Question J/17 - Security Management
(continuation of a part of Question 10/17 studied during 2001-2004)
For telecommunications bodies, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. For telecommunications bodies to manage these business assets appropriately and to continue their business activities correctly, information security management is essential. For this reason, Recommendation X.1051 is being developed to cover the requirements of information security management for telecommunications bodies. Taking into account the above requirement on security management, new areas related to Recommendation X.1051 should be further investigated. More specifically, management technologies for risks and incidents need to be considered. The aim is to develop a set of Recommendations on security management for ITU-T.
In the course of the studies, full collaboration between ITU-T and ISO/IEC JTC 1 will be continued to ensure the widest possible compatibility of security solutions. The commercial success of solutions developed as national standards in many countries also needs to be considered.
a) How should security risks in telecommunications systems be identified and
b) How should information assets for telecommunications systems be identified and
c) How should specific management issues for telecommunications carriers be
d) How should an information security management system (ISMS) for telecommunications carriers be properly constructed in line with the existing ISMS
e) How should occurrences of security incidents in telecommunications be handled and
1) Review the similarities and differences among the existing management Recommendations in ITU-T and ISO/IEC management standards with regard to risk and incident management. (2Q2005);
2) Study and develop a methodology of risk management for telecommunications in line with the concept of information security management. (1Q2005 - 4Q2006);
3) Study and develop a handling and response procedure on security incidents for telecommunications in line with the concept of information security management. (1Q2005 - 4Q2006);
4) Propose an outline of the new Recommendations. (4Q2006);
5) Assess the outputs of risk management methodology and incident management procedure in view of usability for telecommunications facilities and services. Produce draft Recommendations. (4Q2006 - 4Q2007);
6) Consent new Recommendations (1Q2008).
It is expected that a decision on the pace of the study will be made in 1Q2005, and at that point the milestones may be revised.
Expected results are:
a) one or more new Recommendations on risk and incident management, consolidating and harmonising the existing and ongoing texts of security management ITU-T Recommendations and ISO/IEC standards;
b) improved consistency of the concepts and model for security management defined in ITU-T Recommendations and ISO/IEC standards.
Recommendations: X.200, X.273, X.274 and X.509
Questions: C/17, E/17, G/17, H/17, I/17, K/17, L/17 and M/17
Study Groups: ITU-T SGs 2, 4, 9, 11, 13, 15, 16 and SSG; ITU-R; ITU-D
Standardization bodies: ISO/IEC JTC 1/SC 27; ETSI; TTC
Other bodies: NIST