
ITU-T SG17 Q.3 Telecommunication information security management



Presentation Transcript


  1. ITU-T SG17 Q.3 Telecommunication information security management
  An overview
  Miho Naganuma, Q.3/17 Rapporteur
  17 March 2016

  2. SG17, Security
  Study Group 17 Working Parties:
  • WP 1/17 Fundamental security
  • WP 2/17 Network and information security
  • WP 3/17 IdM + Cloud computing security
  • WP 4/17 Application security
  • WP 5/17 Formal languages
  Questions:
  • Q1/17 Telecom./ICT security coordination
  • Q2/17 Security architecture and framework
  • Q3/17 IS Management
  • Q4/17 Cybersecurity
  • Q5/17 Countering spam
  • Q6/17 Ubiquitous services
  • Q7/17 Applications
  • Q8/17 Cloud Computing Security
  • Q9/17 Telebiometrics
  • Q10/17 IdM
  • Q11/17 Directory, PKI, PMI, ODP, ASN.1, OID, OSI
  • Q12/17 Languages + Testing

  3. Question 3
  The only Question for information security "management" in SG17
  • Why has information security become so important?
  • What do we have to protect?
  • What is the perspective of a telecommunication organization?
  (Figure labels: Business continuity; Managing business assets; Organizational view; Technical view; Addressing security challenges on a global scale)

  4. What do we need to consider?
  (Figure labels: Organization; Compliance; Incident handling; Assets; Governance; Operations; Human assets; Policies; Communications; Networks; Physical and environment; Business continuity; Systems; Supplier / external organization relationships)

  5. Questions
  • Specific security management issues for telecommunications organizations?
  • Management issues for small and medium-sized telecom organizations?
  • Using the existing standards (ITU-T, ISO/IEC and others)?
  • In a cloud computing environment?
  • Personally identifiable information protection?
  • IPv6 environment?

  6. Recommendations
  (Figure labels: X.1052 Framework; X.1051; X.1056 Incident mgt; X.1054 Governance; X.1057 Asset mgt; X.1055 Risk mgt)
  X.1051: "Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002"

  7. X.1051
  • ITU-T X.1051 | ISO/IEC 27011
  • Revised version will be published soon: "Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations"
  • Joint documents with ISO/IEC JTC1 SC27
  • Controls in ISO/IEC 27002:2013 plus a telecommunications-extended control set

  8. Information security controls: 2016

  9. Information security controls: 2016

  10. Structure of controls
  8 Asset management (Domain)
  8.1 Responsibility for assets (Sub-clause)
  Objective: To identify organizational assets and define appropriate protection responsibilities.
  8.1.1 Inventory of assets
  Control: Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.
  Implementation guidance: The implementation guidance from ISO/IEC 27002 8.1.1 applies.
  (Same objectives and controls as ISO/IEC 27002)

  11. Structure of controls (cont.)
  Telecommunications-specific implementation guidance: When developing and maintaining the inventory of assets, clear responsibilities between the telecommunications facilities of the organization and those of other connected or related telecommunications organizations should be specified and clearly documented. The list of assets should be comprehensive, covering all telecommunications assets of value, including information assets for network facilities, network services and applications. Additional resources can be found in the Bibliography.
  Other information: The other information from ISO/IEC 27002 8.1.1 applies.
  (Sector-specific guidance and other information are additional to ISO/IEC 27002)

  12. Recommendations - 1
  • Governance of information security (Rec. ITU-T X.1054)
  (Figure: Rec. ITU-T X.1054 - Implementation of governance model)

  13. Recommendations - 2
  • Information security management:
  • Information security management system (Recs. ITU-T X.1051, X.1052)
  • Risk management and risk profile guidelines (Rec. ITU-T X.1055)
  • Security incident management guidelines (Rec. ITU-T X.1056)
  • Asset management guidelines (Rec. ITU-T X.1057)
  (Figures: Rec. ITU-T X.1055 - Risk management process; Rec. ITU-T X.1052 - Information security management; Rec. ITU-T X.1057 - Asset management process)

  14. Recommendations - 3
  • Incident organization and security incident handling: Guidelines for telecommunication organizations (Rec. ITU-T E.409)
  (Figures: Rec. ITU-T E.409 - Pyramid of events and incidents; Rec. ITU-T X.1056 - Five high-level incident management processes)

  15. Management view of IS, CS and PII
  (Figure labels: Example; Information security; PII; Cybersecurity)

  16. Challenges (2014-2016)
  • X.1051rev
  • X.gpim: Code of practice for personally identifiable information protection (common text with ISO/IEC 29151)
  • X.sgsm: Information security management guidelines for small and medium telecommunication organizations
  • X.sup-gpim: Supplement to ITU-T X.gpim, Code of practice for PII protection based on X.gpim for telecommunications
  • X.sup-gisb: Best practice for implementation of X.1054 on governance of information security; case of Burkina Faso
  • X.Sup 23: ITU-T X.1037 - Supplement on security management guidelines for the implementation of an IPv6 environment in telecommunication organizations (Q2/17)
  • X.1631: Code of practice for information security controls based on ISO/IEC 27002 for cloud services (Q8/17)

  17. Collaboration with ISO/IEC JTC1 SC27
  International Organization for Standardization / International Electrotechnical Commission
  JTC1 SC27: Security techniques
  • WG1 Information security management system
  • WG2 Cryptography and security mechanisms
  • WG3 Security evaluation, testing and specification
  • WG4 Security controls and services
  • WG5 Identity management and privacy technologies
  Common documents / updating related projects: X.gpim, X.1051, X.1631

  18. Next Challenge
  • Not yet confirmed, but:
  • Emerging issues for the "cyber resilient" organization
  • Traditional approach + cyber approach and...

  19. Thank you
  Rapporteur: Miho Naganuma
  Associate Rapporteur: Kyeong Hee Oh