2006 INCITS Technical Committee Officers Symposium - PowerPoint PPT Presentation

1
2006 INCITS Technical Committee Officers
Symposium
  • Panel Discussion
  • IT Standards and Meeting the DHS/ANSI HSSP
    Objectives

2
INCITS CS1 and JTC1 SC 27 Projects Directly
Related to Homeland Security
  • The short answer, according to Joe Jarzombek,
    Director for Software Assurance, National Cyber
    Security Division, Office of Infrastructure
    Protection at DHS, in a talk to CS1 in June
    2005, is that
    • MOST of our SC 27 standards are needed by DHS
  • DHS is an active, voting member of CS1

3
Current activities of SC 27 are divided into five
working groups
  • Working Group 1 Information security management
    systems
  • Working Group 2 Cryptography and security
    mechanisms
  • Working Group 3 Security evaluation criteria
  • Working Group 4 (NEW) Security controls and
    services
  • Working Group 5 (NEW) Identity management and
    privacy technologies

4
WG 1 Information security management systems
Areas of Work
  • Information security management systems (ISMS)
  • Information security best practice
  • Risk management
  • Metrics and measurements
  • Implementation guidance
  • Intrusion Detection Systems
  • Information security incident handling
  • IT network security
  • TTP services
  • DR services

5
ISO 27000 ISMS Family of standards
  • 27000 (WD) -- ISMS Fundamentals and vocabulary
  • 27001 -- ISMS requirements
  • 27002 (17799 from April 2007) -- Code of
    practice for information security management
  • 27003 (WD) -- ISMS implementation guidelines
  • 27004 (WD) -- Information security management
    measurements
  • 27005 (WD) -- ISMS risk management
  • 27006 (FCD) -- Information technology --
    Security techniques -- Requirements for the
    accreditation of bodies providing certification
    of information security management systems

6
WG 2 Cryptography and security mechanisms Areas
of Work
  • Covers both cryptographic and non-cryptographic
    techniques and mechanisms, including
    • confidentiality
    • entity authentication
    • non-repudiation
    • key management
    • data integrity, such as
      • message authentication,
      • hash-functions,
      • digital signatures.
  • The mechanisms in general include several options
    with respect to the techniques used, including
    symmetric cryptographic, asymmetric
    cryptographic and non-cryptographic.

7
WG 2 Standards
  • Encryption standards (18033, 10116, 19772)
  • Entity authentication and key management (9798,
    11770)
  • Non-repudiation and time stamping (13888, 18014)
  • Digital signature standards (9796, 14888)
  • Message authentication codes (MACs) and
    hash-functions (9797, 10118)
  • Mathematical and cryptographic techniques (18031,
    18032, 15946)

8
WG 3 Security evaluation criteria Areas of Work
  • Standards for IT security evaluation and
    certification of IT systems, components, and
    products. This will include consideration of
    computer networks, distributed systems,
    associated application services, etc.
  • Three aspects may be distinguished:
    • evaluation criteria
    • methodology for application of the criteria
    • administrative procedures for evaluation,
      certification, and accreditation schemes.

9
WG 3 Standards
  • 15408:2005 Evaluation criteria for IT security
  • 15292:2001 Protection Profile registration
    procedure
  • 15446:2004 Guide on the production of Protection
    Profiles and Security Targets (PP/ST Guide)
  • 15443 A framework for IT security assurance
    (FRITSA), parts 1 and 2 published
  • 18045:2005 Methodology for IT security evaluation
    (CEM)
  • 19790 Security requirements for cryptographic
    modules
  • 19791 Security assessment of operational systems
  • 19792 A framework for security evaluation and
    testing of biometric technology
  • 21827:2002 Systems security engineering --
    Capability maturity model (SSE-CMM)
  • 24759 Test requirements for cryptographic modules

10
WG 4 Security controls and services (NEW)
  • Work areas will include the development and
    maintenance of standards and guidelines
    addressing services and applications supporting
    the implementation of control objectives and
    controls as defined in ISO/IEC 27001.
  • New work areas will include
    • Business continuity
    • Cyber security
    • Outsourcing

11
Current WG 4 projects
  • IT network security (ISO/IEC 18028)
  • Information security incident management (ISO/IEC
    TR 18044)
  • Guidelines for information and communications
    technology disaster recovery services (ISO/IEC
    24762)
  • Selection, deployment and operation of Intrusion
    Detection Systems (IDS) (ISO/IEC 18043)
  • Guidelines on use and management of Trusted Third
    Party services (ITU-T X.842 | ISO/IEC TR 14516)
  • Specification of TTP services to support the
    application of digital signatures (ITU-T X.843 |
    ISO/IEC 15945)
  • Security information objects for access control
    (ITU-T X.841 | ISO/IEC 15816)

12
WG 5 Identity Management and Privacy Technologies
(NEW)
  • The scope of SC27/WG 5 covers the development and
    maintenance of standards and guidelines
    addressing security aspects of identity
    management, biometrics and the protection of
    personal data.

13
WG 5 New Areas of Work
  • Identification of requirements for, and
    development of, future standards and guidelines
    in these areas.
  • In the area of identity management, topics such
    as
    • Role based access control
    • Provisioning
    • Identifiers
    • Single sign-on

14
WG 5 New Areas of Work (Cont'd)
  • In the area of privacy, topics such as
    • A Privacy Framework (NWI Ballot)
    • A Privacy Reference Architecture (NWI Ballot)
    • Privacy infrastructures
    • Anonymity and credentials
    • Specific Privacy Enhancing Technologies (PETs)
    • Privacy engineering
  • In the area of biometrics, topics such as
    • Protection of biometric data
    • Authentication techniques

15
A Privacy Framework (NWI Ballot)
  • Framework for defining privacy requirements as
    they relate to personally identifiable (PI)
    information processed by any information and
    communication system in any jurisdiction.
  • Needs to be closely linked to existing security
    standards that have been widely implemented into
    practice.
  • The framework should be applicable on an
    international scale and should set a common
    privacy terminology, define privacy principles
    when processing PI information, categorize
    privacy features and relate all described privacy
    aspects to existing security guidelines.

16
A Privacy Reference Architecture (NWI Ballot)
  • Model that will describe best practices for a
    consistent, technical implementation of privacy
    requirements as they relate to the processing of
    personally identifiable (PI) information in
    information and communication systems.
  • It will cover the various stages in data life
    cycle management and the required privacy
    functionalities for PI data in each data life
    cycle, as well as positioning the roles and
    responsibilities of all involved parties.
  • The privacy reference architecture will present a
    target architecture and will provide guidance for
    planning and building system architectures that
    facilitate the proper handling of PI data across
    system platforms.
  • It will set out the necessary prerequisites to
    allow the categorization of data and control over
    specific sets of data within various data life
    cycles.

17
Current WG 5 projects
  • Framework for identity management (ISO/IEC 24760)
  • Biometric template protection (ISO/IEC 24745)
  • Authentication context for biometrics (ISO/IEC
    24761)

18
Framework for Identity Management (ISO/IEC 24760)
  • Defines and establishes a framework for the
    accurate management of information associated
    with the identification of an entity within some
    context.
  • The identified entity might be a person, a
    device, an object, or any group of entities.
  • The context for identification might be within a
    transaction, within a business department
    (local), within an enterprise (corporate), or
    within national, global or universal boundaries.
  • The identification process provides entities with
    unique identity references, the entity
    identities.
  • The identity is what makes the entity exist, and
    be unique, within its context.
  • This standard covers a model and the life cycle
    descriptions of identities and identity
    information as they are established, modified,
    suspended, terminated or archived.