Question 3/17

Telecommunication information security management

(Continuation of Q3/17)

Motivation

For telecommunications organizations, information and the supporting processes, telecommunications facilities, networks and transmission media are important telecommunication business assets. In order for telecommunications organizations to appropriately manage these business assets and to continue their business activities correctly, information security management is extremely necessary. For this reason, Recommendation ITU-T X.1051 was developed to provide meaningful guidelines on information security management for telecommunications organizations.
Based on the guideline for information security management, detailed and specific management areas including governance, management framework, risks, incidents and assets have also been developed. New areas in relation to Recommendation ITU-T X.1051 should be investigated further. Meanwhile, the series of Recommendations has to be maintained and updated to reflect the latest information security management issues. The aim is to develop a set of Recommendations on security management for telecommunications based on Recommendation ITU-T X.1051 in ITU-T.
In parallel with developing Recommendations for detailed and specific management areas based on Recommendation ITU-T X.1051, the new areas of telecommunication/ICT, including cloud computing, the transition from IPv4 to IPv6 and personally identifiable information protection, which require emergent and global countermeasures, should be considered. Therefore, studies focusing particularly on the management aspects of the above new areas should be considered.
In the course of the studies, a full collaborative effort between ITU-T and ISO/IEC JTC 1 will be continued to ensure the widest possible compatibility of security solutions. The success of solutions developed as national standards in many countries also needs to be considered.
This Question differs from Questions in Study Group 2 in that Study Group 2 deals with the exchange of network management information between network elements and management systems, and between management systems, in the TMN environment. This Question deals primarily with the protection of business assets, including information and processes, from the viewpoint of information security management.
Recommendations and Supplements under responsibility of this Question as of 23 March 2016: E.409 (in conjunction with SG2), X.1051, X.1052, X.1054, X.1055, X.1056, X.1057, and Supplement X.Suppl.13.
Texts under development: X.gpim, X.sgsm, X.sup-gisb, and X.sup-gpim.

Question

Study items to be considered include, but are not limited to:
a) How should specific security management issues for telecommunications organizations be identified?
b) How should specific security management issues for small and medium-sized telecommunication organizations (SMTOs) be implemented?
c) How should information security management for telecommunications organizations be properly implemented by using the existing standards (ITU-T, ISO/IEC and others)?
d) How should measurement of information security management in telecommunications be identified and managed?
e) How should appropriate information security management be implemented in the cloud computing environment?
f) How should personally identifiable information be appropriately protected?
g) How should information security management be implemented in the IP environment including the transition from IPv4 to IPv6?
h) What enhancements to existing Recommendations under review or new Recommendations under development should be adopted to reduce the impact on climate change (e.g., energy savings, reduction of greenhouse gas emissions, implementation of monitoring systems) either directly or indirectly in telecommunication/ICT or in other industries?

Tasks

Tasks include, but are not limited to:
a) Study and develop a framework of information security management functions described in Recommendation ITU-T X.1051.
b) Study and develop a methodology to implement information security management for telecommunications organizations based on the existing standards (ITU-T, ISO/IEC and others).
c) Study and develop guidance to implement information security management for small and medium-sized telecommunication organizations (SMTOs).
d) Study and develop a guideline to construct information security management for cloud computing.
e) Study and develop a guideline or framework to construct information security management in the IPv6 environment.
f) Study and develop Recommendations on guidelines for personally identifiable information protection.
g) Propose an outline of new Recommendations.
h) Assess the outputs of the above activities in view of usability for telecommunications facilities and services.
i) Produce draft Recommendations.
j) Maintain and enhance Recommendations in the X.105x-series.

Relationships

Recommendations:
• X.800-, X.1000-, X.1100-, X.1200- and X.1300-series.
Questions:
• ITU-T Qs 1/17, 2/17, 4/17, 5/17, 6/17, 7/17, 8/17, 9/17, 10/17, 11/17, and 14/15.
Study Groups:
• ITU-D; ITU-R; ITU-T SGs 2, 9, 11, 13, 15 and 16.
Standardization bodies:
• Cloud Security Alliance (CSA); European Telecommunications Standards Institute (ETSI); ISO/IEC JTC 1/SC 27; ISO/TC 68; ISO/TC 215; National Institute of Standards and Technology (NIST); Telecommunication Technology Committee (TTC); Third Generation Partnership Project (3GPP).