|Work item||Subject / Title||Summary
|X.salcm||Security reference architecture for lifecycle management of e-commerce business data||Recommendation ITU-T X.salcm analyses the main features of and typical threats to the e-commerce service ecosystem, and provides a security reference architecture for lifecycle management of e-commerce business data.
|X.sgmvno||ITU-T X.805 - Supplement on Security guideline for mobile virtual network operator (MVNO)||Security is very important for mobile virtual network operators (MVNOs). Meanwhile, MVNOs have a lot of security similarities. This Supplement provides a security guideline for MVNOs. This Supplement also analyses the main features of MVNOs and typical threats to MVNOs. Based on the structure of MVNOs, this Supplement provides a security framework for MVNOs, including security objectives and security requirements.
|X.voLTEsec-1||Security framework for voice-over-long-term-evolution (VoLTE) network operation||VoLTE is a VoIP service over the LTE network, and it is the most promising telecommunication service for global operators in the future. VoLTE is a full IP network architecture based on SIP, which makes the VoLTE network more vulnerable to attack. For example, the key SBC equipment may suffer from denial-of-service attacks, hackers might launch fraudulent calls, etc.
Recommendation ITU-T X.voLTEsec-1 will set up a security framework for VoLTE network operation, and provide a guideline to strengthen the secure deployment and operation, and it will cover complementary technical and management aspects, such as:
- Security deployment via isolation of security domains.
- Standardized security configuration baseline for VoLTE network equipment and system.
- Deployment of dedicated security devices for defence in depth.
- Network operation via specific O&M system.
- Security risk response and disposal.
This Recommendation will be helpful for all telecommunication operators to improve the security operation of VoLTE network service.
|X.1058 (ex X.gpim)||Information technology - Security techniques - Code of practice for Personally Identifiable Information protection||The number of organizations processing personally identifiable information (PII) is increasing, as is the amount of PII that these organizations deal with. At the same time, societal expectations for the protection of PII and the security of data relating to individuals are also increasing. A number of countries are augmenting their laws to address the increased number of high profile data breaches.
This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII). In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
|X.sgsm||Code of practice for information security controls based on ITU-T X.1051 for small and medium-sized telecommunication organizations||Recommendation ITU-T X.sgsm:
(a) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in small and medium-sized telecommunication organizations based on Rec. [ITU-T X.1051| ISO/IEC 27011];
(b) provides an implementation baseline of information security management for small and medium-sized telecommunication organizations to ensure the confidentiality, integrity and availability of telecommunication facilities and services.
The objectives of this Recommendation are to provide practical guidance on commonly-accepted goals of information security management specifically suited for small and medium-sized telecommunication organizations.
As a result of implementing this Recommendation, small and medium-sized telecommunication organizations, both within and between jurisdictions, will:
(a) be able to assure the confidentiality, integrity and availability of the specific small and medium-sized telecommunication facilities and services;
(b) have adopted secure collaborative processes and controls ensuring the reduction of risks in the delivery of telecommunication services;
(c) be able to redeploy resources for more productive activities;
(d) have adopted a consistent and holistic approach to information security;
(e) be able to improve personnel awareness and morale, and increase public trust.
|X.sup13-rev||Supplement 13 to ITU-T X-series Recommendations - Users' guide for Recommendation ITU-T X.1051||Supplement 13 to ITU-T X-series Recommendations provides interpretable guidance for users of Recommendation ITU-T X.1051. This Supplement gives additional explanations and further implementation guidance for each clause and control specified in Recommendation ITU-T X.1051 (2016) | International Standard ISO/IEC 27011:2016. This Supplement is intended to assist telecommunication organizations in the implementation of information security controls based on Rec. ITU-T X.1051 | ISO/IEC 27011.
Note: ITU-T SG17 and ISO/IEC JTC 1/SC 27 had jointly worked on major revisions of Rec. ITU-T X.1051 | ISO/IEC 27011 for several years, and completed them in July 2016.
Following the revision of Rec. ITU-T X.1051, Supplement 13 should also be revised.
|X.sup-gpim||ITU-T X.gpim - Supplement on Code of practice for personally identifiable information protection based on ITU-T X.gpim for telecommunications organizations||The number of telecommunications organizations which process personally identifiable information (PII) is on the rise. Accordingly, the expectation for the protection of a customer's privacy and for the security of personally identifiable information of the customers is also increasing.
There is a need for a set of additional controls and implementation guidelines specific to PII protection, beyond those in ITU-T X.gpim, that are applicable to telecommunications organizations. The aim is to complement ITU-T X.gpim | ISO/IEC 29151.
|X.sup-grm||Supplement to ITU-T X.1055 - Risk management implementation guidance on the assets of telecommunication organizations accessible by global IP-based networks||As telecommunication organizations' assets are accessible by global IP-based networks, they are exposed directly to hackers and attackers. These assets may also be connected to the traditional (and even old) assets of legacy telecommunication networks, which might have some design-level vulnerabilities that could be hard to fix. Therefore, it would be an economic choice to consider all the assets of a telecommunication organization as a whole and introduce some specific security measures to reduce the overall risks continuously, so as to strengthen the overall security of telecommunication services and networks. It is suggested that the assets accessible by global IP-based networks have high priority in adopting these proposed measures, which might also be applicable to other assets.
This Supplement to ITU-T X.1055 provides the analysis of threats and challenges for such assets accessible by global IP-based networks and provides best practices and guidance for the implementation of security measures in the risk management processes on the assets accessible by global IP-based networks for telecommunication organizations.
|X.1212 (ex X.cogent)||Design considerations for improved end-user perception of trustworthiness indicators||Diverse kinds of attacks employ replicated content from trustworthy service providers, thereby deceiving end-users into believing its false trustworthiness.
Recommendation ITU-T X.1212 describes design considerations for improved end-user perception of trustworthiness indicators. The appendices describe representative techniques for measuring end-user perception of such indicators.
|X.1500 Amd.11||Overview of cybersecurity information exchange - Amendment 11 - Revised structured cybersecurity information exchange techniques||Amendment 10 to Recommendation ITU-T X.1500 (2011) provides a list of structured cybersecurity information techniques that have been created to be continually updated as these techniques evolve, expand, are newly identified or are replaced. The list follows the outline provided in the body of the Recommendation. This amendment reflects the situation of recommended techniques as of September 2016, including bibliographical references.
|X.1550 (ex X.nessa)||Access control models for incident exchange networks||Recommendation ITU-T X.1550 introduces existing approaches for implementing access control policies for incident exchange networks. This Recommendation introduces a variety of well-established access control models, sharing models as well as criteria for evaluating incident exchange network performance. Standards-based solutions are considered to facilitate implementation of different access control models within different cybersecurity information sharing models and under diverse trust environments.
|X.metric||Metrics for evaluating threat and resilience in cyberspace||Recommendation ITU-T X.metric describes possible quantification methods for threats and associated resilience mechanisms, along with applicable normalization methods, as well as discretization and simplification methods. The proposed threat metric is currently comprised of attack intensity, report confidence, level of sophistication, impact and persistence, each of which can be derived from measurable quantities that are elaborated in this Recommendation.
|X.samtn||Security assessment techniques in telecommunication/ICT networks||Recommendation ITU-T X.samtn describes global security assessment methodology and best practices for developers, manufacturers, operators and end users of the telecommunication domain. Both the traditional circuit-switched networks and the packet-based networks are exposed to different threats and attacks - from external as well as internal sources - that target the various parts of the telecommunications/ICT network. This Recommendation covers the following:
- Detection of vulnerabilities in telecommunications/ICT network
- Methodology of security assessment in telecommunications/ICT network.
|X.sbb||Security capability requirements for countering smartphone-based botnets||Along with the fast development of mobile Internet and the widespread use of smartphones, surveys from worldwide companies/organizations show the trend that the formerly personal computer (PC)-based botnets are being replicated very quickly on smartphones. Currently, different continents/regions under different national conditions have different ecosystems that place different levels of constraints on the propagation of smartphone-based botnets, and analytical reports from different security companies and investigation organizations show noticeably different statistical data on the severity of that propagation; nevertheless, the potential threats behind the curtain remain the same. The potential threat of smartphone-based botnets is increasing very quickly in some regions and it could possibly spread worldwide and turn from a regional issue into a serious global issue.
On the other hand, compared with PCs and servers, smartphones have less processing power, storage space and battery life. However, the adverse influence of smartphone-based botnets might have more repercussions on users for the following reasons: (1) much important personally identifiable information (PII) is stored on smartphones; and (2) if attacks on smartphones or on the operator's infrastructure occur, user experience may degrade significantly due to the prevalence of and user dependence on smartphones.
Recommendation ITU-T X.sbb analyses the background and potential security threats of smartphone-based botnets, and provides security capability requirements.
|X.cspim||Technical requirements for countering instant messaging spam (SPIM)||Instant messaging is gaining great popularity, and the proliferation of spam over instant messaging (SPIM) is becoming a serious problem. The characteristics of instant messaging, such as being Internet protocol (IP)-based, free of charge and of wide coverage, cause SPIM to spread widely and get out of control. If these problems are not carefully solved, they will have a very negative impact on the utilization of the instant messaging service itself.
Recommendation ITU-T X.cspim identifies characteristics of instant messaging spam and then specifies technical requirements for countering instant messaging spam.
|X.ctss||Supplement to ITU-T X.1231 - Technical framework for countering telephone service scam||With the development of telecommunication networks, telephone service scams have recently been causing disturbances to customers' daily lives and have many negative effects. It is necessary to establish a practical framework for countering telephone service scams, which can reasonably integrate all the advantages of countermeasures. This Supplement to ITU-T X.1231 provides an overall framework and some practical technical methods for countering telephone service scams. Each functional entity in this framework implements independent functions. This Supplement to ITU-T X.1231 specifies the functionalities of these entities and the interfaces between them.
|X.gcspi||ITU-T X.1242 - Supplement on Guidelines on countermeasures against short message service (SMS) phishing and smishing attack||Short message service (SMS) phishing is a fraudulent technique carried out through mobile phones: it commits phishing fraud against smartphone users, acquires personal information stored on the smartphones, or enables small amounts of money to be approved and paid while the account holder is not aware of the approval. The purpose of this Supplement to Rec. ITU-T X.1242 is to universalize the guidelines for countermeasures against SMS phishing incidents by defining a security guideline covering security technologies and methods against SMS phishing incidents, and by specifying report contents.
|X.tfcma||Technical framework for countering mobile in-application advertising spam||Mobile in-application advertising spam is unsolicited advertising displayed within a mobile phone application. It can be shown on display units such as a banner at the top or bottom of the screen, a mobile interstitial, an overlay, etc. With the fast development of mobile applications, mobile in-application advertising has been developing rapidly. Filtering unwanted or malicious advertisements is often challenging. Although many countermeasures have been proposed and implemented, they all suffer from theoretical limitations and drawbacks, and we still face a high volume and a high proportion of mobile in-application advertising spam. Therefore, it is necessary to establish a practical framework for countering mobile in-application advertising spam, which can reasonably integrate all the advantages of countermeasures.
Recommendation ITU-T X.tfcma provides a technical framework for countering mobile in-application advertising spam.
|X.1126 (ex X.msec-11)||Guidelines on mitigating the negative effects of infected terminals in mobile networks||Recommendation ITU-T X.1126 provides guidelines to mobile operators to restrain the infected terminals by utilizing technologies in the mobile network to protect both subscribers and mobile operators. This Recommendation describes the characteristics and effects of malicious software caused by unhealthy ecosystems in the mobile environment. Based on network-side technologies, this Recommendation focuses on mitigating the vicious effects caused by infected terminals. This Recommendation defines and organizes the mitigating measures and corresponding technologies.
|X.1362 (ex X.iotsec-1)||Simple encryption procedure for Internet of things (IoT) environments||It is considered that the Internet of things (IoT) is one of the most important areas for future standardization. From the ITU-T perspective, IoT is defined as a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things.
In certain IoT environments, especially for IoT devices, there is a real-time processing requirement where tasks are processed within a certain period of time. To ensure data confidentiality and integrity protection, one of the most basic countermeasures is the application of data encryption/authentication algorithms. The problem with the standard applications of data encryption/authentication algorithms is that this requirement could not be met.
Recommendation ITU-T X.1362 specifies encryption with associated mask data (EAMD) for the Internet of things (IoT) devices. It describes EAMD and how it provides a set of security services for traffic using it.