1. Objectives of Roadmap
This ICT Security Standards Roadmap is intended to support the security standardization work of the ITU by identifying existing published security standards, standards that are in development, and areas where a need for standards has been identified but where work has not yet been initiated. Although the focus is primarily on standards in the ITU-T space (i.e. security standards relating to telecommunication networks), the standards and work of other formal and informal regional and international standards development organizations (SDOs) are included in this Roadmap. The Roadmap also identifies existing collaborative projects and helps to identify possible opportunities for future collaboration. It is hoped that the Roadmap will contribute to the coordination of security standardization activities by providing an up-to-date summary of work that has been completed and work that is in progress across SDOs, as well as identifying the major organizations participating in this work. By knowing what has been done already, and what work is in progress, it will be possible to avoid duplication of effort and also to identify gaps that need attention.
2. Structure and content
The Roadmap, which is considered a "work in progress", is currently structured with the intention that the primary publication medium will be the web. Although periodic paper publication is not precluded, it is important that the currency of the information be maintained and that the updating process be easy and timely. Publishing the Roadmap as a web document facilitates frequent updates and will make the document readily available to the widest possible audience at the lowest cost.
The information provided via the Roadmap is expected to expand as the work of other SDOs is added. Currently, security standards of ATIS, ETSI, IEEE, IETF, ISO/IEC, ITU, OASIS, 3GPP and 3GPP2 are included. Further expansion to other organizations is anticipated as data is made available.
This part of the Roadmap provides summaries of the standards work in progress by identifying the respective organizations and their overall work programs. (The actual standards are listed in Part 2 of the Roadmap using a fairly simple classification scheme.) In addition, this part of the Roadmap includes a section devoted to the very important topic of security definitions. In general, information in the body of the Roadmap is in the form of brief summaries and headings; more detailed information may be obtained by following the links.
3. Key international and regional ICT security standards development organizations
Each international Standards Development Organization listed has a particular role in the development of ICT security standards.
Standards of the following organizations are currently included in the Roadmap:
3.1 Formal International Standards Development Organizations
International Telecommunication Union - Telecommunication Standardization Sector (ITU-T)
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
3.2 Other international standards bodies and forums
Internet Engineering Task Force (IETF)
Organization for the Advancement of Structured Information Standards (OASIS)
The 3rd Generation Partnership Project (3GPP)
The 3rd Generation Partnership Project 2 (3GPP2)
3.3 Regional standards development organizations
Alliance for Telecommunications Industry Solutions (ATIS)
The European Telecommunications Standards Institute (ETSI)
Institute of Electrical and Electronics Engineers (IEEE)
Regional Asia Information Security Standards Exchange (RAISS Forum)
4. IT Security Definitions
Terminology forms a very important part of any standard. It is essential that the terms used be clear and unambiguous. However, the development of definitions can often generate much discussion and divert attention from the more important task of developing a technical specification. In addition, in IT security, where diverse groups of experts are developing standards relatively independently, there is a great risk that multiple definitions will be developed for the same term or that similar definitions will be attached to different terms. A number of security glossaries have already been developed by SDOs; references are provided below. ITU-T SG17 urges experts engaged in standards development to use existing definitions from these glossaries wherever possible. New terms should be defined only where an acceptable definition does not already exist. Further, if it is necessary to define a new term, it should not duplicate, or conflict with, a term that has already been defined in an existing standard.
Existing security vocabularies
Compendium of ITU-T approved security definitions extracted from ITU-T Recommendations
This document is a compendium of security-related definitions extracted from approved ITU-T Recommendations, with a view toward establishing a common understanding (and use) of security terms within ITU-T. This listing will continue to be developed.
ISO/IEC JTC 1/SC 27 Terminology
This SC 27 Standing Document (SD 6) contains terms and definitions that appear in SC 27 International Standards, Technical Reports and Drafts.
Internet Security Glossary
This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.
ETSI Glossary of security terminology
ETR 232
Go to the above link and select "ETR" in the "Type" box and "232" in the "Number" box.
ISO/IEC JTC 1/SC 37 Harmonized Biometric Vocabulary
This Standing Document (SD 2) of SC 37 contains an extensive list of biometric-related definitions.

International Telecommunication Union
Telecommunication Standardization Sector (ITU-T)
The International Telecommunication Union – Telecommunication Standardization Sector (ITU-T) acts as a forum where governments and the private sector develop standards for global telecommunications networks and services. It is one of the Sectors of the International Telecommunication Union (ITU), an international specialized agency within the United Nations system.
A guide to the ITU-T and how it operates is available at
itu.int/ITU-T/promotion
Key study groups with security responsibilities
Study Group 17: Security
(Lead Study Group on telecommunication security, identity management and languages and description techniques.)
SG 17 is responsible for studies relating to security, including cybersecurity, countering spam and identity management. It is also responsible for the application of open system communications, including directory and object identifiers, and for technical languages, the method for their usage and other issues related to the software aspects of telecommunication systems.
SG 17 has three Working Parties (WP):
- WP1 - Network and information security;
- WP2 - Application security; and
- WP3 - Identity management and languages.
SG 17 has been designated the Lead Study Group in the ITU-T for telecommunication security and identity management issues. The ITU-T security standardization effort is coordinated via a Security Project managed under Question 1/17. Core activities of Q.1/17 are centred on project management activities involving the coordination, assignment and prioritization of efforts that will lead to timely communication system security Recommendations.
All SG 17 Questions have a specific security mandate or are security-related:
ITU-T Study Group 17 - Study Group Structure and complete list of SG17 Questions
Study Group 2: Operational aspects of service provision and telecommunications management
(Lead Study Group for service definition, numbering and routing, telecommunication for disaster relief/early warning, and telecommunication management)
Responsible for studies relating to:
- principles of service provision, definition and operational requirements of service emulation;
- numbering, naming, addressing requirements and resource assignment, including criteria and procedures for reservation and assignment;
- routing and interworking requirements;
- human factors;
- operational and management aspects of networks, including network traffic management, designations, and transport-related operations procedures;
- operational aspects of interworking between traditional telecommunication networks and evolving networks;
- evaluation of feedback from operators, manufacturing companies and users on different aspects of network operation;
- management of telecommunication services, networks, and equipment via management systems, including support for next-generation networks (NGN) and the application and evolution of the telecommunication management network (TMN) framework;
- ensuring the consistency of the format and structure of IdM identifiers; and
- specifying interfaces to management systems to support the communication of identity information within or between organizational domains.
Security-related Questions:
Q.1/2 Application of numbering, naming, addressing and identification plans for fixed and mobile telecommunications services
Q.3/2 Service and operational aspects of telecommunications, including service definition
Operational aspects of telecommunication network service quality
Q.5/2 Network and service operations and maintenance procedures
Q.7/2 Requirements for business-to-business and customer-to-business management interfaces (M.3320)
Q.8/2 Management framework and architecture (M.3010, M.3016, M.3400)
Q.10/2 Specialized requirements, analysis and design for management interfaces (M.3210.1)
Q.11/2 Protocols and security for management (Q.813, Q.815, Q.817)
Study Group 5: Environment and Climate Change
(Lead Study Group on electromagnetic compatibility and electromagnetic effects, as well as on ICTs and climate change)
Responsible for studies relating to protection of telecommunication networks and equipment from interference and lightning. Also responsible for studies related to electromagnetic compatibility (EMC), to safety and to health effects connected with electromagnetic fields produced by telecommunication installations and devices, including cellular phones. Responsible for studies on the existing copper network outside plant and related indoor installations.
Security-related Questions:
Q.2/5 EMC related to broadband access networks (Control of unwanted emissions from broadband access systems contributes to reducing the possibility of information leaks).
Q.4/5 Resistibility of communication equipment (Resistibility of equipment to lightning improves resistibility of equipment to surges induced by HEMP, high-altitude electromagnetic pulse).
Q.5/5 Lightning protection of telecommunication systems (Techniques used for lightning protection also provide a degree of hardening of the facility against HEMP and HPE).
Q.6/5 Bonding configurations and earthing of telecommunication systems in the global environment (Appropriate bonding and earthing measures also help hardening of the facility against HEMP and HPE).
Q.12/5 Maintenance and enhancement of existing EMC Recommendations (EMC of telecommunication equipment improves the immunity of equipment against the conducted and radiated HEMP environment as well as the radiated HPE environment. Also, EMC of telecommunication equipment reduces the possibility of information leaks).
Q.15/5 Security of telecommunication and information systems regarding the electromagnetic environment (Resistibility of equipment to lightning improves resistibility of equipment to HEMP-induced surges).
Q.17/5 Coordination and planning of ICT&CC related standardization
Study Group 9: Television and sound transmission and integrated broadband cable networks
(Lead Study Group on integrated broadband cable and television networks.)
Responsible for studies relating to:
- use of telecommunication systems for contribution, primary distribution and secondary distribution of television, sound programmes and related data services, including interactive services;
- use of cable and hybrid networks, primarily designed for television and sound programme delivery to the home, as integrated broadband networks to also carry voice or other time-critical services, video on demand, interactive services, etc.
Security-related Questions:
Q.3/9 Methods and practices for conditional access, protection against unauthorized copying and against unauthorized redistribution ("redistribution control" for digital cable television distribution to the home) (J.93, J.96 Amd 1)
Q.7/9 Cable television delivery of digital services and applications that use Internet Protocols (IP) and/or packet-based data (J.112)
Q.8/9 Voice and video IP applications over cable television networks (J.160, J.170, J.191)
Q.9/9 The extension of cable-based services over broadband in home networks
Q.10/9 Requirements and methods to deliver sound and television programmes and other multimedia services over IP networks for advanced service platforms
Study Group 11: Signalling requirements, protocols and test specifications
(Lead Study Group on signalling and protocols, intelligent networks and test specifications.)
Responsible for studies relating to signalling requirements and protocols, including those for IP-based networks, NGN, mobility, some multimedia-related signalling aspects, ad hoc networks (sensor networks, RFID, etc.), QoS, and internetwork signalling for ATM, N-ISDN and PSTN networks. This also includes reference signalling architectures and test specifications for NGN and emerging networks (e.g., USN).
Most of SG 11's current Recommendations were developed for trusted TDM-based networks in which point-to-point connections could be used to ensure communications security. SG 11 recognized that the introduction of IP technology into the network would present new security challenges. In recognition of the introduction of IP technology and the need to be able to provide signalling and control information capability in this evolving network in a secure manner, SG 11 in 2004 generated a suite of Questions on signalling requirements and protocols that took these new security challenges into account.
Security-related Questions:
Q.14/11 Security coordination for NGN protocols
Study Group 12: Performance, QoS and QoE
(Lead Study Group on Quality of Service and Quality of Experience)
Responsible for Recommendations on performance, Quality of Service (QoS) and Quality of Experience (QoE) for the full spectrum of terminals, networks and services, ranging from speech over fixed circuit-based networks to multimedia applications over networks that are mobile and packet based. Included in this scope are the operational aspects of performance, QoS and QoE. A special focus is given to interoperability to ensure end-to-end users' satisfaction.
Security-related Questions:
Q.10/12 Transmission planning and performance considerations for voiceband, data and multimedia services
Q.13/12 QoE, QoS and performance requirements and assessment methods for multimedia including IPTV
Q.17/12 Performance of packet-based networks and other networking technologies
Study Group 13: Future networks including mobile and NGN
(Lead Study Group for future networks and NGN, and mobility management and fixed-mobile convergence.)
Responsible for studies relating to the requirements, architecture, evolution and convergence of future networks. This also includes NGN project management coordination across study groups and release planning, implementation scenarios and deployment models, network and service capabilities, interoperability, impact of IPv6, NGN mobility and network convergence, public data network aspects and network aspects of IdM. Responsible for studies relating to network aspects of mobile telecommunication networks, including International Mobile Telecommunications (IMT), wireless Internet, convergence of mobile and fixed networks, mobility management, mobile multimedia network functions, internetworking, interoperability and enhancements to existing ITU-T Recommendations on IMT.
Recognizing that security is one of the defining features of NGN, SG 13 has established a special Question for detailed studies on security: Question 16, Security and identity management. The Question is focused on studies of NGN-specific security issues and the development of standard security solutions for NGN. One of the essential goals of SG 13 is to put in place a set of standards that will guarantee, to the maximum degree possible, the security of the telecommunications infrastructure as PSTNs evolve to NGNs.
Study Group 13 has also decided to incorporate in every new or revised Recommendation a security section that references those sections of the Recommendation in which security aspects are addressed.
Study Group 13 is pursuing its work on NGN security-related matters in collaboration with other Study Groups, and also with other standards development organizations. The IETF (Internet, Security, and Transport Areas), 3GPP and 3GPP2, and the DSL Forum are among the most important external SDOs for the security studies of SG 13.
Security-related Questions:
Q.16/13 Security and identity management
Study Group 15: Optical transport networks and access network infrastructures
(Lead Study Group on access network transport, optical technology and optical transport networks.)
Study Group 15 is responsible in ITU-T for the development of standards on optical transport networks and access network infrastructures, systems, equipment, optical fibres and cables, and their related installation, maintenance, test, instrumentation and measurement techniques, and control plane technologies to enable the evolution toward intelligent transport networks. This encompasses the development of related standards for the customer premises, access, metropolitan and long-haul sections of communication networks.
Security-related Questions:
Q.3/15 General characteristics of optical transport networks (G.911)
Q.9/15 Transport equipment and network protection/restoration (G.808.1, G.841, G.842, G.873.1)
Q.14/15 Management and control of transport systems and equipment
Q.17/15 Maintenance and operation of optical fibre cable networks
Q.18/15 Development of optical networks in the access area
Study Group 16: Multimedia coding, systems and applications
(Lead Study Group on multimedia coding, systems and applications, ubiquitous applications ("e-everything", such as e-health and e-business), and telecommunication/ICT accessibility for persons with disabilities)
Responsible for studies relating to ubiquitous applications, multimedia capabilities for services and applications for existing and future networks, including NGN and beyond. This encompasses accessibility, multimedia architectures, terminals, protocols, signal processing, media coding and systems (e.g. network signal processing equipment, multipoint conference units, gateways, and gatekeepers).
Security-related Questions:
Q.1/16 Multimedia systems, terminals and data conferencing (H.233, H.234)
Q.2/16 H.323 real-time multimedia system
Q.4/16 Advanced functions for H.300-series systems and beyond (H.350.2)
Q.24/16 Multimedia security in NGN and other networks (NGN-MM-SEC) (H.235)


International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National Bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a Joint Technical Committee 1: ISO/IEC JTC 1. This committee has responsibility for standardization in the area of information technology. Within JTC 1 are a number of subcommittees, of which Subcommittee 27 (SC 27) is the lead subcommittee (SC) on IT security.
Key ISO/IEC JTC 1 Subcommittees with security responsibilities
ISO/IEC JTC 1/SC 6 Telecommunications and Information Exchange Between Systems
Area of Work
Standardization in the field of telecommunications dealing with the exchange of information between open systems, including system functions, procedures and parameters and equipment, as well as the conditions for their use. This standardization includes both the lower layers that support the physical, data link, network and transport services, including private integrated services networking, as well as the upper layers that support the application protocols and services.
A vital aspect of this work is done in effective cooperation with the ITU-T and other world-wide and regional standardization bodies.
SC 6 Website:
www.iso.org/jtc1/sc6
SC 6 Working Groups:
WG 1 Physical and Data Link Layers
WG 7 Network and Transport
WG 8 Directory
WG 9 ASN.1 and Registration Authorities
ISO/IEC JTC 1/SC 27 - IT Security Techniques
Area of Work
Standardization of generic methods, techniques and guidelines for information, IT and communication security. This includes the following areas:
- requirements capture methodology;
- security techniques and mechanisms, including procedures for the registration of security components;
- management of information, IT and communication security;
- management support documentation, including terminology, conformance assessments and security evaluation criteria standards.
SC 27 engages in active liaison and collaboration with appropriate bodies to ensure proper development and application of SC 27 standards and technical reports in relevant areas.
Specifically excluded from the scope is:
• the embedding of mechanisms in applications.
Note: The SC 27 Scope and Area of Work includes the standardization of cryptographic algorithms for integrity, authentication and non-repudiation services. Furthermore, it includes the standardization of cryptographic algorithms for confidentiality services for use in accordance with internationally accepted policies.
SC 27 web site:
http://www.jtc1sc27.din.de/en
Current activities of SC 27 are divided into five working groups:
Working Group 1: Information security management systems
The scope of WG 1 covers the development of ISMS (Information Security Management System) standards and guidelines (see SC 27 N5114). This includes:
- Development and maintenance of the ISO/IEC 27000 ISMS standards family
- Identification of requirements for future ISMS standards and guidelines
- On-going maintenance of WG 1 standing document SD WG 1/1 (WG 1 Roadmap)
- Collaboration with other Working Groups in SC 27, in particular with WG 4 on standards addressing the implementation of control objectives and controls as defined in ISO/IEC 27001.
Working Group 2: Cryptography and security mechanisms
WG 2 provides a center of expertise for the standardization of IT security techniques and mechanisms within JTC 1.
Terms of Reference:
- to identify the need and requirements for these techniques and mechanisms in IT systems and applications; and
- to develop terminology, general models and standards for these techniques and mechanisms for use in security services.
The scope covers both cryptographic and non-cryptographic techniques and mechanisms, including:
- confidentiality;
- entity authentication;
- non-repudiation;
- key management;
- data integrity, such as:
  - message authentication;
  - hash-functions;
  - digital signatures.
The mechanisms in general include several options with respect to the techniques used, including symmetric cryptographic, asymmetric cryptographic and non-cryptographic.
Working Group 3: Security evaluation criteria
Terms of reference:
- Standards for IT security evaluation and certification of IT systems, components, and products. This will include consideration of computer networks, distributed systems, associated application services, etc.
Three aspects may be distinguished:
- evaluation criteria;
- methodology for application of the criteria;
- administrative procedures for evaluation, certification, and accreditation schemes.
This work will reflect the needs of relevant sectors in society, as represented through ISO/IEC National Bodies and other organizations in liaison, expressed in standards for security functionality and assurance.
Account will be taken of related ISO/IEC and ISO standards for quality management and testing so as not to duplicate these efforts.
Working Group 4: Security controls and services
The scope of WG 4 covers the development and maintenance of standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC 27001. This includes:
1. Current SC 27 projects:
- IT network security (ISO/IEC 18028)
- Information security incident management (ISO/IEC TR 18044)
- Guidelines for information and communications technology disaster recovery services (ISO/IEC 24762)
- Selection, deployment and operation of Intrusion Detection Systems (IDS) (ISO/IEC 18043)
- Guidelines on use and management of Trusted Third Party services (ITU-T X.842 | ISO/IEC TR 14516)
- Specification of TTP services to support the application of digital signatures (ITU-T X.843 | ISO/IEC 15945)
- Security information objects for access control (ITU-T X.841 | ISO/IEC 15816)
2. Identification of requirements for and development of future service and applications standards and guidelines, for example in the areas of:
- Business continuity
- Cyber security
- Outsourcing
3. On-going maintenance of WG 4 standing document SD WG4/1 (WG 4 Road Map)
4. Collaboration with other Working Groups in SC 27, in particular with WG 1 on ISMS standards and guidelines
Working Group 5: Identity management and privacy technologies
The scope of SC 27/WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
1. Current SC 27 projects:
- Framework for identity management (ISO/IEC 24760)
- Biometric template protection (ISO/IEC 24745)
- Authentication context for biometrics (ISO/IEC 24761)
2. Identification of requirements for and development of future standards and guidelines in these areas. For example, in the area of identity management, topics such as:
- Role-based access control
- Provisioning
- Identifiers
- Single sign-on
In the area of privacy, topics such as:
- A privacy framework
- A privacy reference architecture
- Privacy infrastructures
- Anonymity and credentials
- Specific Privacy Enhancing Technologies (PETs)
- Privacy engineering
In the area of biometrics, topics such as:
- Protection of biometric data
- Authentication techniques
3. Collaboration with other Working Groups in SC 27, e.g., WG 1 on management aspects, WG 2 on specific cryptographic techniques and WG 3 on evaluation aspects.
The SC 27 Catalogue of Projects is available as SD7 under "documents" at:
http://www.jtc1sc27.din.de/sbe/SD7
ISO/IEC JTC 1/SC 37 Biometrics
Area of Work
Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting; and cross-jurisdictional and societal aspects.
Excluded is the work of ISO/IEC JTC 1/SC 17 to apply biometric technologies to cards and personal identification. Also excluded is the work in ISO/IEC JTC 1/SC 27 on biometric data protection techniques, biometric security testing, evaluations, and evaluation methodologies.
SC 37 working groups are as follows:
JTC 1/SC 37/WG 1 Harmonized biometric vocabulary
JTC 1/SC 37/WG 2 Biometric technical interfaces
JTC 1/SC 37/WG 3 Biometric data interchange formats
JTC 1/SC 37/WG 4 Biometric functional architecture and related profiles
JTC 1/SC 37/WG 5 Biometric testing and reporting
JTC 1/SC 37/WG 6 Cross-jurisdictional and societal aspects
SC 37 website:
http://www.iso.org/iso/iso_technical_committee.html?commid=313770
IEC TC 57 Power systems management and associated information exchange
Scope
To prepare international standards for power systems control equipment and systems, including EMS (Energy Management Systems), SCADA (Supervisory Control And Data Acquisition), distribution automation, teleprotection, and associated information exchange for real-time and non-real-time information, used in the planning, operation and maintenance of power systems. Power systems management comprises control within control centres, substations and individual pieces of primary equipment, including telecontrol and interfaces to equipment, systems and databases, which may be outside the scope of TC 57. The special conditions in a high-voltage environment have to be taken into consideration.
TC 57 has ten Working Groups, of which the following is particularly relevant to security:
WG 15: Data and communication security
A regularly-updated Whitepaper entitled "IEC TC57 Security Standards for the Power System's Information Infrastructure – Beyond Simple Encryption" describes the work of WG 15 and the current status of the standards. The Whitepaper is available at:
http://xanthus-consulting.com/pages/publications.htm
TC 57 website:
http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=dirdet.p&progdb=db1&committee=TC&css_color=purple&number=57
Other international security standards bodies and forums

Internet
Engineering Task Force
The
Internet Engineering Task Force (IETF) is a large open international community
of network designers, operators, vendors, and researchers concerned with the
evolution of the Internet architecture and the smooth operation of the Internet.
It is open to any interested individual.
The
actual technical work of the IETF is done in its working groups, which are
organized by topic into several areas (e.g., routing, transport, security,
etc.). Much of the work is handled via mailing lists. The IETF holds meetings
three times per year.
IETF
website:
http://www.ietf.org/
Key IETF
groups with security responsibilities
The IETF
Security Area
http://www.ietf.org/dyn/wg/charter.html#Security%20Area
The
Security Area consists of the Security Area Directors who are assisted by a
Security Area Directorate. The directorate is composed of the working group
chairs in the Security Area and a group of individuals who act as advisers to
other areas of the IETF at the request of the Security Area Directors.
The
Directors and the Directorate is aided and advised by the Security Area Advisory
Group (SAAG).
The SAAG
acts as an open forum for Security Issues. Anyone can join the SAAG mailing list
and are welcome at the SAAG meetings held at IETF meetings. The list archives
are at
http://jis.mit.edu/pipermail/saag.
Security Area Working Groups include the following:
• Better-Than-Nothing Security WG (btns)
• Domain Keys Identified Mail WG (dkim)
• EAP Method Update WG (emu)
• Public Key Infrastructure (X.509) WG (pkix)
• Transport Layer Security (TLS) WG (tls)
• Integrated Security Model for SNMP WG (isms)
• Provisioning of Symmetric Keys WG (keyprov)
• Kerberos WG (krb-wg)
• Kitten (GSS-API Next Generation) WG (kitten)
• Long-Term Archive and Notary Services WG (ltans)
• Multicast Security WG (msec)
• Secure Multipurpose Internet Mail Extension (S/MIME) WG (smime)
• Securely Available Credentials WG (sacred)
• Security Issues in Network Event Logging (SYSLOG) WG (syslog)
• Simple Authentication and Security Layer WG (sasl)
Relevant security work in other areas includes:
Operations and Management Area (O&M Area Web Page)
• Operational Security Capabilities for IP Network Infrastructure WG (opsec)
Routing Area (http://tools.ietf.org/area/rtg)
• Secure Inter-Domain Routing WG (sidr)

Organization
for the Advancement of Structured Information Standards (OASIS)
OASIS (Organization for the Advancement of
Structured Information Standards) is a not-for-profit, international consortium
that drives the development, convergence, and adoption of e-business standards.
The consortium produces more Web services standards than any other organization
along with standards for security, e-business, and standardization efforts in
the public sector and for application-specific markets. Founded in 1993, OASIS
has more than 4,000 participants, representing over 600 organizations and
individual members in 100 countries.
OASIS is distinguished by its transparent
governance and operating procedures. Members themselves set the OASIS technical
agenda, using a lightweight process expressly designed to promote industry
consensus and unite disparate efforts. Completed work is ratified by open
ballot. Governance is accountable and unrestricted. Officers of both the OASIS
Board of Directors and Technical Advisory Board are chosen by democratic
election to serve two-year terms. Consortium leadership is based on individual
merit and is not tied to financial contribution, corporate standing, or special
appointment.
The Consortium hosts two of the most widely respected information portals on XML
and Web services standards, Cover Pages and XML.org. OASIS Member Sections
include CGM Open, DCML, LegalXML, PKI, and UDDI.
SGML Open
OASIS was founded in 1993 under the name
SGML Open as a consortium of vendors and users devoted to developing guidelines
for interoperability among products that support the Standard Generalized Markup
Language (SGML). OASIS changed its name in 1998 to reflect an expanded scope of
technical work, including the Extensible Markup Language (XML) and other related
standards.
Some OASIS committees:
Web Services and SOA
Web services allow applications to communicate across platforms and programming
languages using standard protocols based on XML. OASIS members are defining many
of the infrastructure standards that enable Web services as well as the
implementation standards that are used in specific communities and across
industries.
e-Commerce
OASIS members develop specifications that
enable enterprises of any size, in any geographical location, to conduct
business over the Internet.
Security
OASIS develops security standards needed in e-business and Web services
applications. Members define foundational as well as application-level
specifications.
Computing Management
In a service-oriented architecture, the providers and consumers of services must
communicate clearly about their availability and location, and the services
themselves must be able to talk to and depend on each other. OASIS members work
on many fronts to standardize the reliable management of distributed resources,
utility computing and grid systems.
Application Focus
Some OASIS Technical Committees focus on developing standards that meet the
needs of a specific market or application area. These teams may concentrate on
the unique requirements of one vertical industry, or on a specific function that
can be applied across many industries.
Document-Centric Applications
From the consortium's roots as SGML Open, OASIS has been devoted to the device-
and media-independent creation and management of documents. Today, OASIS members
work on structured information standards for documents that run the gamut from
online catalogs to data sheets, from technical manuals to office memoranda,
whether output to paper, CD-ROM, wireless devices, the Web, or all of the above.
XML Processing
Covering the spectrum of XML applications, OASIS technical committees continue
to work on the underlying architecture that facilitates XML processing.
Conformance/Interop
To facilitate adoption, OASIS members develop guidelines, best practices, test
suites, and other tools that promote the interoperability and conformance of
structured information standards.
Industry Domains
Not all OASIS Committees develop standards as their primary goal. OASIS Industry
Domains provide forums that unite specific industries or communities of users,
governments, vendors, industry groups, and other standards bodies. OASIS
Industry Domains evaluate existing standards, articulate requirements, identify
gaps, recognize overlaps, publish guidelines, and promote interoperability. They
provide input to OASIS TCs (and other organizations) that develop pertinent
specifications, and they recommend new efforts where needed.
For more information about OASIS and its
committees see:
www.OASIS-Open.org

The
3rd Generation Partnership Project (3GPP)
The 3rd
Generation Partnership Project (3GPP) is a collaboration agreement that was
established in December 1998. The collaboration agreement brings together a
number of telecommunications standards bodies which are known as
“Organizational Partners”.
The current Organizational Partners are ARIB, CCSA, ETSI,
ATIS, TTA, and TTC.
The establishment of 3GPP was formalized in December 1998 by the signing of the
“3rd Generation Partnership Project Agreement”.
The
original scope of 3GPP was to produce globally applicable Technical
Specifications and Technical Reports for a 3rd Generation Mobile System based on
evolved GSM core networks and the radio access technologies that they support
(i.e., Universal Terrestrial Radio Access (UTRA) both Frequency Division Duplex
(FDD) and Time Division Duplex (TDD) modes). The scope was subsequently amended
to include the maintenance and development of the Global System for Mobile
communication (GSM) Technical Specifications and Technical Reports including
evolved radio access technologies (e.g. General Packet Radio Service (GPRS) and
Enhanced Data rates for GSM Evolution (EDGE)).
The discussions that led to the signing of the 3GPP Agreement were recorded in a
series of slides called the “Partnership Project Description”, which describes
the basic principles and ideas on which the project is based. The Partnership
Project Description has not been maintained since its first creation, but the
principles of operation of the project still remain valid.
In order
to obtain a consolidated view of market requirements a second category of
partnership was created within the project called “Market Representation
Partners”.
“Observer” status is also possible within 3GPP for those telecommunication
standards bodies which have the potential to become Organizational Partners but
which, for various reasons, have not yet done so.
A permanent project support group called the “Mobile Competence Centre (MCC)”
has been established to ensure the efficient day-to-day running of 3GPP. The MCC
is based at the ETSI headquarters in Sophia Antipolis, France.
The term
"3GPP specification" covers all GSM (including GPRS
and EDGE) and W-CDMA specifications. The following terms are also
used to describe networks using the 3G specifications: UTRAN, UMTS
(in Europe) and FOMA (in Japan). Revised versions of many of these
specifications are produced up to four times a year following the quarterly TSG
plenary meetings. (TSG GERAN meets five times a year.)
Following each TSG SA plenary meeting, a complete set of specifications is
produced. This set includes not only the new specifications generated at that
meeting, but also the latest versions of each specification that was not changed
at that meeting, i.e. each directory holds a complete set of specifications.
Each set has an associated status list as detailed in the table below.
Each set (and corresponding status list) includes the specs arising from the TSG
GERAN meetings held since the preceding SA meeting. (GERAN meets asynchronously
from the other TSGs.)
Specifications and their status are listed on the 3GPP web site.
Further information on 3GPP may be obtained from “3GPP Contact”.


The Third Generation Partnership Project 2 (3GPP2)
The Third Generation Partnership Project 2 (3GPP2) is a collaborative third
generation (3G) telecommunications specifications-setting project comprising
North American and Asian interests developing global specifications for
ANSI/TIA/EIA-41 Cellular Radiotelecommunication Intersystem Operations network
evolution to 3G and global specifications for the radio transmission
technologies (RTTs) supported by ANSI/TIA/EIA-41.
3GPP2 was born out of the International Telecommunication Union's (ITU)
International Mobile Telecommunications “IMT-2000” initiative, covering high
speed, broadband, and Internet Protocol (IP)-based mobile systems featuring
network-to-network interconnection, feature/service transparency, global roaming
and seamless services independent of location.
IMT-2000 is intended to bring high-quality mobile multimedia telecommunications
to a worldwide mass market by achieving the goals of increasing the speed and
ease of wireless communications, responding to the problems faced by the
increased demand to pass data via telecommunications, and providing "anytime,
anywhere" services.
3GPP2 is
a parallel, sister project to 3GPP.
3GPP2 is a collaborative effort between five officially recognized SDOs. They
are:
- ARIB - Association of Radio Industries and Businesses (Japan)
- CCSA - China Communications Standards Association (China)
- TIA - Telecommunications Industry Association (North America)
- TTA - Telecommunications Technology Association (Korea)
- TTC - Telecommunications Technology Committee (Japan)
These SDOs are known as the Project's Organizational Partners (OPs). 3GPP2
requires that a participating individual member company be affiliated with at
least one of the Organizational Partners.
In addition, the Project has welcomed Market Representation Partners (MRPs) who
offer market advice to 3GPP2 and bring a consensus view of market requirements
(e.g., services, features and functionality) falling within the 3GPP2 scope.
They are:
- The CDMA Development Group (CDG)
- IPv6 Forum
- International 450 Association (IA 450)
The work of producing 3GPP2's specifications resides in the Project's four
Technical Specification Groups (TSGs), comprised of representatives from the
Project's Individual Member companies. The TSGs are:
- TSG-A (Access Network Interfaces)
- TSG-C (cdma2000®)
- TSG-S (Services and Systems Aspects)
- TSG-X (Core Networks)
Each TSG
meets, on average, ten times a year to produce technical specifications and
reports. Since 3GPP2 has no legal status, ownership and copyright of these
output documents is shared between the Organizational Partners. The documents
cover all areas of the Project's charter, including cdma2000® and its
enhancements.
All TSGs report to the Project's Steering Committee, which is tasked with
managing the overall work process and adopting the technical specifications
forwarded by each of the TSGs.
Further information on 3GPP2 is available from the 3GPP2 website.

Regional standards development organizations

Alliance
for Telecommunications Industry Solutions (ATIS)
ATIS is a United States based body that is committed to rapidly developing and
promoting technical and operations standards for the communications and related
information technologies industry worldwide using a pragmatic, flexible and open
approach.
ATIS prioritizes the industry’s most pressing technical and operational issues,
and creates interoperable, implementable, end-to-end solutions: standards when
the industry needs them and where they need them.
Over 1,100
industry professionals from more than 350 communications companies actively
participate in ATIS’ 22 industry committees and incubator solutions programs.
ATIS develops standards and solutions addressing a wide range of industry issues
in a manner that allocates and coordinates industry resources and produces the
greatest return for communications companies.
ATIS creates
solutions that support the rollout of new products and services into the
communications marketplace. Its standardization activities for wireless and
wireline networks include interconnection standards, number portability,
improved data transmission, Internet telephony, toll-free access, telecom fraud,
and order and billing issues, among others. ATIS is accredited by the American
National Standards Institute (ANSI).
Some ATIS
committees and forums:
Network Reliability Steering Committee (NRSC)
The NRSC
performs analyses of network outages and provides recommendations for corrective
actions. NRSC issues quarterly and annual reports to the industry and the FCC,
in liaison with the FCC's Network Reliability Council.
Optical Transport and Synchronization Committee (OPTXS)
OPTXS develops and recommends standards and prepares technical reports related
to telecommunications network technology pertaining to network synchronization
interfaces and hierarchical structures for U.S. telecommunications networks:
some of which are associated with other telecommunications networks. OPTXS
focuses on those functions and characteristics necessary to define and establish
the interconnection of signals comprising network transport. This includes
aspects of both asynchronous and synchronous networks. OPTXS also makes
recommendations on related subject matter under consideration in various North
American and international standards organizations.
Network Performance, Reliability and Quality of Service Committee (PRQC)
(formerly T1A1)
PRQC develops and recommends standards, requirements, and technical reports
related to the performance, reliability, and associated security aspects of
communications networks, as well as the processing of voice, audio, data, image,
and video signals, and their multimedia integration. PRQC also develops and
recommends positions on, and fosters consistency with, standards and related
subjects under consideration in other North American and international standards
bodies.
Packet Technologies and Systems Committee (PTSC)
PTSC
develops and recommends standards and technical reports related to services,
architectures, and signaling, in addition to related subjects under
consideration in other North American and international standards bodies.
Telecom Management and
Operations Committee (TMOC)
The Telecom Management and Operations Committee (TMOC) develops operations,
administration, maintenance and provisioning standards, and other documentation
related to Operations Support System (OSS) and Network Element (NE) functions
and interfaces for communications networks - with an emphasis on standards
development related to U.S.A. communication networks in coordination with the
development of international standards.
Wireless Technologies and Systems Committee (WTSC)
WTSC develops and recommends standards and technical reports related to wireless
and/or mobile services and systems, including service descriptions and wireless
technologies.
For
information on ATIS, plus a complete listing of forums and committees see
ATIS Local Information

The European Telecommunications Standards
Institute (ETSI)
The European
Telecommunications Standards Institute (ETSI) is an independent, non-profit
organization, whose mission is to produce telecommunications standards for today
and for the future.
Based in
Sophia Antipolis (France), ETSI is officially responsible for standardization of
Information and Communication Technologies (ICT) within Europe. These
technologies include telecommunications, broadcasting and related areas such as
intelligent transportation and medical electronics.
ETSI unites
688 members from 55 countries inside and outside Europe, including
manufacturers, network operators, administrations, service providers, research
bodies and users - in fact, all the key players in the ICT arena.
ETSI plays a
major role in developing a wide range of standards and other technical
documentation as Europe's contribution to world-wide ICT standardization. This
activity is supplemented by interoperability testing services and other
specialisms. ETSI's prime objective is to support global harmonization by
providing a forum in which all the key players can contribute actively. ETSI is
officially recognized by the European Commission and the EFTA secretariat.
ETSI's
Members determine the Institute’s work programme, allocate resources and approve
its deliverables. As a result, ETSI's activities are closely aligned with market
needs and there is wide acceptance of its products.
ETSI's
standards are built on consensus.
The ETSI
Technical Organization
In many ways, ETSI is typical of standardization bodies generally - the
technical work (i.e. the creation of technical standards and specifications) is
mostly done in committees. The Technical Committees and Projects form part of
the ETSI Technical Organization. But ETSI differs from many other bodies in
several important ways:
• there is direct participation by all members in the technical work
• the use of Specialist Task Forces (previously called Project Teams), meeting
full-time or at least more frequently than the Technical Committees or
Projects, has done much to accelerate the production process
• specialist studies in the areas of specification and testing methodologies
help to ensure optimum quality and usability of ETSI's deliverables
• there is a strong trend to strategic alliances with other
standardization/specification bodies around the world, which help to bring the
skills and knowledge of the world's leading experts together to work on tasks
for the common benefit of all participants.
The ETSI
committee structure is shown in the following figure:

For more
information on ETSI and its work see:
www.etsi.org

Institute of
Electrical and Electronics Engineers, Inc. (IEEE)
The IEEE, a
non-profit organization, is the world's leading professional association for the
advancement of technology.
Who
the IEEE Serves
Through
its global membership, the IEEE is a leading authority on areas ranging from
aerospace systems, computers and telecommunications to biomedical engineering,
electric power and consumer electronics among others.
Members
rely on the IEEE as a source of technical and professional information,
resources and services.
To foster
an interest in the engineering profession, the IEEE also serves student members
in colleges and universities around the world.
Other
important constituencies include prospective members and organizations that
purchase IEEE products and participate in conferences or other IEEE programs.
Current security-related work includes activities on public key cryptography.

Regional Asia Information Security
Standards Exchange (RAISE Forum)
RAISE refers
to Regional Asia Information Security Exchange, and is a Forum initiated by Mr
Kang Meng Chow, the past Chairman of the Security & Privacy Standards Technical
Committee. This initiative was mooted during Singapore's hosting of the ISO/IEC
JTC1 SC27 Plenary and its Working Group meetings in April 2004. An online forum
has since been set up with participation from various countries like Australia,
Japan, Korea, Malaysia and Singapore.
The aims of this Forum are:
- to provide a platform for sharing of knowledge and learning experiences in
regional economies on security standards development, adoption and deployment;
- for the regional bodies to identify opportunities for regional collaborations
to further the cause of international security standards development and
promulgation more effectively in the Asia region.
This
Forum is currently co-chaired by Mr Koji Nakao of KDDI, Japan and Mr Kang Meng
Chow of Singapore.
The name of the Forum was changed from RAISS to RAISE at the 6th meeting on 22
and 23 August in Singapore, where the S for Standards was changed to an E for
Exchange. In general, members felt that there is a lot of exchange and sharing
during the meetings and that the change would better reflect the activities of
the Forum.
More
information on RAISE is available at:
http://www.itsc.org.sg/raiss.html