1. Objectives of the Roadmap
This ICT Security Standards Roadmap is intended to support the security standardization work of the ITU by identifying existing published security standards, standards that are in development, and areas where a need for standards has been identified but where work has not yet been initiated. Although the focus is primarily on standards in the ITU-T space (i.e. security standards relating to telecommunication networks), the standards and work of other formal and informal regional and international standards development organizations (SDOs) are included in this Roadmap. The Roadmap also identifies existing collaborative projects and helps to identify possible opportunities for future collaboration. It is hoped that the Roadmap will contribute to the coordination of security standardization activities by providing an up-to-date summary of work that has been completed and work that is in progress across SDOs, as well as identifying the major organizations participating in this work. By knowing what has been done already, and what work is in progress, it will be possible to avoid duplication of effort and also to identify gaps that need attention.
2. Structure and content
The Roadmap, which is considered a “work in progress”, is currently structured with the intention that the primary publication medium will be the web. Although periodic paper publication is not precluded, it is important that the currency of the information be maintained and that the updating process be easy and timely. Publishing the Roadmap as a web document facilitates frequent updates and will make the document readily available to the widest possible audience at the lowest cost. The information provided is expected to expand as the work of other SDOs is added. Currently, security standards of ATIS, ETSI, IEEE, IETF, ISO/IEC, ITU, OASIS, 3GPP and 3GPP2 are included. Further expansion to other organizations is anticipated as data is made available.
This part of the Roadmap provides summaries of the standards work in progress by identifying the respective organizations and their overall work programs. (The actual standards are listed in Part 2 of the Roadmap using a fairly simple classification scheme.) In addition, this part of the Roadmap includes a section devoted to the very important topic of security definitions. In general, information in the body of the Roadmap is in the form of brief summaries and headings; more detailed information may be obtained by following the links.
3. IT Security Definitions
Terminology forms a very important part of any standard. It is essential that the terms used be clear and unambiguous. However, the development of definitions can often generate much discussion and divert attention from the more important task of developing a technical specification. In addition, in IT security, where diverse groups of experts are developing standards relatively independently, there is a great risk that multiple definitions will be developed for the same term or that similar definitions will be attached to different terms. A number of security glossaries have already been developed by SDOs; references are provided below. ITU-T SG17 urges experts engaged in standards development to use existing definitions from these glossaries wherever possible. New terms should be defined only where an acceptable definition does not already exist. Further, if it is necessary to define a new term, it should not duplicate, or conflict with, a term that has already been defined in an existing standard. Existing security vocabulary includes:
- Compendium of ITU-T approved security definitions extracted from ITU-T Recommendations
This document is a compendium of security-related definitions extracted from approved ITU-T Recommendations with a view toward establishing a common understanding (and use) of security terms within ITU-T. This listing will continue to be developed.
- ISO/IEC JTC 1/SC 27 Terminology
This Standing Document (SD 6) of SC 27 contains terms and definitions that appear in SC 27 International Standards, Technical Reports and Drafts.
- Internet Security Glossary
This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.
- ETSI Glossary of security terminology ETR 232
Go to the above link and select “ETR” in the “Type” box and “232” in the “Number” box. (NOTE: ETR 232 was published in 1995.)
- ISO/IEC JTC 1/SC 37 Harmonized Biometric Vocabulary
This Standing Document (SD 2) of SC 37 contains an extensive list of biometric-related definitions.
4. Key international and regional ICT security standards development organizations
Each international Standards Development Organization listed has a particular role in the development of ICT security standards.
The standards of the following organizations are currently included in the Roadmap:
4.1 Formal International Standards Development Organizations
The International Telecommunication Union – Telecommunication Standardization Sector (ITU-T) acts as a forum where governments and the private sector develop standards for global telecommunications networks and services. It is one of the Sectors of the International Telecommunication Union (ITU), an international specialized agency within the United Nations system. A guide on the ITU-T and how it operates is available at: https://www.itu.int/en/about/Pages/default.aspx.
Key Study Groups with security responsibilities:
- ITU-T Study Group 17: Security
SG17 is responsible for building confidence and security in the use of Information and Communication Technologies (ICTs). This includes studies relating to cybersecurity, security management, countering spam and identity management. It also includes security architecture and frameworks, protection of personally identifiable information, and security of applications and services for the Internet of Things, smart grid, smartphones, IPTV, web services, social networks, cloud computing, mobile financial systems, and telebiometrics. SG17 is also responsible for the application of open system communications, including directory and object identifiers, for technical languages, the method for their usage and other issues related to the software aspects of telecommunication systems, and for conformance testing to improve the quality of Recommendations. SG17 has been designated the Lead Study Group in the ITU-T for security and identity management issues. The ITU-T security standardization effort is coordinated via its Question 1/17. Core activities of Q1/17 are centered on coordination, assignment and prioritization of efforts that will lead to ICT security Recommendations. All SG17 Questions have a specific security mandate or are security-related; see the full list here.
- ITU-T Study Group 2: Operational aspects of telecommunications and ICTs
Lead Study Group for service definition, numbering and routing, telecommunication for disaster relief/early warning, network resilience and recovery, and telecommunication management. Security-related Questions include: Q1/2 (Application of numbering, naming, addressing and identification plans for fixed and mobile telecommunications services), Q3/2 (Service and operational aspects of telecommunications, including service definition) and Q6/2 (Architecture, security, and evaluation of networks for operations, management and maintenance).
- ITU-T Study Group 5: Environment and climate change
Lead Study Group on electromagnetic compatibility and electromagnetic effects, as well as on ICTs and climate change. SG5 is responsible for studies on: the environmental aspects of electromagnetic phenomena and climate change; protection of telecommunication networks and equipment from interference and lightning; electromagnetic compatibility (EMC), safety and the health effects of electromagnetic fields produced by telecommunication installations and devices, including cellular phones; the existing copper outside plant and related indoor installations; methodologies for assessing the environmental impact of ICT; guidelines for using ICTs in an eco-friendly way; e-waste issues; energy efficiency of power-feeding systems; and how ICTs can help countries and the ICT sector adapt to environmental challenges, including climate change. It is also identifying the need for more consistent and standardised eco-friendly practices in the ICT sector (e.g. labelling, procurement practices, eco-rating schemes for mobile phones).
- ITU-T Study Group 11: Signalling requirements, protocols, test specifications and combating counterfeit
Lead Study Group on signalling and protocols, machine-to-machine (M2M) signalling and protocols, test specifications, and conformance and interoperability testing. SG11 is responsible for studies relating to signalling requirements and protocols, including those for IP-based network technologies, NGN, M2M, IoT, future networks (FNs), cloud computing, mobility, some multimedia-related signalling aspects, ad hoc networks (sensor networks, RFID, etc.), QoS, and internetwork signalling for legacy ATM, N-ISDN and PSTN networks. It also studies reference signalling architectures and test specifications for NGN and emerging network technologies (e.g. IoT).
- ITU-T Study Group 12: Performance, QoS and QoE
Lead Study Group on quality of service and quality of experience, performance and quality assessment of speech and multimedia communication systems, including vehicle communication systems, and video quality assessment of communications, applications and system components. Security-related Questions include: Q13/12 (QoE, QoS and performance requirements and assessment methods for multimedia applications) and Q17/12 (Performance of packet-based networks and other networking technologies).
- ITU-T Study Group 13: Future networks
Lead Study Group on future networks such as IMT systems, including IMT-2030 networks (non-radio related parts), fixed, mobile and satellite convergence, computing, including cloud computing and data handling, and artificial intelligence, including machine learning for future networks. Security-related Questions include: Q16/13 (Future networks: Trustworthy and quantum enhanced networking and services) and Q19/13 (End-to-end management, governance, and security for computing including cloud computing and data handling).
- ITU-T Study Group 15: Networks, technologies and infrastructures for transport, access and home
Lead Study Group on access network transport, optical technology and optical transport networks, and on smart grid. ITU-T Study Group 15 is responsible for the development of standards on optical transport network, access network, home network and power utility network infrastructures, systems, equipment, optical fibres and cables, and their related installation, maintenance, management, test, instrumentation and measurement techniques, and control plane technologies to enable the evolution toward intelligent transport networks, including the support of smart-grid applications. This encompasses the development of related standards for the customer premises, access, metropolitan and long-haul sections of communication networks, as well as for power utility networks and infrastructures from transmission to load.
- ITU-T Study Group 21: Technologies for multimedia, content delivery and cable television
Responsible for studies relating to multimedia technologies, capabilities, systems, applications and services for existing and future networks, including Internet Protocol (IP)-based and cable-based networks.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. National Bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, in liaison with ISO and IEC, also take part in the work. For more information, visit: https://jtc1info.org/.
In the field of information technology, ISO and IEC have established a Joint Technical Committee 1: ISO/IEC JTC 1. This committee has responsibility for standardization in the area of information technology. Within JTC 1 are a number of subcommittees, of which Subcommittee 27 (SC 27) is the lead subcommittee (SC) on IT security. Key ISO/IEC JTC 1 subcommittees with security responsibilities are:
- ISO/IEC JTC 1/SC 6: Telecommunications and information exchange between systems
Works on standardization in the field of telecommunications dealing with the exchange of information between open systems, including system functions, procedures and parameters and equipment, as well as the conditions for their use. This standardization includes both the lower layers that support the physical, data link, network and transport services, including private integrated services networking, and the upper layers that support the application protocols and services. A vital aspect of this work is done in effective cooperation with the ITU-T and other world-wide and regional standardization bodies. Its Working Groups are: WG1 (Physical and data link layers), WG7 (Network, transport and future network) and WG10 (Directory, ASN.1 and registration).
- ISO/IEC JTC 1/SC 27: Information security, cybersecurity and privacy protection
Develops standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as: security requirements capture methodology; management of information and ICT security, in particular information security management systems (ISMS), security processes, security controls and services; cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information; security management support documentation, including terminology, guidelines and procedures for the registration of security components; security aspects of identity management, biometrics and privacy; conformance assessment, accreditation and auditing requirements in the area of information security; and security evaluation criteria and methodology. SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of standards and technical reports in relevant areas. Its Working Groups are: WG1 (Information security management systems), WG2 (Cryptography and security mechanisms), WG3 (Security evaluation, testing and specification), WG4 (Security controls and services) and WG5 (Identity management and privacy technologies).
- ISO/IEC JTC 1/SC 37: Biometrics
Works on standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting; and cross-jurisdictional and societal aspects. Excluded is the work of ISO/IEC JTC 1/SC 17 to apply biometric technologies to cards and personal identification. Also excluded is the work in ISO/IEC JTC 1/SC 27 on biometric data protection techniques, biometric security testing, evaluations and evaluation methodologies. Its Working Groups are: WG1 (Harmonized biometric vocabulary), WG2 (Biometric technical interfaces), WG3 (Biometric data interchange formats), WG4 (Technical implementation of biometric systems), WG5 (Biometric testing and reporting) and WG6 (Cross-jurisdictional and societal aspects of biometrics).
The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (e.g., routing, transport, security, etc.). Much of the work is handled via mailing lists. The IETF holds meetings three times per year.
The IETF Security Area is the home for working groups focused on security protocols. The Security Area intersects with all other IETF Areas, and its participants are frequently involved with activities in the working groups of other Areas. This involvement focuses on the practical application of Security Area protocols and technologies to the protocols of other Areas. A full list of all groups in the Security Area is available at: https://datatracker.ietf.org/group/sec/about/.
The Security Area consists of the Security Area Directors, who are assisted by a Security Area Directorate. The Directorate is composed of the working group chairs in the Security Area and a group of individuals who act as advisers to other Areas of the IETF at the request of the Security Area Directors. The Directors and the Directorate are aided and advised by the Security Area Advisory Group (SAAG), which acts as an open forum for security issues. Anyone can join the SAAG mailing list and is welcome at the SAAG meetings held at IETF meetings. The SAAG discussion archive is available at: https://mailarchive.ietf.org/arch/browse/saag/.
Significant working groups in other Areas are Locator/ID Separation Protocol (lisp) and Routing Over Low power and Lossy networks (roll).
The Organization for the Advancement of Structured Information Standards (OASIS) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. The consortium produces more Web services standards than any other organization, along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 4,000 participants, representing over 600 organizations and individual members in 100 countries.
OASIS is distinguished by its transparent governance and operating procedures. Members themselves set the OASIS technical agenda, using a lightweight process expressly designed to promote industry consensus and unite disparate efforts. Completed work is ratified by open ballot. Governance is accountable and unrestricted. Officers of both the OASIS Board of Directors and Technical Advisory Board are chosen by democratic election to serve two-year terms. Consortium leadership is based on individual merit and is not tied to financial contribution, corporate standing, or special appointment.
The consortium hosts two of the most widely respected information portals on XML and web services standards: Cover Pages and XML.org.
OASIS member sections include Blue, CGM Open, COSL, eGov, Emergency, IDtrust, LegalXML, Open CSA and Telecom.
OASIS security committees include:
- CACAO: Collaborative Automated Course of Action Operations for Cyber Security
- CSAF: Common Security Advisory Framework
- CTI: Cyber Threat Intelligence
- DSS-X: Digital Signature Services eXtended
- ESAT: Electronic Secure Authentication
- KMIP: Key Management Interoperability Protocol
- OHDF: OASIS Heimdall Data Format
- OpenC2: Open Command and Control
- OSIM: Open Supply Chain Information Modeling
- PKCS 11
- SAM: Security Algorithms and Methods
- SATIS: Space Automated Threat Intelligence Sharing
- SARIF: Static Analysis Results Interchange Format
- TAC: Threat Actor Context
- XACML: eXtensible Access Control Markup Language
The 3rd Generation Partnership Project (3GPP) is a collaboration agreement that was established in December 1998. Its establishment was formalized by the signing of the "third generation partnership project agreement". The collaboration agreement brings together a number of telecommunications standards bodies which are known as “Organizational Partners”. The current Organizational Partners are ARIB, CCSA, ETSI, ATIS, TTA and TTC.
The original scope of 3GPP was to produce globally applicable Technical Specifications and Technical Reports for a 3rd Generation Mobile System based on evolved GSM core networks and the radio access technologies that they support (i.e., Universal Terrestrial Radio Access (UTRA) both Frequency Division Duplex (FDD) and Time Division Duplex (TDD) modes). The scope was subsequently amended to include the maintenance and development of the Global System for Mobile communication (GSM) Technical Specifications and Technical Reports including evolved radio access technologies (e.g. General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE)).
The discussions that led to the signing of the 3GPP agreement were recorded in a series of slides called the "partnership project description", which describes the basic principles and ideas on which the project is based. The Partnership Project Description has not been maintained since its first creation, but the principles of operation of the project still remain valid. In order to obtain a consolidated view of market requirements, a second category of partnership was created within the project, called “Market Representation Partners”. “Observer” status is also possible within 3GPP for those telecommunication standards bodies which have the potential to become Organizational Partners but which, for various reasons, have not yet done so. A permanent project support group called the "Mobile Competence Centre (MCC)" has been established to ensure the efficient day-to-day running of 3GPP. The MCC is based at the ETSI headquarters in Sophia Antipolis, France.
The term "3GPP specification" covers all GSM (including GPRS and EDGE) and W-CDMA specifications. The following terms are also used to describe networks using the 3G specifications: UTRAN, UMTS (in Europe) and FOMA (in Japan). Revised versions of many of these specifications are produced up to four times a year following the quarterly TSG plenary meetings. (TSG GERAN meets five times a year.)
Following each TSG SA plenary meeting, a complete set of specifications is produced. This set includes not only the new specifications generated at that meeting, but also the latest versions of each specification that was not changed at that meeting (i.e. each directory holds a complete set of specifications). Each set has an associated status list as detailed in the table below. Each set (and corresponding status list) includes the specifications arising from the TSG GERAN meetings held since the preceding SA meeting. (GERAN meets asynchronously from the other TSGs.)
Specifications and their status are listed on the 3GPP website: https://www.3gpp.org/.
ATIS is a United States based body that is committed to rapidly developing and promoting technical and operations standards for the communications and related information technologies industry worldwide using a pragmatic, flexible and open approach. ATIS prioritizes the industry's most pressing technical and operational issues and creates interoperable, implementable, end-to-end solutions: standards when the industry needs them and where they need them. Over 1,100 industry professionals from more than 350 communications companies actively participate in ATIS' industry committees and incubator solutions programs. ATIS develops standards and solutions addressing a wide range of industry issues in a manner that allocates and coordinates industry resources and produces the greatest return for communication companies. ATIS creates solutions that support the rollout of new products and services into the communications marketplace. Its standardization activities for wireless and wireline networks include interconnection standards, number portability, improved data transmission, Internet telephony, toll-free access, telecom fraud, and order and billing issues, among others. ATIS is accredited by the American National Standards Institute (ANSI).
Some ATIS committees and forums include:
- NRSC: Network Reliability Steering Committee
The NRSC performs analyses of network outages and provides recommendations for corrective actions. NRSC issues quarterly and annual reports to the industry and the FCC, in liaison with the FCC's Network Reliability Council.
- PTSC: Packet Technologies and Systems Committee
The PTSC develops standards related to services, architectures, signaling, network interfaces, next generation carrier interconnect, cybersecurity, lawful intercept, and government emergency telecommunications service within next generation networks. As networks transition to all-IP, PTSC will evaluate the impact of this transition and develop solutions and recommendations where necessary to facilitate and reflect this evolution.
- TMOC: Telecom Management and Operations Committee
The TMOC develops operations, administration, maintenance and provisioning standards, and other documentation related to Operations Support System (OSS) and Network Element (NE) functions and interfaces for communications networks, with an emphasis on standards development related to U.S.A. communication networks in coordination with the development of international standards.
- WTSC: Wireless Technologies and Systems Committee
The WTSC develops and recommends standards and technical reports related to wireless and/or mobile services and systems, including service descriptions and wireless technologies.
For more information on ATIS and a complete list of its committees and initiatives, see: https://atis.org/.
The European Telecommunications Standards Institute (ETSI) is an independent non-profit organization whose mission is to produce telecommunications standards for today and for the future. Based in Sophia Antipolis (France), ETSI is officially responsible for standardization of information and communication technologies (ICTs) within Europe. These technologies include telecommunications, broadcasting and related areas such as intelligent transportation and medical electronics. ETSI has over 700 members from over 60 countries worldwide, composed of manufacturers, network operators, administrations, service providers, research bodies and users: in fact, all key players in the ICT arena. ETSI's members determine the work programme, allocate resources and approve its deliverables. As a result, ETSI's activities are closely aligned with market needs and there is wide acceptance of its products.
ETSI plays a major role in developing a wide range of standards and other technical documentation as Europe's contribution to worldwide ICT standardization. This activity is supplemented by interoperability testing services and other specialisms. ETSI's prime objective is to support global harmonization by providing a forum in which all the key players can contribute actively. ETSI is officially recognized by the European Commission and the EFTA secretariat.
The technical work is mostly done under Technical Committees (TCs) and Industry Specification Groups (ISGs) which form part of ETSI's technical organization. However, ETSI differs from many other bodies in several important ways:
- there is direct participation by all members in the technical work;
- the use of specialist task forces (previously called Project Teams), meeting full-time or at least more frequently than the Technical Committees or Projects, has done much to accelerate the production process;
- specialist studies in the areas of specification and testing methodologies help to ensure optimum quality and usability of ETSI's deliverables;
- there is a strong trend towards strategic alliances with other standardization and specification bodies around the world, which helps to bring the skills and knowledge of the world's leading experts together to work on tasks for the common benefit of all participants.
The ETSI committee structure is shown in the following figure:
More information on ETSI and its work is available at: www.etsi.org.
IEEE is the world's largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity. IEEE and its members inspire a global community through IEEE's highly cited publications, conferences, technology standards and professional and educational activities. Through its global membership, the IEEE is a leading authority on areas ranging from aerospace systems, computers and telecommunications to biomedical engineering, electric power and consumer electronics, among others. To foster an interest in the engineering profession, the IEEE also serves student members in colleges and universities around the world. Other important constituencies include prospective members and organizations that purchase IEEE products and participate in conferences or other IEEE programs.
The IEEE Standards Association (IEEE-SA) working groups aim to set priorities and develop appropriate standards. IEEE-SA working groups are open to everyone, and participants need not be IEEE-SA members. More information about the IEEE and its activities is available at: www.ieee.org.
RAISE refers to the Regional Asia Information Security Exchange and is a forum initiated by Mr Kang Meng Chow, the past chair of the security and privacy standards technical committee. This initiative was suggested during Singapore's hosting of the ISO/IEC JTC 1/SC 27 plenary and its Working Group meetings in April 2004. An online forum has since been set up with the participation of various countries such as Australia, Japan, Korea (Rep. of), Malaysia and Singapore. More information is available here. The aims of this forum are:
- to provide a platform for sharing knowledge and learning experiences in regional economies on security standards development, adoption and deployment;
- for the regional bodies to identify opportunities for regional collaboration to further the cause of international security standards development and promulgation more effectively in the Asia region.