in070801
INCITS TC CS1, Cyber Security
Annual Report for the period July 1, 2006 to July 1, 2007
Informal Description of Work:
INCITS/CS1 was established in April 2005 to serve as the US TAG for ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups. The scope of the work of CS1 coincides with that of SC 27, namely the following:
Standardization of generic methods, techniques and guidelines for information, IT and communication security. This includes the following areas:
• requirements capture methodology;
• security techniques and mechanisms, including procedures for the registration of security components;
• management of information, IT and communication security;
• management support documentation, including terminology, conformance assessments and security evaluation criteria standards.
CS1 engages in active liaison and collaboration with appropriate bodies to ensure proper development and application of CS1 (and SC27) standards and technical reports in relevant areas.
CS1 benefits greatly from the considerable efforts of staff at the INCITS Secretariat, primarily Debbie Spittle and Lynn Barra, on our behalf.
CS1 presently has 29 members, while its Sub Group, CS1.1, has 13 members. CS1 membership includes commercial organizations, government organizations, consultants, and consortia. The interest in CS1 stems from increasing use of e-business techniques, increasing conversion to e-government, increasing organizational globalization, and increasing federal government emphasis on security. As a result of SC 27's establishment of WG 5, Identity Management and Privacy Technologies, there is now a new focus on identity management and privacy technologies. CS1 needs new expertise in these areas, and hopes to see possible new members interested in these high visibility areas.
CS1 maintains formal and informal liaisons with US TAGs to other JTC 1 SCs, including M1 and T11, the financial services standards organizations (ASC X9 and ISO TC68), IEEE P1700 and P1619. CS1 has also expanded its liaisons to include ISSEA in the area of Security Metrics in WG1 and liaisons with Open Group in the areas of Identity Management and Security. CS1 has started the process to establish additional liaisons to PTSC-SEC and PTSC-SAC. These are sub-committees of the ATIS committee on Packet Technologies and Systems Committee (PTSC), which develops and recommends standards and technical reports related to packet services and packet service architectures.
CS1 currently meets 4 times per year. CS1 strives to make sure that the 4 meetings per year are geographically dispersed around the
CS1 uses electronic document distribution through a document register maintained by the INCITS Secretariat at http://cs1.incits.org/, parts of which are password protected. There is also a separate part of the same web site devoted to SC 27 documents, named the Members Only area. It is password protected.
Getting documents in a timely fashion from SC 27 continues to be a problem area. Only ANSI has permission to get documents from the ISOTC site; ANSI then loads them on to the ANSI Library, and CS1 is automatically notified when SC 27 documents are available. The end result is that SC 27 documents exist in three separate places—DIN, ISOTC and the CS1 web site. Each time, the CS1 Chair must download the files and have INCITS staff take time to post them to the CS1 web site. This is time consuming and duplicative.
The work as US TAG to SC 27 has included preparing contributions to, reviews of, and providing editors for active projects leading to international standards and technical reports. During the reporting period, there were numerous active projects that CS1 was requested to review and contribute to. In addition, the CS1 committee membership includes editors of international projects. Overall, the committee has been very effective in its representation of
CS1 has a task group, CS1.1, Role Based Access Control (RBAC), to develop implementation requirements for applications to use Role-Based Access Control (RBAC). With RBAC, security permissions are managed by first assigning permissions to roles (e.g., Doctor, Nurse) and then assigning users to those roles. The initial goal of the INCITS RBAC Task Group will be to develop a set of implementation requirements for applications such as financial services, health care, or manufacturing, based on the RBAC standard (INCITS 359-2004). This work is intended to promote interoperability among organizations employing RBAC as an access control model. The new INCITS CS1.1 task group will be responsible for the technical development of all RBAC related projects within CS1. However, CS1 retains all US TAG responsibilities for RBAC related projects in SC 27.
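The two-step assignment described above (permissions to roles, then users to roles) is easier to see in code. The following is an added illustration written for this page; it is not text or code from the report, from CS1.1, or from INCITS 359-2004. It is laid out after the reference model in that standard as the author of the example reads it: user-assignment (UA), permission-assignment (PA), a role hierarchy (RH) so that a Doctor inherits what a Nurse may do, a static separation-of-duty constraint (SSD), and sessions in which a user activates only the roles a task needs. Role names, user names and the hospital permissions are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Permission:
    operation: str   # e.g. "read"
    obj: str         # e.g. "patient_record"


class RBAC:
    """Core RBAC plus role hierarchy and static separation of duty, laid out after
    the INCITS 359-2004 model (UA, PA, RH, SSD, sessions) as the author of this
    example reads it; illustration only, not the standard's own text."""

    def __init__(self) -> None:
        self.ua: Dict[str, Set[str]] = {}           # user -> assigned roles (UA)
        self.pa: Dict[str, Set[Permission]] = {}    # role -> granted permissions (PA)
        self.juniors: Dict[str, Set[str]] = {}      # role -> roles it inherits from (RH)
        self.ssd: List[Tuple[Set[str], int]] = []   # (role set, n): no user may hold >= n
        self.sessions: Dict[str, Tuple[str, Set[str]]] = {}  # id -> (user, active roles)

    def add_role(self, role: str) -> None:
        self.pa.setdefault(role, set())
        self.juniors.setdefault(role, set())

    def authorized_roles(self, role: str) -> Set[str]:
        """The role plus everything it inherits, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def add_inheritance(self, senior: str, junior: str) -> None:
        """senior >= junior: senior acquires junior's permissions. Cycles are refused."""
        if senior in self.authorized_roles(junior):
            raise ValueError(f"cycle: {junior} already inherits {senior}")
        self.juniors[senior].add(junior)

    def add_ssd(self, roles: Set[str], n: int) -> None:
        """No user may be assigned n or more of these roles."""
        self.ssd.append((set(roles), n))

    def assign_user(self, user: str, role: str) -> None:
        """UA assignment, refused when it would breach an SSD constraint.
        Simplification: only directly assigned roles count, not inherited ones."""
        proposed = self.ua.setdefault(user, set()) | {role}
        for role_set, n in self.ssd:
            if len(proposed & role_set) >= n:
                raise ValueError(f"SSD: {user} would hold {sorted(proposed & role_set)}")
        self.ua[user].add(role)

    def grant_permission(self, role: str, operation: str, obj: str) -> None:
        self.pa[role].add(Permission(operation, obj))

    def role_permissions(self, role: str) -> Set[Permission]:
        """Direct plus inherited permissions of a role."""
        return set().union(*(self.pa.get(r, set()) for r in self.authorized_roles(role)))

    def create_session(self, sid: str, user: str, active: Set[str]) -> None:
        """A session activates a subset of the user's roles: least privilege per task."""
        assigned = self.ua.get(user, set())
        if not active <= assigned:
            raise ValueError(f"{user} is not assigned {sorted(active - assigned)}")
        self.sessions[sid] = (user, set(active))

    def check_access(self, sid: str, operation: str, obj: str) -> bool:
        """Decision point: allowed iff an active role of the session carries the permission."""
        _, active = self.sessions[sid]
        wanted = Permission(operation, obj)
        return any(wanted in self.role_permissions(r) for r in active)


def hospital_demo() -> Dict[str, bool]:
    """Constructed sample data: Doctor inherits Nurse; Doctor and Auditor exclude each other."""
    rbac = RBAC()
    for role in ("Nurse", "Doctor", "Auditor"):
        rbac.add_role(role)
    rbac.add_inheritance("Doctor", "Nurse")
    rbac.add_ssd({"Doctor", "Auditor"}, 2)
    rbac.grant_permission("Nurse", "read", "patient_record")
    rbac.grant_permission("Doctor", "write", "prescription")
    rbac.grant_permission("Auditor", "read", "access_log")
    rbac.assign_user("alice", "Doctor")
    rbac.assign_user("bob", "Nurse")
    rbac.assign_user("bob", "Auditor")
    rbac.create_session("s1", "alice", {"Doctor"})
    rbac.create_session("s2", "bob", {"Nurse"})   # Auditor assigned, not activated here
    results = {
        "doctor_reads_record": rbac.check_access("s1", "read", "patient_record"),  # via Nurse
        "doctor_writes_rx": rbac.check_access("s1", "write", "prescription"),
        "nurse_writes_rx": rbac.check_access("s2", "write", "prescription"),
        "inactive_role_unused": rbac.check_access("s2", "read", "access_log"),
    }
    try:
        rbac.assign_user("alice", "Auditor")       # Doctor + Auditor would breach SSD
        results["ssd_enforced"] = False
    except ValueError:
        results["ssd_enforced"] = True
    return results
```

Calling hospital_demo() shows the three properties an implementer of the model has to get right: the access decision consults only roles activated in the session, not every role the user holds; inherited permissions flow down the hierarchy without being copied into the senior role's PA; and a separation-of-duty rule is enforced at assignment time rather than at access time, so the conflicting combination can never exist.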
CS1.1 currently has two approved national projects. The first is INCITS Project 1794-D, Information technology - Requirements for the Implementation of Role Based Access Control (RBAC). It will be a set of implementation requirements for applications such as financial services, health care, or manufacturing, based on the RBAC standard (INCITS 359-2004). This work is intended to promote interoperability among organizations employing RBAC as an access control model. Ed Coyne is the Editor for the new project. The project is expected to go out for its first public review some time in 2008.
The second national project is INCITS Project 1831-DT-A, Information technology - Minimum Security Guidelines for Protecting Personal Identifiable Information and other Sensitive Information stored on and Exchanged between Information Systems [Technical Report]. This project will not be done under a separate task group. Alan Paller of the SANS Institute is the editor, and Eva Kuiper of HP is co-editor. CS1 is hopeful that there may be an additional national project in the next year.
2. Significant accomplishments
Aside from the formation of the CS1.1 task group and the 2 new national projects, CS1 accomplishments are the CS1 substantial contributions to the overall SC 27 list of published standards and standards awaiting publication. There have been enough
As a result of the successful
SC 27 seems to have no rules for the timelines for agenda items, especially when 20-30 files necessary for the meeting are sent out using the system above between 7 and 3 days prior to the meeting start. In order to instill some rigor into SC 27 agendas, CS1 contributed a change to SC 27 Standing Document 5 adding hard dates with respect to contributions to SC 27 agendas in advance of meetings. This is likely to become permanent over the next several months. It would make sense if this was also done in other SCs and from a JTC 1 perspective.
Additional accomplishments include assignments of CS1 members to international projects:
A. ISO/IEC JTC 1/SC 27 appointed the following liaison officers from CS1:
a. Eva Kuiper will be the SC 27 WG5 Liaison to the Open Group.
b. Dick Brackney will be the Liaison from SC 27 WG5 to the ITU-T SG 13 for Privacy and Identity management matters, and Liaison from SC 27 WG 4 to the ITU-D for WG 4 Projects.
B. ISO/IEC JTC 1/SC 27 appointed the following editors from CS1:
a. Dr. Uma Chandrashekhar is co-editor of ISO/IEC 27003, Information security management system implementation guidance.
b. Dimitri Andivahis is editor of 1.27.27.03 (18014-3), Time-stamping services – Part 3: Mechanisms producing linked tokens.
c. Laura Kuiper is co-editor of Project 1.27.28.01 (18028), the revision of the multi-part Guidelines for Network Security, as well as co-editor of part 2, Project 1.27.28.02 (18028), Guidelines for the Design and Implementation of Network Security.
d. Richard Brackney is Editor of Project 1.27.57 (29115), Authentication Assurance.
C. ISO/IEC JTC 1/SC 27 appointed the following rapporteurs from CS1:
a. Eva Kuiper is co-Rapporteur on the Study Group on ISMS Auditor Guidelines.
b. Fiona Pattinson has been appointed Rapporteur for a Study Period on Secure system design.
The number one challenge for CS1 moving into the future is to attract new members with knowledge in the new areas under the scope of CS1. It's particularly important that CS1 and INCITS get the word out on the new areas of WG5, Identity management and Privacy Technologies. Identity management is a high priority for organizations and CS1 needs to draw new members who wish to work on national and international standards in these areas.
The ability of CS1 to participate effectively in the work of SC 27 continues to be impaired by the change from access to the DIN server, where SC 27 documents used to be housed, to the ISOTC site. Direct access was possible then. The ISOTC site now houses SC 27 documents, and only ANSI is allowed direct access. This inserts a layer of time and redundancy into the process just to obtain the necessary documents in a timely manner to respond with US contributions. First ANSI must put the documents into its library, then and only then can CS1 obtain access. It is particularly noticeable when a standard document is undergoing Final review. INCITS requires at least a month and 10 days out of the time allotted to get the
The first expected challenge is a continuing one: consideration of standing task groups to progress the national and international program of work. Although this is the time honored and practical method for sub-dividing the workload of TCs, some of the old T4 members were not used to having either task groups or national projects. Forming the CS1.1 task group for RBAC was a concern for some CS1 members, who felt that the parent group would not know what is going on, and would somehow lose control of the work. Therefore, CS1.1 was created with the stipulation that a one year review will take place. Of course, others felt that this was redundant since the work of CS1.1 is reviewed at all CS1 meetings.
When the second national project was approved by CS1, there was no mention or thought given to creating a task group to do the work. Thus all of CS1 will be participating in this effort, as well as time during the actual CS1 meeting devoted to editing sessions.
The other expected challenge is developing and promoting US contributions for the SC 27 information security management system standards, including the newly renumbered 27000 series, Identity Management and Privacy technologies. We need more expertise in the CS1 membership in these areas if the
Meeting Number | Date | Location
2006
CS1.1 #004 | August 14 |
CS1 #007 | August 15-16 |
CS1.1 #005 | October 2 |
CS1 #008 | October 3-4 |
SC 27 Working Groups | November 13-17 |
2007
CS1.1 #006 | Jan 23 |
CS1 #009 | Jan 24-25 |
CS1 #010 | March 7-8 |
CS1.1 #007 | April 3 |
SC 27 Working Groups | April 16-20 |
SC 27 Plenary | April 23-24 |

Meeting Number | Date | Location
2007
CS1.1 #008 | July 31 |
CS1 #011 | August 1-2 |
CS1.1 #009 | August 28 |
CS1 #012 | September 5-6 |
Joint meeting of WG 4 and ITU-T SG 17 (to be confirmed) | September 26 |
WG 5 Workshop with ITU-T and FIDIS | September 30 |
SC 27 Working Group Meetings | October 1-5 |
CS1.1 #009 | October 9 |
2008
CS1.1 #010 | TBD |
CS1 #013 | TBD |
SC 27 Working Groups | April 14-18 |
SC 27 Plenary | April 21-22 |
CS1 maintains formal and informal liaisons with related activities in other US TAGs to JTC 1 SCs including M1 and T11, and the financial services standards organizations (ASC X9 and ISO TC68), IEEE P1700 and P1619, and ITU-T. In the last year, CS1 has also expanded its liaisons to include an additional liaison to ISSEA to cover Metrics in WG1 and liaisons with Open Group in the areas of Identity Management and Security.
a. Open Group, Eva Kuiper, HP
b. X9F, Sheila Brand, NSA
c. IEEE P1700, Eva Kuiper, HP
d. IEEE P1619, Eric Hibbard,
e. INCITS M1, Mike Hogan, NIST
f. INCITS T11, Eric Hibbard,
g. PTSC-SEC: once established, Laura Kuiper, Cisco Systems, will be the liaison
h. PTSC-SAC: once established, Dick Brackney, NSA, will be the liaison
Chairman - Dan Benigni – NIST (Trained July 2005)
Send email to Dan Benigni at: dbenigni@nist.gov
Address: Information Technology Laboratory, Computer Security Division, System and Network Security Group (893.02),
International Representative - Scott Erkonen, PREMIER Bankcard Inc. (Trained April 2006)
Send email to Scott Erkonen at: Scott.Erkonen@premierbankcard.com
Address:
Secretary - Laura Kuiper, Cisco Systems, Inc. (No Training required)
Send email to Laura Kuiper at: kuiperl@cisco.com
Address:
CS1.1 Officers include:
CS1 presently has 26 members. Growth has been sporadic. CS1 membership includes commercial organizations, government organizations, consultants, and consortia.
Membership list from INCITS database.
Members include: Alcatel-Lucent, Atsec Information Security Corp, Booz Allen & Hamilton Inc, CISCO SYSTEMS INC, Computer Sciences Corporation, Concordant Inc, EWA - Information & Infrastructure Technologies Inc, Forsythe Solutions Group, Hewlett-Packard Company (Canada Ltd), HID Global, Hitachi Data Systems, HotSkills Inc, IBM Corporation, Inter-Continental Hotels Group (A), KPMG LLP, Lexmark International (A), Microsoft Corporation (A), Mitre Corporation, National Security Agency, NIST, PREMIER Bankcard Inc, Raytheon Systems Company, RSA Security Inc, Surety Technologies Inc, The Open Group (L), The SANS Institute, the Zygma partnership, United States Dept of Homeland Security, VHA Health Information Architecture Office, and Verisign Inc.
ISO/IEC JTC 1/SC 27 has endorsed the following Working Group Study Periods.
WG | Duration | Topic
1 | 6 months | Technical ISM Audits
2 | 6 months | Three-party entity authentication
3 | 12 months | Secure system design
ISO/IEC JTC 1/SC 27 has endorsed the following extensions of Working Group Study Periods for 6 months.
WG | Doc. | Topic
1 | SC 27 N5537 | Sector-Specific ISMS Standards for the World Lottery Association
1 | SC 27 N5538 | Sector-Specific ISMS Standards for the Automotive Industry
2 | SC27 N5846 | Low power encryption
2 | SC27 N5809 | Signcryption
2 | SC27 N5899 | Merge of ISO/IEC 9796 and ISO/IEC 14888
3 | SC 27 N5160 | Responsible Vulnerability Disclosure
ISO/IEC JTC 1/SC 27 approves the following documents and requests its Secretariat to circulate them for NWI ballot.
Doc | Project | Title
SC27 N5868 | NWI | Guidelines for ISMS Auditing (27007)
SC27 N5925 | NWI | Verification of cryptographic protocols
SC27 N5729 | NWI | Application Security
SC27 N5726 | NWI | ICT Readiness for Business Continuity
SC27 N5722 | NWI | Guidelines for Cybersecurity
International standards are becoming a major influence on the security scene. They are seen as one of the major dynamic tools to help nations, communities, societies, organizations, and individuals improve their resilience in the face of security threats both natural and man-made. Information Security Management Systems standards will become the benchmark of best practices for development of incident preparedness, security, and operational/business continuity management within public and private organizations.
The market relevance for the IT Security Techniques area of standardization is great. The need for secure electronic communication, e-commerce, and international interoperability continues to expand. Further, the sophistication and frequency of attacks on these activities is also increasing. Therefore, the need for dependable, standardized IT Security techniques continues to increase.
Web-based business models are impacting all areas of commerce and society. We are on our way towards eEverything (healthcare, banking, retail sales, business supply chains, education, manufacturing, government services, etc.). The really big bumps in the road are those of security. Threats include attacks from within (disgruntled employees), attacks from without (viruses, worms), identity theft, loss of privacy, spyware, and spam, to name a few potentially catastrophic to merely annoying problems. These threats endanger the security of our society because they endanger the networks upon which our society is becoming more and more dependent. Cyber threats and crimes will not be controlled without timely development and widespread use of comprehensive, quality cyber security standards.
There continue to be emerging markets in Eastern Europe, Southeastern Asia, and
The area of Identity Management is gaining momentum, with the newly created SC 27/WG 5, Identity Management and Privacy Technologies. Identity management entails authoritative sources in organizations issuing identifiers for persons (employees, customers, residents, etc.). These authoritative sources rely upon references and support in the form of government issued identification such as birth certificates, driver's licenses, and passports. Unfortunately phony credentials remain all too easy to obtain. This problem is compounded by the connectivity and anonymity of cyber space.
The need for identifier management is readily apparent in the crime of identity theft. Identity theft is defined as all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. Identity theft inflicts substantial costs on both individuals and businesses.
Current SC 27/WG 5 work is being structured into the following 5 areas:
1. A Privacy Framework
2. A Privacy Reference Architecture
3. Specific Privacy Technologies (PxTs)
4. Privacy Engineering
5. Guidelines delineating the use of Privacy relevant Technologies
10. Other administrative information
Obsolete Standards: None.
Financial Statement: None. CS1 does not collect or disburse any funds.
CS1 Internal Procedures: The CS1 internal procedures are as follows:
Procedure Description: CS1 relies on the Standards Development Policies and Procedures dictated by INCITS for CS1 standards development, and on the templates and guidelines specified in the ISO Policies and Procedures.
Directives: CS1 relies on the INCITS Electronic Procedures and has not adopted any CS1 Electronic Procedures of its own.
CS1 Procedure for Funding Technical Editors: CS1 does not fund technical editors.
CS1 Document Retention Policy: CS1 relies on the INCITS Secretariat for all document storage in a password protected area of the CS1 web site.
CS1 Plenary Meetings: CS1 does not hold plenary meetings.