|Work item||Subject / Title||Summary
|X.TRsuss||Technical Report on the successful use of security standards||This Technical Report on the successful use of security standards is intended to help users, especially those from developing countries, to gain a better understanding of the value of using security-related ITU-T Recommendations in a variety of contexts (e.g. business, commerce, government, industry). It covers the use of security standards in a variety of applications and also introduces readers to the relevance and importance of foundational security standards such as architectural standards, methodology, definitions, and other high-level guidance. The overall focus is to encourage successful and productive use of these standards.
|X.1038 (ex X.sdnsec-2)||Security requirements and reference architecture for software-defined networking||Recommendation ITU-T X.1038 supports security protection and provides security requirements and a reference architecture for software-defined networking (SDN). This Recommendation identifies new security threats as well as traditional network security threats to SDN, defines security requirements, provides possible security countermeasures against new security threats, and designs a security reference architecture for SDN.
|X.1039||Technical security measures for implementation of ITU-T X.805 security dimensions||Many organizations in developing countries as well as developed countries may have difficulties in implementing the high-level dimensions described in Recommendation ITU-T X.805. Recommendation ITU-T X.1039 is aimed at providing a set of security measures to implement the high-level dimensions. It also provides technical implementation guidance for security measures that can be used to improve organizations' security response capabilities. A set of security measures described in this Recommendation could assist organizations in managing information security risks and implementing technical dimensions. The audience of this Recommendation includes, but is not limited to, those individuals responsible for implementing an organization's information security dimensions.
|X.salcm||Security reference architecture for lifecycle management of e-commerce business data||Recommendation ITU-T X.salcm analyses the main features of, and typical threats to, the e-commerce service ecosystem, and provides a security reference architecture for lifecycle management of e-commerce business data.
|X.sgmvno||ITU-T X.805 - Supplement on Security guideline for mobile virtual network operator (MVNO)||Security is very important for mobile virtual network operators (MVNOs), and MVNOs have many security characteristics in common. This Supplement provides a security guideline for MVNOs. It also analyses the main features of MVNOs and typical threats to MVNOs. Based on the structure of MVNOs, this Supplement provides a security framework for MVNOs, including security objectives and security requirements.
|X.voLTEsec-1||Security framework for voice-over-long-term-evolution (VoLTE) network operation||VoLTE is a VoIP service over an LTE network, and it is the most promising telecommunication service for global operators in the future. VoLTE is a full IP network architecture based on SIP, which makes VoLTE networks more vulnerable to attack. For example, the key SBC equipment may suffer from denial-of-service attacks, hackers might place fraudulent calls, etc.
Recommendation ITU-T X.voLTEsec-1 will set up a security framework for VoLTE network operation, and provide a guideline to strengthen the secure deployment and operation, and it will cover complementary technical and management aspects, such as:
- Security deployment via isolation of security domains.
- Standardized security configuration baseline for VoLTE network equipment and system.
- Deployment of dedicated security devices for defence in depth.
- Network operation via specific O&M system.
- Security risk response and disposal.
This Recommendation will be helpful for all telecommunication operators to improve the security operation of VoLTE network service.
|X.1058 (ex X.gpim)||Information technology - Security techniques - Code of practice for Personally Identifiable Information protection||The number of organizations processing personally identifiable information (PII) is increasing, as is the amount of PII that these organizations deal with. At the same time, societal expectations for the protection of PII and the security of data relating to individuals are also increasing. A number of countries are augmenting their laws to address the increased number of high profile data breaches.
This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII). In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
|X.sgsm||Code of practice for information security controls based on ITU-T X.1051 for small and medium-sized telecommunication organizations||Recommendation ITU-T X.sgsm:
(a) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in small and medium-sized telecommunication organizations based on Rec. [ITU-T X.1051| ISO/IEC 27011];
(b) provides an implementation baseline of information security management for small and medium-sized telecommunication organizations to ensure the confidentiality, integrity and availability of telecommunication facilities and services.
The objective of this Recommendation is to provide small and medium-sized telecommunication organizations with practical guidance on commonly accepted goals of information security management.
As a result of implementing this Recommendation, small and medium-sized telecommunication organizations, both within and between jurisdictions, will:
(a) be able to assure the confidentiality, integrity and availability of the specific small and medium-sized telecommunication facilities and services;
(b) have adopted secure collaborative processes and controls that reduce risks in the delivery of telecommunication services;
(c) be able to redeploy resources for more productive activities;
(d) have adopted a consistent and holistic approach to information security;
(e) be able to improve personnel awareness and morale, and increase public trust.
|X.sup13-rev||Supplement 13 to ITU-T X-series Recommendations - Users' guide for Recommendation ITU-T X.1051||Supplement 13 to ITU-T X-series Recommendations provides interpretable guidance for users of Recommendation ITU-T X.1051. This Supplement gives additional explanations and further implementation guidance for each clause and control specified in Recommendation ITU-T X.1051 (2016) | International Standard ISO/IEC 27011:2016. This Supplement is intended to assist telecommunication organizations in the implementation of information security controls based on Rec. ITU-T X.1051 | ISO/IEC 27011.
Note: ITU-T SG17 and ISO/IEC JTC 1/SC 27 had jointly worked on major revisions of Rec. ITU-T X.1051 | ISO/IEC 27011 for several years, and completed them in July 2016.
Following the revision of Rec. ITU-T X.1051, Supplement 13 should also be revised.
|X.sup-gpim||ITU-T X.gpim - Supplement on Code of practice for personally identifiable information protection based on ITU-T X.gpim for telecommunications organizations||The number of telecommunications organizations which process personally identifiable information (PII) is on the rise. Accordingly, the expectation for the protection of a customer's privacy and for the security of personally identifiable information of the customers is also increasing.
There is a need for a set of additional controls and implementation guidelines specific to PII protection, in addition to those in ITU-T X.gpim, which are applicable to telecommunications organizations. The aim of this Supplement is to complement ITU-T X.gpim | ISO/IEC 29151.
|X.sup-grm||Supplement to ITU-T X.1055 - Risk management implementation guidance on the assets of telecommunication organizations accessible by global IP-based networks||Because telecommunication organizations' assets are accessible by global IP-based networks, they are exposed directly to hackers and attackers. These assets may also be connected to the traditional (and even old) assets of legacy telecommunication networks, which might have some design-level vulnerabilities that could be hard to fix. Therefore, it would be an economic choice to consider all the assets of a telecommunication organization as a whole and to introduce specific security measures that continuously reduce the overall risks, so as to strengthen the overall security of telecommunication services and networks. It is suggested that the assets accessible by global IP-based networks be given high priority in adopting these proposed measures, which might also be applicable to other assets.
This Supplement to ITU-T X.1055 provides the analysis of threats and challenges for such assets accessible by global IP-based networks and provides best practices and guidance for the implementation of security measures in the risk management processes on the assets accessible by global IP-based networks for telecommunication organizations.
|X.Suppl.27 (ex X.sup-gisb)||Supplement 27 to ITU-T X-series Recommendations - ITU-T X.1054 - Best practice for implementation of Rec. ITU-T X.1054 | ISO/IEC 27014 on governance of information security - Case of Burkina Faso||To create value, information should be governed within the organization so that the objectives of information security are strategically aligned with those of the organization. Governance and management of information security should be conducted in complete synergy. The management should be responsible for the operation of information and reporting (idea of responsibility) to the governing body.
To achieve this, the organization can use standards, recommendations and other frameworks whose implementation will encourage its success.
It is in this spirit that Recommendation ITU-T X.1054 | ISO/IEC 27014 is applied to the governance of information security of the e-Council of Ministers in Burkina Faso.
This approach aims to be a case of best practice in the implementation of Recommendation ITU-T X.1054 | ISO/IEC 27014. Here it is used as part of a unifying project gathering all members of the Government of Burkina Faso (Presidency, Prime Ministry, General Secretariat of Government and the Council of Ministers, all ministries). However, this Recommendation could be applied to any type of organization.
|X.1212 (ex X.cogent)||Design considerations for improved end-user perception of trustworthiness indicators||Diverse kinds of attacks employ content replicated from trustworthy service providers, thereby deceiving end-users into believing that the content is trustworthy.
Recommendation ITU-T X.1212 describes design considerations for improved end-user perception of trustworthiness indicators. The appendices describe representative techniques for measuring end-user perception of such indicators.
|X.1500 Amd.11||Overview of cybersecurity information exchange - Amendment 11 - Revised structured cybersecurity information exchange techniques||Amendment 10 to Recommendation ITU-T X.1500 (2011) provides a list of structured cybersecurity information techniques that have been created to be continually updated as these techniques evolve, expand, are newly identified or are replaced. The list follows the outline provided in the body of the Recommendation. This amendment reflects the situation of recommended techniques as of September 2016, including bibliographical references.
|X.1500 Amd.10||Overview of cybersecurity information exchange - Amendment 10 - Revised structured cybersecurity information exchange techniques||Amendment 10 to Recommendation ITU-T X.1500 (2011) provides a list of structured cybersecurity information techniques that have been created to be continually updated as these techniques evolve, expand, are newly identified or are replaced. The list follows the outline provided in the body of the Recommendation. This amendment reflects the situation of recommended techniques as of September 2016, including bibliographical references.
|X.1550 (ex X.nessa)||Access control models for incident exchange networks||Recommendation ITU-T X.1550 introduces existing approaches for implementing access control policies for incident exchange networks. This Recommendation introduces a variety of well-established access control models, sharing models as well as criteria for evaluating incident exchange network performance. Standards-based solutions are considered to facilitate implementation of different access control models within different cybersecurity information sharing models and under diverse trust environments.
|X.metric||Metrics for evaluating threat and resilience in cyberspace||Recommendation ITU-T X.metric describes possible quantification methods for threats and associated resilience mechanisms, along with applicable normalization methods, as well as discretization and simplification methods. The proposed threat metric is currently comprised of attack intensity, report confidence, level of sophistication, impact and persistence, each of which can be derived from measurable quantities that are elaborated in this Recommendation.
|X.samtn||Security assessment techniques in telecommunication/ICT networks||Recommendation ITU-T X.samtn describes a global security assessment methodology and best practices for developers, manufacturers, operators and end users of the telecommunication domain. Both the traditional circuit-switched networks and the packet-based networks are exposed to different threats and attacks - from external as well as internal sources - that target the various parts of the telecommunications/ICT network. This Recommendation covers the following:
- Detection of vulnerabilities in telecommunications/ICT networks.
- Methodology of security assessment in telecommunications/ICT networks.
|X.sbb||Security capability requirements for countering smartphone-based botnets||Along with the fast development of mobile Internet and the widespread use of smartphones, surveys from companies and organizations worldwide show that the formerly personal computer (PC)-based botnets are being replicated very quickly on smartphones. Different continents and regions, under different national conditions, have different ecosystems that place different levels of constraint on the propagation of smartphone-based botnets, and analytical reports from different security companies and investigation organizations show noticeably different statistical data on the severity of that propagation. Nevertheless, the underlying potential threat remains the same. The potential threat of smartphone-based botnets is increasing very quickly in some regions and it could possibly spread worldwide and turn from a regional issue into a serious global issue.
On the other hand, compared with PCs and servers, smartphones have less processing power, storage space and battery life. However, the adverse influence of smartphone-based botnets might have more repercussions on users for the following reasons: (1) much important personally identifiable information (PII) is stored on smartphones; and (2) if attacks on smartphones or on the operator's infrastructure occur, user experience may degrade significantly due to the prevalence of and user dependence on smartphones.
Recommendation ITU-T X.sbb analyses the background and potential security threats of smartphone-based botnets, and provides security capability requirements.
|X.cspim||Technical requirements for countering instant messaging spam (SPIM)||Instant messaging is gaining great popularity, and the proliferation of spam over instant messaging (SPIM) is becoming a serious problem. The characteristics of instant messaging, such as being Internet protocol (IP)-based, free of charge and widely available, cause SPIM to spread widely and uncontrollably. If these problems are not carefully solved, they will have a very negative impact on the use of the instant messaging service itself.
Recommendation ITU-T X.cspim identifies characteristics of instant messaging spam and then specifies technical requirements for countering instant messaging spam.