
JTC 1 Security and Privacy Entities



Presentation Transcript


  1. JTC 1 Security and Privacy Entities • SC 17 Cards and Personal Identification • SC 27 IT Security • SC 37 Biometrics • SC 40 IT Governance

  2. JTC 1 Security and Privacy • JTC 1 security work focuses on these areas of IT security: • Technology mechanisms • Services • Management • Governance • Evaluation and testing • Privacy technologies

  3. Security and Privacy Topic Areas • Governance: information security management system (ISMS) requirements plus ISMS accreditation, certification and auditing (including accredited CB requirements, guidance on ISMS auditing and guidelines for auditors on ISMS controls); ISMS supporting guidance (codes of practice for information security controls, ISMS risk management, ISMS performance evaluation and ISMS implementation guidance); ISMS sector-specific security controls (including application- and sector-specific controls, e.g. Cloud, Telecoms, Energy, Finance) and sector-specific use of the ISMS requirements standard • Security services and controls: focusing on contributing to security controls and mechanisms, covering ICT readiness for business continuity, IT network security, 3rd party services, supplier relationships (including Cloud), IDS, incident management, cyber security, application security, disaster recovery, forensics, digital redaction, time-stamping and other areas • Identity management and privacy technologies: including application-specific topics (e.g. cloud and PII), privacy impact analysis, privacy framework, identity management framework and entity authentication assurance framework • Security evaluation, testing and specification: including evaluation criteria for IT security, framework for IT security assurance, methodology for IT security evaluation, cryptographic algorithms and security mechanisms conformance testing, security assessment of operational systems, SSE-CMM, vulnerability disclosure, vulnerability handling processes, physical security attacks, mitigation techniques and security requirements • Cards and personal identification: including physical characteristics, circuit cards, machine readable cards, motor vehicle driver's licence • Biometrics: including file formats, programming interfaces, data interchange formats, biometric profiles, biometric information protection, biometric authentication • Cryptographic and security mechanisms: including encryption, digital signature, authentication mechanisms, data integrity, non-repudiation, key management, prime number generation, random number generation, hash functions

  4. Key Security Products • ISO/IEC 27001 – Information Security Management System (ISMS) • 27000 Family of Standards • ISO/IEC 18033 – Encryption Algorithms • specifies asymmetric ciphers and symmetric ciphers • ISO/IEC 7811 – Identification Cards • ISO/IEC 2382-37 – Vocabulary • Harmonized vocabulary for biometrics

  5. ISO/IEC 27000 family relationship (diagram; the groupings below are what survives of it) • Vocabulary: 27000 • Audit: 27006, 27007, 27008 • Governance: 27014 • ISMS: 27001, 27009 • Controls: 27002, 27011, 27017, 27018, 27019, 27799 • Implementation: 27003, 27015 • Metrics: 27004 • Risk management: 27005, 27010, 27013 • Control-clause specific: Clause 17 - 27031; Clause 13.1 - 27033; Clause 16 - 27035; Clause 15 - 27036; Clause 12.4 - 27039 • Investigative: 27037, 27038, 27040, 27041, 27042, 27043, 27050 • Also shown in the diagram: ISO 31000, ISO/IEC 20000-1, 27016, 27032, 27034

  6. Key Privacy Products • ISO/IEC 29100 – Privacy Framework • Identifies privacy principles • ISO/IEC 29134 – Privacy impact assessment • ISO/IEC 29115 - Entity authentication assurance framework

  7. Vertical Topic Areas • Cloud Computing • Accessibility • Health Care • IoT • Societal considerations • Telecom

  8. Key Work Products Related to Verticals • Cloud Computing • ITU-T X.1631|ISO/IEC 27017 – Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002 • ISO/IEC 27018 - Code of practice for PII protection in public clouds acting as PII processors • ISO/IEC 27036-4 - Information security for supplier relationships – Part 4: Guidelines for security of cloud services • Health Care • ISO/IEC 27999 • Societal considerations • ISO/IEC 27032 – Guidelines for Cybersecurity • Telecom • ITU-T X.1051|ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

  9. In Progress and Future Work Areas • Cyber Insurance • Cyber Resilience • Cloud Computing • SLA for security and privacy • Trusted connections • Virtualization • Big Data • Security and Privacy considerations • IoT • Privacy considerations • Identity Management • Security considerations • Privacy implications related to SmartPhone Applications • Privacy • Information Management System • Notices and Consent • De-identification techniques

  10. Collaboration with GSC Organizations • ITU-T • SG 17 – Information Security, Cloud Security, ISMS, Identity • SG 20 – IoT • SG 13 – Cloud Computing • ETSI • Cybersecurity, Cloud Security, Privacy, Crypto mechanisms • IEEE • Cloud Security, Information Assurance, storage, IoT

  11. Collaboration with Groups outside JTC 1 • INTERPOL • OASIS • ISC2 • FIRST • Opengroup • ISACA • ENISA • Amex • MasterCard • VISA • Article 29 Data Protection Working Party

  12. Summary • JTC 1 sees Security and Privacy as a key topic in all technology areas • JTC 1 Security and Privacy collaborates with many Industry Organizations through close liaison relationships • Security and privacy crosses many technology areas

  13. For Additional Information

  14. JTC 1/SC 17 Cards and Personal Identification • Standardization in the area of: • Identification and related documents • Cards and devices associated with their use in inter-industry applications and international interchange

  15. SC 17 Structure • WG 10 (Motor vehicle driver licence and related documents) Convenor: Ms. Loffie Jordaan • WG 11 (Application of biometrics to cards and personal identification) Convenor: Lin Yih

  16. SC 37 Biometrics • Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting; and cross-jurisdictional and societal aspects.

  17. SC 37 Structure • Special Group on Strategy

  18. SC 27 Mission • SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes requirements, methods, techniques and guidelines to address aspects of both security and privacy in regard to: • Information security management systems (ISMS) • Cryptographic and security mechanisms • Security evaluation, testing and specification • Security controls and services • Identity management and privacy technologies • See the SC 27 site for further information: • http://www.jtc1sc27.din.de/en

  19. SC 27 Structure SWG-M (Management) Convenor: Faud Khan Vice-convenor: Anders Carlstedt SWG-T (Transversal Items) Convenor: Andreas Fuchsberger Vice-convenor: Laura Lindsay

  20. SC 27 Projects Facts & Figures • Projects • Total no. of projects: 210 • No. of active projects: 74 • Current number of published standards: 136 • Standing Documents (all freely available from the SC 27 site as given below) • SD6 Glossary of IT Security terminology (http://www.jtc1sc27.din.de/sbe/SD6) • SD7 Catalogue of SC 27 Projects and Standards (http://www.jtc1sc27.din.de/sbe/SD7) • SD11 Overview of SC 27 (http://www.jtc1sc27.din.de/sbe/SD11) • SD12 Assessment of cryptographic algorithms and key lengths (http://www.jtc1sc27.din.de/sbe/SD12)

  21. SC 27 Members • P-members (voting) • Algeria, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Côte-d'Ivoire, Cyprus, Czech Republic, Denmark, Finland, France, Germany, India, Ireland, Italy, Israel, Jamaica, Japan, Kazakhstan, Kenya, Rep. of Korea, Luxembourg, Malaysia, Mauritius, Mexico, Morocco, The Netherlands, New Zealand, Norway, Peru, Poland, Romania, Russian Federation, Rwanda, Singapore, Slovakia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Thailand, The Former Yugoslav Republic of Macedonia, Ukraine, United Arab Emirates, United Kingdom, United States of America, Uruguay (Total: 51) • O-members (observing) • Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Estonia, Ghana, Hong Kong, Hungary, Iceland, Indonesia, Islamic Rep. of Iran, Lithuania, State of Palestine, Portugal, Saudi Arabia, Serbia, Slovenia, State of Palestine, Swaziland, Turkey (Total: 20)

  22. SC 27 Liaison Partners • Internal Liaisons within ISO • ISO/CASCO • ISO/JTCG Joint technical Coordination Group on MSS • ISO/TC 46/SC 11 Information and documentation – Archives/Records management • ISO/TC 68/SC 2 Financial services -- Security • ISO/TC 171 Document management applications • ISO/TC 176/SC 3 - Quality management and quality assurance - Supporting technologies • ISO/TC 176/SC 3/WG 16 Quality management and quality assurance - Supporting technologies - Joint WG with TC 207/SC2 for the revision of ISO 19011 • ISO/TC 204 Intelligent transport systems - WG 1 Architecture • ISO/TC 208 Thermal turbines for industrial application (steam turbines, gas expansion turbines)

  23. SC 27 Liaison Partners • Internal Liaisons within ISO • ISO/TC 215 Health informatics - WG 4 Security • ISO/TC 251 Asset management • ISO/TC 262 Risk management • ISO/TC 292 Security and resilience

  24. SC 27 Liaison Partners • Internal Liaisons within IEC • IEC/TC 45/SC 45A Instrumentation, control and electrical systems of nuclear facilities • IEC/TC 57 Power systems management and associated information exchange - WG 15 Data and communication security • IEC/TC 65 Industrial-process measurement, control and automation – WG 10 Security for industrial process measurement and control – Network and system security

  25. SC 27 Liaison Partners • Internal Liaisons within ISO/IEC JTC 1 • JTC 1 Ad Hoc on vocabulary • JTC 1/WG 7 Sensor networks • JTC 1/WG 8 Governance of IT • JTC 1/WG 9 Big Data • JTC 1/WG 10 Internet of Things (IoT) • SC 6 Telecommunications and information exchange between systems • SC 7 Software engineering • SC 17/WG 3 Machine readable travel documents • SC 17/WG 4 Integrated circuit cards with contacts • SC 17/WG 11 Application of biometrics to cards and personal identification • SC 22 Programming languages, their environments and system software interfaces • SC 25 Interconnection of IT equipment • SC 31/WG 4 Automatic identification and data capture techniques • SC 36 Information technology for learning, education, and training • SC 37 Biometrics • SC 38 Distributed application platforms and services (DAPS) • SC 40 IT service management and IT governance

  26. SC 27 Liaison Partners • External CAT A Liaisons • Cloud Computing Association (CSA) • ECMA International • European Network and Information Security Agency (ENISA) • European Payment Council • European Telecommunications Standards Institute (ETSI) • ETSI Industry Specification Group (ISG) Information security indicators (ISI) • ETSI TC Methods for Testing & Specification (ETSI TC MTS) • Information Systems Audit and Control Association/IT Governance Institute (ISACA/ITGI) • ITU-D Study Group 2 ICT applications, cybersecurity, emergency telecommunications and climate-change adaptation • ITU-T Joint coordination activity on identity management (JCA-IdM) • ITU-T Focus Group on aviation applications of cloud computing for flight data monitoring (FG AC) • ITU-T Study Group 13 (ITU-T SG 13) • ITU-T Study Group 17 (ITU-T SG 17) • MasterCard • VISA Europe

  27. SC 27 Liaison Partners • External CAT C Liaisons • ABC4Trust • ARTICLE 29 Data Protection Working Party • Cloud Standards Customer Council (CSCC) • Common Criteria Development Board (CCDB) • Consortium of Digital Forensic Specialists (CDFS) • Cyber Security Naming and Information Structure Group Corporation • ETSI Industry Specification Group (ISG) Information Security Indicators (ISI) • EuroCloud • European Data Centre Association (EUDCA) • European Telecommunications Standards Institute (ETSI) • Forum of Incident Response and Security Teams (FIRST) • Future of Identity in the Information Society (FIDIS) • Information Security Forum (ISF) • Instituto Latinoamericano de Aseguramiento de la Calidad A. C. (INLAC) (The Latin-American Institute for Quality Assurance A.C.)

  28. SC 27 Liaison Partners • External CAT C Liaisons • International Conference of Data Protection and Privacy Commissioners • International Information Systems Security Certification Consortium, Inc. (ISC)2 • International Smart Card Certification Initiatives • Interpol • Kantara Initiative • PRACTICE (FP7 Project: Privacy-preserving Computation in the Cloud) • PRIPARE (FP7 Project) • Privacy and Identity Management for Community Services (PICOS) • Technology-supported Risk Estimation by Predictive Assessment of Sociotechnical Security (TREsPASS) • The Open Group • The OpenID Foundation • Trusted Computing Group (TCG)

  29. SC 27 Liaison Partners • External liaisons under the Vienna Agreement • CEN/TC 224 Personal identification, electronic signature and cards and their related systems and operations • CEN/TC 225 AIDC technologies • CEN/TC 377 Air Traffic Management • CEN/CENELEC/ETSI/SGCG Joint CEN, CENELEC and ETSI activities on standards for Smart Grid

  30. SC 27 WG 1 Mission • Information Security Management Systems • The scope covers all aspects of standardisation related to information security management systems: • a) Management system requirements; • b) ISMS methods and processes, implementation guidance, codes of practice for information security controls; • c) Sector and application specific use of ISMS; • d) Accreditation, certification, auditing of ISMS; • e) Competence requirements for information security management system professionals; • f) Governance; • g) Information security economics.

  31. WG 1 Products

  32. WG 1 Products

  33. WG 1 Products

  34. WG 1 Products

  35. WG 1 Products

  36. WG 1 Future Considerations

  37. SC 27 WG 2 Mission • Cryptography and Security Mechanisms • The Terms of Reference: • Identify the need and requirements for these techniques and mechanisms in IT systems and applications; and • Develop terminology, general models and standards for these techniques and mechanisms for use in security services. • The scope covers both cryptographic and non-cryptographic techniques and mechanisms, including: • Confidentiality; • Entity authentication; • Non-repudiation; • Key management; and • Data integrity, such as • Message authentication, • Hash-functions, and • Digital signatures.

  38. WG 2 Products

  39. WG 2 Products

  40. WG 2 Products

  41. WG 2 Products

  42. WG 2 Products

  43. WG 2 Products

  44. WG 2 Products

  45. WG 2 Future Considerations

  46. SC 27 WG 3 Mission • Security Evaluation, Testing and Specification • The scope covers aspects related to security engineering, with particular emphasis on, but not limited to standards for IT security specification, evaluation, testing and certification of IT systems, components, and products. The following aspects may be distinguished: • a) security evaluation criteria; • b) methodology for application of the criteria; • c) security functional and assurance specification of IT systems, components and products; • d) testing methodology for determination of security functional and assurance conformance; • e) administrative procedures for testing, evaluation, certification, and accreditation schemes.

  47. WG 3 Products

  48. WG 3 Products

  49. WG 3 Products

  50. WG 3 Products
