Copyright 2010. The author(s) associated with each specific article presented in this publication (with the exception of those mentioned in Note 1) have asserted their moral rights as authors of the said articles under their own national and international copyright laws. Neither the editor of this publication nor ISO/IEC JTC 1/SC27 is responsible for the accuracy of the content of these articles and so cannot be held liable regarding the reader's use, interpretation or any implementation of these articles or their content. Note 1. This Book also contains several articles from the ISO Focus and ISO Management Systems magazines. They are reproduced in this Book with the kind permission of ISO Central Secretariat, which retains full copyright over these articles. These particular articles first appeared in various editions of the following magazines: ISO Focus (www.iso.org/isofocus) and ISO Management Systems, as indicated in the footer of each article.
Acknowledgements. A special thanks is given to all those that have contributed articles to this publication and also to the organizations that have sent letters of congratulations to SC27 on its 20th birthday.
Microsoft Sponsorship. Finally, a special thanks goes to Microsoft Corporation for their kind sponsorship of this publication and their support of ISO/IEC JTC 1/SC 27.
Foreword by ISO Secretary-General Mr. Rob Steele to the book celebrating the 20th anniversary of ISO/IEC JTC 1/SC 27, IT security techniques
E-business is as much an essential way of doing business in the corporate world as it is for public sector organizations and for individual consumers and citizens. Its undoubted advantages also bring new risks. These can range from fraudulent transactions to mistakes in identifying citizens, customers and business partners.
These and other risks can lead to actual or potential financial loss and therefore loss of confidence. This, in turn, can have a significant financial impact on citizens using the Internet for on-line shopping, and on businesses or public sector bodies exchanging legal documents, or performing electronic payments or transactions.
In addition, information in all its forms is a well recognized and powerful lever for the success of an organization and this is as true for small and medium-sized organizations (SMEs), in both private and public sectors, as it is for large organizations. In this environment, it is clear that the standards developed by ISO/IEC JTC 1/SC 27, IT security techniques, provide considerable benefits to business, government and to people in their roles as consumers and citizens. SC 27 is responsible for two of ISO's best-selling and most widely implemented standards, ISO/IEC 27001 and ISO/IEC 27002, for information security management systems. These follow on the past success of SC 27 in developing the Security Evaluation Criteria (also known as the "Common Criteria") for security products. In addition, SC 27 has been at the forefront in developing encryption and digital security standards. But not content to rest on its laurels, SC 27 has already embarked on or is planning future standards including ones to solve the problems of identity management, privacy, cyber security and IT readiness for business continuity. In view of SC 27's impressive track record combined with its forward-looking perspective, it gives me great pleasure to wish the subcommittee, its officers and all the international experts, past and present, who have contributed to its success, a well deserved and joyful 20th anniversary celebration, as well as best wishes for the future.
CONTENTS
Welcome 1
Letters of Congratulations 3
ITU-T; DIN; AFNOR; BSI; NIST; ENISA; ISMS User Group
ISO/IEC JTC 1/SC27 13
'The Times they are a-Changing' - SC 27's role in an altering security landscape (Dr Walter Fumy and Dr Marijke De Soete)
SC27 Information (Professor Edward Humphreys and Dale Johnstone)
ISO/IEC JTC 1 SC27 - The Show Must Go On (Dale Johnstone)
'Memories are made of this' - A view of the past (Professor Edward Humphreys)
SC27 WG1 37
WG1 Information Security Management System Standards (Professor Edward Humphreys)
ISO/IEC 27005 and Risk Management (Anders Carlstedt)
Could maturity help risk management? (Matthieu Grall)
Father of ISMS Standards (James Butler-Stewart)
Case studies show value of ISO/IEC 27001 conformity (ISO Management Systems)
Information security management systems for small and medium-sized enterprises (ISO Management Systems)
Service management with a smile of confidence (ISO Focus)
SC27 WG2 85
Cryptographic Standards: Achievements, Current Activities and Future Perspectives of SC 27/WG 2 (Prof. Kenji Naemura and Takeshi Chikazawa)
Standardization of modern cryptographic mechanisms: lightweight cryptography (Riaal Domingues)
Using ISO Security Standards in International Payment Card Systems (Mike Ward and David Main)
ECRYPT II European Network of Excellence for Cryptology (Bart Preneel)
SC27 WG3 103
Current Activities and Future Perspectives of SC 27/WG 3 (Miguel Bañón)
ISO 15408, the Common Criteria Recognition Arrangement, and the role of SC27 (David Martin)
ISO/IEC 19790 Security Requirements for Cryptographic Modules (Randall Easter and Jean Pierre Quemard)
Security attributes extension and relation with dependability (Anne Coat Rames and Jean Caire)
Evaluation Criteria for IT Security (Professor Svein Johan Knapskog)
Assurance landscape (John Hopkinson)
ISO/IEC 19792 - The first biometric project in SC 27 (Nils Tekampe)
SSE-CMM (John Hopkinson)
Professor Mats Ohlin - An obituary (Dag Ströman and Mike Nash)
SC27 WG4 148
Establishing Information Security Readiness - a standard approach (Dr Meng Chow Kang)
Information Security & Business Continuity - ICT Readiness of an Enterprise (Philip Sy)
Information Security Incident Management is renewed as International Standard (Yoshihiro Satoh)
Information security: Risks or hazards (ISO Focus)
SC27 WG5 15
Technologies for privacy, identity management and biometrics (Professor Kai Rannenberg)
ACBio, the first International Standard on online biometric verification, and its harmonization activities with other standards bodies (Yamada Asahiko)
FIDIS (Hans Hedbom)
PICOS congratulates SC 27 on its 20th birthday! (Zdenek Riha)
Welcome to the SC27 Platinum Book
This book has been produced to celebrate the twentieth birthday of ISO/IEC JTC 1/SC27, the sub-committee responsible for information and IT security standards. Included in this book are many articles written by experts working in SC27, as well as by the current and past officers of SC27. Also included are statements and letters from liaison organizations that work with SC27, as well as from some of the National Standards Bodies that are members of SC27.
ISO/IEC JTC 1/SC27 is an internationally recognized centre of information security expertise serving the needs of many business sectors as well as governments. Its work covers both management standards and technical standards. The work of ISO/IEC JTC 1/SC27 is in direct response to business, government and consumer requirements for information security standards. The articles in this Platinum Book reflect some of the many achievements of SC27 since its establishment in April 1990. These achievements have flourished as a direct result of SC 27 keeping up to date with changes in market and business requirements, greater interest in management systems security, new threats and risks, new technology, ubiquitous deployment of wireless and mobile computing and communications networks and devices, societal security, economic changes and the impact of new regulations and legislation.
The work of SC27 enables organizations to engage in preventive actions to protect their information and to support business availability and continuity, and to avoid businesses continually needing to apply corrective action to resolve the security compromises and failures of yesterday and the past. It is more economically sound for the ISO/IEC community to work towards preventive actions rather than corrective actions. In particular such protection is required to maintain operational conditions within business environments within and across industry sectors, for economic growth and national and global sustainability, as well as for critical infrastructure purposes in times of crisis and disaster.
Congratulations go to all those that have been involved in the success of SC27 over the last twenty years, and to the readers of this publication: please make yourselves comfortable and enjoy the read.
Prof. Edward Humphreys, Platinum Book Editor, June 2010
Letters of Congratulations
June 2010
Dear Dr Fumy,
Congratulations on the 20th birthday of ISO/IEC JTC 1/SC27. ITU-T Study Group 17 (Security) and its predecessor Study Group 7 are pleased with our long and fruitful partnership with SC 27 in developing ICT security standards.
For example, early joint work with SC 27 on trusted third party services resulted in the common text standards ITU-T X.841 | ISO/IEC 15816, ITU-T X.842 | ISO/IEC TR 14516 and ITU-T X.843 | ISO/IEC 15945. This was followed by the twin texts ITU-T X.805 and ISO/IEC 18028-2 on network security architecture.
In the ITU-T study period of 2005-2008, SG 17 worked jointly with SC 27, especially WG 1, on Information Security Management Systems (ISMS) in order to develop an identical standard for Information Security Management Guidelines for telecommunications organizations between ISO/IEC and ITU-T. The work was successfully completed in 2008, resulting in ITU-T X.1051 | ISO/IEC 27011.
Expanding on these successful experiences, SG 17 is now working jointly with SC 27 on information security governance, identity management (IdM), cybersecurity, and other topics. SG 17 is pleased with the joint cooperation in developing security standards and in workshops. We look forward to continuing strong collaboration in the common areas of ICT security.
Dear Members of JTC 1/SC 27 IT Security techniques
Cord Wischhöfer is the Secretary of NIA, the German mirror committee of JTC 1. He joined DIN, the German Institute for Standardization, in 1993. Since then he has worked in various national and international standards committees, e.g. those on information technology, terminology, documentation and graphic technology. Cord is also a member of the German delegation to JTC 1 and participates in the work of JTC 1/SWG-D and SWG-P.
JTC 1/SC 27 is celebrating its 20th anniversary this year. You, we, can look back on 20 years of very successful standardization work in the field of IT Security. Even though 20 years may appear to be quite a long time, the story of JTC 1/SC 27 is not yet over. Quite to the contrary! It is obvious to me that the work of the committee is becoming more and more important and that the results of your work are increasingly accepted worldwide. This is apparent from the large number of national bodies that participate in the work as well as the great amount of work that is being done in the working groups. The high quality of the standards developed by JTC 1/SC 27 explains why these standards are adopted at the national level and applied at the international one.
I am proud of the achievements of JTC 1/SC 27, and NIA, the German mirror committee of JTC 1, is glad that we have been able to contribute to the success of the international committee through the technical expertise of our experts, the work of the JTC 1/SC 27 Secretariat and the leadership of the SC Chairmen over the years. Looking into the future I am pleased to assure you that Germany is fully committed to continuing the success story of JTC 1/SC 27. The German IT industry and the German government continue to strongly support the work of the JTC 1/SC 27 Secretariat. NIA will make sure that the resources needed for efficiently running the committee's secretariat are available and we will do our best to meet the future demands of JTC 1/SC 27.
Yours sincerely
SECURITY IN MIND. The JTC 1/SC 27 French mirror committee: AFNOR Groupe de coordination Sécurité des Systèmes d'Information (GCSSI)
The rapid evolution, indeed dazzling in recent years, of information, network communication and Internet technologies is offset by the increase of risks associated with data manipulation, storage and transmission. As a matter of fact, this progress highlights the absolute need for protection not only for computing, but also for data, when exchanged and stored, as well as for IT systems.
More than ever, the news echoes with failures and hackings. However, beyond these much-publicized exemplary cases, how many private and public organizations are paying for dysfunctions and scams because of inefficient information security?
For SMBs, large industrial groups, banks or even government services, the security of their information systems, the keystone for externally-oriented activities (sales, purchase, promotion, etc.) as for internally-oriented activities (human resources management, accounting, etc.), has become crucial, if not vital!
Thus, it is essential that users of these technologies can have full confidence in the systems they use. This confidence, resulting from the application of security techniques, may be increased through the implementation of operational security policies, efficient and scalable in the organization, and the adoption of standards that will effectively ensure the achievement of the desired level of security, expressed in terms of: data availability, integrity and confidentiality; equipment and software interoperability; as well as comparable information security governance practices.
Nevertheless, despite the fact that the ISMS has become the main concern of IT managers, information security should not be limited to the scope of their own company or public authority, but extended to the global approach to security that the interconnection of networks and systems requires.
In this context, the use of standardized techniques is a key asset as it allows transparency, comparability, improvement and skills enhancement in an area where, by nature, the reflexes of discretion and secrecy persist as a token of pseudo-efficiency.
This standardization eases the use of tools and systems that can communicate together, and it enables solution providers to preserve their market share. Actually, in the absence of an objective basis for the comparison of their products, there would be a risk for them of not meeting the needs of users, allowing globalized suppliers and industrials to promote incompatible and non-interoperable proprietary solutions. This comes in addition to the risks related to security and economic theft that could result from the use of undisclosed and not objectively assessed algorithms.
Such are the challenges faced by French authorities and companies when fulfilling their roles: protecting the public for the former, and being competitive actors and advocates of national expertise for the latter.
And such is the responsibility of the JTC 1/SC 27 French mirror committee, which also celebrates its 20th birthday: a steering committee for transversal coordination, a recognized network of expertise and an information and watch platform, whose members are actively involved in the standards development carried out within SC 27 Working Groups.
ISMS International User Group (IUG)
On behalf of many thousands of ISMS user organizations around the world we congratulate you and your committee on reaching its 20th birthday. This is a milestone event in the history of international information and IT security standardization. We would particularly like to congratulate you on the development of the successful family of ISO/IEC 2700x ISMS standards, which have provided businesses and governments around the globe with the right set of tools to meet their own information security management and governance requirements as well as satisfying compliance and contractual obligations. The take-up of the flagship of the ISMS family of standards, ISO/IEC 27001, has proved it to be the best selling, world beating ISO information security standard. The success of ISO/IEC 27001 has been clearly demonstrated by the number of organizations that have had their ISMS certified, as can be seen by visiting the ISMS International Certificate Register (www.ISO27001certificates.com). The ISMS IUG continually gets feedback from ISMS user organizations expressing the many benefits received from implementing ISO/IEC 27001.
The ISMS IUG looks forward to continued collaboration with SC27 in the future development and progress of ISMS standardization. Sincerely, Prof. Edward Humphreys, ISMS IUG Founder and Director
ISO/IEC JTC 1/SC27
'The Times they are a-Changing' - SC 27's role in an altering security landscape
The past quarter-century has seen a migration of human activities from physical, person-to-person contact into an electronic world whose latest incarnation is known as "the cloud". Globalisation would not be possible without modern IT, high-bandwidth and inexpensive communications, and the World Wide Web. Among the critical issues raised by this transformation are its effects on security and privacy, effects which are of concern to individuals, to enterprises, and to governments. Security and privacy can be protected or obtained in a variety of ways, and in particular in the electronic world cryptography is an essential tool to this end.
New Approaches to Cryptography
For centuries, cryptography had been treated as a secret art, and from the beginning the export of cryptographic products had been tightly controlled with the intention of confining its use to government, military, and a limited number of commercial sectors with obvious security needs, such as the financial industry. This attitude changed not very long ago. For example, the US export rules were only revised in 2000 to place less emphasis on the strength of cryptographic techniques used in commercial products, and only then did selling such products throughout (most of) the world become relatively easy. Cryptography was a natural topic for the Organization for Economic Co-operation and Development (OECD), which then already had a history in privacy policy. Having developed policy guidelines for information security in 1992, the OECD tackled the encryption debate in 1996. In March 1997, the organization issued its cryptography guidelines, which emphasized the importance of trust in cryptographic products and urged that "the development and provision of cryptographic methods should be determined by the market in an open and competitive environment, and that the development of international technical standards, criteria and protocols for cryptographic methods should also be market driven" [OECD 1997]. It was this development that finally allowed SC 27 to change its scope and to no longer exclude the standardization of cryptographic algorithms.
This happened at a time when the approach to the standardisation of cryptographic techniques was a-changing. When seeking to replace the more than twenty-year-old Data Encryption Standard (DES) with a new algorithm, the US National Institute of Standards and Technology (NIST) took a novel approach, and the contrast with the process that led to the adoption of DES two decades earlier could barely have been larger. The field had matured and, as a result, the Advanced Encryption Standard (AES) can justly be called a second-generation block cipher. AES and the AES standardisation process were not the only fundamental changes. Continuous advances in computing and discrete mathematics had made the RSA public-key cryptosystem uncomfortably costly. The solution coming to hand makes use of mathematical structures called elliptic curves. Cryptosystems based on elliptic curves only require about twice as many bits as the AES to achieve an analogous level of security, not thousands of bits as the RSA scheme or a traditional Diffie-Hellman key establishment protocol. SC 27 was at the forefront of standardizing such second-generation public-key cryptosystems. Since then the market for cryptography has exploded. Due to the security requirements of the Internet, the Secure Socket Layer protocol (SSL) became the most widely deployed cryptographic tool. Today, it is virtually impossible to find a commercial sector without security and privacy needs.
The Rise of Compliance
But not only the way cryptography is dealt with has changed over the last two decades. Even more important changes happened in the way information security is addressed by enterprises and governments. Enterprises are not just fighting the bad guys or enabling new business opportunities; they also need to show customers and competitors that they are properly protected. In addition, internationally and regionally mandated security and privacy requirements, directives and standards have shaped a higher level of security awareness and understanding. The response to a number of major accounting and reporting scandals around the turn of the century, which involved prominent companies such as Enron, Parmalat, or WorldCom, was to refocus on decent "corporate governance" in order to restore public trust and investor confidence in accounting practices. Several legal regulations including Basel II, the Sarbanes-Oxley Act (SOA), and the Gramm-Leach-Bliley Act were established, and compliance became a mandatory topic on the agendas of board meetings in many enterprises, with security being an inherent component of compliance requirements. On the other hand, the 9/11 events augmented security awareness within governments, leading to regulations addressing not only homeland security, but also critical infrastructures, cybercrime, and many other areas.
With these developments, security evolved from a technical, often "add-on feature" dealt with by academics and computer specialists to an overall "integrated service" which also involves business and senior management. More and more organizations implemented an information security management system (ISMS) as part of their corporate governance, driven by a business risk management oriented approach. Many of them use the ISMS 2700x series developed by SC 27. These ISMS do not only address the purely technical implementations but also deal with aspects such as identity management, incident handling, human resources, third party involvement, and evaluation. The approach is based on the so-called PDCA (plan-do-check-act) model, which is essential for the permanent improvement of any security management system.
PDCA applied to SC 27
During the past 20 years SC 27 has successfully applied the PDCA model to adapt its standardization work to the changing security landscape. The committee has revised and extended its scope a number of times to reflect new or altering demands from the market in areas such as cryptographic algorithms, cyber security, privacy, identity management, or security aspects of biometrics.
When it became necessary, it also adapted its structure and expanded from three to five working groups in order to deal appropriately with all aspects of information security, from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security guidance and management. The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources. Currently SC 27 meetings are typically attended by more than 200 participants. However, one aspect of the scope of SC 27 remained unchanged during these 20 years: the generic nature of its deliverables. Focusing on the development of generic standards for the protection of information and ICT has led to a considerable number of liaisons with other standardization and industry bodies, which have been shaped over the past years. Many of these liaison bodies use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific to their sector, such as telecom, the financial industry, health care, or transport. For more information on SC 27 and its work program, the reader is referred to [SC27].
References
[OECD 1997]: Recommendation of the Council concerning Guidelines for Cryptography Policy (http://www.oecd.org/document/34/0,3343,en_2649_34255_1814690_1_1_1_1,00.html)
[SC27]: http://www.jtc1sc27.din.de/en
ISO/IEC JTC 1 SC27 - INFORMATION
Edward Humphreys, SC27 WG1 Convenor
Dale Johnstone, SC27 WG1 Vice-Convenor
SC27 Management Team
SC27 Chair:
Christian Jahl, DIN, Germany (1990 - 1992)
Dr Klaus Vedder, DIN, Germany (1992 - 1996)
Dr Walter Fumy, DIN, Germany (1996 to present)
SC27 Vice-Chair:
Dr Marijke De Soete, NBN, Belgium (2003 to present)
SC27 Secretariat:
Ms Annette Galkin, GMD (1990 - 1992)
Ms W. Wilke, DIN, Germany (1992 - 1996)
Ms Krystyna Passia, DIN, Germany (1996 to present)
Working Group Convenors and Secretaries
WG1 ISMS
Convenor: Prof. Edward Humphreys, BSI, UK (1990 to present)
Secretary: Dr Angelika Plate, BSI, UK (2005 - 2008)
Vice-convenor: Mr Dale Johnstone, SA, Australia (2009 to present)
The Terms of Reference of this working group are:
The scope of WG 1 covers the development of ISMS (Information Security Management System) standards and guidelines (see SC 27 N5114). This includes:
1. Development and maintenance of the ISO/IEC 27000 ISMS standards family
2. Identification of requirements for future ISMS standards and guidelines
3. On-going maintenance of WG1 standing document SD WG 1/1 (WG 1 Roadmap)
4. Collaboration with other Working Groups in SC 27, in particular with WG 4 on standards addressing the implementation of control objectives and controls as defined in ISO/IEC 27001
5. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for ISMS, for example:
ITU-T Telecoms
ISO/TC 215 Healthcare
ISO/TC 68 Banking
ISO/TC 176 Quality MS
ISO/TC 204 Intelligent transport systems
ISO/TC 223 Civil Defence
ISSEA
ISACA
ISF
ENISA
Interpol
Transport Sector
Energy Sector
Aerospace
Automotive
Industry Standards bodies, such as IETF, IEEE
International Institutions, e.g. OECD, APEC, EU
IAF and CASCO, JTCG and other relevant groups regarding the development of accreditation and certification standards and guidelines
WG2 Cryptography and security mechanisms
Convenor: Mr L. Guillou, AFNOR, France (1990 - 1993)
Secretary: Mr G. Bourstin, AFNOR, France (1990 - 1993)
Convenor: Dr Marijke De Soete, Belgium (1994 - 2003)
Convenor: Mr Takeshi Chikazawa, JISC, Japan (2010 to present)
Vice-convenor: Mr Toshio Tatsuta, JISC, Japan (2010 to present)
The Terms of Reference of this working group are:
WG 2 provides a centre of expertise for the standardization of IT Security techniques and mechanisms within JTC 1:
identify the need and requirements for these techniques and mechanisms in IT systems and applications;
develop terminology, general models and standards for these techniques and mechanisms for use in security services.
The scope covers both cryptographic and non-cryptographic techniques and mechanisms including:
confidentiality,
entity authentication,
non-repudiation,
key management,
data integrity, such as:
o message authentication,
o hash-functions,
o digital signatures.
The mechanisms in general include several options with respect to the techniques used, including symmetric cryptographic, asymmetric cryptographic and non-cryptographic.
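The three data-integrity mechanisms named in the scope above (hash-functions, message authentication and digital signatures) differ in who can produce a valid check value and who can verify it. The following Python is added here as an illustration of that difference on a constructed message; it is not code from the Platinum Book or from any SC 27 standard. It uses an unkeyed SHA-256 hash, an HMAC under a shared key, and a signature. The signature is a deliberately minimal textbook RSA (no padding, 512-bit modulus, primes generated at run time), an assumption made only so that the asymmetric property is visible; it is not a usable signature scheme.

```python
"""Integrity mechanisms of the kinds named in the WG 2 scope: an unkeyed hash,
a keyed message authentication code (MAC) and a digital signature, with a
constructed scenario showing what each does and does not protect against.
The signature is toy textbook RSA written only to show the asymmetric
property; it is NOT a usable signature scheme (no padding, toy key size)."""
import hashlib
import hmac
import random
import secrets

# --- unkeyed hash: detects accidental change, but anyone can recompute it ---
def hash_tag(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

def hash_check(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)

# --- keyed MAC: only a holder of the shared key can produce a valid tag ---
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_check(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- toy RSA signature: only the private-key holder signs, anyone verifies ---
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    """Random prime with the top bit set so that p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). A 512-bit modulus keeps the 256-bit SHA-256
    digest below n; it is far too small for real use (toy parameter)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:        # e is prime, so this gives gcd(e, phi) = 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def rsa_sign(private_key, message: bytes) -> int:
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)               # textbook RSA, no padding (toy only)

def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest

def demo() -> dict:
    """Constructed scenario: Alice sends an order to Bob; Mallory rewrites it."""
    message = b"transfer 100 EUR to account 42"     # constructed sample input
    forged = b"transfer 900 EUR to account 666"     # Mallory's replacement
    shared_key = secrets.token_bytes(32)            # known to Alice and Bob
    public_key, private_key = rsa_keygen()          # Alice's key pair
    results = {}
    # Hash: Mallory replaces message and hash together; Bob cannot tell.
    results["hash_accepts_genuine"] = hash_check(message, hash_tag(message))
    results["hash_accepts_forgery"] = hash_check(forged, hash_tag(forged))
    # MAC: without the key Mallory cannot re-tag; the old tag fails on new text.
    tag = mac_tag(shared_key, message)
    results["mac_accepts_genuine"] = mac_check(shared_key, message, tag)
    results["mac_rejects_forgery"] = not mac_check(shared_key, forged, tag)
    # Signature: Bob verifies with the public key but cannot forge Alice's
    # signature himself, which a MAC cannot give (non-repudiation).
    sig = rsa_sign(private_key, message)
    results["sig_accepts_genuine"] = rsa_verify(public_key, message, sig)
    results["sig_rejects_forgery"] = not rsa_verify(public_key, forged, sig)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the bare hash accepting the forgery (whoever can rewrite the message can recompute the hash), the HMAC rejecting it while still being producible by any holder of the shared key, and the signature rejecting it while being producible only by the private-key holder, which is the non-repudiation property listed in the scope.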
WG3 Security Evaluation Criteria
Convenor: Mats Ohlin, SIS, Sweden (1999 - 2009)
Secretary: Dr Mike Nash, BSI, UK (2001 - 2009)
Convenor: Miguel Bañón, AENOR, Spain (2009 to present)
Secretary: Dr Bertolt Krüger, DIN, Germany (2009 to present)
The Terms of Reference of this working group are:
Standards for IT Security evaluation and certification of IT systems, components, and products. This will include consideration of computer networks, distributed systems, associated application services, etc. Three aspects may be distinguished:
evaluation criteria,
methodology for application of the criteria,
administrative procedures for evaluation, certification, and accreditation schemes.
This work will reflect the needs of relevant sectors in society, as represented through ISO/IEC National Bodies and other organisations in liaison, expressed in standards for security functionality and assurance. Account will be taken of related ISO/IEC and ISO standards for quality management and testing so as not to duplicate these efforts.
WG4 Security Controls and Services
Convenor: Dr Meng Chow Kang, SPRING, Singapore (2006 to present)
Secretary: Philip Sy, SPRING, Singapore (2009 to present)
The Terms of Reference of this working group are:
The scope of WG 4 covers the development and maintenance of standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC 27001. This includes:
1. Current SC 27 projects:
IT network security (ISO/IEC 18028)
Information security incident management (ISO/IEC TR 18044)
Guidelines for information and communications technology disaster recovery services (ISO/IEC 24762)
Selection, deployment and operation of Intrusion Detection Systems (IDS) (ISO/IEC 18043)
Guidelines on use and management of Trusted Third Party services (ITU-T X.842 | ISO/IEC TR 14516)
Specification of TTP services to support the application of digital signatures (ITU-T X.843 | ISO/IEC 15945)
Security information objects for access control (ITU-T X.841 | ISO/IEC 15816)
2. Identification of requirements for and development of future service and application standards and guidelines, for example in the areas of:
Business Continuity
Cyber Security
Outsourcing
3. On-going maintenance of WG4 standing document SD WG 4/1 (WG 4 Road Map)
4. Collaboration with other Working Groups in SC 27, in particular with WG1 on ISMS standards and guidelines
5. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for services and applications, for example:
ITU-T Telecoms
ISO/TC 215 Health Informatics
ISO/TC 68 Banking
ISSEA
Aerospace
Automotive
Industry Standards bodies, such as IETF, IEEE
International Institutions, e.g. OECD, APEC, EU
WG5 Privacy and Identity Management
Acting Convenor: John Snare, SA, Australia (2006)
Convenor: Prof. Kai Rannenberg, DIN, Germany (2007 to present)
Secretary: Jan Schallaböck, DIN, Germany (2007 to present)
The Terms of Reference of this working group are:
The scope of SC 27/WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
2. Identification of requirements for and development of future standards and guidelines in these areas. For example:
in the area of Identity Management, topics such as:
Role based access control
Provisioning
Identifiers
Single sign-on
in the area of Privacy, topics such as:
A Privacy Framework
A Privacy Reference Architecture
Privacy Infrastructures
Anonymity and credentials
Specific Privacy Enhancing Technologies (PETs)
Privacy Engineering
in the area of Biometrics, topics such as:
Protection of biometric data
Authentication techniques
3. Collaboration with other Working Groups in SC 27, e.g. WG 1 on management aspects, WG 2 on specific cryptographic techniques and WG 3 on evaluation aspects.
4. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for services and applications in this area, for example:
ISO/IEC SC 37 Biometrics
ECRYPT
ISO/TC68/SC2 Financial Services Security
ISO/TC68/SC6/WG10 Financial Services - Retail Financial Services - Privacy
ITU-T SG17 Security, languages and telecommunication software
Future of Identity in the Information Society (FIDIS)
The International Conference of Data Protection and Privacy Commissioners
The Open Group (IdM Forum and Jericho Forum)
SC27 Members
P-members: Algeria, Australia, Austria, Belgium, Brazil, Canada, China, Côte d'Ivoire, Cyprus, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Ireland, Jamaica, Japan, Kazakhstan, Kenya, Rep. of Korea, Luxembourg, Malaysia, Morocco, The Netherlands, New Zealand, Norway, Poland, Romania, Russian Federation, Singapore, Slovakia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Ukraine, United Kingdom, United States of America, Uruguay. (Total: 42)
O-members: Argentina, Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Estonia, Ghana, Hong Kong, Hungary, Indonesia, Israel, Lithuania, Portugal, Serbia, Slovenia, Swaziland, Thailand, Turkey. (Total: 18)
SC27 Liaisons
The following are some of the liaisons that SC27 has had with other organizations and standards groups, both within ISO/IEC and external to ISO/IEC. This list covers the liaisons of the last twenty years.
External CAT A Liaisons
ENISA (European Network and Information Security Agency)
Liaisons with IEC
IEC/TC 65 Industrial-process measurement, control and automation - WG 10 Security for industrial process measurement and control - network and system security
Internal Liaisons within ISO/IEC JTC 1
JTC 1 Ad Hoc on vocabulary
JTC 1/WG 6 Corporate Governance of IT
SC 6 Telecommunications and information exchange between systems
SC 7 Systems engineering
SC 17/WG 3 Machine readable travel documents
SC 17/WG 4 Integrated circuit cards with contacts
SC 17/WG 11 Application of Biometrics to Cards and Personal Identification
SC 21 Open Systems Interconnection standards
SC 22 Programming languages, their environments and system software interfaces
SC 25 Interconnection of IT Equipment
SC 31/WG 4 Automatic identification and data capture techniques
SC 36 Information technology for learning, education, and training
SC 37 Biometrics
Historical Meeting Summary
ISO/IEC JTC 1/SC 27 has been in successful operation for 20 years and has held its regular six-monthly meetings in different parts of the world. The full location history of the meetings is summarized as follows:
Each of these meetings has brought with it its own unique logistical challenges, happy memories and productive work outputs. In the paper "ISO/IEC JTC 1 SC27 - The Show Must Go On" some of the challenges encountered on one unique occasion are discussed.
ISO/IEC JTC 1 SC27 - The Show Must Go On
Dale Johnstone, SC27 WG1 Vice-Convenor
The purpose of this paper is to discuss the meeting that presented SC27 with probably the largest challenge of all of its meetings. The meeting that delivered the most challenges for the SC27 Management Team, meeting attendees and National Body participants was the one held in Melaka, Malaysia in April 2010. This is the first time that a major natural event occurred just as participants were making their final preparations to set off on their journey to the SC27 meeting location. Approximately four days before the Malaysia meeting was scheduled to commence, the Eyjafjallajökull volcano in Iceland erupted, causing substantial disruption to the travel plans of a large number of participants intending to travel from Europe to the SC27 meetings. This single natural event caused the largest number of SC27 members planning to travel (in this case from the European region) to the meeting in Melaka, Malaysia, to eventually cancel their travel plans. Even before the meeting commenced, it was very quickly apparent that continuity arrangements had to be adopted to ensure the meetings continued successfully. This was especially so given that the large number of delegates who were already in transit to the meeting location in Malaysia meant that the meeting had to go on.
The unique challenges encountered for this particular meeting included the following individuals initially being unable to travel to the meeting location in Malaysia: the SC27 Chairman; the SC27 Vice-Chairman; the WG1, WG3 and WG5 Convenors; the WG3 and WG5 Vice-Convenors; a large number of Project Editors and Co-Editors; and a number of National Body project experts key to the progress of selected projects. Other challenges encountered included: rearrangement of hotel bookings for participants; meeting facilities equipped for on-site (not remote) participation; and a diminished SC27 Management Team.
Although SC27 did not have any formally adopted, documented contingency plans in place, the overall situation was managed successfully thanks to the quick-thinking actions of many participants. Their actions included: preparing meeting facilities for remote access (i.e. speaker/microphone communications); determining practicable remote communication solution(s) accessible by all with minimum preparation needed for access (i.e. licensing) and no expertise needed in their use (i.e. training); determining acting project coordinators (Acting Editors) for projects where no Project Editor was present; reallocating responsibilities for formal presentations, meeting leadership and other events; and managing the frustrations of National Body participants whose travel plans had been severely impacted by the event.
As a result of this particular event and its unique circumstances, SC27 continuously strives to improve its contingency arrangements, which includes consideration of: identifying potential hosts for short-notice regional meeting locations where SC27 National Body members can collectively use the available facilities; encouraging greater geographic separation of key meeting participants (i.e. co-editors); and taking the experiences gained and using them as lessons for future occurrences of a similar nature.
There are those individuals (and you all know who you are) who will say this was one of their busiest and most challenging working weeks ever. But with all of their commitment and assistance the meetings proved to be very successful. In particular the event organizers are singled out as having been critical to the overall success of the meetings. Their ability to very quickly adapt the meeting location to technically accommodate the remote participants, which in itself generated communication challenges (excellently supported and resolved by one of the meeting's sponsors), was very much appreciated and acknowledged by all involved as being critical to the meeting's success. Although on this occasion the ISO/IEC JTC 1/SC 27 meetings lacked a number of European experts who could not attend due to the Icelandic volcano incident and the associated disruption to air transportation, their commitment and active, regular participation via remote communications in the Plenary and editing meetings (via email or via Skype conference calls) during the course of the week proved invaluable. Even though SC27 did not possess documented contingency plans (which one would expect to have enabled a more effective approach to dealing with the unexpected event), the ability of alternative leadership to form quickly and of all involved individuals to communicate and agree on the relevant actions required resulted in the SC27 meetings proceeding smoothly. This in itself is a testament to the level of close bonding, cooperation and understanding that has formed between all the individuals associated with SC27 over its past 20 years of operation.
'Memories are made of this' - View of SC27 Past
SC27/WG1
Information Security Management System Standards
Background
SC 27/WG 1 has, from its inaugural meeting to today, been involved in some form of standardisation related to the management of security systems. In the early years (1990-97) this mainly involved the management of IT security as well as application level security; this then progressed (1996-2005) to other standards such as a series of network security standards, Trusted Third Parties and Digital Signatures, Intrusion Detection Systems and a standard on incident handling; and finally, in the latter years (1999 to date), the management of information security and the publication of the ISO/IEC 2700x family of standards.
During the 90s WG1 collaborated regularly with JTC1/SC21/WG1, WG4 (OSI management) and WG6 (ODP) on various aspects of OSI security, for example on GULS (upper layer security), FTAM security, the access control, confidentiality, non-repudiation, authentication and integrity frameworks (the ITU-T X.800 family of standards) and the OSI management standards. WG1 also worked with:
- ITU-T on DAF, messaging system security (ITU-T X.400), directory security (ITU-T X.500) and ODP security (in conjunction with JTC1/SC21) (liaison officer Prof. Edward Humphreys, UK);
- JTC1/SC6 on the network layer (NLS) and transport layer (TLS) standards for security (liaison officer Jim Long, UK);
- JTC1/WG3 on the security aspects of Open-EDI standards (liaison officer Pelkonen, Finland);
- JTC1/SC22 on API security and security information objects (liaison officer Prof. Edward Humphreys, UK);
- JTC1/WG18 on multimedia/hypermedia security aspects (liaison officer Prof. Edward Humphreys, UK);
- ECMA on security information objects (liaison officers Kåre Presttun, Norway and Tom Parker, UK).
During the 20 years of its standardisation work WG1 has seen many changes and met many challenges in the market requirements for information and IT security. WG1 has always responded successfully to these challenges, delivering standards that set out for businesses what needs to be done to manage their information and IT security risks and to implement a level of protection for their information and IT system assets. As the work of WG1 expanded (see the pre-ISMS work below) it was decided in 2008 to split the work of the group into two, and so a new working group, WG4, was formed. Under the new arrangements WG1 became fully responsible for all ISMS (information security management system) standards and WG4 responsible for standards dealing with information security management services and applications.
Finally, in May 2009 Dale Johnstone was appointed Vice-Convenor of WG1.
Pre-ISMS Work
- Procedures for the Registration of Crypto Algorithms (IS 9979)
  o Editor Prof. Edward Humphreys (UK)
  o This project was carried over from JTC1/SC20
  o This project was handed over to WG2 in 1997
- Peer Entity Authentication Part 1 General Model (IS 9798 Part 1)
  o Editors Prof. Edward Humphreys (UK), and then John Hopkinson (Canada) and Karen Randell (USA)
  o This project was carried over from JTC1/SC20
  o This project was handed over to WG2 in 1994
- Framework for Key Management
  o Editors Bob Elander (USA) and then Roland Muller (Germany) from 1994
  o This project was handed over to WG2 in 1997
- Specification of TTP services to support the application of digital signatures (ITU-T X.843 | ISO/IEC 15945)
  o Editor Dr. Bertolt Kruger (Germany)
  o This project was handed over to WG4 in 2008
- Guidelines for the use and Management of Trusted Third Parties (ITU-T X.842 | ISO/IEC 14516)
  o Editors Andre Crissonnanche (France), then Maynard Hanscom (Canada) and then Hans Joachim Pelka (Germany)
- IT Intrusion Detection Framework (ISO/IEC 15947)
  o Editor Richard Brackney (USA)
  o This project was incorporated into ISO/IEC 18043 in 2006
  o This project was handed over to WG4 in 2008
- Guidelines for the implementation, management and operation of Intrusion Detection Systems (IDS) (ISO/IEC 18043)
  o Editor Richard Brackney (USA)
  o This project was handed over to WG4 in 2008
- Guidelines for the Management of IT Security (ISO/IEC 13335 Parts 1-5)
  o Part 1 Concepts and Models for ICT Security Management: editor John Hopkinson (Canada) and then Alice Sturgeon (Canada) for the revision
  o Part 2 Managing and Planning IT Security: editors Andre Crissonnanche (France) up to 1994, then Walter Widmer (Switzerland) from 1994, and Jim Long (UK) for the revision of Part 2
  o Part 3 Techniques for Management: editors Hermann Siebert (Germany) up to 1994 and then Angelika Plate (Germany) from 1994
  o Part 4 Baseline Approach: editor Angelika Plate (Germany)
  o The content of these projects was subsumed into parts of the ISO/IEC 2700x family. For example, GMITS-3 was input into the development of ISO/IEC 27005.
  o Part 5 Application of IT Security Services and Techniques: editor Robin Mosses (UK)
  o This project was incorporated into ISO/IEC 18028-1 in 2006
- Security Information Objects for Access Control (ITU-T X.841 | ISO/IEC 15816)
  o Editors Dr Warwick Ford (Canada), then Robert Rosenthal (USA), Noel Nazario (USA), Larry Nelson (USA) and finally Ruaridh Macdonald (UK)
  o This project was handed over to WG4 in 2008
- Network Security (ISO/IEC 18028 Parts 1-5)
  o Part 1 Network Security Management: editors Eric Gheur (Belgium) and Jim Long (UK), and then Robin Mosses (UK)
  o Part 2 Network Security Architecture: editor Richard Keighley (UK)
  o Part 3 Securing Communications between Networks using Security Gateways: editor Joachim Schiette (Germany)
  o Part 4 Remote Access: editor Rolland Muller (Germany)
  o Part 5 Securing Communications across VPNs: editors Jim Long (UK) and Igor Kadoschuk (USA), and then Paul Hanley (UK)
  o These projects were handed over to WG4 in 2008
- Time Stamping
  o Editor Rolland Muller (Germany)
  o This project was handed over to WG2 in 2008
- Information Security Incident Handling (ISO/IEC 18044)
  o Editor Grzegorz Pohorecki (Poland) and then Robin Mosses (UK)
  o This project was handed over to WG4 in 2008
ISMS Work
October 2000 saw the dawn of a new age in information security standards when BS 7799-1 was submitted to ISO/IEC and approved for publication as ISO/IEC 17799 (editor Prof. Edward Humphreys (UK), and for the revision Dr. Angelika Plate (UK) and Dr. Oliver Weissmann (Germany)). This standard was renumbered as ISO/IEC 27002 in 2006. This event in 2000 opened the door to the development of the ISO/IEC 2700x family of information security management standards, which continues to develop, expand and be adopted by business around the world.
Of course the flagship of the ISO/IEC 2700x family is the ISMS requirements standard ISO/IEC 27001 (editor John Snare (Australia)). This standard sets the requirements on which all the other standards in the family build. It is the only standard in ISO/IEC that can be used for third party certification of an organisation's ISMS implementation. Its pedigree is the UK standard BS 7799-2, which became the ISO/IEC 27001 standard in 2005.
ISO/IEC 27002 is a code of practice for information security management and provides a catalogue of security controls. It is used alongside ISO/IEC 27001 in the following way. In establishing an ISMS an organisation needs to carry out a risk assessment in accordance with the requirements specified in ISO/IEC 27001. Once the assessment has been carried out, a system of controls needs to be selected to reduce the set of identified risks. These controls are selected from the catalogue of controls given in Annex A of ISO/IEC 27001, which is a duplicate of the controls given in ISO/IEC 27002. What ISO/IEC 27002 offers in addition to the set of controls is implementation guidance for each control, and this guidance does not appear in Annex A of ISO/IEC 27001.
Both ISO/IEC 27001 and ISO/IEC 27002 are currently undergoing the normal ISO five-year revision process that applies to all ISO/IEC standards. The aim is to make sure that both standards are up to date and continue to meet the needs of business. If there are new business requirements that need to be met, these will be incorporated into the new versions. The revision process is considering contributions from many sources and business sectors to ensure that the next versions of these standards will remain fit for purpose for another five years once published. The current 2005 versions of these standards remain valid until they are replaced by the revised versions, which is likely to be at least 18-24 months down the road.
ISMS Supporting Standards
The other standards in the core of the ISO/IEC 2700x family are:
ISO/IEC 27000 Overview and Vocabulary (editors Dale Johnstone, Kei Harada, Japan and Oliver Weissmann, Germany)
This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.
The ISMS family of standards includes standards that:
The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (relevant parts from Clauses 4, 5 and 7 inclusive) and documents:
a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval; b) the critical activities for the ISMS project; and c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization.
This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can guarantee complete security.
ISMS Accreditation and Auditing Standards
In 2005 the WG1 convenor Edward Humphreys took the next bold step in establishing the ISO/IEC 2700x family on the world stage by holding discussions with IAF and CASCO on the topic of international conformance assessment for ISO/IEC 27001. This resulted in the WG1 convenor setting up a working party with representatives from IETF, CASCO, IAF and EA to consider the adoption of the EA document EA 7/03 as an ISO standard for the accreditation of bodies providing assessment services for ISMS implementations. Over a period of six months the work involved formatting EA 7/03 as an ISO/IEC standard and aligning its text with, and adding to it from, the text of the generic accreditation standard ISO 17021. Once this work was finished the editor Edward Humphreys tabled the document in SC27/WG1 for expert review and comment. The result of all this work was ISO/IEC 27006.
The next stage in the process was the development of ISO/IEC 27007 Guidelines for information security management systems auditing (editors Dr Angelika Plate, UK and Wang Xinjie, China). This work started after discussions between the WG1 Convenor and the TMB groups SAG and JTCG, both of which are responsible for the coordination of requirements and technical aspects of management system standards. This work is being done in collaboration with those involved in the revision of ISO 19011 and ISO 17021-2, both of which address auditor guidance for the generic family of management system standards. Additional input into this work was provided by the ISO 9001 Auditing Practices Group, an informal group of quality management system experts, auditors and practitioners drawn from ISO/TC 176 and the IAF. It has developed a number of guidance papers and presentations that explain the auditing of quality management systems. These reflect the process-based approach that is essential for auditing the requirements of ISO 9001.
A final development in this area is ISO/IEC 27008 Guidance for auditors on information security management systems controls (editor Anders Carlstedt). This provides guidance on reviewing the implementation and operation of controls, including technical compliance checking of information system controls, against an organization's established information security standards.
ISMS Sector Supporting Standards
A new range of standards is being developed that looks at the specific requirements of sectors and applications that are adopting ISO/IEC 27001. These standards, of course, will not replace ISO/IEC 27001, but they supply definitions of additional sector-specific requirements. The current programme of work includes:
ISO/IEC 27010 - for inter-sector communications. This standard considers various security requirements regarding those sectors and organizations involved in national infrastructure. This includes the security of command and control applications such as supervisory control and data acquisition.
ITU-T X.1051 | ISO/IEC 27011 - for telecommunication organizations. Based on ISO/IEC 27002, this standard was jointly published by ITU-T and ISO/IEC in 2008.
ISO/IEC 27013 - integrating ISO/IEC 20000-1 and ISO/IEC 27001. This standard provides guidance to organizations that wish to integrate their IT service management and information security management systems to take advantage of the common elements of these two standards. For example, they can combine documentation systems, incident handling systems, and secure service delivery, monitoring and review processes.
ISO/IEC 27014 - information security governance framework. This standard supports the information security aspect of a corporate governance framework. ISO/IEC 27001 is an ideal information security framework as it includes the three key elements of governance: risk management, a system of controls and an auditing function.
ISO/IEC 27015 - for the financial and insurance services sector. This standard addresses the specific requirements of those organizations in the financial and insurance sectors that are adopting ISO/IEC 27001.
ISMS Future Work
There are many areas of ISMS standardisation still to be addressed. One particular topic, which is likely to become a project in the not too distant future, is information security management - organizational economics. This project will aim to provide advice, guidance and economic approaches for management consideration in the context of information security, informing management of the business rationale for the efficient allocation of finite resources, e.g. expenditure, to the protection of information assets, including an understanding of the behaviour of the human threat actors.
Other possible areas of ISMS standards development could include:
- ISMS Guidelines on Security and Human Resources
- ISMS Guidelines for Business Processes
- ISMS Guidelines for Management and Security Reviews
- ISMS for the transportation sector
- ISMS for the energy sector
ISO/IEC 27005 and Risk Management
Anders Carlstedt, Co-editor of ISO/IEC 27005
Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level. Risk management is defined as "coordinated activities to direct and control an organization with regard to risk" and information security risk as "effect of information security uncertainty on objectives". ISO/IEC 27005 was developed and designed to assist organizations with the satisfactory implementation of information security based on a risk management approach. It provides guidelines for information security risk management supporting the general concepts specified in ISO/IEC 27001.
A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization's environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and to the ongoing operation of an ISMS.
ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS shall be risk based. The application of an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organization. The organization should use whatever approach best suits its circumstances for each specific application of the process. In an ISMS, establishing the context, risk assessment, developing a risk treatment plan and risk acceptance are all part of the "plan" phase. In the "do" phase of the ISMS, the actions and controls required to reduce the risk to an acceptable level are implemented according to the risk treatment plan. In the "check" phase of the ISMS, managers determine the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the "act" phase, any actions required, including additional application of the information security risk management process, are performed.
Information security risk management should be a continual process. The process should establish the context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions. The information security risk management process can be applied to the organization as a whole, to any discrete part of the organization (e.g. a department, a physical location, a service), to any information system, existing or planned, or to particular aspects of control (e.g. business continuity planning). The standard contains a description of the information security risk management process and its activities: context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review.
Figure 1 Information security risk management process
The context is established first. Then a risk assessment is conducted. If this provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment with revised context (e.g. risk evaluation criteria, risk acceptance criteria or impact criteria) is conducted, possibly on limited parts of the total scope (see ISO/IEC 27005 Figure 1, Risk Decision Point 1, above). An iterative approach to conducting risk assessment can increase the depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls, while still ensuring that high risks are appropriately assessed.
The effectiveness of the risk treatment depends on the results of the risk assessment. It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation another iteration of the risk assessment with changed context parameters (e.g. risk assessment, risk acceptance or impact criteria) may be required, followed by further risk treatment (see Figure 1, Risk Decision Point 2). Risk treatment options should be selected based on the outcome of the risk assessment, the expected cost of implementing these options and the expected benefits from them. ISO/IEC 27005 Figure 2, below, illustrates the risk treatment activity within the information security risk management process as presented in Figure 1.
Figure 2 The risk treatment activity
When large reductions in risk may be obtained with relatively low expenditure, such options should be implemented. Further options for improvement may be uneconomic and judgement needs to be exercised as to whether they are justifiable. In general, the adverse consequences of risks should be made as low as reasonably practicable and irrespective of any absolute criteria. Managers should consider rare but severe risks. In such cases, controls that are not justifiable on strictly economic grounds may need to be implemented (for example, business continuity controls considered to cover specific high risks).
The four options for risk treatment are not mutually exclusive. Sometimes the organization can benefit substantially from a combination of options such as reducing the likelihood of risks, reducing their consequences, and sharing or retaining any residual risks. Some risk treatments can effectively address more than one risk (e.g. information security training and awareness). A risk treatment plan should be defined which clearly identifies the priority order in which individual risk treatments should be implemented and their timeframes. Priorities can be established using various techniques, including risk ranking and cost-benefit analysis. It is the responsibility of the organization's managers to decide the balance between the costs of implementing controls and the budget assignment.
The identification of existing controls may determine that existing controls exceed current needs, in terms of cost comparisons, including maintenance. If removing redundant or unnecessary controls is considered (especially if the controls have high maintenance costs), information security and cost factors should be taken into account. Since controls may influence each other, removing redundant controls might reduce the overall security in place. In addition, it may be cheaper to leave redundant or unnecessary controls in place than to remove them.
Risk treatment options should be considered taking into account: how risk is perceived by affected parties; and the most appropriate ways to communicate with those parties. Context establishment provides information on legal and regulatory requirements with which the organization needs to comply. The risk to organizations is failure to comply, and treatment options to limit this possibility should be implemented. All constraints - organizational, technical, structural etc. - that are identified during the context establishment activity should be taken into account during the risk treatment.
Once the risk treatment plan has been defined, residual risks need to be determined. This involves an update or re-iteration of the risk assessment, taking into account the expected effects of the proposed risk treatment. Should the residual risk still not meet the organization's risk acceptance criteria, a further iteration of risk treatment may be necessary before proceeding to risk acceptance. More information can be found in ISO/IEC 27002. The risk acceptance activity has to ensure that residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost.
During the whole information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the treatment of the risks, information about identified risks can be very valuable for managing incidents and may help to reduce potential damage. Awareness by managers and staff of the risks, of the nature of the controls in place to mitigate the risks and of the areas of concern to the organization assists in dealing with incidents and unexpected events in the most effective manner.
The detailed results of every activity of the information security risk management process and from the two risk decision points should be documented. The information security risk management process can be iterative not only for risk assessment but also for risk treatment activities. Information security risk management should contribute to the following:
- Risks being identified
- Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence
- The likelihood and consequences of these risks being communicated and understood
- A priority order for risk treatment being established
- Priority for actions to reduce risks occurring
- Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
- Effectiveness of risk treatment monitoring
- Risks and the risk management process being monitored and reviewed regularly
- Information being captured to improve the risk management approach
- Managers and staff being educated about the risks and the actions taken to mitigate them
The annexes of ISO/IEC 27005 include further information on areas such as context establishment, identification and valuation of assets and impact assessments, threats and vulnerabilities, and provide examples of information security risk assessment approaches and constraints for risk reduction. This standard is currently subject to a minor revision in order to align its content with ISO 31000 on Risk Management.
Could maturity help risk management?
Towards a step by step information security risk management improvement
Matthieu GRALL, ISO/JTC1/SC27/WG1 & WG5 member, ISO/IEC 27001 co-editor.

Introduction
Information security risk management has been defined by ISO/JTC1/SC27/WG1 in [ISO 27005]. Its activities are described as sub-processes: context establishment, information security risk assessment, information security risk treatment, information security risk acceptance, information security risk communication, information security risk monitoring and review. These activities rely on the management process and deal with all primary assets (information and business processes) and all supporting assets (systems, organizations, sites, etc.). But not everyone is able to implement it, because their maturity is not high enough. They need practical tools or consultancy services.
ISO/JTC1/SC27/WG3 has published [ISO 21827]. It describes a capability and maturity model (SSE-CMM), which defines "cumulative" capability levels. Each of them represents the way an organization performs, controls, maintains and monitors a process. Achieving a level assumes that the previous one has already been reached: level 1 - Performed informally, level 2 - Planned and tracked, level 3 - Well defined, level 4 - Quantitatively controlled, level 5 - Continuously improving. This model could easily be applied to each process involved in an information security management system (ISMS), as defined in [ISO 27001]. Concerning risk management, many of the SSE-CMM process areas are involved (PA02 Assess Impact, PA03 Assess Security Risk, PA04 Assess Threat, PA05 Assess Vulnerability, etc.). But these processes are not fully compliant with those defined in [ISO 27005]. Moreover, [ISO 21827] doesn't explain how to reach each level, nor whether the highest level is required. So, why not use these concepts in order to improve risk management with a practical step by step approach?
The principle is the following: information security has to be managed in line with the organization's stakes. Low stakes do not require information security to be managed as rigorously as high stakes do. This statement, seemingly simple, is a challenge if you want to answer it simply, without huge investments. Inspired by [ISO 21827], the approach uses pragmatic questions. It aims at quickly identifying stakes, measuring the gap between what should be done and what is done, and explaining the actions to be implemented to manage information security properly.

What is the appropriate level?
Question: Do I really need to reach the highest maturity level to do risk management?
Answer: Maybe you don't even need to reach the highest level. It depends on the stakes you face. The higher they are, the higher your maturity level should be.
Knowing the adequate capability level is the first stage of the approach. This should be conducted by the authority in charge of the ISMS. The "right" capability level for risk management is not the highest, but the appropriate level in terms of operational requirements and threats to the information system.
The stakes are related to the global level of risk. They can be assessed with a short questionnaire which addresses:
- the consequences, based on the potential impacts of information security risks,
- the likelihood, based on the threat sources' capabilities and the level of vulnerability.

Consequences assessment
What could happen if availability, integrity or confidentiality of some of the primary assets (information and business processes) is lost? Use the following table to get the worst level of consequences of information security risks (the cells chosen in the worked example are marked "(example)"):
| Level of consequences | Impacts on business (mission, decision-making abilities, etc.) | Human impacts (safety, social ties, etc.) | Impacts on assets (financial, image, etc.) | Other impacts (legal, non-compliance, environment, etc.) |
|---|---|---|---|---|
| 1. Negligible | Activity disrupted for a very short period of time | A person was nearly injured, or minor personal dissatisfaction (example) | Very low financial loss or negative word of mouth | Threats of legal prosecution, no action (example) |
| 2. Significant (example) | Activity disrupted, or inability to make decisions, for one day (example) | Injury to a person, or major personal dissatisfaction | Loss of less than 15% of sales, or negative buzz marketing (example) | Legal prosecution and fine, or non-compliance with an internal standard |
| 3. Important | Activity disrupted or stopped, or inability to make decisions, for a few days | A person was nearly killed, or minor strike | Loss of 15-30% of sales, or mention in a media | Legal prosecution and sentence for an offense, or non-compliance with an external standard, or minor environmental damage |
| 4. Catastrophic | Activity stopped, or inability to make decisions, for more than a week | Death of one or more persons, or major strike | Loss greater than 30% of sales, or article in the press | Legal prosecution and sentence for a crime, or non-compliance with a legal standard, or major environmental damage |
Likelihood assessment
How important is the threat sources' (1) capacity (2)? Use the following list to choose the most appropriate level of threat sources' capacity:
1. Negligible capacity
2. Low capacity
3. Substantial capacity (example)
4. Unlimited capacity
How important are the supporting assets' vulnerabilities (intrinsic properties which can be exploited by threat sources)? Use the following list to choose the most appropriate level of vulnerability of the information system:
1. Closed, simple and stable
2. Not totally closed, simple or stable
3. Relatively open (interconnected), complex and changing (example)
4. Widely open, complex and changing
How likely is a risk? Use the following table to get the likelihood of information security risks:
(1) Things, persons or organizations that could be at the origin of a threat.
(2) Skills, time, money, closeness to the information system, attractiveness of assets.

From the global risk assessment to the appropriate level
What is the appropriate capability level? Use the following table to get the appropriate level, depending on the global level of risk (consequences and likelihood):
Appropriate capability level (rows: consequences; columns: likelihood)

| Consequences \ Likelihood | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| 4 | 3. Well defined | 4. Quantitatively controlled | 5. Continuously improving | 5. Continuously improving |
| 3 | 2. Planned and tracked | 3. Well defined | 4. Quantitatively controlled | 5. Continuously improving |
| 2 | 1. Performed informally | 2. Planned and tracked | 3. Well defined (example) | 4. Quantitatively controlled |
| 1 | 1. Performed informally | 1. Performed informally | 2. Planned and tracked | 3. Well defined |
What is the actual level?
Question: We have been told that we should "implement" [ISO 27005]. But we have lost a lot of time and money, trying to reorganize steps and to create practical tools, without success! Is this a problem of maturity?
Answer: It is a problem of understanding what standards are: the generic risk management process is described in [ISO 31000], and information security specific recommendations for risk management are given in [ISO 27005], which is absolutely and deliberately not a method. It describes a process, not procedures. So, it is quite obvious that you can't "implement" it. Many practical, organized and coherent methods exist to do that, such as [EBIOS] (France), [CRAMM] (UK), [ITBPM] (Germany), [MAGERIT] (Spain), [AS-NZS 4360] (Australia and New Zealand).

Estimation of the actual capability level gives a "snapshot" of the level actually achieved. This should be conducted by the information security risk management process owner. He has to identify the level which fits the way the process is actually carried out. His responses reflect his perception of how it is currently managed. If all points of the description are not met, then the level is not reached.
Use the following table to estimate the actual capability level:
| Requirements for achieving a level | Done |
|---|---|
| Capability level 1 - Informal practices: a few isolated actions | |
| Actions are performed by using basic practices. | Yes |
| Capability level 2 - Repeatable and followed practices: repeatable actions | |
| The actions are planned. | Yes |
| The actions are performed by a person who has expertise in information security. | Yes |
| Some practices are formalized, which allows copying and reuse (possibly by another person). | Yes |
| Qualitative measurements are made (simple indicators for results). The competent authorities are kept informed of such measures. | Yes |
| Capability level 3 - Defined process: the standardization of practices | |
| The actions are performed according to a defined process (e.g. adaptation to the context, use of a method), standardized (common to the entire organization) and formalized (existence of documentation). | |
| Those carrying out such actions have appropriate expertise in the process. | Yes |
| The organization supports the process and provides resources, tools and training necessary for its operation. | Yes |
| The process is well understood both by management and by the performers. | |
| Capability level 4 - Controlled process: the quantitative measurement | |
| The process is coordinated throughout the ISMS and for each execution. | |
| Quantitative measurements are regularly performed (in terms of performance). | |
| The measurements (qualitative and quantitative indicators) are analyzed. | |
| Improvements are made to the process from the analysis of measurements. | |
| Capability level 5 - Optimized process: continuous improvement | |
| The process is dynamically adapted to the situation. | |
| The analysis of measurements is defined, standardized and formalized. | |
| The improvement process is defined, standardized and formalized. | |
| The evolution of the process is logged. | |
| Level reached | Level 1 (example) |

How to reach the appropriate level from the actual level?
Question: We are interested in information security risk management, but we don't feel ready for such a huge issue. How should we begin?
Answer: Indeed, you can't change everything in the organization from nothing. You should improve your maturity level step by step.
To improve the actual level and reach the appropriate one, the organization will gradually have to change its practices.
The principle is to start from the lowest unachieved level, to plan and implement a series of actions, and then to repeat the operation until the appropriate capability level is achieved. Indeed, the capability scale is cumulative: reaching a level requires prior achievement of the previous level.
Necessary actions have to be planned in order to ensure that the process meets the requirements of the targeted level (actions, persons in charge, deliverables, resources, schedule, etc.). The organization should also provide a stable period of time between each step to give the process the ability to adapt to the new way of operating.
Thus, the actual capability level will gradually move up to converge with the appropriate level. This approach will achieve visible results and quick gains.

Conclusion
This cost-effective method helps to define, simply and quickly, necessary and sufficient practices for information security risk management. In addition, the ease of positioning and the benchmarking approach make it a marketing tool, perfectly suited for communication with CEOs, senior management, CISOs, and those with an interest in implementing, using and auditing against the SC27 standards. Finally, the approach provides the basic elements for the development of a strategic plan or an information security policy, the establishment of an ISMS, and the integration of information security into projects.
This article shows that, in the future, [ISO 21827] should be perfectly aligned with [ISO 27001] and [ISO 27005], even if the two standards are not managed by the same working group in SC 27 (WG1 and WG3). The relation between ISMS requirements and the process areas described in [ISO 21827] should also be explained, in order to improve global information security governance.

References
[AS-NZS 4360] AS/NZS 4360 - Risk Management, Australian/New Zealand Standard (2004).
[CRAMM] CCTA Risk Analysis and Management Method, version 5, Siemens.
[EBIOS] Expression des Besoins et Identification des Objectifs de Sécurité, Agence nationale de la sécurité des systèmes d'information (2010).
[ISO 21827] ISO/IEC 21827:2008 - Information technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM).
[ISO 27001] ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.
[ISO 27005] ISO/IEC 27005:2008 - Information technology - Security techniques - Information security risk management.
[ISO 31000] ISO 31000:2009 - Risk management - Principles and guidelines.
[ITBPM] BSI-Standard 100-3: Risk Analysis based on IT-Grundschutz, Bundesamt für Sicherheit in der Informationstechnik (2008).
[MAGERIT] Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información, version 2, Ministerio de Administraciones Públicas (2006).
The two best selling and most successful standards on information security that ISO/IEC has ever published are ISO/IEC 27001 and ISO/IEC 27002. This article explains the history of events that led to this remarkable international success story and of the one man, Edward (Ted) Humphreys, 'the father of ISMS' (5), who has not only been involved in this process as author of the standards and accreditation criteria, but from the very start has also been both a UK and an international ambassador for the promotion of these standards. In his own words, 'ISO/IEC 27001 and ISO/IEC 27002 represent a common language for organisations to show they are fit-for-purpose to do their own business securely and also to securely trade with others'. He also advocated that 'the ISMS standards ISO/IEC 27001 and ISO/IEC 27002 (and previously BS 7799-1 and BS 7799-2) are a journey not a destination', by which he meant that they will continue to evolve along a path traced by evolving business needs: the standards will always be the 'state-of-the-art' best practice for protecting against today's and tomorrow's threat environment.
The evidence of the success of these standards is to be seen everywhere around the globe, for example hi-tech industries in Japan, high finance in Europe, the Middle East and the Far East, national utilities, international telecoms, supply chains, outsourcing companies, international port authorities, heavy and light manufacturing industry, through to tin mines in South America and the management of souqs in the Middle East; in fact almost all business sectors, as well as governments, research organisations and institutions, and charities. All those companies that have been enlightened by the fact that business profits are linked to how well they protect their critical assets have taken to adopting ISO/IEC 27001 and ISO/IEC 27002. In fact ISO/IEC 27001 has become the 'common language and benchmark' for business security.
(3) This is an extended summary of the longer 50 page article titled The Father of ISMS Standards, published in March 2009. The information for this article has been kindly donated by various government sources in the UK and across the globe, from accreditation and certification bodies, from national standards bodies and standards developers, and from ISMS users.
(4) Independent consultant in the field of information security and standards. Roles have included advisor to UK government, UN working parties, European Commission, OECD and International Chambers of Commerce.
(5) In this article 'Ted Humphreys', 'the father of ISMS' and 'pater ISMS' will be used interchangeably.

The full story has its good times and its bad times. The good times were the series of successful events due in part to the significant breakthroughs that were made along the way, as well as the various honours and industry awards that were bestowed on 'the father of ISMS'. The bad times included the refusal of the ISO community to recognise the importance of ISMS standards, as was demonstrated in the disapproval of BS 7799-1 in 1996. Some well-known organisations and their CEOs in the USA and Europe, associated with corporate security user groups, said things such as 'the ISO security community is not yet mature enough to get to grips with the requirements of modern business needs for information security and that it would probably take at least another 5 years for them to catch up and see the light' (6) and 'the UK has produced a winner of a standard which many corporations need - it is a shame that ISO security experts are so far behind the times and have taken a 'not invented here' attitude depriving business of what they need' (7). These seem awful indictments to make, but the fact is that it was not until 2000 that ISO partially succeeded in recognising the importance of ISMS, whilst businesses worldwide were crying out for these standards: the market could not get enough of ISMS standards.
I have referred to many breakthroughs, which shaped the philosophy and paradigms for ISMS security as we know it today. Here are some that 'the father of ISMS' succeeded in developing and introducing: (i) the notion of risk management as a critical element in establishing and maintaining an ISMS, (ii) the process paradigm, (iii) the criteria for accreditation of bodies that could undertake ISMS audits and (iv) international certification.
What follows are the highlights of the various stages of ISMS standards and certification development. The full article mentioned in the footnote gives a detailed narrative of these stages.
Let's Start at the Beginning (late 80s)
We need to go back to the late 1980s to trace one of the sources of this development. So let's start with the I-4 (International Information Integrity Institute), a 'club' of multi-client organisations from around the world, which met at the SRI (Stanford Research Institute) offices based at the University of California, Stanford. This 'club', established by the internationally recognised
(6) Mark Johnson, CEO of one of the top 100 companies in the USA, speaking at a corporate USA conference in Florida in 1997.
(7) John Nightingale, Director of Corporate Security, speaking at an industry-wide US hearing in Washington, May 1997. Both these statements (1) and (5) are from a collection of over 100 such statements expressing disappointment at ISO.

security guru Donn Parker in 1985, was an influential force of preeminent information security expertise from around the world, which met to discuss and progress many significant ideas on information security as well as researching these ideas for the benefit of multi-client organisations. One of the ideas that I-4 did research on was that of 'baseline controls'. This involved engaging organisations around the world to consider which security controls they currently deployed that provided a baseline of protection across their business activities. Once I-4 received feedback from these organisations they published a report of those baseline controls that were common to all organisations. Ted Humphreys (working at BT in the UK at the time) and Clive Blatchford (from ICL, UK), as well as representatives from Royal Dutch Shell (The Netherlands), were the main European players in this development. European contributions to this work were quite significant, especially the work of Ted Humphreys, whose vision of a UK standard in this area started to be formulated at this time. Other players active in this work were many leading companies and banks in the USA, who also added many significant contributions on what corporations and multi-client organisations need to manage their businesses.
After this I-4 development the topic of 'baseline security controls' became fashionable amongst multinational organisations as well as a number of government departments in the USA, the Netherlands and the UK (DTI), who took on board similar ideas. The I-4 work, together with the support and enthusiasm of the DTI and many UK experts, was the driver that spurred Ted Humphreys, pater ISMS, on to author ISMS standards and many parts of the ISMS meta-standards infrastructure, and to achieve what we have today: the ISO/IEC 2700x family of standards and international certification practice.
The Formative Years (1990-1995)
After this I-4 development pater ISMS came back to the UK and went into action; one thing led to another and the ISMS standards work started to grow and flourish.
DTI made a recommendation: 'It is recommended that an accreditation procedure for IT security (similar to the existing ISO 9001 Quality Assurance Standard) is prepared and developed. This will define a baseline set of security standards and will include independent audit of an organisation's security with certification of its trustworthiness.' This recommendation addresses two issues: the need for BS 7799-like standards as well as the need for Common Criteria type standards.

The ISMS Years (1995-1999)
Another activity in this period was the development of a UK accreditation standard specifying the accreditation requirements for bodies operating assessment and certification/registration of organizations' ISMSs based on BS 7799-2. This standard was developed by Ted Humphreys under contract to DTI, working with Roger Brockway of UKAS, and was then used by UKAS to accredit certification bodies in the UK and other parts of the world: 20 accredited certification bodies by the end of 2000. Today this number has increased to 105, involving many more national accreditation bodies from Europe, North America, Australia and Asia. This UKAS accreditation standard was then published by EA, the European body responsible for accreditation standards, as EA 7/03; this then made its way into ISO/IEC in 2006 and became ISO/IEC 27006. In addition, this time under contract to IRCA, Ted Humphreys developed the scheme for certificated ISMS auditors.

ISMS User Groups and the ISMS Certificate Register (1998-2010)
Once BS 7799-1 and BS 7799-2 were gaining in popularity, not only in the UK but around the globe, it was soon realised that it would be beneficial to establish an international ISMS User Group. With the support of the DTI, Ted Humphreys founded such a group in 1998 and at the same time established an on-line Register of ISMS certificates, both of which are still in operation today. The International ISMS User Group grew rapidly and today there are local Chapters established in countries such as Australia, Brazil, France, Germany, India, Italy, Japan, Spain, Sweden and many other parts of the world. Likewise the Register of ISMS certificates grew in popularity and provided a focus for many organisations to go toward certification. The Register of ISMS certificates today can be found at www.iso27001certifcates.com.
The International Years (2000-2010)
In 2000, Ted Humphreys, the Chair of the UK shadow-committee of ISO/IEC JTC1/SC27 (IST/33), achieved consensus to resubmit BS 7799-1 into ISO. This led to the acceptance of BS 7799-1 as ISO/IEC 17799 pending an early revision, which subsequently resulted in a revised version being published in 2005. Also in 2005, BSI, on behalf of the UK shadow-committee of ISO/IEC JTC1/SC27 (IST/33), submitted BS 7799-2. At the same time in 2005 we had the first introduction by the SC27 WG1 convenor (Ted Humphreys) of the 2700x series, by numbering BS 7799-2 as ISO/IEC 27001, to be followed in later years by the renumbering of ISO/IEC 17799 as ISO/IEC 27002 and his subsequent launching of the ISO/IEC 27000-27005 family. Finally in 2007 Ted Humphreys introduced EA 7/03 into WG1, which then became ISO/IEC 27006.

The Cast of UK Actors (1990-2010)
In addition to 'the father of ISMS standards' there have been many important players that have worked with and alongside him in his standards working panels, all of whom have played a role in this story (this is not an exhaustive list):
Standards and certification - Policy and user Requirements: Mike Jones, Nigel Hickson, Geoff Smith, Trudi Sharp, Fatima Madhvi and Pauline Tardoff (DTI), Roger Brockway, Roger Stillman and Jane Beaumont (UKAS), Dennis Willetts (BT), Richard Winsborrow (Sema Group and UKA), Simon Leary (IRCA), John Woulds (Data Protection Registrar circa 2000), Steve Thomas (Head of APACS Security), Chris Sundt (ICL, Chairman of CBI Information Security Panel, BCS ISB), Brian Spence (ABI), John Ivinson (BCS).
Standards (and certification*):
Steve Hill* (Logica), David Lacey (Shell), Dennis Willetts (BT), Geoff Hayes (TSB), Steve Jones (M&S), John Ivinson (BCS), Chris Pooley (ABI), Rob Moulton (Unilever), Richard Winsborrow (Sema Group and UKA), Steve Pomfrett (Nationwide), John Court (Institute of Chartered Accountants), William List* (Chairman of BCS Security), William Whittaker (Lloyds TSB), Maurice Blackman* (DNV), Geoff Brooks* (IRQA), Keith Blackmore* and Roy Rutherford* (BSI Certification), Martin Hogg, Robert Temple and Ian Dean (BT), David Brewer (Gamma), Dick Price, Robert Coles (KPMG), Lesley Roberts (ABI and KPMG), Steve Mathews, Cliff Vaus (CBI), Warren Greaves, Peter Kestell and David Brooks (BSI), Keith Osborne (ICL), Steve Kirk (London Clearing House), Andy Smith, Angelika Plate (Germany) and many others.
ISO Management Systems, January-February 2009

Visiting Professor Edward Humphreys (FH University of Applied Science, Hagenberg, Upper Austria) is Convenor of ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, working group WG 1, Information security management systems. E-mail edwardj7@msn.com

Case studies show value of ISO/IEC 27001 conformity
These testimonials show how three diverse organizations have benefited from implementation and certification of ISO/IEC 27001 information security management systems: a gas processing group in Abu Dhabi, a Norwegian state-owned gaming organization, and India's largest public sector energy infrastructure company.
by Edward Humphreys

Organizations today are required to conform or comply with many different laws and regulations, industry norms and practices, internal auditing standards and matters of corporate governance. ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, has become the benchmark for most information security management system (ISMS) standards and the International Standard for achieving compliance with such requirements. This is because the standard is flexible enough to meet the needs of small, medium-sized and large organizations, with applicability to all business sectors, governments, academic and charitable institutions (see Figure 1, overleaf). The International Standard is ideally suited to meet the needs of information security governance, a key aspect of corporate governance that protects an organization's information assets (see Figure 2). The following are three of many case studies of organizations that have certified to ISO/IEC 27001.

Photo: GASCO headquarters in Abu Dhabi. Web www.gasco.ae
(See also the article Some 4 500 organizations implement ISO/IEC 27001 for information security, ISO Management Systems, July-August 2008.)

Figure 1 ISO/IEC 27001: a flexible benchmark for information management.
Figure 2 ISO/IEC 27001: ideally suited to meet information security governance needs.

1 GASCO Abu Dhabi Gas Industries Ltd. ISO/IEC 27001: The ideal way forward
During the summer of 2008, the IT Division of Abu Dhabi Gas Industries Ltd (GASCO) became the first oil and gas company division in the United Arab Emirates to be certified in accordance with ISO/IEC 27001. The certification was achieved with senior management support, under the leadership of General Manager Mr. Mohammed Sahoo Al Suwaidi, covering implementation of state-of-the-art information security tools. At GASCO, we search for best practices to maintain market leadership, as part of our policy of continual improvement. The increasing need for information exchange and IT, particularly in a climate of threats and vulnerabilities in the sector, underlined the importance of information security management. Since ISO/IEC 27001 is the only globally recognized ISMS standard, and as GASCO is implementing a range of management system standards, certification was the ideal way forward.

External attacks
Over time, we noticed external attacks on the network, internal user errors and a lack of awareness of information security among employees.
by Adel Salem Alkaff. Adel Salem Alkaff is IT Division Manager, GASCO.

Figure 2 (labels recovered from the diagram): Risk management; Audit; Implementing a system of controls; Information security risk management; Implementing a system of security controls; ISMS audits (internal and external); ISO/IEC 27001 and compliance; Business policy, strategy and objectives; Governance (corporate); ISO/IEC 27001 (information security governance); Audit and certification requirements and standards; Governance regulations; Contractual obligations; Laws.

About GASCO
Abu Dhabi Gas Industries Ltd (GASCO) processes natural and associated gas from onshore oil operations in the Emirate of Abu Dhabi. The company was incorporated in 1978 as a joint venture between Abu Dhabi National Oil Company (ADNOC) (68 % shareholding), Shell and Total (15 % each) and Partex (2 %). GASCO was established following the directive of His Highness the late Sheikh Zayed bin Sultan Al Nahyan, President of the United Arab Emirates and Ruler of Abu Dhabi, to utilise Abu Dhabi's significant gas resources, which are converted into a wide range of domestic products exported worldwide.

The company responded by building a qualified information security team to implement incident management, user awareness campaigns, and support best practice standards, such as ISO/IEC 27001 and the Information Technology Infrastructure Library (ITIL). Even though implementing and maintaining an ISMS requires considerable dedication, the system has full management support at GASCO, and we plan further extensions to the scope of the certification.

Enhanced awareness
Implementing ISO/IEC 27001 has led to enhanced information security awareness among employees, improved security operation efficiency, and has helped increase understanding of the need for continual improvement.
'ISO/IEC 27001 is the only globally recognized ISMS standard.'

Our company is now seen as the leader in information security within the Abu Dhabi National Oil Company Group (ADNOC). In addition, going through the certification process helped us establish useful international contacts with our certification body Lloyd's Register Quality Assurance Ltd. (LRQA), and with leading ISMS consultancies around the world.

Norsk Tipping AS: Don't gamble with information security
by Hilde Grunt. Hilde Grunt is Security Advisor, Norsk Tipping.

Photo: ISO/IEC 27001-certified Norsk Tipping is Norway's leading gaming company and member of the World Lottery Association.

State-owned Norsk Tipping, Norway's leading gaming company and member of the World Lottery Association (WLA), was certified according to ISO/IEC 27001 in 2008, some 11 years after gaining certification to the Intertoto Security Control Standard (a WLA predecessor). The objective of that earlier certification was to enable members to achieve a common security standard, and provide an approved security framework for those who wished to participate in international lotteries. WLA certification is now a prerequisite for participating in the Viking Lotto, a pan-Nordic numbers game. In 1997, Norsk Tipping became the first organization to be certified according to this standard. Since 1995, the WLA Security Control Standard has been continuously revised by the WLA Security and Risk Management Committee. However, ISO/IEC 27001 has now been added to the general information security controls of the WLA standard. The lottery specific controls relating to lottery draws, instant tickets, handling of prize money, etc., remained unchanged from the old WLA standard. Now, to gain WLA certification, the lottery or gaming company has to conform to both ISO/IEC 27001 and the lottery specific requirements.

Major change
Inclusion of ISO/IEC 27001 was a major change.
The previous WLA standard was an industry standard, and the WLA Security and Risk Management Committee identified the controls needed to deal with lottery risks. Any lottery or gaming company seeking certification had to comply with all the controls in the standard. Compared to ISO/IEC 27001, the industry's former ISMS requirements were much more simplistic. Preparation for certification demanded a new approach and a thorough revision of Norsk Tipping's ISMS. Axel Krogvig, President and CEO of Norsk Tipping, says that ISO/IEC 27001 certification represents a good quality assurance when the objective is to implement a management system to ensure that the company's information security risk is maintained at a defined and acceptable level.

Annual safeguard

"ISO/IEC 27001 certification is an indicator that we are on the right track, and the annual audit is a safeguard to keep us focused throughout the year." Mr. Krogvig emphasizes the importance of maintaining certification as the means of achieving the company's objectives, and not that certification becomes an objective in itself. "There is always a danger that implementing a standard will cause unnecessary bureaucracy and not bring substantial benefit to the organization. More than giving value, the standard can lead a life of its own, justifying any measures needed to keep the certificate hanging on the wall. One must remain focused on the objectives and implement an ISMS that helps the processes to run smoothly and efficiently," says Mr. Krogvig.

Benefits

According to Senior Vice President ICT, Trond Karlsen, ISO/IEC 27001 certification has given Norsk Tipping a common information security language, and this has created a new security awareness throughout the organization. Different departments, such as ICT, sales and security,
now have a common understanding of risk management and refer to the same framework of controls. However, the standard can be a challenge to implement since it is necessary to coordinate ISO/IEC 27001 requirements with numerous other management system requirements confronting the company. Among other benefits, Mr. Karlsen says the standard provides a structured approach to ISMS development and associated controls and documentation. The fact that it is an open standard also allows comparison with other certified companies, regardless of type of business.

Middle management cite periodic audits performed by an accredited body as a principal benefit of ISO/IEC 27001 certification. "The discipline of a third party check on whether we do as we say reminds us not to postpone or forget tasks critical to the core business processes amid the distractions of the daily routine." Another significant benefit mentioned by middle managers is the ISO/IEC 27001 requirement for management to ensure that security is incorporated in the general management processes.

In summary, we believe the key benefit of ISO/IEC 27001 certification is the implementation of an ISMS that prevents information security existing solely in the ICT and security departments, by utilizing external reviews as company-wide quality assurance. Without doubt, ISO/IEC 27001 implementation has enabled us to integrate information security management into managing Norsk Tipping in a way that ensures our business objectives can be met at a defined and agreed level of information security risk.

"ISO/IEC 27001 certification represents a good quality assurance."

About Norsk Tipping

Norsk Tipping, Norway's leading gaming company, is wholly owned by the Norwegian State. Profits are divided equally between the nation's sports and culture sectors. Norsk Tipping is a member of the World Lottery Association (WLA), a global professional association of state lottery and gaming organizations from 76 countries and five continents aimed at advancing the interests of state-authorized lotteries.

Hilde Grunt is responsible for ISMS audits, security awareness and training. She is also Privacy Ombudsman in accordance with the Personal Data Act. She has been active in the revisions and development of the WLA Security Control Standards.

Web www.norsk-tipping.no

Headquarters of ISO/IEC 27001-certified Norsk Tipping in Hamar, Norway.

Bharat Heavy Electricals Limited

A role model for information security management in India

Bharat Heavy Electricals Limited (BHEL), India's largest energy infrastructure engineering and manufacturing enterprise, is the first Indian public sector organization to have achieved the distinction of ISO/IEC 27001 certification. The organization was audited and certified by the Standardization, Testing and Quality Certification (STQC) Directorate, part of the Department of Information Technology of the Ministry of Communication and Information Technology at the Government of India. STQC has received international recognition of its ISMS certification scheme following accreditation by the Dutch Council for Accreditation (Raad voor Accreditatie, RvA), and is the first Indian accredited certification body in the country, and outside the United Kingdom and Netherlands, to have done so.

BHEL generates, transmits and maintains a huge amount of design, engineering and manufacturing data both in electronic form and on paper. With the entrenchment of IT in core business processes, more and more of that data is now stored on electronic media during the entire information lifecycle.
Since this information is the lifeline of BHEL's entire business operations, its availability, confidentiality and integrity are critical for the survival of the company.

Threats and vulnerabilities

Extranet connectivity provides communication outside the organization and vice-versa, enabling BHEL to talk with suppliers, partners, vendors and customers, and importantly, connecting back into legacy systems where critical corporate information lies. Information security had always been important, but it was not given a particularly high priority because there had been no serious security incidents. However, threats and vulnerabilities have increased with extranet connectivity.

by Arvind Kumar

Author: Arvind Kumar is Director, Standardization, Testing and Quality Certification Directorate, Department of Information Technology, Government of India. E-mail arvind@mit.gov.in

BHEL top management became aware of the need to enhance information security, and the challenge of implementing an ISMS was assigned to its IT fraternity. Corporate information technology was the driver for corporation-wide implementation. The information technology network at BHEL consists of strong IT groups at all major locations. These groups oversee the local IT infrastructure and work to meet all the IT needs of their parent units. The corporate group looks after corporate office IT requirements and also provides direction to the company's entire IT infrastructure.

About BHEL

M/S Bharat Heavy Electricals Limited (BHEL) is the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure sector with a network of 14 manufacturing divisions, four power sector regional centres, over 100 project sites, eight service centres and 18 regional offices.
The company manufactures over 180 products under 30 major product groups and caters to the core power generation and transmission, industry, transportation, telecommunication and renewable energy sectors of the Indian economy.

Headquarters of ISO/IEC 27001-certified Bharat Heavy Electricals Limited in New Delhi, India.

Web www.bhel.com

Internal capability building

Since BHEL aspired to a fairly high level of maturity for information security, the company considered the merits of employing the services of an external partner to guide it through the initial phase of ISMS implementation. BHEL selected the IT services of STQC, since we were well known for providing professional training and services in information security. STQC was required to train BHEL personnel in the different aspects of information security (network and system security, and ISMS) and also to help in building up the capability needed to implement an ISMS.

The management decided that, although those external services were required at the outset, the company should build its own internal capabilities for the entire ISMS implementation process. They felt that internal resources should be developed because information security implementation is not a once-only event, but a continuous process. Requirements change along with changes in technology and business needs. This internal capability building proved to be a major boost to its ISMS implementation.

Starting point

BHEL's operations extend over the entire country, with function and practice differing from one location to another. As such, it was clear that BHEL could not apply for corporate certification, and that the whole company could not be covered as a single entity. Since most of the information is generated by the manufacturing units and power sector regions, it was in those areas that we decided to implement the ISMS first.
Fourteen major locations were identified and divided into two phases of seven each. The best practices of each unit were identified, and an information security policy was formulated and issued at corporate level.

Successful implementation

From STQC guidance and internal meetings, the following requirements for successful ISMS implementation were developed:

Gaining top management involvement at the units by setting up a structured network of committees and sub-committees. This was necessary to achieve full awareness of requirements and resources. Clearly, no organization-wide initiative can succeed without the involvement of senior managers.

Developing employee awareness of their role in information security through education. Ease-of-use versus security is an ongoing security issue for many organizations. It is a balancing act between what the user community wants, and the security policy. Security is only as strong as the weakest link, and the full involvement of employees in the process is essential.

With that aim, specialized training of key personnel was provided at all locations identified for ISMS implementation, covering network and system security, security processes and management, and security audits.

Security forum

BHEL decided to organize a Corporate Information System Security Forum with its Corporate Information System Security Officer (CISSO) as chairman. An Information System Security Officer (ISSO) was identified for each location. All ISSOs are members of the Corporate Information Security Forum. The CISSO's role is to maintain and review information security policy and provide guidance for its implementation.

While the company needed common documentation, differences in local practice were accommodated in customized versions to meet local needs. Hence, BHEL decided to have five levels of documentation. The top level document, setting out the ISMS policy, was finalized jointly with unit IT heads,
approved by the Chairman and Managing Director and issued as the corporate information system security policy. This was applicable to the entire organization without modification. The other four levels (ISMS Manual, ISMS Policies and Guidelines, ISMS Procedures and ISMS Formats) could be customized by the locations concerned. All reviews and modifications to the ISMS documentation became the responsibility of the unit level security forums.

Role model

As a result of these planning and implementation processes, BHEL became the first Indian public sector company to implement and certify an ISMS in conformity to ISO/IEC 27001, covering 13 units and the corporate IT department. Information security is now a part of every key business process. Management confidence in, and expectations of, the IT groups have increased many times. This has not only improved the risk management and contingency planning associated with information resources, but has also enhanced customer and stakeholder confidence.

From our point of view as the certification body, it was a challenge to certify one of the premium public sector organizations in the country, with such a diverse range of products catering to the core sectors of the Indian economy. Since ISO/IEC 27001 certification there has been a substantial improvement in the security management approach at BHEL. The company has become a role model for other public sector organizations in India under the national e-governance initiative to protect the critical infrastructure of the country.

Service management with a smile of confidence

by Jenny Dugmore, Convenor, ISO/IEC JTC 1/SC 7/WG 25, IT Service management, and Ted Humphreys, Convenor, ISO/IEC JTC 1/SC 27/WG 1, Information security management systems

We hear of business having global reach.
The subjects of two International Standards, service management and information security, amply highlight that fact: both are mutually dependent, and both are key to modern business performing effectively in today's global economy. That is why the synergy between the two ISO standards which respectively address these issues has generated considerable interest. Indeed, ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, and ISO/IEC 20000-1:2005, Information technology - Service management - Part 1: Specification, complement one another in important ways. This article looks at these standards with an eye toward capturing what makes them important for business success and why together they constitute a matching set of operational tools for business.

Information security management

Many organizations rely on a complex supply chain and have outsourced a wide range of services, processes and facilities to external suppliers. Conversely, many organizations are offering services to clients and business partners. Wherever such arrangements exist, information is going to be accessed, shared and processed. Organizations manage information at different levels of sensitivity and criticality, and this information is subject to a range of threats and risks. In short, information security is a fundamental part of the management and delivery of services.

The ISO/IEC 27001 standard provides a specification for organizations to develop an information security management system (ISMS). This enables them to establish, implement, deploy, monitor, review, maintain and improve an ISMS to meet the needs of their business. Although this article looks specifically at the service industry, the standard is being used across all market sectors.

ISO/IEC 27001 deploys the same process model as other management systems, including ISO/IEC 20000-1. The four phases specific to information security are shown in Figure 1. This continual improvement model aims to ensure that information security management continues to be effective through use of an appropriate system of security controls, risk assessments and measurements.

Figure 1 - The phases of information security: Design ISMS; Implement and deploy ISMS; Monitor and review ISMS; Maintain and improve ISMS.

ISO Focus, May 2008

Company officers are accountable

ISO/IEC 27001 requires organizations to ensure that they assess the risks of their supply chain when using external services and engaging with external service providers. Even though an organization might transfer responsibility for information processing to another party via an outsourcing contract, the organization is still fully accountable for the protection of the information. The contract might delegate operational responsibility for this protection, but the CEO and directors of the organization will ultimately be held accountable in the event of a major breach. These officers are at the top of the ladder of responsibility to the company board, shareholders, clients and customers.

The ISO/IEC 27001 standard also considers what security provisions should be included in contracts and service level agreements, based on identified risks. In addition to these requirements, both the organization and its suppliers can implement specified information security controls. For example, the use of effective information security incident procedures enables the provider to report back to the organization any potential security breaches that have occurred. Used in a timely and proper manner, such procedures can avert losses, damage or harm to the organization's information assets.

Another important issue is information sharing, processing, distribution and destruction. The supplier might be handling a range of different types of information on behalf of its clients, such as personal data, customer details, financial data, confidential reports and other sensitive information. The supplier is responsible for protecting this information against unauthorized disclosure, modification or deletion, and for ensuring its availability when the client needs access. The controls in ISO/IEC 27001 mean organizations establish an effective information processing system, which preserves the confidentiality, integrity and availability of client information. These controls provide coverage for both electronic and paper-based information systems, which can include information conveyed via voice, in written, typed or printed form, through multimedia technology, by e-mail, fax, SMS or Web sites, shared by memory devices, and by other means. The controls range from management policies and technological controls through to regulation and legislative controls.

Insider threats

Client information needs to be protected against internal as well as external threats. Recent surveys, reports and research show that a significant percentage of information security breaches are caused by the insider threat, both accidental and intentional. Employees and managers have privileges and access rights, presenting insiders with more opportunities and placing them in a position to compromise a client's information. Effective access control policy is essential and should cover both the external and the internal risks to the organization's information assets. ISO/IEC 27001 defines access control at different levels, namely, information and applications, network services and operating system software.

As this short overview illustrates, an organization needs to consider many aspects of information security when deciding to engage a service provider to process its information assets. Combining the information security controls from ISO/IEC 27001 with a service management system based on ISO/IEC 20000 gives management the best of both worlds: a set of tools for minimizing and managing information security risks, while maximizing business opportunities and service performance, and at the same time ensuring business continuity. So what does ISO/IEC 20000 have to offer from a service management perspective?

Service management

As we all know from our own experiences as customers, a good service is a huge benefit to customers, and a bad service can trigger any number of difficulties. We all remember a bad service for far longer than a good one, and rightly so! We believe that as customers we should be able to rely on good service, whether we are catching a train or shopping for food. But service, which is actually very difficult to define, is not just about how an individual customer or client is affected. Good service is the result of efficient, effective and timely actions, many of which may be completely invisible to users of the service.

A serious security breach can cause acute problems, especially for accountable parties, but a bad service can incur long-term chronic difficulties. To deliver a good service requires clear direction from the highest level of management, not a view that service is "what the junior people do". Managers must be accountable for service just as they are accountable for security. Service providers must also have an agile and risk-averse approach to meeting rapid changes in customer needs, while maintaining good control of their own suppliers. Here, technology plays an important part.

ISO/IEC 20000 can be traced back to a code of practice published in the UK in 1995, at a time when the IT industry was becoming more aware of the importance of good service, and that IT was, in fact, not just about assembling the right hardware and software. The code of practice evolved into its current two parts of conformity requirements. ISO/IEC 20000-2:2005, Information technology - Service management - Part 2: Code of practice, continues to provide guidance on "how to", with a wider scope and greater maturity, keeping pace as the service management industry itself matured.

About the authors

Dr. Jenny Dugmore is Director of Service Matters, a service management consultancy company. Her career spans operational senior management, service management and consultancy. Dr. Dugmore chairs the BSI committee that produced BS 15000, on which ISO/IEC 20000 was based. She was the Project Editor for the drafting of ISO/IEC 20000, and is now Convenor of the working group responsible for ISO/IEC 20000. Dr. Dugmore is on the itSMF's ISO/IEC 20000 Certification Management Board and on the UK Government's ITIL Refresh Management Board. In 2005 itSMF awarded her the Paul Rappaport Lifetime Achievement Award for her contribution to service management.

Professor Ted Humphreys has been leading the United Kingdom's activities regarding the ISO/IEC 27000 family of ISMS standards and the UK standards BS 7799 Parts 1 and 2 (which later became ISO/IEC 27001 and ISO/IEC 27002) since 1990. He is also responsible for many of the ISMS accreditation and certification activities as well as producing the standard EA 7/03. He is an ISMS consultant providing advice to organizations around the world. He is also founder and Director of the ISMS International User Group, which promotes the global use of the ISO/IEC 27000 family of ISMS standards.

Figure 2 - The context of the ISO/IEC 20000 series (labels: Management system standards; Service management, ISO/IEC 20000 series; Quality management, ISO 9000 series; IT security, ISO/IEC 27000 series; ITIL; COBIT; Governance standards; Terms; Software and systems engineering (process reference and process assessment); Process assessment model (SPICE), ISO/IEC 15504; S/W Asset management (SAM), ISO/IEC 19770; Systems engineering, ISO/IEC 15288; S/W Reference model, ISO/IEC 12207; ISO 9001 for S/W, ISO/IEC 90003).

Wide applicability

ISO/IEC 27001 is not just about risk management and assuring business continuity, and ISO/IEC 20000 is not just about customer satisfaction. Keeping a technology-based service going can easily amount to 80 % of the total lifetime cost of owning a system, even if the cost of security breaches is ignored. Improvements can reduce the cost of a service while increasing the quality of the service. Although technology is part of service management, a common theme in ISO/IEC 20000 is what people do and "how they can do it better". Requirements range from management accountability and commitment to service, continual improvements, and low-risk operational and service changes, through to building up knowledge by ensuring all customer requests are logged. Many of the ISO/IEC 20000-1 requirements highlight "what to achieve", giving each service provider flexibility on how to do this, and ensuring wide applicability for ISO/IEC 20000.

Wide applicability is central to the spirit and intent of ISO/IEC 20000. It is directly linked to the characteristics of today's service management industry: a sprawling network of complex supply chains and customer relationships. Few services are now reliant on only one service provider, and very few even are reliant on the activities of a single location. Most involve supply chains that cross national boundaries, languages, specializations and time zones.

Strengthening the relationships

In the same way that the original security standard, BS 7799, was the forerunner of the ISO/IEC 27000 series, the publication of BS 15000 set off a surge of interest and activity in the field of standards for service management. This field spans different groups within ISO/IEC JTC 1/SC 7, Software and systems engineering, but all current activities are linked to the scope and target audience for ISO/IEC 20000-1.

ISO/IEC 20000-1 will continue to be a service management system standard that can be used by itself or in conjunction with standards such as ISO 9001, Quality management systems - Requirements, and ISO/IEC 27001. Substantial progress has been made in reviewing and revising the first edition, with the next version to be discussed at the SC 7 plenary in May 2008. This includes updating and strengthening the relationship between the ISO/IEC 20000 and ISO/IEC 27000 series.

A major review has begun of ISO/IEC 20000-2, which gives guidance on the requirements of ISO/IEC 20000-1. A new document, ISO/IEC 20000-3, on scoping, applicability and conformity assessment under ISO/IEC 20000-1, is also being developed. This will give a detailed and practical explanation of how to define the limits of service management, application of ISO/IEC 20000 and aspects of conformity. It is based on a wide range of supply chain examples for service providers, scoping what they do, who their customers are and what their suppliers do.
The plans for the ISO/IEC 20000 series are influenced by a desire to harmonize standards and to understand the relationships to other methods and frameworks. Anyone who has wondered how all the pieces fit together will realize that this is a far from simple task. Some of the more important relationships for ISO/IEC 20000 are those shown in Figure 2.

In addition, the ISO/IEC 27000 series of guidelines that support ISO/IEC 27001 is being extended to cover many sector-specific and service-related application areas, such as ISMS for e-government services, critical infrastructure services and outsourcing services. Already, ISO/IEC JTC 1/SC 27, IT security techniques, in conjunction with the International Telecommunication Union's Telecommunication Standardization Sector (ITU-T), has prepared a joint standard relating ISMS to telecom services: ISO/IEC 27011, Information technology - Information security management guidelines for telecommunications. Other sector-specific ISMS standards are likely to be developed over the coming years, for example, for financial services and energy management services, among others. All these developments will benefit from the increasing harmonization between the ISO/IEC 27000 series and the ISO/IEC 20000 series.

An incremental approach

Work has commenced on advice for an incremental approach towards achieving the requirements of ISO/IEC 20000-1. This incremental approach, with advice in stages of "what to do first, what to do next", is based on subsets of the full requirements. Figure 3 shows one of several options being considered for the stages. In broad terms, the reactive stage covers the most easily implemented processes or sub-processes, which are usually also the ones that deliver benefits quickly. Examples include the incident management process, which is intended to minimize the impact on the customer's service of a defect, usually by optimizing the speed at which the defect is corrected.
The proactive stage includes processes that may take longer to show benefits and which may involve much more fundamental implementation work. An example is the configuration management process, which is intended to define and control the components of the service. In the example shown in Figure 3, the final service stage is the full integration of all processes, including effective, efficient and well-understood continual improvement. If there is market interest, gold, silver and bronze level documents showing conformity requirements will follow, with ISO/IEC 20000-1 as the gold standard.

Figure 3 - An incremental approach to ISO/IEC 20000-1 (labels: Chaos; Reactive; Proactive; ISO/IEC 20000-1 Service management system; Stage 1; Stage 2; Stage 3; Continual improvement).

Process models

The process reference model (PRM) is a set of process definitions based on process "purpose and outcomes", together with an architecture describing relationships between the processes. Established examples of PRMs include ISO/IEC 12207, Systems and software engineering - Software life cycle processes. A proposed PRM for service management, ISO/IEC 20000-4, will match the scope of ISO/IEC 20000-1.

A PRM also provides the basis for a process assessment model (PAM), in which process capability is defined so that it can be assessed over a series of levels. A PAM for service management has been proposed as part of SPICE, the ISO/IEC 15504 series: ISO/IEC 15504-8, Information technology - Software process assessment - Part 8: An exemplar process assessment model for IT service management.

Similarly, ISO/IEC 27001 deploys a set of processes for information security, covering topics such as risk assessment and treatment, selection of controls for managing the risks, information security metrics and measurements for measuring the performance of the ISMS, incident management and business continuity processes.
Fitting it all together

As shown in Figure 4, support for implementing ISO/IEC 20000-1 is provided by the advice in ISO/IEC 20000-2 and ISO/IEC 20000-3. The incremental approach also supports ISO/IEC 20000-1. The connection between ISO/IEC 20000-1 and the process assessment model, ISO/IEC 15504-8, is less obvious. The link is actually via the process reference model, ISO/IEC 20000-4, which will map to ISO/IEC 20000-1.

Best practice service management is also being applied to production of the series of standards. The output of the change and configuration management processes will include mapping across the standards, methods and frameworks in Figure 2. This will include mapping ISO/IEC 27001 and ISO/IEC 20000.

Rigorous approach

A strong link between the ISO/IEC 27000 and ISO/IEC 20000 series is the role played by the virtuous cycle of Plan-Do-Check-Act. This is a unifying link between all such management system standards. Although the details differ across the two sets of standards, the requirements are compatible and the theme for both is "how do we do this better?"

The synergy between the two goes well beyond the P-D-C-A cycle, as is shown in Figure 5. Both sets of documents include the importance of management commitment, clarity on who does what, and training and awareness. Both also include the need for documentation, monitoring and reporting. And other processes and requirements are common to both, ranging from the use of service-level agreements (SLAs) through to incident management processes. These features are common to both because they underpin a rigorous approach that is highly relevant to both areas of best practice.

However, there are some differences. Although security issues permeate all aspects of service management, and sound service management is a necessary basis for security, there are relatively few requirements labelled as security in the ISO/IEC 20000 series.
The security clause in ISO/IEC 20000 refers to the ISO/IEC 27000 series. As would be expected, the ISO/IEC 20000 series includes some features that are not in the ISO/IEC 27000 series, including various aspects of supply chain management, supplier management, business relationship management and configuration management. The differences also reflect the fact that service management receives the output from software and systems development, changes to business plans and the introduction of new services.

While the ISO/IEC 27000 series includes explicit reference to risk management, the ISO/IEC 20000 series and service management manage risks by the integration of best practices for managing the service, making very little explicit reference to risk management.

Figure 4: The ISO/IEC 20000 series in development. Labels in the figure: ISO/IEC 20000-1 requirements; ISO/IEC 20000-2, advice explaining the Part 1 requirements; ISO/IEC 20000-3, advice on scoping, applicability and conformity; process reference model ISO/IEC 20000-4 (mapping); process assessment model ISO/IEC 15504-8 (SPICE) (conformance); single step approach; incremental approach in Step 1, Step 2 and Step 3.

Figure 5: Synergy between the ISO/IEC 27000 and ISO/IEC 20000 series. Labels in the figure, in the order they appear: ISO/IEC 27000 series: risk management, asset management, legal and regulatory compliance, information security controls. ISO/IEC 20000 series: new and changed services, budgeting and accounting, business relationship, supplier management, problem management, configuration management, change management, release management. Then: management commitment, roles and responsibilities, training and awareness, documentation, Plan-Do-Check-Act, effectiveness measures, service reporting, SLAs and contracts, continuity and availability, capacity planning, security requirements, incident management.

Combining forces

The relationship between security and service management is so close and important that many organizations are adopting both sets of standards for their quality management. It is now common for a service provider to adopt one of the sets, improve how they operate to conform to the requirements, and then to make further improvements to conform to the other set. If conformity has involved being certified, many organizations then arrange for audits to both standards to be done at the same time. In fact, when the scope of each audit is the same, it is now possible to have combined audits and a single certificate. However, this is still rare. Most service providers are being awarded a separate certificate for each standard, each certificate having a related but different scope.

The common history of the two standards is reflected in the rapid adoption of training and qualifications in both service management and security for practitioners, consultants and auditors. Procurement practices now frequently require suppliers to be certified under one or both of the standards.

The ISO/IEC 27000 and ISO/IEC 20000 management system standards have a strong base of support in the UK, and are experiencing rapid adoption in other countries. Most notable among these are China, Germany, India, Japan and South Korea, with interest growing in some 30 to 40 other countries. This is no surprise, as these two standards constitute a powerful tool for businesses striving to compete in today's global marketplace.

Improving water and wastewater services

by Laurence Thomas, Secretary, and Jean-Luc Redaud, Chair, ISO/TC 224, Service activities relating to drinking water supply systems and wastewater systems – Quality criteria of the service and performance indicators

Water constitutes a worldwide challenge for the 21st century, both in terms of management of available water resources and in the provision of access to drinking water and sanitation for the world's population. In 2000, the United Nations recognized that access to water is an essential human right. Following the two World Water Forums in Kyoto in March 2003 and in Mexico in March 2006, the international community committed to improving governance of drinking water and wastewater services. Building capacity with local governments is identified as a priority in this effort.

The big challenge

Standardization work started in 2002 within ISO technical committee ISO/TC 224, Service activities relating to drinking water supply systems and wastewater systems – Quality criteria and performance indicators. The committee faced an important challenge: to produce ISO standards dealing with water services that can be used in developed

Information security management systems for small and medium-sized enterprises

Although many large organizations have been quick to see the benefits of ISO/IEC 27001:2005, the information security management system standard, many SMEs have been slow adopters because of a lack of basic advice on its implementation. This will change with the development of a new ISO handbook to demystify the process, due for publication in 2009.
by Edward Humphreys

SPECIAL REPORT

Visiting Professor Edward Humphreys (FH University of Applied Science, Hagenberg, Upper Austria) is Convenor of ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, working group WG 1, Information security management systems. E-mail edwardj7@msn.com

ISO Management Systems, January-February 2009, www.iso.org/ims

ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, is one of a family of information security management systems (ISMS) standards (see box) for use by all organizations regardless of size and sector. Well over 5 000 organizations have already certified their ISMS in conformity with ISO/IEC 27001, and many more are in the process of doing so, testimony to its broad applicability in helping protect business assets and information, and the reason why the ISMS standard has become the common information security language within and between many different types of enterprise.

However, while many large organizations have been quick to see the benefits, many small to medium sized enterprises (SMEs) are still slow to adopt the standard because of a lack of basic advice on its implementation. Help will shortly be at hand following the development of a new ISO handbook designed to provide much needed guidance on ISO/IEC 27001 implementation for SMEs from all sectors, due for publication in 2009. This article provides a preview.

Two approaches

The handbook will offer a step-by-step or all-at-once approach to implementation depending on the SME resources available. It explains that, irrespective of the size and nature of the SME, ISO/IEC 27001 implementation does not need to be costly or resource intensive.

Step-by-step ISMS implementation enables the SME to achieve a basic level of cost-effective protection without much effort. And by following two to three more steps, the organization can achieve a fully ISO/IEC 27001-conforming ISMS when appropriate to the business.

Basic protection

All organizations need a baseline of security to provide a minimum level of protection. For example, virus attacks can threaten any organization, including SMEs. They should have back-up systems in place to protect against information loss or destruction, and ensure physical protection of personnel, data and equipment, and protection of personnel data and company records.

Implementing a basic level of protection is an appropriate starting point for any SME, beginning with a simple gap analysis to identify the protection already in place, and what it lacks. Figure 1 shows a typical gap analysis checklist using the controls listed in ISO/IEC 27002.

Figure 1: Example of a typical information security gap analysis.

ISO/IEC 27002 control question | Yes / Partial / No | Comments
Do you have software implemented in your computers to detect, prevent and recover from a malicious code attack (e.g. from a virus attack)? | (ticked in the original) | Not all the computers in the business have this software installed.
Do all your staff know about the dangers of malicious code attack (e.g. from a virus attack) and are they trained in the use of the software used to detect, prevent and recover from such attacks? | (ticked in the original) |
Do you regularly update the software used to detect, prevent and recover from a malicious code attack (e.g. from a virus attack)? | (ticked in the original) |

ISO/IEC 27002:2005 provides a code of practice that describes the necessary controls for basic protection, including:
- a policy for high level information security management;
- user awareness;
- antivirus software;
- backup;
- access controls;
- physical protection of premises and commercially sensitive paper-based files and documents;

ISMS policy

An information security policy statement can be a one-page document from senior management listing policy objectives and commitment, displayed in the organization's premises. This is a simple but effective daily reminder to employees of the importance of information security.

Risk assessment

The objective of a risk assessment is to identify the risks confronting an SME so that an appropriate set of information security controls can be implemented to reduce those risks to an acceptable level. Yet risk assessment is seen by many SMEs as a formidable and time-consuming task requiring substantial resources. It does not need to be so. To extend SME information protection beyond the baseline level requires a risk assessment exercise. However, the steps involved are quite straightforward, as explained in the forthcoming ISO handbook.

The baseline controls mentioned are designed to reduce specific risks: anti-virus software to reduce the risk of a virus attack, back-ups to minimize the risk of data loss through system failures, and physical protection to lower the risk of equipment and documentation theft.

Typical vulnerabilities identified by risk assessment can include:

On-line information theft and fraud. This includes on-line auction frauds, phishing (e-mail disguised as official bank communication), 419 scam letters, and numerous other deceptions designed to lure users to part with personal information, bank and credit card details, social security numbers or passwords.

System failures. These can shut down an SME's IT system and disrupt normal business activity for days, with possibly serious effects on revenue and competitiveness.

Software problems. These include bugs, viruses, out-of-date programs and unauthorised access, which can compromise information security.

Misuse of company resources. This can be done by external users or SME staff, whether accidental or intentional, and can result in breaches of information security.

Delayed response to security incidents. Immediate reporting of any potential security risks should be routine, with measures taken to correct the problem before it can have a negative impact on the organization.

The ISO/IEC 27000 family

The ISO/IEC 27000 family of information security management standards currently comprises four publications:
- ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management
- ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management
- ISO/IEC 27006:2007, Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

The principal standard, ISO/IEC 27001:2005, covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations), and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, and is intended to be suitable for several different types of use, including the following:
- use within organizations to formulate security requirements and objectives
- use within organizations as a way to ensure that security risks are cost effectively managed
- use within organizations to ensure compliance with laws and regulations
- use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met
- definition of new information security management processes
- identification and clarification of existing information security management processes
- use by the management of organizations to determine the status of information security management activities
- use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization
- use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons
- implementation of business-enabling information security
- use by organizations to provide relevant information about information security to customers.

The risk assessment should only focus on those areas requiring protection, to avoid unnecessary expenditure on information security solutions covering less risky areas of the business. Regardless of the measures taken, it is impossible to reduce information security risks to zero. The SME should implement the necessary controls to reduce the risks to an acceptable residual level without overspending on information security measures. There is a point at which the benefits gained are outweighed by the cost of implementing more and more security.

Maintaining an ISMS

Implementing the controls set out in ISO/IEC 27001 is an important aspect of protecting information, but just as important is maintaining the day-to-day effectiveness of the ISMS. If the system is not regularly managed then the investment in security can be wasted.

Managing its information security enables an SME to make system improvements and upgrades when necessary to protect its investment in security. This involves regular monitoring, and reviewing any changes in operations that might affect the level of protection that has been implemented. If changes in business conditions are significant enough to increase information security risks, then the SME will have to consider changing the set of ISMS controls to counter the new risks. Regular reviews not only ensure the continuing effectiveness of the system, but can be far more cost effective than more substantial periodic system upgrades.

Better protection

In this article, I have highlighted some of the advice given in the forthcoming ISO handbook. It will also include checklists, scorecards and case studies to help SMEs focus on the key aspects of protecting their business information using ISO/IEC 27001 as the ISMS tool. In essence, the new handbook will help to simplify and demystify ISO/IEC 27001 requirements and give SMEs a clearer understanding of how best to protect their businesses.
SC27 WG2

Cryptographic Standards: Achievements, Current Activities and Future Perspectives of SC 27/WG 2
Introduction

While the Information Security Management Systems and relevant management standards provide a fundamental framework and methodology for realising information security, they must be complemented with technical safeguards to maintain confidentiality, integrity, availability and other objectives of information security.

Cryptography based on advanced theory of mathematics provides for the most advanced technological means to meet many of these objectives, e.g. the confidentiality of trade secrets and personal data over wireless connections or on smart cards, and the integrity of data and non-repudiation of commercial transactions. It is gaining more and more importance in the age of information and communication technologies (ICT). For example, digital rights management needs techniques for encapsulating the content and for transmitting the key for decryption, public procurement procedures on the Internet need techniques for authenticating the bidders and validating the tenders, and legal requirements for preserving tax-related and other business documents in electronic forms need authenticating their content and time of creation.

SC 27/WG 2 is mandated to develop international standards of "Cryptographic and Security Techniques" for confidentiality, entity authentication, non-repudiation, key management, and data integrity such as message authentication, hash-functions and digital signatures, which are to be utilized in various types of business applications, while the development of standards aimed at specific applications is outside of its scope. In other words, it is expected to produce generic cryptographic standards, serving as a centre of expertise in this area for other standardization organisations working on more specific cryptographic standards, such as SC 17 on smart card applications and ISO/TC 68/SC 2 on banking applications.

This article provides a summary view of the past, present and the near future of its activities.
Brief history of SC 27/WG 2

When SC 27 was formed in 1990 as the successor of ISO/TC 97/SC 20, it was clearly stated that the standardization of encryption algorithms was out of its scope. The main reason for the exclusion was that cryptography was originally considered to belong to the military area and not for commercial use, that most cryptographic algorithms published by that time were not mature yet, making it very difficult to evaluate their security, and that the development of semiconductors and computing technologies seemed to make the then known algorithms vulnerable to attacks.

Thus one of the earliest standards SC 27 produced was ISO/IEC 9979 (Procedures for the registration of cryptographic algorithms), published in 1991. The Register, which was maintained by the National Computer Centre UK, and subsequently by Royal Holloway of the University of London, contained 24 algorithms in 2001.

Under the first convenorship by Louis Guillou and the second by Marijke de Soete, SC 27/WG 2 produced various cryptographic standards in the 1990s: e.g. ISO/IEC 9796 (Digital signature schemes giving message recovery), 9797 (Message authentication codes), 9798 (Entity authentication), 10116 (Modes of operation for an n-bit block cipher algorithm), 10118 (Hash functions), 11770 (Key management), 13888 (Non-repudiation) and 14888 (Digital signatures with appendix). They may be said to belong collectively to the first generation of the SC 27/WG 2 standards.

In the meantime, there were several changes occurring globally, which eventually affected the scope of SC 27/WG 2. Firstly, the Internet was made available to commercial applications, causing an explosion of World-Wide Web services. Secondly, financial and other applications of smart cards, mobile phones and other ICT devices were expanding. Thirdly, there was significant progress in the academic research of "cryptanalysis" on the security of cryptographic algorithms. Lastly, the political background was undergoing a sea change after the end of the cold war.

It was perhaps due to these changes that the US government initiated a completely open procedure for establishing a new Advanced Encryption Standard (AES) replacing the Data Encryption Standard (DES) for non-military governmental applications. In addition, the Organisation for Economic Co-operation and Development (OECD) published its Guidelines for Cryptography Policy in 1997, in which one of the eight principles was titled "Standards for cryptographic methods" and recommended that "(t)echnical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level."

In 1999 it was agreed that SC 27/WG 2 should start the work in this hitherto prohibited area, and in 2000 the new project 18033 (Encryption algorithms) was approved by ISO/IEC JTC 1. Following the progress of the project, ISO/IEC 9979 was withdrawn in 2005.
Current activities

SC 27/WG 2 is currently responsible for producing, updating and/or maintaining 19 standards in the area of cryptography and related security mechanisms. There is no single way to classify the projects, but they may be placed in two diagrams as shown in Fig. 1 and Fig. 2, where an arrow from A to B denotes that A makes use of B or that A is enabled by B. For example, confidentiality is an objective, or a goal, of information security, which may be reached through data secrecy and/or anonymity as subgoals, which, in turn, may be realised by use of encryption, anonymous entity authentication and other mechanisms.

Fig. 1. Relationships between the objectives and the 14 mechanism standards

Fig. 2. Supporting and component mechanism standards

Fig. 1 tries to show some relationships between the three main objectives of information security and 14 projects. Partly due to the historical background described above, a majority of them are concerned with integrity in a broad sense, i.e. authenticity of entity, data integrity, and the integrity of action and time. A relatively small number of projects deal with confidentiality, including data secrecy and anonymity, and no standards have been produced to attain availability, although there was a suggestion that secret sharing might be a candidate for standardization to satisfy certain requirements of availability and confidentiality at the same time.

The five other standards, shown in Fig. 2, are more or less common to the various goals and subgoals, either as supporting mechanisms or as component algorithms.

ISO/IEC 18033 (Encryption algorithms) consists of four parts. Part 1 defines the basic terminology and clarifies the properties of asymmetric and symmetric types of ciphers. Asymmetric ciphers are also known as public key cryptosystems, in which encryption is performed with a public key and decryption is done with its associated private key. Symmetric ciphers, which can be classified into block ciphers and stream ciphers, are traditionally called common key (or secret key) cryptosystems, in which both encryption and decryption are performed using a common secret key. In addition, this part of the standard provides information on the criteria for selecting algorithms for inclusion in the standard from the large variety of cryptographic techniques published and in use. The criteria include the strength to resist cryptanalytic attack, the performance on a variety of typical CPUs, the nature of any licensing issues and the maturity. Part 2 specifies selected asymmetric ciphers, while Parts 3 and 4 respectively specify selected block ciphers and stream ciphers.

Together with ISO/IEC 15946 (Cryptographic techniques based on elliptic curves), 18031 (Random bit generation) and 18032 (Prime number generation), the encryption algorithm standard represents the second generation of SC 27/WG 2 standards.

ISO/IEC 19772 (Authenticated encryption) is a new standard published in 2009, specifying methods for processing a data string for the purpose of data confidentiality, data integrity and data origin authenticity at the same time. Project 29150 (Signcryption) is under development, aiming to attain a similar set of goals with certain mechanisms combining digital signature and encryption techniques.

Project 29192 (Lightweight cryptography) was initiated in 2008, and Projects 20008 (Anonymous digital signatures) and 20009 (Anonymous entity authentication) in 2009.

These recent activities signify the beginning of the third generation in the history of SC 27/WG 2.
Future perspectives

It is evident that the future focus of the SC 27/WG 2 activities will depend on two main forces: market needs and technological seeds. In addition, the active review of existing standards will be required in order to avoid the mechanisms included in them becoming vulnerable to new types of attacks.

Some of the potential candidates for the future work include: group-based/oriented cryptography, such as secret sharing schemes and threshold cryptography; implementation oriented cryptography, such as techniques for protecting against side channel attacks; new cryptographic primitives, such as hyper-elliptic curve cryptography and lattice-based public key cryptography; new cryptographic systems, such as ID-based schemes and certificateless (or token-based) public key cryptography; application-oriented techniques, such as cryptography for digital rights management and broadcast encryption; and other items, such as achieving long-term security with unconditional schemes and quantum key distribution systems.

Conclusion

SC 27/WG 2 has gone through two generations of standards development. The first generation of standards on entity authentication, digital signatures and others were produced in the 1990s under a restriction concerning the international standardization of encryption algorithms. The second generation of standards was characterised by the development of ISO/IEC 18033 and other standards in the area of advanced cryptography. Many of these standards are in direct use or used indirectly through related standards produced by other organisations including JTC 1/SC 17, ISO/TC 68/SC 2, ITU-T and IETF.

SC 27/WG 2 has started the development of its third generation of standards. It will continue to produce cryptographic standards of mechanisms and algorithms useful for meeting diversified business needs for information security.

These standards, however, may not directly meet market needs; rather, they will enable more specific, application oriented techniques, e.g. for financial services, public procurement procedures, smart card applications, electronic transactions, and digital rights management. For these reasons, it is important that SC 27/WG 2 continue to work together with other standardization committees and organisations.
Standardization of modern cryptographic mechanisms: Lightweight cryptography

Riaal Domingues, Armscor, Defence Institutes, South Africa

Introduction

One of the exciting fields of research in cryptography is that of lightweight cryptography. The open literature research in cryptography since the 1980's has led to a great deal of insight into how to design secure cryptographic mechanisms. This has led to industry adopting cryptography as a powerful tool not only to protect data against unauthorised access, but also to authenticate users, sign documents electronically, etc. Cryptography is one of the practically applicable solutions that require experts from three fields, namely engineering, computer science and mathematics, to work together to come up with solutions to real world problems. Cryptography as a solution to security problems has evolved with digital technology over the past twenty years, to some extent closely related to the ever increasing demand for more computing power. Cryptography on platforms with lots of computing power has therefore grown at the same tempo as the available computing power. The same is true for cryptography in hardware devices. Over the past decade a market has emerged that requires smaller devices, many of which run off batteries, and in some cases off no power source other than an electromagnetic field that powers the device only for a brief moment. Examples of these are:
- Cellular phones
- Sensor networks
- Smart cards
- Contactless smartcards
- Radio frequency identification tags (RFID)

Along with the technology, the number of people with enough skills to attack these devices has also increased. This leads to the stealing of information, the cloning of devices used for access control, etc. Cryptographic research adapted to this quickly by taking a turn in the opposite direction to increasing computing power: designing cryptographic mechanisms that require fewer resources to operate, yet are safe enough for their application. This research has led to what is loosely known today as lightweight cryptography.

When no security is used in small devices, attackers generally have no problem attacking those systems. Perhaps the most well known example is from the late 1980's and early 1990's, when garage door openers and car alarm remote controls were attacked by merely capturing the code the remote control transmits, and later replaying the code to open the door or disable the alarm (traditionally called a replay attack). The KeeLoq cipher was designed for remote controls, and the technology of the time was very restrictive. In retrospect KeeLoq can be seen as one of the first lightweight cryptography designs. There were also proprietary ciphers developed for the Oyster cards which control access to transport systems and doors to buildings. Both these ciphers were eventually broken. Industry designed these ciphers because there were no standard ciphers available that could do the job within the constraints of the platforms. Clearly the market requires published, well scrutinised ciphers which will not lead to the embarrassment of getting broken and the resulting security compromises.

JTC 1 instructed its subcommittee SC 27 to study lightweight cryptography in 2006 (then loosely termed low power cryptography) for possible standardization. The study period continued until its October 2008 meeting, when SC 27 decided to issue a new work item proposal for standardization of lightweight cryptography.
Def|n|ng ||ghtwe|ght cryptography Loosely deflned, llghLwelghL crypLography ls crypLography Lallored for consLralned envlronmenLs. 1radlLlonally llghLwelghL crypLography ln Lhe academlc communlLy was sLudled ln Lerms of 8adlo lrequency ldenLlflcaLlon 1ags (8llu). MosL llLeraLure wlll Lherefore refer Lo CaLe LqulvalenLs (CL) as Lhe slze of an algorlLhm when lmplemenLed ln hardware and ls wrlLLen ln wlLh Lhe appllcaLlon of 8llu ln mlnd. 8llus are very small wlLh very llLLle space lefL on Lhe chlp for a crypLographlc algorlLhm. Cnly conslderlng CLs Lo deflne llghLwelghL crypLography ls noL Lhe besL approach for a number of reasons: 1. A low CL counL can be obLalned by rolllng up a block clpher, aL Lhe expense of laLency. 1hls makes lL dlfflculL Lo compare dlfferenL lmplemenLaLlons. 2. ln some appllcaLlons, low power raLher Lhan low CL counL ls lmporLanL. Speclflcally ln sensor neLworks where devlces run on baLLerles. 94 3. LlghLwelghL proLocols and slgnaLure schemes Lry Lo mlnlmlse Lhe number of blLs LhaL musL be senL over Lhe channel, and CL counL does noL come lnLo play aL all. 4. 1here are a number of sofLware orlenLed clphers whlch are sulLable for low end processors, and Lhe noLlon of CL does noL come lnLo play when conslderlng processors.
lnsLead, Lhe llghLwelghL crypLography sLandard under developmenL Lakes a dlfferenL approach. llrsLly, lL dlsLlngulshes beLween crypLography LargeLed aL hardware lmplemenLaLlons, and crypLography LargeLed aL sofLware lmplemenLaLlons. lL also groups dlfferenL prlmlLlves lnLo dlfferenL parLs of Lhe same sLandard namely: 1. 8lock clphers 2. SLream clphers 3. Mechanlsms uslng asymmeLrlc Lechnlques lor block and sLream clphers, CL counL ls consldered as Lhe maln measuremenLs, wlLh LhroughpuL / area as Lhe addlLlonal measuremenLs. AL Lhe Llme of wrlLlng, more comparaLlve measures are sLlll under developmenL Lo ald users Lo compare dlfferenL hardware LargeLed block and sLream clphers. lor sofLware LargeLed clphers, 8AM requlred durlng execuLlon of Lhe code and program code slze are ofLen lmporLanL. lL ls Lrlcky Lo compare dlfferenL clphers falrly ln Lhe sofLware envlronmenL Lhough, as lL ls hlghly dependenL on Lhe Lype of processor belng consldered. AL Lhe Llme of wrlLlng, Lhls problem has noL been compleLely solved. 1he maln polnL ls LhaL lL ls noL easy Lo deflne llghLwelghL crypLography ln a slngle senLence, and probably noL falr elLher. 1here ls much more Lo llghLwelghL crypLography LhaL has Lo be consldered Lo deflne lL preclsely. 1he matur|ty of ||ghtwe|ght cryptography LlghLwelghL crypLography goL a loL of aLLenLlon because of Lhe emerglng 8llu Lechnology. Clphers llke keyloq and Mlfalre have been around ln proprleLary form for a whlle, buL Lhey were noL well sLudled ln Lhe open llLeraLure. lnsLead, Lhe formal sLudy of llghLwelghL crypLography ls probably more concenLraLed durlng Lhe lasL flve years. 1he LC8?1 ll pro[ecL (www.ecrypL.eu.org) ls also sLudylng llghLwelghL crypLography formally. Cne can Lherefore argue LhaL llghLwelghL crypLography ls noL all LhaL maLure yeL. 
However, the AES selection process did lead to an evolution of our understanding, specifically of block ciphers, and the eSTREAM project that is a part of the ECRYPT project has led to focussed study of stream ciphers. Hopefully the same will be true for the SHA-3 competition, and it is hoped that lightweight hash functions will also emerge eventually. Ciphers like KeeLoq and Mifare have shown that industry is in serious need (and has been for quite a while now) of lightweight cryptography for practical threats. SC 27 is attempting to accommodate this need by standardizing what it believes are lightweight cryptography mechanisms mature enough to fulfil the security requirements industry has.
Practical applications of lightweight cryptography
As mentioned earlier, the most well known application of lightweight cryptography is in RFID tags. These tags are already in use. Applications range from as simple as the replacement of barcodes to more complex applications such as payment systems, toll road systems, number plates on cars etc. It is clear that some of these applications do require cryptographic security. Take for instance toll road systems. Automatic tolling of vehicles ensures that toll roads don't slow traffic down and cause traffic jams. On the other hand, the owner of an RFID tag for automatic tolling wants to be assured that he will not be victim to copying of the responses of his RFID tag, ending in paying toll bills he did not incur. For this to be secure, a secure protocol must exist between the interrogator and the RFID tag, as well as a means to encrypt the response that is transmitted over the air. Signature schemes may also come into play in such a security design. Another application of lightweight cryptography is in sensor networks. A sensor may run from batteries, and it may be for long periods.
Lightweight cryptography in this case will be mechanisms optimised to work with as few operations as possible to conserve battery power, yet be safe for their application. Challenge-response schemes with as little overhead as possible are also important, as transmission power dominates over computation power. The number of bits transmitted must therefore be minimised. The oldest applications of lightweight cryptography were in garage door openers and car immobilisers. The code transmitted to the receiver must be kept safe from eavesdropping to ensure that replay attacks are not possible. The cost of the remote must also be kept as low as possible, and therefore lightweight cryptography that occupies as little space as possible on the remote control is the obvious choice. Electronic money comes as a replacement for old ticket systems used on public transport. It is much more convenient to buy credit which is stored on a cheap card (the cost of the card must be much cheaper than the value of the transport it is providing). The public transport authority wants to ensure that it is the only authority that can "recharge" the credit on the card, and also that no one can clone the credit on an existing card. In the medical field, lightweight cryptography plays an important role in Body Area Networks (BAN). Modern medicine can replace or enhance body functions of failing organs. The devices performing these functions (like for instance pacemakers for the heart) often have 'tweakable' parameters. The patient wants to be sure that only his doctor can tweak the parameters, and no one else.
Conclusion
Industry requires lightweight cryptography. Lightweight cryptography is an example of a science that is still young, but there are mechanisms that are mature enough to fulfil the industry requirement. SC 27 is currently developing a standard to ensure that industry has solutions for its security problems.
In this standard, SC 27 defines lightweight cryptography, provides methods to aid users in choosing the best mechanism for their application, and standardizes mechanisms which SC 27 believes are mature enough for industry use.
Using ISO Security Standards in International Payment Card Systems
Mike Ward and David Main
MasterCard International
Introduction
This article provides an overview of how valuable the ISO security standards from SC27 have been in the development of international card payment systems, starting many years ago with magnetic stripe cards and evolving in more recent times to card payments using EMV smart card technology.
Background on Card Payments
Card Payments
Payment card transactions typically take place between two parties that do not know one another, for example a tourist paying a hotel bill. This transaction is made possible by the contractual relationship that exists between the bank that issued the card to the cardholder and the acquiring bank of the merchant. The relationship between an issuing bank and an acquiring bank that are from two different countries is established by membership of an international payment system, such as those provided by the members of EMVCo (American Express, JCB, MasterCard and Visa). The payment system provides the network for authorising and clearing of cross-border payment transactions and sets the rules of membership and operation, along with an often complex set of guarantees.
Card Payments Security
The techniques of card authentication and cardholder verification are central to the securing of card payment transactions. For magnetic stripe cards, card authentication involves the merchant checking the account number, expiry date, hologram, branding and artwork, and the card issuer checking the card verification code (this is a 3 digit cryptogram computed using an issuer key and written onto the magnetic stripe of the card prior to issuing the card to the cardholder); cardholder verification involves the merchant comparing a handwritten signature with the specimen signature on the signature panel of the card, and the card issuer checking the PIN entered by the cardholder.
An important distinction between merchant checking and issuer checking is that for the latter the transaction must be communicated 'online' to the issuer rather than being processed locally 'offline'. The processing of online transactions is more expensive than offline transactions, especially in the case of PIN verification, where a chain of cryptographic keying relationships and secure cryptographic devices are needed in order to transmit the PIN encrypted between the ATM or merchant's PIN pad and the issuing bank's host security module. To reduce the number of online transactions, merchant terminals may be configured to only send transactions online if the monetary amount of the goods or services being purchased exceeds a certain limit.
ISO Standards
The following security-related International Standards from SC27 are used for PIN entry devices and PIN protection for online transmission:
ISO 9564 Banking - PIN management and security
ISO 11568 Banking - Key management
ISO 13491 Banking - Secure cryptographic devices
In addition the following International Standards are used for magnetic stripe cards and for data transmission from merchant to card issuer:
ISO/IEC 7810 Identification cards - Physical characteristics
ISO/IEC 7811 Identification cards - Recording technique
ISO/IEC 7812 Identification cards - Identification of issuers
ISO/IEC 7813 Identification cards - Financial transaction cards
ISO 8583 Bank card originated messages - Interchange message specifications - Content for financial transactions
EMV ICC Payment Specifications
What is EMV?
The abbreviation 'EMV' stems from the three key players when the specifications were first developed, 'Europay, MasterCard and Visa', and it identifies a series of technical specifications for smart debit and credit card payments. The first major version of the specifications was published in 1996 and known as EMV'96.
This version was followed by EMV v3.1.1 in 1998, EMV v4.0 (also known as EMV2000) in 2000, EMV v4.1 in 2004 and most recently EMV v4.2 published in 2008. During this period an organisation called EMVCo LLC had been established to manage the specifications. EMVCo currently comprises American Express, JCB International, MasterCard International and Visa International (Europay having become part of MasterCard).
EMV security
With the introduction of smart payment cards comes the possibility for far more effective card authentication methods (CAMs) and cardholder verification methods (CVMs) than with magnetic stripe technology. Starting with EMV'96, EMV has introduced three types of offline CAM - static data authentication, dynamic data authentication and combined dynamic data authentication - a mutual dynamic online CAM, and an offline CVM based on PIN verification performed by the card with optional PIN encipherment.
The offline CAMs use RSA public key cryptography. Static data authentication requires the merchant terminal to verify a card-stored digital signature computed by the issuer on static card data prior to issuance. The dynamic data authentication techniques require the merchant terminal to verify a dynamic digital signature generated by the card in a challenge-response protocol. Dynamic data authentication has stronger security than static data authentication but also requires that the card have an RSA private key along with RSA processing capability. Signatures are created and verified using RSA and SHA-1 as defined in ISO/IEC 9796-2 and ISO/IEC 10118-3 respectively. For the dynamic online CAM, EMV uses Message Authentication Codes (MACs). EMV enables the card to send a cryptogram via the merchant terminal to the issuer, who can then verify this cryptogram (the issuer derives the card key from an issuer master key) and can respond to the card with an authorisation response cryptogram and other secured messages. Examples of other secured messages are commands to block or unblock the card or to change the PIN on the card. The block/unblock commands require integrity and authenticity, whereas the PIN change command additionally requires confidentiality. SC27 International Standards are used extensively. MACs are created and verified according to ISO/IEC 9797-1 and ISO 16609. Data is encrypted and decrypted using ISO/IEC 18033-3 (2-key Triple DES) and ISO/IEC 10116 (ECB mode and CBC mode). Offline PIN verification can be performed either by submitting the cardholder-entered plaintext PIN to the card for verification or by submitting the PIN enciphered under a card's public key. Offline enciphered PIN was introduced in EMV 3.1.1 (1998) and, as with DDA, requires the card to have an RSA private key along with RSA processing capability. Encryption uses random padding and an RSA transform as defined in ISO/IEC 18033-2.
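The dynamic online CAM exchange described above, as an added Go example that is not code from the article or from EMVCo: the MAC is the ISO/IEC 9797-1 construction the article cites (Algorithm 3 with Padding Method 2 under a 2-key Triple DES key), while the derivation of the card key from the issuer master key, the layout of the response cryptogram and all sample key and transaction values are illustrative assumptions.

```go
// Added example, not code from the article or EMVCo: a simplified model of the
// dynamic online CAM described above. The issuer derives a per-card key from an
// issuer master key (IMK); the card MACs transaction data into an authorisation
// request cryptogram (ARQC); the issuer re-derives the key, verifies the ARQC
// and answers with a response cryptogram (ARPC) the card checks. The MAC is
// ISO/IEC 9797-1 Algorithm 3 (Padding Method 2) under a 2-key Triple DES key;
// key derivation and ARPC layout are illustrative, not EMVCo's exact formulas.
package main

import (
	"crypto/des"
	"crypto/subtle"
	"fmt"
)

// desBlock runs single DES on one 8-byte block with an 8-byte key.
func desBlock(key8, in []byte, encrypt bool) []byte {
	c, err := des.NewCipher(key8)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out
}

// deriveCardKey diversifies the 16-byte IMK into a 16-byte card key with 2-key
// Triple DES (ISO/IEC 18033-3) over 8 bytes of card-unique data and its complement.
func deriveCardKey(imk, cardData []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, imk...), imk[:8]...))
	if err != nil {
		panic(err)
	}
	inv := make([]byte, 8)
	for i := range cardData {
		inv[i] = cardData[i] ^ 0xFF
	}
	key := make([]byte, 16)
	c.Encrypt(key[:8], cardData)
	c.Encrypt(key[8:], inv)
	return key
}

// retailMAC is ISO/IEC 9797-1 MAC Algorithm 3 with Padding Method 2: pad with
// 0x80 and zeros, CBC-chain single DES under K1, then decrypt the final block
// under K2 and re-encrypt it under K1, giving an 8-byte MAC.
func retailMAC(key16, msg []byte) []byte {
	k1, k2 := key16[:8], key16[8:16]
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	h := make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		blk := make([]byte, 8)
		for j := range blk {
			blk[j] = h[j] ^ padded[i+j]
		}
		h = desBlock(k1, blk, true)
	}
	return desBlock(k1, desBlock(k2, h, false), true)
}

// cardGenerateARQC is the card side: MAC the transaction data with the card key.
func cardGenerateARQC(cardKey, txn []byte) []byte { return retailMAC(cardKey, txn) }
// issuerVerifyARQC is the issuer side: re-derive the card key from the IMK and
// compare the cryptogram in constant time.
func issuerVerifyARQC(imk, cardData, txn, arqc []byte) bool {
	expected := retailMAC(deriveCardKey(imk, cardData), txn)
	return subtle.ConstantTimeCompare(expected, arqc) == 1
}

// issuerGenerateARPC binds the authorisation response code (arc) to the ARQC it
// answers; cardVerifyARPC lets the card confirm the reply came from its issuer.
func issuerGenerateARPC(cardKey, arqc, arc []byte) []byte {
	return retailMAC(cardKey, append(append([]byte{}, arqc...), arc...))
}
func cardVerifyARPC(cardKey, arqc, arc, arpc []byte) bool {
	return subtle.ConstantTimeCompare(issuerGenerateARPC(cardKey, arqc, arc), arpc) == 1
}

func main() {
	// Constructed sample values: placeholders, not real keys or account data.
	imk := []byte{0x0F, 0x1E, 0x0F, 0x1E, 0x0F, 0x1E, 0x0F, 0x1E, 0x0F, 0x1E, 0x0F, 0x1E, 0x0F, 0x1E, 0x0F, 0x1E}
	cardData := []byte{0x54, 0x13, 0x33, 0x00, 0x89, 0x00, 0x10, 0x01}
	txn := []byte("amount=001500|cur=978|date=100315|unpredictable=7A3F")
	cardKey := deriveCardKey(imk, cardData)
	arqc := cardGenerateARQC(cardKey, txn)
	fmt.Printf("ARQC %x accepted by issuer: %v\n", arqc, issuerVerifyARQC(imk, cardData, txn, arqc))
	arc := []byte("00")
	arpc := issuerGenerateARPC(cardKey, arqc, arc)
	fmt.Printf("ARPC %x accepted by card: %v\n", arpc, cardVerifyARPC(cardKey, arqc, arc, arpc))
	txn[7] ^= 0x01 // amount altered in transit: the ARQC no longer verifies
	fmt.Printf("altered amount accepted: %v\n", issuerVerifyARQC(imk, cardData, txn, arqc))
}
```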
Future Evolution of EMV
As EMV evolves, new technologies will be embraced. One current item is contactless payment cards and mobile devices, which continue to use the same kinds of security services and standards as existing contact cards. In time the existing RSA public key technology will reach a key length limitation and will need extending or replacing. The expected approach is to use Elliptic Curve Cryptography based on the SC27 14888 and 18033-2 standards, with a hash algorithm also expected to be standardised by SC27. For more information about EMVCo and the EMV specifications, and to download the specifications, please see the EMVCo website at www.emvco.com.
ECRYPT II: European Network of Excellence for Cryptology
Bart Preneel
Katholieke Universiteit Leuven and IBBT
Dept. Electrical Engineering-ESAT/COSIC, Kasteelpark Arenberg 10 Bus 2446, B-3001 Leuven, Belgium
bart.preneel@esat.kuleuven.be
ECRYPT II (European Network of Excellence for Cryptology Phase II) is funded within the Information and Communication Technologies (ICT) Programme of the European Commission's Seventh Framework Programme (FP7). The first phase of ECRYPT ran from 2004-2008, while the second phase is running from 2008-2012. The eleven core partners of ECRYPT II are K.U.Leuven (coordinator), R.U.Bochum, Univ. Bristol, ENS, EPFL, France Telecom, IBM Research Zurich, Royal Holloway Univ of London, T.U.Eindhoven, T.U.Graz and Univ. of Salerno. ECRYPT II also has 29 associate members; the complete list can be found in [1].
The objectives of ECRYPT II are to maintain and strengthen the excellence of European research and industry in the areas of cryptology and to obtain a durable integration among the partners. The cryptographic research within ECRYPT II is organized in three virtual labs: SymLab (symmetric techniques), MAYA (public key algorithms and protocols), and VAMPIRE (secure and efficient implementations). Each of these labs is organized in several working groups. In addition to workshops and research meetings for scientific collaboration, ECRYPT II organizes schools to train researchers in advanced cryptographic techniques. ECRYPT II also reaches out to users of cryptography: each year, the project publishes a report on algorithms and key lengths [2]. This report offers concrete recommendations on cryptographic algorithms and key lengths; it takes into account the fast developments in academic research and also reports on progress in standardization.
ECRYPT II also reaches out to standardization bodies; one of the tasks of the project is to act as an interface between standardization bodies on the one hand and the cryptographic research community on the other hand. In the context of this interface with standardization bodies, the ECRYPT II project has established a Category C liaison with ISO/IEC JTC1/SC27/WG2. The ECRYPT II project can offer scientific comparisons of the security level of cryptographic algorithms and protocols. A security evaluation can determine whether there exist any cryptographic attacks, and how large the security margin is to the most advanced attacks; it can also consider security reductions that reduce the security of the algorithm or protocol to a mathematical problem that is believed to be hard; it can also assess the difficulty of protecting implementations against side channel attacks. A performance evaluation can determine the speed of the algorithm or protocol in software and hardware. For software benchmarking, an open evaluation platform has been created under the name eBACS [3]. We are convinced that these comparison efforts are very helpful to prepare an area for standardization.
Between 2004 and 2008, ECRYPT organized the eSTREAM project to evaluate the security and performance of stream ciphers; this open competition has been extremely successful: 36 submissions were received from all over the world, and after an intensive evaluation process that also included design iterations, seven stream ciphers were recommended as promising candidates for further research and standardization [4]. In addition, a much deeper understanding has been developed of the strengths and weaknesses of stream ciphers. We believe that the outcome of the eSTREAM project is extremely valuable to any standardization body that wants to standardize modern stream ciphers.
Currently ECRYPT II is very active in the area of cryptographic hash functions; after cryptanalytic breakthroughs in the last five years, NIST (National Institute for Standards and Technology) had decided to organize between 2008 and 2012 an open competition for a new cryptographic hash standard, SHA-3. The ECRYPT II project has been involved heavily in this competition, by submitting designs and by contributing to the evaluation through workshops and research meetings. It is clear that the results of these efforts will also impact the work of SC27/WG2. Another area of current interest in which research and benchmarking activities are being organized is lightweight cryptography; this is also a work item in SC27/WG2. In the area of public key cryptography, ECRYPT II is currently stimulating research on pairing-based cryptography and lattices; it is likely that both topics will become mature for standardization in the next years.
The ECRYPT II project is very pleased about its constructive collaboration with ISO/IEC SC27/WG2; we believe that an interaction between standardization and research is mutually beneficial and can result in better standards and more relevant academic research.
References
[1] ECRYPT II project webpage, http://www.ecrypt.eu.org
[2] ECRYPT II Yearly Report on Algorithms and Keysizes (2009-2010), http://www.ecrypt.eu.org/documents/D.SPA.13.pdf
[3] eBACS: ECRYPT Benchmarking of Cryptographic Systems, http://bench.cr.yp.to/
[4] Robshaw, M.J.B., Billet, O. (eds.): New Stream Cipher Designs. LNCS, vol. 4986, Springer, Heidelberg (2008)
SC27 WG3
Current Activities and Future Perspectives of SC 27/WG 3
Miguel Bañón
ISO/IEC JTC 1/SC 27/WG 3 Convenor
Epoche and Espri, CEO
Abstract
WG 3 provides a body of expertise for standardization of criteria and methods for security evaluation and certification. Much has been achieved since the beginning of the standardization activities in this area, but much more is demanded by the rapid expansion of the use and complexity of information technology. This article briefly describes the current work area of WG 3, including published as well as developing work, how that work area relates to other standardisation activities both within SC 27 and outside, and discusses potential future directions for WG 3.
Background
The Terms of Reference of WG 3 currently state:
ISO/IEC JTC 1/SC 27 WG 3 - Security evaluation criteria terms of reference
Standards for IT security evaluation and certification of IT systems, components, and products. This will include consideration of computer networks, distributed systems, associated application services, biometrics, etc. Three aspects may be distinguished:
a) evaluation criteria,
b) methodology for application of the criteria,
c) administrative procedures for evaluation, certification, and accreditation schemes.
This work will reflect the needs of relevant sectors in society, as represented through ISO/IEC National Bodies and other organisations in liaison, expressed in standards for security functionality and assurance. Account will be taken of related ISO/IEC and ISO standards for quality management and testing so as not to duplicate these efforts.
WG 3 Scope and project characterisation
The need for security in the use of IT can be described from two perspectives. On the one hand, users need relevant and appropriate security functionality able to meet security objectives (based upon identified threats and mandated policies). Users also need confidence that the deployed security solutions are effective in implementing the policies and countering the perceived threats.
Such confidence enables users to balance IT security, non-IT security measures and other requirements in an efficient manner. It also enables the user to take the residual risks into account when dealing with risk management at higher organizational levels. WG 3 in particular deals with the assessment technologies for measuring the relevance and effectiveness of IT security measures. Users may choose to evaluate the offered security in available products themselves, but more often use third party assessment as a more cost effective option. The WG 3 Terms of Reference define the scope of the standardization work performed at this working group, and help to clarify the applicability of a particular standardization initiative and the understanding of the current catalogue of projects. From the perspective of the target of evaluation (TOE) and certification, the coverage is quite open, from components, to products, and further to include systems. This range may be covered by general standards with abstract target of evaluation paradigms, like ISO/IEC 15408, but may also require product type specific standards, where generalization may be lost in favour of effectiveness and immediateness of applicability of the requirements, methodology and guidance. Both approaches are recognized to be complementary, and equally useful. Once the target of evaluation and certification is clear, three aspects may be distinguished:
a) Evaluation criteria, which include paradigms, functional and assurance requirements;
b) Methodology for application of the criteria, which may be for the evaluation and testing of the TOE, or methodology guidance for the development of a compliant TOE. While the scope of WG 3 does not cover standardization in the area of development practices, many aspects of TOE security are inherited from these practices, hence the opportunity to provide a view from the perspective of the evaluation criteria application;
c) Administrative procedures for evaluation, certification, and accreditation schemes.
Any international standard within the WG 3 realm will then be characterized by:
a) The type of TOE that it applies to;
b) Whether it contains evaluation criteria (EC), methodology for evaluation and testing (ME), guidance for development (GD), or administrative procedures for evaluation, certification and accreditation schemes (AP).
Note that technical reports may explore aspects of application and complementary areas within and around the WG 3 topics, and may not strictly meet this characterisation.
Current activities
On general IT products
Evaluation criteria for IT security (15408)
With the notice of publication of 15408-1 (N8603), ISO/IEC 15408 concluded its second revision, with its first pre-review planned for 2011. WG 3 has published this latest revision in close collaboration with the Common Criteria Development Board (CCDB), to ensure that development work in both bodies provides a coherent catalogue of standards to the market. The latest editorial fixes of the Common Criteria v3.1 release 3 have been provided to WG 3, and are being processed as a Defect Report (N8120) to correct the corresponding 15408 parts. Furthermore, the CCDB anticipates a number of relatively minor changes to the Common Criteria to be developed for incorporation in the next annual release. The changes mostly relate to the area of ADV and will be drafted by June 2010, to be supplied to WG3 in a form suitable for review and incorporation as corrigenda.
Methodology for IT security evaluation (18045)
The second edition of this International Standard was published in 2008, with its first pre-review planned for 2011. This evaluation methodology project runs tightly coupled with ISO/IEC 15408 for content and calendar, and in close coordination with the CCDB.
Guide for the preparation of Security Targets and Protection Profiles (15446)
Many people consider this Technical Report to be a very good introduction to ISO/IEC 15408. It also provides practical guidance on the process of preparing for evaluation. Its second revision was published in 2009, aligning its content to ISO/IEC 15408:2009.
Responsible Vulnerability Disclosure (29147)
ISO/IEC 29147 aims to provide a methodology for the disclosure and management of vulnerability alerts to be used by all interested parties. Those parties would include the discoverer, vendor, and vulnerability information services. It would include methods to determine risk, a format for disclosing vulnerability information, and methods for organizations to gather and process the disclosed information. It is currently in WD stage.
On specific product types: cryptographic modules
Security requirements for cryptographic modules (19790)
This project covers security functional and compliance testing requirements for cryptographic modules, and closely follows FIPS 140-2. It was published in 2006, and later amended in 2008 with technical corrigenda. A revision has started, in concurrent development with the publication of FIPS 140-3, and is currently in WD stage.
Test requirements for cryptographic modules (24759)
The purpose of this standard, published in 2008, is to describe the methodology to be used by accredited laboratories to test whether a given cryptographic module conforms to the requirements of ISO/IEC 19790. It includes detailed procedures, inspections, and tests that the tester must follow, and the expected results that must be achieved for the cryptographic module to satisfy the ISO/IEC 19790 requirements. It is envisaged to be updated after the current revision of 19790.
On specific product types: trusted platform modules
Trusted platform module (11889)
ISO/IEC 11889 was published in 2009, in the course of transposition from a Publicly Available Specification (PAS) submitted by the Trusted Computing Group (TCG) to an International Standard. ISO/IEC 11889-1 defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. ISO/IEC 11889 is broken into parts to make the role of each document clear. Any version of the standard requires all parts to be a complete standard.
On specific technologies
Verification of cryptographic protocols (29128)
This standard will provide a technical base for the assessment of the security of cryptographic protocols. It will describe design evaluation criteria for these protocols, as well as methods to be applied in a verification process for such protocols. The standard will provide definitions of different protocol assurance levels. The discriminants for each protocol assurance level will include a specification of the design of the protocol, specification techniques for the operating environment, security objectives and properties, and evidence that the protocol operating in the environment achieves its objectives or satisfies its properties. The project is currently at CD stage.
A Framework for security evaluation and testing of biometric technology (19792)
This standard, published in 2009, specifies the specific subjects to be addressed during a security evaluation of a biometric system. It covers the biometric-specific aspects and principles to be considered during the security evaluation of a biometric system. It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels). The current spread of biometric technology will probably demand an early review of this standard, to accommodate progress in the field.
Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18045
This recently launched project will provide methodology guidance for the developer and the evaluator on how to use attack patterns as a technical reference point during the TOE development life cycle and in an evaluation of the TOE secure software under ISO/IEC 15408 and 18045, by addressing a number of topics. The development of this document will also investigate whether specific elements from ISO/IEC 15026 (and its revision) are applicable to the guidelines being developed in the TR within the context of IS 15408 and 18045. An increase in the effectiveness of vulnerability reduction is expected for products developed and evaluated according to this Technical Report.
On general systems
A framework for IT security assurance (15443)
The objective of this Technical Report is to present a variety of assurance methods and assurance approaches to guide the IT Security Professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given IT security product, system, service, process or environmental factor satisfies its stated security assurance requirements. This report examines assurance methods and approaches proposed by various types of organisations, whether they are approved or de-facto standards. Published in 2005, it has not found sufficient support to be updated yet.
Security Assessment of Operational Systems (19791)
This Technical Report provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation.
The principal extensions that are required address evaluation of the operational environment surrounding the TOE, and the decomposition of complex operational systems into security domains that can be separately evaluated. The second revision, recently published, aligns its content with that of ISO/IEC 15408.
Systems Security Engineering - Capability Maturity Model (21827)
This standard was based on a PAS submission from ISSEA and its second edition was published in 2008. The scope encompasses the system security engineering activities for a secure product or a trusted system, addressing the complete lifecycle of concept definition, requirements analysis, design, development, integration, installation, operation, maintenance and de-commissioning; requirements for product developers, secure systems developers and integrators, and organizations that provide computer security services and computer security engineering; and it applies to all types and sizes of security engineering organizations, from commercial to government and the academe.
Secure System Engineering Principles and Techniques (29193)
This Technical Report, currently in WD, will provide guidance on the principles, best practices and techniques for secure-system design for information and communication systems, complementing already existing design processes with security specific engineering aspects. The audience will include system architects and designers. Furthermore, the Technical Report will provide reference information to system developers and evaluators.
New areas for future work
On specific technologies
Tamper protection requirements and evaluation
The area of anti-tampering aspects of protection has been discussed before in SC 27. At the time of that discussion the issue of the WG 2 Terms of Reference was discussed in view of the fact that WG 2 was to be responsible for both cryptographic and non-cryptographic security mechanisms.
At the same time, WG 2 noted that it lacked access to sufficient expertise in the field of non-cryptographic protection mechanisms. TC 68 has published standards (ISO/IEC 13491) in this area. From the SC 27 perspective, anti-tampering issues are of relevance to project 19790. However, anti-tampering measures may also have their application in other areas of the IT security field (protection of hardware resources, transport devices for passwords and cryptographic keys, biometric sensor devices etc). WG 3 has launched a Study Period in this area, with no actions concluded yet.
On specific product types
The CCDB is in the process of creating consortia (involving schemes, industry (both developers and evaluators), and users/other interested parties) to work on the development of protection profiles and supporting documents in defined technical areas. Some initial areas include:
Disk Encryption
USB data storage devices
Enterprise Security Management
Firewalls
Operating Systems
Databases
Browsers
Secure software development - tools and techniques
These works may conclude with the publication of product type specific Protection Profiles, with companion evaluation methodology, which may be subject to publication as ISO/IEC standards and technical reports. Initiatives from newly established liaison channels may trigger new projects in specific product types, like smart cards.
On systems
Cloud computing, critical infrastructures and complex IT systems in general have not been addressed by WG 3, and their security evaluation is probably a matter for the immediate WG 3 activity.
ACRONYMS
CC Common Criteria, equivalent to ISO/IEC 15408
CCDB Common Criteria Development Board, a body within CCRA
CCRA Common Criteria Recognition Arrangement
CEM Common Criteria Evaluation Methodology [18045]
DES Data Encryption Standard
EAL Evaluation Assurance Level [ISO/IEC 15408]
HMAC [keyed] Hashing for Message Authentication [Code] [IETF RFC 2104]
PP Protection Profile [ISO/IEC 15408]
RBAC Role Based Access Control
SSE-CMM Systems Security Engineering - Capability Maturity Model [ISO/IEC 21827]
ST Security Target [ISO/IEC 15408]
TCG Trusted Computing Group
TOE Target of Evaluation
TMB ISO Technical Management Board
TPM Trusted Platform Module
ISO 15408, the Common Criteria Recognition Arrangement, and the role of SC27
David Martin, CCDB and SC27 WG3 Liaison
Many IT products contain functionality that is expected to meet end-user security requirements, either as a direct part of its primary role (e.g. a firewall) or in support of that primary role (e.g. a database holding sensitive data). Those responsible for procuring and building systems involving such products will therefore seek assurances from the developers/vendors that the products provide the appropriate security functionality and that the products have also been designed and built in a way that the security functionality will operate both reliably and robustly. Providing such assurance on an individual basis, or even on a per-nation basis via national evaluation schemes, is not a practical option for anything other than a few high volume/specialised requirements. What vendors and users need is an assurance scheme that is common across many nations and which provides mutual recognition of results (so that an evaluation and certification by one national scheme can be readily recognised by the other nations).
The international Common Criteria for Information Technology Security Evaluation (CC) and the companion document, the Common Methodology for Information Technology Security Evaluation (CEM), are used by the certification schemes that operate under the Common Criteria Recognition Arrangement (CCRA) to offer a cost-effective way for developers/sponsors of security-related IT products to offer confidence to their users worldwide. The CCRA and its subcommittees provide the framework for ensuring consistency and quality of evaluations (in conjunction with other quality assessment organisations covering the work of evaluation laboratories under ISO/IEC 17025), while the CC and CEM (together with other supporting documents where required) set the common requirements. Continual work, through regular meetings and other interchanges, is used both to harmonise the application and to further develop the standards. By publishing equivalent versions of the CCRA documents as ISO/IEC 15408 (three parts) and ISO/IEC 18045 respectively, ISO increases both the appeal and the usage of the standards (some nations require reference to ISO standards). Note however that the certification needs to be performed under the CCRA in order for mutual recognition to apply. The role of SC27, and specifically the WG3 subgroup, is very much greater however than one of simply reformatting and publishing equivalent versions. The working group itself comprises a wide body of experts and, through national representation and consultation mechanisms (voting etc.), takes input from an even greater range of experts. Their opinion is of sufficient importance that the Common Criteria Development Board (CCDB), which oversees the development of the CC and CEM, appoints a liaison officer and considers the liaison statements to/from SC27/WG3 at every meeting.
As new versions of the criteria are developed and as technical issues relating to the usage of the standards arise, SC27 WG3 are consulted for their opinions and input. Over its 10-plus-year life the CCRA has grown, so that it now comprises 26 nations, with half of these able to issue certificates. More than 1200 certificates have been issued and the level of interest both in certifying products and in becoming a member of the CCRA continues to grow. As general software products also continue to become both larger and more complex, and as the market demands increasingly rapid and effective assurance mechanisms that can comprehensively cover a wider range of products, the CCDB is currently reviewing the best way to provide this assurance and is seeking to replicate the undoubted success of the smartcard community (smartcards and similar devices form the largest single grouping of certificates, and the work of the community [including developers, government, evaluation facilities, and end users] provides a means by which the nations involved are able to obtain an even greater degree of mutually recognised assurance) across other technical areas. Through continual liaison with SC27 WG3 the wider needs of ISO, as an international standards body, will be maintained throughout this work. As a relatively new liaison officer (having only attended one meeting so far), my personal view is that the SC27 WG3 group, well supported by the various administration staff and tools, provides an effective and useful mechanism for gaining international consensus in the field. I congratulate SC27 on attaining its 20th Birthday and look forward to the continuation of its work across the next 20 years!
In Information Technology there is an ever-increasing need to use cryptographic mechanisms, such as for the protection of data against unauthorised disclosure or manipulation, for entity authentication and for non-repudiation. The security and reliability of such mechanisms are directly dependent on the cryptographic modules in which they are implemented. This International Standard provides for four increasing, qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The cryptographic techniques are identical over the four security levels. The security requirements cover areas relative to the design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operational environment; physical security; physical security - non-invasive attacks; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks.
The overall security rating of a cryptographic module must be chosen to provide a level of security appropriate for the security requirements of the application and environment in which the module is to be utilised and for the security services that the module is to provide. The responsible authority in each organization should ensure that their computer and telecommunication systems that utilise cryptographic modules provide an acceptable level of security for the given application and environment. Since each authority is responsible for selecting which approved security functions are appropriate for a given application, compliance with this International Standard does not imply either full interoperability or mutual acceptance of compliant products. The importance of security awareness and of making information security a management priority should be communicated to all concerned. Information security requirements vary for different applications; organizations should identify their information resources and determine the sensitivity to and the potential impact of a loss, implementing appropriate controls. Controls include, but are not limited to: physical and environmental controls, access controls, software development, backup and contingency plans, and information and data controls. These controls are only as effective as the administration of appropriate security policies and procedures within the operational environment. This International Standard is derived from NIST Federal Information Processing Standard (FIPS) PUB 140-2.

On July 17, 1995, the National Institute of Standards and Technology (NIST USA) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to Federal Information Processing Standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
The National Institute of Standards and Technology (NIST) administers the National Voluntary Laboratory Accreditation Program (NVLAP). NVLAP provides accreditation services through various laboratory accreditation programs (LAPs), which are established on the basis of requests and demonstrated need. Each LAP includes specific test or calibration standards and related methods and protocols assembled to satisfy the unique needs for accreditation in a field of testing or calibration. NVLAP accredits public and private laboratories based on evaluation of their technical qualifications and competence to carry out specific calibrations or tests. Vendors of cryptographic modules can use the independent laboratories that are accredited by NVLAP for Cryptographic and Security Testing (CST) for the testing of modules for conformance to Federal Information Processing Standard 140-2, Security Requirements for Cryptographic Modules. As of June 10, 2010, the CMVP has issued over 1325 validation certifications that represent over 2800 cryptographic modules. There are currently 17 NVLAP accredited CST Laboratories located in 5 countries: USA, Canada, Germany, Spain, Japan and Taiwan ROC. Additional USA and international laboratories are in the process of accreditation. The modules were submitted for testing from over 305 vendors located worldwide. The development and publishing of ISO/IEC 19790 builds on this foundation and is a testament to the value of the standard and of testing.
Security attributes extension and relation with dependability
Anne Coat-Rames, CIKR Project Manager, French Network and Information Security Agency
Jean Caire, Deputy CISO, RATP
There is a strategic question of whether to consider a system from one aspect only or to consider it as a whole. For example, the relations between security (1) and dependability receive different answers. Some think that these domains are not compatible and cannot be addressed together; others see them as synergistic, each contributing to the other's success. A lot of literature exists on this question, but, in summary, what is it about?

I. History
From a historical point of view, dependability (also called FMDS) aims to avoid system failures leading to catastrophic events (safety/harmlessness) and focuses on accidental causes (e.g. human fault, component dysfunction) or environmental causes (e.g. atmospheric conditions). Malevolent acts are not considered; the concepts and techniques set up for FMDS are not adapted to the treatment of malevolence, even if the general vocabulary of the standards makes it possible to take them into account. For example, dependability: 1) does not consider confidentiality; 2) relies, for ensuring message integrity, on error detection codes (e.g. checksums), which are not resistant to an intelligent attack.
These choices are based on the assumption that the system is closed, with non-malevolent actors. This simplifies the confidentiality question. This assumption has some well-known limits. For example, the transport FMDS reference framework includes two CENELEC standards, EN 50159-1 and EN 50159-2, about communications between components: one for closed systems (no hostile agents), the other for open systems, and it sets some old cryptographic primitives (not adapted to TCP/IP) as mandatory.
On the other hand, ISS comes from the need to ensure confidentiality in the face of a malevolent environment, in a system-preservation logic (see the first Bell-LaPadula security model). Extended to integrity and availability, ISS aims at the preservation of these attributes, in an immunity perspective.
(1) Safety = harmlessness, accent on (catastrophic) consequences for the system users. Security = immunity, accent on preservation of system properties against external aggressions (hostile source).
Quickly, it appears that concrete systems, and not only critical infrastructures, will have to fulfil dependability and ISS requirements, leading to the question "how to treat them together?" In short, the analysis demonstrates that all of their attributes are linked (see [LAAS]).
ISS focuses on availability, integrity, and confidentiality. Dependability focuses on availability and integrity, but also on reliability, safety, and maintainability. So they share at least the availability and integrity preoccupations. If these attributes are mastered in the framework of a security approach, they will probably contribute to dependability, on the perimeter addressed by ISS.
The integrity of the system contributes to its reliability, the likelihood of failure of a corrupted system being, in principle, higher than that of a sane system (or what about viruses?); consequently, by limiting the likelihood of system failure, it limits the likelihood that the system harms its environment and users, thereby increasing system safety. In the same way, if system maintainability is ensured in a dependability approach, it will contribute to system availability and integrity, from an ISS point of view.
In the strict ISS framework, confidentiality is already antagonistic with availability (see the break-glass principle for health data). Ensuring the confidentiality of sensitive data has a cost in volume and time efficiency, and adds to functional complexity, against the needs for reliability and robustness associated with dependability.

II. Comparison between concepts and terminologies
One cornerstone of this debate is located around the concepts and vocabulary of each domain. This point is illustrated in the diagram below, which proposes potential correspondences between dependability concepts (2) on the top, and ISS concepts (3) on the bottom of the picture. Analysis of ISS standards related to incident management shows the following issues: the dependability terms fault / error do not appear in ISS standards, even those about continuity management (BS 25999) or incident management (18044); for example, fault is never used, and Failure appears once in ISO 27031, as a synonym of disaster.
(2) For dependability, an actor commits a fault, and introduces an error in the system (component or documentation) (and the system is led into an unsecure / unstable state), that leads to a failure in the system behaviour.
(3) Incident: situation that might be, or could lead to, a business disruption, loss, emergency or crisis [BS 25999], or "issues to be addressed [include preparation and dealing with] such as ICT security incidents, including failures" [ISO 27031]. Disruption: interruption of normal business operations or processes which can range from short term to longer term unavailability (BS 25999).

Often, ISS concepts cover two or more dependability concepts (disaster and disruption are both the originating event (fault) and the failure caused by the event); Error is used as an action or the result of an action, but not in the meaning of the status of a system.
On the other hand, we can establish some parallels between ISS measures and the four fault management modes defined by dependability principles, listed below. Some examples of security measures can be associated with each fault management mode:
Fault management mode | Definition | Threats management examples | Vulnerability management examples
Fault prevention | prevent the occurrence or introduction of faults | Attack modelling (prevention or forecasting?) | Specification review, design and coding rules, formal development, system validation
Fault removal | reduce the number and severity of faults | Physical perimeter protection | System validation, debug (Bohr bug), bug fixing
Fault tolerance | avoid service failures in the presence of faults | System redundancy, back-up, diversity, survivability | Recoverability (Mandel bug: reboot node), diversity, survivability, failover to standby
Fault forecasting | estimate the present number, the future incidence, and the likely consequences of faults | Risk analysis / impact & likelihood evaluation | Aging bug
III. Perspectives and conclusions
This short analysis of the gaps between ISS and dependability concepts shows the wealth that dependability could bring to ISS, and reciprocally. And this not only on incident management issues, one of the major ISS concepts.
And it is there, in the basic concepts, that the main common points and the main differences between the two domains are located. Even if the definitions of the availability, reliability, continuity, and safety attributes are all different, ISS and dependability have a common goal: mastering risks. Whatever the system considered, the stakes are the same: limit the impacts of a system failure on the entity's activity, people, economic results, environment, reputation, and other business impacts.
The table below proposes some examples of security failures on systems considered as "protected" from a safety point of view, leading to significant impacts.
In all cases, the major difference between the two approaches is that ISS focuses on the system to protect, whereas dependability also focuses on the immediate and concrete potential impacts of the system on its environment, once damaged (4). In all cases, setting up an ISS approach contributes to systems' reliability and dependability, and jointly limits risks leading to impacts on companies, environment, people, and the whole society.
IV. Future: new concepts
Traditional ISS concepts make it possible to build extremely secure systems (e.g. control/command systems), within certain limits, like high cost, limited functions and efficiency. These systems, and their building concepts, are not yet sufficient for today's stakes of complexity, system openness, and the professionalism of sophisticated threats.
We have to move beyond single-view concepts, focused on fault prevention, and define new security principles, choosing system adaptation in the face of its environment and of the events it is in conflict with.
Answers to these questions can be brought by the concepts called survivability and resilience. Dependability is a help to go from the Information Assurance vision of systems security towards the Mission Assurance vision.
It makes it possible to reach the resilience and survivability (5) aspects of the system and organisation with the required arguments. (6)

All these disciplines are complementary, not antagonistic. (7) Security, safety or survivability each constitute only a partial vision of the system and its requirements. For a full vision, for understanding survivability, engineers and consultants have to consider security and safety.

As shown above, mastering risks creates real needs for establishing bridges between security and related disciplines. We are sure that SC27, as a centre of excellence in information security, will succeed in integrating security-related concepts providing added value to business in its general international standards.

(4) Can we say that for ISS the system implodes, and for dependability it explodes?
(5) Survivability: the degree to which a system is able to withstand attack and still function at a certain level (IA newsletter vol 12 no 4, Fall 2009, by Karen Goertzel Mercedes). Resilience may be defined as the ability of a system or organization to react to and recover from disturbances at an early stage, with minimal effect on the dynamic stability (Hollnagel, Woods and Leveson 2006).
(6) Illustration from M.G. Richards (MIT) 2009, survivability-attributes-extensions.
(7) See also Walter Schön (CNRS), Critical system security and cybercrime, towards global security.

Evaluation Criteria for IT Security
Svein Johan Knapskog, Professor, Centre Director, Centre for Quantifiable Quality of Service in Communication Systems (Q2S), Norwegian University of Science and Technology (NTNU), Trondheim, Norway. URL: http://www.q2s.ntnu.no/people
1 Introduction
Security is increasingly seen as one of the basic qualities of ICT services. Without adequate security, a number of potential service users will decline the use of net-based services which they otherwise would have found to be effective and useful. Service providers must be able to convince users that information which is exchanged as a part of the service-related procedures, and which may be seen as sensitive, e.g. for economic or personal reasons, is not going astray or falling victim to any kind of abuse or misuse. However, it is not at all easy to describe and characterize ICT security in quantitative and absolute terms; the answer to this challenge may perhaps be sought by other means. It may be that adequate assurance can best be obtained by ICT product and/or system security evaluation performed by personnel with adequate competence, preferably performing their skilled duties in a security evaluation laboratory owned and run by an administratively and economically independent third party. A security evaluation aims at providing developers, manufacturers, vendors and end users alike a common framework for understanding and describing the security challenges they are all facing, and at using this framework to their advantage as a tool to describe the technical and organizational measures necessary to meet the security challenges.

2 ISO/IEC IS 15408, Part 1/3 - Evaluation Criteria for IT Security
Evaluation of the security of ICT systems for non-military applications has been performed since the beginning of the 1980s, based on the criteria published in the US standard entitled "Trusted Computer Security Evaluation Criteria" (TCSEC, colloquially termed "The Orange Book").
Towards the end of the decade, Canada and a group of European countries, encompassing the United Kingdom, Germany, France and the Netherlands, had also begun the development and publication of evaluation criteria intended for use in their respective national schemes for ICT security evaluation and certification. Both the Canadian and European criteria were somewhat different from the TCSEC in structure and content, since their intention was to emphasize product evaluations more strongly than what had until then been the prevalent mode of operation used by the US evaluation scheme, which mainly targeted the holistic assessment of centralized computer plants. As soon as product evaluation becomes the main focus area, it becomes more natural to regard security functionality and security assurance as two independent security aspects, which can be specified independently, at least to a certain (some will argue fairly high) degree. The introduction of this pivotal principle opened up a far more flexible evaluation regime, with significant potential for time-saving procedures in the actual performance of the evaluation, and the possibility of future procedures opening up the development of secure products by reusing previously evaluated products as building blocks when composing a more complex product or system. The Canadian and European initiatives spurred further development of the US criteria, and in the early 1990s a document entitled "Minimum Security Functionality Requirements" (MSFR) was released to the public. This was the forerunner of a completely revised set of criteria for the US scenario, the "Federal Criteria", which was intended to completely replace the "Orange Book". The "Federal Criteria" incorporated the principle of independence between security functionality and assurance, and was in that respect an obvious and conscious adaptation to the development triggered by Canada and Europe towards a new evaluation paradigm.
An illustration of the early development of the different emerging initiatives is given in Fig. 1.
Fig. 1 Time relations between national and European criteria initiatives
[Figure 1 labels recovered from the page: US Orange Book; Canadian CTCPEC; European national criteria and ITSEC; NIST Federal Criteria; ISO Common Criteria CC V.1.0, CC V.2.0, CD/DIS; years 198x to 199x.]

In parallel with the transition from "The Orange Book" to the "Federal Criteria", a development process was started in ISO, managed by the newly established Sub-Committee 27 "Security Techniques" (SC 27). The standardization effort picked up on the direction indicated by the development of the aforementioned national and European initiatives within the field. It became obvious that a significant number of independent, possibly diverging, standards in this area could lead to a suboptimal situation both for developers, vendors and end users of secure ICT products and systems. It would be in the best interest of all parties involved that a worldwide, internationally recognized regime for evaluation could be established, so that the market operators would have the necessary confidence that there would be sufficient end-user demand for a standardized scope and quality of security measures in ICT products. At the SC 27 meeting in Stockholm in April 1990, a dedicated Working Group (WG 3) was established with the mandate to work for the future international standardization within the area. Naturally, the starting point of the work was to be the existing published criteria, and the goal was to identify the parts of these which represented the best current practice for security evaluation, in principle, method and technique, and to combine these parts into a consistent set of security evaluation criteria which would be universally recognized as the new standard. As is shown in Fig. 1, the nations actively involved in the development of evaluation criteria continued their work with the criteria in parallel with the ISO working group.
After presentations of the newly published US Federal Criteria in Europe in 1993, a project for a joint US, Canadian and European Task Force named the Common Criteria Editorial Board (CCEB) was established to coordinate and further develop the parts of the existing different criteria documents with the widest support, with the aim of producing one common set of documents which could be used as input to the international standardization process managed by SC 27/WG 3. The project activity of the CCEB was fully coordinated with the standardization process in SC 27/WG 3, both time- and content-wise, through a Category C liaison, which signifies technical cooperation at a minute level of detail. The resulting standard [1, 2, 3], commonly referred to as the Common Criteria (CC), was finally published in 1999, after having collected majority support from the voting members of ISO and IEC active in the subcommittee ISO/IEC JTC 1/SC 27. Since then, several revised versions have followed. At the time of writing, the latest versions of the standard are from 2008 (parts 2 and 3) and 2009 (part 1).

3 Evaluation Model
ICT security evaluation is a technical discipline, and needs to follow the general guidelines for (today's) "best engineering practice" within the field. There are two main directions or practices for ICT security evaluations: one is termed product evaluation while the other is referred to as system evaluation. A product evaluation is performed for a product which is still sitting on the shelf of a manufacturer or a vendor, and the future operative environment for the product can be assumed, but it is not known. A product evaluation can be performed both concurrently, i.e. running in parallel with the development of the product, and as a separate process after the development is finished.
A system evaluation, on the other hand, is performed on an ICT system, which is a composite product or set of products installed in their normal operating environment, which is assumed known in every necessary detail. Physical, personnel and organizational conditions can be parameterized and taken into consideration during a system evaluation. Figure 2 shows the general model of an evaluation situation. The Target of Evaluation (TOE) is developed under the influence of a set of generic security requirements specified in a Protection Profile (PP) and/or specific security requirements specified in a Security Target (ST). Both the PP and the ST are developed in accordance with the criteria (CC). The requirements for the evaluation process itself are also found in the CC. These will in turn be sent to an evaluation task force, together with the necessary documentation, i.e. the documentation of the detailed technical procedures in the different product development phases, the product manuals for the installation and maintenance of the product in its operating environment, and the user manuals for the TOE.

Figure 2 General model for evaluation [1]

An evaluation report is produced as part of the evaluation task. The report can be used as the basis for a subsequent certification process, but it is also naturally required by the user or owner of the TOE. In an ideal world, data could be collected in the operative phase of the lifetime of the TOE, and the security-relevant part of such data could be fed back to the different development stages of future versions of the products, to improve the protection offered by the implemented security countermeasures against the threats experienced in the operational environment of the TOE. However, how to organize such closed life-cycle loops in a commercial setting is still an open issue.

4 Security requirements
The TOE incorporates security measures derived from the security objectives of the TOE.
The security objectives must be satisfied by the collection of security requirements derived from different sources, such as:
the security policy of the organization
identifiable threats
laws
regulations
In addition, the knowledge and expertise found in the environment which could be used to exploit weak or missing security countermeasures or unknown vulnerabilities of the TOE must somehow be assessed. Documentation of the security objectives is done on a relatively abstract level of the specification hierarchy. The TOE design specification and the TOE implementation documentation are the next levels of detail, and contain the necessary concretization and specification of security requirements. Some security requirements need to be tested in order to decide what security countermeasures, in the form of security services and mechanisms, are relevant. It is important to be aware of the fact that even though specified functional properties and behavior can be tested to the full, the absence of unwanted properties or behavior can never be exhaustively tested.

5 Definition of Assurance [3]
Assurance is based on a set of Security Assurance Requirements (SARs) which are formulated in a standardized language to ensure exactness and facilitate comparability between evaluation results. The Security Target for a TOE provides a structured description of the evaluation activities to determine the correctness of the SARs. The SARs serve as standard templates with which one can express assurance requirements for TOEs. In [3], the set of assurance components is catalogued, and the components are organized into families and classes. Seven pre-defined assurance packages, which are called Evaluation Assurance Levels (EALs), are listed. If the SARs are met, assurance in the correctness of the TOE is established, and the TOE is therefore less likely to contain vulnerabilities which can be exploited by attackers. The amount of assurance that the correctness of the TOE is as claimed is determined by the scope, depth and rigor of the examinations which are performed according to the components required to match the SARs.
6 Building confidence in the evaluation process
The confidence that the security countermeasures designed and built into the TOE are as effective and appropriate as claimed by the manufacturer and/or vendor, and that they are correctly implemented, must be deduced from detailed knowledge of the product or system. The general knowledge must encompass the definition, construction, implementation, and in the ideal case also the operation of the TOE. In a product evaluation paradigm, the information on the operating environment is normally not accessible and the knowledge of the operating phase can therefore not be included in the evaluator's knowledge base. The evaluator can make assumptions about the future operating environment of the TOE, and base his assessment on the realism of these assumptions. The confidence that the totality of the security properties of the TOE is indeed adequate for its intended purpose must in any case be transferred from the evaluator (after the laboratory itself is satisfied that this is the case) to the end user. One of the main arguments for using a common set of evaluation criteria is that it may contribute to a common understanding of the evaluation process, with its capabilities and limitations, and of the different roles the different actors are presumed to play, both in connection with the evaluation itself and in the transfer of security confidence.

7 Organizing the requirements in the CC
The security requirements described in the CC are hierarchically ordered. The top level is called a class, encompassing functional or assurance components sharing a common intent, but with different coverage of the security objectives. Security objectives are expressed by families. A family is defined for those security components which aim to satisfy similar objectives, but with a varying degree of importance and thoroughness expressed by components.
A component is a mapping of a set of security requirements, while the lowest level in this hierarchy is an element. An element describes atomic security requirements, i.e. requirements where further sub-division would probably not lead to any meaningful evaluation result.

An Evaluation Assurance Level (EAL) is characterized by:
Scope: what parts of the ICT system are security relevant and therefore must be included in the evaluation.
Depth: the evaluation is performed in varying detail in design and implementation, and in the appurtenant documentation for each category.
Rigor: the evaluation is performed with varying emphasis on structure and formality.

The requirement for functional security components from one or more of the functional classes will be expressed in a PP and/or an ST. The sum of the components characterizes the security-relevant capabilities of the TOE, where relevance is given by the necessary and adequate measures to be taken to satisfy the security objectives stated for the TOE (product or system). The user will be able to detect the security behavior of the TOE by direct interaction with the TOE via its external interfaces or by observing the TOE's response to external stimuli. The set of security functionality classes is considered 'open', in the sense that it can be extended by new or amended classes whenever needed, e.g. triggered by new or changed requirements, to meet both contemporary and future demands.

8 Protection Profiles (PPs)
A Protection Profile (PP) is a generic security specification containing a set of security requirements, either taken from the CC or explicitly expressed in a separate security specification, which can be assumed to adequately address the security objectives of a certain type of application. A PP describes both functional security requirements, as a combined list of functional security classes, families or components, and assurance requirements compliant with a given EAL.
In addition to the security requirements, a PP will also contain a rationale for the security objectives which are specified and for the corresponding security requirements which are found necessary and adequate to satisfy those objectives. Extended component definitions allow users to specify functional and assurance components not already defined in CC Part 2 or Part 3. This can be necessary if users (developers) come to the conclusion that the existing component sets are not quite adequate for the intended usage, e.g. if specific new threat scenarios emerge. When specifying the security assurance requirements for an EAL, only one component from each assurance family is chosen. The assurance components are strictly hierarchical: a component from the same family with a higher number includes all assurance elements present in the components with lower numbers. For each family used, the PP describes the actions the developer (or manufacturer) and the evaluator will have to perform to establish the necessary confidence that the security measures for the TOE are actually satisfactorily established. A vital part of a PP is the rationale for the security objectives chosen for the TOE, which functional and assurance requirements have been derived to obtain them, and what strength of the chosen security mechanisms is to be used.

9 Protection profile registries

A PP is assumed to be reusable. To disseminate knowledge of which PPs have already been developed, an open registry of PPs has been established [4]. End users, organizations, companies or special interest groups can use this register of PPs directly if the entries therein are found to adequately address their security needs.
A previously registered (potentially evaluated and certified) PP may also serve well as a starting point for the further development of new PPs which cover the security needs of other, possibly related, application areas with slightly different or extended security requirements. A PP which is listed in the register with status evaluated has been evaluated against the same criteria as other ICT products or systems, i.e. the CC, Parts 2 and 3.

10 Security Target

A Security Target (ST) is an implementation-dependent statement of security needs for a specific identified TOE. An ST may be based on one or more PPs to show that the ST conforms to the security requirements expressed in those PPs. The ST describes the security objectives of the TOE and demonstrates that the specified countermeasures are sufficient to fulfill the security requirements derived from the objectives. Security objectives are commonly determined by the sum of security policy decisions, formal rules and regulations, and identified threats in the operating environment. Countermeasures which fulfill the security requirements will counter all identified threats. For practical reasons, the countermeasures are divided into two groups: a) those that fulfill the security requirements for the TOE, and b) those that fulfill the security objectives for the operational environment. Only the countermeasures implemented to fulfill the security requirements for the TOE are subject to evaluation. Countermeasures against threats identified in the operating environment must be implemented based on assumptions; their correctness and strength are not evaluated. An ST is subject to a separate evaluation, using the ST evaluation criteria specified in [3], Clause ASE, prior to the actual TOE evaluation. The purpose of the ST evaluation is to determine the sufficiency of the TOE and the operating environment.
11 Common Evaluation Methodology (CEM)

The Common Methodology for Information Technology Security Evaluation (CEM) [5] is a companion document to the CC. The CEM describes the minimum actions to be performed by an evaluator in order to conduct a CC evaluation, using the criteria and evaluation evidence defined in the CC. There are direct relationships between the CC structure (class, family, component and element) and the structure of the CEM, expressed as activities, sub-activities and actions. Each evaluation, whether of a PP or of an ST/TOE, follows the same process, which has four main evaluator tasks:
- input task
- output task
- evaluation sub-activities
- demonstration of technical competence to the evaluation authority
In an evaluation, there are four basic roles:
- Developer
- Sponsor
- Evaluator
- Evaluation (and certification) authority
The sponsor is responsible for commissioning and supporting the evaluation. It establishes the different agreements for the evaluation and ensures that the evaluator is provided with the evaluation evidence. The developer produces the TOE and is responsible for providing the evidence required for the evaluation. Roles are supposed to be fully independent, both organizationally and economically, with one possible exception: one organization may act in both the developer and the sponsor roles. The evaluator performs the evaluation tasks required in the context of an evaluation. This entity receives the evaluation evidence from the developer on behalf of the sponsor, or directly from the sponsor, performs the evaluation sub-activities and provides the results of the evaluation assessment to the evaluation authority. The evaluation authority establishes and maintains the scheme, monitors the evaluation conducted by the evaluator, and issues certification/validation reports as well as certificates based on the evaluation results provided by the evaluator. The evaluation process may be preceded by a preparation phase in which initial contact is made between the sponsor and the evaluator. The intent of this phase is to perform a feasibility analysis to assess the likelihood of a successful evaluation.

The overall verdict of an evaluation is pass if and only if the verdicts of all the sub-activities are also pass. If the verdict for any evaluator action element is fail, then the verdicts for the corresponding assurance component, the assurance class and the overall evaluation are also fail. The intent of using a common evaluation methodology, even in a commercially competitive market, is to obtain, to the largest possible degree, evaluation results which are comparable and repeatable, and to keep costs at a reasonable and predictable level.
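The structural rules in sections 7, 8 and 11 above (components grouped into families and classes, one component per assurance family, higher-numbered components subsuming lower ones, and the CEM verdict roll-up) are easy to get wrong when checking a sponsor's claimed assurance package by hand. The following is an added example, not code from the article or from any evaluation scheme: it models those rules in Python. Family and element names follow the CC naming style (for instance ADV_FSP.2.1E for an evaluator action element), but the package, the verdicts and the "inconclusive" state for unassessed elements are constructed for illustration.

```python
"""Added example: CC assurance structure and CEM verdict roll-up.
Families (ADV_FSP, ...) belong to classes (ADV, ...); each component in a
family carries evaluator action elements that receive a verdict.  The
package and verdicts below are constructed, not taken from a real TOE."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    INCONCLUSIVE = "inconclusive"  # assumption: element not yet assessed


def combine(verdicts):
    """CEM roll-up: pass iff every sub-verdict is pass; any fail makes the
    enclosing component, class and overall verdict fail; anything else
    (an unassessed element) leaves the result inconclusive."""
    vs = list(verdicts)
    if any(v is Verdict.FAIL for v in vs):
        return Verdict.FAIL
    if vs and all(v is Verdict.PASS for v in vs):
        return Verdict.PASS
    return Verdict.INCONCLUSIVE


@dataclass
class Component:
    family: str                    # e.g. "ADV_FSP"; its class is the prefix "ADV"
    level: int                     # components within a family are hierarchical
    elements: dict = field(default_factory=dict)  # element id -> Verdict

    @property
    def name(self):
        return f"{self.family}.{self.level}"

    @property
    def assurance_class(self):
        return self.family.split("_")[0]

    def verdict(self):
        return combine(self.elements.values())


def package_problems(components):
    """The EAL rule: only one component from each assurance family."""
    chosen, problems = {}, []
    for c in components:
        if c.family in chosen:
            problems.append(f"{c.family}: {chosen[c.family]} and {c.name} both selected")
        chosen[c.family] = c.name
    return problems


def meets_or_exceeds(candidate, required):
    """A higher-numbered component includes every element of the lower ones,
    so a package satisfies a required package (an EAL, or an EAL plus
    augmentation) when each required family is present at >= its level."""
    levels = {c.family: c.level for c in candidate}
    return all(levels.get(c.family, 0) >= c.level for c in required)


def roll_up(components):
    """Element verdicts -> component -> class -> overall verdict."""
    by_class = {}
    for c in components:
        by_class.setdefault(c.assurance_class, []).append(c.verdict())
    classes = {k: combine(v) for k, v in by_class.items()}
    return {
        "components": {c.name: c.verdict() for c in components},
        "classes": classes,
        "overall": combine(classes.values()),
    }


# Constructed sample: verdicts an evaluator might have recorded part-way
# through evaluating a TOE against a small assurance package.
SAMPLE = [
    Component("ADV_FSP", 2, {"ADV_FSP.2.1E": Verdict.PASS, "ADV_FSP.2.2E": Verdict.PASS}),
    Component("ADV_TDS", 1, {"ADV_TDS.1.1E": Verdict.PASS, "ADV_TDS.1.2E": Verdict.FAIL}),
    Component("ATE_IND", 2, {"ATE_IND.2.1E": Verdict.PASS, "ATE_IND.2.2E": Verdict.PASS,
                             "ATE_IND.2.3E": Verdict.PASS}),
    Component("AVA_VAN", 2, {"AVA_VAN.2.1E": Verdict.PASS, "AVA_VAN.2.2E": Verdict.PASS,
                             "AVA_VAN.2.3E": Verdict.INCONCLUSIVE}),
]
# A lower package the sponsor also wants to claim conformance to.
LOWER = [Component("ADV_FSP", 1), Component("ADV_TDS", 1),
         Component("ATE_IND", 1), Component("AVA_VAN", 1)]

if __name__ == "__main__":
    result = roll_up(SAMPLE)
    for name, v in result["components"].items():
        print(f"{name:12s} {v.value}")
    print("classes:", {k: v.value for k, v in result["classes"].items()})
    print("overall:", result["overall"].value)   # fail, because ADV_TDS.1.2E failed
    print("one component per family:", package_problems(SAMPLE) == [])
    print("SAMPLE meets LOWER:", meets_or_exceeds(SAMPLE, LOWER))
    print("LOWER meets SAMPLE:", meets_or_exceeds(LOWER, SAMPLE))
```

The single failed element in ADV_TDS.1 is enough to fail the ADV class and the whole evaluation, regardless of how many other elements passed; the still-unassessed AVA_VAN element only leaves its class inconclusive. The `meets_or_exceeds` comparison is the check a scheme applies when a certificate claims an EAL with augmentation: it relies on the within-family hierarchy and says nothing about components from families the required package does not mention.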
12 Industrial and societal impact of IS 15408

The purpose of having an international standard by which to assess the security of IT products is rather obvious. The evaluation process is time consuming and costly. The cost comes both from the time spent and from the very high security competence expected of the professionals performing the evaluation. To alleviate the impact of these mechanisms as much as possible, it is vital that the evaluation process itself is streamlined to give high efficiency and reliable results which can be interpreted and reused in all countries and every market sector. The laboratories performing the actual evaluation and the public authorities managing the national evaluation schemes need to be at an internationally comparable and acceptable level of quality and capacity. The nations that have actively participated in the development of the criteria standard have managed this cooperatively by establishing the Common Criteria Recognition Arrangement (CCRA), the original text of which is downloadable from [6]. The group of nations already established as cooperative members assesses the national evaluation schemes and evaluation facilities of countries which would like to join the community, and thereby guarantees the consistency and quality of the technical and managerial schemes accepted as new members. Working with common standards, both for the technical and the managerial aspects of security evaluation, improves efficiency and cost-effectiveness and eliminates the danger of having to perform duplicate evaluations of IT products as well as of protection profiles. A considerable number of industrially developed countries have joined the CCRA, thereby creating a common understanding of the technical aspects of the evaluation process, as well as a unified market for certified IT security products.
The IT developers' interest in this type of evaluation scheme is to obtain certificates for their IT products, so as to give end users the assurance they need that best engineering practices have been employed when designing and implementing the security functionality of the product in question. The user communities benefit from the CCRA indirectly: they can consult the database of previously evaluated IT products when searching for secure building blocks, evaluated to a certain assurance level, for IT products under development, and they can consult previously registered protection profiles, which will frequently also have been evaluated. In the end, all of these arrangements have a common goal for all participating parties: to improve the quality of security-providing products and services in the ever expanding cyberspace.

References
[1] ISO/IEC 15408-1:2009. Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model.
[2] ISO/IEC 15408-2:2008. Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 2: Security Functional Components.
[3] ISO/IEC 15408-3:2008. Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components.
[4] http://www.commoncriteriaportal.org/pp.html
[5] ISO/IEC 18045:2008. Information Technology - Security Techniques - Methodology for IT security evaluation.
[6] http://www.commoncriteriaportal.org/files/operatingprocedures/cc-recarrange.pdf

ASSURANCE LANDSCAPE 8
INTRODUCTION

Associated with any product or service, in addition to the features or functions provided, is the trust and confidence that the product or service will function as advertised and provide the intended results, or that the product or service will be replaced or reconditioned. This confidence and trust is generally referred to as "Assurance", particularly within the Information and Communications Technology (ICT) Security realm.
Within ICT Security, Assurance does not provide any additional security services or safeguards; it rather refers to the security of the product or service, and to whether the product or service fulfills the requirements of the situation, i.e. satisfies the Security Requirements. This may appear to be a less than important aspect at first sight, particularly when the cost of providing or obtaining Assurance is factored in. However, it should never be forgotten that, while Assurance does not provide additional security services or safeguards, it does serve to reduce the uncertainty associated with vulnerabilities, and thus the need for additional security services or safeguards. In this manner cost savings may accrue. Thus Assurance is a very important element when performing a Security Risk Assessment, and during the Risk Management phase of determining whether additional safeguards are required and setting priorities.
Within ICT Security, Software plays a vital role. It forms an important part of most if not all Security Mechanisms. The associated Software Assurance is also vital, perhaps even more so in the case of software, as so many security breaches occur via the avenue of software defects.

THE ASSURANCE CASE

Assurance in and of itself, in all cases, is a complex topic, and nowhere more so than in the case of Software Assurance. Generally speaking, associated with any product or service is an Assurance Case. This Assurance Case provides the confidence and trust that the user of the product or service may have in the security of the product or service. The Assurance Case then is an overall package of Assurance related to the product or service.

8 Copyright P/IIT, 2007
The Assurance Case may be represented in many ways and many forms, but often it is instantiated in the name and logo of the product vendor or service provider. The Assurance Case is supported by a number, one or many, of Assurance Claims that form part of the Assurance Case. These Assurance Claims may be overtly presented as part of the product or service, or they may be less obvious and form part of the supporting documentation.

ASSURANCE CLAIM

Assurance Claims are often represented as "Marks or Symbols" that may be applied to the product or service9. Marks and Symbols come in many types, ranging from registered and certified Marks that include "Third Party" testing and certification of the product or service, to Symbols that include the registered Logo of the product or sub-assembly. Symbols are often used for the purpose of "authenticating" the origin of the product or service.
As an example, if one turns over a laptop or notebook computer, or its power supply, one will see a series of Marks related to the electrical and electronic safety and interference of the product. These are Assurance Claims. They tell the user that the product has been tested and is safe to use. In some cases they may include limitations on use, such as the limits on the voltage range of the power supply. Another kind of Mark, more correctly a Symbol, may also be seen on many of these products, but is usually located inside the laptop. This symbol denotes the processor chip used in the laptop, e.g. "Intel Inside". Again this is another type of Assurance Claim. Together, these and other types of Assurance Claims go to make up the Assurance Case associated with, in this case, the product.
Assurance Claims come in many different types and can be used in many different ways. They are often for different purposes. In the example above, the Symbol used to denote the type of processor chip in the laptop is an example of "Pass Through Assurance"10. This form of Assurance Claim is intended for the final purchaser of the assembled product, i.e. you and I, not directly for the integrator of the parts that create the final product. It is used by the integrator as a part of the overall laptop Assurance Case. Other Assurance Claims of the processor chip's Assurance Case would be targeted directly at the integrator, and are not likely to be presented to the final product user.

9 Marks and Symbols are most often associated with products.
10 See ISO/IEC TR 15443-3 for more details.
The form, structure and nature of the Assurance Claim is therefore usually dependent upon the user of that Assurance Claim and their needs. In the examples given above, Symbols are frequently used, at least in part, to ensure the authenticity of the product or service. The final user can be assured that the product or service is authentic. However, this is dependent upon the user being able to identify a forgery, which may not be easy, and upon the owner of the Symbol prosecuting forgeries vigorously. If these two actions do not occur, then the value of the Assurance Claim provided by the Symbol is undermined.
In the case of Marks the situation is a little different. Generally Marks are owned and registered by an independent organization, and there are Third Party Testing Laboratories that ensure compliance with the requirements of the Mark. Marks are also rigorously defended and any fraudulent use of the Mark is prosecuted. Products carrying false Marks will be withdrawn from sale.
Marks and Symbols are one type of Assurance Claim. They use an icon to represent the claim. Other types of Assurance Claim use natural language to express the claim in words, and in some cases mathematical or chemical notation may be used. The form of expression depends largely upon the intended recipient of the Assurance Claim and their needs. However, particularly when using natural language, considerable care is needed when constructing the Assurance Claim.
Assurance Claims should not be open ended. Many Assurance Claims are associated with limitations. For example the claim may be limited to a temperature range of applicability. Alternatively the claim may be limited by the way in which the product or service is used. Outside these limitations the Assurance Claim is not considered to be of value.
Another trap to be avoided is a negative claim. A trite example of this is the statement that "The Loch Ness Monster does not exist". This kind of statement is impossible to prove; one can only prove that the Loch Ness Monster exists, not that it does not. This brings us to another important property of Assurance Claims: they must be provable. In the example above it is immaterial whether one "believes" that the Loch Ness Monster exists or that it does not; that is a matter of belief, whereas in terms of proof it is not possible to prove that it does not. Assurance Claims are about Proofs, not beliefs, and thus negative claims must be avoided.
As an example related to software of what has been discussed in the preceding paragraphs, an Assurance Claim that a software product "is secure" would be a poor claim and of little value. It has no limitations placed upon it, nor can it be proven. However, an Assurance Claim that the software product "contains no exploitable buffer overflows" would be a good Assurance Claim, as this claim can be substantiated by Assurance Arguments and supported by Assurance Evidence. Even this claim is only as good as the scope attached to it: which version, which components and which configuration it covers.
As can be seen from the preceding, constructing Assurance Claims is not necessarily an easy or simple task. The Assurance Claim should take into account the needs of the final user and their technical expertise. Some final users can learn to "Trust and Have Confidence in" a Mark or Symbol without the necessity of dealing with complex technical material. However others are unlikely to be satisfied with just the Mark or Symbol, particularly if the product or service is to be integrated into another product or system. In these cases they need the technical details.

ASSURANCE ARGUMENTS

Assurance Arguments substantiate the Assurance Claim. There may be a single Assurance Argument or several to substantiate an Assurance Claim. In some cases a single Assurance Argument may be used to substantiate multiple Assurance Claims.
Assurance Arguments can be constructed in multiple ways; however it is important to remember that they are the proofs offered to substantiate the Assurance claimed, and therefore should be structured in the appropriate manner.
As an example of an Assurance Argument, in the example used earlier of an Assurance Claim that a software product "contains no exploitable buffer overflows", the Assurance Argument offered to substantiate this claim might be that the software product had been subjected to static analysis by a tool designed to test for exploitable buffer overflows. Provided that a reputable and well recognized tool was used, this argument might constitute adequate "Proof". Note, though, what such an argument actually establishes: that the tool, as configured, reported no findings on the code it analysed. To carry the claim, the argument should record the tool and its version, the rule set and configuration, which parts of the code base were analysed, and how any findings were triaged; a clean static-analysis report is evidence of absence only within those limits.
In the case of a Mark, the Assurance Argument that substantiates the Assurance Claim represented by the Mark is the set of requirements and details of the testing associated with the use of the Mark.
In the case of a Symbol the situation is somewhat different. In this case the Assurance Argument is substantiated by the reputation of the organization that owns the Symbol or whom the Symbol represents. It may also be substantiated by the warranties and guarantees offered by the product or service vendor that are associated with the product or service.
Other Assurance Arguments that substantiate Assurance Claims, particularly with regard to security or safety, may relate to the security engineers who designed the product or service, and their professional competence to do the job. The argument may state, for example, that the security engineer(s) were professionally certified under the International Systems Security Professional Certification Scheme (ISSPCS).
Another kind of Assurance Argument may relate to the processes used to design the product and in its production, or to the processes used to provide the service. In this case the argument would likely relate to the level of maturity of those processes, or to the maturity profile of the processes, perhaps using ISO/IEC 21827, the Systems Security Engineering - Capability Maturity Model (SSE-CMM).
An Assurance Argument can be constructed based on an evaluation and testing of the product. This approach is often used for security related products, particularly under the Security Evaluation or Common Criteria scheme, ISO/IEC 15408. In this case the Assurance Argument is based upon the Protection Profile of the product and the Evaluation Assurance Level achieved11.
As can be seen, Assurance Arguments can be constructed in many different ways and drawn from many different sources. In the examples given above, the Assurance Arguments have been based upon:
- Testing and evaluation of the product or service,
- The reputation of the supplier,
- The professional competence of the engineers performing the work, and
- The maturity of the processes used.
Other sources that could be used include:
- The methods used in the design of the product or service,
- The tools used in the design of the product,
- The tools used in the performance of the service, and
- Many other potential sources.

11 For more information see ISO/IEC 15408 (All Parts), or www.CommonCriteriaPortal.org
All of the above can be used to substantiate the Assurance Claim. Which ones are in fact used in a particular instance largely depends upon the needs of the assurance recipient and how they will make use of the Assurance Case associated with the product or service.

ASSURANCE EVIDENCE

The Assurance Argument is supported by Assurance Evidence. Again there are many forms of Assurance Evidence that can be used. However, what is important about the evidence is that it is demonstrable, repeatable and defensible.
Some examples of Assurance Evidence related to the examples used earlier in this paper are given in the following bullets:
- The Mark: the results of tests performed on the product and the sampling techniques used,
- The Symbol: the organization's past history and testimonials from satisfied customers,
- Professional competence: the certificate number of the professional, and the syllabus that the professional is tested against,
- Process Maturity: the results of appraisals of the organization's processes,
- Independent Evaluation: the Security Target of the system and the Evaluation results, and
- Tools and Methods: the independent testing of the tools and their evaluation, testing and reputation for completeness, robustness and effectiveness.
CONCLUSION

As can be seen, the assurance landscape is relatively complex. Assurance needs to be approached from the recipient's or user's requirements perspective, and from how they will make use of the assurance. Assurance can take many forms and be presented in multiple different ways. For example a single Assurance Argument may have multiple Assurance Claims associated with it: one a Mark for use by certain kinds of assurance consumer, and a second claim in natural language for different kinds of assurance consumers.
Sources of assurance and assurance types can be many and varied. Some sources are better at providing certain types of assurance than others. Which is to be used depends upon the assurance needs, but generally more than one source of assurance is required. For more information on this topic, see ISO/IEC TR 15443-3.
Generally speaking, Assurance Claims in the form of Marks or Symbols will be represented on the product itself. Some narrative Assurance Claims may be represented on the product; however narrative Assurance Claims are more likely to be found in the supporting documentation. In the case of services, Assurance Claims are almost always contained in the supporting documentation.
As for Assurance Arguments, these may be included in the documentation, but are more likely to be made available upon request. Assurance Evidence is generally available only upon request. As has been said several times before, how and where the Assurance Case is presented largely depends upon the needs and requirements of the assurance recipient or user.

SUMMARY

In summary, the assurance landscape is made up of four elements:
- The Assurance Case, which is the total package of assurance associated with the product or service,
- The Assurance Claim(s), which are the actual statements of the assurance associated with the product or service,
- The Assurance Argument(s), which are the proofs that substantiate the claims, and
- The Assurance Evidence(s), which are the materials that support the proofs.
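The four elements summarised above, and the rules the paper attaches to them (claims must be bounded and provable, every claim needs an argument, every argument needs evidence, evidence must be demonstrable, repeatable and defensible, and one argument may serve several claims), can be written down as a small data model with a review pass. The following is an added example, not code from the paper or from ISO/IEC TR 15443; the sample case, the tool name "sa-check", the product name, the commit hash and the version strings are all constructed for illustration, and the review only checks the structure of the case, not whether an argument actually supports its claim.

```python
"""Added example: Assurance Case -> Claim -> Argument -> Evidence, with a
structural review.  The sample case and all names in it are constructed."""
from dataclasses import dataclass, field


@dataclass
class Evidence:
    description: str
    demonstrable: bool = True
    repeatable: bool = True
    defensible: bool = True

    def sound(self):
        # The paper's three properties of usable evidence.
        return self.demonstrable and self.repeatable and self.defensible


@dataclass
class Argument:
    description: str
    evidence: list = field(default_factory=list)


@dataclass
class Claim:
    statement: str
    scope: dict = field(default_factory=dict)    # the claim's limitations
    arguments: list = field(default_factory=list)


@dataclass
class AssuranceCase:
    subject: str
    claims: list = field(default_factory=list)


def review(case):
    """Return (finding, item) pairs for every structural gap in the case."""
    findings = []
    for claim in case.claims:
        if not claim.scope:                      # open-ended claims are worthless
            findings.append(("open-ended claim", claim.statement))
        if not claim.arguments:                  # a claim with no proof offered
            findings.append(("claim without argument", claim.statement))
        for arg in claim.arguments:
            if not arg.evidence:
                findings.append(("argument without evidence", arg.description))
            for ev in arg.evidence:
                if not ev.sound():
                    findings.append(("weak evidence", ev.description))
    return findings


def build_sample_case():
    """Constructed case for a hypothetical 'example-daemon 2.1'."""
    scope = {"product": "example-daemon 2.1 (hypothetical)",
             "component": "network parser", "platform": "Linux x86_64",
             "configuration": "as shipped"}
    # One argument substantiating two claims, as the paper allows.  The tool,
    # its version and the commit hash are assumptions, not real artefacts.
    static_analysis = Argument(
        "Static analysis with sa-check 4.2 (hypothetical), ruleset memory-safety, "
        "full source tree of the network parser",
        [Evidence("sa-check report: zero findings at commit 3f9c2a1 (constructed)"),
         Evidence("Tool configuration and ruleset archived with the release")])
    overflow = Claim("Contains no exploitable buffer overflows", scope, [static_analysis])
    unbounded = Claim("Uses no unbounded C string functions (strcpy, strcat, sprintf)",
                      scope, [static_analysis])
    poor = Claim("The product is secure")               # no scope, no argument
    symbol = Claim("Genuine product of Example Corp (hypothetical)",
                   {"product": scope["product"]},
                   [Argument("Vendor reputation",
                             [Evidence("Customer testimonials", repeatable=False)])])
    return AssuranceCase(scope["product"], [overflow, unbounded, poor, symbol])


if __name__ == "__main__":
    for finding, item in review(build_sample_case()):
        print(f"{finding:24s} {item}")
```

Run as a script, the review reports the open-ended "is secure" claim twice (no scope and no argument) and flags the testimonials behind the Symbol-style claim as not repeatable, while the two bounded claims that share the static-analysis argument pass the structural check. Whether that argument really carries the claim is the judgement the paper leaves to the assurance recipient; a model like this only makes the gaps visible.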
Today, biometric systems have conquered markets in which their security characteristics have to fit into an overall security concept. Specifically in governmental applications (e.g. border control), biometric applications and components are embedded into systems whose security aspects have to undergo an independent security evaluation. It is the main focus of working group 3 of ISO/IEC SC 27 to provide developers and evaluators of components and systems in IT security with evaluation criteria. Prominent examples of standards developed in this context include ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation) and ISO/IEC 19790 (Security requirements for cryptographic modules). The evaluation of biometric devices and systems can, as a general rule, be conducted in the same way as any other IT security product evaluation. Having said that, it appears logical to use the existing standards from SC 27 for the evaluation of biometric systems. However, biometric systems have certain characteristics that need special consideration in the course of a security evaluation. The International Standard ISO/IEC 19792 - Security Evaluation of Biometrics - specifies the specific aspects to be addressed during a security evaluation of a biometric system. ISO/IEC 19792 does not aim to define a concrete methodology for the security evaluation of biometric systems but instead focuses on principal requirements. As such, its requirements are independent of any evaluation or certification scheme and will need to be incorporated into, and adapted to, a concrete scheme before being used in its context. The areas that need special consideration are reflected in the overall structure of the standard:

1) Clauses 4 and 5 of ISO/IEC 19792 give an overview of all terms, definitions and acronyms used. This is essential in order to provide evaluators with the common vocabulary used by the "biometric community" and serves to avoid misunderstandings.
2) Clause 6 introduces the overall concept for security evaluations of biometric systems. This concept reflects that a security evaluation of a biometric system shall in principle be carried out like any other security evaluation, but augmented by the special aspects provided in the following clauses of ISO/IEC 19792.

3) Clause 7 describes statistical aspects of security-relevant error rates. Biometric systems do not work as predictably or deterministically as other user authentication mechanisms known in information security (e.g. a PIN based mechanism). The error rates of biometric systems reflect this fact and serve as a general indicator of the performance of a biometric system. While general performance aspects do not fall within the scope of ISO/IEC 19792, some of the error rates have a significant impact on the security that a biometric system can provide. It is essential that each security evaluation of a biometric system comprises a test of the security relevant error rates. ISO/IEC 19792 refers to and adopts the test requirements defined by SC 37 in ISO/IEC 19795-1 in this area and defines a comprehensive set of requirements that such a test shall meet.

4) Clause 8 deals with the vulnerability assessment of biometric systems and defines a set of common vulnerabilities that shall be considered during each security evaluation. Those include:
- Performance limitations: this vulnerability addresses the question whether the error rates of the biometric system are suitable for its application case.
- Artefacts of biometric characteristics: this vulnerability deals with the fact that biometric characteristics can be spoofed, and how this shall be considered in an evaluation.
- Modification of biometric characteristics: this vulnerability deals with the fact that some biometric characteristics can be intentionally changed, and how this shall be considered in an evaluation.
- Difficulty of concealing biometric characteristics: this vulnerability supports the previous two and deals with the question how difficult it is for an attacker to obtain a biometric characteristic.
- Similarity due to blood relationship: this vulnerability addresses the fact that some biometric characteristics are similar for blood relatives.
- Special biometric characteristics: this vulnerability covers special biometric characteristics for which the biometric system may show a deterioration in its security relevant error rates.
- Synthesised wolf biometric samples: this vulnerability asks whether it is possible to generate biometric samples for which the biometric system shows a deterioration in its security relevant error rates.
- Hostile environment: this vulnerability asks whether changes to the characteristics of the environment of the biometric system can lead to a deterioration in its security relevant error rates.
- Procedural vulnerabilities around the enrolment process: the enrolment process establishes the basic trust in the identity of the users of the biometric system. A procedural vulnerability in this process can compromise the security of the biometric system over its entire lifecycle.
- Leakage and alteration of biometric data: this vulnerability stands as a placeholder for all general vulnerabilities that may lead to leakage or alteration of important data.

The descriptions include hints and requirements for an evaluator performing a vulnerability assessment. These common vulnerabilities shall be considered during each security evaluation, but of course they can only provide the basis for a vulnerability assessment and can never be considered complete.

5) Clause 9 describes the evaluation of privacy aspects, including criteria for the secure deletion of biometric data and for binding biometric data to a concrete application.
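Clause 7 above asks for a test of the security-relevant error rates, and the "synthesised wolf" item in Clause 8 asks whether a sample can be found for which those rates deteriorate. The following is an added example, not from the article or from ISO/IEC 19792 or 19795, showing in Python how both questions are answered from raw comparison scores: FMR (false match rate, the security-relevant one) and FNMR (false non-match rate) at a threshold, the threshold at which they are equal, and a per-probe check that exposes a wolf probe which the population FMR alone would hide. The terms FMR/FNMR are used here as I know them from ISO/IEC 19795-1; the scores and probe names are constructed, not measured on any product.

```python
"""Added example: security-relevant error rates of a biometric comparator
computed from constructed similarity scores, plus a wolf-probe check."""


def error_rates(genuine, impostor, threshold):
    """Decision rule: a comparison is a match when score >= threshold.
    FMR  = fraction of impostor comparisons wrongly accepted (security),
    FNMR = fraction of genuine comparisons wrongly rejected (usability)."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def equal_error_threshold(genuine, impostor):
    """Threshold at which FMR and FNMR are closest.  A common reporting point,
    not necessarily the operating point a security application should use."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        fmr, fnmr = error_rates(genuine, impostor, t)
        return abs(fmr - fnmr)

    return min(candidates, key=gap)


def wolf_probes(impostor_by_probe, threshold, factor=3.0):
    """A wolf is a probe that matches many other users' templates.  The
    population FMR averages over all probes and so hides it; compare each
    probe's own false-match rate against the population rate instead."""
    all_scores = [s for scores in impostor_by_probe.values() for s in scores]
    population_fmr = sum(s >= threshold for s in all_scores) / len(all_scores)
    wolves = []
    for probe, scores in impostor_by_probe.items():
        own_fmr = sum(s >= threshold for s in scores) / len(scores)
        if own_fmr > factor * population_fmr:
            wolves.append(probe)
    return wolves


# Constructed similarity scores in [0, 1].  GENUINE: a user's probe against
# that user's own template.  IMPOSTOR_BY_PROBE: each probe against the
# templates of five other enrolled users.
GENUINE = [0.91, 0.88, 0.85, 0.82, 0.80, 0.79, 0.77, 0.74, 0.70, 0.62, 0.55, 0.48]
IMPOSTOR_BY_PROBE = {
    "probe-A": [0.10, 0.22, 0.15, 0.30, 0.05],
    "probe-B": [0.28, 0.12, 0.35, 0.20, 0.18],
    "probe-C": [0.33, 0.25, 0.38, 0.42, 0.47],
    "probe-D": [0.52, 0.58, 0.61, 0.66, 0.72],   # the wolf: scores high against everyone
}
IMPOSTOR = [s for scores in IMPOSTOR_BY_PROBE.values() for s in scores]

if __name__ == "__main__":
    for t in (0.50, 0.61, 0.70):
        fmr, fnmr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FMR {fmr:.3f}  FNMR {fnmr:.3f}")
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print("equal-error threshold:", eer_t)
    print("wolf probes at that threshold:", wolf_probes(IMPOSTOR_BY_PROBE, eer_t))
```

At the equal-error threshold the population FMR is 0.15, which reads as "about one impostor attempt in seven succeeds"; the per-probe view shows that probe-D alone is accepted against three of its five targets, i.e. the security of the system against an attacker who can present that sample is far worse than the population rate suggests. That is the gap between a performance test and the security evaluation the article describes: raising the threshold lowers FMR at the cost of FNMR, but a wolf has to be found by looking at individual probes.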
As ISO/IEC 19792 is independent of any specific evaluation scheme, it could serve as a framework for the development of concrete evaluation and testing methodologies that integrate the requirements for biometric evaluations into existing evaluation and certification schemes. On its own the standard can serve as a starting point for a security evaluation and provide general guidance to evaluators. ISO/IEC 19792 has been the first biometric project in SC 27 and has shown how important the cooperation between SC 27 and SC 37 is for the success of biometric projects in standardization. While aspects of security are out of scope for the work of SC 37, it is essential for the work in SC 27 to utilize the biometric expertise of SC 37. It can be clearly stated that ISO/IEC 19792 would not have been finished at the current level of quality without the constant and constructive support of the experts of SC 37. As a side effect, the work on ISO/IEC 19792 also established the liaison channel between SC 27 and SC 37 and smoothed the way for the ongoing cooperation between both SCs in many other areas.

ISO/IEC 21827 Systems Security Engineering - Capability Maturity Model (SSE-CMM)

John Hopkinson, ISSPCS-Prac, CISSP, IS ITC CDR, Security Strategist, Chairman CAC-JTC1/TCIT, Chief Technical Officer, ISSEA

Effective and efficient development, management and operation of Information and Communication Technology (ICT) requires attention to The People, The Process and The Technology. It is generally agreed within the security community that these are just as applicable to security of any type; in other words it is also necessary to focus on the People aspects, the Process aspects and the Technology aspects of security.
Equally as important as having the appropriate objectives and Code of practice for information security management, the processes that the organization is using need to be the appropriate ones for the organization's situation, and they need to have the capabilities and be as mature as the organization's situation warrants. It should also be noted that processes run in parallel with the lifecycle and operations, and thus an assessment of processes provides a view also in parallel. All other assessment techniques take a snapshot in time at some moment along the lifecycle or operations.
Many standards are available that focus on the Technology aspects of security, and many others address the people involved and the people aspects of security; however, very few focus on the Process aspects. While a few standards touch on the process dimension, only one type of standard permits the organization to examine the processes and the capabilities and maturity of those processes. These standards are generally known as Capability Maturity Models, or CMMs for short. Of the CMMs that are available both within the ISO and IEC communities and outside, only one standard focuses on security exclusively, that being the Systems Security Engineering - Capability Maturity Model (SSE-CMM), ISO/IEC 21827.
The SSE-CMM is also unique within the CMM community as it is the only CMM that exists in essentially the same form both within the ISO CMM set of standards and in the non-ISO CMM set of standards.
CMMs of the continuous model variety are highly flexible. They permit the user to select the level of capability, and thus maturity, that they wish to elevate the process to, consistent with the needs of the organization. All organizations have different situations and environments and thus their needs are different. A standard that includes this facility provides optimum flexibility.
CMMs do contain a set of processes; they need to in order to establish a baseline to work from. However, the set of processes provided in the SSE-CMM is intended to be adjusted to the set of processes that the organization already has in place, not the other way around. If the organization does not have a formal process in a particular area, and determines that it needs one, then it might wish to consider adopting the process contained in 21827, but there is no requirement to do so. This level of flexibility facilitates the use of the SSE-CMM in conjunction with other standards such as ISO/IEC 13335, ISO/IEC 17799 and ISO/IEC 27001, to name but a few, as well as many Regional and National standards.
In addition to helping the user organization assess the current level of capability and maturity of its security processes, 21827 provides guidance on elevating the maturity of the processes to a higher level, should the organization determine this needs to be done. Within reason, any individual process can be elevated to any maturity level desired without regard to the maturity of any other process. A few restrictions do exist in terms of the relative maturity levels of dependent processes, but these take the form of guidance, and common sense is often the best guide.
At first sight the breakdown and organization of the processes within 21827 may seem somewhat strange. However, it should be borne in mind that the organization and structure of the processes, in addition to being optimal for security, has had to take into consideration flexibility for the user organization and Process Improvement theory and practice. Thus at first sight it may seem strange to have four processes that address the security risk discipline, but this was done to facilitate flexibility for those organizations that do not have an overall security risk process, and there is no restriction on combining the four processes together, should that be more suited to the user.
The experience of organizations having made use of the SSE-CMM has been that they have reaped many benefits from enhanced, more efficient and effective security processes giving more reliable and consistent results. Organizations developing products that are to be evaluated obtain much of the documentation they need for the evaluation process as a part of their normal processes once they reach moderate levels of maturity. The SSE-CMM is not only intended for organizations that have a high interest in or need for security; rather, all organizations that need security in some manner, shape or form can obtain considerable benefits from its use, and a considerable return on investment. The benefits have been found to be similar to those achieved with the implementation and use of other CMMs.

Professor Mats Ohlin - An obituary
Professor Mats Ohlin of Stockholm, Sweden passed away in August 2009 at the age of 66 years. Mats leaves behind his beloved wife Christina, daughters Lisa and Mia and their families, his son Lars, Christina's son Fredrik from her earlier marriage and his family, and his brother Per and his wife Anna-Lisa. Mats Ohlin was the chemist who became an internationally highly respected information security expert with the world as his arena. He was also the warm and proud husband and father, the skilled bridge partner, the experienced wine connoisseur, the expert on mushrooms, trusted friend and generous host.
Mats had an M.Sc. in chemistry from the Royal Institute of Technology in Stockholm, and was appointed adjunct professor of IT Security at Stockholm University. Mats became involved in the computer security area at the beginning of the 1980s, working for the Swedish National Defence Research Establishment, the Swedish Defence Staff and finally the Swedish Defence Materiel Administration (FMV), where he held a position as Strategic Specialist in the area of Information and IT Security. Upon joining FMV in 1989 he became involved in the Swedish national IT programme, which involved assessment of IT security evaluation criteria and the potential for a Swedish Certification Scheme. At the same time Mats Ohlin became active in the international standards subcommittee ISO/IEC JTC 1/SC 27 (IT Security), and in particular its WG 3 (Security Evaluation Criteria Working Group). Throughout the 90s Mats Ohlin was a Swedish Government official in the Senior Officials Group - Information Security (SOG-IS) at the EU Commission and became active in establishing the European Mutual Recognition framework for IT security certification. He then became involved in the harmonisation work leading to the international arrangement for mutual recognition of IT security certificates (CCRA).
During 2003-2005 he was a member of the Swedish Cabinet Office's Commission investigating National Information Security policies and priorities, including a recommendation to establish the Swedish Certification Body for IT security at FMV based upon ISO/IEC 15408 (the Common Criteria). During 2007-2009 Mats Ohlin was chair of the Management Committee of the CCRA.
Mats was actively engaged in the work of WG 3 from its start. He was appointed as the WG 3 Glossary Editor at the first WG 3 meeting in Munich in October 1990. As usual, Mats was clearly thinking strategically, since by volunteering as Glossary Editor he established his position as a participant rather than merely an observer. Mats attended the WG 3 meetings through the 90s. He strongly supported the consensus approach that resulted in the establishment of ISO/IEC 15408 as technically identical to the Common Criteria. He replaced Svein Knapskog from Norway as Convenor of SC 27/WG 3 in April 2000, and then served as Convenor until shortly before his death in 2009. Mats was an excellent Convenor of WG 3, with the ability to chair meetings patiently, effectively, but firmly and to schedule. He had the useful ability to think about the next question whilst speaking about the current one. As Convenor, Mats took special care to ensure that all delegates, even those who were not fluent English speakers, got their say in discussions. As a result, he almost always achieved a consensus result. Mats was equipped with a large portion of humour and curiosity that was combined with an incredible ability to read and absorb large amounts of complex information. At the same time, he had great analytical skills and could see the bigger picture amongst all the details. As a good listener, being well articulated and with an old school gentleman's manner, he was genuinely interested in other people and their views. Consequently, he became a trusted Convener and close friend to people from all over the world.
We are all grateful that we had the chance to meet and get to know such a warm and inclusive person as Mats. He provided invaluable contributions to SC 27/WG 3, the CCRA, SOG-IS, the Swedish Standards Institute, the Swedish CC Scheme and many other organisations. Mats Ohlin's presence will be deeply missed.
Dag Ströman, FMV, Sweden
Mike Nash, Gamma Secure Systems Limited, UK
SC 27 WG 4

Establishing Information Security Readiness - a standard approach
Dr Meng-Chow Kang, CISSP, CISA, Convener, WG 4

In 2005, with the development of ISO/IEC 27001 and related standards, SC 27 management decided that there was a need to have Working Group (WG) 1 focus on the set of standards (commonly known as the 2700x series) that provides the framework essential for the implementation of the ISO/IEC 27001 standard and its related certification scheme. Other standards that provide guidance and specifications for the implementation of specific sets of security controls, for example the Network Security standards, would then move to a different WG for development and maintenance. At the same time, ISO/IEC JTC 1 management and several National Bodies (NB) requested SC 27 to evaluate the need for standards to address some of the new industry developments and concerns, such as Cybersecurity, Outsourcing, and other security-related IT services. These requirements eventually led to the formation of a new WG in SC 27, known as WG 4, entitled "Security Controls and Services Standards Working Group", which was formally endorsed at the 17th SC 27 Plenary in Madrid in April 2006. The first WG 4 meeting was held in Glenburn, South Africa in the autumn of 2006. At this writing, WG 4 has just completed its 8th meeting in Malaysia.
Projects undertaken in WG 4 include those inherited from WG 1's previous scope of work (prior to September 2006) in support of the implementation of ISO/IEC 2700x related controls, and those newly studied and approved through JTC 1. The latter include, for example, the Guidelines for Cybersecurity (ISO/IEC 27032), which involves, in addition to establishing an ISMS in organizations, the secure provisioning of Internet/Cyberspace related applications and services, and secure collaborative information sharing to effectively respond to emerging Cybersecurity incidents (as described in the current draft of the standard). This article discusses the standards framework adopted in WG 4 to make sense of the collection of standards that the WG has inherited and been requested to develop, as well as for establishing the roadmap of new standards down the road.

WG 4 related standards framework

To provide a high level understanding of how WG 4's standards support the combined scope of these two areas of requirements, WG 4 projects are categorized and structured using a defence-in-depth framework as shown in Figure 1. The framework covers three distinct areas of requirements, namely: (1) the need to prepare for and respond to emerging security issues, (2) the need to manage and prevent the occurrence of known security issues, and (3) the need to manage, including investigate, information security issues and incidents that have occurred, due to failure of the information security system, various forms of attacks, or a natural disaster. Within each area of the framework, there are a number of security requirements and related standards, including existing and new projects/topics.
Figure 1: Three main areas of needs for security controls and services in a defence-in-depth framework
The main focus of the WG 4 standards framework is to provide information security readiness in the organization. As depicted in Figure 1, organizations first need to be prepared to respond to emerging risk issues. These are issues that have not occurred previously, but may be identified through close monitoring and analysis of occurring events. The absence or lack of readiness to deal with emerging risk issues means that any occurrence of a new risk could potentially surprise the organization and cause significant impacts on its information security. The standards in this area are to help organizations identify and detect emerging risk issues that are relevant to them, and establish programs of activities so that people and systems can respond more effectively upon the occurrence of those risk issues. Incidents that have been encountered before are categorized as known risk issues. These are issues for which existing or new security controls may be deployed or developed to reduce their impact, if not avoid their occurrence. WG 4 standards in this area include those specified in the ISMS code of practice standard (ISO/IEC 27002) requiring further elaboration of requirements and provision of implementation guidance. The notion of addressing known issues is also about improving security readiness. We already know how such risk issues would unfold or impact the organization; we therefore should not allow them to surprise us when they materialize. By managing and addressing these known issues, organizations establish capabilities and controls to avoid their occurrence and the possible impacts of those risk issues. An organization can then focus its resources on identifying changes in the risk environment, and make the necessary preparation for those changes. Finally, having an ISMS and the necessary security controls against known as well as emerging risks does not guarantee that the organization is completely safe and secure against security attacks and breaches.
No system can be perfect. Failure should therefore be anticipated, especially when operating in a constantly changing environment. In this regard, it is necessary for organizations to also get ready for potential mishaps so that they may be handled and managed in the most effective and efficient manner possible. Such preparation should include measures to facilitate after-the-fact collection of residual data and audit trails to support the forensic investigation process and facilitate learning and improvement. Figure 2 depicts the alignment of those existing and future topics to the three categories of security controls and services requirements shown in Figure 1.
Figure 2: Mapping of existing and new projects/proposals to the three areas of needs
While the number of standards in WG 4's portfolio has increased to cover the key requirements areas over the past four years, there are still gaps in fulfilling the objectives of the framework as well as in meeting the needs of implementation of specific areas of controls in ISO/IEC 27002. At the eighth meeting in Malaysia in April 2010, some delegates suggested topics in the known risks category, such as vulnerability management, security operations management, and security event log management, for consideration for development in the near future. As security controls and services are also required to support the implementation of cryptographic mechanisms and other technical security capabilities, WG 4's scope of work in the area of managing known risks is therefore not limited to those defined in ISO/IEC 27002, but extends also to WG 2, and potentially to WG 3 and WG 5 in the near future. The structure adopted in WG 4 for categorization of the various standards, based on emerging (or unknown), known and aftermath of risk issues, therefore provides a comprehensive perspective on its scope of work, as well as a basic structure for identifying standards requirements towards future developments.

Concluding Remarks

Managing information security is an ongoing undertaking in organizations, in view of the changing nature of information security risks. SC 27 promotes a management system approach, through the use of the ISO/IEC 27001 ISMS incorporating a cyclical systems process of Plan-Do-Check-Act (PDCA), to ensure new risks are identified while known risks are managed in a continuous improvement manner. The approach is supported by additional standards addressing the controls requirements and services needs in all three stages of information security risk development: preparing for the emerging (or unknown), addressing the known, and investigating the occurrence of information security incidents.
This article focuses on the standards framework underlying the scope of work of WG 4 in SC 27. Supporting, implementing, and operating security controls and services require cryptographic and security mechanisms, including identity, privacy, and biometric related mechanisms, protocols and systems, and the need for their security evaluation and assurance, which are areas of focus of WG 2, WG 5, and WG 3, respectively. The work of WG 4 is therefore not an end in itself. Developing standards is not without challenges either. With numerous standards organizations undertaking this major endeavour in parallel, much coordination, information sharing, and collaboration are necessary to minimize duplication of effort and maximize the use of limited resources. Liaison therefore plays a critical role in addressing this concern. Furthermore, while many countries/economies have representation in SC 27 (and other standards organizations), the systems of standards development are based around members' contributions of resources and content, and majority vote or consensus to ensure fairness in the process. As such, the result may not necessarily meet all the requirements of the user communities or align with their respective views or desired approach. Participation and communication by and amongst members, coupled with the use of the ISMS approach of continuous improvement, are key success factors to ensure the continued usability of security standards to the members.

Information Security & Business Continuity - ICT Readiness of an Enterprise
Philip Sy (12), CISA, AIS
June 11, 2010
1 Background

Information security has fast become an important part of most enterprises' risk management agenda, thanks to the widespread awareness and adoption of the ISO/IEC 27001 and 27002 standards, as well as its rising significance in corporate governance. Most organizations are spending considerable amounts of money building up their defences, including safeguarding their enterprise networks with firewalls and intrusion detection / protection devices, securing their data centres with 2-factor physical access control systems, and screening their employees before signing employment contracts. However, the openness of the Internet, the accelerating rate at which new technologies emerge, and the rising trend of computer fraud present us with a business world where any business may become the next victim through not being ready to cope with newly emerging security threats. Meanwhile, the need for business continuity management (BCM), including incident preparedness, disaster recovery planning, and emergency response and management, has been recognized and supported with specific domains of knowledge, expertise, and standards developed and promulgated in recent years (13). As information and communication technology (ICT) has become an integral part of many of the activities which are elements of the critical infrastructures in all organizational sectors, whether public, private or voluntary, most organizations have become ever more reliant on reliable, safe and secure ICT infrastructures and services. In view of these needs, ISO/IEC JTC 1 SC 27 WG 4 has been tasked to develop the ISO/IEC 27031 Standard - Guidelines for Information and Communication Technology (ICT) Readiness for Business Continuity, and the International Standard aims at providing the guidance for planning and maintaining the ICT infrastructure and services required for effective and efficient response to those focusing events, including emergency situations [1]. This is best supplemented with the ISO/IEC 24762:2008 Standard - Guidelines for ICT Disaster Recovery Services (also developed by SC 27 WG 4), which guides the user in setting up the infocomm technology disaster recovery (ICT DR) capability, irrespective of whether the organization provides the service in-house or through an outsourcing arrangement.

(12) Philip Sy is a Principal Consultant specialized in information security and business continuity / disaster recovery. He is the secretary to SC 27 WG 4 and Project Co-editor for ISO/IEC 27031 and 24762.
(13) ISO TC 223 has been tasked to develop relevant international standards for the continuity management of business and organizations, including ISO 22301 and 22399.

2 ICT Readiness for Business Continuity (IRBC)

In planning for business continuity, the requirements for information processing and communication facilities need to be effectively planned and implemented so that they are ready to support the business continuity management requirements and ensure information and service availability. In planning for BCM, the fallback arrangements for information processing and communication facilities become essential for ensuring information availability during a disaster and for the complete recovery of activities over a period of time. In the context of ISO/IEC 27031, the scope of business continuity is also expanded to include preparedness for focusing events such as ICT security incidents and failures of ICT systems [1]. ICT continuity is a crucial element of an overall BCM strategy and will help an organization survive a crisis. Customers are more likely to desert suppliers if they are not immediately responsive to system problems.
As part of the implementation and operation of an information security management system (ISMS) [2] and a BCMS (business continuity management system) respectively, it is critical to develop and implement a readiness plan for the ICT services to help ensure business continuity. IRBC provides a meaningful way to determine the status of an organization's ICT services in supporting its business continuity objectives by addressing the question "is our ICT capable of responding?" rather than "is our ICT secure?". ISO/IEC 27031 describes the concepts and principles of ICT Readiness for Business Continuity, and provides a framework of methods and processes for any organization - private, governmental, and non-governmental - irrespective of size, to identify and specify all aspects (such as performance criteria, design, and implementation) for improving its ICT readiness to ensure business continuity. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner [3]. In order for an organization to achieve ICT Readiness for Business Continuity, it needs to put in place a systematic process to prevent, predict and manage ICT disruptions and incidents which have the potential to disrupt ICT services. This is best achieved by applying the Plan-Do-Check-Act (PDCA) cyclical steps as part of a management system for ICT Readiness for Business Continuity (IRBC). In this way IRBC supports BCM by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organization.
As part of the BCM process, IRBC refers to a management system which complements and supports an organization's BCM and/or ISMS programme, to improve the readiness of the organization to:
- respond to the constantly changing risk environment,
- ensure continuation of critical business functions supported by the related ICT services,
- be ready to respond before an ICT service disruption occurs, upon detection of one or a series of related events that become incidents, and
- respond to and recover from incidents/disasters and failures.
The figure below illustrates how IRBC and BCM interact with each other to help cater for an organization's ICT readiness.
IRBC is based around the following key principles:
- Incident Prevention - Protecting ICT services from threats, such as environmental and hardware failures, operational errors, malicious attack, and natural disasters, is critical to maintaining the desired levels of systems availability for an organization,
- Incident Detection - Detecting incidents at the earliest opportunity will minimize the impact to services, reduce the recovery effort, and preserve the quality of service,
- Response - Responding to an incident in the most appropriate manner will lead to a more efficient recovery and minimize any downtime. Reacting poorly can result in a minor incident escalating into something more serious,
- Recovery - Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less critical nature may be reinstated at a later time or, in some circumstances, not at all, and
- Improvement - Lessons learned from small and large incidents should be documented, analyzed and reviewed. Understanding these lessons will allow the organization to better prepare for, control and avoid incidents and disruption.
3 ICT Disaster Recovery (DR) Services

Many organizations are at a loss whether they should set up the infocomm technology disaster recovery (ICT DR) capability in house or select from the many DR service providers in the market. The basis of such a decision and/or selection varies from organization to organization, as currently there is no benchmark for the provision of ICT DR services. The ISO/IEC 24762 standard was published in 2008 after going through stages of review, comment and resolution. It covers facilities and services capability in providing fallback and recovery support to an organization's ICT systems and applies to both in-house and outsourced ICT DR services. It aims to assist end users either in setting up their own in-house ICT DR service capability, or in selecting the best-fit ICT DR service provider by providing a basis to differentiate service providers. The International Standard specifies the requirements that service providers must meet so that they can provide a trusted operating environment and help companies secure and recover critical data during a crisis. These requirements include the implementation, testing and execution aspects of disaster recovery. The International Standard is based on a multi-tier framework comprising elements including policies, performance measurement, processes and people, which are key in building up the required supporting infrastructure and services capability. It also recommends that the service provider improve its capability and stay relevant by going through recommended continuous improvement practices. A guideline for the selection of recovery sites is also included in the standard.

4 Conclusion

To establish ICT readiness for Business Continuity, an organization will be equipped with appropriate ICT infrastructure, effective incident prevention, detection and response processes, as well as verified plans for ICT disaster recovery. Supplementing this programme with quality and effective disaster recovery facilities and services will further enhance the organization's resilience, and hence in turn improve its goodwill and trustworthiness.

References
[1] ISO/IEC JTC1 SC27 N5726 document - New Work Item Proposal on ICT Readiness for Business Continuity
[2] ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements
[3] ISO/IEC JTC1 SC27 N8622 document - ISO/IEC FCD 27031 - Information technology - Security techniques - Guideline for Information and Communication Technology Readiness for Business Continuity

Information Security Incident Management is renewed as International Standard
Yoshihiro Satoh, Hewlett-Packard Japan
The document ISO/IEC TR 18044, Information security incident management, is already published as a Technical Report, but it is being renewed as the new International Standard ISO/IEC 27035. At the renewal stage people might want to know what was changed. It is simple: the contents of the document have been restructured for clarity, and useful information has been added. The major additions are example approaches to the categorization and classification of information security incidents, examples of information security incidents and their causes, and a cross-reference table of ISO/IEC 27001/27002 against ISO/IEC 27035, all as annexes. These are interesting topics; however, in this article I would like to introduce mainly what was not changed at the renewal stage. What was not changed is the basic concept. The standard defines information security event and information security incident as follows:

An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

The importance of defining an event is described later; the reason for including "unexpected" in the definition of an incident is explained now. If something causes damage to the organization, it is of course dealt with as an unwanted thing. If a bad thing happens without being expected, "unexpected" is synonymous with "unwanted". However, there is another kind of unexpected thing: one whose result is not bad. For example, when something occurred for which no measures had been taken, it is natural that damage follows; yet by luck it did not reach the point of damage. That is the case meant here. If the organization deals with such an unexpected event that caused no damage, then when the same cause occurs in the future it will be easier to prevent the damage. The organization should treat it as a sign of a possible incident. That is the reason why we included not only "unwanted" but also "unexpected".

After having defined the terms as above, the document suggests the following. It is necessary first to get a response procedure for incidents, and the system to support it, ready. However, even if that system can quickly establish an incident, the response is late if the on-site person concerned is late in recognizing, among the many events occurring routinely, the one that is an incident. No matter how much a fire department speeds up its response after receiving a call, it cannot shorten the time from the outbreak of the fire to the firefighters' arrival if the report itself is late. It is therefore necessary to pay broad attention to the earlier events that will be recognized as an incident. However, this is not simple, because it is too much if every event is reported by on-site persons to the incident response team. One idea is that on-site persons report even a trifling incident without hesitation and the team sorts everything. Another idea is that on-site persons report only after sorting events with criteria, prepared by the team, for which events are to be reported. It is difficult to make the trade-off between avoiding things being overlooked by on-site persons and reducing the workload of the team. There is no clear answer, but the important concept is that an event changes into an incident because the probability that the event threatens information security rises. It is also important to think that the event itself does not change; what changes is how the organization treats the event.

If an event called smoke comes from an open-air fire, it is a simple event. The smoke from a fire becomes the incident. The thing itself does not change; it is the viewpoint that has to change.

There is another suggestion in the document. Incident response basically means carrying out a response procedure based on a prior plan at the time an incident breaks out. On the other hand, however, a way of coping other than by the prepared procedure is necessary when the procedure the organization prepared beforehand does not fit the facts of the incident, because an unexpected situation cannot be handled flexibly only within the range the organization assumed beforehand. Therefore it is necessary that exception measures be possible, at the judgment of the person in charge, when an unexpected situation is met. From the words "exception measures" it may be thought that they are rare. In fact they are not rare. A response procedure based on a prior plan is prepared on the basis of assumed incident scenarios. In that case it is natural in the first place that preventive measures are taken against the assumed causes of incidents, so the occurrence of such incidents might be minimized. Therefore the possibility that whatever becomes an incident is something not assumed is rather high. That is the reason why a procedure for when an exception occurs should be ready. When it is not clear, the person in charge acts with the best of intentions, and what they did may later be dismissed as a violation of the predefined procedure. Nobody will take the best measures for everyone if they themselves will be treated as violators. Not everybody is Eddie Murphy in Beverly Hills Cop or Bruce Willis in Die Hard. It may seem that things could get out of control when exception measures are allowed.

However, there are case studies in High Reliability Organizations (HROs), such as emergency rescue centres and nuclear power plants, where it is demanded that safety be maintained even when an unexpected thing happens. In an HRO, on-site persons monitor events carefully as signs of incidents, and the persons in charge keep fully in mind that the predefined procedure is not their only choice. The HRO calls this posture "mindful", and it is said that there must be "mindfulness" in an HRO. The basic concept of "event and incident" and "think of the unexpected" has come from the idea of managing the unexpected in HROs. It is carried over from 18044 to 27035. The exception measure is slightly emphasized here, but of course a predefined procedure must be enforced if its assumptions apply. All contributors to this International Standard want it to help establish information security incident management in a mindful way in your organization.
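The event-to-incident triage the article describes (team-prepared reporting criteria, the near miss that caused no damage but is still a sign of a possible incident, and the point that the event itself does not change, only the organization's treatment of it) as an added example. This is my own illustration, not code from ISO/IEC 27035 or the article; the events, the criteria, the keyword indicators and the threshold are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one observation reported from the field: an "information security
// event" in the sense of the definition above, identified but not yet judged.
type Event struct {
	ID      string
	Source  string
	Message string
	// Outcome is "damage" when harm was observed, "no-damage" for a near miss
	// (the unexpected-but-not-bad case the article describes), or "" if unknown.
	Outcome string
}

// Criteria is the reporting guidance a response team hands to on-site staff:
// keyword indicators with weights, and a threshold above which the team wants
// to see the event regardless of outcome. Constructed for this example.
type Criteria struct {
	Indicators map[string]int
	Threshold  int
}

// Decision is the triage result for one event.
type Decision struct {
	EventID string
	Score   int
	Report  bool // should on-site staff escalate it to the team?
	Reason  string
}

// Triage scores each event against the team's criteria. The event itself is
// never altered; only the organization's treatment of it (Report) changes,
// which is the event/incident distinction the article draws. A near miss that
// matches any indicator is still reported, because an unexpected event that
// happened to cause no damage is a sign of a possible incident.
func Triage(events []Event, c Criteria) []Decision {
	out := make([]Decision, 0, len(events))
	for _, e := range events {
		score := 0
		var hits []string
		text := strings.ToLower(e.Message)
		for kw, w := range c.Indicators {
			if strings.Contains(text, kw) {
				score += w
				hits = append(hits, kw)
			}
		}
		sort.Strings(hits) // map iteration order is random; keep reasons stable
		d := Decision{EventID: e.ID, Score: score}
		switch {
		case e.Outcome == "damage":
			d.Report, d.Reason = true, "damage observed: incident"
		case score >= c.Threshold:
			d.Report, d.Reason = true, "indicators ["+strings.Join(hits, " ")+"] reach threshold"
		case score > 0 && e.Outcome == "no-damage":
			d.Report, d.Reason = true, "near miss: unexpected event without damage"
		default:
			d.Report, d.Reason = false, "routine event: keep local record only"
		}
		out = append(out, d)
	}
	return out
}

// TeamCriteria is a constructed example of criteria a team might publish.
func TeamCriteria() Criteria {
	return Criteria{
		Indicators: map[string]int{
			"phishing": 3, "malicious": 3, "unauthorized": 4,
			"blocked": 2, "failed login": 1,
		},
		Threshold: 5,
	}
}

// SampleEvents are constructed log lines, not taken from any real system.
func SampleEvents() []Event {
	return []Event{
		{ID: "E1", Source: "mail-gw", Message: "phishing mail with malicious attachment delivered to 12 users"},
		{ID: "E2", Source: "fileserver", Message: "backup job finished with warnings"},
		{ID: "E3", Source: "web-proxy", Message: "outbound connection blocked by proxy to unknown host", Outcome: "no-damage"},
		{ID: "E4", Source: "db", Message: "unauthorized access: customer table exported", Outcome: "damage"},
		{ID: "E5", Source: "badge", Message: "door held open alarm cleared", Outcome: "no-damage"},
	}
}

func main() {
	for _, d := range Triage(SampleEvents(), TeamCriteria()) {
		fmt.Printf("%s score=%d report=%v (%s)\n", d.EventID, d.Score, d.Report, d.Reason)
	}
}
```

The two reporting policies the article contrasts map onto the threshold: setting it to zero is "report everything and let the team sort", raising it moves sorting to the on-site staff, and the near-miss branch keeps the "unexpected" case from being filtered out either way.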
Information security: Risks or hazards
by Prof. Edward Humphreys, Convenor, ISO/IEC JTC 1/SC 27/WG 1, Requirements, security services and guidelines, and Convenor, Dr. Meng Chow Kang, ISO/IEC JTC 1/SC 27/WG 4, Security controls and services.

ISO/IEC/JTC 1/SC 27 is developing standards for industries that are often critical elements of national infrastructure.

While the safety world tends to discuss hazards, we in the information security world are more likely to talk about risks. In both areas, some argue that their domain originates from exposure to something which may result in personal injury or death, the loss of information, damage to property and so on. Safety and security often occupy the same space. For example, the security of the data in a patient's health record system may have an impact on the health and safety of the patient. Or the security of the data in a system used for air traffic control may have an impact on the ability of air traffic controllers to maintain safety.

Billions at stake
A number of standards are being developed for information security within ISO/IEC/JTC 1/SC 27. In particular, the working groups WG 1 and WG 4 are developing standards relating to information security management for application across a diverse set of industries such as telecoms, healthcare, energy supply, finance, insurance and supply chain. These industries are often critical elements of national infrastructure. Several examples over the last 18 years demonstrate that if the information security of these essential industries is compromised, society is placed at risk. In the 1980s and 1990s, the UK, in particular London, suffered many such infrastructure attacks, all of which were intentionally initiated. And in recent years, natural disasters such as the South-east Asian tsunami and earthquakes in Japan and China also caused significant impacts on human safety and the availability of information systems. Today's risks can, in worst case scenarios, lead to complete shutdown of businesses, property damage running into millions if not billions of dollars, disruption of critical services and infrastructure, and loss of life.

Network security
It is clear that IT systems themselves are not always the problem; the larger threat is often from people, including external users such as visitors, customers and partners, and the growing problem of insider threats from employees. The information standards being developed in ISO/IEC/JTC 1/SC 27/WG 1 and WG 4 are based on the assumption that an organization applying these standards carries out a proper risk assessment to address the problems raised above. SC 27/WG 4 has published standards addressing the provision of disaster recovery services (ISO/IEC 24762), network security (ISO/IEC 18028), intrusion detection systems (ISO/IEC 18043), and information security incident management (ISO/IEC TR 18044). While some of these standards are under revision, WG 4 is also developing standards on cybersecurity (ISO/IEC 27032) in collaboration with ITU-T.

"The security of networks and ICT devices is now crucial to the safety of societies around the world."

Business continuity
WG 4 is also producing a standard to address ICT readiness for business continuity (ISO/IEC 27031), and the working group is collaborating with other committees to develop business continuity standards. In 2009, WG 4 has further embarked on new standards projects relating to the security of outsourcing (ISO/IEC 27036) and the management of digital evidence (ISO/IEC 27037). SC 27/WG 1 has published ISO/IEC 27001 to address the establishment, implementation, monitoring and review of information security management systems (ISMS). The ISMS is applicable to all sizes and types of organizations, from small to very large and from low- to high-tech. SC 27/WG 1 has produced and published a standard on ISMS risk management as well as the accreditation of an organization's ISMS implementation. In addition, they have jointly produced and published, with ITU-T, telecoms security requirements on security controls in support of ISMS implementations.

"Threats change constantly, increasing in complexity as more information systems become interconnected to exchange and share information."

The evolving nature of risks
Other application- and sector-specific guidelines and standards are being developed to support ISMS implementations, for example regarding information security governance and the protection of critical national infrastructure. These standards are aimed at addressing the threats and impacts that organizations face today. Of course threats and risks change constantly, increasing in complexity as more information systems become interconnected to exchange and share information. ISO/IEC JTC 1/SC 27 continuously monitors the future risk landscape, aiming to build preventive security measures that help organizations manage the risks emerging with business growth while at the same time increasing use of more advanced information technology systems. Other subcommittees within JTC 1 are also developing standards that have security as a sub-component, such as SC 37 on biometric standards. Security standardization work is, in most cases, conducted in collaboration with SC 27, a member of the Joint Technical Collaboration Group on management system standards, which includes those dealing with ISO 9001 for quality, ISO 14001 for environment and ISO 28000 on food safety. Despite sometimes overwhelming challenges, help is available to organizations through the toolbox of standards published or under development by ISO/IEC JTC 1/SC 27.

About the authors
Prof. Ted Humphreys (ISMS Research Professor, Korea University) has been leading the United Kingdom's activities regarding the ISO/IEC 27000 family of Information Security Management System (ISMS) standards and the British standards BS7799 Parts 1 and 2 (which formed the basis for ISO/IEC 27001 and ISO/IEC 27002) since 1990. He is also responsible for many of the ISMS accreditation and certification activities as well as producing the standard EA 7/03. He is an ISMS consultant providing advice to organizations around the world. He is also founder and Director of the ISMS International User Group, which promotes the global use of the ISO/IEC 27000 family for ISMS standards.

Dr. Meng Chow Kang is Director of Information Security for China and APJ regions (Asia-Pacific and Japan) for Cisco Systems, Inc. He has been a practicing information security professional for more than 20 years, with field experience spanning from technical to management in the various security and risk management roles in the Singapore government, major multi-national financial institutions, and security and technology providers. Dr. Kang has been contributing to the development and adoption of international standards relating to information security since 1998, and is the founder of the Regional Asia Information Security Standards (RAISS) Forum. He is currently Convenor of ISO/IEC JTC 1/SC 27/WG 4, Security controls and services.

ISO Focus June 2009 29 Main Focus

Managing information security
by Sandrine Tranchard, Communication Officer, ISO Central Secretariat

With more and more organizations implementing information security management systems (ISMS) as part of their risk management strategy, the publication of a new ISO/IEC standard giving an overview of ISMS is particularly timely. ISO/IEC 27000:2009, Information technology - Security techniques - Information security management systems - Overview and vocabulary, will assist organizations of all types to understand the fundamentals, principles and concepts to improve protection of their information assets. Applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, non-profit organizations), ISO/IEC 27000:2009 supplements the ISO/IEC 27000 family of standards by providing an introduction to information security management and defining related terms. Today, an organization's information assets are dependent upon information and communications technology. The technology assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information. As the extent of the interconnected global business environment expands, so does the requirement to protect information as it is exposed to a wider variety of threats and vulnerabilities.

Preventing theft and unauthorized modification of electronic data
by Maria Lazarte, Communication Officer, ISO Central Secretariat

To protect the confidentiality and integrity of data being transferred or stored, ISO and IEC have jointly developed a new standard which defines authenticated encryption mechanisms that provide an optimum level of security. "With the rise of electronic transactions involving sensitive information, such as the transfer of bank data or personal identity information, this standard responds to a growing need for increasingly demanding security requirements," says Prof. Chris Mitchell, Project Editor of the new ISO/IEC standard. The standard, ISO/IEC 19772, Information technology - Security techniques - Authenticated encryption, specifies six encryption methods (based on a block cipher algorithm) that can be used to ensure:

Data confidentiality (protecting against unauthorized disclosure of data)
Data integrity (enabling recipients to verify that the data has not been modified)
Data origin authentication (helping recipients to verify the origin of the data).

Prof. Mitchell explains, "It has recently become widely recognized that using encryption on its own (or even combining encryption and Message Authentication Codes in non-optimal ways) can be dangerously weak, as shown by recently demonstrated practical attacks on implementations of widely used security protocols such as IPsec and SSH. There are thus excellent reasons to believe that it is better to rely on a single comprehensive data protection method." The mechanisms specified in the standard have been designed to maximize the level of security and provide efficient processing of data for optimum results. The standard includes mechanisms that can be applied to ensure the integrity of data even when not encrypted (e.g. to prevent modifications of e-mail addresses, sequence numbers, etc.). "ISO/IEC 19772 will give confidence to users that their data is safe. Not only will it be useful for protecting information, but also for furthering the development of online transactions and e-businesses, and other applications involving sensitive data," concludes Prof. Mitchell.
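The weakness Prof. Mitchell describes in the ISO/IEC 19772 piece above, and the remedy, as an added example that is mine and not from the ISO Focus article or from the standard. Go's standard-library AES-GCM stands in for the kind of authenticated encryption mechanism the standard specifies (the standard's own six mechanisms are not reproduced); the key, the message and the sequence-number header are constructed, and the header plays the role of the unencrypted data (an address, a sequence number) whose integrity the standard also covers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// demoKey is a constructed 128-bit key for this example only.
var demoKey = []byte("0123456789abcdef")

// SealAEAD protects a message with AES-GCM, an authenticated-encryption mode
// with associated data: the plaintext is encrypted and authenticated, and the
// associated data (sent in clear, e.g. a sequence number or an address) is
// authenticated as well. The returned slice is ciphertext followed by the
// 16-byte authentication tag.
func SealAEAD(key, nonce, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, associated), nil
}

// OpenAEAD recovers the plaintext, or fails if either the ciphertext or the
// associated data differ from what was sealed.
func OpenAEAD(key, nonce, ciphertext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, associated)
}

// NewNonce returns a fresh 96-bit GCM nonce. A nonce must never be reused
// under the same key.
func NewNonce() ([]byte, error) {
	n := make([]byte, 12)
	_, err := rand.Read(n)
	return n, err
}

// EncryptOnlyCTR is the "encryption on its own" construction the article warns
// about: AES in counter mode with no integrity protection. It is here only
// for contrast. The same call decrypts, because CTR is an XOR with a keystream.
func EncryptOnlyCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// SeqHeader encodes a message sequence number as associated data.
func SeqHeader(seq uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, seq)
	return b
}

// Result records what each construction does when the message is altered.
type Result struct {
	GCMRejectsChangedHeader bool // unencrypted sequence number altered in transit
	GCMRejectsFlippedBit    bool // one ciphertext bit altered in transit
	CTRSilentlyCorrupts     bool // CTR hands back altered plaintext with no error
}

// Demo runs both constructions over a constructed message.
func Demo() (Result, error) {
	var r Result
	msg := []byte("transfer 100 to account 42")

	nonce, err := NewNonce()
	if err != nil {
		return r, err
	}
	ct, err := SealAEAD(demoKey, nonce, msg, SeqHeader(7))
	if err != nil {
		return r, err
	}
	// The receiver is shown the same ciphertext under a different sequence number.
	_, err = OpenAEAD(demoKey, nonce, ct, SeqHeader(8))
	r.GCMRejectsChangedHeader = err != nil

	// One bit of the ciphertext changes in transit.
	flipped := append([]byte(nil), ct...)
	flipped[0] ^= 0x01
	_, err = OpenAEAD(demoKey, nonce, flipped, SeqHeader(7))
	r.GCMRejectsFlippedBit = err != nil

	// Encryption only: the same bit change yields a different plaintext, and
	// nothing tells the receiver that anything happened. The all-zero IV is
	// acceptable only because this key is used once, offline, in this demo.
	iv := make([]byte, aes.BlockSize)
	c2, err := EncryptOnlyCTR(demoKey, iv, msg)
	if err != nil {
		return r, err
	}
	c2[0] ^= 0x01
	p2, err := EncryptOnlyCTR(demoKey, iv, c2)
	if err != nil {
		return r, err
	}
	r.CTRSilentlyCorrupts = !bytes.Equal(p2, msg)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The three booleans in Result are the whole point: the authenticated mode refuses both the altered header and the altered ciphertext with an error the application can act on, whereas the encryption-only mode returns a plausible-looking but wrong plaintext and no signal at all.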
SC 27 WGs

Technologies for privacy, identity management and biometrics
Kai Rannenberg (1), ISO/IEC JTC 1/SC 27/WG 5 Convener, Professor of Mobile Business & Multilateral Security, Goethe University Frankfurt (Germany), www.m-chair.net
"IT security is becoming more and more of a people's problem" is not only a quote from IT security pioneer Roger Needham (University of Cambridge, UK), but a trend with major business relevance and a dual-faced challenge. Organisations need to get more efficient in identifying and addressing users and customers, e.g. by making sure that a competent point within the organisation knows which user has which access rights on which corporate resources. Nowadays employees very often have a historically grown plethora of identifiers and access rights. Often it is difficult to know and manage who has the authorization to do what. So when someone leaves an organisation it is usually difficult to revoke authorizations, accounts and access rights to avoid later misuse of corporate systems and corporate information. Establishing an efficient framework for corporate access management with reliable accountability is not a trivial task. A popular trend here is "single sign-on", basically the unification of all accounts and access rights on one system per organisation, to which users authenticate themselves and which then provides access to the resources needed, e.g. a customer database or a printer. A similar unification approach is popular in dealing with customers, e.g. when a telecom unifies customers' accounts to provide a single bill for different but related services. Currently a provider very often offers landline telephony, mobile telephony, and Internet access, and sends a different bill for each. Whereas this may cause unnecessary costs and complexity, the unification of those accounts that refer to the same customer also offers the chance to provide more customized and personalized bundled services while raising security, service quality, and customer satisfaction. A related instrument to bind accounts to a single person and to enhance the assurance of user authentication is biometric techniques, which use unique physiological and behavioural characteristics of a person, e.g. fingerprints or iris scan information, to securely identify that person.

The unification of accounts and access rights can be a double-edged sword for users and service providers alike. Users usually like the added convenience of single-sign-on systems, using one single password for a number of log-ins and access accounts. Organisations, on the other hand, see the benefit of single sign-on systems in better control and management of access rights. However, as the number of applications for one individual increases, adding numerous mobile devices or new Web services to their daily life, the risk of data misuse increases as well. The idea of just having to provide a fingerprint instead of typing a complicated password every morning is fascinating. However, the more sensitive information can possibly be accessed with this one identifier, the higher the risk for the user of falling victim to identity fraud and ultimately experiencing loss or damage. A similar scenario applies to the service provider. When it comes to personal information stored on computer systems, privacy concerns need to be taken seriously. It may well be useful for a citizen to have an account with the tax office to deal with the annual tax declaration online, and it may be useful to link this with some information on the costs paid for medical services, but e.g. a complete unification of all the data and profiles stored by the tax office, the hospital, and the health insurance would need to be managed closely and is unacceptable in many cultures, besides the fact that it may violate privacy regulations.

(1) Dr. Kai Rannenberg (www.m-chair.net) has been active in SC 27 since 1992, mainly in WG 3. In 2005 he became Co-editor of WD 24760, Co-Rapporteur of the SC 27 Study Period on identity management and Rapporteur of the SC 27 Study Period on privacy. Since March 2007 he has served as Convener of WG 5. In 2002 Kai was appointed Professor for Mobile Commerce and Multilateral Security at the Department for Business Informatics at Goethe University in Frankfurt (Germany).
At the same time biometric information can be useful to make login more secure and more convenient, but assessing the secure application of such information in computer systems is not trivial and is the subject of intensive research. Biometric information of an individual may contain sensitive medical, genetic, or health information and, therefore, could potentially cause great harm if used inappropriately or if it fell into the hands of unauthorized persons or even criminals. As a result, users want more control over their identity and over the personal information that is collected and stored on them, and they want to know who might use the data and for what purpose it is transferred to whom. They also want to be able to use technologies for anonymity and pseudonymity in order to manage whether and how they are identified in which contexts.

Considering the promising new ways in which we use technologies in our daily life and the important challenge of handling an individual's identity and personal information appropriately in the process, SC 27 established WG 5 on Identity Management and Privacy Technologies in May 2006. Currently WG 5 is active in 9 projects, with more being expected.

Final Committee Draft 24745 Biometric information protection is to provide guidance for the protection of biometric templates under various requirements for confidentiality, integrity, availability and renewability/revocability during storage and transfer. It also describes the relationship between the biometric reference and other personally identifiable information, provides the requirements for the secure and privacy-compliant management and processing of biometric information, and also clarifies the responsibility of the biometric system owner.

Committee Draft 24760 A framework for identity management addresses the secure, reliable, and privacy-respecting management of identity information, considering that identity management is important for individuals as well as organizations, in any environment and regardless of the nature of the activities they are involved in.

International Standard 24761 Authentication context for biometrics defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric verification process executed at a remote site. This IS 24761 allows any ACBio instance to accompany any data item that is involved in any biometric process related to verification and enrolment. The specification of ACBio is applicable not only to single-modal biometric verification but also to multimodal fusion.
Committee Draft 29100 Privacy framework is to provide a high-level framework for the protection of personally identifiable information (PII) within ICT systems and to establish a common privacy terminology, a description of the actors and their roles, an understanding of privacy safeguarding requirements, and a reference to known privacy principles.

Committee Draft 29101 Privacy reference architecture is to provide a consistent, high-level approach to the implementation of privacy safeguarding requirements to safeguard the processing of PII in ICT systems, and to provide guidance for planning, designing and building ICT system architectures that more effectively facilitate the privacy of individuals by preventing the inappropriate use of an individual's PII.

Committee Draft 29115 Entity authentication assurance framework (also ITU-T X.eaa) aims at enhancing trust and confidence in authentication by providing objective and vendor-neutral guidelines for authentication assurance, e.g. by using specified Levels of Authentication (LoAs) and providing guidance concerning control technologies, processes, and management activities, as well as assurance criteria, that should be used to mitigate authentication threats in order to implement those LoAs.

Working Draft 29146 A framework for access management is to define and establish a Framework for Access Management (AcM) based on the roles an entity may use to access information systems. It focuses on the secure management of the processes to access information and the information associated with the accountability of an entity within some context.

Working Draft 29190 Privacy capability assessment framework is to provide organisations with high-level guidance about how to assess the maturity of their ability to manage and achieve privacy-related outcomes. It considers that the issue of privacy management is a multi-faceted one, with multiple "privacy stakeholders" (parties who have an interest in the way the organisation in question manages privacy) imposing very different requirements and with different information needed on different hierarchy levels.

Working Draft 29191 Requirements on relatively anonymous unlinkable authentication is to provide a model of partially anonymous unlinkable authentication with identity escrow and to define its requirements. It is aimed at providing guidance on the use of group signatures and relevant mechanisms for the purpose of data minimization and user convenience. At the same time it is to allow the users to control their anonymity within the group of registered users by choosing designated escrow agents.

In addition WG 5 maintains two Standing Documents: a Roadmap (SD 1) and an Official Privacy Documents References List (SD 2).
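The "competent point within the organisation" that knows which user has which rights on which resources, the problem of revoking everything when someone leaves, and the role-based access management with accountability that WD 29146 is described as framing, together in one added example. It is my own construction, not code from WG 5 or from any SC 27 document: roles, users and resources are invented, and the audit slice stands in for whatever accountability record a real deployment keeps.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Permission is one access right: an action on a corporate resource.
type Permission struct {
	Resource string
	Action   string
}

// Registry is the single point that knows which user holds which roles, and
// therefore which access rights on which resources. Rights hang off roles only
// (the roles an entity may use, in the WD 29146 wording), never off users
// directly, so that revoking a user's roles revokes everything. Audit is the
// accountability record. Constructed example, not a standard's code.
type Registry struct {
	rolePerms map[string]map[Permission]bool
	userRoles map[string]map[string]bool
	Audit     []string
}

func NewRegistry() *Registry {
	return &Registry{
		rolePerms: map[string]map[Permission]bool{},
		userRoles: map[string]map[string]bool{},
	}
}

func (r *Registry) log(format string, args ...interface{}) {
	stamp := time.Now().UTC().Format(time.RFC3339)
	r.Audit = append(r.Audit, stamp+" "+fmt.Sprintf(format, args...))
}

// DefineRole attaches permissions to a role.
func (r *Registry) DefineRole(role string, perms ...Permission) {
	if r.rolePerms[role] == nil {
		r.rolePerms[role] = map[Permission]bool{}
	}
	for _, p := range perms {
		r.rolePerms[role][p] = true
	}
}

// Grant assigns a role to a user and records who was granted what.
func (r *Registry) Grant(user, role string) {
	if r.userRoles[user] == nil {
		r.userRoles[user] = map[string]bool{}
	}
	r.userRoles[user][role] = true
	r.log("grant user=%s role=%s", user, role)
}

// Allowed answers the access question and logs the decision, so that every
// access can later be attributed to a user and to the role that permitted it.
func (r *Registry) Allowed(user, resource, action string) bool {
	want := Permission{Resource: resource, Action: action}
	for role := range r.userRoles[user] {
		if r.rolePerms[role][want] {
			r.log("allow user=%s role=%s resource=%s action=%s", user, role, resource, action)
			return true
		}
	}
	r.log("deny user=%s resource=%s action=%s", user, resource, action)
	return false
}

// RolesOf lists a user's roles, sorted for stable output.
func (r *Registry) RolesOf(user string) []string {
	var roles []string
	for role := range r.userRoles[user] {
		roles = append(roles, role)
	}
	sort.Strings(roles)
	return roles
}

// Offboard is the leaver's case from the text: because all rights are held
// centrally, one call revokes every role. It returns what was revoked so the
// leaver's accounts on the target systems can be closed from the same list.
func (r *Registry) Offboard(user string) []string {
	revoked := r.RolesOf(user)
	delete(r.userRoles, user)
	r.log("offboard user=%s revoked=%v", user, revoked)
	return revoked
}

func main() {
	reg := NewRegistry()
	reg.DefineRole("sales", Permission{Resource: "customer-db", Action: "read"})
	reg.DefineRole("helpdesk", Permission{Resource: "printer", Action: "print"})
	reg.Grant("alice", "sales")
	reg.Grant("alice", "helpdesk")
	fmt.Println(reg.Allowed("alice", "customer-db", "read")) // true
	fmt.Println(reg.Offboard("alice"))                       // [helpdesk sales]
	fmt.Println(reg.Allowed("alice", "customer-db", "read")) // false
	for _, line := range reg.Audit {
		fmt.Println(line)
	}
}
```

The design choice worth noting is that Offboard never has to know which systems a user touched: the registry is the only place rights are recorded, which is exactly what makes revocation tractable when the historically grown plethora of identifiers the text mentions has been folded into it.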
ACBio, the first International Standard on online biometric verification, and its harmonization activities with other standards bodies
YAMADA Asahiko, Toshiba Solutions Corporation, Editor of ISO/IEC 24761

In the process of standardizing ISO/IEC 24761 Authentication context for biometrics (ACBio), a lot of experts of SC 27 and other standards bodies have supported me. That made up my mind to write this article in order to record the support the experts have given to me and to express my gratitude to them.

Technical issues in online biometric verification
Biometric verification is not used for services in open network environments, such as online shopping. This is because there are three major technical issues, as follows:

Issue 1. If biometric verification is executed on the other side of an open network, there is no evidence on which to trust the result of the biometric verification.
Issue 2. If biometric templates are stored and compared with biometric samples transmitted through an open network, either of them may be leaked or counterfeited.
Issue 3. Since the modality (fingerprint, vein, etc.) of biometric verification is determined by the service provider which uses biometric verification, the users may have to prepare multiple biometric products to use multiple modalities.

To solve these issues, ACBio was proposed.

ACBio, a solution to online biometric verification
ISO/IEC 24761 ACBio specifies a structure of data which each biometric product in a biometric verification system generates and which can assure the results of biometric verification. In other words, ACBio provides evidence of the results of biometric verification. To be more specific, an ACBio instance is digitally signed or authenticated data containing the information on the biometric product, the challenge to prevent replay attacks, the information which shows the consistency of the data transmitted between biometric products in biometric verification, and the certificate of the biometric template if the biometric product stores and uses the biometric template. Figure 1 illustrates the outline of the data structure of ACBio and how ACBio is to be used on the Internet in the future.
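The exchange the preceding paragraph sketches (Issue 1, evidence the service provider can trust, plus the challenge against replay) as an added example of my own. It is deliberately not the ASN.1 structure of ISO/IEC 24761 and does not claim to be an ACBio instance; it only carries the elements the text lists (product information, the verifier's challenge, a reference to the template used, the result) under the product's signature, with Go's standard-library Ed25519 standing in for whatever signature scheme a real product uses. The product identifier, the template bytes and the trust list are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Evidence is a simplified stand-in for an ACBio instance, NOT the ISO/IEC
// 24761 ASN.1 structure: product information, the verifier's challenge, a
// hash naming the template used, and the result, all covered by a signature.
type Evidence struct {
	ProductID    string
	Challenge    []byte
	TemplateHash [32]byte
	Matched      bool
	Signature    []byte
}

// appendField length-prefixes a field so the signed encoding is unambiguous.
func appendField(b, f []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(f)))
	return append(append(b, n[:]...), f...)
}

// signedBytes is the canonical byte string the signature covers.
func (e Evidence) signedBytes() []byte {
	b := appendField(nil, []byte(e.ProductID))
	b = appendField(b, e.Challenge)
	b = appendField(b, e.TemplateHash[:])
	if e.Matched {
		return append(b, 1)
	}
	return append(b, 0)
}

// Product is a biometric product holding its own signing key (assumed here to
// be vouched for by the product's manufacturer, as the text implies).
type Product struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewProduct(id string) (Product, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Product{}, nil, err
	}
	return Product{ID: id, priv: priv}, pub, nil
}

// Attest wraps the outcome of a comparison (performed inside the product and
// taken as given here) in evidence bound to the verifier's challenge.
func (p Product) Attest(challenge, template []byte, matched bool) Evidence {
	e := Evidence{
		ProductID:    p.ID,
		Challenge:    append([]byte(nil), challenge...),
		TemplateHash: sha256.Sum256(template),
		Matched:      matched,
	}
	e.Signature = ed25519.Sign(p.priv, e.signedBytes())
	return e
}

// Verifier is the service provider on the far side of the open network. It
// trusts only listed products and remembers the challenges it has issued.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	pending map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

func (v *Verifier) Trust(productID string, pub ed25519.PublicKey) { v.trusted[productID] = pub }

// NewChallenge issues a fresh random challenge; a signature over it shows the
// evidence was produced for this transaction and not replayed from an old one.
func (v *Verifier) NewChallenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[string(c)] = true
	return c, nil
}

// Accept decides whether the remote verification result can be trusted.
func (v *Verifier) Accept(e Evidence) error {
	pub, ok := v.trusted[e.ProductID]
	if !ok {
		return errors.New("evidence from an untrusted biometric product")
	}
	if !ed25519.Verify(pub, e.signedBytes(), e.Signature) {
		return errors.New("signature does not cover the evidence as received")
	}
	key := string(e.Challenge)
	if !v.pending[key] {
		return errors.New("challenge unknown or already consumed: possible replay")
	}
	delete(v.pending, key) // each challenge is good for exactly one result
	if !e.Matched {
		return errors.New("biometric comparison did not match")
	}
	return nil
}

func main() {
	p, pub, err := NewProduct("sensor-01")
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Trust(p.ID, pub)
	ch, _ := v.NewChallenge()
	ev := p.Attest(ch, []byte("constructed-template"), true)
	fmt.Println("first use:", v.Accept(ev))  // <nil>
	fmt.Println("replayed:", v.Accept(ev))   // error: possible replay
}
```

The order of checks in Accept matters: the signature is checked before the challenge is consumed, so an unsigned or forged message cannot burn a pending challenge, and the challenge is consumed before the result is read, so a genuine "no match" cannot be re-presented later with its Matched flag altered.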
Figure 1 - An example of systems in which ACBio is used

Support from the SC 27 experts
A contribution from the Japan NB was submitted to the Study Period on Authentication of biometric data for the SC 27 Fortaleza meeting held in October 2004 in Brazil. The contribution was Biometric Authentication Context (BAC), which was later renamed Authentication Context for Biometrics (ACBio). Phillip H. (Phil) Griffin, the US NB Head of Delegation and the Biometrics Study Period Rapporteur, proposed that BAC be recommended to SC 27. At the SC 27 meeting in Vienna, Austria, in May 2005, SC 27 resolved that BAC be proposed as an NWI. Phil, who also served as the liaison officer to ISO/TC 68 at the time, highly appreciated the BAC concept, due to the need for BAC in the ISO 19092 biometric information security management standard then under development. He strongly supported the use of BAC as the event log audit record resulting from biometric enrollment and verification in banking or financial systems where a high level of security is required. This was included in the ISO 19092 standard, along with the use of BAC to augment simple biometric comparison with a security policy-based biometric comparison decision. In the first WD, BAC was written in a style similar to ISO/IEC 19785-1 CBEFF Part 1, using prose to describe its abstract data elements, and BAC did not specify an ASN.1 module. Phil contributed the initial elements of the ASN.1 module in ACBio to improve the automation of biometric verification processing. His contributions are reflected in the ACBio International Standard. Phil has continued to support and advise ACBio activities even after he left SC 27 in 2007. He has championed the ACBio work in other standards forums, including the recent revision of the ANSI X9.84 security standard in ANSI X9, and in security education work in the International Information Systems Security Association (ISSA).

Nils Tekampe of the Germany NB was the Rapporteur of the Advisory Group on Biometrics. At every meeting, ACBio was discussed in this Advisory Group in addition to the session on ACBio itself. Nils attended almost every session on ACBio and gave a lot of useful advice.

4. Harmonization with the SC 37 experts
Very serious (thirteen) comments came from SC 37 as a liaison statement on the 1st WD (issued in August 2005), expressing its concerns about the ACBio project. The 1st WD was not clear enough about what ACBio intended to standardize. Therefore it might have led to misunderstanding, since it appeared to be very similar to ISO/IEC 19785-1 CBEFF Part 1 and appeared to specify yet another International Standard, ignoring the impacts on SC 37 projects. At the SC 37 Kyoto meeting in January 2006, SC 37 Chairman Fernando Podio and WG 2 Convenor Prof. Young Bin Kwon gave the ACBio project a chance to explain ACBio to the experts of SC 37/WG 2, which standardizes biometric technical interfaces. They understood the intention of ACBio and decided to found a Special Group on ACBio (SG on ACBio) to review the succeeding drafts of ACBio. This was the beginning of the harmonization between SC 37 activities and the ACBio project. At Kyoto, Alessandro Triglia of the US NB posed a difficult problem: ACBio should be applicable to multimodal fusion biometrics. It took about half a year to solve this problem. In September 2006, the answer was examined by Alessandro, Greg Cannon, and Fred Herr of the US NB. Because of this challenge, the resulting ACBio specification can completely deal with multimodal fusion. At the SC 37 London meeting in July 2006, the SG on ACBio was held. After the discussion on ACBio, the ACBio project requested the SG on ACBio to make the International Standards specified in SC 37/WG 2 handle ACBio in the future. The result was beyond expectation.
It was concluded, with strong leadership from John Larmouth, to propose an NWI to amend the ISO/IEC 19784-1 BioAPI specification, which specifies the API for BioAPI implementations and the Service Provider Interface for standard interfaces within a biometric system. In addition, security features of encryption and integrity were included. After the discussion at the SC 37 Wellington meeting in January 2007, it was agreed that it was necessary to divide the work into three projects: ISO/IEC 19784-1 Amd.3, ISO/IEC 24709 Amd.1, and ISO/IEC 19785-4. As ISO/IEC 24709 Amd.1 was dependent on ISO/IEC 19784-1 Amd.3, and as ISO/IEC 24709 is dependent on ISO/IEC 19784-1, ISO/IEC 24709 Amd.1 was suspended until the completion of ISO/IEC 19784-1 Amd.3. In ISO/IEC 19784-1, biometric data is input and output in the data structure called CBEFF BIR defined in ISO/IEC 19785-1. The API with security features was to be specified in ISO/IEC 19784-1 Amd.3, since no specification of security features was defined in ISO/IEC 19785-1. As a result, it was concluded that the structure of the Security Block, which contains information related to the security features for CBEFF, would be specified in ISO/IEC 19785-4. Later, after the SC 37 Tel Aviv meeting, ACBio became the underlying format for the CBEFF Security Block. In 2010, these two projects were completed (subject to final standardization and publication). This could not have been accomplished without the effort and support of John, Fred, and Alessandro. In addition, John introduced Jean-Paul Lemaire, a member of the ITU-T SG 17 Question on ASN.1 and the ISO/IEC Convenor on Directories, to the ACBio project. Jean-Paul checked the ASN.1 module of ACBio and provided invaluable advice on how to improve it.

In SC 37, biometric performance testing and reporting is standardized in WG 5. The ACBio project asked WG 5 to specify a machine-readable format for testing and reporting at the SC 37 Berlin meeting in July 2007, since a machine-readable test report makes it possible to give information about the products used in biometric verification if it is packed into ACBio instances (data objects compliant with the specification of ACBio). The request was accepted and the ISO/IEC 29120 series was approved after the Berlin meeting. Patrick Grother of the US NB took the editorship of the series and reflected the contribution from the ACBio project in the draft texts, which are now at the CD stage. The ACBio project will continue to support the work until the International Standards are approved.

5. Support from the SC 17 experts
In some models of biometric verification, IC cards play a very important role, for example to store biometric templates. Therefore it has been thought to be very important for ACBio to describe examples of ISO/IEC 7816 command sequences used to generate ACBio instances, since ISO/IEC 7816 specifies the standard set of commands to operate IC cards.
Slnce Lhe edlLor of AC8lo ls a non experL of lC cards and Lhus had dlfflculLy Lo preclsely undersLand lSC/lLC 7816, Lhe concreLe examples of commands whlch ?C8lMC1C ?oshlkazu and SAkAMC1C Shlzuo of SC 17 !apan n8 had made Lo supporL Lhe AC8lo pro[ecL have been a greaL help. 1he frulL ls seen ln Annex 8 of lSC/lLC 24761. ln Lhe process of maklng command sequences, lL was found LhaL Lhe currenL speclflcaLlon of lSC/lLC 7816 was noL approprlaLe enough Lo generaLe AC8lo lnsLances lf Lhe card was capable of comparlng blomeLrlc LemplaLes wlLh blomeLrlc samples. now ln SC 17, a new command 8C (erform 8lomeLrlc CperaLlon) ls belng sLandardlzed Lo lmprove Lhe blomeLrlc operaLlons on lC cards. ln Lhe near fuLure, Lhe generaLlon of AC8lo ls planned Lo be speclfled ln Lhe 8C command.
174 6. narmon|zat|on w|th I1U-1 SG 17 experts ln l1u-1 SC 17, Lhere have been a cerLaln number of sLandardlzaLlon acLlvlLles relaLed Lo blomeLrlcs. Lspeclally Lhe ob[ecLlve of x.1084 1eleblomeLrlcs sysLem mechanlsm and LhaL of x.1089 1eleblomeLrlcs auLhenLlcaLlon lnfrasLrucLure (1Al) were closely relaLed Lo LhaL of AC8lo. x.1084 has speclfled an exLenslon of 1LS (1ransporL Layer SecurlLy) Lo blomeLrlc verlflcaLlon and x.1089 has speclfled an auLhenLlcaLlon lnfrasLrucLure, uslng a range of blomeLrlc cerLlflcaLes, for remoLe auLhenLlcaLlon of human belngs.. 1he AC8lo pro[ecL has dlscussed Lhe harmonlzaLlon wlLh Lhe edlLors, lSC8L ?oshlakl of x.1084 and Wel !lwel of x.1089, for several Llmes. As a resulL, boLh l1u-1 recommendaLlons reference AC8lo as a normaLlve sLandard whlch has enhanced Lhe lnLegrlLy of Lhe 1eleblomeLrlcs sLandard seL. Slnce Lhe lmporLance of blomeLrlcs ln LelecommunlcaLlon ls lncreaslng, more collaboraLlve work ls expecLed ln Lhe nexL verslon of Lhe documenLs. At tbe eoJ of tbls ottlcle, l woolJ llke to exptess my qtotltoJe oqolo to oll tbe expetts wbo kloJly sboteJ tlme fot Jlscossloo wltb me to moke Ac8lo o bettet lotetootloool 5tooJotJ. l bove beeo vety boppy to be wltb tbem. l olso woolJ llke to tbook. ltof.. NAMukA keojl, tbe cooveoot of 5c 27/wC 2, fot bls kloJ soppott wbeo Ac8lo wos boto ooJ oo lofoot, ltof.. kol koooeobetq, tbe cooveoot of 5c 27/wC 5, fot fostetloq Ac8lo to oo lotetootloool 5tooJotJ, letoooJo loJlo, tbe 5c J7 cboltmoo, fot Jltectloq tbe botmoolzotloo wltb votloos ptojects lo 5c J7, ltof.. oooq 8lo kwoo, tbe cooveoot of 5c J7/wC, fot ottooqloq tbe botmoolzotloo wltb 5c J7/wC 2, especlolly wltb 5C oo Ac8lo, lbllllp 5totbom, tbe cooveoot of 5c J7/wC 5, fot tokloq cote of tbe telotloo betweeo l5O/lc 29120 setles ooJ Ac8lo. 
References
ISO/IEC 7816-4, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange
ISO/IEC 7816-8, Identification cards - Integrated circuit cards - Part 8: Commands for security operations
ISO/IEC 7816-11, Identification cards - Integrated circuit cards - Part 11: Personal verification through biometric methods
ISO/IEC 19784-1, Information technology - Biometric application programming interface - Part 1: BioAPI specification
ISO/IEC 19784-1 AMENDMENT 3, Information technology - Biometric application programming interface - Part 1: BioAPI specification AMENDMENT 3 - Support for interchange of certificates and security assertions, and other security aspects
ISO/IEC 19785-1, Information technology - Common Biometric Exchange Formats Framework - Part 1: Data element specification
ISO/IEC 19785-4, Information technology - Common Biometric Exchange Formats Framework - Part 4: Security Block format specifications
ISO/IEC CD 29120-1, Machine readable test data for biometric testing and reporting - Part 1: Test reports
ISO/IEC CD 29120-3, Machine readable test data for biometric testing and reporting - Part 3: Test certificates
ISO 19092, Financial Services - Biometrics - Security framework
ITU-T X.1084, Telebiometrics system mechanism - Part 1: General biometric authentication protocol and system model profiles for telecommunications systems
ITU-T X.1089, Telebiometrics authentication infrastructure (TAI)
ANSI X9.84, Biometric Information Management and Security for the Financial Services Industry
FIDIS
Hans Hedbom (Karlstad University, Sweden, Liaison Officer from FIDIS to SC 27/WG 5)
FIDIS (Future of Identity in the Information Society, www.fidis.net) is a multidisciplinary Network of Excellence (NoE) initially funded by the 6th European Research Framework Programme. The aim of FIDIS is to foster integration of research in the identity and identity management area, such as the role of identity and identification and the interoperability of identity and identity management technologies and concepts. As part of this work FIDIS established a liaison with ISO/IEC JTC 1/SC 27/WG 5 to disseminate its findings into the standardization world as well as to broaden our own horizons and get new views and comments on our findings. SC 27/WG 5 was chosen for a number of reasons: the plain and transparent processes of ISO/IEC standardization, the competence that we observed among the national experts and the global outreach of SC 27 and its WGs. All in all we feel that the cooperation has been very successful and beneficial for FIDIS, and we feel that we have both been able to give guidance as well as being influenced during the whole process.
PICOS congratulates SC 27 on its 20th birthday!
Zdenek Riha [Masaryk University Brno, Czech Republic, Liaison Officer to SC 27/WG 5 from PICOS]
PICOS (Privacy and Identity Management for Community Services, www.picos-project.eu) is proud to have established the liaison with ISO/IEC JTC 1/SC 27/WG 5 and to support WG 5's projects, especially the Privacy Architecture (29101). PICOS is an international research project, with a special focus on mobile communities. The PICOS consortium consists of eleven partners from seven different countries, supported by the EU as a part of the Trust & Security Group within the 7th Research Framework Program. It contains specialists from the fields of science, research and industry. The objective of the project is to advance the state of the art in technologies that provide privacy-enhanced identity and trust management features within complex community-supporting services that are built on Next Generation Networks and delivered by multiple communication service providers. PICOS' approach is to research, develop, build, trial and evaluate an open, privacy-respecting, trust-enabling identity management platform that supports the provision of community services by mobile communication service providers.