Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Intended status: Informational                             Cisco Systems
Expires: October 15, 2013                                 April 13, 2013

Security Best Practices Efforts and Documents
draft-ietf-opsec-efforts-20.txt

Abstract

This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO).

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on October 15, 2013.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Format of this Document
3. Online Security Glossaries
   3.1. ATIS Telecom Glossary 2007
   3.2. Internet Security Glossary - RFC 4949
   3.3. Compendium of Approved ITU-T Security Definitions
   3.4. Microsoft Malware Protection Center
   3.5. SANS Glossary of Security Terms
   3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler
   3.7. NIST - Glossary of Key Information Security Terms
   3.8. RSA Information Security Glossary
4. Standards Developing Organizations
   4.1. 3GPP - Third Generation Partnership Project
   4.2. 3GPP2 - Third Generation Partnership Project 2
   4.3. ANSI - The American National Standards Institute
        4.3.1. Accredited Standards Committee X9 (ASC X9)
   4.4. ATIS - Alliance for Telecommunications Industry Solutions
        4.4.1. ATIS PRQC - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1
        4.4.2. ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P
   4.5. CC - Common Criteria
   4.6. DMTF - Distributed Management Task Force, Inc.
   4.7. ETSI - The European Telecommunications Standards Institute
        4.7.1. ETSI SEC
        4.7.2. ETSI OCG SEC
   4.8. GGF - Global Grid Forum
        4.8.1. Global Grid Forum Security Area
   4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.
        4.9.1. IEEE Computer Society's Technical Committee on Security and Privacy
   4.10. IETF - The Internet Engineering Task Force
        4.10.1. IETF Security Area
   4.11. INCITS - InterNational Committee for Information Technology Standards
        4.11.1. Identification Cards and Related Devices (B10)
        4.11.2. Cyber Security (CS1)
        4.11.3. Biometrics (M1)
   4.12. ISO - The International Organization for Standardization
   4.13. ITU - International Telecommunication Union
        4.13.1. ITU Telecommunication Standardization Sector - ITU-T
        4.13.2. ITU Radiocommunication Sector - ITU-R
        4.13.3. ITU Telecom Development - ITU-D
   4.14. OASIS - Organization for the Advancement of Structured Information Standards
   4.15. OIF - Optical Internetworking Forum
        4.15.1. OAM&P Working Group
   4.16. National Security Telecommunications Advisory Committee (NSTAC)
   4.17. TIA - The Telecommunications Industry Association
        4.17.1. APCO Project 25 Public Safety Standards
   4.18. TTA - Telecommunications Technology Association
   4.19. The World Wide Web Consortium
   4.20. TM Forum
        4.20.1. Security Management
5. Security Best Practices Efforts and Documents
   5.1. 3GPP - SA3 - Security
   5.2. 3GPP2 - TSG-S Working Group 4 (Security)
   5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane
   5.4. DMTF - Security Modeling Working Group
   5.5. Common Criteria
   5.6. ETSI
   5.7. Operational Security Requirements for IP Network Infrastructure: Advanced Requirements
   5.8. ISO JTC 1/SC 27 - Information Technology Security Techniques
   5.9. ITU-T Study Group 2
   5.10. ITU-T Study Group 17
   5.11. NRIC VII Focus Groups
   5.12. OASIS Security Technical Committees
   5.13. OIF Implementation Agreements
   5.14. TIA - Critical Infrastructure Protection (CIP) and Homeland Security (HS)
   5.15. NIST Special Publications (800 Series)
   5.16. NIST Interagency or Internal Reports (NISTIRs)
   5.17. NIST ITL Security Bulletins
   5.18. SANS Information Security Reading Room
6. Security Considerations
7. IANA Considerations
8. Acknowledgments
9. Changes from Prior Drafts
Authors' Addresses

1. Introduction

The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with the hope of retaining, or even improving, an acceptable level of availability for its users. These SDO efforts usually define themselves as "security" efforts. It is the opinion of the authors that there are many different definitions of the term "security" and that it may be applied in many diverse ways. As such, we offer no assurance that the term is applied consistently throughout this document.

Many of these SDOs have diverse charters and goals and will take entirely different directions in their efforts to provide standards. Even so, there will be overlaps in their produced works. Where there are overlaps there is a potential for conflicts and confusion. This may result in:

   Vendors of networking equipment who are unsure of which standard to follow.

   Purchasers of networking equipment who are unsure of which standard will best apply to the needs of their business or organization.

   Network Administrators and Operators unsure of which standard to follow to attain the best security for their network.

For these reasons, the authors wish to encourage all SDOs who have an interest in producing or in consuming standards relating to good security practices to be consistent in their approach and their recommendations. In many cases, the authors are aware that the SDOs are making good efforts along these lines. However, the authors do not participate in all SDO efforts and cannot know everything that is happening.
The OpSec Working Group met at the 61st IETF and agreed that this document could be a useful reference in producing the documents described in the Working Group Charter. The authors have agreed to keep this document current and request that those who read it submit corrections or comments.

Comments on this document may be addressed to the OpSec Working Group or directly to the authors.

   opsec@ops.ietf.org

This document will be updated in sections. The most recently updated part of this document is Section 4.

2. Format of this Document

The body of this document has three sections.

The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistent usage of words across standards is unacceptable, as it would prevent a reader of two standards from appropriately relating their recommendations. The authors of this document have not reviewed the definitions of the words in the listed glossaries and so can offer no assurance of their alignment.

The second part, Section 4, contains a listing of SDOs that appear to be working on security standards.

The third part, Section 5, lists the documents which have been found to offer good practices or recommendations for securing networks and networking devices.

The text used in Sections 3, 4, and 5 has been copied from the referenced web sites. The authors make no claim about the validity or accuracy of the information listed.

3. Online Security Glossaries

This section contains references to glossaries of network and computer security terms.

3.1. ATIS Telecom Glossary 2007

   http://www.atis.org/tg2k/

This Glossary began as a 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms. Federal Standard 1037C was updated and matured into an American National Standard (ANS): T1.523-2001, Telecom Glossary 2000, under the aegis of ASC T1. In turn, T1.523-2001 has been revised and redesignated under the ATIS procedures for ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007.

   Date published: 2007

3.2. Internet Security Glossary - RFC 4949

   http://www.ietf.org/rfc/rfc4949.txt

This document was originally created as RFC 2828 in May 2000. It was revised as RFC 4949, and the document defines itself to be "an internally consistent, complementary set of abbreviations, definitions, explanations, and recommendations for use of terminology related to information system security."

   Date published: August 2007

3.3. Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

Addendum to the Compendium of the Approved ITU-T Security-related Definitions

These extensive materials were created from approved ITU-T Recommendations with a view toward establishing a common understanding and use of security terms within ITU-T. The original Compendium was compiled by SG 17, Lead Study Group on Communication Systems Security (LSG-CSS).

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Date published: 2003

3.4. Microsoft Malware Protection Center

   http://www.microsoft.com/security/portal/threat/encyclopedia/glossary.aspx

The Microsoft Malware Protection Center, Threat Research and Response Glossary was created to explain the concepts, technologies, and products associated with computer security.

   Date published: indeterminate

3.5. SANS Glossary of Security Terms

   http://www.sans.org/security-resources/glossary-of-terms/

The SANS Institute (SysAdmin, Audit, Network, Security) was created in 1989 as "a cooperative research and education organization." This glossary was updated in May 2003. The SANS Institute is also home to many other resources, including the SANS Intrusion Detection FAQ and the SANS/FBI Top 20 Vulnerabilities List.

   Date published: indeterminate

3.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

Anne and Lynn Wheeler maintain a security taxonomy and glossary with terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, 800-61, 800-77, 800-83, FIPS140, NASA, NCSC/TG004, NIAP, NSA Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, RFC2647, RFC2828, TCSEC, TDI, and TNI.

   Date updated: October 2010

3.7. NIST - Glossary of Key Information Security Terms

   http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf

This glossary of basic security terms has been extracted from NIST Federal Information Processing Standards (FIPS) and the Special Publication (SP) 800 series. The terms included are not all-inclusive of terms found in these publications, but are a subset of basic terms that are most frequently used. The purpose of this glossary is to provide a central resource of definitions most commonly used in NIST security publications.

   Date originally published: April 2006

   Date of this update: February 2010

3.8. RSA Information Security Glossary

   http://www.rsa.com/glossary/

Welcome to the RSA Security Information Security Glossary. This glossary is offered as an aid to understanding current concepts and initiatives in the realm of Information Security. The terms were chosen based on their importance in understanding the solutions, services and products that RSA Security provides for its customers.

   Date originally published: 2005

4. Standards Developing Organizations

This section of this document lists the SDOs, or organizations, that appear to be developing security-related standards. These SDOs are listed in alphabetical order.

Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC.

4.1. 3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

The 3rd Generation Partnership Project (3GPP) unites [Six] telecommunications standards bodies, known as "Organizational Partners", and provides their members with a stable environment to produce the highly successful Reports and Specifications that define 3GPP technologies.

4.2. 3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

The Third Generation Partnership Project 2 (3GPP2) is:

   a collaborative third generation (3G) telecommunications specifications-setting project

   comprising North American and Asian interests developing global specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication Intersystem Operations network evolution to 3G

   and global specifications for the radio transmission technologies (RTTs) supported by ANSI/TIA/EIA-41.

3GPP2 was born out of the International Telecommunication Union's (ITU) International Mobile Telecommunications "IMT-2000" initiative, covering high speed, broadband, and Internet Protocol (IP)-based mobile systems featuring network-to-network interconnection, feature/service transparency, global roaming and seamless services independent of location. IMT-2000 is intended to bring high-quality mobile multimedia telecommunications to a worldwide mass market by achieving the goals of increasing the speed and ease of wireless communications, responding to the problems faced by the increased demand to pass data via telecommunications, and providing "anytime, anywhere" services.

4.3. ANSI - The American National Standards Institute

   http://www.ansi.org/

As the voice of the U.S. standards and conformity assessment system, the American National Standards Institute (ANSI) empowers its members and constituents to strengthen the U.S. marketplace position in the global economy while helping to assure the safety and health of consumers and the protection of the environment.

The Institute oversees the creation, promulgation and use of thousands of norms and guidelines that directly impact businesses in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accrediting programs that assess conformance to standards, including globally-recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environmental) management systems.

4.3.1. Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

The Accredited Standards Committee X9 (ASC X9) has the mission to develop, establish, maintain, and promote standards for the Financial Services Industry in order to facilitate the delivery of financial services and products. Under this mission ASC X9 fulfills the objectives of:

   (1) Supporting (maintain, enhance, and promote use of) existing standards;

   (2) Facilitating development of new, open standards based upon consensus;

   (3) Providing a common source for all standards affecting the Financial Services Industry;

   (4) Focusing on current and future standards needs of the Financial Services Industry;

   (5) Promoting use of Financial Services Industry standards; and

   (6) Participating in and promoting the development of international standards.

4.4. ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

ATIS member companies develop the standards and solutions that are creating the future of the information and communications technology (ICT) industry. From efforts to realize the cost benefits of cloud services, to standards underpinning the nation's emergency communications system, to improvements in data access to support health care delivery, or developing new avenues to interactive sources of entertainment, ATIS' work makes ICT innovation possible.

Through involvement in our committees and forums, ATIS member companies achieve their technical potential and business objectives. They also get a strategic view of the future of technology to help them better position their products and services. ATIS members further benefit from valuable networking opportunities with other companies leading change in our industry, as well as the insights of leading CIOs, CTOs and other thought leaders.

ATIS gives our members a place at the table where today's ICT standards decisions are being made. Our work helps members prepare for when the future becomes today. And, with the fast pace of innovation, the gap between today's technologies and tomorrow's networks is all but disappearing.
ATIS creates solutions that support the rollout of new products and services into the information, entertainment and communications marketplace. Its activities provide the basis for the industry's delivery of:

   Existing and next generation IP-based infrastructures;

   Reliable converged multimedia services, including IPTV;

   Enhanced Operations Support Systems and Business Support Systems; and

   Greater levels of service quality and performance.

ATIS is accredited by the American National Standards Institute (ANSI).

4.4.1. ATIS PRQC - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

PRQC develops and recommends standards, requirements, and technical reports related to the performance, reliability, and associated security aspects of communications networks, as well as the processing of voice, audio, data, image, and video signals, and their multimedia integration. PRQC also develops and recommends positions on, and fosters consistency with, standards and related subjects under consideration in other North American and international standards bodies.

PRQC Focus Areas are:

   Performance and Reliability of Networks (e.g. IP, ATM, OTN, and PSTN), and Services (e.g. Frame Relay, Dedicated and Switched Data),

   Security-related aspects,

   Emergency communications-related aspects,

   Coding (e.g. video and speech), at and between carrier-to-carrier and carrier-to-customer interfaces, with due consideration of end-user applications.

4.4.2. ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

The Telecom Management and Operations Committee (TMOC) develops operations, administration, maintenance and provisioning standards, and other documentation related to Operations Support System (OSS) and Network Element (NE) functions and interfaces for communications networks, with an emphasis on standards development related to U.S.A. communication networks in coordination with the development of international standards.

The scope of the work in TMOC includes the development of standards and other documentation for communications network operations and management areas, such as: Configuration Management, Performance Management (including in-service transport performance management), Fault Management, Security Management (including management plane security), Accounting Management, Coding/Language Data Representation, Common/Underlying Management Functionality/Technology, and Ancillary Functions (such as network tones and announcements). This work requires close and coordinated working relationships with other domestic and international standards development organizations and industry forums.

4.5. CC - Common Criteria

   http://www.commoncriteriaportal.org/

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM), are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

   Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

   Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

   The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;

   These certificates are recognized by all the signatories of the CCRA.

The CC is the driving force for the widest available mutual recognition of secure IT products. This web portal is available to support the information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.

4.6. DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

DMTF enables more effective management of millions of IT systems worldwide by bringing the IT industry together to collaborate on the development, validation and promotion of systems management standards.

The group spans the industry with 160 member companies and organizations, and more than 4,000 active participants crossing 43 countries. The DMTF board of directors is led by 15 innovative, industry-leading technology companies. They include Advanced Micro Devices (AMD); Broadcom Corporation; CA, Inc.; Cisco; Citrix Systems, Inc.; EMC; Fujitsu; HP; Huawei; IBM; Intel Corporation; Microsoft Corporation; Oracle; RedHat and VMware, Inc.

With this deep and broad reach, DMTF creates standards that enable interoperable IT management. DMTF management standards are critical to enabling management interoperability among multi-vendor systems, tools and solutions within the enterprise.

4.7. ETSI - The European Telecommunications Standards Institute

   http://www.etsi.org/

The European Telecommunications Standards Institute (ETSI) produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies.

We are officially recognized by the European Union as a European Standards Organization. The high quality of our work and our open approach to standardization has helped us evolve into a "European roots - global branches" operation with a solid reputation for technical excellence.

4.7.1. ETSI SEC

   http://portal.etsi.org/portal/server.pt/gateway/PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

Board #38 confirmed the closure of TC SEC.

At the same time it approved the creation of an OCG Ad Hoc group, OCG Security.

TC SEC documents can be found in the SEC archive.

The SEC Working Groups (ESI and LI) were closed, and TC ESI and TC LI were created to continue the work.

All documents and information relevant to ESI and LI are available from the TC ESI and TC LI sites.

4.7.2. ETSI OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

The creation of the OCG SEC was decided at Board #38 on 30 May 2002. The group's primary role is to provide a horizontal co-ordination structure for security issues that will ensure this work is seriously considered in each ETSI TB and that any duplicate or conflicting work is detected. To achieve this aim the group should mainly conduct its work via email and, where appropriate, co-sited "joint security" technical working meetings.

When scheduled, appropriate time at each "joint SEC" meeting should be allocated during the meetings to allow for:

   Individual committee activities as well as common work;

   Coordination between the committees; and

   Experts to contribute to more than one committee.

4.8. GGF - Global Grid Forum

   http://www.gridforum.org/

OGF is an open community committed to driving the rapid evolution and adoption of applied distributed computing. Applied Distributed Computing is critical to developing new, innovative and scalable applications and infrastructures that are essential to productivity in the enterprise and within the science community. OGF accomplishes its work through open forums that build the community, explore trends, share best practices and consolidate these best practices into standards.

4.8.1. Global Grid Forum Security Area

   http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7

The Security Area is concerned with technical and operational security issues in Grid environments, including authentication, authorization, privacy, confidentiality, auditing, firewalls, trust establishment, policy establishment, and dynamics, scalability and management aspects of all of the above.

The Security Area is composed of the following Working Groups and Research Groups.

   Certificate Authority Operations WG (CAOPS-WG)

   Firewall Issues RG (FI-RG)

   Levels Of Authentication Assurance Research Group (LOA-RG)

   OGSA Authorization WG (OGSA-AUTHZ-WG)

4.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

IEEE is the world's largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity. IEEE and its members inspire a global community through IEEE's highly cited publications, conferences, technology standards, and professional and educational activities.

4.9.1. IEEE Computer Society's Technical Committee on Security and Privacy

   http://www.ieee-security.org/

4.10. IETF - The Internet Engineering Task Force

   http://www.ietf.org/

The goal of the IETF is to make the Internet work better.

The mission of the IETF is to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet.

4.10.1. IETF Security Area

The Working Groups in the Security Area may be found from this page.

   http://datatracker.ietf.org/wg/

The wiki page for the IETF Security Area may be found here.

   http://trac.tools.ietf.org/area/sec/trac/wiki

4.11. INCITS - InterNational Committee for Information Technology Standards

   http://www.incits.org/

INCITS is the primary U.S. focus of standardization in the field of Information and Communications Technologies (ICT), encompassing storage, processing, transfer, display, management, organization, and retrieval of information. As such, INCITS also serves as ANSI's Technical Advisory Group for ISO/IEC Joint Technical Committee 1. JTC 1 is responsible for International standardization in the field of Information Technology.

There are three active Groups in the Security / ID Technical Committee.

4.11.1. Identification Cards and Related Devices (B10)

   http://standards.incits.org/a/public/group/b10

Development of national and international standards in the area of identification cards and related devices for use in inter-industry applications and international interchange.

4.11.2. Cyber Security (CS1)

   http://standards.incits.org/a/public/group/cs1

INCITS/CS1 was established in April 2005 to serve as the US TAG for ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups.

The scope of CS1 explicitly excludes the areas of work on cyber security standardization presently underway in INCITS B10, M1, T3, T10 and T11, as well as in other standards groups such as ATIS, IEEE, IETF, TIA, and X9.

4.11.3. Biometrics (M1)

   http://standards.incits.org/a/public/group/m1

INCITS/M1, Biometrics Technical Committee, was established by the Executive Board of INCITS in November 2001 to ensure a high priority, focused, and comprehensive approach in the United States for the rapid development and approval of formal national and international generic biometric standards. The M1 program of work includes biometric standards for data interchange formats, common file formats, application program interfaces, profiles, and performance testing and reporting. The goal of M1's work is to accelerate the deployment of significantly better, standards-based security solutions for purposes such as homeland defense and the prevention of identity theft, as well as other government and commercial applications based on biometric personal authentication.

4.12. ISO - The International Organization for Standardization

   http://www.iso.org/

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
ISO is a network of the national standards institutes of 163 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.

Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society.

4.13. ITU - International Telecommunication Union

http://www.itu.int/

ITU (International Telecommunication Union) is the United Nations specialized agency for information and communication technologies - ICTs.

We allocate global radio spectrum and satellite orbits, develop the technical standards that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICTs to underserved communities worldwide.

ITU is committed to connecting all the world's people - wherever they live and whatever their means. Through our work, we protect and support everyone's fundamental right to communicate.

The ITU comprises three sectors:

4.13.1. ITU Telecommunication Standardization Sector - ITU-T

http://www.itu.int/ITU-T/

ITU-T Recommendations are defining elements in information and communication technologies (ICTs) infrastructure. Whether we exchange voice, data or video messages, communications cannot take place without standards linking the sender and the receiver. Today's work extends well beyond the traditional areas of telephony to encompass a far wider range of information and communications technologies.
4.13.2. ITU Radiocommunication Sector - ITU-R

http://www.itu.int/ITU-R/

The ITU Radiocommunication Sector (ITU-R) plays a vital role in the global management of the radio-frequency spectrum and satellite orbits - limited natural resources which are increasingly in demand from a large and growing number of services such as fixed, mobile, broadcasting, amateur, space research, emergency telecommunications, meteorology, global positioning systems, environmental monitoring and communication services - that ensure safety of life on land, at sea and in the skies.

4.13.3. ITU Telecom Development - ITU-D

(also referred to as ITU Telecommunication Development Bureau - BDT)

http://www.itu.int/ITU-D/

The mission of the Telecommunication Development Sector (ITU-D) aims at achieving the Sector's objectives based on the right to communicate of all inhabitants of the planet through access to infrastructure and information and communication services.

In this regard, the mission is to:

   Assist countries in the field of information and communication technologies (ICTs), in facilitating the mobilization of technical, human and financial resources needed for their implementation, as well as in promoting access to ICTs.

   Promote the extension of the benefits of ICTs to all the world's inhabitants.

   Promote and participate in actions that contribute towards narrowing the digital divide.

   Develop and manage programmes that facilitate information flow geared to the needs of developing countries.

   The mission encompasses ITU's dual responsibility as a United Nations specialized agency and an executing agency for implementing projects under the United Nations development system or other funding arrangements.

4.14. OASIS - Organization for the Advancement of Structured Information Standards

http://www.oasis-open.org/

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.

OASIS promotes industry consensus and produces worldwide standards for security, Cloud computing, SOA, Web services, the Smart Grid, electronic publishing, emergency management, and other areas. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology.

OASIS has several Technical Committees in the Security Category:

http://www.oasis-open.org/committees/tc_cat.php?cat=security

4.15. OIF - Optical Internetworking Forum

http://www.oiforum.com/

"The Optical Internetworking Forum (OIF) promotes the development and deployment of interoperable networking solutions and services through the creation of Implementation Agreements (IAs) for optical networking products, network processing elements, and component technologies. Implementation agreements will be based on requirements developed cooperatively by end-users, service providers, equipment vendors and technology providers, and aligned with worldwide standards, augmented if necessary. This is accomplished through industry member participation working together to develop specifications (IAs) for:

   External network element interfaces

   Software interfaces internal to network elements

   Hardware component interfaces internal to network elements

The OIF will create Benchmarks, perform worldwide interoperability testing, build market awareness and promote education for technologies, services and solutions. The OIF will provide feedback to worldwide standards organizations to help achieve a set of implementable, interoperable solutions."

4.15.1. OAM&P Working Group

http://www.oiforum.com/public/oamp.html

In concert with the Carrier, Architecture & Signaling and other OIF working groups, the Operations, Administration, Maintenance, & Provisioning (OAM&P) working group develops architectures, requirements, guidelines, and implementation agreements critical to widespread deployment of interoperable optical networks by carriers. The scope includes but is not limited to a) planning, engineering and provisioning of network resources; b) operations, maintenance or administration use cases and processes; and c) management functionality and interfaces for operations support systems and interoperable network equipment. Within its scope are Fault, Configuration, Accounting, Performance and Security Management (FCAPS) and Security. The OAM&P working group will also account for work by related standards development organizations (SDOs), identify gaps and formulate OIF input to other SDOs as may be appropriate.

4.16. National Security Telecommunications Advisory Committee (NSTAC)

http://www.ncs.gov/nstac/nstac.html

Meeting our Nation's critical national security and emergency preparedness (NS/EP) challenges demands attention to many issues. Among these, none could be more important than the availability and reliability of telecommunication services. The mission of the President's National Security Telecommunications Advisory Committee (NSTAC) is to provide the U.S. Government the best possible industry advice in these areas.

4.17. TIA - The Telecommunications Industry Association

http://www.tiaonline.org/

The Telecommunications Industry Association (TIA) is the leading trade association representing the global information and communications technology (ICT) industry through Standards development, Policy initiatives, business opportunities, market intelligence and networking events. With support from hundreds of members, TIA enhances the business environment for companies involved in telecom, broadband, mobile wireless, information technology, networks, cable, satellite, unified communications, emergency communications and the greening of technology. TIA is accredited by ANSI.

4.17.1. APCO Project 25 Public Safety Standards

http://www.tiaonline.org/all-standards/committees/tr-8

Recognizing the need for common standards for first responders and homeland security/emergency response professionals, representatives from the Association of Public Safety Communications Officials International (APCO), the National Association of State Telecommunications Directors (NASTD), selected federal agencies and the National Communications System (NCS) established Project 25, a steering committee for selecting voluntary common system standards for digital public safety radio communications. TIA TR-8 facilitates such work through its role as an ANSI-accredited Standards Development Organization (SDO) and has developed in TR-8 the 102 series of technical documents. These standards directly address the guidelines of the Communications Assistance for Law Enforcement Act (CALEA).

4.18. TTA - Telecommunications Technology Association

http://www.tta.or.kr/

http://www.tta.or.kr/English/index.jsp (English)

The purpose of TTA is to contribute to the advancement of technology and the promotion of information and telecommunications services and industry as well as the development of the national economy, by effectively establishing and providing technical standards that reflect the latest domestic and international technological advances, needed for the planning, design and operation of global end-to-end telecommunications and related information services, in close collaboration with companies, organizations and groups concerned with information and telecommunications such as network operators, service providers, equipment manufacturers, academia, R&D institutes, etc.

4.19. The World Wide Web Consortium

http://www.w3.org/Consortium/

The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential.

http://www.w3.org/Security/

Security online is a vast field that is being worked on by a number of organizations, including W3C. Mapping the entire field would be a huge endeavor; hence, this page focuses on work that W3C is involved in.

The traditional W3C Security Resources page is no longer maintained, but remains online for archival purposes.

The Web Security Wiki serves as a place for interested parties in the Web security community to collect information about security aspects of specifications and implementations of Web technologies.

4.20. TM Forum

http://www.tmforum.org/

TM Forum is a global, non-profit industry association focused on simplifying the complexity of running a service provider's business. As an established industry thought-leader, the Forum serves as a unifying force, enabling more than 850 companies across 195 countries to solve critical business issues through access to a wealth of knowledge, intellectual capital and standards.

4.20.1. Security Management

http://www.tmforum.org/SecurityManagement/9152/home.html

Securing networks, cyber, clouds, and identity against evolving and ever present threats has emerged as a top priority for TM Forum members. In response, the TM Forum's Security Management Initiative was formally launched in 2009. While some of our Security Management efforts, such as Identity Management, are well established and boast mature Business Agreements and Interfaces, a series of presentations, contributions, and multi-vendor technology demonstrations have jump-started work efforts on the industry hot topics Network Defense, Cyber Security, and security for single and multi-regional enterprise application cloud bursting. Our aim is to produce Security Management rich frameworks, best practices, and guidebooks.

5. Security Best Practices Efforts and Documents

This section lists the works produced by the SDOs.

5.1. 3GPP - SA3 - Security

http://www.3gpp.org/SA3-Security

The WG is responsible for security in 3GPP systems, determining the security requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications. The sub-WG SA3-LI provides the requirements and specifications for lawful interception in 3GPP systems.

Specifications: http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

5.2. 3GPP2 - TSG-S Working Group 4 (Security)

http://www.3gpp2.org/Public_html/S/index.cfm

The Services and Systems Aspects TSG (TSG-S) is responsible for the development of service capability requirements for systems based on 3GPP2 specifications. It is also responsible for high level architectural issues, as required, to coordinate service development across the various TSGs. In this role, the Services and Systems TSG shall track the activities within the various TSGs, as required, to meet the above service requirements.

More specifically, TSG-S will address the following areas of work: management, technical coordination, as well as architectural and requirements development associated with all end-to-end features, services and system capabilities including, but not limited to, security and QoS.

TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/tsgs.cfm

5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane

This document contains both the published and redline versions of ATIS-0300276.2008. This standard contains a set of baseline security requirements for the management plane. The requirements outlined in this standard allow equipment/system suppliers, government departments and agencies, and service providers to implement a secure telecommunications management infrastructure.

Documents: http://www.atis.org/docstore/product.aspx?id=24660

5.4. DMTF - Security Modeling Working Group

http://www.dmtf.org/sites/default/files/SecurityWGCharter.pdf

The Security Modeling Working Group of the Schema Subcommittee is responsible for developing the models and profiles required to provide interoperable security management interfaces for implementations, including the enabling of configuration and management of authentication, authorization, and auditing services.

The operational security requirements for protocols and management initiatives are not addressed by this work group and should be addressed by the working groups responsible for them. Management of the underlying security capabilities utilized by such protocols and initiatives is addressed by this work group (for example: interfaces for the management of keys and certificates).

5.5. Common Criteria

http://www.commoncriteriaportal.org/

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Agreement (CCRA), which ensures that:

   Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

   Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

   The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;

   These certificates are recognized by all the signatories of the CCRA.
The CC is the driving force for the widest available mutual recognition of secure IT products. This web portal is available to support the information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.

5.6. ETSI

TC SEC

http://portal.etsi.org/portal/server.pt/gateway/PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

Board#38 confirmed the closure of TC SEC.

At the same time it approved the creation of an OCG Ad Hoc group, OCG Security.

TC SEC documents can be found in the SEC archive (members login required).

The SEC Working groups (ESI and LI) were closed and TC ESI and TC LI were created to continue the work.

All documents and information relevant to ESI and LI are available from the TC ESI and TC LI sites:

TC ESI: http://portal.etsi.org/portal/server.pt/community/ESI/307

TC LI: http://portal.etsi.org/portal/server.pt/community/LI/318

OCG SEC

http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

The group's primary role is to provide a light-weight horizontal coordination structure for security issues that will ensure this work is seriously considered in each ETSI TB and that any duplicate or conflicting work is detected. To achieve this aim the group should mainly conduct its work via email and, where appropriate, co-sited "joint security" technical working meetings.

OCG documents may be found here:

http://portal.etsi.org/ocg/Summary.asp (members login required)

5.7. Operational Security Requirements for IP Network Infrastructure : Advanced Requirements

IETF RFC 3871

Abstract: This document defines a list of operational security requirements for the infrastructure of large ISP IP networks (routers and switches). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors.

Documents:

http://www.rfc-editor.org/rfc/rfc3871.txt

5.8. ISO/IEC JTC 1/SC 27 - IT Security techniques

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306

Several security related ISO projects under JTC 1/SC 27 are listed here, such as:

   IT security techniques -- Message Authentication Codes (MACs)

   IT Security techniques -- Key management

   IT Security techniques -- Entity authentication

   IT Security techniques -- Hash-functions

   IT Security techniques -- Non-repudiation

   IT Security techniques -- IT network security

5.9. ITU-T Study Group 2

http://www.itu.int/ITU-T/studygroups/com02/index.asp

Security related recommendations currently under study:
http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=2

5.10. ITU-T Study Group 17

http://www.itu.int/ITU-T/studygroups/com17/index.asp

Security related recommendations currently under study:
http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

The ICT Security Standards Roadmap
http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

This ICT Security Standards Roadmap has been developed to assist in the development of security standards by bringing together information about existing standards and current standards work in key standards development organizations.
In addition to aiding the process of standards development, the Roadmap will provide information that will help potential users of security standards, and other standards stakeholders, gain an understanding of what standards are available or under development as well as the key organizations that are working on these standards.

The Roadmap was initiated by ITU-T Study Group 17. In January 2007 the initiative became a collaborative effort when the European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) joined Study Group 17 in the project.

The Roadmap is in five parts:

Part 1: ICT Standards Development Organizations and Their Work
http://www.itu.int/ITU-T/studygroups/com17/ict/part01.html

Part 1 contains information about the Roadmap structure and about each of the listed standards organizations, their structure and the security standards work being undertaken. In addition it contains information on terminology by providing links to existing security glossaries and vocabularies.

Part 2: Approved ICT Security Standards
http://www.itu.int/ITU-T/studygroups/com17/ict/part02.html

Part 2 contains a summary catalogue of approved standards.

Part 3: Security standards under development
http://www.itu.int/ITU-T/studygroups/com17/ict/part03.html

Part 3 is structured with the same taxonomy as Part 2 but contains work in progress, rather than standards that have already been approved and published. Part 3 will also contain information on inter-relationships between groups undertaking the work and on potential overlaps between existing projects.
Part 4: Future needs and proposed new security standards
http://www.itu.int/ITU-T/studygroups/com17/ict/part04.html

Part 4 is intended to capture possible future areas of security standards work where gaps or needs have been identified as well as areas where proposals have been made for specific new standards work.

Part 4 includes provision for direct feedback, comments and suggestions.

Part 5: Best practices
http://www.itu.int/ITU-T/studygroups/com17/ict/part05.html

Part 5 is a recent addition to the Roadmap (May 2007). It is intended to be a repository of security-related best practices contributed by our community of members.

This section will be based on contributions from the security community.

Where possible contributions should refer to best practices relating to standards-based security but other best practices will be considered for inclusion.

It is important to note that the Roadmap is a work-in-progress. It is intended that it be developed and enhanced to include other standards organizations as well as a broader representation of the work from organizations already included. It is hoped that standards organizations whose work is not represented in this version of the Roadmap will provide information to ITU-T about their work so that it may be included in future editions.

In May 2007, Part 2 of the Roadmap was converted to a searchable database format that allows direct links to the information of participating standards organizations. The database format will allow each participating organization to manage its own data within the Roadmap. This will enable more timely updating of the information and will also reduce the overhead in maintaining the information.

http://www.itu.int/ITU-T/security/main_table.aspx

5.11. NRIC VII Focus Groups

http://www.nric.org/fg/index.html

The mission of the NRIC is to partner with the Federal Communications Commission, the communications industry and public safety to facilitate enhancement of emergency communications networks, homeland security, and best practices across the burgeoning telecommunications industry.

By December 16, 2005, the Council shall present a final report that describes, in detail, any additions, deletions, or modifications that should be made to the Homeland Security Best Practices that were adopted by the preceding Council.

Documents in Focus Group 2: Homeland Security, Subcommittee 2.B: Cyber Security:

   Focus Group 2B Report - Homeland Security Cyber Security Best Practices, published 06-Dec-2004

   Focus Group 2B Report Appendices, published 06-Dec-2004

   Focus Group 2B Final Report - Summary of Activities, Guidance and Cybersecurity Issues, published 16-Dec-2005

   Focus Group 2B Final Best Practices, published 16-Dec-2005

5.12. OASIS Security Technical Committees

Many Technical Committees have produced standards.

http://www.oasis-open.org/committees/tc_cat.php?cat=security

5.13. OIF Implementation Agreements

The OIF has 3 approved and in-force Implementation Agreements (IAs) relating to security. They are:

   OIF-SEP-03.0 - Security Extension for UNI and E-NNI 2.0 (Nov 2010)
   http://www.oiforum.com/public/documents/OIF-SEP-03.0.pdf

   OIF-SMI-01.0 - Security for Management Interfaces to Network Elements (September 2003)
   http://www.oiforum.com/public/documents/SecurityMgmt-IA.pdf

   OIF-SMI-02.1 - Addendum to the Security for Management Interfaces to Network Elements (March 2006)
   http://www.oiforum.com/public/documents/OIF-SMI-02_1.pdf

5.14. TIA - Critical Infrastructure Protection (CIP) and Homeland Security (HS)

The TIA Cybersecurity Working Group advocates public policy positions related to the security of ICT equipment and services from a vendor perspective as it relates to critical infrastructure, supply chain and information sharing.

http://www.tiaonline.org/policy/cybersecurity

5.15. NIST Special Publications (800 Series)

http://csrc.nist.gov/publications/PubsSPs.html

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

5.16. NIST Interagency or Internal Reports (NISTIRs)

http://csrc.nist.gov/publications/PubsNISTIRs.html

NIST Interagency or Internal Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.

5.17. NIST ITL Security Bulletins

http://csrc.nist.gov/publications/PubsITLSB.html

ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. These bulletins are published on the average of six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all published ITL Bulletins relate to computer / network security. Only the computer security ITL Bulletins are found here.

5.18. SANS Information Security Reading Room

http://www.sans.org/reading_room/

Featuring over 1,969 original computer security white papers in 77 different categories.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated.

6. Security Considerations

This document describes efforts to standardize security practices and documents. As such this document offers no security guidance whatsoever.

Readers of this document should be aware of the date of publication of this document. It is feared that they may assume that the efforts, on-line material, and documents are current whereas they may not be. Please consider this when reading this document.

7. IANA Considerations

This document does not propose a standard and does not require the IANA to do anything.

8. Acknowledgments

The following people have contributed to this document. Listing their names here does not mean that they endorse the document, but that they have contributed to its substance.

David Black, Mark Ellison, George Jones, Keith McCloghrie, John McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce Moon, Stephen Kent, Steve Wolff, Bob Natale, Marek Lukaszuk.

9. Changes from Prior Drafts

-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

-01 : Security Glossaries:

   Added ATIS Telecom Glossary 2000, Critical Infrastructure Glossary of Terms and Acronyms, Microsoft Solutions for Security Glossary, and USC InfoSec Glossary.

   Standards Developing Organizations:

   Added DMTF, GGF, INCITS, OASIS, and WS-I

   Removal of Committee T1 and modifications to ATIS and former T1 technical subcommittees due to the recent ATIS reorganization.

   Efforts and Documents:

   Added DMTF User and Security WG, DMTF SPAM WG, GGF Security Area (SEC), INCITS Technical Committee T4 - Security Techniques, INCITS Technical Committee T11 - Fibre Channel Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint Committee, OASIS Security Services TC, and WS-I Basic Security Profile.

   Updated Operational Security Requirements for IP Network Infrastructure : Advanced Requirements.

-00 : as the WG ID

   Added more information about the ITU-T SG3 Q18 effort to modify ITU-T Recommendation M.3016.

-01 : First revision as the WG ID.

   Added information about the NGN in the sections about ATIS, the NSTAC, and ITU-T.

-02 : Second revision as the WG ID.

   Updated the date.

   Corrected some url's and the reference to George's RFC.

-03 : Third revision of the WG ID.

   Updated the date.

   Updated the information about the CC

   Added a Conventions section (not sure how this document got to where it is without that)

-04 : Fourth revision of the WG ID.

   Updated the date.

   Added Anne & Lynn Wheeler Taxonomy & Security Glossary

   CIAO glossary removed. CIAO has been absorbed by DHS and the glossary is no longer available.

   USC glossary removed, could not find it on the site or a reference to it elsewhere.

   Added TTA - Telecommunications Technology Association to SDO section.
1509 Removed ATIS Security & Emergency Preparedness Activities from 1510 Documents section. Could not find it or a reference to it. 1512 INCITS T4 incorporated into CS1 - T4 section removed 1514 X9 Added to SDO list under ANSI 1516 Various link or grammar fixes. 1518 -05 : Fifth revision of the WG ID. 1520 Updated the date. 1522 Removed the 2119 definitions; this is an informational document. 1524 -06 : Sixth revision of the WG ID. 1526 Updated the date. 1528 Added W3C information. 1530 -07 : Seventh revision of the WG ID. 1532 Updated the date. 1534 -08 : Eighth revision of the WG ID. 1536 Updated the reference to RFC 4949, found by Stephen Kent. 1538 -09 : Nineth revision of the WG ID. 1540 Updated the date. 1542 -10 : Tenth revision of the WG ID. 1544 Added references to NIST documents, recommended by Steve Wolff. 1545 Updated the date. 1547 -11 : Eleventh revision of the WG ID. 1549 Updated the date. 1551 -12 : Twelfth revision of the WG ID. 1553 Updated the date. 1555 -13 : Nothing new. 1557 Updated the date. 1559 -14 : Fourteenth revision of the WG ID. 1561 Updated the date and reviewed the accuracy of Section 3. 1563 Updated the section on Compendium of Approved ITU-T Security 1564 Definitions 1566 Updated the section on the Microsoft glossary. 1568 Updated the section on the SANS glossary. 1570 Added the NIST Security glossary. 1572 Added dates to all glossaries - where I could find them. 1574 Added the SANS Reading Room material to Section 5. 1576 -15 : Fifteenth revision of the WG ID. 1578 Updated the date and reviewed the accuracy of Section 4. Several 1579 changes made. 1581 Removed WS-I as they have merged with OASIS. 1583 Added TM Forum. 1585 -16 : Sixteenth revision of the WG ID. 1587 Updated the date and reviewed the accuracy of Section 5. Several 1588 changes made. 1590 -17 : Seventeenth revision of the WG ID. 1592 Updated the date and reviewed the accuracy of Section 3. A couple 1593 of changes made. 1595 -18 : Eighteenth revision of the WG ID. 
1597 Updated the date and reviewed the accuracy of Section 4. Some 1598 changes made. 1600 -19 : Ninteenth revision of the WG ID. 1602 Updated the date and reviewed the accuracy of Section 5. Some 1603 changes made. 1605 -20 : Twentieth revision of the WG ID. 1607 Updated the date and reviewed the accuracy of Section 3. Some 1608 changes made. 1610 Note: This section will be removed before publication as an RFC. 1612 Authors' Addresses 1614 Chris Lonvick 1615 Cisco Systems 1616 12515 Research Blvd. 1617 Austin, Texas 78759 1618 US 1620 Phone: +1 512 378 1182 1621 Email: clonvick@cisco.com 1623 David Spak 1624 Cisco Systems 1625 12515 Research Blvd. 1626 Austin, Texas 78759 1627 US 1629 Phone: +1 512 378 1720 1630 Email: dspak@cisco.com
