ISO/IEC JTC 1 SC 27
Dr. Marijke De Soete, Vice Chair ISO/IEC JTC 1/SC 27 “IT Security Techniques”
ETSI Security Workshop, 16-17 January 2007, Sophia-Antipolis, France


2

Agenda

Introduction and scope
New activities & evolving organisation
New initiatives

3

International Organization for Standardization (ISO)

Worldwide federation of national standards bodies from 146 countries, one from each country, established in 1947 (www.iso.org)

Mission: to promote the development of standardization and related activities in the world with a view to facilitating the international exchange of goods and services, and to developing cooperation in the spheres of intellectual, scientific, technological and economic activity.

2.952 technical bodies: 190 technical committees (TCs), 544 subcommittees (SCs), 2.188 working groups (WGs)

ISO's work results in international agreements which are published as International Standards (IS)

More than 15.000 standards and standards-type documents

4

Interconnections (diagram)

International: ISO, IEC, ITU; ISO/IEC JTC 1 and its SC 27 (188 TCs, 550 SCs, 2.175 WGs, 30.000 experts)
Regional (e.g., Europe): CEN, CENELEC, ETSI (TC ESI), EESSI
National (e.g., Belgium): BIN, B037, SCII3A

5

ISO/IEC JTC 1/SC 27 “IT Security Techniques” – Scope & Organization

Standardization of generic IT security services and techniques, including:
identification of generic requirements for IT system security services,
development of security techniques and mechanisms (cryptographic and non-cryptographic),
development of security guidelines,
development of management support documentation and standards,
development of criteria for IT security evaluation and certification of IT systems, components, and products.

ISO/IEC JTC 1/SC 27: Information technology – Security techniques
Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia

Working Group 1: Requirements, services, guidelines (Convener: Mr. T. Humphreys)
Working Group 2: Security techniques and mechanisms (Convener: Mr. K. Naemura)
Working Group 3: Security evaluation criteria (Convener: Mr. M. Ohlin)

6

Membership of SC 27 (timeline diagram, 1990 to 2005/06)

Founding P-Members (in 1990): Canada, USA, Brazil, China, Japan, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Norway, Spain, Sweden, Switzerland, UK, USSR

Additional P-Members, in chronological order (year markers on the timeline: 1994, 1996, 1999, 2001, 2002, 2003, 2005/06): Korea, Australia, Russian Federation, Poland, Malaysia, Czech Republic, Ukraine, India, South Africa, Austria, Kenya, Singapore, Luxembourg, New Zealand, Sri Lanka, Uruguay

O-members: Argentina, Hong Kong, Indonesia, Belarus, Cyprus, Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey

7

Selected Liaisons (SC 27 liaisons by sector, diagram)

Telecoms: ITU-T
Healthcare: TC 215
Banking: TC 68
Safety: TC 65
Information security: ISSA, ISSEA
Biometrics: SC 37

8

Hierarchical Security Management Model (SC 27 View)

Terminology
Toolbox of Techniques
Frameworks: provide a simplified description of interrelationships used to organize concepts, methods and technologies
Principles: provide generally accepted high-level basic rules used as a foundation to guidance
Element Standards: provide specific requirements that apply to a defined area of security management
Application Guides and Supplements: provide detailed descriptions offering guidance on how element standards may be applied in specific situations

9

Hierarchical Security Management Model (SC 27 View)

Layers of the model: Application Guides and Supplements; Element Standards; Frameworks; Principles; Terminology; Toolbox of Techniques

Standards placed in the model (diagram):
ISMS Requirements (NP 27001)
ISM Metrics & Measurements (NP 27004)
Code of Practice for ISM (IS 17799 / ITU-T X.1051)
MICTS-1: Models and concepts
MICTS-2: Risk management
Information Security Management Implementation Guidance (NP 27003)
Information Security Mgt Framework
IT Network Security (IS 18028 / ITU-T X.???)
IT Intrusion Detection Framework (TR 15947)
Guidelines for TTP Services (IS 14516 / ITU-T X.842)
Healthcare ISMS Guide (TC 215)
T-ISMS: Telecom ISMS Guide (ITU-T X.1051)
Financial ISMS Guide (TC 68)
SC 27 SD 6 (updated and harmonized)
ISO Guide 73
IS 19011 Auditing
Info Security Incident Management (TR 18044)

10

SC 27 Standards – Cryptographic Techniques

Areas: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation

Key Mgt (IS 11770)
Entity Authentication (IS 9798)
Encryption (IS 18033)
Modes of Operation (IS 10116)
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)
Signatures giving msg recovery (IS 9796)
Non-Repudiation (IS 13888)
Signatures with appendix (IS 14888)
Check Character Systems (IS 7064)
Crypto Techniques based on Elliptic Curves (IS 15946)
Time Stamping Services (IS 18014)
Random Bit Generation (IS 18031)
Prime Number Generation (IS 18032)
Biometric Template Protection (NP 24745)
Authenticated Encryption (IS 19772)

11

SC 27 Standards – Security Evaluation

Framework for Security Evaluation & Testing of Biometric Technology (IS 19792)
Security Assessment of Operational Systems (TR 19791)
Evaluation Criteria for IT Security (“Common Criteria”) (IS 15408)
Security Requirements for Cryptographic Modules (IS 19790)
Protection Profile Registration Procedures (IS 15292)
Systems Security Engineering – Capability Maturity Model (IS 21827)
Methodology for IT Security Evaluation (IS 18045)
Framework for IT Security Assurance (TR 15443)
Guide on the Production of Protection Profiles & Security Targets (TR 15446)
Test Requirements for Cryptographic Modules (IS 24759)

12

New security areas - restructuring

SC27 recently started new projects/studies in the following areas:
Biometrics
Full ISMS framework
Requirements from new ISMS application domains (health care, transport, …)
Identification
Privacy
…

This required a revision and re-structuring of the SC 27 organisation in order to:
Attract new additional NB representatives to broaden the expertise available
Create WGs with a clearly focused scope
Increase the attractiveness for the experts to participate
Ensure the appropriate level of detail, quality and customer orientation in the standards and technical reports produced
Improve balance between WGs with respect to workload and participation
Improve overall efficiency across work programme and WGs

13

Evolving Structure (diagram)

WG 1 “ISMS” (previously WG 1 “Security Guidelines”)
WG 2 “Cryptography & Security Mechanisms”
WG 3 “Security Evaluation”
WG 4 “Security Controls & Services”
WG 5 “Privacy, Identity & Biometric Security”

Diagram axes: Assessment / Guidelines / Techniques; Process / Environment / System / Product

WGs in italics on the slide are new (WG 4 and WG 5)

14

ISO/IEC JTC 1/SC 27 “IT Security Techniques” – Scope & Organization

ISO/IEC JTC 1/SC 27: Information technology – Security techniques
Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia

Working Group 1: Information security management systems (Convener: Mr. T. Humphreys)
Working Group 2: Cryptography and security mechanisms (Convener: Mr. K. Naemura)
Working Group 3: Security evaluation criteria (Convener: Mr. M. Ohlin)
Working Group 4: Security controls and services (Convener: Mr. M.-C. Kang)
Working Group 5: Identity management and privacy technologies (Acting Convener: Mr. John Snare)

Scope (to be revised): Standardization of generic IT security services and techniques, including:
identification of generic requirements for IT system security services,
development of security techniques and mechanisms (cryptographic and non-cryptographic),
development of security guidelines,
development of management support documentation and standards,
development of criteria for IT security evaluation and certification of IT systems, components, and products.

15

Information Security Management Systems (WG 1) – Revised Scope

The scope of WG 1 covers the development of Information Security Management System (ISMS) standards and guidelines:

Development and maintenance of the ISO/IEC 27000 ISMS standards family

Identification of requirements for future ISMS standards and guidelines

Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for ISMS, e.g.:
ITU-T (Telecoms)
TC 215 (Healthcare)
TC 68 (Financial Services)
TC 204 (Transportation) [in process]
World Lottery Association (Gambling) [in process]

16

ISMS Standards

27000 Principles and Vocabulary
27001 ISMS Requirements
27002 ISM Code of Practice
27003 ISMS Implementation Guidance
27004 ISM Measurements
27005 ISMS Risk Assessment
27006 Accreditation Requirements

17

27001 - ISMS requirements

Published 15th Oct 2005
A specification for 3rd party certifications
Based on the PDCA (Plan, Do, Check, Act) model
Replaces BS 7799 Part 2

PDCA cycle: Design ISMS; Implement & use ISMS; Monitor & review ISMS; Maintain & improve ISMS

18

27002 - Code of Practice

Code of Practice for Information Security Management
The number to be given to ISO 17799 as of April 2007

Revision of ISO/IEC 17799:2000 (e.g. on asset management, mobile & wireless, vulnerability management, human resources, incident handling, third party services, …)

Published 15th June 2005

19

27003 – ISMS Implementation

Objective: provide implementation guidance to support the ISMS requirements standard 27001

Guidance and detailed advice regarding the PDCA processes, e.g.:
ISMS scope and policy
Identification of assets
Monitoring and review
Continuous improvement

Working Draft level

20

27004 – ISM Measurements

Objective: to develop an information security management measurements standard aimed at addressing how to measure the EFFECTIVENESS of ISMS implementations (processes and controls)

Performance targets, benchmarking …
What to measure, how to measure and when to measure

At CD level
Expected publication around the end of 2007

21

27005 – Risk Management

Objective: to cover the risk management process that supports ISO 27001

Risk assessment
Risk treatment
Selection of controls
On-going risk management activities, e.g. re-assessment of risks

Includes MICTS Part 2 (GMITS Parts 3 and 4)
Currently at FCD level
Expected publication end 2007

22

27006 – Accreditation requirements

Objective: to specify requirements for bodies providing audit and certification of information security management systems

Replaces EA 7/03
Expected to be published Feb 07

23

27000 – Principles and vocabulary

Includes a reference model for the 27000 series
Includes MICTS Part 1 (GMITS Parts 1 and 2)
Currently at working draft level
Expected publication 2008

24

Security Controls and Services (WG 4) – Scope

Established in May 2006, “spin-off” from WG 1

Scope covers the development and maintenance of standards and guidelines addressing security controls and services, including current SC 27 projects

Identification of requirements for and development of future service and applications standards and guidelines, for example in the areas of:
ICT Readiness for Business Continuity
Cyber Security
Application Security

25

Security Controls and Services (WG 4) – Scope (diagram)

Network Security (ISO 18028 revision)
TTP Services Security
ICT Readiness for BC, DR, & ER
Application Security
Forensic Investigation
Cybersecurity (Anti-Spyware, Anti-SPAM, Anti-Phishing)

Further annotations on the diagram:
NP; possibly include ISO/IEC 24762, Vulnerability Mgmt, IDS, & Incident Response related standards
under study
Future NP
Includes outsourcing and off-shoring security

26

Identity Management and Privacy Technologies (WG 5) – Scope

Established May 2006
Scope covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:

Current SC 27 projects:
Framework for Identity Management (24760)
Biometric template protection (24745)
Authentication context for biometrics (24761)
A privacy framework (NP 29100)
A privacy reference architecture (NP 29101)

Identification of requirements for and development of future standards and guidelines in these areas. Potential topics include:
Role based access control, provisioning, identifiers, and single sign-on in the area of identity management
Privacy infrastructures, anonymity and credentials, specific Privacy Enhancing Technologies (PETs), and privacy engineering.

27

Personal Identification

WG 5 has undertaken a study on personal identification. As a result of this study, matters concerning personal identification will be addressed in project 1.27.50 – CD 24760 “A Framework For Identity Management”.

This standard will define concepts associated with identity and identity management, and provide a framework for the secure, reliable, and private management of identity information (including information related to personal identification) over the lifecycle of entity identities and identity information.

WG 5 is liaising with SC 17 and SC 37 on this subject.

28

Privacy Management

WG 5 has undertaken a study on Privacy Management. Privacy Management will be addressed in new projects 1.27.54 “Privacy Framework (NP 29100)” and 1.27.55 “Privacy Reference Architecture (NP 29101)”.

SC 27 has liaisons with SC 7, SC 17, SC 25, SC 36 and SC 37, and intends to establish liaison with SC 32. Through these liaisons SC 27 will take account of related work in these JTC 1 SCs.

SC 27 is in the process of establishing a Cat C liaison to the International Conference of Data Protection and Privacy Commissioners.

29

NP 29100 – A Privacy Framework

NP approved with 23 YES, 1 NO (Q.2)
10 NB commitments for active participation (Q.3)
NB contributions received; editor proposed.

The privacy framework standard will:
provide a framework for defining privacy requirements as they relate to personally identifiable (PI) information processed by any information and communication system in any jurisdiction;
set a common privacy terminology, define privacy principles when processing PI information, categorize privacy features and relate all described privacy aspects to existing security guidelines.

1st WD expected for Q2 2007

30

NP 29101 – A Privacy Reference Architecture

NP approved with 22 YES, 1 NO (Q.2)
9 NB commitments for active participation (Q.3)
NB contributions received; editor proposed.

The privacy reference architecture will:
describe best practices for a consistent, technical implementation of privacy requirements as they relate to the processing of personally identifiable (PI) information in information and communication systems;
cover the various stages in data life cycle management and the required privacy functionalities for PI data in each data life cycle, as well as positioning the roles and responsibilities of all involved parties;
present a target architecture and provide guidance for planning and building system architectures that facilitate the proper handling of PI data across system platforms;
set out the necessary prerequisites to allow the categorization of data and control over specific sets of data within various data life cycles.

1st WD expected Q2 2007

31

New activities

Study Periods:
Biometrics
Object identifiers and ASN.1 syntax
Transport system security
Low power encryption
Cyber security
Personal identification
ICT Readiness for Business Continuity (new 11/06)
Application Security (new 11/06)

32

Low Power Encryption

WG2 Study Period established
Call for NB contributions
WG2 reviewing contributions received

Further study necessary

33

Cyber Security

WG4 Study period established; Co-Rapporteurs appointed
First call for contributions; no substantial input received

Clarify scopes and objectives
Identify key issues to be addressed
Establish liaison with relevant bodies, including ITU-T SG17, OECD

Specific call for contributions (NWI proposals) early 2007

34

Transportation Security

WG1 study period has been established
NWI proposal by April 2007
Start NP October 2007

Establish liaison with TC 204 in order to consider the development of sector-specific requirements for ISMS within the transportation sector.

Note: Similar activities are expected to take place for the automotive sector, aerospace industry, manufacturing sector, …

35

SC 27 - Summary

SC 27 is responsible for ~ 90 projects, including over 40 active projects

Between 1990 and today, SC 27 has published 50+ International Standards (IS) and Technical Reports (TR)

Next Meetings:
May 2007 Moscow-St. Petersburg (Russia) WGs & Plenary
October 2007 Luzern (Switzerland) WGs
April 2008 Kyoto (Japan) WGs & Plenary

More Information & Contact:
SC 27 web-page: scope, organization, work items, etc. http://www.ni.din.de/sc27
SD7: Catalogue of SC 27 Projects & Standards
SC 27 Secretariat: [email protected]
SC 27 Chairman: [email protected]
SC 27 Vice Chair: [email protected]

Thank You
Contact: [email protected]