<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Connected Information Security Group : Security Standards</title><link>http://blogs.msdn.com/cisg/archive/tags/Security+Standards/default.aspx</link><description>Tags: Security Standards</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>ISO/IEC JTC 1/SC 27 - Working Group - Trip Report</title><link>http://blogs.msdn.com/cisg/archive/2008/10/24/iso-iec-jtc-1-sc-27-working-group-trip-report.aspx</link><pubDate>Fri, 24 Oct 2008 16:31:10 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9014697</guid><dc:creator>cisg</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/cisg/comments/9014697.aspx</comments><wfw:commentRss>http://blogs.msdn.com/cisg/commentrss.aspx?PostID=9014697</wfw:commentRss><description>&lt;p&gt;Hi Andreas Fuchsberger here again.... &lt;/p&gt;  &lt;p&gt;&lt;b&gt;Introduction&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The most recent &lt;a href="http://www.jtc1sc27.din.de/cmd?level=tpl-home&amp;amp;contextid=jtc1sc27&amp;amp;languageid=en"&gt;ISO/IEC JTC1/SC 27&lt;/a&gt; (Subcommittee) Working Group (WG) meetings took place from 6&lt;sup&gt;th&lt;/sup&gt; &amp;#8211; 10&lt;sup&gt;th&lt;/sup&gt; October 2008 in Limassol, Cyprus. As set out by SC27&amp;#8217;s charter, all 5 Working Group meetings took place in parallel, allowing National Body (NB) experts to participate in more than one WG during the week. 
The 5 Working Groups are:&lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 1: Information Security Management Systems (ISMS)&lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 2: Cryptography and Security Mechanisms&lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 3: Security Evaluation Criteria&lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 4: Security Controls and Services&lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 5: Privacy and Identity Management&lt;/p&gt;  &lt;p&gt;As it is physically not possible to attend all meetings simultaneously, this report details results for WGs 2, 4 and 5, obtained either through attendance by the author or through trusted reports available to the author.&lt;/p&gt;  &lt;p&gt;Access to the various stages of the Working Drafts (WDs) used to produce International Standards (IS) is currently restricted to active participants in the standards process. However, it is usually easy to gain access by contacting your &lt;a href="http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&amp;amp;menuid=63159&amp;amp;cmsareaid=63159&amp;amp;languageid=en"&gt;National Body of ISO/IEC JTC 1/SC 27.&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Report from WG 2: Cryptography and Security Mechanisms&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;WG 2 had a busy meeting. A large number of standards and documents were edited during the working group sessions; new versions will be produced by the editors and distributed to National Bodies (NBs) for review before the next meeting (Note: NBs are not required to distribute Working Drafts (WDs), however it is common practice).&lt;/p&gt;  &lt;p&gt;The WG 2 meeting was well attended, with 41 participants in total representing 12 National Bodies; the Japanese NB had the strongest attendance with 17 participants.&lt;/p&gt;  &lt;p&gt;Noteworthy is the update of Standing Document &lt;a href="http://www.jtc1sc27.din.de/sce/SD12"&gt;SD 12 Cryptographic algorithms and key lengths&lt;/a&gt;, to 
be used as guidance on which cryptographic algorithms should be used in production systems and with which recommended key lengths. Also noteworthy is the new Study Period on Secret Sharing Mechanisms, prompted by the presentation to WG 5 on Privacy Enhancing Technologies by the Japanese expert Kazue Sako.&lt;/p&gt;  &lt;p&gt;WG 2 initiated one New Work Item on Lightweight Cryptography and the following new Study Periods:&lt;/p&gt;  &lt;p&gt;&amp;#183; Lightweight cryptographic mechanisms&lt;/p&gt;  &lt;p&gt;&amp;#183; Key establishment mechanisms for multiple entities, and the German NB proposal on Group key management&lt;/p&gt;  &lt;p&gt;&amp;#183; Secret sharing mechanisms&lt;/p&gt;  &lt;p&gt;&amp;#183; Parsing ambiguity attacks &lt;/p&gt;  &lt;p&gt;&lt;b&gt;Report from WG 4: Security Controls and Services&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;WG 4 had a busy meeting. A number of standards and documents were edited during the working group sessions; new versions will be produced by the editors and distributed to National Bodies (NBs) for review before the next meeting (Note: NBs are not required to distribute Working Drafts (WDs), however it is common practice).&lt;/p&gt;  &lt;p&gt;The WG 4 meeting was well attended, with 62 participants in total representing 16 National Bodies; the Japanese NB had the strongest attendance with 11 participants. &lt;/p&gt;  &lt;p&gt;WG 4 is a relatively new WG, and as such this was only its 6&lt;sup&gt;th&lt;/sup&gt; meeting. This is reflected in the relative immaturity of the documents so far, the majority being WDs, with the exception of Network Security Part 1, which was inherited from WG 1 when WG 4 was created.&lt;/p&gt;  &lt;p&gt;Of particular interest is the progress that has been made on Application Security Part 1. 
&lt;/p&gt;  &lt;p&gt;WG 4 initiated 2 new Work Items: &lt;/p&gt;  &lt;p&gt;&amp;#183; Guidelines for Identification, Collection and/or Acquisition and Preservation of Digital Evidence&lt;/p&gt;  &lt;p&gt;&amp;#183; Guidelines for Security of Outsourcing&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Report from WG 5: Privacy and Identity Management&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;WG 5 had a busy meeting. A number of standards and documents were edited during the working group sessions; new versions will be produced by the editors and distributed to National Bodies (NBs) for review before the next meeting (Note: NBs are not required to distribute Working Drafts (WDs), however it is common practice).&lt;/p&gt;  &lt;p&gt;The WG 5 meeting was well attended, with over 40 participants in total. The terms of reference of WG 5 cover both Privacy and Identity Management, and experts were present from both areas. &lt;/p&gt;  &lt;p&gt;WG 5 is a relatively new WG, and as such this was only its 6&lt;sup&gt;th&lt;/sup&gt; meeting. This is reflected in the relative immaturity of the documents so far, the majority being WDs. &lt;/p&gt;  &lt;p&gt;Noteworthy is the progression of 29100 Privacy Framework to CD stage. The Study Period (SP) on Access Control Mechanisms, prompted by the Chinese NB contribution during the 4&lt;sup&gt;th&lt;/sup&gt; WG 5 meeting and for which the author was Rapporteur, was concluded with a recommendation to the SC 27 Plenary to start a new SC 27-wide Study Period on Access Control. 
The author was volunteered as Rapporteur for the new Study Period and also volunteered for the WG 5 drafting committee, which met after the close of the WG meetings throughout the week.&lt;/p&gt;  &lt;p&gt;WG 5 initiated 2 new Work Items: &lt;/p&gt;  &lt;p&gt;&amp;#183; Privacy Capability Maturity Model &lt;/p&gt;  &lt;p&gt;&amp;#183; Requirements for Relative Anonymity with Identity Escrow &lt;/p&gt;  &lt;p&gt;&lt;b&gt;Next Meetings&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The next SC 27 WG meetings were agreed as:&lt;/p&gt;  &lt;p&gt;&amp;#183; 2009-05-04 - 2009-05-08 Beijing, China&lt;/p&gt;  &lt;p&gt;&amp;#183; 2009-11-02 - 2009-11-06 Redmond, WA, USA&lt;/p&gt;  &lt;p&gt;&lt;b&gt;TCG Fast track&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The regular WG meetings were followed by a one-day meeting to agree on fast-tracking the adoption of the &lt;a href="https://www.trustedcomputinggroup.org/home"&gt;Trusted Computing Group&lt;/a&gt; (TCG) standards.&amp;#160; &lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9014697" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/cisg/archive/tags/Security+Standards/default.aspx">Security Standards</category><category domain="http://blogs.msdn.com/cisg/archive/tags/ISO/default.aspx">ISO</category></item><item><title>ISO SC27 Introduction and History</title><link>http://blogs.msdn.com/cisg/archive/2008/10/24/iso-sc27-introduction-and-history.aspx</link><pubDate>Fri, 24 Oct 2008 16:29:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9014696</guid><dc:creator>cisg</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/cisg/comments/9014696.aspx</comments><wfw:commentRss>http://blogs.msdn.com/cisg/commentrss.aspx?PostID=9014696</wfw:commentRss><description>&lt;p&gt;Hi Andreas Fuchsberger here.....&lt;/p&gt;  &lt;p&gt;In order to better understand a report I am about to post next on a recent ISO security meeting, I thought I would include some 
additional information about the language used in SC 27 and how SC 27 standards are created. &lt;/p&gt;  &lt;p&gt;SC 27 is a sub-committee of the Joint Technical Committee (JTC1) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The International Organization for Standardization (&lt;i&gt;Organisation internationale de normalisation&lt;/i&gt;), usually known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Created in 1947 and headquartered in Geneva, Switzerland, it publishes worldwide industrial and commercial standards. The International Electrotechnical Commission (IEC) is a not-for-profit, non-governmental international standards organization that prepares and publishes International Standards for all electrical, electronic and related technologies. Currently there exists only one joint technical committee (JTC1), and JTC1 standards use the prefix ISO/IEC. &lt;/p&gt;  &lt;p&gt;The correct abbreviation used to indicate SC 27 output is ISO/IEC JTC1/SC 27. All output produced in SC 27 is given a project number. A definitive list of current projects is published in SC 27 Standing Document (SD) 7. &lt;/p&gt;  &lt;p&gt;SC 27 started work in the early 1990s, originally split into three working groups: (1) Security Management, (2) Cryptographic Mechanisms and (3) Security Evaluation Criteria. Much of the attention and success was derived from the WG 1 adoption of British Standard BS 7799 Parts 1 and 2 and their transformation and publication as ISO/IEC 17799 and accompanying standards for Information Security Management. The ISO/IEC 17799 series was later renumbered to become the ISO/IEC 27000 Information Security Management series. 
Due to its success WG 1 was split into 3 Working Groups: &lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 1: Information Security Management Systems (ISMS) &lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 4: Security Controls and Services &lt;/p&gt;  &lt;p&gt;&amp;#183; Working Group 5: Privacy and Identity Management &lt;/p&gt;  &lt;p&gt;A definitive list of projects, including all published standards and work in progress, is made available through Standing Document (SD) 7, Catalogue of SC 27 Projects and Standards. &lt;/p&gt;  &lt;p&gt;&lt;b&gt;Progression of Standards&lt;/b&gt; &lt;/p&gt;  &lt;p&gt;Although the editing work of creating a new standard is performed by National Body experts during the Working Group meetings, it is SC 27 that delegates the authority to start a new standard. A National Body may propose a New Work Item (NWI) by providing input to a WG meeting, or a WG may initiate a new Study Period (SP) on a particular topic, usually also prompted by an NB or a subject matter expert. Both the New Work Item Proposal (NWIP) and the SP are circulated by the SC 27 Secretariat for distribution through the National Bodies. The NBs then vote on starting the process for creating a new International Standard. &lt;/p&gt;  &lt;p&gt;Once an editor is found, either a volunteer or through a call for nominations to the NBs, the editor produces a series of Working Drafts (WDs). NBs are not required to distribute WDs, however it is common practice. NBs consult their own experts for contributions to WDs. Editors then collect the international contributions and, during the editing sessions of the WG meetings, either accept, reject or otherwise find a compromise on the comments made by the National Body experts. SC 27 usually relies on finding a consensus by taking the NB comments into account; rarely does it come to a vote on accepting or rejecting a comment. 
Depending on the NB, it may be more appropriate to let the NB withdraw a comment than to reject it outright. After a WD has gone through multiple iterations and it is agreed during an editing session that the document has reached an acceptable level of maturity, the WG can request that SC 27 delegate authority to move the document to Committee Draft (CD) stage. CDs are distributed to the NBs for study and comment. Once the CD has reached a further level of maturity, the WG can request a move to Final CD (FCD) stage. FCDs are distributed by the NBs for comment and are subject to an NB postal vote. For an FCD to pass it needs a three-quarters majority of the SC 27 P-member NBs. Thereafter SC 27 takes over the progression of the standard to Draft International Standard (DIS) and then to publication by JTC1 as an International Standard (IS). &lt;/p&gt;  &lt;p&gt;The whole process now takes on average 2 &amp;#8211; 2.5 years. This is a significant improvement since the mid 1990s, when the process could take up to 7 years. That delay, together with the fact that most ISO/IEC standards are chargeable (in contrast to the Internet standards, the RFCs, and many other industry standards), used to be one of the major criticisms of the ISO standards process.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9014696" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/cisg/archive/tags/Security+Standards/default.aspx">Security Standards</category><category domain="http://blogs.msdn.com/cisg/archive/tags/ISO/default.aspx">ISO</category></item></channel></rss>