of Structured
           Information Standards
     4.15. OIF - Optical Internetworking Forum
       4.15.1. OAM&P Working Group
     4.16. NRIC - The Network Reliability and Interoperability Council
     4.17. National Security Telecommunications Advisory Committee
           (NSTAC)
     4.18. TIA - The Telecommunications Industry Association
       4.18.1. Critical Infrastructure Protection (CIP) and Homeland
               Security (HS)
       4.18.2. Commercial Encryption Source Code and Related
               Information
     4.19. TTA - Telecommunications Technology Association
     4.20. The World Wide Web Consortium
     4.21. TM Forum
       4.21.1. Security Management
   5.  Security Best Practices Efforts and Documents
     5.1.  3GPP - SA3 - Security
     5.2.  3GPP2 - TSG-S Working Group 4 (Security)
     5.3.  ATIS-0300276.2008 - Operations, Administration,
           Maintenance, and Provisioning Security Requirements for
           the Public Telecommunications Network: A Baseline of
           Security Requirements for the Management Plane
     5.4.  DMTF - Security Modeling Working Group
     5.5.  Common Criteria
     5.6.  ETSI
     5.7.  Operational Security Requirements for IP Network
           Infrastructure: Advanced Requirements
     5.8.  ISO JTC 1/SC 27 - Information security Technology
           techniques
     5.9.  ITU-T Study Group 2
     5.10. ITU-T Study Group 17
     5.11. NRIC VII Focus Groups
     5.12. OASIS Security Technical Committees
     5.13. OIF Implementation Agreements
     5.14. TIA - Critical Infrastructure Protection (CIP) and
           Homeland Security (HS)
     5.15. NIST Special Publications (800 Series)
     5.16. NIST Interagency or Internal Reports (NISTIRs)
     5.17. NIST ITL Security Bulletins
     5.18. SANS Information Security Reading Room
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   Authors' Addresses

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards in the hope of retaining, or even improving, an acceptable
   level of this availability for its users.  These SDO efforts usually
   define themselves as "security" efforts.  It is the opinion of the
   authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways.  As such, we
   offer no assurance that the term is applied consistently throughout
   this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works.  If there are overlaps then there is a potential for conflicts
   and confusion.  This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations.
   In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.  However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

   This document will be updated in sections.  The most recently updated
   part of this document is Section 5.

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistent usage of words
   between standards is unacceptable, as it would prevent a reader of
   two standards from appropriately relating their recommendations.
   The authors of this document have not reviewed the definitions of
   the words in the listed glossaries and so can offer no assurance of
   their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

   The text used in Sections 3, 4, and 5 has been copied from the
   referenced web sites.  The authors make no claim about the validity
   or accuracy of the information listed.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1.  ATIS Telecom Glossary 2007

   http://www.atis.org/tg2k/

   This Glossary began as a 5800-entry, search-enabled hypertext
   telecommunications glossary titled Federal Standard 1037C, Glossary
   of Telecommunication Terms.  Federal Standard 1037C was updated and
   matured into an American National Standard (ANS): T1.523-2001,
   Telecom Glossary 2000, under the aegis of ASC T1.  In turn, T1.523-
   2001 has been revised and redesignated under the ATIS procedures for
   ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007.

   Date published: 2007

3.2.  Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

   This document was originally created as RFC 2828 in May 2000.  It was
   revised as RFC 4949 and the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."

   Date published: August 2007

3.3.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.  The original
   Compendium was compiled by SG 17, Lead Study Group on Communication
   Systems Security (LSG-CSS).
   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Date published: 2003

3.4.  Microsoft Malware Protection Center

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Malware Protection Center, Threat Research and Response
   Glossary was created to explain the concepts, technologies, and
   products associated with computer security.

   Date published: indeterminate

3.5.  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   This glossary was updated in May 2003.  The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

   Date published: indeterminate

3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/
   SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53,
   800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA
   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
   RFC2647, RFC2828, TCSEC, TDI, and TNI.

   Date updated: October 2010

3.7.  NIST - Glossary of Key Information Security Terms

   http://csrc.nist.gov/publications/nistir/
   NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf

   This glossary of basic security terms has been extracted from NIST
   Federal Information Processing Standards (FIPS) and the Special
   Publication (SP) 800 series.  The terms included are not all
   inclusive of terms found in these publications, but are a subset of
   basic terms that are most frequently used.  The purpose of this
   glossary is to provide a central resource of definitions most
   commonly used in NIST security publications.

   Date published: April 2006

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   The Third Generation Partnership Project 2 (3GPP2) is:

      a collaborative third generation (3G) telecommunications
      specifications-setting project

      comprising North American and Asian interests developing global
      specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication
      Intersystem Operations network evolution to 3G

      and global specifications for the radio transmission technologies
      (RTTs) supported by ANSI/TIA/EIA-41.

   3GPP2 was born out of the International Telecommunication Union's
   (ITU) International Mobile Telecommunications "IMT-2000" initiative,
   covering high speed, broadband, and Internet Protocol (IP)-based
   mobile systems featuring network-to-network interconnection, feature/
   service transparency, global roaming and seamless services
   independent of location.
   IMT-2000 is intended to bring high-quality
   mobile multimedia telecommunications to a worldwide mass market by
   achieving the goals of increasing the speed and ease of wireless
   communications, responding to the problems faced by the increased
   demand to pass data via telecommunications, and providing "anytime,
   anywhere" services.

4.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   As the voice of the U.S. standards and conformity assessment system,
   the American National Standards Institute (ANSI) empowers its members
   and constituents to strengthen the U.S. marketplace position in the
   global economy while helping to assure the safety and health of
   consumers and the protection of the environment.

   The Institute oversees the creation, promulgation and use of
   thousands of norms and guidelines that directly impact businesses in
   nearly every sector: from acoustical devices to construction
   equipment, from dairy and livestock production to energy
   distribution, and many more.  ANSI is also actively engaged in
   accrediting programs that assess conformance to standards - including
   globally-recognized cross-sector programs such as the ISO 9000
   (quality) and ISO 14000 (environmental) management systems.

4.3.1.  Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to
   develop, establish, maintain, and promote standards for the Financial
   Services Industry in order to facilitate the delivery of financial
   services and products.
   Under this mission ASC X9 fulfills the
   objectives of: (1) Supporting (maintain, enhance, and promote use of)
   existing standards; (2) Facilitating development of new, open
   standards based upon consensus; (3) Providing a common source for all
   standards affecting the Financial Services Industry; (4) Focusing on
   current and future standards needs of the Financial Services
   Industry; (5) Promoting use of Financial Services Industry standards;
   and (6) Participating and promoting the development of international
   standards.

4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS prioritizes the industry's most pressing, technical and
   operational issues, and creates interoperable, implementable, end to
   end solutions -- standards when the industry needs them and where
   they need them.

   Over 600 industry professionals from more than 250 communications
   companies actively participate in ATIS committees and incubator
   solutions programs.

   ATIS develops standards and solutions addressing a wide range of
   industry issues in a manner that allocates and coordinates industry
   resources and produces the greatest return for communications
   companies.

   ATIS creates solutions that support the rollout of new products and
   services into the information, entertainment and communications
   marketplace.  Its activities provide the basis for the industry's
   delivery of:

      Existing and next generation IP-based infrastructures;

      Reliable converged multimedia services, including IPTV;

      Enhanced Operations Support Systems and Business Support Systems;
      and

      Greater levels of service quality and performance.

   ATIS is accredited by the American National Standards Institute
   (ANSI).

4.4.1.  ATIS NPRQ - Network Performance, Reliability, and Quality of
        Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   PRQC develops and recommends standards, requirements, and technical
   reports related to the performance, reliability, and associated
   security aspects of communications networks, as well as the
   processing of voice, audio, data, image, and video signals, and their
   multimedia integration.  PRQC also develops and recommends positions
   on, and fosters consistency with, standards and related subjects
   under consideration in other North American and international
   standards bodies.

   PRQC Focus Areas are:

      Performance and Reliability of Networks (e.g. IP, ATM, OTN, and
      PSTN), and Services (e.g. Frame Relay, Dedicated and Switched
      Data),

      Security-related aspects,

      Emergency communications-related aspects,

      Coding (e.g. video and speech), at and between carrier-to-carrier
      and carrier-to-customer interfaces, with due consideration of end-
      user applications.

4.4.2.  ATIS TMOC - Telecom Management and Operations Committee,
        formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   The Telecom Management and Operations Committee (TMOC) develops
   operations, administration, maintenance and provisioning standards,
   and other documentation related to Operations Support System (OSS)
   and Network Element (NE) functions and interfaces for communications
   networks - with an emphasis on standards development related to
   U.S.A. communication networks in coordination with the development of
   international standards.

   The scope of the work in TMOC includes the development of standards
   and other documentation for communications network operations and
   management areas, such as: Configuration Management, Performance
   Management (including in-service transport performance management),
   Fault Management, Security Management (including management plane
   security), Accounting Management, Coding/Language Data
   Representation, Common/Underlying Management Functionality/
   Technology, and Ancillary Functions (such as network tones and
   announcements).  This work requires close and coordinated working
   relationships with other domestic and international standards
   development organizations and industry forums.

4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   Common Criteria is a framework in which computer system users can
   specify their security functional and assurance requirements, vendors
   can then implement and/or make claims about the security attributes
   of their products, and testing laboratories can evaluate the products
   to determine if they actually meet the claims.  In other words,
   Common Criteria provides assurance that the process of specification,
   implementation and evaluation of a computer security product has been
   conducted in a rigorous and standard manner.  [attribute wikipedia]

4.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   DMTF enables more effective management of millions of IT systems
   worldwide by bringing the IT industry together to collaborate on the
   development, validation and promotion of systems management
   standards.  DMTF management standards are critical to enabling
   management interoperability among multi-vendor systems, tools and
   solutions within the enterprise.  We are committed to protecting
   companies' IT investments by creating standards that promote multi-
   vendor interoperability.
   Our dedication to fostering collaboration
   within the industry provides a win-win situation for vendors and IT
   personnel alike.

4.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   The European Telecommunications Standards Institute (ETSI) produces
   globally-applicable standards for Information and Communications
   Technologies (ICT), including fixed, mobile, radio, converged,
   broadcast and internet technologies.

   ETSI is officially recognized by the European Union as a European
   Standards Organization.

4.7.1.  ETSI SEC

   http://portal.etsi.org/portal/server.pt/gateway/
   PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

   Board#38 confirmed the closure of TC SEC.

   At the same time it approved the creation of an OCG Ad Hoc group, OCG
   Security.

   TC SEC documents can be found in the SEC archive.

   The SEC Working groups (ESI and LI) were closed and TC ESI and a TC
   LI were created to continue the work.

   All documents and information relevant to ESI and LI are available
   from the TC ESI and TC LI sites.

4.7.2.  ETSI OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

   The group's primary role is to provide a light-weight horizontal
   co-ordination structure for security issues that will ensure this
   work is seriously considered in each ETSI TB and that any duplicate
   or conflicting work is detected.  To achieve this aim the group
   should mainly conduct its work via email and, where appropriate,
   co-sited "joint security" technical working meetings.

   When scheduled, appropriate time at each "joint SEC" meeting should
   be allocated during the meetings to allow for:

      Individual committee activities as well as common work;

      Coordination between the committees; and

      Experts to contribute to more than one committee.

4.8.  GGF - Global Grid Forum

   http://www.gridforum.org/

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing.  GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.8.1.  Global Grid Forum Security Area

   http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7

   The Security Area is concerned with technical and operational
   security issues in Grid environments, including authentication,
   authorization, privacy, confidentiality, auditing, firewalls, trust
   establishment, policy establishment, and dynamics, scalability and
   management aspects of all of the above.

   The Security Area is comprised of the following Working Groups and
   Research Groups.

      Certificate Authority Operations WG (CAOPS-WG)

      Firewall Issues RG (FI-RG)

      Levels Of Authentication Assurance Research Group (LOA-RG)

      OGSA Authorization WG (OGSA-AUTHZ-WG)

4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

   IEEE is the world's largest professional association dedicated to
   advancing technological innovation and excellence for the benefit of
   humanity.  IEEE and its members inspire a global community through
   IEEE's highly cited publications, conferences, technology standards,
   and professional and educational activities.

4.9.1.  IEEE Computer Society's Technical Committee on Security and
        Privacy

   http://www.ieee-security.org/

4.10.  IETF - The Internet Engineering Task Force

   http://www.ietf.org/

   The goal of the IETF is to make the Internet work better.

   The mission of the IETF is to make the Internet work better by
   producing high quality, relevant technical documents that influence
   the way people design, use, and manage the Internet.

4.10.1.  IETF Security Area

   The Working Groups in the Security Area may be found from this page.

   http://datatracker.ietf.org/wg/

   The wiki page for the IETF Security Area may be found here.

   http://trac.tools.ietf.org/area/sec/trac/wiki

4.11.  INCITS - InterNational Committee for Information Technology
       Standards

   http://www.incits.org/

   INCITS is the primary U.S. focus of standardization in the field of
   Information and Communications Technologies (ICT), encompassing
   storage, processing, transfer, display, management, organization, and
   retrieval of information.  As such, INCITS also serves as ANSI's
   Technical Advisory Group for ISO/IEC Joint Technical Committee 1.
   JTC 1 is responsible for International standardization in the field
   of Information Technology.

   There are three active Groups in the Security / ID Technical
   Committee.

4.11.1.  Identification Cards and Related Devices (B10)

   http://standards.incits.org/a/public/group/b10

   Development of national and international standards in the area of
   identification cards and related devices for use in inter-industry
   applications and international interchange.

4.11.2.  Cyber Security (CS1)

   http://standards.incits.org/a/public/group/cs1

   INCITS/CS1 was established in April 2005 to serve as the US TAG for
   ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups.

   The scope of CS1 explicitly excludes the areas of work on cyber
   security standardization presently underway in INCITS B10, M1, T3,
   T10 and T11; as well as other standard groups, such as ATIS, IEEE,
   IETF, TIA, and X9.

4.11.3.  Biometrics (M1)

   http://standards.incits.org/a/public/group/m1

   INCITS/M1, Biometrics Technical Committee was established by the
   Executive Board of INCITS in November 2001 to ensure a high priority,
   focused, and comprehensive approach in the United States for the
   rapid development and approval of formal national and international
   generic biometric standards.  The M1 program of work includes
   biometric standards for data interchange formats, common file
   formats, application program interfaces, profiles, and performance
   testing and reporting.  The goal of M1's work is to accelerate the
   deployment of significantly better, standards-based security
   solutions for purposes such as homeland defense and the prevention
   of identity theft, as well as other government and commercial
   applications based on biometric personal authentication.

4.12.  ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO (International Organization for Standardization) is the world's
   largest developer and publisher of International Standards.

   ISO is a network of the national standards institutes of 160
   countries, one member per country, with a Central Secretariat in
   Geneva, Switzerland, that coordinates the system.

   ISO is a non-governmental organization that forms a bridge between
   the public and private sectors.  On the one hand, many of its member
   institutes are part of the governmental structure of their countries,
   or are mandated by their government.  On the other hand, other
   members have their roots uniquely in the private sector, having been
   set up by national partnerships of industry associations.

   Therefore, ISO enables a consensus to be reached on solutions that
   meet both the requirements of business and the broader needs of
   society.

4.13.  ITU - International Telecommunication Union

   http://www.itu.int/

   ITU is the leading United Nations agency for information and
   communication technology issues, and the global focal point for
   governments and the private sector in developing networks and
   services.  For 145 years, ITU has coordinated the shared global use
   of the radio spectrum, promoted international cooperation in
   assigning satellite orbits, worked to improve telecommunication
   infrastructure in the developing world, established the worldwide
   standards that foster seamless interconnection of a vast range of
   communications systems and addressed the global challenges of our
   times, such as mitigating climate change and strengthening
   cybersecurity.

   ITU also organizes worldwide and regional exhibitions and forums,
   such as ITU TELECOM WORLD, bringing together the most influential
   representatives of government and the telecommunications and ICT
   industry to exchange ideas, knowledge and technology for the benefit
   of the global community, and in particular the developing world.

   From broadband Internet to latest-generation wireless technologies,
   from aeronautical and maritime navigation to radio astronomy and
   satellite-based meteorology, from convergence in fixed-mobile phone,
   Internet access, data, voice and TV broadcasting to next-generation
   networks, ITU is committed to connecting the world.

   The ITU is comprised of three sectors:

4.13.1.  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T Recommendations are defining elements in information and
   communication technologies (ICTs) infrastructure.  Whether we
   exchange voice, data or video messages, communications cannot take
   place without standards linking the sender and the receiver.  Today's
   work extends well beyond the traditional areas of telephony to
   encompass a far wider range of information and communications
   technologies.

4.13.2.  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU Radiocommunication Sector (ITU-R) plays a vital role in the
   global management of the radio-frequency spectrum and satellite
   orbits - limited natural resources which are increasingly in demand
   from a large and growing number of services such as fixed, mobile,
   broadcasting, amateur, space research, emergency telecommunications,
   meteorology, global positioning systems, environmental monitoring and
   communication services - that ensure safety of life on land, at sea
   and in the skies.

4.13.3.  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The mission of the Telecommunication Development Sector (ITU-D) aims
   at achieving the Sector's objectives based on the right to
   communicate of all inhabitants of the planet through access to
   infrastructure and information and communication services.

   In this regard, the mission is to:

      Assist countries in the field of information and communication
      technologies (ICTs), in facilitating the mobilization of
      technical, human and financial resources needed for their
      implementation, as well as in promoting access to ICTs.

      Promote the extension of the benefits of ICTs to all the world's
      inhabitants.

      Promote and participate in actions that contribute towards
      narrowing the digital divide.

      Develop and manage programmes that facilitate information flow
      geared to the needs of developing countries.

   The mission encompasses ITU's dual responsibility as a United
   Nations specialized agency and an executing agency for
   implementing projects under the United Nations development system
   or other funding arrangements.
4.14.  OASIS - Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/

OASIS (Organization for the Advancement of Structured Information
Standards) is a not-for-profit consortium that drives the
development, convergence and adoption of open standards for the
global information society.  The consortium produces more Web
services standards than any other organization along with standards
for security, e-business, and standardization efforts in the public
sector and for application-specific markets.  Founded in 1993, OASIS
has more than 5,000 participants representing over 600 organizations
and individual members in 100 countries.

OASIS is distinguished by its transparent governance and operating
procedures.  Members themselves set the OASIS technical agenda, using
a lightweight process expressly designed to promote industry
consensus and unite disparate efforts.  Completed work is ratified by
open ballot.  Governance is accountable and unrestricted.  Officers
of both the OASIS Board of Directors and Technical Advisory Board are
chosen by democratic election to serve two-year terms.  Consortium
leadership is based on individual merit and is not tied to financial
contribution, corporate standing, or special appointment.

OASIS has several Technical Committees in the Security Category.

   http://www.oasis-open.org/committees/tc_cat.php?cat=security

4.15.  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

"The Optical Internetworking Forum (OIF) promotes the development and
deployment of interoperable networking solutions and services through
the creation of Implementation Agreements (IAs) for optical
networking products, network processing elements, and component
technologies.  Implementation agreements will be based on
requirements developed cooperatively by end-users, service providers,
equipment vendors and technology providers, and aligned with
worldwide standards, augmented if necessary.  This is accomplished
through industry member participation working together to develop
specifications (IAs) for:

   External network element interfaces

   Software interfaces internal to network elements

   Hardware component interfaces internal to network elements

The OIF will create Benchmarks, perform worldwide interoperability
testing, build market awareness and promote education for
technologies, services and solutions.  The OIF will provide feedback
to worldwide standards organizations to help achieve a set of
implementable, interoperable solutions."

4.15.1.  OAM&P Working Group

   http://www.oiforum.com/public/oamp.html

In concert with the Carrier, Architecture & Signaling and other OIF
working groups, the Operations, Administration, Maintenance, &
Provisioning (OAM&P) working group develops architectures,
requirements, guidelines, and implementation agreements critical to
widespread deployment of interoperable optical networks by carriers.
The scope includes but is not limited to a) planning, engineering and
provisioning of network resources; b) operations, maintenance or
administration use cases and processes; and c) management
functionality and interfaces for operations support systems and
interoperable network equipment.  Within its scope are Fault,
Configuration, Accounting, Performance and Security Management
(FCAPS) and Security.  The OAM&P working group will also account for
work by related standards development organizations (SDOs), identify
gaps and formulate OIF input to other SDOs as may be appropriate.

4.16.  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

The mission of the NRIC is to partner with the Federal Communications
Commission, the communications industry and public safety to
facilitate enhancement of emergency communications networks, homeland
security, and best practices across the burgeoning telecommunications
industry.

It appears that the last NRIC Council concluded in 2005.

4.17.  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

President Ronald Reagan created the National Security
Telecommunications Advisory Committee (NSTAC) by Executive Order
12382 in September 1982.  Composed of up to 30 industry chief
executives representing the major communications and network service
providers and information technology, finance, and aerospace
companies, the NSTAC provides industry-based advice and expertise to
the President on issues and problems related to implementing national
security and emergency preparedness (NS/EP) communications policy.
Since its inception, the NSTAC has addressed a wide range of policy
and technical issues regarding communications, information systems,
information assurance, critical infrastructure protection, and other
NS/EP communications concerns.

The mission of the NSTAC: Meeting our Nation's critical national
security and emergency preparedness (NS/EP) challenges demands
attention to many issues.  Among these, none could be more important
than the availability and reliability of telecommunication services.
The President's National Security Telecommunications Advisory
Committee (NSTAC) mission is to provide the U.S. Government the best
possible industry advice in these areas.

4.18.  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

The Telecommunications Industry Association (TIA) is the leading
trade association representing the global information and
communications technology (ICT) industries through standards
development, government affairs, business opportunities, market
intelligence, certification and world-wide environmental regulatory
compliance.  With support from its 600 members, TIA enhances the
business environment for companies involved in telecommunications,
broadband, mobile wireless, information technology, networks, cable,
satellite, unified communications, emergency communications and the
greening of technology.  TIA is accredited by ANSI.

4.18.1.  Critical Infrastructure Protection (CIP) and Homeland Security
         (HS)

   http://www.tiaonline.org/standards/technology/ciphs/

This TIA webpage identifies and links to many standards, other
technical documents and ongoing activity involving or supporting
TIA's role in Public Safety and Homeland Security, Network Security,
Critical Infrastructure Protection and Assurance, National Security/
Emergency Preparedness, Emergency Communications Services, Emergency
Calling and Location Identification Services, and the Needs of First
Responders.  For the purpose of this webpage, national/international
terms relating to public safety and disaster response can be
considered synonymous (and interchangeable) with terms relating to
public protection and disaster relief.

4.18.2.  Commercial Encryption Source Code and Related Information

   http://www.tiaonline.org/standards/technology/ahag/index.cfm

This section seems to link to commercial encryption source code.
Access requires agreement to terms and conditions and then
registration.

4.19.  TTA - Telecommunications Technology Association

   http://www.tta.or.kr/
   http://www.tta.or.kr/English/index.jsp (English)

The purpose of TTA is to contribute to the advancement of technology
and the promotion of information and telecommunications services and
industry as well as the development of the national economy, by
effectively establishing and providing technical standards that
reflect the latest domestic and international technological advances,
needed for the planning, design and operation of global end-to-end
telecommunications and related information services, in close
collaboration with companies, organizations and groups concerned with
information and telecommunications such as network operators, service
providers, equipment manufacturers, academia, R&D institutes, etc.

4.20.  The World Wide Web Consortium

   http://www.w3.org/Consortium/

The World Wide Web Consortium (W3C) is an international community
where Member organizations, a full-time staff, and the public work
together to develop Web standards.  Led by Web inventor Tim
Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web
to its full potential.

   http://www.w3.org/Security/Activity

The work in the W3C Security Activity currently comprises two Working
Groups, the Web Security Context Working Group and the XML Security
Working Group.

The Web Security Context Working Group focuses on the challenges that
arise when users encounter currently deployed security technology,
such as TLS: While this technology achieves its goals on a technical
level, attackers' strategies shift towards bypassing the security
technology instead of breaking it.  When users do not understand the
security context in which they operate, then it becomes easy to
deceive and defraud them.  This Working Group is planning to see its
main deliverable, the User Interface Guidelines, through to
Recommendation, but will not engage in additional recommendation
track work beyond this deliverable.  The Working Group is currently
operating at reduced Team effort (compared to the initial effort
reserved to this Working Group).  Initial (and informal)
conversations about forming an Interest Group that could serve as a
place for community-building and specification review have not led as
far as we had hoped at the previous Advisory Committee Meeting, but
are still on the Team's agenda.

The XML Security Working Group started up in summer 2008, and has
decided to publish an interim set of 1.1 specifications as it works
towards producing a more radical change to XML Signature.  The XML
Signature 1.1 and XML Encryption 1.1 specifications clarify and
enhance the previous specifications without introducing breaking
changes, although they do introduce new algorithms.

4.21.  TM Forum

   http://www.tmforum.org/

With more than 700 corporate members in 195 countries, TM Forum is
the world's leading industry association focused on enabling
best-in-class IT for service providers in the communications, media
and cloud service markets.  The Forum provides business-critical
industry standards and expertise to enable the creation, delivery and
monetization of digital services.

TM Forum brings together the world's largest communications,
technology and media companies, providing an innovative,
industry-leading approach to collaborative R&D, along with a wide
range of support services including benchmarking, training and
certification.  The Forum produces the renowned international
Management World conference series, as well as thought-leading
industry research and publications.

4.21.1.  Security Management

   http://www.tmforum.org/SecurityManagement/9152/home.html

Securing networks, cyber, clouds, and identity against evolving and
ever-present threats has emerged as a top priority for TM Forum
members.  In response, the TM Forum's Security Management Initiative
was formally launched in 2009.  While some of our Security Management
efforts, such as Identity Management, are well established and boast
mature Business Agreements and Interfaces, a series of presentations,
contributions, and multi-vendor technology demonstrations have
jump-started work efforts on the industry hot topics of Network
Defense, Cyber Security, and security for single and multi-regional
enterprise application cloud bursting.  Our aim is to produce
Security Management rich frameworks, best practices, and guidebooks.

5.  Security Best Practices Efforts and Documents

This section lists the works produced by the SDOs.

5.1.  3GPP - SA3 - Security

   http://www.3gpp.org/SA3-Security

The WG is responsible for security in 3GPP systems, determining the
security requirements, and specifying the security architectures and
protocols.  The WG also ensures the availability of cryptographic
algorithms which need to be part of the specifications.  The sub-WG
SA3-LI provides the requirements and specifications for lawful
interception in 3GPP systems.

Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

5.2.  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

The Services and Systems Aspects TSG (TSG-S) is responsible for the
development of service capability requirements for systems based on
3GPP2 specifications.  It is also responsible for high level
architectural issues, as required, to coordinate service development
across the various TSGs.  In this role, the Services and Systems TSG
shall track the activities within the various TSGs, as required, to
meet the above service requirements.

More specifically, TSG-S will address the following areas of work:
Management, technical coordination, as well as architectural and
requirements development associated with all end-to-end features,
services and system capabilities including, but not limited to,
security and QoS.

TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/tsgs.cfm

5.3.  ATIS-0300276.2008 - Operations, Administration, Maintenance, and
      Provisioning Security Requirements for the Public
      Telecommunications Network: A Baseline of Security Requirements
      for the Management Plane

This document contains both the published and redline versions of
ATIS-0300276.2008.  This standard contains a set of baseline security
requirements for the management plane.  The requirements outlined in
this standard allow equipment/system suppliers, government
departments and agencies, and service providers to implement a secure
telecommunications management infrastructure.

Documents: http://www.atis.org/docstore/product.aspx?id=24660

5.4.  DMTF - Security Modeling Working Group

   http://www.dmtf.org/sites/default/files/SecurityWGCharter.pdf

The Security Modeling Working Group of the Schema Subcommittee is
responsible for developing the models and profiles required to
provide interoperable security management interfaces for
implementations, including the enabling of configuration and
management of authentication, authorization, and auditing services.

The operational security requirements for protocols and management
initiatives are not addressed by this work group and should be
addressed by the working groups responsible for them.  Management of
the underlying security capabilities utilized by such protocols and
initiatives is addressed by this work group (for example:
interfaces for the management of keys and certificates).

5.5.  Common Criteria

   http://www.commoncriteriaportal.org/

The Common Criteria for Information Technology Security Evaluation
(CC), and the companion Common Methodology for Information Technology
Security Evaluation (CEM), are the technical basis for an
international agreement, the Common Criteria Recognition Agreement
(CCRA), which ensures that:

   Products can be evaluated by competent and independent licensed
   laboratories so as to determine the fulfilment of particular
   security properties, to a certain extent or assurance;

   Supporting documents are used within the Common Criteria
   certification process to define how the criteria and evaluation
   methods are applied when certifying specific technologies;

   The certification of the security properties of an evaluated
   product can be issued by a number of Certificate Authorizing
   Schemes, with this certification being based on the result of
   their evaluation;

   These certificates are recognized by all the signatories of the
   CCRA.

The CC is the driving force for the widest available mutual
recognition of secure IT products.  This web portal is available to
support the information on the status of the CCRA, the CC and the
certification schemes, licensed laboratories, certified products and
related information, news and events.

5.6.  ETSI

TC SEC

   http://portal.etsi.org/portal/server.pt/gateway/
   PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

Board#38 confirmed the closure of TC SEC.
At the same time it approved the creation of an OCG Ad Hoc group, OCG
Security.

TC SEC documents can be found in the SEC archive (members login
required).

The SEC Working groups (ESI and LI) were closed and TC ESI and TC
LI were created to continue the work.

All documents and information relevant to ESI and LI are available
from the TC ESI and TC LI sites:

   TC ESI: http://portal.etsi.org/portal/server.pt/community/ESI/307

   TC LI: http://portal.etsi.org/portal/server.pt/community/LI/318

OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

The group's primary role is to provide a light-weight horizontal
co-ordination structure for security issues that will ensure this
work is seriously considered in each ETSI TB and that any duplicate
or conflicting work is detected.  To achieve this aim the group
should mainly conduct its work via email and, where appropriate,
co-sited "joint security" technical working meetings.

OCG documents may be found here:

   http://portal.etsi.org/ocg/Summary.asp (members login required)

5.7.  Operational Security Requirements for IP Network Infrastructure :
      Advanced Requirements

IETF RFC 3871

Abstract: This document defines a list of operational security
requirements for the infrastructure of large ISP IP networks (routers
and switches).  A framework is defined for specifying "profiles",
which are collections of requirements applicable to certain network
topology contexts (all, core-only, edge-only...).  The goal is to
provide network operators a clear, concise way of communicating their
security requirements to vendors.

Documents:

   http://www.rfc-editor.org/rfc/rfc3871.txt

5.8.  ISO JTC 1/SC 27 - Information security Technology techniques

   http://www.iso.org/iso/iso_catalogue/catalogue_tc/
   catalogue_tc_browse.htm?commid=45306

Several security related ISO projects under JTC 1/SC 27 are listed
here, such as:

   IT Security techniques -- Message Authentication Codes (MACs)

   IT Security techniques -- Key management

   IT Security techniques -- Entity authentication

   IT Security techniques -- Hash-functions

   IT Security techniques -- Non-repudiation

   IT Security techniques -- IT network security

5.9.  ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

Security related recommendations currently under study:
   http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2

5.10.  ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

Security related recommendations currently under study:
   http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

The ICT Security Standards Roadmap
   http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

This ICT Security Standards Roadmap has been developed to assist in
the development of security standards by bringing together
information about existing standards and current standards work in
key standards development organizations.

In addition to aiding the process of standards development, the
Roadmap will provide information that will help potential users of
security standards, and other standards stakeholders, gain an
understanding of what standards are available or under development as
well as the key organizations that are working on these standards.

The Roadmap was initiated by ITU-T Study Group 17.  In January 2007
the initiative became a collaborative effort when the European
Network and Information Security Agency (ENISA) and the Network and
Information Security Steering Group (NISSG) joined Study Group 17 in
the project.

The Roadmap is in five parts:

   Part 1: ICT Standards Development Organizations and Their Work
   http://www.itu.int/ITU-T/studygroups/com17/ict/part01.html

   Part 1 contains information about the Roadmap structure and about
   each of the listed standards organizations, their structure and
   the security standards work being undertaken.  In addition it
   contains information on terminology by providing links to existing
   security glossaries and vocabularies.

   Part 2: Approved ICT Security Standards
   http://www.itu.int/ITU-T/studygroups/com17/ict/part02.html

   Part 2 contains a summary catalogue of approved standards.

   Part 3: Security standards under development
   http://www.itu.int/ITU-T/studygroups/com17/ict/part03.html

   Part 3 is structured with the same taxonomy as Part 2 but contains
   work in progress, rather than standards that have already been
   approved and published.  Part 3 will also contain information on
   inter-relationships between groups undertaking the work and on
   potential overlaps between existing projects.

   Part 4: Future needs and proposed new security standards
   http://www.itu.int/ITU-T/studygroups/com17/ict/part04.html

   Part 4 is intended to capture possible future areas of security
   standards work where gaps or needs have been identified as well as
   areas where proposals have been made for specific new standards
   work.  Part 4 includes provision for direct feedback, comments and
   suggestions.

   Part 5: Best practices
   http://www.itu.int/ITU-T/studygroups/com17/ict/part05.html

   Part 5 is a recent addition to the Roadmap (May 2007).  It is
   intended to be a repository of security-related best practices
   contributed by our community of members.

   This section will be based on contributions from the security
   community.

   Where possible, contributions should refer to best practices
   relating to standards-based security, but other best practices
   will be considered for inclusion.

It is important to note that the Roadmap is a work-in-progress.  It
is intended that it be developed and enhanced to include other
standards organizations as well as a broader representation of the
work from organizations already included.  It is hoped that standards
organizations whose work is not represented in this version of the
Roadmap will provide information to ITU-T about their work so that it
may be included in future editions.

In May 2007, Part 2 of the Roadmap was converted to a searchable
database format that allows direct links to the information of
participating standards organizations.  The database format will
allow each participating organization to manage its own data within
the Roadmap.  This will enable more timely updating of the
information and will also reduce the overhead in maintaining the
information.

   http://www.itu.int/ITU-T/security/main_table.aspx

5.11.  NRIC VII Focus Groups

   http://www.nric.org/fg/index.html

By December 16, 2005, the Council shall present a final report that
describes, in detail, any additions, deletions, or modifications that
should be made to the Homeland Security Best Practices that were
adopted by the preceding Council.
Documents in Focus Group 2: Homeland Security, Subcommittee 2.B:
Cyber Security:

   Focus Group 2B Report - Homeland Security Cyber Security Best
   Practices, Published 06-Dec-2004

   Focus Group 2B Report Appendices, Published 06-Dec-2004

   Focus Group 2B Final Report - Summary of Activities, Guidance and
   Cybersecurity Issues, Published 16-Dec-2005

   Focus Group 2B Final Best Practices, Published 16-Dec-2005

5.12.  OASIS Security Technical Committees

Many Technical Committees have produced standards.

   http://www.oasis-open.org/committees/tc_cat.php?cat=security

5.13.  OIF Implementation Agreements

The OIF has 3 approved, and in-force Implementation Agreements (IAs)
relating to security.  They are:

   OIF-SEP-03.0 - Security Extension for UNI and E-NNI 2.0 (Nov 2010)
   http://www.oiforum.com/public/documents/OIF-SEP-03.0.pdf

   OIF-SMI-01.0 - Security for Management Interfaces to Network
   Elements (September 2003)
   http://www.oiforum.com/public/documents/SecurityMgmt-IA.pdf

   OIF-SMI-02.1 - Addendum to the Security for Management Interfaces
   to Network Elements (March 2006)
   http://www.oiforum.com/public/documents/OIF-SMI-02_1.pdf

5.14.  TIA - Critical Infrastructure Protection (CIP) and Homeland
       Security (HS)

This TIA webpage identifies and links to many standards, other
technical documents and ongoing activity involving or supporting
TIA's role in Public Safety and Homeland Security, Network Security,
Critical Infrastructure Protection and Assurance, National Security/
Emergency Preparedness, Emergency Communications Services, Emergency
Calling and Location Identification Services, and the Needs of First
Responders.

   http://www.tiaonline.org/standards/technology/ciphs/

5.15.  NIST Special Publications (800 Series)

   http://csrc.nist.gov/publications/PubsSPs.html

Special Publications in the 800 series present documents of general
interest to the computer security community.  The Special Publication
800 series was established in 1990 to provide a separate identity for
information technology security publications.  This Special
Publication 800 series reports on ITL's research, guidelines, and
outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.

5.16.  NIST Interagency or Internal Reports (NISTIRs)

   http://csrc.nist.gov/publications/PubsNISTIRs.html

NIST Interagency or Internal Reports (NISTIRs) describe research of a
technical nature of interest to a specialized audience.  The series
includes interim or final reports on work performed by NIST for
outside sponsors (both government and nongovernment).  NISTIRs may
also report results of NIST projects of transitory or limited
interest, including those that will be published subsequently in more
comprehensive form.

5.17.  NIST ITL Security Bulletins

   http://csrc.nist.gov/publications/PubsITLSB.html

ITL Bulletins are published by NIST's Information Technology
Laboratory, with most bulletins written by the Computer Security
Division.  These bulletins are published on the average of six times
a year.  Each bulletin presents an in-depth discussion of a single
topic of significant interest to the information systems community.
Not all of the ITL Bulletins that are published relate to computer /
network security.  Only the computer security ITL Bulletins are found
here.

5.18.  SANS Information Security Reading Room

   http://www.sans.org/reading_room/

Featuring over 1,885 original computer security white papers in 75
different categories.
Most of the computer security white papers in the Reading Room have
been written by students seeking GIAC certification to fulfill part
of their certification requirements and are provided by SANS as a
resource to benefit the security community at large.  SANS attempts
to ensure the accuracy of information, but papers are published "as
is".  Errors or inconsistencies may exist or may be introduced over
time as material becomes dated.

6.  Security Considerations

This document describes efforts to standardize security practices and
documents.  As such this document offers no security guidance
whatsoever.

Readers of this document should be aware of the date of publication
of this document.  It is feared that they may assume that the
efforts, on-line material, and documents are current whereas they may
not be.  Please consider this when reading this document.

7.  IANA Considerations

This document does not propose a standard and does not require the
IANA to do anything.

8.  Acknowledgments

The following people have contributed to this document.  Listing
their names here does not mean that they endorse the document, but
that they have contributed to its substance.

David Black, Mark Ellison, George Jones, Keith McCloghrie, John
McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
Moon, Stephen Kent, Steve Wolff, Bob Natale.

9.  Changes from Prior Drafts

-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

-01 : Security Glossaries:

      Added ATIS Telecom Glossary 2000, Critical Infrastructure
      Glossary of Terms and Acronyms, Microsoft Solutions for
      Security Glossary, and USC InfoSec Glossary.
      Standards Developing Organizations:

      Added DMTF, GGF, INCITS, OASIS, and WS-I.

      Removal of Committee T1 and modifications to ATIS and former T1
      technical subcommittees due to the recent ATIS reorganization.

      Efforts and Documents:

      Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
      Area (SEC), INCITS Technical Committee T4 - Security
      Techniques, INCITS Technical Committee T11 - Fibre Channel
      Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
      Committee, OASIS Security Services TC, and WS-I Basic Security
      Profile.

      Updated Operational Security Requirements for IP Network
      Infrastructure : Advanced Requirements.

   -00 : as the WG ID

      Added more information about the ITU-T SG3 Q18 effort to modify
      ITU-T Recommendation M.3016.

   -01 : First revision as the WG ID.

      Added information about the NGN in the sections about ATIS, the
      NSTAC, and ITU-T.

   -02 : Second revision as the WG ID.

      Updated the date.

      Corrected some URLs and the reference to George's RFC.

   -03 : Third revision of the WG ID.

      Updated the date.

      Updated the information about the CC.

      Added a Conventions section (not sure how this document got to
      where it is without that).

   -04 : Fourth revision of the WG ID.

      Updated the date.

      Added Anne & Lynn Wheeler Taxonomy & Security Glossary.

      CIAO glossary removed.  CIAO has been absorbed by DHS and the
      glossary is no longer available.

      USC glossary removed; could not find it on the site or a reference
      to it elsewhere.

      Added TTA - Telecommunications Technology Association to SDO
      section.

      Removed ATIS Security & Emergency Preparedness Activities from
      Documents section.  Could not find it or a reference to it.

      INCITS T4 incorporated into CS1 - T4 section removed.

      X9 added to SDO list under ANSI.

      Various link or grammar fixes.

   -05 : Fifth revision of the WG ID.
      Updated the date.

      Removed the 2119 definitions; this is an informational document.

   -06 : Sixth revision of the WG ID.

      Updated the date.

      Added W3C information.

   -07 : Seventh revision of the WG ID.

      Updated the date.

   -08 : Eighth revision of the WG ID.

      Updated the reference to RFC 4949, found by Stephen Kent.

   -09 : Ninth revision of the WG ID.

      Updated the date.

   -10 : Tenth revision of the WG ID.

      Added references to NIST documents, recommended by Steve Wolff.
      Updated the date.

   -11 : Eleventh revision of the WG ID.

      Updated the date.

   -12 : Twelfth revision of the WG ID.

      Updated the date.

   -13 : Nothing new.

      Updated the date.

   -14 : Fourteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 3.

      Updated the section on Compendium of Approved ITU-T Security
      Definitions.

      Updated the section on the Microsoft glossary.

      Updated the section on the SANS glossary.

      Added the NIST Security glossary.

      Added dates to all glossaries - where I could find them.

      Added the SANS Reading Room material to Section 5.

   -15 : Fifteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 4.  Several
      changes made.

      Removed WS-I as they have merged with OASIS.

      Added TM Forum.

   -16 : Sixteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 5.  Several
      changes made.

   Note: This section will be removed before publication as an RFC.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1182
   Email: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1720
   Email: dspak@cisco.com
