draft-ietf-opsec-efforts-00.txt | draft-ietf-opsec-efforts-01.txt | |||
---|---|---|---|---|
Network Working Group C. Lonvick | Network Working Group C. Lonvick | |||
Internet-Draft D. Spak | Internet-Draft D. Spak | |||
Expires: July 23, 2005 Cisco Systems | Expires: January 8, 2006 Cisco Systems | |||
January 22, 2005 | July 7, 2005 | |||
Security Best Practices Efforts and Documents | Security Best Practices Efforts and Documents | |||
draft-ietf-opsec-efforts-00.txt | draft-ietf-opsec-efforts-01.txt | |||
Status of this Memo | Status of this Memo | |||
This document is an Internet-Draft and is subject to all provisions | By submitting this Internet-Draft, each author represents that any | |||
of section 3 of RFC 3667. By submitting this Internet-Draft, each | applicable patent or other IPR claims of which he or she is aware | |||
author represents that any applicable patent or other IPR claims of | have been or will be disclosed, and any of which he or she becomes | |||
which he or she is aware have been or will be disclosed, and any of | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
which he or she become aware will be disclosed, in accordance with | ||||
RFC 3668. | ||||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
other groups may also distribute working documents as | other groups may also distribute working documents as Internet- | |||
Internet-Drafts. | Drafts. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on July 23, 2005. | This Internet-Draft will expire on January 8, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
Abstract | Abstract | |||
This document provides a snapshot of the current efforts to define or | This document provides a snapshot of the current efforts to define or | |||
apply security requirements in various Standards Developing | apply security requirements in various Standards Developing | |||
Organizations (SDO). | Organizations (SDO). | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
2. Format of this Document . . . . . . . . . . . . . . . . . . 6 | 2. Format of this Document . . . . . . . . . . . . . . . . . . 7 | |||
3. Online Security Glossaries . . . . . . . . . . . . . . . . . 7 | 3. Online Security Glossaries . . . . . . . . . . . . . . . . . 8 | |||
3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 7 | 3.1 ATIS Telecom Glossary 2000 . . . . . . . . . . . . . . . . 8 | |||
3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 7 | 3.2 Critical Infrastructure Glossary of Terms and Acronyms . . 8 | |||
3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 7 | 3.3 Internet Security Glossary - RFC 2828 . . . . . . . . . . 8 | |||
3.4 Compendium of Approved ITU-T Security Definitions . . . . 7 | 3.4 Compendium of Approved ITU-T Security Definitions . . . . 9 | |||
3.5 Microsoft Solutions for Security Glossary . . . . . . . . 8 | 3.5 Microsoft Solutions for Security Glossary . . . . . . . . 9 | |||
3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 8 | 3.6 SANS Glossary of Security Terms . . . . . . . . . . . . . 9 | |||
3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 8 | 3.7 USC InfoSec Glossary . . . . . . . . . . . . . . . . . . . 9 | |||
4. Standards Developing Organizations . . . . . . . . . . . . . 9 | 4. Standards Developing Organizations . . . . . . . . . . . . . 10 | |||
4.1 3GPP - Third Generation P P . . . . . . . . . . . . . . . 9 | 4.1 3GPP - Third Generation Partnership Project . . . . . . . 10 | |||
4.2 3GPP2 - Third Generation P P 2 . . . . . . . . . . . . . . 9 | 4.2 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 | |||
4.3 ANSI - The American National Standards Institute . . . . . 9 | 4.3 ANSI - The American National Standards Institute . . . . . 10 | |||
4.4 ATIS - Alliance for Telecommunications Industry | 4.4 ATIS - Alliance for Telecommunications Industry | |||
Solutions . . . . . . . . . . . . . . . . . . . . . . . . 9 | Solutions . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
4.4.1 ATIS Network Performance, Reliability and Quality | 4.4.1 ATIS Network Performance, Reliability and Quality | |||
of Service Committee, formerly T1A1 . . . . . . . . . 10 | of Service Committee, formerly T1A1 . . . . . . . . . 11 | |||
4.4.2 ATIS Network Interface, Power, and Protection | 4.4.2 ATIS Network Interface, Power, and Protection | |||
Committee, formerly T1E1 . . . . . . . . . . . . . . . 10 | Committee, formerly T1E1 . . . . . . . . . . . . . . . 11 | |||
4.4.3 ATIS Telecom Management and Operations Committee, | 4.4.3 ATIS Telecom Management and Operations Committee, | |||
formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 10 | formerly T1M1 OAM&P . . . . . . . . . . . . . . . . . 11 | |||
4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 10 | 4.4.4 ATIS Ordering and Billing Forum regarding T1M1 O&B . . 11 | |||
4.4.5 ATIS Wireless Technologies and Systems Committee, | 4.4.5 ATIS Wireless Technologies and Systems Committee, | |||
formerly T1P1 . . . . . . . . . . . . . . . . . . . . 11 | formerly T1P1 . . . . . . . . . . . . . . . . . . . . 12 | |||
4.4.6 ATIS Packet Technologies and Systems Committee, | 4.4.6 ATIS Packet Technologies and Systems Committee, | |||
regarding T1S1 . . . . . . . . . . . . . . . . . . . . 11 | formerly T1S1 . . . . . . . . . . . . . . . . . . . . 12 | |||
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 11 | 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 . 12 | |||
4.4.8 ATIS Optical Transport and Synchronization | 4.4.8 ATIS Optical Transport and Synchronization | |||
Committee, formerly T1X1 . . . . . . . . . . . . . . . 11 | Committee, formerly T1X1 . . . . . . . . . . . . . . . 12 | |||
4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 11 | 4.5 CC - Common Criteria . . . . . . . . . . . . . . . . . . . 12 | |||
4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 12 | 4.6 DMTF - Distributed Management Task Force, Inc. . . . . . . 13 | |||
4.7 ETSI - The European Telecommunications Standard | 4.7 ETSI - The European Telecommunications Standard | |||
Institute . . . . . . . . . . . . . . . . . . . . . . . . 12 | Institute . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 12 | 4.8 GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 13 | |||
4.9 IEEE - The Institute of Electrical and Electronics | 4.9 IEEE - The Institute of Electrical and Electronics | |||
Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 12 | Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 13 | |||
4.10 IETF - The Internet Engineering Task Force . . . . . . . 13 | 4.10 IETF - The Internet Engineering Task Force . . . . . . . 14 | |||
4.11 INCITS - InterNational Committee for Information | 4.11 INCITS - InterNational Committee for Information | |||
Technology Standards . . . . . . . . . . . . . . . . . . 13 | Technology Standards . . . . . . . . . . . . . . . . . . 14 | |||
4.12 ISO - The International Organization for | 4.12 INCITS Technical Committee T11 - Fibre Channel | |||
Standardization . . . . . . . . . . . . . . . . . . . . 13 | Interfaces . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
4.13 ITU - International Telecommunication Union . . . . . . 13 | 4.13 ISO - The International Organization for | |||
4.13.1 ITU Telecommunication Standardization Sector - | Standardization . . . . . . . . . . . . . . . . . . . . 14 | |||
ITU-T . . . . . . . . . . . . . . . . . . . . . . . 13 | 4.14 ITU - International Telecommunication Union . . . . . . 14 | |||
4.13.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 13 | 4.14.1 ITU Telecommunication Standardization Sector - | |||
4.13.3 ITU Telecom Development - ITU-D . . . . . . . . . . 14 | ITU-T . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
4.14 OASIS - Organization for the Advancement of | 4.14.2 ITU Radiocommunication Sector - ITU-R . . . . . . . 15 | |||
Structured Information Standards . . . . . . . . . . . . 14 | 4.14.3 ITU Telecom Development - ITU-D . . . . . . . . . . 15 | |||
4.15 OIF - Optical Internetworking Forum . . . . . . . . . . 14 | 4.15 OASIS - Organization for the Advancement of | |||
4.16 NRIC - The Network Reliability and Interoperability | Structured Information Standards . . . . . . . . . . . . 15 | |||
Council . . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.16 OIF - Optical Internetworking Forum . . . . . . . . . . 15 | |||
4.17 TIA - The Telecommunications Industry Association . . . 14 | 4.17 NRIC - The Network Reliability and Interoperability | |||
4.18 Web Services Interoperability Organization (WS-I) . . . 15 | Council . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
5. Security Best Practices Efforts and Documents . . . . . . . 16 | 4.18 National Security Telecommunications Advisory | |||
5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 16 | Committee (NSTAC) . . . . . . . . . . . . . . . . . . . 16 | |||
5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 16 | 4.19 TIA - The Telecommunications Industry Association . . . 16 | |||
4.20 Web Services Interoperability Organization (WS-I) . . . 16 | ||||
5. Security Best Practices Efforts and Documents . . . . . . . 17 | ||||
5.1 3GPP - TSG SA WG3 (Security) . . . . . . . . . . . . . . . 17 | ||||
5.2 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 17 | ||||
5.3 American National Standard T1.276-2003 - Baseline | 5.3 American National Standard T1.276-2003 - Baseline | |||
Security Requirements for the Management Plane . . . . . . 16 | Security Requirements for the Management Plane . . . . . . 17 | |||
5.4 DMTF - Security Protection and Management (SPAM) | 5.4 DMTF - Security Protection and Management (SPAM) | |||
Working Group . . . . . . . . . . . . . . . . . . . . . . 17 | Working Group . . . . . . . . . . . . . . . . . . . . . . 18 | |||
5.5 DMTF - User and Security Working Group . . . . . . . . . . 17 | 5.5 DMTF - User and Security Working Group . . . . . . . . . . 18 | |||
5.6 ATIS Security & Emergency Preparedness Activities . . . . 17 | 5.6 ATIS Security & Emergency Preparedness Activities . . . . 18 | |||
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, | 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, | |||
End-To-End Standards and Solutions . . . . . . . . . . . . 17 | End-To-End Standards and Solutions . . . . . . . . . . . . 18 | |||
5.8 Common Criteria . . . . . . . . . . . . . . . . . . . . . 18 | 5.7.1 ATIS Work on Packet Filtering . . . . . . . . . . . . 19 | |||
5.9 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 5.8 ATIS Work on the NGN . . . . . . . . . . . . . . . . . . . 19 | |||
5.10 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 18 | 5.9 Common Criteria . . . . . . . . . . . . . . . . . . . . . 19 | |||
5.11 Information System Security Assurance Architecture . . . 19 | 5.10 ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
5.12 Operational Security Requirements for IP Network | 5.11 GGF Security Area (SEC) . . . . . . . . . . . . . . . . 20 | |||
Infrastructure : Advanced Requirements . . . . . . . . . 19 | 5.12 Information System Security Assurance Architecture . . . 20 | |||
5.13 INCITS Technical Committee T4 - Security Techniques . . 19 | 5.13 Operational Security Requirements for IP Network | |||
5.14 INCITS Technical Committee T11 - Fibre Channel | Infrastructure : Advanced Requirements . . . . . . . . . 20 | |||
Interfaces . . . . . . . . . . . . . . . . . . . . . . . 19 | 5.14 INCITS Technical Committee T4 - Security Techniques . . 21 | |||
5.15 ISO Guidelines for the Management of IT Security - | 5.15 INCITS CS1 - Cyber Security . . . . . . . . . . . . . . 21 | |||
GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 5.16 ISO Guidelines for the Management of IT Security - | |||
5.16 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 20 | GMITS . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
5.17 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 21 | 5.17 ISO JTC 1/SC 27 . . . . . . . . . . . . . . . . . . . . 22 | |||
5.18 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 21 | 5.18 ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . 23 | |||
5.19 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 22 | 5.19 ITU-T Recommendation M.3016 . . . . . . . . . . . . . . 23 | |||
5.20 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 22 | 5.20 ITU-T Recommendation X.805 . . . . . . . . . . . . . . 24 | |||
5.21 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 22 | 5.21 ITU-T Study Group 16 . . . . . . . . . . . . . . . . . . 24 | |||
5.22 Catalogue of ITU-T Recommendations related to | 5.22 ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . 24 | |||
Communications System Security . . . . . . . . . . . . . 22 | 5.23 Catalogue of ITU-T Recommendations related to | |||
5.23 ITU-T Security Manual . . . . . . . . . . . . . . . . . 23 | Communications System Security . . . . . . . . . . . . . 24 | |||
5.24 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 23 | 5.24 ITU-T Security Manual . . . . . . . . . . . . . . . . . 25 | |||
5.25 OASIS Security Joint Committee . . . . . . . . . . . . . 23 | 5.25 ITU-T NGN Effort . . . . . . . . . . . . . . . . . . . . 25 | |||
5.26 OASIS Security Services TC . . . . . . . . . . . . . . . 24 | 5.26 NRIC VI Focus Groups . . . . . . . . . . . . . . . . . . 25 | |||
5.27 OIF Implementation Agreements . . . . . . . . . . . . . 24 | 5.27 OASIS Security Joint Committee . . . . . . . . . . . . . 26 | |||
5.28 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 5.28 OASIS Security Services TC . . . . . . . . . . . . . . . 26 | |||
5.29 WS-I Basic Security Profile . . . . . . . . . . . . . . 24 | 5.29 OIF Implementation Agreements . . . . . . . . . . . . . 26 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . 26 | 5.30 TIA . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 27 | 5.31 WS-I Basic Security Profile . . . . . . . . . . . . . . 27 | |||
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 28 | 6. Security Considerations . . . . . . . . . . . . . . . . . . 28 | |||
9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 29 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 29 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 30 | |||
10.1 Normative References . . . . . . . . . . . . . . . . . . . 30 | 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . 31 | |||
10.2 Informative References . . . . . . . . . . . . . . . . . . 30 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 30 | 10.1 Normative References . . . . . . . . . . . . . . . . . . 32 | |||
Intellectual Property and Copyright Statements . . . . . . . 31 | 10.2 Informative References . . . . . . . . . . . . . . . . . 32 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 32 | ||||
Intellectual Property and Copyright Statements . . . . . . . 33 | ||||
1. Introduction | 1. Introduction | |||
The Internet is being recognized as a critical infrastructure similar | The Internet is being recognized as a critical infrastructure similar | |||
in nature to the power grid and a potable water supply. Just like | in nature to the power grid and a potable water supply. Just like | |||
those infrastructures, means are needed to provide resiliency and | those infrastructures, means are needed to provide resiliency and | |||
adaptability to the Internet so that it remains consistently | adaptability to the Internet so that it remains consistently | |||
available to the public throughout the world even during times of | available to the public throughout the world even during times of | |||
duress or attack. For this reason, many SDOs are developing | duress or attack. For this reason, many SDOs are developing | |||
standards with hopes of retaining an acceptable level, or even | standards with hopes of retaining an acceptable level, or even | |||
skipping to change at page 7, line 14 | skipping to change at page 8, line 14 | |||
3. Online Security Glossaries | 3. Online Security Glossaries | |||
This section contains references to glossaries of network and | This section contains references to glossaries of network and | |||
computer security terms | computer security terms | |||
3.1 ATIS Telecom Glossary 2000 | 3.1 ATIS Telecom Glossary 2000 | |||
http://www.atis.org/tg2k/ | http://www.atis.org/tg2k/ | |||
Under an approved T1 standards project (T1A1-20), an existing | Under an approved T1 standards project (T1A1-20), an existing 5800- | |||
5800-entry, search-enabled hypertext telecommunications glossary | entry, search-enabled hypertext telecommunications glossary titled | |||
titled Federal Standard 1037C, Glossary of Telecommunication Terms | Federal Standard 1037C, Glossary of Telecommunication Terms was | |||
was updated and matured into this glossary, T1.523-2001, Telecom | updated and matured into this glossary, T1.523-2001, Telecom Glossary | |||
Glossary 2000. This updated glossary was posted on the Web as a | 2000. This updated glossary was posted on the Web as a American | |||
American National Standard (ANS). | National Standard (ANS). | |||
3.2 Critical Infrastructure Glossary of Terms and Acronyms | 3.2 Critical Infrastructure Glossary of Terms and Acronyms | |||
http://www.ciao.gov/ciao_document_library/glossary/a.htm | http://www.ciao.gov/ciao_document_library/glossary/a.htm | |||
The Critical Infrastructure Assurance Office (CIAO) was created to | The Critical Infrastructure Assurance Office (CIAO) was created to | |||
coordinate the Federal Government's initiatives on critical | coordinate the Federal Government's initiatives on critical | |||
infrastructure assurance. While the glossary was not created as a | infrastructure assurance. While the glossary was not created as a | |||
glossary specifically for security terms, it is populated with many | glossary specifically for security terms, it is populated with many | |||
security related definitions, abbreviations, organizations, and | security related definitions, abbreviations, organizations, and | |||
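Review bot: In 3.1 the rewrapped sentence still reads "posted on the Web as a American National Standard (ANS)" in both columns. Since the paragraph is being reflowed anyway, correct it to "an American National Standard". The introductory sentence of section 3 ("glossaries of network and computer security terms") also still lacks its closing period.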
skipping to change at page 9, line 14 | skipping to change at page 10, line 14 | |||
4. Standards Developing Organizations | 4. Standards Developing Organizations | |||
This section of this document lists the SDOs, or organizations that | This section of this document lists the SDOs, or organizations that | |||
appear to be developing security related standards. These SDOs are | appear to be developing security related standards. These SDOs are | |||
listed in alphabetical order. | listed in alphabetical order. | |||
Note: The authors would appreciate corrections and additions. This | Note: The authors would appreciate corrections and additions. This | |||
note will be removed before publication as an RFC. | note will be removed before publication as an RFC. | |||
4.1 3GPP - Third Generation P P | 4.1 3GPP - Third Generation Partnership Project | |||
http://www.3gpp.org | http://www.3gpp.org | |||
The 3rd Generation Partnership Project (3GPP) is a collaboration | The 3rd Generation Partnership Project (3GPP) is a collaboration | |||
agreement formed in December 1998. The collaboration agreement is | agreement formed in December 1998. The collaboration agreement is | |||
comprised of several telecommunications standards bodies which are | comprised of several telecommunications standards bodies which are | |||
known as "Organizational Partners". The current Organizational | known as "Organizational Partners". The current Organizational | |||
Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. | Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. | |||
4.2 3GPP2 - Third Generation P P 2 | 4.2 3GPP2 - Third Generation Partnership Project 2 | |||
http://www.3gpp2.org | http://www.3gpp2.org | |||
Third Generation Partnership Project 2 (3GPP2) is a collaboration | Third Generation Partnership Project 2 (3GPP2) is a collaboration | |||
among Organizational Partners much like its sister project 3GPP. The | among Organizational Partners much like its sister project 3GPP. The | |||
Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, | Organizational Partners (OPs) currently involved with 3GPP2 are ARIB, | |||
CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes | CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes | |||
the CDMA Development Group and IPv6 Forum as Market Representation | the CDMA Development Group and IPv6 Forum as Market Representation | |||
Partners for market advice. | Partners for market advice. | |||
4.3 ANSI - The American National Standards Institute | 4.3 ANSI - The American National Standards Institute | |||
http://www.ansi.org | http://www.ansi.org | |||
ANSI is a private, non-profit organization that organizes and | ANSI is a private, non-profit organization that organizes and | |||
oversees the U.S. voluntary standardization and conformity | oversees the U.S. voluntary standardization and conformity assessment | |||
assessment system. ANSI was founded October 19, 1918. | system. ANSI was founded October 19, 1918. | |||
4.4 ATIS - Alliance for Telecommunications Industry Solutions | 4.4 ATIS - Alliance for Telecommunications Industry Solutions | |||
http://www.atis.org | http://www.atis.org | |||
ATIS is a United States based body that is committed to rapidly | ATIS is a United States based body that is committed to rapidly | |||
developing and promoting technical and operations standards for the | developing and promoting technical and operations standards for the | |||
communications and related information technologies industry | communications and related information technologies industry | |||
worldwide using pragmatic, flexible and open approach. Committee T1 | worldwide using pragmatic, flexible and open approach. Committee T1 | |||
as a group no longer exists as a result of the recent ATIS | as a group no longer exists as a result of the recent ATIS | |||
skipping to change at page 11, line 16 | skipping to change at page 12, line 16 | |||
4.4.5 ATIS Wireless Technologies and Systems Committee, formerly T1P1 | 4.4.5 ATIS Wireless Technologies and Systems Committee, formerly T1P1 | |||
http://www.atis.org/0160/index.asp | http://www.atis.org/0160/index.asp | |||
ATIS Wireless Technologies and Systems Committee develops and | ATIS Wireless Technologies and Systems Committee develops and | |||
recommends standards and technical reports related to wireless and/or | recommends standards and technical reports related to wireless and/or | |||
mobile services and systems, including service descriptions and | mobile services and systems, including service descriptions and | |||
wireless technologies. | wireless technologies. | |||
4.4.6 ATIS Packet Technologies and Systems Committee, regarding T1S1 | 4.4.6 ATIS Packet Technologies and Systems Committee, formerly T1S1 | |||
T1S1 was split into two separate ATIS committees: the ATIS Packet | T1S1 was split into two separate ATIS committees: the ATIS Packet | |||
Technologies and Systems Committee and the ATIS Protocol Interworking | Technologies and Systems Committee and the ATIS Protocol Interworking | |||
Committee. As a result of the reorganization of T1S1, these groups | Committee. PTSC is responsible for producing standards to secure | |||
will also probably have a new mission and scope. | signalling. | |||
The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot | ||||
at this time. It is expected to move to an ANSI standard. | ||||
4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 | 4.4.7 ATIS Protocol Interworking Committee, regarding T1S1 | |||
T1S1 was split into two separate ATIS committees: the ATIS Packet | T1S1 was split into two separate ATIS committees: the ATIS Packet | |||
Technologies and Systems Committee and the ATIS Protocol Interworking | Technologies and Systems Committee and the ATIS Protocol Interworking | |||
Committee. As a result of the reorganization of T1S1, these groups | Committee. As a result of the reorganization of T1S1, these groups | |||
will also probably have a new mission and scope. | will also probably have a new mission and scope. | |||
4.4.8 ATIS Optical Transport and Synchronization Committee, formerly | 4.4.8 ATIS Optical Transport and Synchronization Committee, formerly | |||
T1X1 | T1X1 | |||
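Review bot: The 4.4.6 heading now says "formerly T1S1" while 4.4.7 keeps "regarding T1S1", although both paragraphs describe the same split of T1S1. Use one wording for both headings. In the new 4.4.6 text, "PTSC" appears without being expanded; spell it out on first use if it stands for the committee named in the heading. The document PTSC-SEC-2005-059.doc is cited with no URL or other pointer, and 4.4.6 has no committee URL where 4.4.5 does; say where a reader can obtain it. "in Letter Ballot at this time" will date quickly, so give the ballot date or tie the statement to the draft date.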
skipping to change at page 13, line 23 | skipping to change at page 14, line 25 | |||
4.11 INCITS - InterNational Committee for Information Technology | 4.11 INCITS - InterNational Committee for Information Technology | |||
Standards | Standards | |||
http://www.incits.org | http://www.incits.org | |||
INCITS focuses upon standardization in the field of Information and | INCITS focuses upon standardization in the field of Information and | |||
Communications Technologies (ICT), encompassing storage, processing, | Communications Technologies (ICT), encompassing storage, processing, | |||
transfer, display, management, organization, and retrieval of | transfer, display, management, organization, and retrieval of | |||
information. | information. | |||
4.12 ISO - The International Organization for Standardization | 4.12 INCITS Technical Committee T11 - Fibre Channel Interfaces | |||
http://www.t11.org/index.htm | ||||
T11 is responsible for standards development in the areas of | ||||
Intelligent Peripheral Interface (IPI), High-Performance Parallel | ||||
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called | ||||
FC-SP to define Security Protocols for Fibre Channel. | ||||
FC-SP Project Proposal: | ||||
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf | ||||
4.13 ISO - The International Organization for Standardization | ||||
http://www.iso.org | http://www.iso.org | |||
ISO is a network of the national standards institutes of 148 | ISO is a network of the national standards institutes of 148 | |||
countries, on the basis of one member per country, with a Central | countries, on the basis of one member per country, with a Central | |||
Secretariat in Geneva, Switzerland, that coordinates the system. ISO | Secretariat in Geneva, Switzerland, that coordinates the system. ISO | |||
officially began operations on February 23, 1947. | officially began operations on February 23, 1947. | |||
4.13 ITU - International Telecommunication Union | 4.14 ITU - International Telecommunication Union | |||
http://www.itu.int/ | http://www.itu.int/ | |||
The ITU is an international organization within the United Nations | The ITU is an international organization within the United Nations | |||
System headquartered in Geneva, Switzerland. The ITU is comprised of | System headquartered in Geneva, Switzerland. The ITU is comprised of | |||
three sectors: | three sectors: | |||
4.13.1 ITU Telecommunication Standardization Sector - ITU-T | 4.14.1 ITU Telecommunication Standardization Sector - ITU-T | |||
http://www.itu.int/ITU-T/ | http://www.itu.int/ITU-T/ | |||
ITU-T's mission is to ensure an efficient and on-time production of | ITU-T's mission is to ensure an efficient and on-time production of | |||
high quality standards covering all fields of telecommunications. | high quality standards covering all fields of telecommunications. | |||
4.13.2 ITU Radiocommunication Sector - ITU-R | 4.14.2 ITU Radiocommunication Sector - ITU-R | |||
http://www.itu.int/ITU-R/ | http://www.itu.int/ITU-R/ | |||
The ITU-R plays a vital role in the management of the radio-frequency | The ITU-R plays a vital role in the management of the radio-frequency | |||
spectrum and satellite orbits. | spectrum and satellite orbits. | |||
4.13.3 ITU Telecom Development - ITU-D | 4.14.3 ITU Telecom Development - ITU-D | |||
(also referred as ITU Telecommunication Development Bureau - BDT) | (also referred as ITU Telecommunication Development Bureau - BDT) | |||
http://www.itu.int/ITU-D/ | http://www.itu.int/ITU-D/ | |||
The Telecommunication Development Bureau (BDT) is the executive arm | The Telecommunication Development Bureau (BDT) is the executive arm | |||
of the Telecommunication Development Sector. Its duties and | of the Telecommunication Development Sector. Its duties and | |||
responsibilities cover a variety of functions ranging from programme | responsibilities cover a variety of functions ranging from programme | |||
supervision and technical advice to the collection, processing and | supervision and technical advice to the collection, processing and | |||
publication of information relevant to telecommunication development. | publication of information relevant to telecommunication development. | |||
4.14 OASIS - Organization for the Advancement of Structured | 4.15 OASIS - Organization for the Advancement of Structured | |||
Information Standards | Information Standards | |||
http://www.oasis-open.org/ | http://www.oasis-open.org/ | |||
OASIS is a not-for-profit, international consortium that drives the | OASIS is a not-for-profit, international consortium that drives the | |||
development, convergence, and adoption of e-business standards. | development, convergence, and adoption of e-business standards. | |||
4.15 OIF - Optical Internetworking Forum | 4.16 OIF - Optical Internetworking Forum | |||
http://www.oiforum.com/ | http://www.oiforum.com/ | |||
On April 20, 1998 Cisco Systems and Ciena Corporation announced an | On April 20, 1998 Cisco Systems and Ciena Corporation announced an | |||
industry-wide initiative to create the Optical Internetworking Forum, | industry-wide initiative to create the Optical Internetworking Forum, | |||
an open forum focused on accelerating the deployment of optical | an open forum focused on accelerating the deployment of optical | |||
internetworks. | internetworks. | |||
4.16 NRIC - The Network Reliability and Interoperability Council | 4.17 NRIC - The Network Reliability and Interoperability Council | |||
http://www.nric.org/ | http://www.nric.org/ | |||
The purposes of the Committee are to give telecommunications industry | The purposes of the Committee are to give telecommunications industry | |||
leaders the opportunity to provide recommendations to the FCC and to | leaders the opportunity to provide recommendations to the FCC and to | |||
the industry that assure optimal reliability and interoperability of | the industry that assure optimal reliability and interoperability of | |||
telecommunications networks. The Committee addresses topics in the | telecommunications networks. The Committee addresses topics in the | |||
area of Homeland Security, reliability, interoperability, and | area of Homeland Security, reliability, interoperability, and | |||
broadband deployment. | broadband deployment. | |||
4.17 TIA - The Telecommunications Industry Association | 4.18 National Security Telecommunications Advisory Committee (NSTAC) | |||
http://www.ncs.gov/nstac/nstac.html | ||||
President Ronald Reagan created the National Security | ||||
Telecommunications Advisory Committee (NSTAC) by Executive Order | ||||
12382 in September 1982. Since then, the NSTAC has served four | ||||
presidents. Composed of up to 30 industry chief executives | ||||
representing the major communications and network service providers | ||||
and information technology, finance, and aerospace companies, the | ||||
NSTAC provides industry-based advice and expertise to the President | ||||
on issues and problems related to implementing national security and | ||||
emergency preparedness (NS/EP) communications policy. Since its | ||||
inception, the NSTAC has addressed a wide range of policy and | ||||
technical issues regarding communications, information systems, | ||||
information assurance, critical infrastructure protection, and other | ||||
NS/EP communications concerns. | ||||
4.19 TIA - The Telecommunications Industry Association | ||||
http://www.tiaonline.org | http://www.tiaonline.org | |||
TIA is accredited by ANSI to develop voluntary industry standards for | TIA is accredited by ANSI to develop voluntary industry standards for | |||
a wide variety of telecommunications products. TIA's Standards and | a wide variety of telecommunications products. TIA's Standards and | |||
Technology Department is composed of five divisions: Fiber Optics, | Technology Department is composed of five divisions: Fiber Optics, | |||
User Premises Equipment, Network Equipment, Wireless Communications | User Premises Equipment, Network Equipment, Wireless Communications | |||
and Satellite Communications. | and Satellite Communications. | |||
4.18 Web Services Interoperability Organization (WS-I) | 4.20 Web Services Interoperability Organization (WS-I) | |||
http://www.ws-i.org/ | http://www.ws-i.org/ | |||
WS-I is an open, industry organization chartered to promote Web | WS-I is an open, industry organization chartered to promote Web | |||
services interoperability across platforms, operating systems, and | services interoperability across platforms, operating systems, and | |||
programming languages. The organization works across the industry | programming languages. The organization works across the industry | |||
and standards organizations to respond to customer needs by providing | and standards organizations to respond to customer needs by providing | |||
guidance, best practices, and resources for developing Web services | guidance, best practices, and resources for developing Web services | |||
solutions. | solutions. | |||
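Review bot: The new 4.18 heading does not follow the "ACRONYM - Name" form used by the entries around it (for example "4.17 NRIC - The Network Reliability and Interoperability Council" and "4.19 TIA - The Telecommunications Industry Association"); suggest "4.18 NSTAC - National Security Telecommunications Advisory Committee". In the added description, "the NSTAC has served four presidents" is a count that goes stale as the draft ages; drop it or tie it to a date.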
skipping to change at page 17, line 41 | skipping to change at page 18, line 41 | |||
5.5 DMTF - User and Security Working Group | 5.5 DMTF - User and Security Working Group | |||
http://www.dmtf.org/about/committees/userWGCharter.pdf | http://www.dmtf.org/about/committees/userWGCharter.pdf | |||
The User and Security Working Group defines objects and access | The User and Security Working Group defines objects and access | |||
methods required for principals - where principals include users, | methods required for principals - where principals include users, | |||
groups, software agents, systems, and organizations. | groups, software agents, systems, and organizations. | |||
5.6 ATIS Security & Emergency Preparedness Activities | 5.6 ATIS Security & Emergency Preparedness Activities | |||
http://www.atis.org/atis/atisinfo/emergency/security_committee_activi | http://www.atis.org/atis/atisinfo/emergency/ | |||
ties_T1.htm | security_committee_activities_T1.htm | |||
The link above contains the description of the ATIS Communications | The link above contains the description of the ATIS Communications | |||
Security Model, the scopes of the Technical Subcommittees in relation | Security Model, the scopes of the Technical Subcommittees in relation | |||
to the security model, and a list of published documents produced by | to the security model, and a list of published documents produced by | |||
ATIS addressed to various aspects of network security. | ATIS addressed to various aspects of network security. | |||
5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End | 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End | |||
Standards and Solutions | Standards and Solutions | |||
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf | ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf | |||
The ATIS TOPS Security Focus Group has made recommendations on work | The ATIS TOPS Security Focus Group has made recommendations on work | |||
items needed to be performed by other SDOs. | items needed to be performed by other SDOs. | |||
5.8 Common Criteria | 5.7.1 ATIS Work on Packet Filtering | |||
A part of the ATIS Work Plan was to define how disruptions may be | ||||
prevented by filtering unwanted traffic at the edges of the network. | ||||
ATIS is developing this work in a document titled, "Traffic Filtering | ||||
for the Prevention of Unwanted Traffic". | ||||
5.8 ATIS Work on the NGN | ||||
http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/ | ||||
Part%20I/ATIS_NGN_Part_1_Issue1.pdf | ||||
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts | ||||
entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN | ||||
Definitions, Requirements, and Architecture, Issue 1.0, November | ||||
2004." | ||||
5.9 Common Criteria | ||||
http://csrc.nist.gov/cc/ | http://csrc.nist.gov/cc/ | |||
Version 1.0 of the CC was completed in January 1996. Based on a | Version 1.0 of the CC was completed in January 1996. Based on a | |||
number of trial evaluations and an extensive public review, Version | number of trial evaluations and an extensive public review, Version | |||
1.0 was extensively revised and CC Version 2.0 was produced in April | 1.0 was extensively revised and CC Version 2.0 was produced in April | |||
of 1998. This became ISO International Standard 15408 in 1999. The | of 1998. This became ISO International Standard 15408 in 1999. The | |||
CC Project subsequently incorporated the minor changes that had | CC Project subsequently incorporated the minor changes that had | |||
resulted in the ISO process, producing CC version 2.1 in August 1999. | resulted in the ISO process, producing CC version 2.1 in August 1999. | |||
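Review bot: The URL added under new 5.8 has a space after "WebsiteDocuments/" ("http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/"), so it will not resolve once the wrapped lines are rejoined. Break it only at a slash with nothing inserted, the way the 5.6 URL is rewrapped in this same hunk. New 5.7.1 names "Traffic Filtering for the Prevention of Unwanted Traffic" without a URL or document number, unlike the neighbouring entries; add a reference or say that the document is not yet published.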
skipping to change at page 18, line 19 | skipping to change at page 19, line 36 | |||
http://csrc.nist.gov/cc/ | http://csrc.nist.gov/cc/ | |||
Version 1.0 of the CC was completed in January 1996. Based on a | Version 1.0 of the CC was completed in January 1996. Based on a | |||
number of trial evaluations and an extensive public review, Version | number of trial evaluations and an extensive public review, Version | |||
1.0 was extensively revised and CC Version 2.0 was produced in April | 1.0 was extensively revised and CC Version 2.0 was produced in April | |||
of 1998. This became ISO International Standard 15408 in 1999. The | of 1998. This became ISO International Standard 15408 in 1999. The | |||
CC Project subsequently incorporated the minor changes that had | CC Project subsequently incorporated the minor changes that had | |||
resulted in the ISO process, producing CC version 2.1 in August 1999. | resulted in the ISO process, producing CC version 2.1 in August 1999. | |||
Common Criteria v2.1 contains: | Common Criteria v2.1 contains: | |||
Part 1 - Intro & General Model | Part 1 - Intro & General Model | |||
Part 2 - Functional Requirements (including Annexes) | Part 2 - Functional Requirements (including Annexes) | |||
Part 3 - Assurance Requirements | Part 3 - Assurance Requirements | |||
Documents: Common Criteria V2.1 | Documents: Common Criteria V2.1 | |||
http://csrc.nist.gov/cc/CC-v2.1.html | http://csrc.nist.gov/cc/CC-v2.1.html | |||
5.9 ETSI | 5.10 ETSI | |||
http://www.etsi.org | http://www.etsi.org | |||
The ETSI hosted the ETSI Global Security Conference in late November, | The ETSI hosted the ETSI Global Security Conference in late November, | |||
2003, which could lead to a standard. | 2003, which could lead to a standard. | |||
Groups related to security located from the ETSI Groups Portal: | Groups related to security located from the ETSI Groups Portal: | |||
OCG Security | OCG Security | |||
3GPP SA3 | 3GPP SA3 | |||
TISPAN WG7 | TISPAN WG7 | |||
5.10 GGF Security Area (SEC) | 5.11 GGF Security Area (SEC) | |||
https://forge.gridforum.org/projects/sec/ | https://forge.gridforum.org/projects/sec/ | |||
The Security Area (SEC) is concerned with various issues relating to | The Security Area (SEC) is concerned with various issues relating to | |||
authentication and authorization in Grid environments. | authentication and authorization in Grid environments. | |||
Working groups: | Working groups: | |||
Authorization Frameworks and Mechanisms WG (AuthZ-WG) - | Authorization Frameworks and Mechanisms WG (AuthZ-WG) - | |||
https://forge.gridforum.org/projects/authz-wg | https://forge.gridforum.org/projects/authz-wg | |||
Certificate Authority Operations Working Group (CAOPS-WG) - | Certificate Authority Operations Working Group (CAOPS-WG) - | |||
https://forge.gridforum.org/projects/caops-wg | https://forge.gridforum.org/projects/caops-wg | |||
OGSA Authorization Working Group (OGSA-AUTHZ) - | OGSA Authorization Working Group (OGSA-AUTHZ) - | |||
https://forge.gridforum.org/projects/ogsa-authz | https://forge.gridforum.org/projects/ogsa-authz | |||
Grid Security Infrastructure (GSI-WG) - | Grid Security Infrastructure (GSI-WG) - | |||
https://forge.gridforum.org/projects/gsi-wg | https://forge.gridforum.org/projects/gsi-wg | |||
5.11 Information System Security Assurance Architecture | 5.12 Information System Security Assurance Architecture | |||
IEEE Working Group - http://issaa.org/ | IEEE Working Group - http://issaa.org/ | |||
Formerly the Security Certification and Accreditation of Information | Formerly the Security Certification and Accreditation of Information | |||
Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft | Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft | |||
Standard for Information System Security Assurance Architecture for | Standard for Information System Security Assurance Architecture for | |||
ballot and during the process begin development of a suite of | ballot and during the process begin development of a suite of | |||
associated standards for components of that architecture. | associated standards for components of that architecture. | |||
Documents: http://issaa.org/documents/index.html | Documents: http://issaa.org/documents/index.html | |||
5.12 Operational Security Requirements for IP Network Infrastructure : | 5.13 Operational Security Requirements for IP Network Infrastructure : | |||
Advanced Requirements | Advanced Requirements | |||
IETF Internet-Draft | IETF Internet-Draft | |||
Abstract: This document defines a list of operational security | Abstract: This document defines a list of operational security | |||
requirements for the infrastructure of large ISP IP networks (routers | requirements for the infrastructure of large ISP IP networks (routers | |||
and switches). A framework is defined for specifying "profiles", | and switches). A framework is defined for specifying "profiles", | |||
which are collections of requirements applicable to certain network | which are collections of requirements applicable to certain network | |||
topology contexts (all, core-only, edge-only...). The goal is to | topology contexts (all, core-only, edge-only...). The goal is to | |||
provide network operators a clear, concise way of communicating their | provide network operators a clear, concise way of communicating their | |||
security requirements to vendors. | security requirements to vendors. | |||
Documents: | Documents: | |||
http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt | http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt | |||
5.13 INCITS Technical Committee T4 - Security Techniques | 5.14 INCITS Technical Committee T4 - Security Techniques | |||
http://www.incits.org/tc_home/t4.htm | http://www.incits.org/tc_home/t4.htm | |||
Technical Committee T4, Security Techniques, participates in the | Technical Committee T4, Security Techniques, participates in the | |||
standardization of generic methods for information technology | standardization of generic methods for information technology | |||
security. This includes development of: security techniques and | security. This includes development of: security techniques and | |||
mechanisms; security guidelines; security evaluation criteria; and | mechanisms; security guidelines; security evaluation criteria; and | |||
identification of generic requirements for information technology | identification of generic requirements for information technology | |||
system security services. | system security services. | |||
5.14 INCITS Technical Committee T11 - Fibre Channel Interfaces | 5.15 INCITS CS1 - Cyber Security | |||
http://www.t11.org/index.htm | http://www.incits.org/tc_home/cs1.htm | |||
T11 is responsible for standards development in the areas of | INCITS/CS1 was established in April 2005 to serve as the US TAG for | |||
Intelligent Peripheral Interface (IPI), High-Performance Parallel | ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 | |||
Interface (HIPPI) and Fibre Channel (FC). T11 has a project called | (INCITS/T4 serves as the US TAG to SC 27/WG 2). | |||
FC-SP to define Security Protocols for Fibre Channel. | ||||
FC-SP Project Proposal: | The scope of CS1 explicitly excludes the areas of work on cyber | |||
ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf | security standardization presently underway in INCITS B10, M1 and T3; | |||
as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and | ||||
X9. INCITS T4's area of work would be narrowed to cryptography | ||||
projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and | ||||
mechanisms). | ||||
5.15 ISO Guidelines for the Management of IT Security - GMITS | 5.16 ISO Guidelines for the Management of IT Security - GMITS | |||
Guidelines for the Management of IT Security -- Part 1: Concepts and | Guidelines for the Management of IT Security -- Part 1: Concepts and | |||
models for IT Security | models for IT Security | |||
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER | http://www.iso.ch/iso/en/ | |||
=21733&ICS1=35 | CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 | |||
Guidelines for the Management of IT Security -- Part 2: Managing and | Guidelines for the Management of IT Security -- Part 2: Managing and | |||
planning IT Security | planning IT Security | |||
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE | http://www.iso.org/iso/en/ | |||
R=21755&ICS1=35&ICS2=40&ICS3= | CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& | |||
ICS3= | ||||
Guidelines for the Management of IT Security -- Part 3: Techniques | Guidelines for the Management of IT Security -- Part 3: Techniques | |||
for the management of IT Security | for the management of IT Security | |||
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE | http://www.iso.org/iso/en/ | |||
R=21756&ICS1=35&ICS2=40&ICS3= | CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40& | |||
ICS3= | ||||
Guidelines for the Management of IT Security -- Part 4: Selection of | Guidelines for the Management of IT Security -- Part 4: Selection of | |||
safeguards | safeguards | |||
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE | http://www.iso.org/iso/en/ | |||
R=29240&ICS1=35&ICS2=40&ICS3= | CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40& | |||
ICS3= | ||||
Guidelines for the Management of IT Security - Part 5: Management | Guidelines for the Management of IT Security - Part 5: Management | |||
guidance on network security | guidance on network security | |||
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE | http://www.iso.org/iso/en/ | |||
R=31142&ICS1=35&ICS2=40&ICS3= | CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& | |||
ICS3= | ||||
Open Systems Interconnection -- Network layer security protocol | Open Systems Interconnection -- Network layer security protocol | |||
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE | http://www.iso.org/iso/en/ | |||
R=22084&ICS1=35&ICS2=100&ICS3=30 | CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& | |||
ICS3=30 | ||||
5.16 ISO JTC 1/SC 27 | 5.17 ISO JTC 1/SC 27 | |||
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ | ||||
TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 | ||||
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalP | ||||
rogrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 | ||||
Several security related ISO projects under JTC 1/SC 27 are listed | Several security related ISO projects under JTC 1/SC 27 are listed | |||
here such as: | here such as: | |||
IT security techniques -- Entity authentication | IT security techniques -- Entity authentication | |||
Security techniques -- Key management | Security techniques -- Key management | |||
Security techniques -- Evaluation criteria for IT security | Security techniques -- Evaluation criteria for IT security | |||
Security techniques -- A framework for IT security assurance | Security techniques -- A framework for IT security assurance | |||
IT Security techniques -- Code of practice for information | IT Security techniques -- Code of practice for information | |||
security management | security management | |||
Security techniques -- IT network security | Security techniques -- IT network security | |||
Guidelines for the implementation, operation and management of | Guidelines for the implementation, operation and management of | |||
Intrusion Detection Systems (IDS) | Intrusion Detection Systems (IDS) | |||
International Security, Trust, and Privacy Alliance -- Privacy | International Security, Trust, and Privacy Alliance -- Privacy | |||
Framework | Framework | |||
5.17 ITU-T Study Group 2 | 5.18 ITU-T Study Group 2 | |||
http://www.itu.int/ITU-T/studygroups/com02/index.asp | http://www.itu.int/ITU-T/studygroups/com02/index.asp | |||
Security related recommendations currently under study: | Security related recommendations currently under study: | |||
E.408 Telecommunication networks security requirements Q.5/2 | E.408 Telecommunication networks security requirements Q.5/2 | |||
(was E.sec1) | (was E.sec1) | |||
E.409 Incident Organisation and Security Incident Handling | E.409 Incident Organisation and Security Incident Handling | |||
Q.5/2 (was E.sec2) | Q.5/2 (was E.sec2) | |||
Note: Access requires TIES account. | Note: Access requires TIES account. | |||
5.18 ITU-T Recommendation M.3016 | 5.19 ITU-T Recommendation M.3016 | |||
http://www.itu.int/itudoc/itu-t/com4/contr/068.html | http://www.itu.int/itudoc/itu-t/com4/contr/068.html | |||
This recommendation provides an overview and framework that | This recommendation provides an overview and framework that | |||
identifies the security requirements of a TMN and outlines how | identifies the security requirements of a TMN and outlines how | |||
available security services and mechanisms can be applied within the | available security services and mechanisms can be applied within the | |||
context of the TMN functional architecture. | context of the TMN functional architecture. | |||
Question 18 of Study Group 3 is revising Recommendation M.3016. They | Question 18 of Study Group 3 is revising Recommendation M.3016. They | |||
have taken the original document and are incorporating thoughts from | have taken the original document and are incorporating thoughts from | |||
ITU-T Recommendation X.805 and from ANSI T1.276-2003. This will | ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has | |||
produce a series of documents. | produced a new series of documents. | |||
Overview | ||||
Requirements | ||||
Services | ||||
Mechanisms | ||||
Profiles | ||||
This document will be discussed at the ITU meetings in February 2005. | M.3016.0 - Overview | |||
5.19 ITU-T Recommendation X.805 | M.3016.1 - Requirements | |||
M.3016.2 - Services | ||||
M.3016.3 - Mechanisms | ||||
M.3016.4 - Profiles | ||||
5.20 ITU-T Recommendation X.805 | ||||
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html | http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html | |||
This Recommendation defines the general security-related | This Recommendation defines the general security-related | |||
architectural elements that, when appropriately applied, can provide | architectural elements that, when appropriately applied, can provide | |||
end-to-end network security. | end-to-end network security. | |||
5.20 ITU-T Study Group 16 | 5.21 ITU-T Study Group 16 | |||
http://www.itu.int/ITU-T/studygroups/com16/index.asp | http://www.itu.int/ITU-T/studygroups/com16/index.asp | |||
Security of Multimedia Systems and Services - Question G/16 | Security of Multimedia Systems and Services - Question G/16 | |||
http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html | http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html | |||
5.21 ITU-T Study Group 17 | 5.22 ITU-T Study Group 17 | |||
http://www.itu.int/ITU-T/studygroups/com17/index.asp | http://www.itu.int/ITU-T/studygroups/com17/index.asp | |||
ITU-T Study Group 17 is the Lead Study Group on Communication System | ITU-T Study Group 17 is the Lead Study Group on Communication System | |||
Security | Security | |||
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html | http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html | |||
Study Group 17 Security Project: | Study Group 17 Security Project: | |||
http://www.itu.int/ITU-T/studygroups/com17/security/index.html | http://www.itu.int/ITU-T/studygroups/com17/security/index.html | |||
During its November 2002 meeting, Study Group 17 agreed to establish | During its November 2002 meeting, Study Group 17 agreed to establish | |||
a new project entitled "Security Project" under the leadership of | a new project entitled "Security Project" under the leadership of | |||
Q.10/17 to coordinate the ITU-T standardization effort on security. | Q.10/17 to coordinate the ITU-T standardization effort on security. | |||
An analysis of the status on ITU-T Study Group action on information | An analysis of the status on ITU-T Study Group action on information | |||
and communication network security may be found in TSB Circular 147 | and communication network security may be found in TSB Circular 147 | |||
of 14 February 2003. | of 14 February 2003. | |||
5.22 Catalogue of ITU-T Recommendations related to Communications | 5.23 Catalogue of ITU-T Recommendations related to Communications | |||
System Security | System Security | |||
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html | http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html | |||
The Catalogue of the approved security Recommendations include those, | The Catalogue of the approved security Recommendations include those, | |||
designed for security purposes and those, which describe or use of | designed for security purposes and those, which describe or use of | |||
functions of security interest and need. Although some of the | functions of security interest and need. Although some of the | |||
security related Recommendations includes the phrase "Open Systems | security related Recommendations includes the phrase "Open Systems | |||
Interconnection", much of the information contained in them is | Interconnection", much of the information contained in them is | |||
pertinent to the establishment of security functionality in any | pertinent to the establishment of security functionality in any | |||
communicating system. | communicating system. | |||
5.23 ITU-T Security Manual | 5.24 ITU-T Security Manual | |||
http://www.itu.int/ITU-T/edh/files/security-manual.pdf | http://www.itu.int/ITU-T/edh/files/security-manual.pdf | |||
TSB is preparing an "ITU-T Security Manual" to provide an overview on | TSB is preparing an "ITU-T Security Manual" to provide an overview on | |||
security in telecommunications and information technologies, describe | security in telecommunications and information technologies, describe | |||
practical issues, and indicate how the different aspects of security | practical issues, and indicate how the different aspects of security | |||
in today's applications are addressed by ITU-T Recommendations. This | in today's applications are addressed by ITU-T Recommendations. This | |||
manual has a tutorial character: it collects security related | manual has a tutorial character: it collects security related | |||
material from ITU-T Recommendations into one place and explains the | material from ITU-T Recommendations into one place and explains the | |||
respective relationships. The intended audience for this manual is | respective relationships. The intended audience for this manual is | |||
engineers and product managers, students and academia, as well as | engineers and product managers, students and academia, as well as | |||
regulators who want to better understand security aspects in | regulators who want to better understand security aspects in | |||
practical applications. | practical applications. | |||
5.24 NRIC VI Focus Groups | 5.25 ITU-T NGN Effort | |||
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html | ||||
During its January 2002 meeting, SG13 decided to undertake the | ||||
preparation of a new ITU-T Project entitled "NGN 2004 Project". At | ||||
the November 2002 SG13 meeting, a preliminary description of the | ||||
Project was achieved and endorsed by SG13 with the goal to launch the | ||||
Project. It is regularly updated since then. | ||||
The role of the NGN 2004 Project is to organize and to coordinate | ||||
ITU-T activities on Next Generation Networks. Its target is to | ||||
produce a first set of Recommendations on NGN by the end of this | ||||
study period, i.e. mid-2004. | ||||
5.26 NRIC VI Focus Groups | ||||
http://www.nric.org/fg/index.html | http://www.nric.org/fg/index.html | |||
The Network Reliability and Interoperability Council (NRIC) was | The Network Reliability and Interoperability Council (NRIC) was | |||
formed with the purpose to provide recommendations to the FCC and to | formed with the purpose to provide recommendations to the FCC and to | |||
the industry to assure the reliability and interoperability of | the industry to assure the reliability and interoperability of | |||
wireless, wireline, satellite, and cable public telecommunications | wireless, wireline, satellite, and cable public telecommunications | |||
networks. These documents provide general information and guidance | networks. These documents provide general information and guidance | |||
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | |||
prevention of cyberattack and for restoration following a | prevention of cyberattack and for restoration following a | |||
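Review bot: New 5.15 states "INCITS T4's area of work would be narrowed to cryptography projects in ISO/IEC JTC 1/SC 27 WG 2", but the 5.14 description of T4 is unchanged and still covers security guidelines, evaluation criteria and generic requirements, so the two adjacent sections now disagree. Update 5.14, or say in 5.15 whether the narrowing has taken effect. The same change removes the T11 entry and its FC-SP project reference with nothing replacing it; if that is intentional, it should be recorded in the change log. In new 5.25, "Its target is to produce a first set of Recommendations on NGN by the end of this study period, i.e. mid-2004" is written as a future goal although 5.15 in this revision already refers to April 2005; report the outcome instead, and change "It is regularly updated since then" to "It has been regularly updated since then".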
skipping to change at page 23, line 34 | skipping to change at page 26, line 6 | |||
The Network Reliability and Interoperability Council (NRIC) was | The Network Reliability and Interoperability Council (NRIC) was | |||
formed with the purpose to provide recommendations to the FCC and to | formed with the purpose to provide recommendations to the FCC and to | |||
the industry to assure the reliability and interoperability of | the industry to assure the reliability and interoperability of | |||
wireless, wireline, satellite, and cable public telecommunications | wireless, wireline, satellite, and cable public telecommunications | |||
networks. These documents provide general information and guidance | networks. These documents provide general information and guidance | |||
on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | on NRIC Focus Group 1B (Cybersecurity) Best Practices for the | |||
prevention of cyberattack and for restoration following a | prevention of cyberattack and for restoration following a | |||
cyberattack. | cyberattack. | |||
Documents: | Documents: | |||
Homeland Defense - Recommendations Published 14-Mar-03 | Homeland Defense - Recommendations Published 14-Mar-03 | |||
Preventative Best Practices - Recommendations Published 14-Mar-03 | Preventative Best Practices - Recommendations Published 14-Mar-03 | |||
Recovery Best Practices - Recommendations Published 14-Mar-03 | Recovery Best Practices - Recommendations Published 14-Mar-03 | |||
Best Practice Appendices - Recommendations Published 14-Mar-03 | Best Practice Appendices - Recommendations Published 14-Mar-03 | |||
5.25 OASIS Security Joint Committee | 5.27 OASIS Security Joint Committee | |||
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-j | http://www.oasis-open.org/committees/ | |||
c | tc_home.php?wg_abbrev=security-jc | |||
The purpose of the Security JC is to coordinate the technical | The purpose of the Security JC is to coordinate the technical | |||
activities of multiple security related TCs. The SJC is advisory | activities of multiple security related TCs. The SJC is advisory | |||
only, and has no deliverables. The Security JC will promote the use | only, and has no deliverables. The Security JC will promote the use | |||
of consistent terms, promote re-use, champion an OASIS security | of consistent terms, promote re-use, champion an OASIS security | |||
standards model, provide consistent PR, and promote mutuality, | standards model, provide consistent PR, and promote mutuality, | |||
operational independence and ethics. | operational independence and ethics. | |||
5.26 OASIS Security Services TC | 5.28 OASIS Security Services TC | |||
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security | http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security | |||
The Security Services TC is working to advance the Security Assertion | The Security Services TC is working to advance the Security Assertion | |||
Markup Language (SAML) as an OASIS standard. SAML is an XML | Markup Language (SAML) as an OASIS standard. SAML is an XML | |||
framework for exchanging authentication and authorization | framework for exchanging authentication and authorization | |||
information. | information. | |||
5.27 OIF Implementation Agreements | 5.29 OIF Implementation Agreements | |||
The OIF has 2 approved Implementation Agreements (IAs) relating to | The OIF has 2 approved Implementation Agreements (IAs) relating to | |||
security. They are: | security. They are: | |||
OIF-SMI-01.0 - Security Management Interfaces to Network Elements | OIF-SMI-01.0 - Security Management Interfaces to Network Elements | |||
This Implementation Agreement lists objectives for securing OAM&P | This Implementation Agreement lists objectives for securing OAM&P | |||
interfaces to a Network Element and then specifies ways of using | interfaces to a Network Element and then specifies ways of using | |||
security systems (e.g., IPsec or TLS) for securing these interfaces. | security systems (e.g., IPsec or TLS) for securing these interfaces. | |||
It summarizes how well each of the systems, used as specified, | It summarizes how well each of the systems, used as specified, | |||
satisfies the objectives. | satisfies the objectives. | |||
OIF - SEP - 01.1 - Security Extension for UNI and NNI | OIF - SEP - 01.1 - Security Extension for UNI and NNI | |||
This Implementation Agreement defines a common Security Extension for | This Implementation Agreement defines a common Security Extension for | |||
securing the protocols used in UNI 1.0, UNI 2.0, and NNI. | securing the protocols used in UNI 1.0, UNI 2.0, and NNI. | |||
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf | Documents: http://www.oiforum.com/public/documents/Security-IA.pdf | |||
5.28 TIA | 5.30 TIA | |||
The TIA has produced the "Compendium of Emergency Communications and | The TIA has produced the "Compendium of Emergency Communications and | |||
Communications Network Security-related Work Activities". This | Communications Network Security-related Work Activities". This | |||
document identifies standards, or other technical documents and | document identifies standards, or other technical documents and | |||
ongoing Emergency/Public Safety Communications and Communications | ongoing Emergency/Public Safety Communications and Communications | |||
Network Security-related work activities within TIA and it's | Network Security-related work activities within TIA and it's | |||
Engineering Committees. Many P25 documents are specifically | Engineering Committees. Many P25 documents are specifically | |||
detailed. This "living document" is presented for information, | detailed. This "living document" is presented for information, | |||
coordination and reference. | coordination and reference. | |||
Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf | Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf | |||
5.29 WS-I Basic Security Profile | 5.31 WS-I Basic Security Profile | |||
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html | http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html | |||
The WS-I Basic Security Profile 1.0 consists of a set of | The WS-I Basic Security Profile 1.0 consists of a set of non- | |||
non-proprietary Web services specifications, along with | proprietary Web services specifications, along with clarifications | |||
clarifications and amendments to those specifications which promote | and amendments to those specifications which promote | |||
interoperability. | interoperability. | |||
6. Security Considerations | 6. Security Considerations | |||
This document describes efforts to standardize security practices and | This document describes efforts to standardize security practices and | |||
documents. As such this document offers no security guidance | documents. As such this document offers no security guidance | |||
whatsoever. | whatsoever. | |||
Readers of this document should be aware of the date of publication | Readers of this document should be aware of the date of publication | |||
of this document. It is feared that they may assume that the | of this document. It is feared that they may assume that the | |||
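Review bot: The TIA paragraph (5.28 in -00, 5.30 in -01) still reads "within TIA and it's Engineering Committees" in both columns; the possessive "its" is meant, and this revision renumbers the section without fixing it. In the OIF section, the identifier "OIF - SEP - 01.1" is spaced differently from "OIF-SMI-01.0" a few lines above it; suggest using one form for both so the identifiers can be searched consistently.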
skipping to change at page 29, line 14 | skipping to change at page 31, line 14 | |||
9. Changes from Prior Drafts | 9. Changes from Prior Drafts | |||
-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt | -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt | |||
-01 : Security Glossaries: | -01 : Security Glossaries: | |||
Added ATIS Telecom Glossary 2000, Critical Infrastructure | Added ATIS Telecom Glossary 2000, Critical Infrastructure | |||
Glossary of Terms and Acronyms, Microsoft Solutions for | Glossary of Terms and Acronyms, Microsoft Solutions for | |||
Security Glossary, and USC InfoSec Glossary. | Security Glossary, and USC InfoSec Glossary. | |||
Standards Developing Organizations: | Standards Developing Organizations: | |||
Added DMTF, GGF, INCITS, OASIS, and WS-I | Added DMTF, GGF, INCITS, OASIS, and WS-I | |||
Removal of Committee T1 and modifications to ATIS and former T1 | Removal of Committee T1 and modifications to ATIS and former T1 | |||
technical subcommittees due to the recent ATIS reorganization. | technical subcommittees due to the recent ATIS reorganization. | |||
Efforts and Documents: | Efforts and Documents: | |||
Added DMTF User and Security WG, DMTF SPAM WG, GGF Security | Added DMTF User and Security WG, DMTF SPAM WG, GGF Security | |||
Area (SEC), INCITS Technical Committee T4 - Security | Area (SEC), INCITS Technical Committee T4 - Security | |||
Techniques, INCITS Technical Committee T11 - Fibre Channel | Techniques, INCITS Technical Committee T11 - Fibre Channel | |||
Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint | Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint | |||
Committee, OASIS Security Services TC, and WS-I Basic Security | Committee, OASIS Security Services TC, and WS-I Basic Security | |||
Profile. | Profile. | |||
Updated Operational Security Requirements for IP Network | Updated Operational Security Requirements for IP Network | |||
Infrastructure : Advanced Requirements. | Infrastructure : Advanced Requirements. | |||
-00 : as the WG ID | -00 : as the WG ID | |||
Added more information about the ITU-T SG3 Q18 effort to modify | Added more information about the ITU-T SG3 Q18 effort to modify | |||
ITU-T Recommendation M.3016. | ITU-T Recommendation M.3016. | |||
-01 : First revision as the WG ID. | ||||
Added information about the NGN in the sections about ATIS, the | ||||
NSTAC, and ITU-T. | ||||
Note: This section will be removed before publication as an RFC. | Note: This section will be removed before publication as an RFC. | |||
10. References | 10. References | |||
10.1 Normative References | 10.1 Normative References | |||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
Levels", RFC 2119, STD 14, March 1997. | Levels", RFC 2119, STD 14, March 1997. | |||
10.2 Informative References | 10.2 Informative References | |||
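Review bot: In section 9 the labels "-00" and "-01" each appear twice, once for the individual draft series and once for the WG ID series, so a reader cannot tell from the label alone which document an entry describes. Suggest qualifying each entry with the full draft name, as the first entry already does with "draft-lonvick-sec-efforts-01.txt", for example naming draft-ietf-opsec-efforts-00 and draft-ietf-opsec-efforts-01 on the two WG ID entries.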
skipping to change at page 30, line 26 | skipping to change at page 32, line 26 | |||
Authors' Addresses | Authors' Addresses | |||
Chris Lonvick | Chris Lonvick | |||
Cisco Systems | Cisco Systems | |||
12515 Research Blvd. | 12515 Research Blvd. | |||
Austin, Texas 78759 | Austin, Texas 78759 | |||
US | US | |||
Phone: +1 512 378 1182 | Phone: +1 512 378 1182 | |||
EMail: clonvick@cisco.com | Email: clonvick@cisco.com | |||
David Spak | David Spak | |||
Cisco Systems | Cisco Systems | |||
12515 Research Blvd. | 12515 Research Blvd. | |||
Austin, Texas 78759 | Austin, Texas 78759 | |||
US | US | |||
Phone: +1 512 378 1720 | Phone: +1 512 378 1720 | |||
EMail: dspak@cisco.com | Email: dspak@cisco.com | |||
Intellectual Property Statement | Intellectual Property Statement | |||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
End of changes. | ||||
This html diff was produced by rfcdiff 1.24, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |