<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<rfc category="info" ipr="trust200902" docName="draft-ietf-opsec-efforts-15.txt">
<front>
<title abbrev='Security Efforts and Documents'>
Security Best Practices Efforts and Documents
</title>
<author initials="C.M." surname="Lonvick"
fullname="Chris Lonvick">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>12515 Research Blvd.</street>
<city>Austin</city><region>Texas</region>
<code>78759</code>
<country>US</country>
</postal>
<phone>+1 512 378 1182</phone>
<email>clonvick@cisco.com</email>
</address>
</author>
<author initials="D." surname="Spak"
fullname="David Spak">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>12515 Research Blvd.</street>
<city>Austin</city><region>Texas</region>
<code>78759</code>
<country>US</country>
</postal>
<phone>+1 512 378 1720</phone>
<email>dspak@cisco.com</email>
</address>
</author>
<date month="February" year="2011" />
<keyword>Security</keyword>
<keyword>Standards</keyword>
<keyword>SDO</keyword>
<keyword>Standards Developing Organization</keyword>
<abstract>
<t>
This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing Organizations (SDO).
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>
The Internet is being recognized as a critical infrastructure similar in nature to
the power grid and a potable water supply. Just like those infrastructures, means are
needed to provide resiliency and adaptability to the Internet so that it remains
consistently available to the public throughout the world even during times of
duress or attack. For this reason, many SDOs are
developing standards with the hope of retaining an acceptable level of this
availability for its users, or even improving it.
These SDO efforts usually define themselves as "security" efforts. It is the opinion
of the authors that there are many different definitions of the term "security" and
it may be applied in many diverse ways. As such, we offer no assurance that the
term is applied consistently throughout this document.
</t>
<t>
Many of these SDOs have diverse charters and goals and will take entirely different
directions in their efforts to provide standards. However, even with that, there
will be overlaps in their produced works. If there are overlaps then there is a
potential for conflicts and confusion. This may result in:
<list>
<t>
Vendors of networking equipment who are unsure of which standard to follow.
</t>
<t>
Purchasers of networking equipment who are unsure of which standard will
best apply to the needs of their business or organization.
</t>
<t>
Network Administrators and Operators unsure of which standard to follow
to attain the best security for their network.
</t>
</list>
For these reasons, the authors wish to encourage all SDOs who have an interest
in producing or in consuming standards relating to good security practices to
be consistent in their approach and their recommendations. In many cases, the
authors are aware that the SDOs are making good efforts along these lines.
However, the authors do not participate in all SDO efforts and cannot know
everything that is happening.
</t>
<t>
The OpSec Working Group met at the 61st IETF and agreed that this document
could be a useful reference in producing the documents described in the
Working Group Charter. The authors have agreed to keep this document current
and request that those who read it will submit corrections or comments.
</t>
<t>
Comments on this document may be addressed to the OpSec Working Group or
directly to the authors.
<list>
<t>
opsec@ops.ietf.org
</t>
</list>
</t>
<t>
This document will be updated in sections. The most recently updated part of this document
is Section 3.
</t>
</section>
<section anchor="format" title="Format of this Document">
<t>
The body of this document has three sections.
</t>
<t>
The first part of the body of this document, <xref target="glossaries" />,
contains a listing of online glossaries relating to networking
and security. It is very important that the definitions of words relating to
security and security events be consistent. Inconsistencies in the usage
of words across standards are unacceptable, as they would prevent a reader of two
standards from appropriately relating their recommendations. The authors of this
document have not reviewed the definitions of the words in the listed glossaries
so can offer no assurance of their alignment.
</t>
<t>
The second part, <xref target="sdo" />, contains a listing of SDOs
that appear to be working on security standards.
</t>
<t>
The third part, <xref target="docs" />, lists the documents which have been found to offer good practices
or recommendations for securing networks and networking devices.
</t>
</section>
<section anchor="glossaries" title="Online Security Glossaries">
<t>
This section contains references to glossaries of network and computer security terms.
</t>
<section anchor="atis2kglossary" title="ATIS Telecom Glossary 2007">
<t>
http://www.atis.org/tg2k/
</t>
<t>
This Glossary began as a 5800-entry, search-enabled hypertext telecommunications glossary titled Federal Standard 1037C, Glossary of Telecommunication Terms. Federal Standard 1037C was updated and matured into an American National Standard (ANS): T1.523-2001, Telecom Glossary 2000, under the aegis of ASC T1. In turn, T1.523-2001 has been revised and redesignated under the ATIS procedures for ANS development as ATIS-0100523.2007, ATIS Telecom Glossary 2007.
</t>
<t>
Date published: 2007
</t>
</section>
<section anchor="ietfgloss" title="Internet Security Glossary - RFC 4949">
<t>
http://www.ietf.org/rfc/rfc4949.txt
</t>
<t>
This document was originally created as RFC 2828 in May 2000.
It was revised as RFC 4949 and the document defines itself to be,
"an internally consistent, complementary set of abbreviations, definitions,
explanations, and recommendations for use of terminology related to
information system security."
</t>
<t>
Date published: August 2007
</t>
</section>
<section anchor="itugloss" title="Compendium of Approved ITU-T Security Definitions">
<t>
http://www.itu.int/itudoc/itu-t/com17/activity/add002.html
</t>
<t>
Addendum to the Compendium of the Approved ITU-T Security-related Definitions
</t>
<t>
These extensive materials were created from approved ITU-T Recommendations with
a view toward establishing a common understanding and use of security terms within ITU-T.
The original Compendium was compiled by SG 17, Lead Study Group on Communication
Systems Security (LSG-CSS).
http://www.itu.int/itudoc/itu-t/com17/activity/def004.html
</t>
<t>
Date published: 2003
</t>
</section>
<section anchor="MSglossary" title="Microsoft Malware Protection Center">
<t>
http://www.microsoft.com/security/glossary.mspx
</t>
<t>
The Microsoft Malware Protection Center, Threat Research and Response
Glossary was created to explain the
concepts, technologies, and products associated with computer security.
</t>
<t>
Date published: indeterminate
</t>
</section>
<section anchor="sans" title="SANS Glossary of Security Terms">
<t>
http://www.sans.org/resources/glossary.php
</t>
<t>
The SANS Institute (SysAdmin, Audit, Network, Security) was created in 1989
as, "a cooperative research and education organization." This glossary was updated in May
2003. The SANS Institute is also home to many other resources,
including the SANS Intrusion Detection FAQ and the SANS/FBI Top 20 Vulnerabilities
List.
</t>
<t>
Date published: indeterminate
</t>
</section>
<section anchor="wheeler" title="Security Taxonomy and Glossary - Anne & Lynn Wheeler">
<t>
http://www.garlic.com/~lynn/secure.htm
</t>
<t>
Anne and Lynn Wheeler maintain a security taxonomy and glossary with terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37, 800-53, 800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504, RFC2647, RFC2828, TCSEC, TDI, and TNI.
</t>
<t>
Date updated: October 2010
</t>
</section>
<section anchor="NISTIR7298" title="NIST - Glossary of Key Information Security Terms">
<t>
http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf
</t>
<t>
This glossary of basic security
terms has been extracted from NIST Federal Information Processing Standards (FIPS) and the
Special Publication (SP) 800 series. The terms included are not all inclusive of terms found in
these publications, but are a subset of basic terms that are most frequently used. The purpose of
this glossary is to provide a central resource of definitions most commonly used in NIST security
publications.
</t>
<t>
Date published: April 2006
</t>
</section>
</section>
<section anchor="sdo" title="Standards Developing Organizations">
<t>
This section of this document lists the SDOs, or organizations that appear to be
developing security related standards. These SDOs are listed in alphabetical order.
</t>
<t>
Note: The authors would appreciate corrections and additions. This
note will be removed before publication as an RFC.
</t>
<section anchor="3gpp" title="3GPP - Third Generation Partnership Project">
<t>
http://www.3gpp.org/
</t>
<t>
The 3rd Generation Partnership Project (3GPP) is a collaboration agreement
formed in December 1998. The collaboration agreement is comprised of several
telecommunications standards bodies which are known as "Organizational
Partners". The current Organizational Partners involved with 3GPP are ARIB,
CCSA, ETSI, ATIS, TTA, and TTC.
</t>
</section>
<section anchor="3gpp2" title="3GPP2 - Third Generation Partnership Project 2">
<t>
http://www.3gpp2.org/
</t>
<t>
The Third Generation Partnership Project 2 (3GPP2) is:
<list>
<t>
a collaborative third generation (3G) telecommunications specifications-setting project
</t>
<t>
comprising North American and Asian interests developing global specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication Intersystem Operations network evolution to 3G
</t>
<t>
and global specifications for the radio transmission technologies (RTTs) supported by ANSI/TIA/EIA-41.
</t>
</list>
</t>
<t>
3GPP2 was born out of the International Telecommunication Union's (ITU) International Mobile Telecommunications "IMT-2000" initiative, covering high speed, broadband, and Internet Protocol (IP)-based mobile systems featuring network-to-network interconnection, feature/service transparency, global roaming and seamless services independent of location. IMT-2000 is intended to bring high-quality mobile multimedia telecommunications to a worldwide mass market by achieving the goals of increasing the speed and ease of wireless communications, responding to the problems faced by the increased demand to pass data via telecommunications, and providing "anytime, anywhere" services.
</t>
</section>
<section anchor="ansi" title="ANSI - The American National Standards Institute">
<t>
http://www.ansi.org/
</t>
<t>
As the voice of the U.S. standards and conformity assessment system, the American National Standards Institute (ANSI) empowers its members and constituents to strengthen the U.S. marketplace position in the global economy while helping to assure the safety and health of consumers and the protection of the environment.
</t>
<t>
The Institute oversees the creation, promulgation and use of thousands of norms and guidelines that directly impact businesses in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accrediting programs that assess conformance to standards – including globally-recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environmental) management systems.
</t>
<section anchor="x9" title="Accredited Standards Committee X9 (ASC X9)">
<t>
http://www.x9.org/
</t>
<t>
The Accredited Standards Committee X9 (ASC X9) has the mission to develop, establish, maintain, and promote standards for the Financial Services Industry in order to facilitate the delivery of financial services and products. Under this mission ASC X9 fulfills the objectives of: (1) Supporting (maintain, enhance, and promote use of) existing standards; (2) Facilitating development of new, open standards based upon consensus; (3) Providing a common source for all standards affecting the Financial Services Industry; (4) Focusing on current and future standards needs of the Financial Services Industry; (5) Promoting use of Financial Services Industry standards; and (6) Participating and promoting the development of international standards.
</t>
</section>
</section>
<section anchor="atis" title="ATIS - Alliance for Telecommunications Industry Solutions">
<t>
http://www.atis.org/
</t>
<t>
ATIS prioritizes the industry's most pressing, technical and operational issues, and creates interoperable, implementable, end to end solutions -- standards when the industry needs them and where they need them.
</t>
<t>
Over 600 industry professionals from more than 250 communications companies actively participate in ATIS committees and incubator solutions programs.
</t>
<t>
ATIS develops standards and solutions addressing a wide range of industry issues in a manner that allocates and coordinates industry resources and produces the greatest return for communications companies.
</t>
<t>
ATIS creates solutions that support the rollout of new products and services into the information, entertainment and communications marketplace. Its activities provide the basis for the industry's delivery of:
<list>
<t>
Existing and next generation IP-based infrastructures;
</t><t>
Reliable converged multimedia services, including IPTV;
</t><t>
Enhanced Operations Support Systems and Business Support Systems; and
</t><t>
Greater levels of service quality and performance.
</t><t>
ATIS is accredited by the American National Standards Institute (ANSI).
</t>
</list>
</t>
<section anchor="nprq" title="ATIS NPRQ - Network Performance, Reliability, and
Quality of Service Committee, formerly T1A1">
<t>
http://www.atis.org/0010/index.asp
</t>
<t>
PRQC develops and recommends standards, requirements, and technical reports related to the performance, reliability, and associated security aspects of communications networks, as well as the processing of voice, audio, data, image, and video signals, and their multimedia integration. PRQC also develops and recommends positions on, and fosters consistency with, standards and related subjects under consideration in other North American and international standards bodies.
</t><t>
PRQC Focus Areas are:
<list><t>
Performance and Reliability of Networks (e.g. IP, ATM, OTN, and PSTN), and Services (e.g. Frame Relay, Dedicated and Switched Data),
</t><t>
Security-related aspects,
</t><t>
Emergency communications-related aspects,
</t><t>
Coding (e.g. video and speech), at and between carrier-to-carrier and carrier-to-customer interfaces, with due consideration of end-user applications.
</t></list>
</t>
</section>
<section anchor="tmoc" title="ATIS TMOC - Telecom Management and Operations
Committee, formerly T1M1 OAM&P">
<t>
http://www.atis.org/0130/index.asp
</t>
<t>
The Telecom Management and Operations Committee (TMOC) develops operations, administration, maintenance and provisioning standards, and other documentation related to Operations Support System (OSS) and Network Element (NE) functions and interfaces for communications networks - with an emphasis on standards development related to U.S.A. communication networks in coordination with the development of international standards.
</t><t>
The scope of the work in TMOC includes the development of standards and other documentation for communications network operations and management areas, such as: Configuration Management, Performance Management (including in-service transport performance management), Fault Management, Security Management (including management plane security), Accounting Management, Coding/Language Data Representation, Common/Underlying Management Functionality/Technology, and Ancillary Functions (such as network tones and announcements). This work requires close and coordinated working relationships with other domestic and international standards development organizations and industry forums.
</t>
</section>
</section>
<section anchor="cc" title="CC - Common Criteria">
<t>
http://www.commoncriteriaportal.org/
</t>
<t>
Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner. [attribute wikipedia]
</t>
</section>
<section anchor="dmtf" title="DMTF - Distributed Management Task Force, Inc.">
<t>
http://www.dmtf.org/
</t>
<t>
DMTF enables more effective management of millions of IT systems worldwide by bringing the IT industry together to collaborate on the development, validation and promotion of systems management standards. DMTF management standards are critical to enabling management interoperability among multi-vendor systems, tools and solutions within the enterprise. We are committed to protecting companies' IT investments by creating standards that promote multi-vendor interoperability. Our dedication to fostering collaboration within the industry provides a win-win situation for vendors and IT personnel alike.
</t>
</section>
<section anchor="etsi" title="ETSI - The European Telecommunications Standard Institute">
<t>
http://www.etsi.org/
</t>
<t>
The European Telecommunications Standards Institute (ETSI) produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies.
</t><t>
ETSI is officially recognized by the European Union as a European Standards Organization.
</t>
<section anchor="etsisec" title="ETSI SEC">
<t>
http://portal.etsi.org/portal/server.pt/gateway/PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp
</t><t>
Board#38 confirmed the closure of TC SEC.
</t><t>
At the same time it approved the creation of an OCG Ad Hoc group, OCG Security.
</t><t>
TC SEC documents can be found in the SEC archive.
</t><t>
The SEC Working Groups (ESI and LI) were closed and TC ESI and TC LI were created to continue the work.
</t><t>
All documents and information relevant to ESI and LI are available from the TC ESI and TC LI sites.
</t>
</section>
<section anchor="etsiogc" title="ETSI OCG SEC">
<t>
http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp
</t><t>
The group’s primary role is to provide a light-weight horizontal co-ordination structure for security issues that will ensure this work is seriously considered in each ETSI TB and that any duplicate or conflicting work is detected. To achieve this aim the group should mainly conduct its work via email and, where appropriate, co-sited “joint security” technical working meetings.
</t><t>
When scheduled, appropriate time at each “joint SEC” meeting should be allocated during the meetings to allow for:
<list><t>
Individual committee activities as well as common work;
</t><t>
Coordination between the committees; and
</t><t>
Experts to contribute to more than one committee.
</t>
</list></t>
</section>
</section>
<section anchor="ggf" title="GGF - Global Grid Forum">
<t>
http://www.gridforum.org/
</t>
<t>
The Global Grid Forum (GGF) is a community-initiated forum of thousands of
individuals from industry and research leading the global standardization
effort for grid computing. GGF's primary objectives are to promote and
support the development, deployment, and implementation of grid technologies
and applications via the creation and documentation of "best practices" -
technical specifications, user experiences, and implementation guidelines.
</t>
<section anchor="ggfsec" title="Global Grid Forum Security Area">
<t>
http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7
</t><t>
The Security Area is concerned with technical and operational security issues in Grid environments, including authentication, authorization, privacy, confidentiality, auditing, firewalls, trust establishment, policy establishment, and dynamics, scalability and management aspects of all of the above.
</t><t>
The Security Area is comprised of the following Working Groups and Research Groups.
<list>
<t>
Certificate Authority Operations WG (CAOPS-WG)
</t><t>
Firewall Issues RG (FI-RG)
</t><t>
Levels Of Authentication Assurance Research Group (LOA-RG)
</t><t>
OGSA Authorization WG (OGSA-AUTHZ-WG)
</t>
</list></t>
</section>
</section>
<section anchor="ieee" title="IEEE - The Institute of Electrical and Electronics Engineers, Inc.">
<t>
http://www.ieee.org/
</t>
<t>
IEEE is the world’s largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity. IEEE and its members inspire a global community through IEEE's highly cited publications, conferences, technology standards, and professional and educational activities.
</t>
<section anchor="ieeesec" title="IEEE Computer Society's Technical Committee on Security and Privacy">
<t>
http://www.ieee-security.org/
</t>
</section>
</section>
<section anchor="ietforg" title="IETF - The Internet Engineering Task Force">
<t>
http://www.ietf.org/
</t>
<t>
The goal of the IETF is to make the Internet work better.
</t><t>
The mission of the IETF is to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet.
</t>
<section anchor="ietfsec" title="IETF Security Area">
<t>
The Working Groups in the Security Area may be found from this page.
</t>
<t>
http://datatracker.ietf.org/wg/
</t><t>
The wiki page for the IETF Security Area may be found here.
</t>
<t>
http://trac.tools.ietf.org/area/sec/trac/wiki
</t>
</section>
</section>
<section anchor="incits" title="INCITS - InterNational Committee for Information Technology
Standards">
<t>
http://www.incits.org/
</t>
<t>
INCITS is the primary U.S. focus of standardization in the field of Information and Communications Technologies (ICT), encompassing storage, processing, transfer, display, management, organization, and retrieval of information. As such, INCITS also serves as ANSI's Technical Advisory Group for ISO/IEC Joint Technical Committee 1. JTC 1 is responsible for International standardization in the field of Information Technology.
</t><t>
There are three active Groups in the Security / ID Technical Committee.
</t>
<section anchor="incitsb10" title="Identification Cards and Related Devices (B10)">
<t>
http://standards.incits.org/a/public/group/b10
</t>
<t>
Development of national and international standards in the area of identification cards and related devices for use in inter-industry applications and international interchange.
</t>
</section>
<section anchor="incitscs1" title="Cyber Security (CS1)">
<t>
http://standards.incits.org/a/public/group/cs1
</t>
<t>
INCITS/CS1 was established in April 2005 to serve as the US TAG for ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups.
</t><t>
The scope of CS1 explicitly excludes the areas of work on cyber security standardization presently underway in INCITS B10, M1, T3, T10 and T11; as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and X9.
</t>
</section>
<section anchor="incitsm1" title="Biometrics (M1)">
<t>
http://standards.incits.org/a/public/group/m1
</t>
<t>
INCITS/M1, Biometrics Technical Committee was established by the Executive Board of INCITS in November 2001 to ensure a high priority, focused, and comprehensive approach in the United States for the rapid development and approval of formal national and international generic biometric standards. The M1 program of work includes biometric standards for data interchange formats, common file formats, application program interfaces, profiles, and performance testing and reporting. The goal of M1's work is to accelerate the deployment of significantly better, standards-based security solutions for purposes, such as, homeland defense and the prevention of identity theft as well as other government and commercial applications based on biometric personal authentication.
</t>
</section>
</section>
<section anchor="iso" title="ISO - The International Organization for Standardization">
<t>
http://www.iso.org/
</t>
<t>
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
</t><t>
ISO is a network of the national standards institutes of 160 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
</t><t>
ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.
</t><t>
Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society.
</t>
</section>
<section anchor="ituorg" title="ITU - International Telecommunication Union">
<t>
http://www.itu.int/
</t><t>
ITU is the leading United Nations agency for information and communication technology issues, and the global focal point for governments and the private sector in developing networks and services. For 145 years, ITU has coordinated the shared global use of the radio spectrum, promoted international cooperation in assigning satellite orbits, worked to improve telecommunication infrastructure in the developing world, established the worldwide standards that foster seamless interconnection of a vast range of communications systems and addressed the global challenges of our times, such as mitigating climate change and strengthening cybersecurity.
</t><t>
ITU also organizes worldwide and regional exhibitions and forums, such as ITU TELECOM WORLD, bringing together the most influential representatives of government and the telecommunications and ICT industry to exchange ideas, knowledge and technology for the benefit of the global community, and in particular the developing world.
</t><t>
From broadband Internet to latest-generation wireless technologies, from aeronautical and maritime navigation to radio astronomy and satellite-based meteorology, from convergence in fixed-mobile phone, Internet access, data, voice and TV broadcasting to next-generation networks, ITU is committed to connecting the world.
</t>
<t>
The ITU is comprised of three sectors:
</t>
<section anchor="itut" title="ITU Telecommunication Standardization Sector - ITU-T">
<t>
http://www.itu.int/ITU-T/
</t>
<t>
ITU-T Recommendations are defining elements in information and communication technologies (ICTs) infrastructure. Whether we exchange voice, data or video messages, communications cannot take place without standards linking the sender and the receiver. Today’s work extends well beyond the traditional areas of telephony to encompass a far wider range of information and communications technologies.
</t>
</section>
<section anchor="itur" title="ITU Radiocommunication Sector - ITU-R">
<t>
http://www.itu.int/ITU-R/
</t>
<t>
The ITU Radiocommunication Sector (ITU-R) plays a vital role in the global management of the radio-frequency spectrum and satellite orbits - limited natural resources which are increasingly in demand from a large and growing number of services such as fixed, mobile, broadcasting, amateur, space research, emergency telecommunications, meteorology, global positioning systems, environmental monitoring and communication services - that ensure safety of life on land, at sea and in the skies.
</t>
</section>
<section anchor="itud" title="ITU Telecom Development - ITU-D">
<t>
(also referred to as the ITU Telecommunication Development Bureau - BDT)
</t>
<t>
http://www.itu.int/ITU-D/
</t>
<t>
The mission of the Telecommunication Development Sector (ITU-D) aims at achieving the Sector's objectives based on the right to communicate of all inhabitants of the planet through access to infrastructure and information and communication services.
</t><t>
In this regard, the mission is to:
<list>
<t>
Assist countries in the field of information and communication technologies (ICTs), in facilitating the mobilization of technical, human and financial resources needed for their implementation, as well as in promoting access to ICTs.
</t><t>
Promote the extension of the benefits of ICTs to all the world’s inhabitants.
</t><t>
Promote and participate in actions that contribute towards narrowing the digital divide.
</t><t>
Develop and manage programmes that facilitate information flow geared to the needs of developing countries.
</t><t>
The mission encompasses ITU’s dual responsibility as a United Nations specialized agency and an executing agency for implementing projects under the United Nations development system or other funding arrangements.
</t>
</list>
</t>
</section>
</section>
<section anchor="oasis" title="OASIS - Organization for the Advancement of Structured
Information Standards">
<t>
http://www.oasis-open.org/
</t>
<t>
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.
</t><t>
OASIS is distinguished by its transparent governance and operating procedures. Members themselves set the OASIS technical agenda, using a lightweight process expressly designed to promote industry consensus and unite disparate efforts. Completed work is ratified by open ballot. Governance is accountable and unrestricted. Officers of both the OASIS Board of Directors and Technical Advisory Board are chosen by democratic election to serve two-year terms. Consortium leadership is based on individual merit and is not tied to financial contribution, corporate standing, or special appointment.
</t>
<t>
OASIS has several Technical Committees in the Security Category.
</t>
<t>
http://www.oasis-open.org/committees/tc_cat.php?cat=security
</t>
</section>
<section anchor="oif" title="OIF - Optical Internetworking Forum">
<t>
http://www.oiforum.com/
</t>
<t>
"The Optical Internetworking Forum (OIF) promotes the development and deployment of interoperable networking solutions and services through the creation of Implementation Agreements (IAs) for optical networking products, network processing elements, and component technologies. Implementation agreements will be based on requirements developed cooperatively by end-users, service providers, equipment vendors and technology providers, and aligned with worldwide standards, augmented if necessary. This is accomplished through industry member participation working together to develop specifications (IAs) for:
<list><t>
External network element interfaces
</t><t>
Software interfaces internal to network elements
</t><t>
Hardware component interfaces internal to network elements
</t></list></t><t>
The OIF will create Benchmarks, perform worldwide interoperability testing, build market awareness and promote education for technologies, services and solutions. The OIF will provide feedback to worldwide standards organizations to help achieve a set of implementable, interoperable solutions."
</t>
<section anchor="oifoamp" title="OAM&P Working Group">
<t>
http://www.oiforum.com/public/oamp.html
</t>
<t>
In concert with the Carrier, Architecture & Signaling and other OIF working groups, the Operations, Administration, Maintenance, & Provisioning (OAM&P) working group develops architectures, requirements, guidelines, and implementation agreements critical to widespread deployment of interoperable optical networks by carriers. The scope includes but is not limited to a) planning, engineering and provisioning of network resources; b) operations, maintenance or administration use cases and processes; and c) management functionality and interfaces for operations support systems and interoperable network equipment. Within its scope are Fault, Configuration, Accounting, Performance and Security Management (FCAPS) and Security. The OAM&P working group will also account for work by related standards development organizations (SDOs), identify gaps and formulate OIF input to other SDOs as may be appropriate.
</t>
</section>
</section>
<section anchor="nric" title="NRIC - The Network Reliability and Interoperability Council">
<t>
http://www.nric.org/
</t>
<t>
The mission of the NRIC is to partner with the Federal Communications Commission, the communications industry and public safety to facilitate the enhancement of emergency communications networks, homeland security, and best practices across the burgeoning telecommunications industry.
</t>
<t>
It appears that the last NRIC Council concluded in 2005.
</t>
</section>
<section anchor="nstac" title="National Security Telecommunications Advisory Committee (NSTAC)">
<t>
http://www.ncs.gov/nstac/nstac.html
</t>
<t>
President Ronald Reagan created the National Security Telecommunications Advisory
Committee (NSTAC) by Executive Order 12382 in September 1982.
Composed of up to 30 industry chief executives representing
the major communications and network service providers and information technology,
finance, and aerospace companies, the NSTAC provides industry-based advice and
expertise to the President on issues and problems related to implementing national
security and emergency preparedness (NS/EP) communications policy. Since its inception,
the NSTAC has addressed a wide range of policy and technical issues regarding
communications, information systems, information assurance, critical infrastructure
protection, and other NS/EP communications concerns.
</t>
<t>
The mission of the NSTAC:
Meeting our Nation’s critical national security and emergency preparedness (NS/EP) challenges demands attention to many issues. Among these, none could be more important than the availability and reliability of telecommunication services. The President’s National Security Telecommunications Advisory Committee (NSTAC) mission is to provide the U.S. Government the best possible industry advice in these areas.
</t>
</section>
<section anchor="tia" title="TIA - The Telecommunications Industry Association">
<t>
http://www.tiaonline.org/
</t>
<t>
The Telecommunications Industry Association (TIA) is the leading trade association representing the global information and communications technology (ICT) industries through standards development, government affairs, business opportunities, market intelligence, certification and world-wide environmental regulatory compliance. With support from its 600 members, TIA enhances the business environment for companies involved in telecommunications, broadband, mobile wireless, information technology, networks, cable, satellite, unified communications, emergency communications and the greening of technology. TIA is accredited by ANSI.
</t>
<section anchor="cip_hs" title="Critical Infrastructure Protection (CIP) and Homeland Security (HS)">
<t>
http://www.tiaonline.org/standards/technology/ciphs/
</t><t>
This TIA webpage identifies and links to many standards, other technical documents and ongoing activity involving or supporting TIA's role in Public Safety and Homeland Security, Network Security, Critical Infrastructure Protection and Assurance, National Security/Emergency Preparedness, Emergency Communications Services, Emergency Calling and Location Identification Services, and the Needs of First Responders. For the purpose of this webpage, national/international terms relating to public safety and disaster response can be considered synonymous (and interchangeable) with terms relating to public protection and disaster relief.
</t>
</section>
<section anchor="cfm" title="Commercial Encryption Source Code and Related Information">
<t>
http://www.tiaonline.org/standards/technology/ahag/index.cfm
</t><t>
This section seems to link to commercial encryption source code. Access requires agreement to terms and conditions and then registration.
</t>
</section>
</section>
<section anchor="tta" title="TTA - Telecommunications Technology Association">
<t>
http://www.tta.or.kr/
http://www.tta.or.kr/English/index.jsp (English)
</t>
<t>
The purpose of TTA is to contribute to the advancement of technology, the promotion of information and telecommunications services and industry, and the development of the national economy by effectively establishing and providing technical standards that reflect the latest domestic and international technological advances needed for the planning, design and operation of global end-to-end telecommunications and related information services, in close collaboration with companies, organizations and groups concerned with information and telecommunications such as network operators, service providers, equipment manufacturers, academia, R&D institutes, etc.
</t>
</section>
<section anchor="w3c" title="The World Wide Web Consortium">
<t>
http://www.w3.org/Consortium/
</t>
<t>
The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential.
</t>
<t>
http://www.w3.org/Security/Activity
</t>
<t>
The work in the W3C Security Activity currently comprises two Working Groups, the Web Security Context Working Group and the XML Security Working Group.
</t><t>
The Web Security Context Working Group focuses on the challenges that arise when users encounter currently deployed security technology, such as TLS: While this technology achieves its goals on a technical level, attackers' strategies shift towards bypassing the security technology instead of breaking it. When users do not understand the security context in which they operate, then it becomes easy to deceive and defraud them. This Working Group is planning to see its main deliverable, the User Interface Guidelines, through to Recommendation, but will not engage in additional recommendation track work beyond this deliverable. The Working Group is currently operating at reduced Team effort (compared to the initial effort reserved to this Working Group). Initial (and informal) conversations about forming an Interest Group that could serve as a place for community-building and specification review have not led as far as we had hoped at the previous Advisory Committee Meeting, but are still on the Team's agenda.
</t><t>
The XML Security Working Group started up in summer 2008, and has decided to publish an interim set of 1.1 specifications as it works towards producing a more radical change to XML Signature. The XML Signature 1.1 and XML Encryption 1.1 specifications clarify and enhance the previous specifications without introducing breaking changes, although they do introduce new algorithms.
</t>
</section>
<section anchor="tmforum" title="TM Forum">
<t>
http://www.tmforum.org/
</t>
<t>
With more than 700 corporate members in 195 countries, TM Forum is the world’s leading industry association focused on enabling best-in-class IT for service providers in the communications, media and cloud service markets. The Forum provides business-critical industry standards and expertise to enable the creation, delivery and monetization of digital services.
</t><t>
TM Forum brings together the world’s largest communications, technology and media companies, providing an innovative, industry-leading approach to collaborative R&D, along with a wide range of support services including benchmarking, training and certification. The Forum produces the renowned international Management World conference series, as well as thought-leading industry research and publications.
</t>
<section anchor="tmforumsec" title="Security Management">
<t>
http://www.tmforum.org/SecurityManagement/9152/home.html
</t>
<t>
Securing networks, cyber, clouds, and identity against evolving and ever-present threats has emerged as a top priority for TM Forum members. In response, the TM Forum’s Security Management Initiative was formally launched in 2009. While some of its Security Management efforts, such as Identity Management, are well established and have mature Business Agreements and Interfaces, a series of presentations, contributions, and multi-vendor technology demonstrations have jump-started work on the industry hot topics of Network Defense, Cyber Security, and security for single- and multi-regional enterprise application cloud bursting. The aim is to produce rich Security Management frameworks, best practices, and guidebooks.
</t>
</section>
</section>
</section>
<section anchor="docs" title="Security Best Practices Efforts and Documents">
<t>
This section lists the works produced by the SDOs.
</t>
<section anchor="3gppSA3" title="3GPP - TSG SA WG3 (Security)">
<t>
http://www.3gpp.org/TB/SA/SA3/SA3.htm
</t>
<t>
TSG SA WG3 Security is responsible for the security of the 3GPP system,
performing analyses of potential security threats to the system, considering
the new threats introduced by the IP based services and systems and setting
the security requirements for the overall 3GPP system.
</t>
<t>
Specifications: http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm
</t>
<t>
Work Items: http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm
</t>
<t>
3GPP Confidentiality and Integrity algorithms:
http://www.3gpp.org/TB/Other/algorithms.htm
</t>
</section>
<section anchor="3gpp2TSGS" title="3GPP2 - TSG-S Working Group 4 (Security)">
<t>
http://www.3gpp2.org/Public_html/S/index.cfm
</t>
<t>
The Services and Systems Aspects TSG (TSG-S) is responsible for the
development of service capability requirements for systems based on 3GPP2
specifications. Among its responsibilities TSG-S is addressing management,
technical coordination, as well as architectural and requirements development
associated with all end-to-end features, services and system capabilities
including, but not limited to, security and QoS.
</t>
<t>
TSG-S Specifications: http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs
</t>
</section>
<section anchor="t1.276" title="American National Standard T1.276-2003 - Baseline Security Requirements for the Management Plane">
<t>
Abstract: This standard contains a set of baseline security requirements for the
management plane. The President's National Security Telecommunications Advisory
Committee Network Security Information Exchange (NSIE) and Government NSIE jointly
established a Security Requirements Working Group (SRWG) to examine the security
requirements for controlling access to the public switched network, in particular
with respect to the emerging next generation network. In the telecommunications
industry, this access incorporates operation, administration, maintenance, and
provisioning for network elements and various supporting systems and databases.
Members of the SRWG, from a cross-section of telecommunications carriers and
vendors, developed an initial list of security requirements that would allow
vendors, government departments and agencies, and service providers to implement
a secure telecommunications network management infrastructure. This initial list
of security requirements was submitted as a contribution to Committee
T1 - Telecommunications, Working Group T1M1.5 for consideration as a standard.
The requirements outlined in this document will allow vendors, government
departments and agencies, and service providers to implement a secure
telecommunications network management infrastructure.
</t>
<t>
Documents: http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003
</t>
</section>
<section anchor="dmtfSPAM" title="DMTF - Security Protection and Management (SPAM)
Working Group">
<t>
http://www.dmtf.org/about/committees/spamWGCharter.pdf
</t>
<t>
The Working Group will define a CIM Common Model that addresses security
protection and detection technologies, which may include devices and services,
and classifies security information, attacks, and responses.
</t>
</section>
<section anchor="dmtfUser" title="DMTF - User and Security Working Group">
<t>
http://www.dmtf.org/about/committees/userWGCharter.pdf
</t>
<t>
The User and Security Working Group defines objects and access methods
required for principals - where principals include users, groups, software
agents, systems, and organizations.
</t>
</section>
<section anchor="TOPSworkplan" title="ATIS Work-Plan to Achieve Interoperable,
Implementable, End-To-End Standards and Solutions">
<t>
ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
</t>
<t>
The ATIS TOPS Security Focus Group has made
recommendations on work items needed to be performed by other SDOs.
</t>
<section anchor="atisfilter" title="ATIS Work on Packet Filtering">
<t>
A part of the ATIS Work Plan was to define how disruptions may be
prevented by filtering unwanted traffic at the edges of the network.
ATIS is developing this work in a document titled, "Traffic Filtering
for the Prevention of Unwanted Traffic".
</t>
</section>
</section>
<section anchor="atisngn" title="ATIS Work on the NGN">
<t>
http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/Part%20I/ATIS_NGN_Part_1_Issue1.pdf
</t>
<t>
In November 2004, ATIS released Part I of the ATIS NGN-FG efforts entitled,
"ATIS Next Generation Network (NGN) Framework Part I: NGN Definitions, Requirements,
and Architecture, Issue 1.0, November 2004."
</t>
</section>
<section anchor="ccVx" title="Common Criteria">
<t>
http://www.commoncriteriaportal.org/
</t>
<t>
Version 1.0 of the CC was completed in January 1996. Based on a number of trial
evaluations and an extensive public review, Version 1.0 was extensively revised and
CC Version 2.0 was produced in April of 1998. This became ISO International Standard
15408 in 1999. The CC Project subsequently incorporated the minor changes that had
resulted in the ISO process, producing CC version 2.1 in August 1999. Version 3.0
was published in June 2005 and is available for comment.
</t>
<t>
The official version of the Common Criteria and of the Common Evaluation Methodology
is v2.3 which was published in August 2005.
</t>
<t>
All Common Criteria publications contain:
<list>
<t>
Part 1: Introduction and general model
</t><t>
Part 2: Security functional components
</t><t>
Part 3: Security assurance components
</t>
</list>
</t>
<t>
Documents: Common Criteria V2.3 http://www.commoncriteriaportal.org/public/expert/index.php?menu=2
</t>
</section>
<section anchor="etsigsc" title="ETSI">
<t>
http://www.etsi.org/
</t>
<t>
ETSI hosted the ETSI Global Security Conference in late November 2003, which
could lead to a standard.
</t>
<t>
Groups related to security located from the ETSI Groups Portal:
<list>
<t>
OCG Security
</t>
<t>
3GPP SA3
</t>
<t>
TISPAN WG7
</t>
</list>
</t>
</section>
<section anchor="ggfSEC" title="GGF Security Area (SEC)">
<t>
https://forge.gridforum.org/projects/sec/
</t>
<t>
The Security Area (SEC) is concerned with various issues relating to
authentication and authorization in Grid environments.
</t>
<t>Working groups:
<list>
<t>
Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
https://forge.gridforum.org/projects/authz-wg
</t>
<t>
Certificate Authority Operations Working Group (CAOPS-WG) -
https://forge.gridforum.org/projects/caops-wg
</t>
<t>
OGSA Authorization Working Group (OGSA-AUTHZ) -
https://forge.gridforum.org/projects/ogsa-authz
</t>
<t>
Grid Security Infrastructure (GSI-WG) -
https://forge.gridforum.org/projects/gsi-wg
</t>
</list>
</t>
</section>
<section anchor="ieeeia" title="Information System Security Assurance Architecture">
<t>
IEEE Working Group - http://issaa.org/
</t>
<t>
Formerly the Security Certification and Accreditation of Information Systems (SCAISWG),
IEEE Project 1700's purpose is to develop a draft Standard for Information System
Security Assurance Architecture for ballot and during the process begin development of a
suite of associated standards for components of that architecture.
</t>
<t>
Documents: http://issaa.org/documents/index.html
</t>
</section>
<section anchor="jones" title="Operational Security Requirements for IP Network Infrastructure :
Advanced Requirements">
<t>
IETF RFC 3871
</t>
<t>
Abstract: This document defines a list of operational security requirements
for the infrastructure of large ISP IP networks (routers and switches). A
framework is defined for specifying "profiles", which are collections of
requirements applicable to certain network topology contexts (all, core-only,
edge-only...). The goal is to provide network operators a clear, concise way
of communicating their security requirements to vendors.
</t>
<t>
Documents:
<list>
<t>
ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt
</t>
</list>
</t>
</section>
<section anchor="isomgmt" title="ISO Guidelines for the Management of IT Security -
GMITS">
<t>
Guidelines for the Management of IT Security -- Part 1: Concepts and models
for IT Security
</t>
<t>
http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35
</t>
<t>
Guidelines for the Management of IT Security -- Part 2: Managing and planning
IT Security
</t>
<t>
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&ICS3=
</t>
<t>
Guidelines for the Management of IT Security -- Part 3: Techniques for the
management of IT Security
</t>
<t>
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&ICS3=
</t>
<t>
Guidelines for the Management of IT Security -- Part 4: Selection of
safeguards
</t>
<t>
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&ICS3=
</t>
<t>
Guidelines for the Management of IT Security - Part 5: Management guidance on
network security
</t>
<t>
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&ICS3=
</t>
<t>
Open Systems Interconnection -- Network layer security protocol
</t>
<t>
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&ICS3=30
</t>
</section>
<section anchor="isoSC27" title="ISO JTC 1/SC 27">
<t>
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143
</t>
<t>
Several security-related ISO projects under JTC 1/SC 27 are listed there,
such as:
<list>
<t>
IT security techniques -- Entity authentication
</t>
<t>
Security techniques -- Key management
</t>
<t>
Security techniques -- Evaluation criteria for IT security
</t>
<t>
Security techniques -- A framework for IT security assurance
</t>
<t>
IT Security techniques -- Code of practice for information security
management
</t>
<t>
Security techniques -- IT network security
</t>
<t>
Guidelines for the implementation, operation and management of
Intrusion Detection Systems (IDS)
</t>
<t>
International Security, Trust, and Privacy Alliance -- Privacy
Framework
</t>
</list>
</t>
</section>
<section anchor="itutsg2" title="ITU-T Study Group 2">
<t>
http://www.itu.int/ITU-T/studygroups/com02/index.asp
</t>
<t>
Security related recommendations currently under study:
<list>
<t>
E.408 Telecommunication networks security requirements Q.5/2 (was E.sec1)
</t>
<t>
E.409 Incident Organisation and Security Incident Handling Q.5/2 (was E.sec2)
</t>
</list>
</t>
<t>
Note: Access requires TIES account.
</t>
</section>
<section anchor="itutm3016" title="ITU-T Recommendation M.3016">
<t>
http://www.itu.int/itudoc/itu-t/com4/contr/068.html
</t>
<t>
This recommendation provides an overview and framework that identifies the
security requirements of a TMN and outlines how available security services
and mechanisms can be
applied within the context of the TMN functional architecture.
</t>
<t>
Question 18 of Study Group 4 (the study group responsible for telecommunication
management, to which the contribution above belongs) is revising Recommendation M.3016.
They have taken the original document and are incorporating material from ITU-T
Recommendation X.805 and from ANSI T1.276-2003. The group has produced a new series of documents.
<list>
<t>
M.3016.0 - Overview
</t>
<t>
M.3016.1 - Requirements
</t>
<t>
M.3016.2 - Services
</t>
<t>
M.3016.3 - Mechanisms
</t>
<t>
M.3016.4 - Profiles
</t>
</list>
</t>
</section>
<section anchor="itutx805" title="ITU-T Recommendation X.805">
<t>
http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html
</t>
<t>
This Recommendation defines the general security-related architectural
elements that, when appropriately applied, can provide end-to-end network
security.
</t>
</section>
<section anchor="itutsg16" title="ITU-T Study Group 16">
<t>
http://www.itu.int/ITU-T/studygroups/com16/index.asp
</t>
<t>
Multimedia Security in Next-Generation Networks (NGN-MM-SEC)
</t>
<t>
http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html
</t>
</section>
<section anchor="itutsg17" title="ITU-T Study Group 17">
<t>
http://www.itu.int/ITU-T/studygroups/com17/index.asp
</t>
<t>
ITU-T Study Group 17 is the Lead Study Group on Communication System Security
</t>
<t>
http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html
</t>
<t>
Study Group 17 Security Project:
</t>
<t>
http://www.itu.int/ITU-T/studygroups/com17/security/index.html
</t>
<t>
During its November 2002 meeting, Study Group 17 agreed to establish a
new project entitled "Security Project" under the leadership of Q.10/17 to
coordinate the ITU-T standardization effort on security. An analysis of
the status on ITU-T Study Group action on information and communication
network security may be found in TSB Circular 147 of 14 February 2003.
</t>
</section>
<section anchor="itutrec" title="Catalogue of ITU-T Recommendations related to Communications System Security">
<t>
http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html
</t>
<t>
The catalogue of approved security Recommendations includes those designed
for security purposes and those which describe or use functions of security
interest. Although some of the security-related Recommendations include the
phrase "Open Systems Interconnection", much of the information contained in
them is pertinent to the establishment of security functionality in any
communicating system.
</t>
</section>
<section anchor="itutsecman" title="ITU-T Security Manual">
<t>
http://www.itu.int/ITU-T/edh/files/security-manual.pdf
</t>
<t>
TSB is preparing an "ITU-T Security Manual" to provide an overview on security
in telecommunications and information technologies, describe practical issues,
and indicate how the different aspects of security in today's applications are
addressed by ITU-T Recommendations. This manual has a tutorial character: it
collects security related material from ITU-T Recommendations into one place
and explains the respective relationships. The intended audience for this
manual are engineers and product managers, students and academia, as well as
regulators who want to better understand security aspects in practical
applications.
</t>
</section>
<section anchor="itungn" title="ITU-T NGN Effort">
<t>
http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html
</t>
<t>
During its January 2002 meeting, SG13 decided to undertake the preparation of a new
ITU-T Project entitled "NGN 2004 Project". At the November 2002 SG13 meeting, a
preliminary description of the Project was achieved and endorsed by SG13 with the
goal to launch the Project. It is regularly updated since then.
</t>
<t>
The role of the NGN 2004 Project is to organize and to coordinate ITU-T activities
on Next Generation Networks. Its target is to produce a first set of Recommendations
on NGN by the end of this study period, i.e. mid-2004.
</t>
</section>
<section anchor="nricVrec" title="NRIC VI Focus Groups">
<t>
http://www.nric.org/fg/index.html
</t>
<t>
The Network Reliability and Interoperability Council (NRIC) was formed with
the purpose to provide recommendations to the FCC and to the industry to assure
the reliability and interoperability of wireless, wireline, satellite, and cable
public telecommunications networks. These documents provide general information
and guidance on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
prevention of cyberattack and for restoration following a cyberattack.
</t>
<t>
Documents:
<list>
<t>
Homeland Defense - Recommendations Published 14-Mar-03
</t>
<t>
Preventative Best Practices - Recommendations Published 14-Mar-03
</t>
<t>
Recovery Best Practices - Recommendations Published 14-Mar-03
</t>
<t>
Best Practice Appendices - Recommendations Published 14-Mar-03
</t>
</list>
</t>
</section>
<section anchor="oasisSecJC" title="OASIS Security Joint Committee">
<t>
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-jc
</t>
<t>
The purpose of the Security JC is to coordinate the technical activities of
multiple security related TCs. The SJC is advisory only, and has no
deliverables. The Security JC will promote the use of consistent terms,
promote re-use, champion an OASIS security standards model, provide consistent
PR, and promote mutuality, operational independence and ethics.
</t>
</section>
<section anchor="oasisSecTC" title="OASIS Security Services (SAML) TC">
<t>
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
</t>
<t>
The Security Services TC is working to advance the Security Assertion Markup
Language (SAML) as an OASIS standard. SAML is an XML framework for exchanging
authentication and authorization information.
</t>
</section>
<section anchor="oifia" title="OIF Implementation Agreements">
<t>
The OIF has 2 approved Implementation Agreements (IAs) relating to security.
They are:
</t>
<t>
OIF-SMI-01.0 - Security Management Interfaces to Network Elements
</t>
<t>
This Implementation Agreement lists objectives for securing OAM&P
interfaces to a Network Element and then specifies ways of using security
systems (e.g., IPsec or TLS) for securing these interfaces. It summarizes
how well each of the systems, used as specified, satisfies the objectives.
</t>
<t>
OIF-SEP-01.1 - Security Extension for UNI and NNI
</t>
<t>
This Implementation Agreement defines a common Security Extension for
securing the protocols used in UNI 1.0, UNI 2.0, and NNI.
</t>
<t>
Documents: http://www.oiforum.com/public/documents/Security-IA.pdf
</t>
</section>
<section anchor="tiaonline" title="TIA">
<t>
The TIA has produced the "Compendium of Emergency Communications and
Communications Network Security-related Work Activities". This document
identifies standards, or other technical documents and ongoing
Emergency/Public Safety Communications and Communications Network
Security-related work activities within TIA and its Engineering
Committees. Many P25 documents are specifically detailed. This "living
document" is presented for information, coordination and reference.
</t>
<t>
Documents: http://www.tiaonline.org/standards/technology/ciphs/documents/EMTEL_sec.pdf
</t>
</section>
<section anchor="ws-iSecProfile" title="WS-I Basic Security Profile">
<t>
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
</t>
<t>
The WS-I Basic Security Profile 1.0 consists of a set of non-proprietary
Web services specifications, along with clarifications and amendments to those
specifications which promote interoperability.
</t>
</section>
<section anchor="NIST800" title="NIST Special Publications (800 Series)">
<t>
http://csrc.nist.gov/publications/PubsSPs.html
</t>
<t>
Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
</t>
</section>
<section anchor="NISTIR" title="NIST Interagency or Internal Reports (NISTIRs)">
<t>
http://csrc.nist.gov/publications/PubsNISTIRs.html
</t>
<t>
NIST Interagency or Internal Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.
</t>
</section>
<section anchor="NISTITL" title="NIST ITL Security Bulletins">
<t>
http://csrc.nist.gov/publications/PubsITLSB.html
</t>
<t>
ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. These bulletins are published on average six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all ITL Bulletins relate to computer or network security; only the computer security ITL Bulletins are listed at the URL above.
</t>
</section>
<section anchor="SANSreading" title="SANS Information Security Reading Room">
<t>
http://www.sans.org/reading_room/
</t>
<t>
Featuring over 1,885 original computer security white papers in 75 different categories.
</t>
<t>
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated.
</t>
</section>
</section>
<section anchor="sec" title="Security Considerations">
<t>
This document describes efforts to standardize security practices and
documents. As such, this document offers no security guidance whatsoever.
</t>
<t>
Readers of this document should be aware of the date of publication of
this document. It is feared that they may assume that the efforts, on-line
material, and documents are current whereas they may not be. Please
consider this when reading this document.
</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>
This document does not propose a standard and does not require the
IANA to do anything.
</t>
</section>
<section anchor="Acks" title="Acknowledgments">
<t>
The following people have contributed to this document. Listing their names here does
not mean that they endorse the document, but that they have contributed to its
substance.
</t>
<t>
David Black, Mark Ellison, George Jones, Keith McCloghrie, John McDonough, Art Reilly, Chip Sharp,
Dane Skow, Michael Hammer, Bruce Moon, Stephen Kent, Steve Wolff, Bob Natale.
</t>
</section>
<section anchor="diffs" title="Changes from Prior Drafts">
<t>
-00 : Initial draft published as draft-lonvick-sec-efforts-01.txt
</t>
<t>
-01 : Security Glossaries:
<list><t>
<list><t>
Added ATIS Telecom Glossary 2000, Critical Infrastructure Glossary of Terms and
Acronyms, Microsoft Solutions for Security Glossary, and USC InfoSec Glossary.
</t></list>
</t>
<t>
Standards Developing Organizations:
<list><t>
Added DMTF, GGF, INCITS, OASIS, and WS-I
</t>
<t>
Removal of Committee T1 and modifications to ATIS and former T1 technical
subcommittees due to the recent ATIS reorganization.
</t></list></t>
<t>
Efforts and Documents:
<list><t>
Added DMTF User and Security WG, DMTF SPAM WG, GGF Security Area (SEC), INCITS
Technical Committee T4 - Security Techniques, INCITS Technical Committee T11 -
Fibre Channel Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint Committee,
OASIS Security Services TC, and WS-I Basic Security Profile.
</t>
<t>
Updated Operational Security Requirements for IP Network Infrastructure : Advanced
Requirements.
</t></list></t>
</list>
</t>
<t>
-00 : Initial version as the WG ID.
<list><t>
Added more information about the ITU-T SG3 Q18 effort to modify ITU-T Recommendation M.3016.
</t></list>
</t>
<t>
-01 : First revision as the WG ID.
<list><t>
Added information about the NGN in the sections about ATIS, the NSTAC, and ITU-T.
</t></list>
</t>
<t>
-02 : Second revision as the WG ID.
<list><t>
Updated the date.</t>
<t>
Corrected some URLs and the reference to George's RFC.
</t></list>
</t>
<t>
-03 : Third revision of the WG ID.
<list><t>
Updated the date.</t>
<t>
Updated the information about the CC</t>
<t>
Added a Conventions section (not sure how this document got to where it is without that)
</t></list>
</t>
<t>
-04 : Fourth revision of the WG ID.
<list>
<t>
Updated the date.
</t>
<t>
Added Anne &amp; Lynn Wheeler Taxonomy &amp; Security Glossary
</t>
<t>
CIAO glossary removed. CIAO has been absorbed by DHS and the glossary is no longer available.
</t>
<t>
USC glossary removed, could not find it on the site or a reference to it elsewhere.
</t>
<t>
Added TTA - Telecommunications Technology Association to SDO section.
</t>
<t>
Removed ATIS Security &amp; Emergency Preparedness Activities from the Documents section. Could not find it or a reference to it.
</t>
<t>
INCITS T4 incorporated into CS1 - T4 section removed
</t>
<t>
X9 added to the SDO list under ANSI
</t>
<t>
Various link or grammar fixes.
</t>
</list>
</t>
<t>
-05 : Fifth revision of the WG ID.
<list>
<t>
Updated the date.
</t>
<t>
Removed the 2119 definitions; this is an informational document.
</t>
</list>
</t>
<t>
-06 : Sixth revision of the WG ID.
<list>
<t>
Updated the date.
</t>
<t>
Added W3C information.
</t>
</list>
</t>
<t>
-07 : Seventh revision of the WG ID.
<list>
<t>
Updated the date.
</t>
</list>
</t>
<t>
-08 : Eighth revision of the WG ID.
<list>
<t>
Updated the reference to RFC 4949, found by Stephen Kent.
</t>
</list>
</t>
<t>
-09 : Ninth revision of the WG ID.
<list>
<t>
Updated the date.
</t>
</list>
</t>
<t>
-10 : Tenth revision of the WG ID.
<list>
<t>
Added references to NIST documents, recommended by Steve Wolff.
Updated the date.
</t>
</list>
</t>
<t>
-11 : Eleventh revision of the WG ID.
<list>
<t>
Updated the date.
</t>
</list>
</t>
<t>
-12 : Twelfth revision of the WG ID.
<list>
<t>
Updated the date.
</t>
</list>
</t>
<t>
-13 : Nothing new.
<list>
<t>
Updated the date.
</t>
</list>
</t>
<t>
-14 : Fourteenth revision of the WG ID.
<list>
<t>
Updated the date and reviewed the accuracy of Section 3.
</t>
<t>
Updated the section on Compendium of Approved ITU-T Security Definitions
</t>
<t>
Updated the section on the Microsoft glossary.
</t>
<t>
Updated the section on the SANS glossary.
</t>
<t>
Added the NIST Security glossary.
</t>
<t>
Added dates to all glossaries - where I could find them.
</t>
<t>
Added the SANS Reading Room material to Section 5.
</t>
</list>
</t>
<t>
-15 : Fifteenth revision of the WG ID.
<list>
<t>
Updated the date and reviewed the accuracy of Section 4. Several changes made.
</t>
<t>
Removed WS-I as they have merged with OASIS.
</t>
<t>
Added TM Forum.
</t>
</list>
</t>
<t>
Note: This section will be removed before publication as an RFC.
</t>
</section>
</middle>
<back>
</back>
</rfc>