ITU-T work programme

[2025-2028] : [SG 17] : [WP3/17]

Work group: Q3/17 (Presentation Web page is available here)
Title: Telecommunication information security management and security services
Description:

1 Motivation

Telecommunications organizations rely on crucial assets like information, facilities, networks, and transmission media. Managing and securing these assets is vital for the smooth operation of their business activities. To address this, Recommendation ITU-T X.1051 provides information security controls for telecommunications organizations. Building on these information security controls, detailed and specific management areas (e.g., risk management, assets management, governance, and incident management) have also been studied. It also introduces best practices as Supplements and implementation guides. Areas related to Recommendation ITU-T X.1051 should be explored further, and a continuous effort is needed to maintain and update Recommendations based on the latest information security management issues.

In parallel, new areas of telecommunication and ICT security services, such as Cyber Defence Center (CDC), Security Operation Center (SOC), Managed Security Services (MSSs), and various Incident Response Teams (IRTs), such as CIRT, CSIRT and xSIRT, require attention. Additionally, urgent focus should be placed on lifecycle management for security controls, effective risk management, the protection and security of personally identifiable information (PII), and human capability development in information security.

Collaboration between ITU-T and ISO/IEC JTC 1 is ongoing to ensure the compatibility of security solutions. It is essential to consider the success of solutions developed as national standards in various countries.

This Question, distinct from those in Study Group 2, centres on safeguarding business assets, emphasizing information and processes within the realm of information security management. While Study Group 2 deals with network management information exchange, this Question concentrates on the broader aspect of protecting business assets in the context of information security management.

Recommendations and Supplements under responsibility of this Question as of 12 September 2024: E.409 (in conjunction with SG2), X.1051, X.1052, X.1053, X.1054, X.1055, X.1056, X.1057, X.1058, X.1059, X.1060, X.1061 and Supplements 13, 27, 32, 34, and 36 to the X-series Recommendations.

Texts under development as of 12 September 2024: X.1053rev, X.1058rev, X.1060rev, X.cdc-csirt, X.gsm-cdc, X.shcd, and Supplement X.sup-cdc.

2 Question

Study items to be considered include, but are not limited to:
- How should specific security management issues for telecommunications organizations be identified?
- How should the measurement of security management in telecommunications be identified and managed for organizations, including SMEs?
- How should control objectives and controls be mapped and integrated into organizational management and operational aspects in telecommunication organizations?
- How should concepts and principles for the governance of information security be applied, allowing organizations to evaluate, direct, monitor, and communicate information security-related activities?
- How should the adoption of risk treatment options be managed to mitigate the impact of a security incident?
- How should best practices be applied to guide security services within organizations, such as CDC, SOC, MSSs, and various forms of IRTs?
- How should information security management for telecommunications organizations be properly implemented using existing standards (ITU-T, ISO/IEC, and others)?
- How should the management of personally identifiable information be effectively implemented?
- What enhancements to existing Recommendations under review or new Recommendations under development should be adopted to reduce the impact on climate change (e.g. energy savings, reduction of greenhouse gas emissions, implementation of monitoring systems) by telecommunication, ICTs, or other industries, either directly or indirectly?
- How should an organization enhance its personnel capability and skills for security?
- How should the organization identify the relationships between CDC and CSIRTs?

3 Tasks

Tasks include, but are not limited to:
- Develop an information security management framework based on ITU-T X.1051.
- Develop a methodology for implementing information security management in telecommunication organizations based on established standards (ITU-T, ISO/IEC, etc.).
- Establish frameworks/guidelines for security services in organizations, such as CDC, SOC, MSS, and various forms of IRTs.
- Develop guidelines for effective risk management, including considerations for cyber insurance acquisition for risk management.
- Develop guidelines for managing personally identifiable information.
- Develop guidelines for the development of personnel capability and skills for security.
- Develop guidelines for relationships between CDC and CSIRTs.
- Propose outlines of new Recommendations.
- Evaluate the practicality of the above activities for telecommunications facilities and services.
- Draft Recommendations based on the Question's studies.
- Maintain and enhance Recommendations in the X.105x and X.106x series.

An up-to-date status of work under this Question is contained in the SG17 work programme at https://www.itu.int/ITU-T/workprog/wp_search.aspx?sp=18&q=3/17.

4 Relationships

Recommendations:
- X.800-, X.1000-, X.1100-, X.1200- and X.1300-series

Questions:
- All ITU-T SG17 Questions

Study groups:
- All ITU-T SGs
- ITU-R
- ITU-D

Standardization bodies:
- Asia Pacific Telecommunity Standardization Programme (ASTAP)
- European Telecommunications Standards Institute (ETSI)
- ISO/IEC JTC 1/SC 27, ISO/IEC JTC 1/SC 40
- ISO/TC 68, ISO/TC 215, ISO/TC 307
- National Institute of Standards and Technology (NIST)
- Telecommunication Technology Committee (TTC)
- Third Generation Partnership Project (3GPP)
- Forum Incident Response and Security Teams (FIRST)

WSIS Action Lines:
- C5

Sustainable Development Goals:
- 8, 9
Comment: Continuation of Q3/17
Rapporteur: Ms. Miho Naganuma
Associate rapporteur: Mr. Thaib Mustafa