(Continuation of Q.7/17)
For telecommunications organizations, information and the supporting
processes, telecommunications facilities, networks and transmission media are
important telecommunication business assets. In order for telecommunications
organizations to appropriately manage these business assets and to correctly
continue the business activity, information security management is extremely
necessary. For this reason, Recommendation X.1051 has been developed to cover
meaningful guidelines of information security management for telecommunications
Based on the guideline for information security management, more detailed
management technologies on risks and incidents have also been developed.
Furthermore, new areas in relation with Recommendation X.1051 should be
investigated and more specific management technologies such as asset
identification and security policy need to be considered. The aim is to develop
a set of Recommendations on security management for telecommunications based on
Recommendation X.1051 in ITU-T.
On the other hand, corporate governance requirements place increasing demands
on telecommunications organizations to demonstrate that they have effective
internal control arrangements in place. One significant development is the
inclusion of information security as part of operational risk in the wider
corporate governance definition. To meet this requirement, organizations need to
develop a framework of accountability and control to address the rising number
of security threats and to demonstrate effective corporate control and
compliance with related laws and regulations. Therefore, in parallel with the
approach to study on the above detailed implementation methodologies based on
Recommendation X.1051, an information security governance framework that
encompasses information technology and information security should also be
In the course of the studies, a full collaborative effort between ITU-T and
ISO/IEC JTC 1 will be continued to ensure the widest possible compatibility of
security solutions. The success of solutions developed as national standards in
many countries also need to be considered.
This Question differs from Questions in Study Group 2 in that Study Group 2
deals with the exchange of network management information between network
elements and management systems and between management systems in TMN
environment. This Question deals primarily with the protection of business
assets, including information and processes in view of information security
Recommendations under responsibility of this Question as of 1 December 2008:
E.409 (in conjunction with SG 2), X.1051 and X.1055.
Study items to be considered include, but are not limited to:
- How should information assets in telecommunications systems be identified
- How should information security policy for telecommunications systems be
identified and managed?
- How should specific security management issues for telecommunications
organizations be identified?
- How should information security management system (ISMS) for
telecommunications organizations be properly constructed by using the existing
standards (ISO/IEC and ITU-T)?
- How should measurement of information security management in
telecommunications be identified and managed?
- How should an information security governance framework be identified and
- What enhancements to existing Recommendations under review or new
Recommendations under development should be adopted to reduce impact on climate
changes (e.g., energy savings, reduction of green house gas emissions,
implementation of monitoring systems, etc.) either directly or indirectly in
telecommunication/ICT or in other industries?
Tasks include, but are not limited to:
- Review the existing management Recommendations/Standards in ITU-T and ISO/IEC
as for assets identification and security policy management. (2Q2009).
- Study and develop a framework of information security management functions
described in Recommendation X.1051. (1Q2009 - 2Q2009).
- Study and develop a methodology of assets identification management for
telecommunications based on the concept of Recommendation X.1051. (1Q2009 -
- Study and develop security policy management for telecommunications based on
the concept of Recommendation X.1051. (1Q2009 - 4Q2010).
- Study and develop information security management for small and medium
telecommunications organizations based on the concept of Recommendation X.1051.
(1Q2009 - 4Q2010).
- Study and develop a methodology to construct information security management
system (ISMS) for telecommunications organizations based on the existing
standards (ISO/IEC and ITU-T). (1Q2009 - 4Q2010).
- Study and develop an information security governance which includes the
framework and implementation guidelines for telecommunications. (1Q2009 -
- Propose outline of new Recommendations. (4Q2010).
- Assess the outputs of above activities in view of usability for
telecommunications facilities and services. Produce draft Recommendations.
(4Q2010 - 4Q2011).
- Maintenance and enhancements of Recommendations in the X.105x-series.
(1Q2009 - 4Q2011).
- Consent new Recommendations. (1Q2012).
Recommendations: X.800-, X.1000-, X.1100- and X.1200-series
Questions: ITU-T Qs 1, 2, 4, 5, 6, 7, 8, 9, 10, 11/17, 16/13 and 14/15
Study groups: ITU-T SGs 2, 9, 11, 13, 15 and 16; ITU-R; ITU-D
Standardization bodies: ISO/IEC JTC 1/SC 27; ETSI; TTC; NIST