Study Group 17: Security, languages and telecommunication software
Question 7/17 - Security Management
(Continuation of Question J/17)
For telecommunications bodies, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. In order for telecommunications bodies to appropriately manage these business assets and to correctly continue the business activity, information security management is extremely necessary. For this reason, Recommendation X.1051 is being developed to cover the requirements of information security management for telecommunications bodies. Taking into account the above requirement on security management, new areas related to Recommendation X.1051 should be further investigated. More specifically, management technologies for risks and incidents need to be considered. The aim is to develop a set of Recommendations on security management for
In the course of the studies, a full collaborative effort between ITU-T and ISO/IEC JTC 1 will be continued to ensure the widest possible compatibility of security solutions. The commercial success of solutions developed as national standards in many countries also needs to be considered.
a. How should security risks in telecommunications systems be identified and managed?
b. How should information assets for telecommunications systems be identified and managed?
c. How should specific management issues for telecommunications carriers be identified?
d. How should an information security management system (ISMS) for telecommunications carriers be properly constructed in line with the existing ISMS standards?
e. How should occurrences of security incidents in telecommunications be handled and managed?
a. Review the similarities and differences between the existing management Recommendations in ITU-T and ISO/IEC management standards with regard to risks and incidents management. (2Q2005);
b. Study and develop a methodology of risk management for telecommunications in line with the concept of information security management. (1Q2005 - 4Q2006);
c. Study and develop a handling and response procedure on security incidents for telecommunications in line with the concept of information security management. (1Q2005 - 4Q2006);
d. Propose an outline of new Recommendations. (4Q2006);
e. Assess the outputs of risk management methodology and incident management procedure in view of usability for telecommunications facilities and services. Produce draft Recommendations. (4Q2006 - 4Q2007);
f. Consent new Recommendations (1Q2008).
It is expected that a decision on the pace of the study will be made in 1Q2005, and at that point the milestones may be revised.
Expected results are:
a. one or more new Recommendations on risks and incidents management consolidating and harmonising the existing/ongoing texts of security management ITU-T Recommendations and ISO/IEC standards;
b. improved consistency of concepts and model for security management defined in ITU-T Recommendations and ISO/IEC standards.
Recommendations: X.200, X.273, X.274 and X.509
Questions: 14/13, 23/15, 2/17, 4/17, 5/17, 6/17, 8/17, 9/17 and 10/17
Study Groups: ITU-T SGs 2, 4, 9, 11, 13, 15, 16 and 19; ITU-R; ITU-D
Standardization bodies: ISO/IEC JTC 1/SC 27; ETSI; TTC
Other bodies: NIST