Network Working Group                                          C. Lonvick
Internet-Draft                                                     D. Spak
Intended status: Informational                               Cisco Systems
Expires: April 20, 2013                                   October 17, 2012

              Security Best Practices Efforts and Documents
                      draft-ietf-opsec-efforts-19.txt

Abstract

   This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 20, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
       3.1.  ATIS Telecom Glossary 2007
       3.2.  Internet Security Glossary - RFC 4949
       3.3.  Compendium of Approved ITU-T Security Definitions
       3.4.  Microsoft Malware Protection Center
       3.5.  SANS Glossary of Security Terms
       3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler
       3.7.  NIST - Glossary of Key Information Security Terms
   4.  Standards Developing Organizations
       4.1.  3GPP - Third Generation Partnership Project
       4.2.  3GPP2 - Third Generation Partnership Project 2
       4.3.  ANSI - The American National Standards Institute
             4.3.1.  Accredited Standards Committee X9 (ASC X9)
       4.4.  ATIS - Alliance for Telecommunications Industry Solutions
             4.4.1.  ATIS NPRQ - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1
             4.4.2.  ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P
       4.5.  CC - Common Criteria
       4.6.  DMTF - Distributed Management Task Force, Inc.
       4.7.  ETSI - The European Telecommunications Standard Institute
             4.7.1.  ETSI SEC
             4.7.2.  ETSI OCG SEC
       4.8.  GGF - Global Grid Forum
             4.8.1.  Global Grid Forum Security Area
       4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.
             4.9.1.  IEEE Computer Society's Technical Committee on Security and Privacy
       4.10.  IETF - The Internet Engineering Task Force
             4.10.1.  IETF Security Area
       4.11.  INCITS - InterNational Committee for Information Technology Standards
             4.11.1.  Identification Cards and Related Devices (B10)
             4.11.2.  Cyber Security (CS1)
             4.11.3.  Biometrics (M1)
       4.12.  ISO - The International Organization for Standardization
       4.13.  ITU - International Telecommunication Union
             4.13.1.  ITU Telecommunication Standardization Sector - ITU-T
             4.13.2.  ITU Radiocommunication Sector - ITU-R
             4.13.3.  ITU Telecom Development - ITU-D
       4.14.  OASIS - Organization for the Advancement of Structured Information Standards
       4.15.  OIF - Optical Internetworking Forum
             4.15.1.  OAM&P Working Group
       4.16.  National Security Telecommunications Advisory Committee (NSTAC)
       4.17.  TIA - The Telecommunications Industry Association
             4.17.1.  APCO Project 25 Public Safety Standards
       4.18.  TTA - Telecommunications Technology Association
       4.19.  The World Wide Web Consortium
       4.20.  TM Forum
             4.20.1.  Security Management
   5.  Security Best Practices Efforts and Documents
       5.1.  3GPP - SA3 - Security
       5.2.  3GPP2 - TSG-S Working Group 4 (Security)
       5.3.  ATIS-0300276.2008 - Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane
       5.4.  DMTF - Security Modeling Working Group
       5.5.  Common Criteria
       5.6.  ETSI
       5.7.  Operational Security Requirements for IP Network Infrastructure : Advanced Requirements
       5.8.  ISO JTC 1/SC 27 - Information security Technology techniques
       5.9.  ITU-T Study Group 2
       5.10.  ITU-T Study Group 17
       5.11.  NRIC VII Focus Groups
       5.12.  OASIS Security Technical Committees
       5.13.  OIF Implementation Agreements
       5.14.  TIA - Critical Infrastructure Protection (CIP) and Homeland Security (HS)
       5.15.  NIST Special Publications (800 Series)
       5.16.  NIST Interagency or Internal Reports (NISTIRs)
       5.17.  NIST ITL Security Bulletins
       5.18.  SANS Information Security Reading Room
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   Authors' Addresses

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply.
   Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level of this availability to its users, or even improving it. These SDO efforts usually define themselves as "security" efforts. It is the opinion of the authors that there are many different definitions of the term "security" and it may be applied in many diverse ways. As such, we offer no assurance that the term is applied consistently throughout this document.

   Many of these SDOs have diverse charters and goals and will take entirely different directions in their efforts to provide standards. However, even with that, there will be overlaps in their produced works. If there are overlaps then there is a potential for conflicts and confusion. This may result in:

      Vendors of networking equipment who are unsure of which standard to follow.

      Purchasers of networking equipment who are unsure of which standard will best apply to the needs of their business or organization.

      Network Administrators and Operators unsure of which standard to follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an interest in producing or in consuming standards relating to good security practices to be consistent in their approach and their recommendations. In many cases, the authors are aware that the SDOs are making good efforts along these lines. However, the authors do not participate in all SDO efforts and cannot know everything that is happening.
   The OpSec Working Group met at the 61st IETF and agreed that this document could be a useful reference in producing the documents described in the Working Group Charter. The authors have agreed to keep this document current and request that those who read it will submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group or directly to the authors.

      opsec@ops.ietf.org

   This document will be updated in sections. The most recently updated part of this document is Section 4.

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistent usage of words across standards is unacceptable, as it would prevent a reader of two standards from appropriately relating their recommendations. The authors of this document have not reviewed the definitions of the words in the listed glossaries, so can offer no assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to be working on security standards.

   The third part, Section 5, lists the documents which have been found to offer good practices or recommendations for securing networks and networking devices.

   The text used in Sections 3, 4, and 5 has been copied from the referenced web sites. The authors make no claim about the validity or accuracy of the information listed.

3.  Online Security Glossaries

   This section contains references to glossaries of network and computer security terms.

3.1.  ATIS Telecom Glossary 2007

   http://www.atis.org/tg2k/

   This Glossary began as a 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms. Federal Standard 1037C was updated and matured into an American National Standard (ANS): T1.523-2001, Telecom Glossary 2000, under the aegis of ASC T1. In turn, T1.523-2001 has been revised and redesignated under the ATIS procedures for ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007.

   Date published: 2007

3.2.  Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

   This document was originally created as RFC 2828 in May 2000. It was revised as RFC 4949 and the document defines itself to be, "an internally consistent, complementary set of abbreviations, definitions, explanations, and recommendations for use of terminology related to information system security."

   Date published: August 2007

3.3.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   Addendum to the Compendium of the Approved ITU-T Security-related Definitions

   These extensive materials were created from approved ITU-T Recommendations with a view toward establishing a common understanding and use of security terms within ITU-T. The original Compendium was compiled by SG 17, Lead Study Group on Communication Systems Security (LSG-CSS).

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Date published: 2003

3.4.  Microsoft Malware Protection Center

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Malware Protection Center, Threat Research and Response Glossary was created to explain the concepts, technologies, and products associated with computer security.

   Date published: indeterminate

3.5.  SANS Glossary of Security Terms

   http://www.sans.org/security-resources/glossary-of-terms/

   The SANS Institute (SysAdmin, Audit, Network, Security) was created in 1989 as, "a cooperative research and education organization." This glossary was updated in May 2003. The SANS Institute is also home to many other resources including the SANS Intrusion Detection FAQ and the SANS/FBI Top 20 Vulnerabilities List.

   Date published: indeterminate

3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, 800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, RFC2647, RFC2828, TCSEC, TDI, and TNI.

   Date updated: October 2010

3.7.  NIST - Glossary of Key Information Security Terms

   http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf

   This glossary of basic security terms has been extracted from NIST Federal Information Processing Standards (FIPS) and the Special Publication (SP) 800 series. The terms included are not all inclusive of terms found in these publications, but are a subset of basic terms that are most frequently used. The purpose of this glossary is to provide a central resource of definitions most commonly used in NIST security publications.

   Date originally published: April 2006

   Date of this update: February 2100

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that appear to be developing security related standards. These SDOs are listed in alphabetical order.
   Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC.

4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) unites [Six] telecommunications standards bodies, known as "Organizational Partners" and provides their members with a stable environment to produce the highly successful Reports and Specifications that define 3GPP technologies.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   The Third Generation Partnership Project 2 (3GPP2) is:

      a collaborative third generation (3G) telecommunications specifications-setting project

      comprising North American and Asian interests developing global specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication Intersystem Operations network evolution to 3G

      and global specifications for the radio transmission technologies (RTTs) supported by ANSI/TIA/EIA-41.

   3GPP2 was born out of the International Telecommunication Union's (ITU) International Mobile Telecommunications "IMT-2000" initiative, covering high speed, broadband, and Internet Protocol (IP)-based mobile systems featuring network-to-network interconnection, feature/service transparency, global roaming and seamless services independent of location. IMT-2000 is intended to bring high-quality mobile multimedia telecommunications to a worldwide mass market by achieving the goals of increasing the speed and ease of wireless communications, responding to the problems faced by the increased demand to pass data via telecommunications, and providing "anytime, anywhere" services.

4.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   As the voice of the U.S. standards and conformity assessment system, the American National Standards Institute (ANSI) empowers its members and constituents to strengthen the U.S. marketplace position in the global economy while helping to assure the safety and health of consumers and the protection of the environment.

   The Institute oversees the creation, promulgation and use of thousands of norms and guidelines that directly impact businesses in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accrediting programs that assess conformance to standards - including globally-recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environmental) management systems.

4.3.1.  Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to develop, establish, maintain, and promote standards for the Financial Services Industry in order to facilitate the delivery of financial services and products. Under this mission ASC X9 fulfills the objectives of: (1) Supporting (maintain, enhance, and promote use of) existing standards; (2) Facilitating development of new, open standards based upon consensus; (3) Providing a common source for all standards affecting the Financial Services Industry; (4) Focusing on current and future standards needs of the Financial Services Industry; (5) Promoting use of Financial Services Industry standards; and (6) Participating and promoting the development of international standards.

4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS member companies develop the standards and solutions that are creating the future of the information and communications technology (ICT) industry. From efforts to realize the cost benefits of cloud services, to standards underpinning the nation's emergency communications system, to improvements in data access to support health care delivery, or developing new avenues to interactive sources of entertainment, ATIS' work makes ICT innovation possible.

   Through involvement in our committees and forums, ATIS member companies achieve their technical potential and business objectives. They also get a strategic view of the future of technology to help them better position their products and services. ATIS members further benefit from valuable networking opportunities with other companies leading change in our industry, as well as the insights of leading CIOs, CTOs and other thought leaders.

   ATIS gives our members a place at the table where today's ICT standards decisions are being made. Our work helps members prepare for when the future becomes today. And, with the fast pace of innovation, the gap between today's technologies and tomorrow's networks is all but disappearing.

   ATIS creates solutions that support the rollout of new products and services into the information, entertainment and communications marketplace. Its activities provide the basis for the industry's delivery of:

      Existing and next generation IP-based infrastructures;

      Reliable converged multimedia services, including IPTV;

      Enhanced Operations Support Systems and Business Support Systems; and

      Greater levels of service quality and performance.

   ATIS is accredited by the American National Standards Institute (ANSI).
4.4.1.  ATIS NPRQ - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   PRQC develops and recommends standards, requirements, and technical reports related to the performance, reliability, and associated security aspects of communications networks, as well as the processing of voice, audio, data, image, and video signals, and their multimedia integration. PRQC also develops and recommends positions on, and fosters consistency with, standards and related subjects under consideration in other North American and international standards bodies.

   PRQC Focus Areas are:

      Performance and Reliability of Networks (e.g. IP, ATM, OTN, and PSTN), and Services (e.g. Frame Relay, Dedicated and Switched Data),

      Security-related aspects,

      Emergency communications-related aspects,

      Coding (e.g. video and speech), at and between carrier-to-carrier and carrier-to-customer interfaces, with due consideration of end-user applications.

4.4.2.  ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   The Telecom Management and Operations Committee (TMOC) develops operations, administration, maintenance and provisioning standards, and other documentation related to Operations Support System (OSS) and Network Element (NE) functions and interfaces for communications networks - with an emphasis on standards development related to U.S.A. communication networks in coordination with the development of international standards.
   The scope of the work in TMOC includes the development of standards and other documentation for communications network operations and management areas, such as: Configuration Management, Performance Management (including in-service transport performance management), Fault Management, Security Management (including management plane security), Accounting Management, Coding/Language Data Representation, Common/Underlying Management Functionality/Technology, and Ancillary Functions (such as network tones and announcements). This work requires close and coordinated working relationships with other domestic and international standards development organizations and industry forums.

4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

      Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

      Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

      The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;

      These certificates are recognized by all the signatories of the CCRA.

   The CC is the driving force for the widest available mutual recognition of secure IT products.
This web portal is available to 526 support the information on the status of the CCRA, the CC and the 527 certification schemes, licensed laboratories, certified products and 528 related information, news and events. 530 4.6. DMTF - Distributed Management Task Force, Inc. 532 http://www.dmtf.org/ 534 DMTF enables more effective management of millions of IT systems 535 worldwide by bringing the IT industry together to collaborate on the 536 development, validation and promotion of systems management 537 standards. 539 The group spans the industry with 160 member companies and 540 organizations, and more than 4,000 active participants crossing 43 541 countries. The DMTF board of directors is led by 15 innovative, 542 industry-leading technology companies. They include Advanced Micro 543 Devices (AMD); Broadcom Corporation; CA, Inc.; Cisco; Citrix Systems, 544 Inc.; EMC; Fujitsu; HP; Huawei; IBM; Intel Corporation; Microsoft 545 Corporation; Oracle; RedHat and VMware, Inc. 547 With this deep and broad reach, DMTF creates standards that enable 548 interoperable IT management. DMTF management standards are critical 549 to enabling management interoperability among multi-vendor systems, 550 tools and solutions within the enterprise. 552 4.7. ETSI - The European Telecommunications Standard Institute 554 http://www.etsi.org/ 555 The European Telecommunications Standards Institute (ETSI) produces 556 globally-applicable standards for Information and Communications 557 Technologies (ICT), including fixed, mobile, radio, converged, 558 broadcast and internet technologies. 560 We are officially recognized by the European Union as a European 561 Standards Organization. The high quality of our work and our open 562 approach to standardization has helped us evolve into a European 563 roots - global branches operation with a solid reputation for 564 technical excellence. 566 4.7.1. 
ETSI SEC 568 http://portal.etsi.org/portal/server.pt/gateway/ 569 PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp 571 Board#38 confirmed the closure of TC SEC. 573 At the same time it approved the creation of an OCG Ad Hoc group OCG 574 Security 576 TC SEC documents can be found in the SEC archive 578 The SEC Working groups (ESI and LI) were closed and TC ESI and a TC 579 LI were created to continue the work. 581 All documents and information relevant to ESI and LI are available 582 from the TC ESI and TC LI sites 584 4.7.2. ETSI OCG SEC 586 http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp 588 The creation of the OCG SEC was decided at the Board #38 on 30 May 589 2002. The group's primary role is to provide a horizontal co- 590 ordination structure for security issues that will ensure this work 591 is seriously considered in each ETSI TB and that any duplicate or 592 conflicting work is detected. To achieve this aim the group should 593 mainly conduct its work via email and, where appropriate, co-sited 594 "joint security" technical working meetings. 596 When scheduled, appropriate time at each "joint SEC" meeting should 597 be allocated during the meetings to allow for: 599 Individual committee activities as well as common work; 601 Coordination between the committees; and 602 Experts to contribute to more than one committee. 604 4.8. GGF - Global Grid Forum 606 http://www.gridforum.org/ 608 OGF is an open community committed to driving the rapid evolution and 609 adoption of applied distributed computing. Applied Distributed 610 Computing is critical to developing new, innovative and scalable 611 applications and infrastructures that are essential to productivity 612 in the enterprise and within the science community. OGF accomplishes 613 its work through open forums that build the community, explore 614 trends, share best practices and consolidate these best practices 615 into standards. 617 4.8.1. 
Global Grid Forum Security Area 619 http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7 621 The Security Area is concerned with technical and operational 622 security issues in Grid environments, including authentication, 623 authorization, privacy, confidentiality, auditing, firewalls, trust 624 establishment, policy establishment, and dynamics, scalability and 625 management aspects of all of the above. 627 The Security Area is comprised of the following Working Groups and 628 Research Groups. 630 Certificate Authority Operations WG (CAOPS-WG) 632 Firewall Issues RG (FI-RG) 634 Levels Of Authentication Assurance Research Group (LOA-RG) 636 OGSA Authorization WG (OGSA-AUTHZ-WG) 638 4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc. 640 http://www.ieee.org/ 642 IEEE is the world's largest professional association dedicated to 643 advancing technological innovation and excellence for the benefit of 644 humanity. IEEE and its members inspire a global community through 645 IEEE's highly cited publications, conferences, technology standards, 646 and professional and educational activities. 648 4.9.1. IEEE Computer Society's Technical Committee on Security and 649 Privacy 651 http://www.ieee-security.org/ 653 4.10. IETF - The Internet Engineering Task Force 655 http://www.ietf.org/ 657 The goal of the IETF is to make the Internet work better. 659 The mission of the IETF is to make the Internet work better by 660 producing high quality, relevant technical documents that influence 661 the way people design, use, and manage the Internet. 663 4.10.1. IETF Security Area 665 The Working Groups in the Security Area may be found from this page. 667 http://datatracker.ietf.org/wg/ 669 The wiki page for the IETF Security Area may be found here. 671 http://trac.tools.ietf.org/area/sec/trac/wiki 673 4.11. INCITS - InterNational Committee for Information Technology 674 Standards 676 http://www.incits.org/ 678 INCITS is the primary U.S. 
focus of standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.  As such, INCITS also serves as ANSI's Technical
   Advisory Group for ISO/IEC Joint Technical Committee 1.  JTC 1 is
   responsible for international standardization in the field of
   Information Technology.

   There are three active groups in the Security / ID Technical
   Committee.

4.11.1. Identification Cards and Related Devices (B10)

   http://standards.incits.org/a/public/group/b10

   Development of national and international standards in the area of
   identification cards and related devices for use in inter-industry
   applications and international interchange.

4.11.2. Cyber Security (CS1)

   http://standards.incits.org/a/public/group/cs1

   INCITS/CS1 was established in April 2005 to serve as the US TAG for
   ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups.

   The scope of CS1 explicitly excludes the areas of work on cyber
   security standardization presently underway in INCITS B10, M1, T3,
   T10 and T11, as well as in other standards groups such as ATIS,
   IEEE, IETF, TIA, and X9.

4.11.3. Biometrics (M1)

   http://standards.incits.org/a/public/group/m1

   INCITS/M1, the Biometrics Technical Committee, was established by the
   Executive Board of INCITS in November 2001 to ensure a high priority,
   focused, and comprehensive approach in the United States for the
   rapid development and approval of formal national and international
   generic biometric standards.  The M1 program of work includes
   biometric standards for data interchange formats, common file
   formats, application program interfaces, profiles, and performance
   testing and reporting.
The goal of M1's work is to accelerate the deployment of
   significantly better, standards-based security solutions for purposes
   such as homeland defense and the prevention of identity theft, as
   well as other government and commercial applications based on
   biometric personal authentication.

4.12. ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO (International Organization for Standardization) is the world's
   largest developer and publisher of International Standards.

   ISO is a network of the national standards institutes of 163
   countries, one member per country, with a Central Secretariat in
   Geneva, Switzerland, that coordinates the system.

   ISO is a non-governmental organization that forms a bridge between
   the public and private sectors.  On the one hand, many of its member
   institutes are part of the governmental structure of their countries,
   or are mandated by their government.  On the other hand, other
   members have their roots uniquely in the private sector, having been
   set up by national partnerships of industry associations.

   Therefore, ISO enables a consensus to be reached on solutions that
   meet both the requirements of business and the broader needs of
   society.

4.13. ITU - International Telecommunication Union

   http://www.itu.int/

   ITU (International Telecommunication Union) is the United Nations
   specialized agency for information and communication technologies
   (ICTs).

   ITU allocates global radio spectrum and satellite orbits, develops
   the technical standards that ensure networks and technologies
   seamlessly interconnect, and strives to improve access to ICTs for
   underserved communities worldwide.

   ITU is committed to connecting all the world's people - wherever they
   live and whatever their means.  Through its work, ITU protects and
   supports everyone's fundamental right to communicate.
   The ITU consists of three sectors:

4.13.1. ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T Recommendations are defining elements in information and
   communication technologies (ICTs) infrastructure.  Whether we
   exchange voice, data or video messages, communications cannot take
   place without standards linking the sender and the receiver.  Today's
   work extends well beyond the traditional areas of telephony to
   encompass a far wider range of information and communications
   technologies.

4.13.2. ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU Radiocommunication Sector (ITU-R) plays a vital role in the
   global management of the radio-frequency spectrum and satellite
   orbits - limited natural resources which are increasingly in demand
   from a large and growing number of services such as fixed, mobile,
   broadcasting, amateur, space research, emergency telecommunications,
   meteorology, global positioning systems, environmental monitoring and
   communication services - that ensure safety of life on land, at sea
   and in the skies.

4.13.3. ITU Telecommunication Development Sector - ITU-D

   (also referred to as the ITU Telecommunication Development Bureau -
   BDT)

   http://www.itu.int/ITU-D/

   The mission of the Telecommunication Development Sector (ITU-D) is to
   achieve the Sector's objectives, which are based on the right of all
   inhabitants of the planet to communicate through access to
   infrastructure and information and communication services.

   In this regard, the mission is to:

      Assist countries in the field of information and communication
      technologies (ICTs), in facilitating the mobilization of
      technical, human and financial resources needed for their
      implementation, as well as in promoting access to ICTs.

      Promote the extension of the benefits of ICTs to all the world's
      inhabitants.
      Promote and participate in actions that contribute towards
      narrowing the digital divide.

      Develop and manage programmes that facilitate information flow
      geared to the needs of developing countries.

   The mission encompasses ITU's dual responsibility as a United Nations
   specialized agency and an executing agency for implementing projects
   under the United Nations development system or other funding
   arrangements.

4.14. OASIS - Organization for the Advancement of Structured
      Information Standards

   http://www.oasis-open.org/

   OASIS (Organization for the Advancement of Structured Information
   Standards) is a not-for-profit consortium that drives the
   development, convergence and adoption of open standards for the
   global information society.  The consortium produces more Web
   services standards than any other organization, along with standards
   for security, e-business, and standardization efforts in the public
   sector and for application-specific markets.  Founded in 1993, OASIS
   has more than 5,000 participants representing over 600 organizations
   and individual members in 100 countries.

   OASIS promotes industry consensus and produces worldwide standards
   for security, Cloud computing, SOA, Web services, the Smart Grid,
   electronic publishing, emergency management, and other areas.  OASIS
   open standards offer the potential to lower cost, stimulate
   innovation, grow global markets, and protect the right of free choice
   of technology.

   OASIS has several Technical Committees in the Security Category.

   http://www.oasis-open.org/committees/tc_cat.php?cat=security

4.15.
OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   "The Optical Internetworking Forum (OIF) promotes the development and
   deployment of interoperable networking solutions and services through
   the creation of Implementation Agreements (IAs) for optical
   networking products, network processing elements, and component
   technologies.  Implementation agreements will be based on
   requirements developed cooperatively by end-users, service providers,
   equipment vendors and technology providers, and aligned with
   worldwide standards, augmented if necessary.  This is accomplished
   through industry member participation working together to develop
   specifications (IAs) for:

      External network element interfaces

      Software interfaces internal to network elements

      Hardware component interfaces internal to network elements

   The OIF will create Benchmarks, perform worldwide interoperability
   testing, build market awareness and promote education for
   technologies, services and solutions.  The OIF will provide feedback
   to worldwide standards organizations to help achieve a set of
   implementable, interoperable solutions."

4.15.1. OAM&P Working Group

   http://www.oiforum.com/public/oamp.html

   In concert with the Carrier, Architecture & Signaling and other OIF
   working groups, the Operations, Administration, Maintenance, &
   Provisioning (OAM&P) working group develops architectures,
   requirements, guidelines, and implementation agreements critical to
   widespread deployment of interoperable optical networks by carriers.
   The scope includes but is not limited to a) planning, engineering and
   provisioning of network resources; b) operations, maintenance or
   administration use cases and processes; and c) management
   functionality and interfaces for operations support systems and
   interoperable network equipment.
   Within its scope are Fault, Configuration, Accounting, Performance
   and Security Management (FCAPS) and Security.  The OAM&P working
   group will also account for work by related standards development
   organizations (SDOs), identify gaps and formulate OIF input to other
   SDOs as may be appropriate.

4.16. National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   Meeting the United States' critical national security and emergency
   preparedness (NS/EP) challenges demands attention to many issues.
   Among these, none could be more important than the availability and
   reliability of telecommunication services.  The mission of the
   President's National Security Telecommunications Advisory Committee
   (NSTAC) is to provide the U.S. Government the best possible industry
   advice in these areas.

4.17. TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   The Telecommunications Industry Association (TIA) is the leading
   trade association representing the global information and
   communications technology (ICT) industry through Standards
   development, Policy initiatives, business opportunities, market
   intelligence and networking events.  With support from hundreds of
   members, TIA enhances the business environment for companies involved
   in telecom, broadband, mobile wireless, information technology,
   networks, cable, satellite, unified communications, emergency
   communications and the greening of technology.  TIA is accredited by
   ANSI.

4.17.1.
APCO Project 25 Public Safety Standards

   http://www.tiaonline.org/all-standards/committees/tr-8

   Recognizing the need for common standards for first responders and
   homeland security/emergency response professionals, representatives
   from the Association of Public Safety Communications Officials
   International (APCO), the National Association of State
   Telecommunications Directors (NASTD), selected federal agencies and
   the National Communications System (NCS) established Project 25, a
   steering committee for selecting voluntary common system standards
   for digital public safety radio communications.  TIA TR-8
   facilitates such work through its role as an ANSI-accredited
   Standards Development Organization (SDO) and has developed in TR-8
   the 102 series of technical documents.  These standards directly
   address the guidelines of the Communications Assistance for Law
   Enforcement Act (CALEA).

4.18. TTA - Telecommunications Technology Association

   http://www.tta.or.kr/

   http://www.tta.or.kr/English/index.jsp (English)

   The purpose of TTA is to contribute to the advancement of technology
   and the promotion of information and telecommunications services and
   industry, as well as the development of the national economy, by
   effectively establishing and providing technical standards that
   reflect the latest domestic and international technological advances
   needed for the planning, design and operation of global end-to-end
   telecommunications and related information services, in close
   collaboration with companies, organizations and groups concerned with
   information and telecommunications such as network operators, service
   providers, equipment manufacturers, academia, R&D institutes, etc.

4.19.
The World Wide Web Consortium

   http://www.w3.org/Consortium/

   The World Wide Web Consortium (W3C) is an international community
   where Member organizations, a full-time staff, and the public work
   together to develop Web standards.  Led by Web inventor Tim
   Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web
   to its full potential.

   http://www.w3.org/Security/

   Security online is a vast field that is being worked on by a number
   of organizations, including W3C.  Mapping the entire field would be a
   huge endeavor; hence, the W3C Security page focuses on work that W3C
   is involved in.

   The traditional W3C Security Resources page is no longer maintained,
   but remains online for archival purposes.

   The Web Security Wiki serves as a place for interested parties in the
   Web security community to collect information about security aspects
   of specifications and implementations of Web technologies.

4.20. TM Forum

   http://www.tmforum.org/

   TM Forum is a global, non-profit industry association focused on
   simplifying the complexity of running a service provider's business.
   As an established industry thought-leader, the Forum serves as a
   unifying force, enabling more than 850 companies across 195 countries
   to solve critical business issues through access to a wealth of
   knowledge, intellectual capital and standards.

4.20.1. Security Management

   http://www.tmforum.org/SecurityManagement/9152/home.html

   Securing networks, cyber, clouds, and identity against evolving and
   ever present threats has emerged as a top priority for TM Forum
   members.  In response, the TM Forum's Security Management Initiative
   was formally launched in 2009.
   While some of the Forum's Security Management efforts, such as
   Identity Management, are well established and boast mature Business
   Agreements and Interfaces, a series of presentations, contributions,
   and multi-vendor technology demonstrations have jump-started work on
   the industry hot topics of Network Defense, Cyber Security, and
   security for single- and multi-regional enterprise application cloud
   bursting.  The Forum's aim is to produce rich Security Management
   frameworks, best practices, and guidebooks.

5. Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1. 3GPP - SA3 - Security

   http://www.3gpp.org/SA3-Security

   The WG is responsible for security in 3GPP systems, determining the
   security requirements, and specifying the security architectures and
   protocols.  The WG also ensures the availability of cryptographic
   algorithms which need to be part of the specifications.  The sub-WG
   SA3-LI provides the requirements and specifications for lawful
   interception in 3GPP systems.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

5.2. 3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications.  It is also responsible for high level
   architectural issues, as required, to coordinate service development
   across the various TSGs.  In this role, the Services and Systems TSG
   shall track the activities within the various TSGs, as required, to
   meet the above service requirements.
   More specifically, TSG-S will address the following areas of work:
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.

   TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/tsgs.cfm

5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and
     Provisioning Security Requirements for the Public
     Telecommunications Network: A Baseline of Security Requirements
     for the Management Plane

   This document contains both the published and redline versions of
   ATIS-0300276.2008.  This standard contains a set of baseline security
   requirements for the management plane.  The requirements outlined in
   this standard allow equipment/system suppliers, government
   departments and agencies, and service providers to implement a secure
   telecommunications management infrastructure.

   Documents: http://www.atis.org/docstore/product.aspx?id=24660

5.4. DMTF - Security Modeling Working Group

   http://www.dmtf.org/sites/default/files/SecurityWGCharter.pdf

   The Security Modeling Working Group of the Schema Subcommittee is
   responsible for developing the models and profiles required to
   provide interoperable security management interfaces for
   implementations, including the enabling of configuration and
   management of authentication, authorization, and auditing services.

   The operational security requirements for protocols and management
   initiatives are not addressed by this work group and should be
   addressed by the working groups responsible for them.  Management of
   the underlying security capabilities utilized by such protocols and
   initiatives is addressed by this work group (for example: interfaces
   for the management of keys and certificates).

5.5.
Common Criteria

   http://www.commoncriteriaportal.org/

   The Common Criteria for Information Technology Security Evaluation
   (CC), and the companion Common Methodology for Information Technology
   Security Evaluation (CEM), are the technical basis for an
   international agreement, the Common Criteria Recognition Agreement
   (CCRA), which ensures that:

      Products can be evaluated by competent and independent licensed
      laboratories so as to determine the fulfilment of particular
      security properties, to a certain extent or assurance;

      Supporting documents are used within the Common Criteria
      certification process to define how the criteria and evaluation
      methods are applied when certifying specific technologies;

      The certification of the security properties of an evaluated
      product can be issued by a number of Certificate Authorizing
      Schemes, with this certification being based on the result of
      their evaluation;

      These certificates are recognized by all the signatories of the
      CCRA.

   The CC is the driving force for the widest available mutual
   recognition of secure IT products.  The web portal provides
   information on the status of the CCRA, the CC and the certification
   schemes, licensed laboratories, certified products and related
   information, news and events.

5.6. ETSI

   TC SEC

   http://portal.etsi.org/portal/server.pt/gateway/
   PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

   Board #38 confirmed the closure of TC SEC.

   At the same time it approved the creation of an OCG Ad Hoc group, OCG
   Security.

   TC SEC documents can be found in the SEC archive (members login
   required).

   The SEC Working Groups (ESI and LI) were closed, and a TC ESI and a
   TC LI were created to continue the work.
   All documents and information relevant to ESI and LI are available
   from the TC ESI and TC LI sites:

   TC ESI: http://portal.etsi.org/portal/server.pt/community/ESI/307

   TC LI: http://portal.etsi.org/portal/server.pt/community/LI/318

   OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

   The group's primary role is to provide a light-weight horizontal
   co-ordination structure for security issues that will ensure this
   work is seriously considered in each ETSI TB and that any duplicate
   or conflicting work is detected.  To achieve this aim the group
   should mainly conduct its work via email and, where appropriate,
   co-sited "joint security" technical working meetings.

   OCG documents may be found here:

   http://portal.etsi.org/ocg/Summary.asp (members login required)

5.7. Operational Security Requirements for IP Network Infrastructure:
     Advanced Requirements

   IETF RFC 3871

   Abstract: This document defines a list of operational security
   requirements for the infrastructure of large ISP IP networks (routers
   and switches).  A framework is defined for specifying "profiles",
   which are collections of requirements applicable to certain network
   topology contexts (all, core-only, edge-only...).  The goal is to
   provide network operators a clear, concise way of communicating their
   security requirements to vendors.

   Documents:

   http://www.rfc-editor.org/rfc/rfc3871.txt

5.8.
ISO/IEC JTC 1/SC 27 - IT Security techniques

   http://www.iso.org/iso/iso_catalogue/catalogue_tc/
   catalogue_tc_browse.htm?commid=45306

   Several security related ISO projects under JTC 1/SC 27 are listed
   here, such as:

      IT Security techniques -- Message Authentication Codes (MACs)

      IT Security techniques -- Key management

      IT Security techniques -- Entity authentication

      IT Security techniques -- Hash-functions

      IT Security techniques -- Non-repudiation

      IT Security techniques -- IT network security

5.9. ITU-T Study Group 2

   http://www.itu.int/ITU-T/studygroups/com02/index.asp

   Security related recommendations currently under study:
   http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2

5.10. ITU-T Study Group 17

   http://www.itu.int/ITU-T/studygroups/com17/index.asp

   Security related recommendations currently under study:
   http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

   The ICT Security Standards Roadmap
   http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

   This ICT Security Standards Roadmap has been developed to assist in
   the development of security standards by bringing together
   information about existing standards and current standards work in
   key standards development organizations.

   In addition to aiding the process of standards development, the
   Roadmap will provide information that will help potential users of
   security standards, and other standards stakeholders, gain an
   understanding of what standards are available or under development as
   well as the key organizations that are working on these standards.

   The Roadmap was initiated by ITU-T Study Group 17.
   In January 2007 the initiative became a collaborative effort when the
   European Network and Information Security Agency (ENISA) and the
   Network and Information Security Steering Group (NISSG) joined Study
   Group 17 in the project.

   The Roadmap is in five parts:

   Part 1: ICT Standards Development Organizations and Their Work
   http://www.itu.int/ITU-T/studygroups/com17/ict/part01.html

   Part 1 contains information about the Roadmap structure and about
   each of the listed standards organizations, their structure and the
   security standards work being undertaken.  In addition it contains
   information on terminology by providing links to existing security
   glossaries and vocabularies.

   Part 2: Approved ICT Security Standards
   http://www.itu.int/ITU-T/studygroups/com17/ict/part02.html

   Part 2 contains a summary catalogue of approved standards.

   Part 3: Security standards under development
   http://www.itu.int/ITU-T/studygroups/com17/ict/part03.html

   Part 3 is structured with the same taxonomy as Part 2 but contains
   work in progress, rather than standards that have already been
   approved and published.  Part 3 will also contain information on
   inter-relationships between groups undertaking the work and on
   potential overlaps between existing projects.

   Part 4: Future needs and proposed new security standards
   http://www.itu.int/ITU-T/studygroups/com17/ict/part04.html

   Part 4 is intended to capture possible future areas of security
   standards work where gaps or needs have been identified, as well as
   areas where proposals have been made for specific new standards work.

   Part 4 includes provision for direct feedback, comments and
   suggestions.

   Part 5: Best practices
   http://www.itu.int/ITU-T/studygroups/com17/ict/part05.html

   Part 5 is a recent addition to the Roadmap (May 2007).
   It is intended to be a repository of security-related best practices
   contributed by the ITU-T community of members.

   This section will be based on contributions from the security
   community.

   Where possible, contributions should refer to best practices relating
   to standards-based security, but other best practices will be
   considered for inclusion.

   It is important to note that the Roadmap is a work-in-progress.  It
   is intended that it be developed and enhanced to include other
   standards organizations as well as a broader representation of the
   work from organizations already included.  It is hoped that standards
   organizations whose work is not represented in this version of the
   Roadmap will provide information to ITU-T about their work so that it
   may be included in future editions.

   In May 2007, Part 2 of the Roadmap was converted to a searchable
   database format that allows direct links to the information of
   participating standards organizations.  The database format will
   allow each participating organization to manage its own data within
   the Roadmap.  This will enable more timely updating of the
   information and will also reduce the overhead in maintaining the
   information.

   http://www.itu.int/ITU-T/security/main_table.aspx

5.11. NRIC VII Focus Groups

   http://www.nric.org/fg/index.html

   The mission of the NRIC is to partner with the Federal Communications
   Commission, the communications industry and public safety to
   facilitate enhancement of emergency communications networks, homeland
   security, and best practices across the burgeoning telecommunications
   industry.

   By December 16, 2005, the Council shall present a final report that
   describes, in detail, any additions, deletions, or modifications that
   should be made to the Homeland Security Best Practices that were
   adopted by the preceding Council.
   Documents in Focus Group 2: Homeland Security, Subcommittee 2.B:
   Cyber Security:

      Focus Group 2B Report - Homeland Security Cyber Security Best
      Practices, Published 06-Dec-2004

      Focus Group 2B Report Appendices, Published 06-Dec-2004

      Focus Group 2B Final Report - Summary of Activities, Guidance and
      Cybersecurity Issues, Published 16-Dec-2005

      Focus Group 2B Final Best Practices, Published 16-Dec-2005

5.12. OASIS Security Technical Committees

   Many Technical Committees have produced standards.

   http://www.oasis-open.org/committees/tc_cat.php?cat=security

5.13. OIF Implementation Agreements

   The OIF has 3 approved and in-force Implementation Agreements (IAs)
   relating to security.  They are:

      OIF-SEP-03.0 - Security Extension for UNI and E-NNI 2.0 (Nov 2010)
      http://www.oiforum.com/public/documents/OIF-SEP-03.0.pdf

      OIF-SMI-01.0 - Security for Management Interfaces to Network
      Elements (September 2003)
      http://www.oiforum.com/public/documents/SecurityMgmt-IA.pdf

      OIF-SMI-02.1 - Addendum to the Security for Management Interfaces
      to Network Elements (March 2006)
      http://www.oiforum.com/public/documents/OIF-SMI-02_1.pdf

5.14. TIA - Critical Infrastructure Protection (CIP) and Homeland
      Security (HS)

   The TIA Cybersecurity Working Group advocates public policy positions
   related to the security of ICT equipment and services from a vendor
   perspective as it relates to critical infrastructure, supply chain
   and information sharing.

   http://www.tiaonline.org/policy/cybersecurity

5.15. NIST Special Publications (800 Series)

   http://csrc.nist.gov/publications/PubsSPs.html

   Special Publications in the 800 series present documents of general
   interest to the computer security community.  The Special Publication
   800 series was established in 1990 to provide a separate identity for
   information technology security publications.
   This Special Publication 800 series reports on ITL's research,
   guidelines, and outreach efforts in computer security, and its
   collaborative activities with industry, government, and academic
   organizations.

5.16. NIST Interagency or Internal Reports (NISTIRs)

   http://csrc.nist.gov/publications/PubsNISTIRs.html

   NIST Interagency or Internal Reports (NISTIRs) describe research of a
   technical nature of interest to a specialized audience.  The series
   includes interim or final reports on work performed by NIST for
   outside sponsors (both government and nongovernment).  NISTIRs may
   also report results of NIST projects of transitory or limited
   interest, including those that will be published subsequently in more
   comprehensive form.

5.17. NIST ITL Security Bulletins

   http://csrc.nist.gov/publications/PubsITLSB.html

   ITL Bulletins are published by NIST's Information Technology
   Laboratory, with most bulletins written by the Computer Security
   Division.  These bulletins are published on average six times a
   year.  Each bulletin presents an in-depth discussion of a single
   topic of significant interest to the information systems community.
   Not all published ITL Bulletins relate to computer / network
   security.  Only the computer security ITL Bulletins are found here.

5.18. SANS Information Security Reading Room

   http://www.sans.org/reading_room/

   At the time of writing, the Reading Room featured over 1,969 original
   computer security white papers in 77 different categories.

   Most of the computer security white papers in the Reading Room have
   been written by students seeking GIAC certification to fulfill part
   of their certification requirements and are provided by SANS as a
   resource to benefit the security community at large.  SANS attempts
   to ensure the accuracy of information, but papers are published "as
   is".
   Errors or inconsistencies may exist or may be introduced over time as
   material becomes dated.

6. Security Considerations

   This document describes efforts to standardize security practices and
   documents.  As such, this document offers no security guidance
   whatsoever.

   Readers of this document should be aware of the date of publication
   of this document.  It is feared that they may assume that the
   efforts, on-line material, and documents are current whereas they may
   not be.  Please consider this when reading this document.

7. IANA Considerations

   This document does not propose a standard and does not require the
   IANA to do anything.

8. Acknowledgments

   The following people have contributed to this document.  Listing
   their names here does not mean that they endorse the document, but
   that they have contributed to its substance.

   David Black, Mark Ellison, George Jones, Keith McCloghrie, John
   McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
   Moon, Stephen Kent, Steve Wolff, Bob Natale, Marek Lukaszuk.

9. Changes from Prior Drafts

   -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

   -01 : Security Glossaries:

      Added ATIS Telecom Glossary 2000, Critical Infrastructure
      Glossary of Terms and Acronyms, Microsoft Solutions for
      Security Glossary, and USC InfoSec Glossary.

      Standards Developing Organizations:

      Added DMTF, GGF, INCITS, OASIS, and WS-I

      Removal of Committee T1 and modifications to ATIS and former T1
      technical subcommittees due to the recent ATIS reorganization.
      Efforts and Documents:

      Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
      Area (SEC), INCITS Technical Committee T4 - Security
      Techniques, INCITS Technical Committee T11 - Fibre Channel
      Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
      Committee, OASIS Security Services TC, and WS-I Basic Security
      Profile.

      Updated Operational Security Requirements for IP Network
      Infrastructure: Advanced Requirements.

   -00 : as the WG ID

      Added more information about the ITU-T SG3 Q18 effort to modify
      ITU-T Recommendation M.3016.

   -01 : First revision as the WG ID.

      Added information about the NGN in the sections about ATIS, the
      NSTAC, and ITU-T.

   -02 : Second revision as the WG ID.

      Updated the date.

      Corrected some URLs and the reference to George's RFC.

   -03 : Third revision of the WG ID.

      Updated the date.

      Updated the information about the CC.

      Added a Conventions section (not sure how this document got to
      where it is without that).

   -04 : Fourth revision of the WG ID.

      Updated the date.

      Added Anne & Lynn Wheeler Taxonomy & Security Glossary.

      CIAO glossary removed.  CIAO has been absorbed by DHS and the
      glossary is no longer available.

      USC glossary removed; could not find it on the site or a
      reference to it elsewhere.

      Added TTA - Telecommunications Technology Association to SDO
      section.

      Removed ATIS Security & Emergency Preparedness Activities from
      Documents section.  Could not find it or a reference to it.

      INCITS T4 incorporated into CS1 - T4 section removed.

      X9 added to SDO list under ANSI.

      Various link or grammar fixes.

   -05 : Fifth revision of the WG ID.

      Updated the date.

      Removed the 2119 definitions; this is an informational document.

   -06 : Sixth revision of the WG ID.

      Updated the date.

      Added W3C information.

   -07 : Seventh revision of the WG ID.
      Updated the date.

   -08 : Eighth revision of the WG ID.

      Updated the reference to RFC 4949, found by Stephen Kent.

   -09 : Ninth revision of the WG ID.

      Updated the date.

   -10 : Tenth revision of the WG ID.

      Added references to NIST documents, recommended by Steve Wolff.
      Updated the date.

   -11 : Eleventh revision of the WG ID.

      Updated the date.

   -12 : Twelfth revision of the WG ID.

      Updated the date.

   -13 : Nothing new.

      Updated the date.

   -14 : Fourteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 3.

      Updated the section on Compendium of Approved ITU-T Security
      Definitions.

      Updated the section on the Microsoft glossary.

      Updated the section on the SANS glossary.

      Added the NIST Security glossary.

      Added dates to all glossaries - where I could find them.

      Added the SANS Reading Room material to Section 5.

   -15 : Fifteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 4.  Several
      changes made.

      Removed WS-I as they have merged with OASIS.

      Added TM Forum.

   -16 : Sixteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 5.  Several
      changes made.

   -17 : Seventeenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 3.  A couple
      of changes made.

   -18 : Eighteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 4.  Some
      changes made.

   -19 : Nineteenth revision of the WG ID.

      Updated the date and reviewed the accuracy of Section 5.  Some
      changes made.

   Note: This section will be removed before publication as an RFC.

Authors' Addresses

   Chris Lonvick
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1182
   Email: clonvick@cisco.com

   David Spak
   Cisco Systems
   12515 Research Blvd.
   Austin, Texas 78759
   US

   Phone: +1 512 378 1720
   Email: dspak@cisco.com