
ETSI 2nd Security Workshop: Future Security 16-17 January 2007 - Sophia-Antipolis, France Workshop Report


Overview
Keynote speeches
Session 1: ETSI Security I - Public Safety and Security
Session 3: ETSI Security III - Upcoming challenges
Session 4: CEN/CENELEC Security
Session 5: ETSI Security IV: Fixed/Mobile Convergence and Security
Session 6: ISO/IEC and ITU-T Security
Conclusions and Recommendations for the Future


Overview

The 2nd ETSI Security Workshop, hosted by ETSI in Sophia Antipolis on 16-17 January 2007, brought together over 100 people involved in security standards for two full days, with further participants following the free web broadcast. Presentations were given by experts representing organisations such as ETSI, CEN, CENELEC, the European Commission, ITU-T, ENISA, ISO/IEC, GSMA, KPN, Telefonica, EADS and others. The workshop met its goal of making a broad assessment of the current situation in security, providing collaboration and coordination opportunities, as well as direction for future work. Delegates were enthusiastic about participating in the 3rd ETSI Security Workshop, planned for 15-16 January 2008.

Some key issues identified in the Workshop were:

• Product proofing: a new area with a lot of potential for new standards; the ETSI White Paper that is being produced will help to raise awareness inside and outside ETSI; collaboration between security specialists and criminology experts is also necessary;
• An idea for regulation modelling was raised that could help in avoiding ambiguity in regulations;
• Many bodies are working on smart cards (CEN, ISO, ETSI) and links were made for coordination;
• A closer link opportunity was created with the ITU network of experts initiative;
• The smart card high speed interface security work in ETSI SCP and its relation to ETSI TETRA needs to be looked at;
• Public warning systems are instrumental for Emergency Telecommunications;
• Retained Data is being successfully tackled within ETSI LI;
• Work on DRM (Digital Rights Management) might be necessary: TISPAN is currently looking into the matter in its work on IPTV;
• Hot Topics for Security for 2007:
  o for 3GPP, GAA/GBA (as authentication architecture in 3G);
  o Healthcare;
  o Identity Management (work currently ongoing in ITU and ISO).


Keynote speeches

Welcoming speech - Jørgen Friis, ETSI Deputy Director General
The participants were welcomed to the 2nd ETSI Security Workshop, and the work of ETSI was described. GSM was developed by ETSI for Europe and is now a worldwide success story, with almost 2 billion users in over 200 countries and one million new users every day. ETSI's Lawful Interception handover standard is being deployed in Europe, and also in the USA and Australia, where the laws are being developed to comply with the ETSI standard. DVB system specifications based on DVB Project proposals have services available on every continent. TETRA has more than 600 contracts in 70 countries. There are also radio microphones and cordless audio equipment, and global agreement on common standards, among many other successes. ETSI has a global membership; the Institute was established as a European body and retains European responsibilities, but many of ETSI's Members are global players and so ETSI seeks to have its standards adopted worldwide. Over 100 of ETSI's Members (about 20% of the total) have no established operations in Europe, and many of the other 80% are headquartered outside Europe. Some of the latest standards are:

• Next Generation Networks (NGN)
• Ultra wideband (UWB)
• Band sharing
• Grid
• RFID
• Low Power Devices
• Emergency alerting, eCall
• GSM on aircraft
• Communications for Public Safety

New technologies bring new security challenges: they require new security mechanisms and features, because as technology becomes more powerful, attackers take advantage of it and become more powerful too. Security failures are no longer just an embarrassment; they directly affect the stock value of companies. Information security standards are essential to ensure interoperability; standardisation ensures compliance of products with adequate levels of security and with legislative action. Information security standardisation facilitates economic realisation and cost reduction, and ETSI has 20 years of experience in security. The user gives primary importance to the level of service he receives, and that level is also determined by the level of security provided by the products and services that are used.


ETSI Security Activities Overview - Charles Brookson - ETSI OCG-Security Chairman, DTI
Charles Brookson introduced the ETSI activities in Security. ETSI OCG (Operational Coordination Group) Security is a lightweight security group with the aim of coordinating security issues inside ETSI and with organisations outside. Some of the activities of OCG Security are the creation of the ETSI Security Workshop and the ETSI Security White Paper, as well as other awareness raising and coordination activities. The activities of ETSI in Security include:
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
A number of issues are open and are considered as future challenges: Product Proofing, DRM, NGN and Retained Data. Security standards for future technologies are the next challenge, and ETSI can meet that challenge.

EC Communication COM(2006)251 on a Strategy for a Secure Information Society - Gérard GALLER - Policy Officer, European Commission DG Information Society Unit A3: Internet; Network & Information Security
The EC Communication on a Strategy for a Secure Information Society, published in 2006, invites Europe to give even greater importance to information security, to apply its principles in European companies, and to revitalise the 2001 strategy communication. The context and goals the Communication sets out are:
• New business and technical paradigms;
• Security has become a political issue;
• Increasing focus on the protection of critical infrastructures;
• Improving coordination between the various EC policy initiatives;
• Answering the demand of EU and international stakeholders to cooperate;
• Taking the newly created ENISA into account;
• Stimulating a risk management approach.
Among other things it was revealed that there will be a communication on cybercrime inviting Member States to collaborate in fighting cybercrime. Also, wider use of the Common Criteria and the related certification is deemed necessary; in this context it was pointed out that TISPAN has adopted the CC approach for NGN standards. It was pointed out that IPR issues are not included in the Communication; this was accepted as a possible omission.

ENISA Activities in Security - Elisabetta Carrara - ENISA Security Expert In the presentation the different activities within ENISA were described.


ENISA was created with the objective of:
• enhancing the capability in Europe to prevent, address and respond to NIS problems;
• becoming a centre of expertise and stimulating cooperation;
• providing assistance and advice to the Commission and the Member States;
• assisting the Commission in the technical preparatory work for Community legislation in the field of NIS.
ENISA's activities in 2006 were focused on awareness raising, CERT guidelines and inventorying, several workshops on security topics, and NIS standardisation and activities tracking. ENISA is currently in the process of selecting the topics on which to produce position papers for 2007. Input on this is welcome.


Session 1: ETSI Security I - Public Safety and Security
Adrian Scrase, ETSI's Chief Technical Officer, chaired this session. Among other things he stressed that the event is a workshop and not a conference; the delegates were therefore invited to participate actively in the discussions and debate.

EMTEL - Raymond Forbes - ETSI EMTEL Chairman, Ericsson
The EMTEL Special Committee of ETSI is responsible for creating requirements concerning emergency communication services. The need for emergency telecommunications covers many scenarios, ranging from a minor road traffic accident to a major incident such as a passenger train crash, a terrorist incident or a natural disaster (e.g. an earthquake or tsunami). Provision for emergency telecommunications is also a major requirement in disaster situations. EMTEL acts as a key coordinator in gathering requirements on emergency communications, both from outside ETSI (i.e. from different stakeholders) and from inside ETSI (i.e. ETSI bodies). It provides requirements on issues of network security, network integrity, network behaviour in emergency situations, and emergency telecommunications needs in networks. It also coordinates the ETSI positions on EMTEL-related issues and is the interface for emergency communications issues between ETSI and EC/EFTA, NATO, ITU groups, the CEPT ERO and relevant CEN and CENELEC committees. EMTEL covers the issues of:

• Communication of citizens with authorities,
• Communication from authorities to citizens,
• Communication between authorities,
• Communication amongst citizens.

EMTEL addresses both fixed and mobile networks and both public and private networks. Other relevant bodies are COCOM, IETF and 3GPP. EMTEL also collaborates with other ETSI committees; a lot of EMTEL work on requirements is then brought into NGN. The Committee has produced a number of standards and is currently revising some of them. EMTEL is also involved in some EU projects, one of them being the eCall initiative, which could currently proceed faster. During the presentation it was specified that there is not yet a standard listing the parameters and values for measuring performance when an emergency communication mechanism is activated during a disaster.

Security modules for Professional Mobile Radio - Frederic ROUSSEAU, EADS Secure Networks
To protect PMR there are several services in place:
• Air interface protection, local to each radio cell;
• Network infrastructure security;
• End-to-end communications security between end-users' applications;
• Management of security features for each subscriber.
Several security module solutions for PMR exist, offering services such as secure storage, encryption, authentication, integrity management and other methods. Concerning UICC synergies with PMR, it was pointed out that there is a need for a high speed interface for smart cards; it has to be noted that there are some differences between the civil requirements and the PMR requirements. Nevertheless, ETSI SCP should collaborate closely with ETSI TETRA on this topic.

3GPP in Public Safety and Security - Joerg Swetina, 3GPP TSG SA1 Vice-Chairman
3GPP has some services dedicated to public safety: the Priority Service and Multimedia Priority Service, VGCS (Voice Group Call Service) for public authority officials, and the transfer of emergency call data. The ongoing work on a Public Warning System was judged a very interesting feature; a possible application of this system could be a witness alert, which has been used successfully on other infrastructures. As a result of the 2006 workshop, work was done on "Selective Disabling of UE Capabilities"; it is expected to be finalised this year in 3GPP Rel-7 (3GPP CT1 is currently working on it). Regarding the Cell Broadcast service, it was pointed out that it might not be suited to 3GPP and that a new feature might be created. In EMTEL, XML schemas and digital signatures are being considered in order to authenticate where emergency messages come from (i.e. which government authority).
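One way the origin authentication mentioned for EMTEL could work, as an added example in Go that is not from the presentation and does not follow any ETSI, 3GPP or EMTEL schema: an authority signs a small XML warning with an Ed25519 key, and a receiver acts on it only if the claimed sender is in its registry of trusted authorities and the signature verifies over the canonical payload. The Warning/SignedWarning element names, the civil-protection.example and rogue.example identifiers and the message text are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Warning is a hypothetical public-warning payload for this example; the
// element names are not taken from any ETSI or 3GPP schema.
type Warning struct {
	XMLName  xml.Name `xml:"Warning"`
	Sender   string   `xml:"sender,attr"` // identifier of the issuing authority
	Severity string   `xml:"Severity"`
	Area     string   `xml:"Area"`
	Text     string   `xml:"Text"`
}

// SignedWarning carries the payload plus an Ed25519 signature over its
// canonical encoding, base64-encoded for transport inside XML.
type SignedWarning struct {
	XMLName   xml.Name `xml:"SignedWarning"`
	Payload   Warning  `xml:"Warning"`
	Signature string   `xml:"Signature"`
}

// canonical re-marshals the payload so signer and verifier sign/verify the
// same bytes; encoding/xml output is deterministic for a given struct value.
func canonical(w Warning) ([]byte, error) { return xml.Marshal(w) }

// Sign is run by the authority holding the private key.
func Sign(w Warning, priv ed25519.PrivateKey) (SignedWarning, error) {
	msg, err := canonical(w)
	if err != nil {
		return SignedWarning{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return SignedWarning{Payload: w, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Registry lists the authorities a receiver trusts, keyed by sender identifier.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownSender = errors.New("sender not in trusted registry")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Verify is run by the receiver before acting on a warning.
func Verify(raw []byte, reg Registry) (Warning, error) {
	var sw SignedWarning
	if err := xml.Unmarshal(raw, &sw); err != nil {
		return Warning{}, err
	}
	pub, ok := reg[sw.Payload.Sender] // key lookup is bound to the claimed sender
	if !ok {
		return Warning{}, ErrUnknownSender
	}
	sig, err := base64.StdEncoding.DecodeString(sw.Signature)
	if err != nil {
		return Warning{}, err
	}
	msg, err := canonical(sw.Payload)
	if err != nil {
		return Warning{}, err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return Warning{}, ErrBadSignature
	}
	return sw.Payload, nil
}

// runDemo has one authority sign a warning and a receiver verify it, then
// rejects a tampered copy and a copy re-attributed to an unlisted sender.
func runDemo() (genuine, tampered, spoofed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	reg := Registry{"civil-protection.example": pub}
	w := Warning{Sender: "civil-protection.example", Severity: "Extreme",
		Area: "Sophia-Antipolis", Text: "Flash flood: move to higher ground"}
	sw, err := Sign(w, priv)
	if err != nil {
		return err, err, err
	}
	raw, _ := xml.Marshal(sw)
	_, genuine = Verify(raw, reg)
	_, tampered = Verify(bytes.Replace(raw, []byte("Flash flood"), []byte("All clear"), 1), reg)
	_, spoofed = Verify(bytes.Replace(raw, []byte(`sender="civil-protection.example"`),
		[]byte(`sender="rogue.example"`), 1), reg)
	return genuine, tampered, spoofed
}

func main() {
	g, t, s := runDemo()
	fmt.Printf("genuine: %v\ntampered: %v\nspoofed: %v\n", g, t, s)
}
```

The point the check makes is that the public key is selected by the sender identifier carried in the message, so a forger cannot simply relabel a genuine message as coming from another authority, and any change to the signed fields breaks the signature. Provisioning the registry of authority keys onto receivers and protecting against replay of an old but genuine warning (a timestamp or sequence number inside the signed payload) are left out here and would be needed in a real system.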

TETRA Security - Paul Leighton, Sepura
TETRA is deployed around the world, from small commercial networks to national public safety networks, and each TETRA user has different security needs. Standards work continues under the Security and Fraud Prevention Group (SFPG) and ETSI TETRA WG6. TETRA security mechanisms include authentication, air-interface encryption (protecting signalling, identities and voice/data traffic), stun/kill terminal disabling (so that only valid terminals are allowed on the network) and end-to-end encryption (increasing the protection of voice/data traffic). Mutual authentication is used in TETRA so that a user cannot be made to authenticate to a false infrastructure.


ETSI LI is the leading body in lawful interception standardisation. ETSI LI has created the generic handover interface specification and the IP-based handover interface specification; in addition, a set of service-specific details for the interception of IP services has been produced. Some security considerations for LI are that authorisation to operate LI solutions must be restricted to authorised personnel, and that interception must not be detectable by the intercepted target. Retained data is also tackled in ETSI LI; consideration of this future work had begun long ago in the Committee, and the 1st ETSI Security Workshop helped to increase momentum and start the activities. Lawful interception standardisation is characterised by the need for participation from different parties: regulators, law enforcement, manufacturers and service providers or operators are all necessary to produce effective standards that correctly address all the requirements. Key escrow and key length for encryption were discussed; while it was pointed out that key issues are out of scope for LI, when encrypted content is delivered the key is usually also expected to be delivered. Satellite LI was mentioned; TC LI is following TC SES closely.

Regulatory Framework for Communications Security and Privacy in Greece - Georgia Bafoutsou, Nicolaos Antoniadis - ADAE (Hellenic Authority for the Assurance of Communications Security and Privacy)
The regulatory framework for secure communications was recently put in place in Greece by the competent authority (ADAE). The framework covers several aspects of information security, lawful interception and data retention. ADAE regulations are mainly based on the standards ISO/IEC 17799:2000 and ITU-T X.1051, and the ETSI standards are used for lawful interception.

Security requirements capture from the EU regulatory framework - Scott Cadzow, C3L
Some of the EC Directives that make up the security regulation for Europe are the Framework directive (Directive 2002/21/EC), the Authorisation directive (Directive 2002/20/EC), the Access directive (Directive 2002/19/EC), the Privacy directive (Directive 2002/58/EC) and the Universal service directive (Directive 2002/22/EC) of the European Parliament. Regulation can gain the following benefits from standardisation:
• Technological neutrality
• Removal of technical entry barriers
• Opening up new markets and economic models
• Indirectly creating economies of scale
• Encouraging multiple representation, to be able to respond to the goals of competition


It was discussed whether there could be a need for formal modelling of regulations to avoid ambiguity. Such a modelling language could be a tool to translate regulatory requirements into specific impacts on standards, and would reduce the possibility of non-compliance.


Session 3: ETSI Security III - Upcoming challenges Charles Brookson, ETSI OCG-Security Chairman and Deputy Director for Standards in the DTI chaired the session.

Proofing Products against Crime - Shaun Whitehead - Loughborough University
Proofing products against crime describes the act of integrating or embedding crime-prevention features into products. This aims to reduce their potential to become targets of criminal activity (such as theft, fraud or damage), as well as preventing their use as instruments of crime. Situational crime prevention is instrumental in reducing crime. The solution of a centralised EIR (Equipment Identity Register) was discussed in this context; it was pointed out that this solution has had some success so far, with three countries in Europe having put the system in place: Lithuania, France and the UK. The techniques of product proofing can also be applied to crime in Second Life; the goal of the project is to be able to apply them to anything. Crime displacement was discussed: in some cases crime can be prevented without being displaced but instead dispersed, meaning the crime wave is not as harsh as in the original area of occurrence. It was concluded that collaboration between security specialists and criminology experts is necessary.

Electronic Signatures - Riccardo Genghini - ETSI ESI Chairman, Studio Notarile Genghini
ETSI TC ESI is responsible for Electronic Signatures and Infrastructures standardisation. There are currently four Special Task Forces assisting in this activity:
• STF 298 Electronic Signature profiles format, adapting TS 101 903 and TS 101 733 to business use;
• STF 305 Digital Accounting (SODA), specifying the formats and security properties of signed documents for accounting;
• STF 317 Algo-Paper parameter revision, adapting the security requirements of algorithms to new security threats;
• STF 318 Registered e-mails, specifying the application of electronic signatures for securing e-mails and their delivery receipts.
ETSI TC ESI is also collaborating with international organisations such as the Asia PKI Forum, APEC, the US Federal PKI, IETF and ECOM. Upcoming challenges for ESI are e-Invoicing, Registered Email (REM) and Digital Accounting.

Voice Printing and Reachability Code (VPARC) Mechanism for SPIT - Ranjith Mukundan, Vijay Radhakrishnan, WIPRO Technologies India
Spam, in the context of electronic mail (e-mail), is any message that is transmitted to a large number of recipients, some or all of whom have not explicitly and knowingly requested it.


VoIP networks using the public Internet are subject to vulnerabilities similar to those of e-mail. With the expected growth in VoIP deployments on the open Internet there is a huge incentive for telemarketers to spam users with unsolicited information: using VoIP, telemarketers can send messages to thousands of addresses at a time, rather than tying up a single phone line to make one call. Types of SPAM are call spam, instant messaging spam and presence spam. Several ways exist to counter SPAM, some of them being:
• Black lists, where a spam filter maintains a list of the addresses and domain names of potential spammers;
• White lists, where a list is maintained of callers from whom the user is willing to accept calls;
• Identity assertion, where the identity of the sender of a SIP message can be securely established.
Work countering SPAM is ongoing in IETF and TISPAN. It was suggested that charging is a way to combat SPAM. It was also pointed out that excessive false rejects (unnecessary blacklisting) could amount to a DoS attack on the user.
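The three countermeasures above, as an added example in Go that is not code from the presentation or from any ETSI or IETF work: a minimal INVITE header scan feeds a filter that applies a white list, a black list and an identity-assertion check, and that challenges rather than rejects unknown callers so that a false reject does not itself become a denial of service. The policy values, the example.org, spam.example, partner.example and unknown.example domains and the SIP messages are constructed for the example. The P-Asserted-Identity header is the one defined in RFC 3325; in a real deployment its trustworthiness comes from the peer it arrived from, which this offline example approximates by checking the asserted domain against a trusted list.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the screening outcome: ring the user, answer 603 Decline, or challenge the caller.
type Decision string

const Accept, Reject, Challenge Decision = "accept", "reject", "challenge"

// invite holds the caller URI from From and from P-Asserted-Identity ("" if absent).
type invite struct{ From, PAI string }

// uri reduces a value such as "Bob" <sip:bob@example.org>;tag=1 to bob@example.org.
func uri(v string) string {
	if i, j := strings.Index(v, "<"), strings.Index(v, ">"); i >= 0 && j > i {
		v = v[i+1 : j]
	}
	v = strings.TrimPrefix(strings.TrimPrefix(strings.TrimSpace(v), "sips:"), "sip:")
	if i := strings.IndexAny(v, ";?"); i >= 0 {
		v = v[:i]
	}
	return v
}

// parseInvite is a minimal header scan, not a full RFC 3261 parser.
func parseInvite(raw string) (invite, error) {
	var inv invite
	lines := strings.Split(raw, "\r\n")
	for _, l := range lines[1:] {
		if l == "" {
			break // blank line ends the headers
		}
		name, val, _ := strings.Cut(l, ":")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "from", "f":
			inv.From = uri(val)
		case "p-asserted-identity":
			inv.PAI = uri(val)
		}
	}
	if !strings.HasPrefix(lines[0], "INVITE ") || inv.From == "" {
		return inv, fmt.Errorf("not a well-formed INVITE")
	}
	return inv, nil
}

// Filter holds the three countermeasures named in the talk: callers the user always
// accepts, known spam callers or domains, and domains whose asserted identities are trusted.
type Filter struct{ Whitelist, Blacklist, TrustedDomains map[string]bool }

func (f Filter) Screen(inv invite) Decision {
	_, fromDomain, _ := strings.Cut(inv.From, "@")
	_, paiDomain, _ := strings.Cut(inv.PAI, "@")
	switch {
	case f.Whitelist[inv.From]:
		return Accept // the user asked for these calls
	case f.Blacklist[inv.From] || f.Blacklist[fromDomain]:
		return Reject // known spam source
	case inv.PAI != "" && inv.PAI == inv.From && f.TrustedDomains[paiDomain]:
		// Identity assertion; in practice the trust comes from the hop the
		// header arrived over (RFC 3325), not from the header text itself.
		return Accept
	}
	// Unknown or unasserted caller: challenge rather than reject, so a false
	// reject does not silently deny service to a legitimate caller.
	return Challenge
}

// sampleInvites are constructed for this example, not captured traffic.
var sampleInvites = []string{
	"INVITE sip:alice@example.org SIP/2.0\r\nFrom: \"Bob\" <sip:bob@example.org>;tag=1\r\n\r\n",
	"INVITE sip:alice@example.org SIP/2.0\r\nFrom: <sip:deals@spam.example>;tag=2\r\n\r\n",
	"INVITE sip:alice@example.org SIP/2.0\r\nFrom: <sip:carol@partner.example>;tag=3\r\nP-Asserted-Identity: <sip:carol@partner.example>\r\n\r\n",
	"INVITE sip:alice@example.org SIP/2.0\r\nFrom: <sip:carol@partner.example>;tag=4\r\n\r\n",
	"INVITE sip:alice@example.org SIP/2.0\r\nFrom: <sip:mallory@unknown.example>;tag=5\r\nP-Asserted-Identity: <sip:mallory@unknown.example>\r\n\r\n",
	"REGISTER sip:example.org SIP/2.0\r\nFrom: <sip:bob@example.org>\r\n\r\n",
}

// runDemo screens each sample under an example policy; malformed requests are declined.
func runDemo() []Decision {
	f := Filter{
		Whitelist:      map[string]bool{"bob@example.org": true},
		Blacklist:      map[string]bool{"spam.example": true},
		TrustedDomains: map[string]bool{"partner.example": true},
	}
	var out []Decision
	for _, raw := range sampleInvites {
		if inv, err := parseInvite(raw); err != nil {
			out = append(out, Reject)
		} else {
			out = append(out, f.Screen(inv))
		}
	}
	return out
}
func main() { fmt.Println(runDemo()) }
```

Samples 3 and 4 carry the same From but only the first is accepted, because the From header alone is forgeable and Accept is granted only when a trusted domain asserted the identity; sample 5 shows an assertion from an untrusted domain earning nothing more than a challenge. The white list in this example is keyed on From alone and therefore inherits that forgeability, which is the reason the identity-assertion step exists.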


Session 4: CEN/CENELEC Security
Chaired by Luc van den Berghe - CEN Pre-Standards Department Unit Manager
Luc opened the session: CEN/CENELEC presents its security activities at the workshop for the second year in a row. Relating to the presentation of Riccardo Genghini, e-Invoicing standardisation is also being conducted successfully in CEN.

Towards the establishment of an international network and trust-enhancing mechanism under the heading of the "Global Trust Centre" (GTC) - Thomas Andersson - President of Jönköping University and Chairman IKED
The presence of a fragmented framework for trust and security in the digital world is hampering the development and diffusion of orderly solutions. Most responses have thus far been supply-driven and piecemeal in various respects. New mechanisms are needed to articulate the demand side and to help coordinate and diffuse solutions, notably in respect of authentication. The presentation surveyed the report "Enabling Trust in the Digital World" and the international efforts made in recent years to establish an international network and trust-enhancing mechanism under the heading of the "Global Trust Center" (GTC). During questions it was specified that to obtain trust there must be a compromise with privacy: the user must be willing to make some of his personal data available. The GTC project is currently open to proposals for collaboration.

CEN's activities towards a Citizen Electronic Card Technical Specification - Lorenzo Gaston - Gemalto
The activities of CEN in specifying a Citizen Electronic Card were presented. Italian participation in ECC-4 will come in the near future; for now WG15 consists of GE, UK, FR and DK. WG16 and WG17 are also working on protection profiles. Health is out of the scope of the ECC; generic mechanisms are sought instead. Contactless is in scope, and with some adaptations both contact and contactless are possible. There is currently no liaison with ETSI SCP, but the problems addressed are much the same, e.g. countering man-in-the-middle attacks so as to provide a secure communication channel even over non-secure middleware.

Alarm Systems: Now and the Future - Sharon Cumberbatch - CENELEC TC79 Alarm Systems Secretary
The activities of the CENELEC Alarm Systems Committee were presented. The Committee tackles issues such as intruder and hold-up alarm systems, detection devices for intruder alarm systems, control and indicating equipment, power supplies, social alarm systems, alarm and monitoring systems (transmission equipment), warning devices, CCTV surveillance systems for security applications, access control systems for security applications, alarm and monitoring systems (transmission networks) and others. Future activities in the field foresee the introduction of new technologies to make alarm systems more efficient and effective, the incorporation of multiple functionalities in the same device, and the development of some application-based solutions.


Session 5: ETSI Security IV: Fixed/Mobile Convergence and Security Chaired by Judith E. Y. Rossebø, who is ETSI TISPAN WG7 Chairman and works for Telenor R&D.

3GPP Security - Valtteri Niemi - 3GPP SA3 Chairman, Nokia
The leading principles of 3G security are to further enhance the 2G security features and to add countermeasures against real weaknesses in 2G. The main security characteristics of GSM are user authentication and radio interface encryption, a SIM used as a security module operating without user assistance, and a minimal need for trust in the serving network. The security highlights of Releases 5, 6 and 7 were presented. Release 5 provides strong mutual authentication, re-use of the UMTS AKA protocol, integration of UMTS AKA into HTTP Digest, inter-operator signalling via security gateways, and end-to-end security. Release 6 introduces security for WLAN interworking. Release 7 introduces GBA as a possible way of putting GAA in place, and supports HTTPS between the UICC and the NAF.

GAA/GBA: a new architecture for single sign-on - Luis Angel Galindo - Telefonica Móviles Spain
Several solutions exist for putting a Generic Authentication Architecture (GAA) in place; GBA (Generic Bootstrapping Architecture) and SSC (Support for Subscriber Certificates) are alternatives for this, and the solution with each of them was presented. The timeline in which GBA for mobiles will be available depends on the market and on the deployment of IMS services. New services are enabled by more secure mechanisms rather than simple passwords. In conclusion, GBA provides medium security, but less than asymmetric key systems, while SSC provides high security but at a higher computational load, since a PKI is needed to generate certificates.

TISPAN Security - Judith E. Y. Rossebø - ETSI TISPAN WG7 Chairman, Telenor R&D
ETSI TISPAN is responsible for specifying NGN within ETSI. TISPAN proposes an architecture basis consisting of a range of subsystems:
• Access network attachment subsystem
• Resource and admission control subsystem
• PSTN/ISDN emulation subsystem
• IP Multimedia Subsystem (IMS) (from 3GPP)
• IPTV subsystem


TISPAN Working Group (WG) 7 is responsible for the management and coordination of the development of security specifications for TC TISPAN. For TISPAN NGN Release 1, TISPAN WG7 has:
• Defined security requirements;
• Defined a security architecture for NGN R1;
• Conducted threat and risk analyses for specific NGN use cases;
• Proposed countermeasures;
• Standardised Lawful Interception functional entities, information flows and reference points.
TISPAN WG7 produces specifications by conducting a systematic threat, vulnerability and risk analysis (TVRA). The threat analysis task provides a methodology for selecting the countermeasures that are actually necessary, rather than a random set of them. The web tool being developed will further enhance this methodology. New areas of focus for TISPAN include SPIT countermeasures and a DRM study to discover whether suitable DRM standards are available; otherwise SAGE is going to be consulted for this purpose. The security standardisation taking place in TISPAN covers cases of mobility and the relevant interconnection points.

Smart Cards - Klaus Vedder - ETSI SCP Chairman, Giesecke & Devrient GmbH
This presentation described the smart card activities in TC SCP and earlier initiatives. The group has 18 years of dedication and real-life experience, and was founded in March 2000 as the successor of SMG9 (the "SIM people", who specified the SIM for GSM). The SIM is the most successful smart card application, with more than 1.6 billion subscribers and 4 billion SIMs deployed. The mission of the group is to create a series of specifications for a smart card platform, based on real-life (outside) requirements, on which other bodies can base their system-specific applications so as to achieve compatibility between all applications resident on the smart card. We have now evolved from the SIM to the UICC: from a standardised application offering secure value added services to a true multi-application security platform providing the user with a wealth of opportunities. The UICC provides a standardised security platform on which specific applications can be realised using today's interface to the outside world. Logical channels allow applications to run in parallel; applications may share standardised security functions, and applications may have their own security functions and attributes. The new high speed interface being standardised will allow the smart card to be used for DRM, stream ciphering (Pay TV) and as a mass storage device. A contactless interface is also being standardised. The vision is to turn today's mobile phone into a multipurpose terminal, a lifestyle tool and a personal security device by establishing a second, contactless communication channel. During the questions, it was specified that electronic signatures could be used (e.g. signing SMS) but that SCP provides the underlying infrastructure, a platform on which to work. In a scenario where the card is used with banks, the interests of bank and operator must be separated; the trusted interface could be a trusted third party that allows the desired application to be downloaded onto the card and acts as the middleman in the transaction, as in the banking circuits.

GSM Association - James Moran - GSMA Fraud and Security Director The GSMA is the world's largest cellular trade association. Its objective is to speak with a single voice on behalf of the operator community and to establish building-block requirements. The GSMA Security Group is the association's oldest working group, established in 1989. It helped specify the security protocols for GSM, presented as the most secure mobile standard; it partners with 3GPP TSG SA3 and ETSI SAGE, holding four meetings per year plus one annual joint meeting with the Fraud Forum. It also runs a GSM 2000 joint project team with ETSI/3GPP TSG SA3. The GSMA Security Group work items for 2007 are:
• Develop a standard risk assessment methodology
• Emergency messaging and warning
• Develop operator guidelines for secure HSPA in laptops
• Develop a handset security roadmap
• Analyse the impact of mobile malware
• Identify and document BTS/IP security issues
• Counter phishing techniques that hamper communications
• Standards-based SMS/MMS spam countermeasures
• Support deployment of the A5/3 and GEA3 cipher algorithms
• Produce a security algorithm implementation strategy
• Risk assessment of emerging services
The GSMA security services are:
• Algorithm distribution services
• Fraud and security advisory service
• Support and project management
• Document and online content maintenance
• Security Accreditation Scheme
• GSMA fraud training programme
• IMEI Database
• Monitoring and reporting on handset theft


Session 6: ISO/IEC and ITU-T Security Chaired by Mike Harrop, ITU-T Rapporteur SG17 Q4, Communications Security Project, the session presented the activities of ISO/IEC and ITU-T in security, as well as some real-world examples.

ISO/IEC JTC1 SC27 - Dr. Marijke De Soete - ISO/IEC JTC1 SC27 Vice-Chairman, NXP Semiconductors This presentation illustrated the ISO ISMS standards and related initiatives. The interests of ISO/IEC JTC 1/SC27 WG1 include information security management systems (ISMS), information security best practice, risk management, metrics and measurements, implementation guidance, information security incident handling, IT network security, TTP services and DR services. The ISO 27000 ISMS series includes standards on requirements, measurements, risk management and implementation. ISO/IEC 17799 (renumbered as 27002) is the Code of Practice for information security management, covering a large number of topics such as asset management, mobile code, vulnerability management, human resources, incident handling and others. ISO/IEC JTC 1/SC27 WG1 has a liaison with ITU-T, and collaboration is taking place on a number of issues. It was noted that there is currently no liaison with ETSI's Technical Committees, except for the liaison of ISO/IEC JTC 1/SC27 WG2 with the ETSI SAGE Special Committee. During the presentation it was discussed that there may be overlapping work among the ISO committees, for example on identity management standards.

Hierarchical Security Management - Johan Bakker, KPN Information Security Governance Principal Policy Advisor Deploying an Information Security Management System in a large company such as KPN is challenging. ISO 27001 provides a model and requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. The idea was to adopt the same ISMS approach at the operational, tactical and strategic levels, so that all levels share the same vocabulary, document templates and concepts. The parameters of an ISMS are scope, context, types of assets, aspects of the assets, risks and controls. The implementation project took about six months. It was pointed out that what matters most in a standard is its successful implementation.


Overview of ITU-T Security Activities - Mike Harrop, ITU-T Rapporteur SG17 Q4, Communications Security Project This presentation gave a brief overview of ITU-T security standards activities and highlighted some of the recent key achievements, particularly those resulting from the October workshop "New Horizons for Security Standardization". ITU-T SG 17 is the Lead Study Group on telecommunication security and is responsible for coordinating security across all Study Groups. It is subdivided into three Working Parties (WPs):
• WP1 - Open systems technologies;
• WP2 - Telecommunications security; and
• WP3 - Languages and telecommunications software.
Current interests are:
• End-to-end multicast communications with QoS managing facility
• Directory services, directory systems, and public key/attribute certificates
• Open Systems Interconnection (OSI)
• Communications Systems Security Project
• Security architecture and framework
• Cyber security
• Security management
• Telebiometrics
• Secure communication
• Countering spam by technical means
The SG17 Security Standards Roadmap, a project aimed at producing a database of all relevant security standards from Standards Developing Organizations (SDOs) globally, has now been completed, and the search tool will be available online. The recently created Focus Group on Identity Management was discussed; similar activities are also under way in some other SDOs.


Conclusions and Recommendations for the Future The workshop met its goal of making a broad assessment of the current situation in security, providing collaboration and coordination opportunities, as well as direction for future work. There was enthusiasm from the delegates to participate in the 3rd ETSI Security Workshop, planned for 15-16 January 2008. Some recommendations for future focus were:

• Possible work in healthcare, or at least sharing and convergence of the various ideas. A number of SDOs are involved in ICT issues for healthcare, some with multiple Committees. As the topics of security, privacy and trust are of primary importance in this field, great attention and stronger coordination and collaboration should be .

• Product proofing against crime is a topic to be developed in 2007. The ETSI White Paper being produced will help to raise awareness inside and outside ETSI; collaboration between security specialists and criminology experts is also necessary. Much further work is needed in this area to respond effectively to the EC Mandate M/355.

• Identity Management is another hot topic in security for 2007. A well-defined concept of digital identity is essential for network architecture, service provisioning, content handling, billing and charging. Currently there is no common denominator in this field among SDOs. Some work is already going on in ITU and ISO and is being monitored by others; further sharing of ideas is essential.