ITU-T work programme

[2025-2028] : [SG 17] : [WP3/17]

[Work programme]
Work group: Q1/17 (Presentation Web page is available here)
Title: Security standardization strategy, incubation and coordination
Description:

1 Motivation

Security threats to telecommunication, and information and communication technologies (ICTs) and infrastructure remain increasingly complex. Efforts over the years to secure the infrastructure have been somewhat fragmented and reactionary, and so far have not produced the desired level of protection against threats in a timely manner. The economic impact of such attacks and threats has been huge, resulting in several financial and organizational losses to governments and entities. Intensive, continuous and focused efforts are essential to combat these threats. This effort is complex and requires the participation of a large number of organizations working on various aspects of security, each within their area of expertise and mandate. This requires coordination, collaboration and cooperation among the various stakeholders, which is a difficult and challenging task.

The subject of security is vast in scope. Security can be applied to almost every aspect of ICTs and networks. There are various approaches to addressing security requirements. These include:
- A bottom-up approach in which experts devise security measures to strengthen and protect a particular domain of the network using specific countermeasures and techniques such as biometrics and cryptography. While fairly common, this is a fragmented approach that often results in uneven determination and application of security measures.
- A top-down approach, which is a high-level and strategic way of addressing security. This approach requires knowledge of the overall picture. It is generally a more difficult approach because it is harder to find experts with comprehensive knowledge of every part of the network and its security requirements than it is to find experts with detailed knowledge of one or two specific areas.
- A combination of bottom-up and top-down approaches, with coordination effort to bring the different pieces together. This has often proved to be extremely challenging when dealing with varying interests and agendas.

This Question produces deliverables that ITU-T considers as fundamental in promoting its work. They also provide valuable resources to the ITU and external organizations. Examples include the ICT Security Standards Roadmap, the Security Manual, the Security Compendia, and the Successful Use of Security Standards.

This Question will develop a vision and propose the organizational architecture of SG17. This Question will continue to focus on the coordination and organization of the entire range of telecommunication/ICT security activities within ITU-T and will continue to develop and maintain documentation to support coordination, incubation and outreach activities. A top-down approach to security will be used in collaboration and coordination with other study groups and standards development organizations (SDOs). This activity is directed at achieving a more focused effort at the projects and strategic level both internal and external to SG17.

This Question supports SG17 activities to ensure that they reflect an efficient process capable of developing high quality, timely, market-driven telecommunication/ICT standards. This Question also addresses the needs of developing countries and Regional Study Groups through the implementation of WTSA Resolution 44 on Bridging the standardization gap.

The security standardization strategy is one of the most important topics across all Questions in SG17. SG17 needs to consider how security standardization architecture and design can improve the development of current and future security work items. Controlled agility can be useful in deciding the best use of resources to study how to secure new emerging telecommunication/ICT-based services and applications. SG17 utilizes an incubation mechanism to enable such controlled agility.
This incubation mechanism enables SG17 to introduce new work items in an efficient manner in the emerging areas and encourages the creation of texts (Recommendations, technical papers and technical reports) as a proven best practice to allow SG17 community time to familiarize itself with these new emerging areas. In the development of the new work items, sometimes, the nature of the emerging security technology reveals it is closer to an existing Question and this work item can be transferred to maximize the coherency, efficiency and quality of SG17 work. Additionally, this incubation mechanism allows the identification of trends in emerging security technologies that are being developed in this Question.

SG17 work on security considers WTSA Resolutions 2, 7, 11, 18, 32, 40, 44, 50, 52, 54, 58, 64, 65, 67, 73, 75, 76, 77, 78, 80, 84, 86, 89, 90, 92, 93, 94, 96, 97 and 98; PP Resolutions 101, 123, 130, 136, 174, 177, 178, 179, 181, 188, 189, 197, 199, 200, 201, 204, 205 and 206; and WTDC Resolutions 30, 34, 43, 45, 47, 63, 67, 69, 79, 80, and 84. SG17 also supports WSIS action line C5 "Building confidence and security in the use of ICTs" and ITU-D priorities of the Kigali Action Plan adopted at the 2022 World Telecommunication Development Conference on "Inclusive and secure telecommunications/ICTs for sustainable development."

Technical Reports under responsibility of this Question as of 12 September 2024: TR.sec-manual, XSTR-SUSS, Security Compendium, Security standards roadmap, SG17 reports of PP, WTSA, WTDC implementation.

Texts under development as of 12 Sept 2024: X.arch-design, X.arch-design, X.cs-ra, X.dtns, X.gcspcc, X.icd-schemas, X.ig-dw, X.pg-cla, X.rm-sup, X.sc-sscti, X.SecaaS, X.secadef, X.sgGenAI, X.so-sap, X.sr-ai, X.sr-da-gai, X.srm-fml, X.ssc-sa; Technical Reports TR.cs-sc, TR.cs-uc, TR.se-ai, TR.smpa, TR.srsec, TR.Sussrev; and other non-normative texts (CRAMM Roadmap, Security Compendium, Security standards roadmap).

2 Question

Study items to be considered include, but are not limited to:
- What are the deliverables for this Question?
- What are the processes, work items, work methods and timeline for the Question to achieve the deliverables?
- What outreach documents (roadmap, security compendia, technical reports, flyers, webpages, etc.) need to be produced and maintained by ITU?
- What security workshops are needed and how can they be organized?
- What is needed to build effective relationships with other SDOs in order to advance the work on security?
- What are the key milestones, success criteria and supporting performance metrics?
- How can Sector Member and Administration interest in security work be stimulated and how can momentum be sustained?
- How could telecommunication/ICT security features become more relevant to the marketplace?
- How can the crucial importance of security and the urgent need to protect global economic interests, which depend on a robust and secure telecommunication/ICT infrastructure, best be promoted to governments and the private sector?
- What are the security activities under development in other ITU Study Groups and other SDOs?
- How to address the needs of developing countries and Regional Study Groups in the implementation of WTSA Resolution 44?
- What is the standardization strategy in support of a comprehensive, coherent telecommunications security solution?
- How should standardization strategy embrace existing Recommendations on security?
- What are the most effective mechanisms for implementing an incubation mechanism?

3 Tasks

Tasks include, but are not limited to:
- Act as primary SG17 contact for telecommunication/ICT security coordination matters.
- Develop and maintain an organizational architecture roadmap - to provide a vision and a detailed plan that determines the level and scope of the security domain for study. The roadmap shall identify all related components (structure, processes) and their inter-relationships, participating organizations and roles. Distinction needs to be made between emerging systems/networks and existing systems/networks.
- Maintain and update the ICT Security Standards Roadmap.
- Maintain and update the ITU-T Security Compendia.
- Assist and provide input to TSB in maintaining the Security Manual published as technical report "Security in telecommunications and information technology".
- Maintain and update the technical report on the successful use of security standards.
- Provide guidance on the implementation of telecommunication/ICT security standards.
- Promote cooperation and collaboration between groups working on telecommunication/ICT security standards development.
- Review Recommendations and liaisons from other study groups and SDOs as appropriate to assess security coordination implications.
- Assist in efforts to ensure effective security coordination where necessary.
- Help direct liaisons from external groups to appropriate study groups in ITU-T.
- Take ITU-T lead in organizing and planning security workshops and seminars as appropriate.
- Ensure effective and efficient participation in security coordination efforts with other organizations.
- Assist in improving the efficiency of SG17 work (e.g., by creating templates, tools, or procedures, performance metrics).
- Encourage national authorities and operators from developing countries in regions to work together and better contribute to ITU-T SG17 activities in line with the SG17 mandate and in implementing SG17 security Recommendations.
- Assist SG17 in Bridging Standardization Gap with the aim of supporting WTSA Res. 44, PP Res. 123, and WTDC Res. 47.
- Achieve effective and efficient participation in security coordination efforts within SG17 to ensure the SG17 work programme reflects the current SG17 security activities and addresses the concerns of the ITU-T membership.
- Development of a comprehensive set of security standardization strategy documents, including architecture documents, for supporting the standardization of security solutions in collaboration with other standards development organizations and ITU-T study groups.
- Implement an incubation mechanism to address the new emerging areas in ITU-T SG17.
- Potentially reallocate NWI to another Question should their development make clearer the match with an existing Question.

An up-to-date status of work under this Question is contained in the SG17 work programme at https://www.itu.int/ITU-T/workprog/wp_search.aspx?sp=18&q=1/17.

4 Relationships

Recommendations:
- X-series and others related to telecommunication/ICT security

Questions:
- All ITU-T SG17 Questions

Study groups:
- ITU-T SG 2
- ITU-T SG 3
- ITU-T SG 5
- ITU-T SG 11
- ITU-T SG 13
- ITU-T SG 15
- ITU-T SG 20
- ITU-T SG 21
- TSAG
- Relevant JCAs and FGs
- ITU-R
- ITU-D

Standardization bodies:
- Alliance for Telecommunications Industry Solutions (ATIS)
- Cloud Security Alliance (CSA)
- European Telecommunications Standards Institute (ETSI)
- Institute of Electrical and Electronics Engineers (IEEE)
- Internet Engineering Task Force (IETF)
- ISO/IEC JTC 1/SCs 6 and SC 27
- ISO TC 292
- ISO TMB
- Organization for the Advancement of Structured Information Standards (OASIS)
- Third Generation Partnership Project (3GPP)
- Asia-Pacific Telecommunity Standardization Program (ASTAP)

Other bodies:
- European Network and Information Security Agency (ENISA)
- National Institute of Standards and Technology (NIST)
- oneM2M
- Regional Asia Information Security Exchange (RAISE) Forum

WSIS Action Lines:
- C5

Sustainable Development Goals:
- 8, 9, 17
Comment: Continuation of Q1/17
Co-rapporteur: Ms. Zoe Sungchae PARK
Co-rapporteur: Mr. Chen ZHANG
Associate rapporteur: Ms. Juhee KI
Associate rapporteur: Ms. Yiwen WANG