1. Objectives of Roadmap
This ICT Security Standards Roadmap is intended to support the
security standardization work of the ITU by identifying existing published
security standards, standards that are in development, and areas where a
need for standards has been identified but where work has not yet been
initiated. Although the focus is primarily on standards in the ITU-T space
(i.e. security standards relating to telecommunication networks), the
standards and work of other formal and informal regional and international
standards development organizations (SDOs) are included in this Roadmap. The
Roadmap also identifies existing collaborative projects and helps to
identify possible opportunities for future collaboration. It is hoped that
the Roadmap will contribute to the coordination of security standardization
activities by providing an up-to-date summary of work that has been
completed and work that is in progress across SDOs as well as identifying
the major organizations participating in this work. By knowing what has been
done already, and what work is in progress, it will be possible to avoid
duplication of effort and also to identify gaps that need attention.
2. Structure and content
The Roadmap, which is considered a “work in progress”, is currently
structured with the intention that the primary publication medium will be
the web. Although periodic paper publication is not precluded, it is
important that the currency of the information be maintained and that the
updating process be easy and timely. Publishing the Roadmap as a web
document facilitates frequent updates and will make the document readily
available to the widest possible audience at the lowest cost.
The information provided via the Roadmap is expected to expand as the work of
other SDOs is added. Currently, security standards of ATIS, ETSI, IEEE,
IETF, ISO/IEC, ITU, OASIS, 3GPP and 3GPP2 are included. Further expansion to
other organizations is anticipated as data is made available.
This part of the Roadmap provides summaries of the standards work in
progress by identifying the respective organizations and their overall work
programs. (The actual standards are listed in Part 2 of the Roadmap using a
fairly simple classification scheme.) In addition, this part of the Roadmap
includes a section devoted to the very important topic of security
definitions. In general, information in the body of the Roadmap is in the
form of brief summaries and headings; more detailed information may be
obtained by following the hot links.
3. Key international and regional ICT security standards development
organizations
Each international Standards Development Organization listed has a
particular role in the development of ICT security standards.
Standards of the following organizations are currently included in the
Roadmap:
3.1 Formal International Standards Development Organizations
International Telecommunication Union - Telecommunication
Standardization Sector (ITU-T)
International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC)
3.2 Other international standards bodies and forums
Internet Engineering Task Force (IETF)
Organization for the Advancement of Structured
Information Standards (OASIS)
The 3rd Generation Partnership Project (3GPP)
The 3rd Generation Partnership Project 2 (3GPP2)
3.3 Regional standards development organizations
Alliance for Telecommunications Industry Solutions (ATIS)
The European Telecommunications Standards Institute (ETSI)
Institute of Electrical and Electronics Engineers
Regional Asia Information Security Standards Exchange (RAISS Forum)
4. IT Security Definitions
Terminology forms a very important part of any standard. It is essential
that terms used be clear and unambiguous. However, the development of
definitions can often generate much discussion and divert attention from the
more important task of developing a technical specification. In addition, in
IT security, where diverse groups of experts are developing standards
relatively independently, there is a great risk that multiple definitions
will be developed for the same term or that similar definitions will be
appended to different terms. A number of security glossaries have already
been developed by SDOs. References are provided below. ITU-T SG17 urges that
experts who are engaged in the development utilize existing definitions from
these glossaries wherever possible. New terms should be defined only where
an acceptable definition does not already exist. Further, if it is necessary
to define a new term, it should not duplicate, or conflict with, a term that
has already been defined in an existing standard.
Existing security vocabularies
Compendium of ITU-T approved security definitions extracted from ITU-T recommendations
This document is a compendium of security-related definitions extracted
from approved ITU-T Recommendations with a view toward establishing a common
understanding (and use) of security terms within ITU-T. This listing will
continue to be developed.
ISO/IEC JTC 1/SC 27 Terminology
This SC27 Standing Document (SD 6) contains terms and definitions that
appear in SC 27 International Standards, Technical Reports and Drafts.
Internet Security Glossary
This Glossary provides definitions, abbreviations, and explanations of
terminology for information system security. The 334 pages of entries offer
recommendations to improve the comprehensibility of written material that is
generated in the Internet Standards Process (RFC 2026). The recommendations
follow the principles that such
writing should (a) use the same term or definition whenever the same concept
is mentioned; (b) use terms in their plainest, dictionary sense; (c) use
terms that are already well-established in open publications; and (d) avoid
terms that either favor a particular vendor or favor a particular technology
or mechanism over other, competing techniques that already exist or could be
developed.
ETSI Glossary of security terminology
ETR 232
Go to the above link and select “ETR” in the “Type” box and “232” in the
“Number” box.
ISO/IEC JTC1 SC 37 Harmonized Biometric Vocabulary
This Standing Document (SD 2) of SC37 contains an extensive list of
biometric-related definitions.
ITU-T Recommendation X.1252: Baseline identity management terms and
definitions
This document contains key terms and concepts used in identity management.
The terms are drawn from many sources but all terms included are believed to
be in common use. An informative annex provides rationale for some of
the key terms.

International Telecommunication Union
Telecommunication Standardization Sector (ITU-T)
The International Telecommunication Union – Telecommunication
Standardization Sector (ITU-T) acts as a forum where governments and the
private sector develop standards for global telecommunications networks and
services. It is one of the Sectors of the International Telecommunication
Union (ITU), an international specialized agency within the United Nations
system.
A guide to the ITU-T and how it operates is available at
itu.int/ITU-T/promotion
Key study groups with security responsibilities
Study Group 17: Security
(Lead Study Group on telecommunication security, identity management and
languages and description techniques.)
SG 17 is responsible for studies relating to security, including
cybersecurity, countering spam and identity management. Also responsible for
the application of open system communications including directory and object
identifiers, and for technical languages, the method for their usage and
other issues related to the software aspects of telecommunication systems.
SG 17 has three Working Parties (WP): WP1 - Network and information security;
WP2 - Application security; and WP3 - Identity management and languages.
SG 17 has been designated the Lead Study Group in the ITU-T for
telecommunication security and identity management issues. The ITU-T
security standardization effort is coordinated via a Security Project
managed under Question 1/17. Core activities of Q.1/17 are centred on
project management activities involving the coordination, assignment and
prioritization of efforts that will lead to timely communication system
security Recommendations.
All SG 17 Questions have a specific security mandate or are
security-related:
ITU-T Study Group 17 - Study Group Structure
and complete list of SG17 Questions
Study Group 2: Operational aspects of service provision and telecommunications management
(Lead Study Group for service definition, numbering and routing,
telecommunication for disaster relief/early warning, and telecommunication
management)
Responsible for studies relating to:
- principles of service provision, definition and operational requirements
  of service emulation;
- numbering, naming, addressing requirements and resource assignment
  including criteria and procedures for reservation and assignment;
- routing and interworking requirements;
- human factors;
- operational and management aspects of networks, including network
  traffic management, designations, and transport-related operations
  procedures;
- operational aspects of interworking between traditional
  telecommunication networks and evolving networks;
- evaluation of feedback from operators, manufacturing companies and users
  on different aspects of network operation;
- management of telecommunication services, networks, and equipment via
  management systems, including support for next-generation networks (NGN)
  and the application and evolution of the telecommunication management
  network (TMN) framework;
- ensuring the consistency of the format and structure of IdM identifiers;
  and
- specifying interfaces to management systems to support the communication
  of identity information within or between organizational domains.
Security-related Questions:
Q.1/2
Application of numbering, naming, addressing and identification plans for
fixed and mobile telecommunications services
Q.3/2
Service and operational aspects of telecommunications, including service
definition Operational Aspects of Telecommunication Network Service Quality
Q.5/2
Network and service operations and maintenance procedures
Q.7/2
Requirements for business-to-business and customer-to-business management
interfaces (M.3320)
Q.8/2
Management framework and architecture (M.3010, M.3016, M.3400)
Q.10/2
Specialized requirements, analysis and design for management interfaces
(M.3210.1)
Q.11/2
Protocols and security for management (Q.813, Q.815, Q.817)
Study Group 5: Environment and Climate Change
(Lead study group on electromagnetic compatibility and electromagnetic
effects, as well as on ICTs and climate change)
Responsible for studies relating to protection of telecommunication networks
and equipment from interference and lightning.
Also responsible for studies related to electromagnetic compatibility (EMC),
to safety and to health effects connected with electromagnetic fields
produced by telecommunication installations and devices, including cellular
phones.
Responsible for studies on the existing copper network outside plant and
related indoor installations.
Security-related Questions:
Q.2/5
EMC related to broadband access networks (Control of unwanted emissions from
broadband access systems contributes to reducing the possibility of
information leaks).
Q.4/5
Resistibility of communication equipment (Resistibility of equipment to
lightning improves resistibility of equipment to HEMP-induced surges).
Q.5/5
Lightning protection of telecommunication systems (Techniques used for
lightning protection also provide a degree of hardening of the facility
against HEMP and HPE).
Q.6/5
Bonding configurations and earthing of telecommunication systems in the
global environment (Appropriate bonding and earthing measures also help
hardening of the facility against HEMP and HPE).
Q.12/5
Maintenance and enhancement of existing EMC Recommendations (EMC of
telecommunication equipment improves the immunity of equipment against the
conducted and radiated HEMP environment as well as radiated HPE environment.
Also, EMC of telecommunication equipment reduces the possibility of
information leaks).
Q.15/5
Security of telecommunication and information systems regarding
electromagnetic environment (Resistibility of equipment to lightning
improves resistibility of equipment to HEMP-induced surges).
Q.17/5
Coordination and planning of ICT&CC related standardization
Study Group 9: Television and sound transmission and integrated broadband cable networks
(Lead Study Group on integrated broadband cable and television networks.)
Responsible for studies relating to:
- use of telecommunication systems for contribution, primary distribution
  and secondary distribution of television, sound programmes and related
  data services including interactive services.
- use of cable and hybrid networks, primarily designed for television and
  sound programme delivery to the home, as integrated broadband networks
  to also carry voice or other time-critical services, video on demand,
  interactive services, etc.
Security-related Questions:
Q.3/9
Methods and practices for conditional access, protection against
unauthorized copying and against unauthorized redistribution
(“redistribution control” for digital cable television distribution to the
home) (J.93, J.96 Amd 1)
Q.7/9
Cable television delivery of digital services and applications that use
Internet Protocols (IP) and/or packet-based data (J.112)
Q.8/9
Voice and video IP applications over cable television networks (J.160,
J.170, J.191)
Q.9/9
The extension of cable-based services over broadband in Home Networks
Q.10/9
Requirements and methods to deliver sound and television programmes and
other multimedia services over IP networks for advanced service platforms
Study Group 11: Signalling requirements, protocols and test specifications
(Lead Study Group on Signalling and Protocols, Intelligent Networks and
test Specifications.)
Responsible for studies relating to signalling requirements and protocols,
including those for IP-based networks, NGN, mobility, some multimedia
related signalling aspects, ad hoc networks (sensor networks, RFID, etc.),
QoS, and internetwork signalling for ATM, N-ISDN and PSTN networks. This
also includes reference signalling architectures and test specifications for
NGN and emerging networks (e.g., USN).
Most of SG 11's current Recommendations were developed for trusted TDM-based
networks in which point-to-point connections could be used to ensure
communications security. SG 11 recognized that introduction of IP
technology into the network would present new security challenges. In
recognition of the introduction of IP technology and the need to be able to
provide signalling and control information capability in this evolving
network in a secure manner, SG 11 generated a suite of questions related to
signalling requirements and protocol that took into account these new
security challenges in 2004.
Security-related Questions:
Q.14/11
Security coordination for NGN protocols
Study Group 12: Performance, QoS and QoE
(Lead Study Group on Quality of Service and Quality of Experience)
Responsible for Recommendations on performance, Quality of Service (QoS) and
Quality of Experience (QoE) for the full spectrum of terminals, networks and
services ranging from speech over fixed circuit-based networks to multimedia
applications over networks that are mobile and packet based. Included in
this scope are the operational aspects of performance, QoS and QoE.
A special focus is given to interoperability to ensure end-to-end users'
satisfaction.
Security-related Questions:
Q.10/12
Transmission planning and performance considerations for voiceband, data and
multimedia services
Q.13/12
QoE, QoS and performance requirements and assessment methods for multimedia
including IPTV
Q.17/12
Performance of packet-based networks and other networking technologies
Study Group 13: Future networks including mobile and NGN
(Lead Study Group for future networks and NGN, and mobility management
and fixed-mobile convergence.)
Responsible for studies relating to the requirements, architecture,
evolution and convergence of future networks. Also includes NGN project
management coordination across study groups and release planning,
implementation scenarios and deployment models, network and service
capabilities, interoperability, impact of IPv6, NGN mobility and network
convergence, public data network aspects and network aspects of IdM.
Responsible for studies relating to network aspects of mobile
telecommunication networks, including International Mobile
Telecommunications (IMT), wireless Internet, convergence of mobile and fixed
networks, mobility management, mobile multimedia network functions,
internetworking, interoperability and enhancements to existing ITU-T
Recommendations on IMT.
Recognizing that security is one of the defining features of NGN, SG 13 has
established a special question for the detailed studies on security –
Question 16, Security and identity management. The question is
focused on studies of the NGN-specific security issues and development of
the standard security solutions for NGN. One of the essential goals of SG 13
is to put in place a set of standards that will guarantee, to the maximum
degree possible, the security of the telecommunications infrastructure as
PSTNs evolve to NGNs.
Study Group 13 has also decided to incorporate in every new or eventually
revised Recommendation a security section for references to those sections
of the Recommendation in which security aspects are addressed.
Study Group 13 is developing its effort on NGN security-related matters in
collaboration with other Study Groups, and also with other standards
development organizations. The IETF (Internet, Security, and Transport
Areas), 3GPP and 3GPP2, and DSL Forum are among the most important external
SDOs for SG 13's security studies.
Security-related Questions:
Q.16/13
Security and identity management
Study Group 15: Optical transport networks and access network infrastructures
(Lead Study Group on access network transport, optical technology and
optical transport networks.)
Study Group 15 is responsible in ITU-T for the development of standards on
optical transport networks and access network infrastructures, systems,
equipment, optical fibres and cables, and their related installation,
maintenance, test, instrumentation and measurement techniques, and control
plane technologies to enable the evolution toward intelligent transport
networks. This encompasses the development of related standards for the
customer premises, access, metropolitan and long haul sections of
communication networks.
Security-related Questions:
Q.3/15
General characteristics of optical transport networks (G.911)
Q.9/15
Transport equipment and network protection/restoration (G.808.1, G.841,
G.842, G.873.1)
Q.14/15
Management and control of transport systems and equipment
Q.17/15
Maintenance and operation of optical fibre cable networks
Q.18/15
Development of optical networks in the access area
Study Group 16: Multimedia coding, systems and applications
(Lead Study Group on multimedia coding, systems and applications, ubiquitous
applications (“e-everything”, such as e-health and e-business), and
telecommunication/ICT accessibility for persons with disabilities)
Responsible for studies relating to ubiquitous applications, multimedia
capabilities for services and applications for existing and future networks,
including NGN and beyond. This encompasses accessibility, multimedia
architectures, terminals, protocols, signal processing, media coding and
systems (e.g. network signal processing equipment, multipoint conference
units, gateways, and gatekeepers).
Security-related Questions:
Q.1/16
Multimedia systems, terminals and data conferencing (H.233, H.234)
Q.2/16
H.323 real-time multimedia system
Q.4/16
Advanced functions for H.300-series systems and beyond (H.350.2)
Q.24/16
Multimedia security in NGN and other networks (NGN-MM-SEC) (H.235)


International Organization for Standardization (ISO) and
International Electrotechnical Commission (IEC)
ISO (the International Organization for Standardization) and IEC (the
International Electrotechnical Commission) form the specialized system for
worldwide standardization. National Bodies that are members of ISO or IEC
participate in the development of International Standards through technical
committees established by the respective organization to deal with
particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations,
in liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a Joint
Technical Committee 1: ISO/IEC JTC 1. This committee has responsibility for
standardization in the area of information technology. Within JTC 1 are a
number of technical committees of which Subcommittee 27 (SC27) is the lead
subcommittee (SC) on IT security.
Key ISO/IEC JTC 1 Subcommittees with security responsibilities
ISO/IEC JTC 1/SC 6 Telecommunications and Information Exchange Between
Systems
Area of Work
Standardization in the field of telecommunications dealing with the exchange
of information between open systems including system functions, procedures
and parameters and equipment as well as the conditions for their use.
This standardization includes both the lower layers that support the
physical, data link, network and transport services, including private
integrated services networking, as well as the upper layers that support the
application protocols and services.
A vital aspect of this work is done in effective cooperation with the ITU-T
and other world-wide and regional standardization bodies.
SC 6 Website:
www.iso.org/jtc1/sc6
SC6 Working Groups:
WG 1 Physical and Data Link Layers
WG 7 Network and Transport
WG 8 Directory
WG 9 ASN.1 and Registration Authorities
ISO/IEC JTC 1 SC 27 - IT Security Techniques
Area of Work
The development of standards for the protection of information and ICT.
This includes generic methods, techniques and guidelines to address both
security and privacy aspects, such as:
- Security requirements capture methodology;
- Management of information and ICT security; in particular information
  security management systems (ISMS), security processes, security
  controls and services;
- Cryptographic and other security mechanisms, including but not limited
  to mechanisms for protecting the accountability, availability,
  integrity and confidentiality of information;
- Security management support documentation including terminology,
  guidelines as well as procedures for the registration of security
  components;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the
  area of information security;
- Security evaluation criteria and methodology.
SC 27 engages in active liaison and collaboration with appropriate bodies to
ensure the proper development and application of SC 27 standards and
technical reports in relevant areas.
SC27 web site:
http://www.jtc1sc27.din.de/en
Current activities of SC 27 are divided into five working groups:
Working Group 1: Information security management systems
The scope of WG 1 covers the development of ISMS (Information Security
Management System) standards and guidelines (see SC 27 N5114). This
includes:
- Development and maintenance of the ISO/IEC 27000 ISMS standards family
- Identification of requirements for future ISMS standards and guidelines
- On-going maintenance of WG1 standing document SD WG 1/1 (WG 1 Roadmap)
- Collaboration with other Working Groups in SC 27, in particular with WG
  4 on standards addressing the implementation of control objectives and
  controls as defined in ISO/IEC 27001.
Working Group 2: Cryptography and security mechanisms
WG 2 provides a center of expertise for the standardization of IT Security
techniques and mechanisms within JTC 1.
Terms of Reference:
- to identify the need and requirements for these techniques and
mechanisms in IT systems and applications; and
- to develop terminology, general models and standards for these techniques
and mechanisms for use in security services.
The scope covers both cryptographic and non-cryptographic techniques and
mechanisms including:
- confidentiality;
- entity authentication;
- non-repudiation;
- key management;
- data integrity such as:
  - message authentication;
  - hash-functions;
  - digital signatures.
The mechanisms in general include several options with respect to the
techniques used including symmetric cryptographic, asymmetric cryptographic
and non-cryptographic.
Working Group 3: Security evaluation criteria
Terms of reference:
- Standards for IT Security evaluation and certification of IT systems,
components, and products. This will include consideration of computer
networks, distributed systems, associated application services, etc.
Three aspects may be distinguished:
- evaluation criteria;
- methodology for application of the criteria;
- administrative procedures for evaluation, certification, and accreditation
schemes.
This work will reflect the needs of relevant sectors in society, as
represented through ISO/IEC national Bodies and other organizations in
liaison, expressed in standards for security functionality and assurance.
Account will be taken of related ISO/IEC and ISO standards for quality
management and testing so as not to duplicate these efforts.
Working Group 4: Security controls and services
The scope of WG4 covers the development and maintenance of standards and
guidelines addressing services and applications supporting the
implementation of control objectives and controls as defined in ISO/IEC
27001. This includes:
1. Current SC 27 projects:
- IT Network security (ISO/IEC 18028)
- Information security incident management (ISO/IEC TR 18044)
- Guidelines for information and communications technology disaster
  recovery services (ISO/IEC 24762)
- Selection, deployment and operation of Intrusion Detection Systems (IDS)
  (ISO/IEC 18043)
- Guidelines on use and management of Trusted Third Party services (ITU-T
  X.842 | ISO/IEC TR 14516)
- Specification of TTP services to support the application of digital
  signatures (ITU-T X.843 | ISO/IEC 15945)
- Security information objects for access control (ITU-T X.841 | ISO/IEC
  15816)
2. Identification of requirements for and development of future service
and applications standards and guidelines, for example in the areas of
- Business Continuity
- Cyber Security
- Outsourcing
3. On-going maintenance of WG4 standing document SD WG4/1 (WG4 Road Map)
4. Collaboration with other Working Groups in SC 27, in particular with
WG1 on ISMS standards and guidelines
Working Group 5: Identity management and privacy technologies
The scope of SC27/WG 5 covers the development and maintenance of standards
and guidelines addressing security aspects of identity management,
biometrics and the protection of personal data. This includes:
1. Current SC 27 projects:
- Framework for Identity Management (ISO/IEC 24760)
- Biometric template protection (ISO/IEC 24745)
- Authentication context for biometrics (ISO/IEC 24761)
2. Identification of requirements for and development of future standards
and guidelines in these areas. For example in the area of Identity
Management, topics such as
In the area of Privacy, topics such as
- A Privacy Framework
- A Privacy Reference Architecture
- Privacy infrastructures
- Anonymity and credentials
- Specific Privacy Enhancing Technologies (PETs)
- Privacy Engineering
In the area of Biometrics, topics such as
3. Collaboration with other Working Groups in SC 27, e.g., WG1 on
management aspects, WG 2 on specific cryptographic techniques and WG 3 on
evaluation aspects.
The SC27 Catalogue of Projects is available as SD7 under “documents” at:
http://www.jtc1sc27.din.de/sbe/SD7
ISO/IEC JTC 1 SC37 Biometrics
Area of Work
Standardization of generic biometric technologies pertaining to human beings
to support interoperability and data interchange among applications and
systems. Generic human biometric standards include: common file frameworks;
biometric application programming interfaces; biometric data interchange
formats; related biometric profiles; application of evaluation criteria to
biometric technologies; methodologies for performance testing and reporting
and cross jurisdictional and societal aspects.
Excluded is the work in ISO/IEC JTC 1/SC 17 to apply biometric technologies to
cards and personal identification.
Also excluded is the work in ISO/IEC JTC 1/SC 27 for biometric data
protection techniques, biometric security testing, evaluations, and
evaluation methodologies.
SC37 working groups are as follows:
JTC 1/SC 37/WG 1 Harmonized biometric vocabulary
JTC 1/SC 37/WG 2 Biometric technical interfaces
JTC 1/SC 37/WG 3 Biometric data interchange formats
JTC 1/SC 37/WG 4 Biometric functional architecture and related profiles
JTC 1/SC 37/WG 5 Biometric testing and reporting
JTC 1/SC 37/WG 6 Cross-jurisdictional and societal aspects
SC37 website:
http://www.iso.org/iso/iso_technical_committee.html?commid=313770
IEC TC 57 Power systems management and associated information exchange
Scope
To prepare international standards for power systems control equipment and
systems including EMS (Energy Management Systems), SCADA (Supervisory
Control And Data Acquisition), distribution automation, teleprotection, and
associated information exchange for real-time and non-real-time information,
used in the planning, operation and maintenance of power systems. Power
systems management comprises control within control centres, substations and
individual pieces of primary equipment including telecontrol and interfaces
to equipment, systems and databases, which may be outside the scope of TC
57. The special conditions in a high voltage environment have to be taken
into consideration.
TC 57 has ten Working Groups of which the following is particularly relevant
to security:
WG 15: Data and communication security
A regularly-updated Whitepaper entitled “IEC TC57 Security Standards for the
Power System’s Information Infrastructure – Beyond Simple Encryption”
describes the work of WG15 and the current status of the standards. The
Whitepaper is available at:
http://xanthus-consulting.com/pages/publications.htm
TC 57 website:
http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=dirdet.p&progdb=db1&committee=TC&css_color=purple&number=57
Other international security standards bodies and forums

Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is a large open international
community of network designers, operators, vendors, and researchers
concerned with the evolution of the Internet architecture and the smooth
operation of the Internet. It is open to any interested individual.
The actual technical work of the IETF is done in its working groups, which
are organized by topic into several areas (e.g., routing, transport,
security, etc.). Much of the work is handled via mailing lists. The IETF
holds meetings three times per year.
IETF website:
http://www.ietf.org/
Key IETF groups with security responsibilities
The IETF Security Area
The Security Area consists of the Security Area Directors who are assisted
by a Security Area Directorate. The directorate is composed of the working
group chairs in the Security Area and a group of individuals who act as
advisers to other areas of the IETF at the request of the Security Area
Directors.
The Directors and the Directorate are aided and advised by the Security Area
Advisory Group (SAAG).
The SAAG acts as an open forum for security issues. Anyone can join the SAAG
mailing list and is welcome at the SAAG meetings held at IETF meetings. The
SAAG discussion archive is available at https://www.ietf.org/mail-archive/web/saag/
Security Area Working Groups include the following:
· Domain Keys Identified Mail
· EAP Method Update
· Handover Keying
· IP Security Maintenance and Extensions
· Integrated Security Model for SNMP
· Provisioning of Symmetric Keys
· Kitten (GSS-API Next Generation)
· Kerberos
· Long-Term Archive and Notary Services
· Multicast Security
· Network Endpoint Assessment
· Public-Key Infrastructure (X.509)
· Transport Layer Security
Significant Working Groups in other Areas:
· Keying and Authentication for Routing Protocols
· Locator/ID Separation Protocol
· Secure Inter-Domain Routing
· Open Authentication
· DNS Extensions
· Routing Over Low power and Lossy networks

Organization for the Advancement of Structured Information Standards (OASIS)
OASIS (Organization for the Advancement of Structured Information Standards)
is a not-for-profit, international consortium that drives the development,
convergence, and adoption of e-business standards. The consortium produces
more Web services standards than any other organization along with standards
for security, e-business, and standardization efforts in the public sector
and for application-specific markets. Founded in 1993, OASIS has more than
4,000 participants, representing over 600 organizations and individual
members in 100 countries.
OASIS is distinguished by its transparent governance and operating
procedures. Members themselves set the OASIS technical agenda, using a
lightweight process expressly designed to promote industry consensus and
unite disparate efforts. Completed work is ratified by open ballot.
Governance is accountable and unrestricted. Officers of both the OASIS Board
of Directors and Technical Advisory Board are chosen by democratic election
to serve two-year terms. Consortium leadership is based on individual merit
and is not tied to financial contribution, corporate standing, or special
appointment.
The Consortium hosts two of the most widely respected information portals on
XML and Web services standards, Cover Pages and XML.org.
OASIS Member Sections include Blue, CGM Open, COSL, eGov, Emergency, IDtrust,
LegalXML, Open CSA, and Telecom.
SGML Open
OASIS was founded in 1993 under the name SGML Open as a consortium of
vendors and users devoted to developing guidelines for interoperability
among products that support the Standard Generalized Markup Language (SGML).
OASIS changed its name in 1998 to reflect an expanded scope of technical
work, including the Extensible Markup Language (XML) and other related
standards.
OASIS security committees:
For more information about OASIS and its committees see:
www.OASIS-Open.org

The 3rd Generation Partnership Project (3GPP)
The 3rd Generation Partnership Project (3GPP) is a collaboration agreement
that was established in December 1998. The collaboration agreement brings
together a number of telecommunications standards bodies which are known as
“Organizational Partners”. The current Organizational Partners are ARIB, CCSA,
ETSI, ATIS, TTA, and TTC.
The establishment of 3GPP was formalized in December 1998 by the signing of
the “The 3rd Generation Partnership Project Agreement”.
The original scope of 3GPP was to produce globally applicable Technical
Specifications and Technical Reports for a 3rd Generation Mobile System
based on evolved GSM core networks and the radio access technologies that
they support (i.e., Universal Terrestrial Radio Access (UTRA) both Frequency
Division Duplex (FDD) and Time Division Duplex (TDD) modes). The scope was
subsequently amended to include the maintenance and development of the
Global System for Mobile communication (GSM) Technical Specifications and
Technical Reports including evolved radio access technologies (e.g. General
Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution
(EDGE)).
The discussions that led to the signing of the 3GPP Agreement were recorded
in a series of slides called the “Partnership Project Description” that
describes the basic principles and ideas on which the project is based.
The Partnership Project Description has not been maintained since its first
creation but the principles of operation of the project still remain valid.
In order to obtain a consolidated view of market requirements a second
category of partnership was created within the project called “Market
Representation Partners”.
“Observer” status is also possible within 3GPP for those telecommunication
standards bodies which have the potential to become Organizational Partners
but which, for various reasons, have not yet done so.
A permanent project support group called the “Mobile Competence Centre
(MCC)” has been established to ensure the efficient day to day running of
3GPP. The MCC is based at the ETSI headquarters in Sophia Antipolis, France.
The term "3GPP specification" covers all GSM (including
GPRS and EDGE) and W-CDMA specifications. The following
terms are also used to describe networks using the 3G specifications:
UTRAN, UMTS (in Europe) and FOMA (in Japan). Revised
versions of many of these specifications are produced up to four times a
year following the quarterly TSG plenary meetings. (TSG GERAN meets five
times a year.)
Following each TSG SA plenary meeting, a complete set of specifications is
produced. This set includes not only the new specifications generated at
that meeting, but also the latest versions of each specification that was
not changed at that meeting, i.e. each directory holds a complete set of
specifications. Each set has an associated status list as detailed in
the table below. Each set (and corresponding status list) includes the specs
arising from the TSG GERAN meetings held since the preceding SA meeting.
(GERAN meets asynchronously from the other TSGs.)
Specifications and their status are listed on the 3GPP web site.
Further information on 3GPP is available at 3GPP.


The Third Generation Partnership Project 2 (3GPP2)
The Third Generation Partnership Project 2 (3GPP2) is a collaborative third
generation (3G) telecommunications specifications-setting project comprising
North American and Asian interests
developing global specifications for ANSI/TIA/EIA-41 Cellular
Radiotelecommunication Intersystem Operations network evolution to 3G and
global specifications for the radio transmission technologies (RTTs)
supported by ANSI/TIA/EIA-41.
3GPP2 was born out of the International Telecommunication Union's (ITU)
International Mobile Telecommunications "IMT-2000" initiative, covering high
speed, broadband, and Internet Protocol
(IP)-based mobile systems featuring network-to-network interconnection,
feature/service transparency, global roaming and seamless services
independent of location. IMT-2000 is intended to bring high-quality mobile
multimedia telecommunications to a worldwide mass market by achieving the
goals of increasing the speed and ease of wireless communications,
responding to the problems faced by the increased demand to pass data via
telecommunications, and providing "anytime, anywhere" services.
3GPP2 is a parallel, sister project to 3GPP.
3GPP2 is a collaborative effort between five officially recognized SDOs.
They are:
ARIB - Association of Radio Industries and Businesses (Japan)
CCSA - China Communications Standards Association (China)
TIA - Telecommunications Industry Association (North America)
TTA - Telecommunications Technology Association (Korea)
TTC - Telecommunications Technology Committee (Japan)
These SDOs are known as the Project's Organizational Partners (OPs). 3GPP2
requires that a participating individual member company be affiliated with
at least one of the Organizational Partners.
In addition, the Project has welcomed Market Representation Partners (MRPs)
who offer market advice to 3GPP2 and bring a consensus view of market
requirements (e.g., services, features and functionality) falling within the
3GPP2 scope. They are:
The CDMA Development Group (CDG)
IPv6 Forum
Mobile Ignite
Femto Forum
The work of producing 3GPP2's specifications resides in the Project's four
Technical Specification Groups (TSGs) comprised of representatives from the
Project's Individual Member companies. The TSGs are:
TSG-A (Access Network Interfaces)
TSG-C (cdma2000®)
TSG-S (Services and Systems Aspects)
TSG-X (Core Networks)
Each TSG meets, on average, ten times a year to produce technical
specifications and reports. Since 3GPP2 has no legal status, ownership and
copyright of these output documents is shared between the Organizational
Partners. The documents cover all areas of the Project's charter, including
cdma2000® and its enhancements.
All TSGs report to the Project's Steering Committee, which is tasked with
managing the overall work process and adopting the technical specifications
forwarded by each of the TSGs.
Further information on 3GPP2 is available at: (3GPP2)
Regional standards development organizations

Alliance for Telecommunications Industry Solutions (ATIS)
ATIS is a United States based body that is committed to rapidly developing
and promoting technical and operations standards for the communications and
related information technologies industry worldwide using a pragmatic,
flexible and open approach.
ATIS prioritizes the industry’s most pressing technical and operational
issues, and creates interoperable, implementable, end to end solutions --
standards when the industry needs them and where they need them.
Over 1,100 industry professionals from more than 350 communications
companies actively participate in ATIS’ 22 industry committees and incubator
solutions programs. ATIS develops standards and solutions addressing a wide
range of industry issues in a manner that allocates and coordinates industry
resources and produces the greatest return for communications companies.
ATIS creates solutions that support the rollout of new products and services
into the communications marketplace. Its standardization activities for
wireless and wireline networks include interconnection standards, number
portability, improved data transmission, Internet telephony, toll-free
access, telecom fraud, and order and billing issues, among others. ATIS is
accredited by the American National Standards Institute (ANSI).
Some ATIS committees and forums:
Network Reliability Steering Committee (NRSC)
The NRSC performs analyses of network outages and provides recommendations
for corrective actions. NRSC issues quarterly and annual reports to the
industry and the FCC, in liaison with the FCC's Network Reliability Council.
Optical Transport and Synchronization Committee (OPTXS)
OPTXS develops and recommends standards and prepares technical reports
related to telecommunications network technology pertaining to network
synchronization interfaces and hierarchical structures for U.S.
telecommunications networks, some of which are associated with other
telecommunications networks. OPTXS focuses on those functions and
characteristics necessary to define and establish the interconnection of
signals comprising network transport. This includes aspects of both
asynchronous and synchronous networks. OPTXS also makes recommendations on
related subject matter under consideration in various North American and
international standards organizations.
Network Performance, Reliability and Quality of Service Committee (PRQC) (Formerly T1A1)
PRQC develops and recommends standards, requirements, and technical reports
related to the performance, reliability, and associated security aspects of
communications networks, as well as the processing of voice, audio, data,
image, and video signals, and their multimedia integration. PRQC also
develops and recommends positions on, and fosters consistency with, standards
and related subjects under consideration in other North American and
international standards bodies.
Packet Technologies and Systems Committee (PTSC)
PTSC develops and recommends standards and technical reports related to
services, architectures, and signaling, in addition to related subjects
under consideration in other North American and international standards
bodies.
Telecom Management and Operations Committee (TMOC)
The Telecom Management and Operations Committee (TMOC) develops operations,
administration, maintenance and provisioning standards, and other
documentation related to Operations Support System (OSS) and Network Element
(NE) functions and interfaces for communications networks - with an emphasis
on standards development related to U.S.A. communication networks in
coordination with the development of international standards.
Wireless Technologies and Systems Committee (WTSC)
WTSC develops and recommends standards and technical reports related to wireless
and/or mobile services and systems, including service descriptions and
wireless technologies.
For information on ATIS, plus a complete listing of forums and committees
see ATIS Local Information

The European Telecommunications Standards Institute (ETSI)
The European Telecommunications Standards Institute (ETSI) is an
independent, non-profit organization, whose mission is to produce
telecommunications standards for today and for the future.
Based in Sophia Antipolis (France), ETSI is officially responsible for
standardization of Information and Communication Technologies (ICT) within
Europe. These technologies include telecommunications, broadcasting and
related areas such as intelligent transportation and medical electronics.
ETSI has over 700 members from 62 countries around the world. Members
include manufacturers, network operators, administrations, service
providers, research bodies and users - in fact, all the key players in the
ICT arena.
ETSI plays a major role in developing a wide range of standards and other
technical documentation as Europe's contribution to world-wide ICT
standardization. This activity is supplemented by interoperability testing
services and other specialisms. ETSI's prime objective is to support global
harmonization by providing a forum in which all the key players can
contribute actively. ETSI is officially recognized by the European
Commission and the EFTA secretariat.
ETSI's Members determine the Institute’s work programme, allocate resources
and approve its deliverables. As a result, ETSI's activities are closely
aligned with market needs and there is wide acceptance of its products.
ETSI's standards are built on consensus.
The ETSI Technical Organization
In many ways, ETSI is typical of standardization bodies generally - the
technical work (i.e. the creation of technical standards and specifications)
is mostly done in committees. The Technical Committees and Projects form
part of the ETSI Technical Organization. But ETSI differs from many other
bodies in several important ways:
· there is direct participation by all members in the technical work
· the use of Specialist Task Forces (previously called Project Teams),
meeting full-time or at least more frequently than the Technical Committees
or Projects, has done much to accelerate the production process
· specialist studies in the areas of specification and testing methodologies
help to ensure optimum quality and usability of ETSI's deliverables
· there is a strong trend to strategic alliances with other
standardization/specification bodies around the world, which help to bring
the skills and knowledge of the world's leading experts together to work on
tasks for the common benefit of all participants.
The ETSI committee structure is shown in the following figure:

For more information on ETSI and its work see:
www.etsi.org

Institute of Electrical and Electronics Engineers, Inc. (IEEE)
IEEE is the world’s largest professional association dedicated to advancing
technological innovation and excellence for the benefit of humanity. IEEE
and its members inspire a global community through IEEE's highly cited
publications, conferences, technology standards, and professional and
educational activities.
Who the IEEE Serves
Through its global membership, the IEEE is a leading authority on areas
ranging from aerospace systems, computers and telecommunications to
biomedical engineering, electric power and consumer electronics among
others.
Members rely on the IEEE as a source of technical and professional
information, resources and services.
To foster an interest in the engineering profession, the IEEE also serves
student members in colleges and universities around the world.
Other important constituencies include prospective members and
organizations that purchase IEEE products and participate in conferences or
other IEEE programs.
IEEE Standards Association (IEEE-SA) working groups aim to set priorities
and develop appropriate standards. IEEE-SA working groups are open to
everyone and participants need not be IEEE-SA members.
Current security-related work includes activities on public key cryptography.
More information about the IEEE and its activities is available at
www.ieee.org

Regional Asia Information Security Standards Exchange (RAISE Forum)
RAISE refers to Regional Asia Information Security Exchange, and is a Forum
initiated by Mr Kang Meng Chow, the past Chairman of the Security & Privacy
Standards Technical Committee. This initiative was mooted during Singapore's
hosting of the ISO/IEC JTC1 SC27 Plenary and its Working Group meetings in
April 2004. An online forum has since been set up with participation from
various countries like Australia, Japan, Korea, Malaysia and Singapore.
The aims of this Forum are
- to provide a platform for sharing of knowledge and learning experiences
in regional economies on security standards development, adoption and
deployment;
- for the regional bodies to identify opportunities for regional
collaborations to further the course of international security standards
development and promulgation more effectively in the Asia region.
This Forum is currently co-chaired by Mr Koji Nakao of KDDI, Japan and Mr
Kang Meng Chow of Singapore.
More information on RAISE is available at:
RAISE Forum
Summary of Roadmap Updates
| Roadmap part | Release number | Last update |
|---|---|---|
| Introduction (Main page) | 2.4 | 25th January, 2011 |
| Part 1 | 4.4 | 23rd February, 2011 |
| Part 2 | 4.3 | 31st January, 2011 |
| Part 3 | 5.1 | 25th January, 2011 |
| Part 4 | 4.1 | 25th January, 2011 |
| Part 5 | 5.1 | 25th January, 2011 |