82-03-10 Development and Implementation of Security Standards
John P. Hopkinson

Payoff

This article describes the groups involved in the process of developing standards for information security. The method by which an international security standard is produced is identified. In addition, the article includes a discussion of how standards are used, a review of recently published security standards, and current standards development programs. Problems with the current standardization process are identified, together with potential resolutions.

Introduction

In today's commercial environment the need to communicate and the pressures to exchange information quickly are increasing. Electronic Data Interchange (EDI) is a significant force in this direction. (In fact, EDI is no longer seen as conferring competitive advantage; it is the competitive norm.) It is becoming essential for organizations to possess such technical capabilities if they are to remain competitive.

For two or more computers to exchange information, they must either communicate in the same way or be able to translate data. To keep the number of options for information exchange and processing within reasonable bounds, some commonly agreed formats (known as standards) are helpful. These standards are important and are becoming more commonplace in information technology, and they can cover many areas.

This article addresses standards for information security. It includes:

- An introduction to the different types of standards development groups.
- An insight into how standards are produced.
- A review of the major areas of standards development.
- Suggested improvements to the standards development process.

The suggested improvements stem from discussions with the users of standards. Although some of the statements and assumptions may be applicable to other standards areas, they are primarily directed towards security standards.

Standards Development Groups

Standards development groups can be divided into the following types:

- International.
- Regional.
- National.

Each of these groups has a distinct level of involvement in the IS discipline. These groups are examined in the following sections.

International Standards Group

The first group of standards-writing bodies identified is the international one. This group consists primarily of three organizations:

- The International Organization for Standardization (ISO).
- The International Electrotechnical Commission (IEC).
- The International Telecommunications Union (ITU), previously called the International Telegraph & Telephone Consultative Committee (CCITT).

ISO and ITU have the greatest level of activity in the information security area, and it is important to note that a great deal of cooperation exists between them. Activities are currently under way to enhance and expand this cooperation and make it more efficient. ISO and IEC have been working together for many years in different but related areas. An example of ISO and IEC cooperative activities is the Joint Technical Committee 1 (JTC 1). Within ISO/IEC JTC 1, Subcommittee 27 is responsible for the development of security techniques. Subcommittee 27 consists of three working groups:

- Working Group 1, responsible for requirements, security services, and guidelines.
- Working Group 2, responsible for both cryptographic and noncryptographic techniques.
- Working Group 3, responsible for evaluation criteria.

It should be pointed out that, although ISO develops standards for the use of cryptography, it does not standardize cryptographic algorithms.

The other group within JTC 1 that is most heavily involved in security is Subcommittee 21. This group focuses on Open Systems Interconnection, and it concentrates on the modeling and framework aspects of security. Several other committees within ISO have some involvement with security (e.g., Subcommittees 6, 17, 18, and 30, and Technical Committee 68), though to a much lesser extent than Subcommittee 27, which is entirely security oriented, and Subcommittee 21.

Although it may appear that development of security standards is spread over many different groups, very close liaison exists between all the subcommittees and working groups. In addition, some moves are taking place to concentrate more security activities in Subcommittee 27.

Regional Standards Group

There is currently only one regional standards group, the European Commission. This body is developing standards for all countries that are part of the European Economic Community. The ultimate goal of this group is to develop a single set of standards for all of Europe. This reduces incompatibilities, or at least ensures interworking. The European Commission is putting considerable effort into the development of standards and investing heavily in the development of security standards.

Although only one regional standards-setting body exists at this time, it is reasonable to expect that others will appear. The development of multicountry free-trade blocs can be expected to stimulate the growth of this type of standards-setting body. It may be that the development of a North American free-trade area will lead to the formation of a regional standards body.

National Standards Group

The majority of nations have one or more standards-writing bodies. Within the national standards group there tend to be two subgroups: one for the military and national security segments of the government, and one for the remainder of the government and the commercial sector. The differences between the two groups tend to be of degree and focus or direction, rather than fundamental differences of principle.

An additional area that should be mentioned is sectorial standards groups. In the national category there are many sectorial standards groups (e.g., banking and medical sector groups). In addition, many sectorial groups have international counterparts, and many are part of other organizations (e.g., in the international community, Technical Committee 68, mentioned previously, deals with banking standards; Technical Committee 68 is also part of ISO/IEC).

Within different countries or communities, standards are used in different ways. In some cases, standards are given the force of law and must be complied with. In other areas, standards may be enforced by regulatory authorities, with penalties set for noncompliance. And in other areas, standards are advisory and may be used if desired; although there may be encouragement to use standards, nonuse does not incur a penalty. These differences have an impact on the way in which standards are perceived within the different communities and on the level of effort and involvement put into the development of standards.

Standards Development

International standards are usually developed by a process of consensus. (This is particularly the case with ISO standards.) The majority of parties involved in the development of the standard must agree on the content of the standard and the way in which it is written. This process affects all stages of the development of a standard.

This technique may slow the process; however, the result is (hopefully) acceptable to all concerned. In addition, it ensures that no one group influences the standard unduly, thus gaining commercial advantage. Another result of this process is that in many cases there are options available within the standard; two products may comply with the standard and yet not be completely compatible. Although this may be seen as a disadvantage of the standard, it is a natural consequence of the consensus process. To do otherwise would cause some groups to ignore the standards, thus defeating the whole standards-setting process. The standards provide a framework and a metric for obtaining interoperability. The process is by no means ideal; however, until one that is acceptable to all is developed, it is the only available process.

In addition, standards groups often try to adapt standards that already exist to their own uses. There can be many sources of input. The initial input may come from such sources as another standards-writing body, de facto standards, commercial products, or in some cases research (although the latter case is unusual).

The experts who develop standards, for the most part, do so in their own time and through the auspices of their employers. They are not employed by the standards-writing bodies. The level of support within the community has a dramatic bearing on the number of contributing experts and their level of involvement. The majority of experts are experts in their particular technical field, not in writing standards. In addition, the writing ability of the experts may not be the foremost. Nonetheless, this process ensures that the individuals developing the standards are actively involved in the field, have practical and current experience, and are in tune with the future directions of the area. It also encourages greater participation.

Other Standards Groups

During the last few years, several other groups have emerged that claim to be developing standards. These groups include commercial vendors or vendor groups, and user groups. The essential differences between these groups and the formal standards organizations are the following:

- They are not formally constituted.
- They are not open, and they lack formal accrediting authorities.
- Their standards are not generally produced by consensus.
- They lack the formal procedures to verify a consensus position.
- They tend to serve a narrower community or interest.
- The results produced tend to be narrower in focus.
- The results tend to be difficult to expand or to apply to broader areas.

Although the international standards groups do sometimes make use of the products of these nonaccredited groups as a basis for the development of international standards, the standards frequently require considerable rework and modification, and the end result usually bears little resemblance to the original. In general, ISO tends to avoid sectorial issues (with such obvious exceptions as banking), and it produces standards for the general community. This is often not the case with the standards produced by other groups. This gives rise to considerable concern, particularly within the international standards community, because one of the key aims is to reduce fragmentation and barriers to linking systems together. The international community is driving towards truly open systems. Although some of these other groups may have open systems in mind, their results are often sectorial in nature and run counter to this direction.

Use of Standards

Standards are written with many different users in mind. However, they are primarily written for the use of the implementor of the standard. The implementation group could be the manufacturer of a product (e.g., a cryptographic device) or an organization that wishes to develop a system that includes cryptographic devices. They could also be systems integrators, value-added resellers, and third-party product developers. From the system implementor's point of view, standards are most important if they intend to use products from several different manufacturers. Standards are essential to ensure compatibility. Standards also ensure that as products change and evolve, different elements continue to work together.

Trends in Development and Implementation

There is normally a time lag from the completion of a standard to its implementation in products. Two very important standards from a security perspective are the X.400 and X.500 standards. These standards have applicability beyond security. X.400, originally published in 1984, was enhanced in 1988 as X.400(88) and again in 1992 as X.400(92). A number of products implementing the X.400(88) enhancements are now available, with a few implementing the 92 enhancements as well. Some organizations have implemented mail systems using X.400(88) and X.500. Although the use of these standards requires careful planning, they provide considerable benefit to the organization.

A number of important areas are currently being worked on within several groups in the international community. These areas include:

- Security frameworks.
- Security guidelines.
- Security evaluation criteria.
- Security mechanisms.

Security Frameworks

Security frameworks are being developed based on the open systems security architecture, IS . They expand on the security services identified within the security architecture. The frameworks do not identify mechanisms to implement a particular service, but they do identify requirements for services and an overall structure. As an example, the cryptographic key management framework provides a general overview, while the supporting parts address such specific mechanisms as key management using symmetric or asymmetric algorithms. The frameworks are being developed by ISO/IEC JTC1/Subcommittee 21 and ISO/IEC JTC1/Subcommittee 27 in cooperation and are at differing stages of completion.

Security Guidelines

Security guidelines covering such areas as management, trusted third parties, baseline controls, and the use and selection of security services and mechanisms are in proposal or development stages. One of the most important projects within this area is the Guidelines for the Management of IT Security . This guideline identifies the elements critical to security and the processes for their management. The guideline can be of use to the developers of standards to ensure that the elements and data that security requires are available. This assists implementors in ensuring that all the elements are appropriately addressed for their environment.

Security Evaluation Criteria

The security evaluation criteria activity is of considerable importance. Currently there are a number of different sets of evaluation criteria in different countries. Without intergovernmental agreements to accept other governments' criteria, an evaluation of a product would have to be repeated. The ISO evaluation criteria work is attempting to resolve this situation with an internationally determined set of functions, dependencies, and assurance scales. This work is still in the early stages and is expected to take two to three years to complete. After its completion, these evaluation criteria should make the international purchasing and integration of security products considerably easier.

Security Mechanisms

The area of security mechanisms covers a considerable number of topics. To an extent, this area relates to the use of cryptographic techniques to address such aspects as the integrity of information, authenticity, repudiation, authentication of entities, and confidentiality. These sets of standards are of considerable importance in a distributed and networked environment. The ability to achieve these functions for electronic commerce is vital.

Problems and Potential Resolutions

There is wide diversity in the level of knowledge about information security standards. Some organizations are very aware and make extensive use of standards. Others appear to have little knowledge or awareness of standards.

Many standards, particularly international ones, are very broad and permit several options. They do not contain an explanation of their intended use. Two products, both compliant with the standard, may not be compatible. As noted, this is a result of the consensus process. In addition, some standards (e.g., the Open Systems Interconnection Security Architecture, IS ) are designed to allow the user of the standard to select from among several options. The US and UK governments' open systems interconnection profiles (GOSIPs) reduce the number of options available but still allow some selection by the ultimate user of the standard. One partial resolution is to include a section explaining their intended use; another is the development of international standards profiles, which permit fewer options.

Standards are often hard to read and very technical. This perhaps stems more from a lack of understanding on the part of the user, because standards, for the most part, are intended for the implementor.

Another criticism is that there is a lack of guidelines for the implementation of standards. To develop a guideline for every individual standard would be an enormous task and would considerably slow the standards development process. Producing guidelines for areas of concern or groups of standards is perhaps a more manageable task. It is a requirement that the international and national standards-writing bodies have recognized and are moving to address. The process to be followed is still performed by consensus, and thus the development may be prolonged. However, the process of developing guidelines is somewhat less formal and, therefore, development should not take as long as that for developing standards.

Another comment that is often heard from the commercial sector is that the majority of standards for security are written in language that is more appropriate to the military and high-security disciplines. It should be pointed out that the majority of funds allocated to research and standards-writing activities have been provided by military and intelligence groups, directly or indirectly. It is probably inevitable that the results appear to be for those fields. If the commercial areas want standards and research that are more appropriate to their needs, they must invest in the research that is needed.

The final comment most frequently heard is that standards development is slow and lags behind industry development. The slow process is recognized by those involved in standards development, and every effort is made to reduce unnecessary delay. Beyond this, the only resolution is to have greater participation in and commitment to standards development. As has been discussed, the consensus nature of the process inevitably causes delay. In addition, the voluntary nature of the process means that it is very dependent on the participants' level of commitment to standardization.

Conclusion

Standards are necessary to ensure that proper communication occurs between systems. Security standards provide a common basis for the protection and management of information exchange. Many groups can be involved in the development of standards; therefore, the development process can be slow. Although trends in improving development and implementation are occurring, all standards development processes have imperfections. In many cases, resolution of the problems can be achieved within the organization implementing the standards by following the suggestions presented in this article. To facilitate standards development, it is important that a wide cross-section of the community becomes involved in the process. This ensures that all parties using the standards are properly represented.

Author Biographies

John P. Hopkinson, ISP, CDRP, is a security architect for T-Base Research and Development Inc. in Ottawa, Canada.


More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Electronic Commerce and Competition (October 2000)

Electronic Commerce and Competition (October 2000) Office of Economic Competition Electronic Commerce and Competition (October 2000) 1. Introduction The competition policy approach towards electronic commerce - as the market is in continuous change - is

More information

How To Protect Your Brand From Harm

How To Protect Your Brand From Harm Defining a Global Brand Protection Program by an Effective Corporate Strategy and Corresponding Infrastructure Rudy Diaz Chief Operating Officer PICA Corporation September 23, 2010 PICA Corporation 551

More information

Draft WGIG Issues Paper on E-Commerce

Draft WGIG Issues Paper on E-Commerce Draft WGIG Issues Paper on E-Commerce This paper is a 'draft working paper' reflecting the preliminary findings of the drafting team. It has been subject to review by all WGIG members, but it does not

More information

ISO/IEC 90003:2004 covers all aspects

ISO/IEC 90003:2004 covers all aspects Huge potential user base for ISO/IEC 90003 the state of the art for improving quality in software engineering ISO/IEC 90003:2004, Software engineering Guidelines for the application of ISO 9001: 2000 to

More information

Using ISO 9001 or ISO 14001 to Gain a Competitive Advantage

Using ISO 9001 or ISO 14001 to Gain a Competitive Advantage Using ISO 9001 or ISO 14001 to Gain a Competitive Advantage Spencer Hutchens Jr. Introduction To be competitive on both a national and a global basis, organizations must adopt a forward-thinking approach

More information

Certification for Information System Security Professional (CISSP)

Certification for Information System Security Professional (CISSP) Certification for Information System Security Professional (CISSP) The Art of Service Copyright Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by

More information

ENISA workshop on Security Certification of ICT products in Europe

ENISA workshop on Security Certification of ICT products in Europe ENISA workshop on Security Certification of ICT products in Europe Introduction On 16th of March 2016 ENISA organised a workshop aiming at bringing together stakeholders from the ICT security certification

More information

Canadian Anti-Spam Act Survey Bill C-28. May 2012

Canadian Anti-Spam Act Survey Bill C-28. May 2012 Canadian Anti-Spam Act Survey Bill C-28 May 2012 Executive Summary On December 22, 2010 the Canadian House of Commons passed Bill C-28, which aims to regulate unsolicited electronic commercial messages,

More information

Standards for Cyber Security

Standards for Cyber Security Best Practices in Computer Network Defense: Incident Detection and Response M.E. Hathaway (Ed.) IOS Press, 2014 2014 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-372-8-97 97

More information

The Business Benefits of Logging

The Business Benefits of Logging WHITEPAPER The Business Benefits of Logging Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 The Business Benefits of Logging 4 Security as

More information

Free and Open Source Software Compliance: An Operational Perspective

Free and Open Source Software Compliance: An Operational Perspective Free and Open Source Software Compliance: An Operational Perspective 95 Free and Open Source Software Compliance: An Operational Perspective Philip Koltun a Director of Open Compliance Program, The Linux

More information

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION ITU-T D.140 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/98) SERIES D: GENERAL TARIFF PRINCIPLES General tariff principles Charging and accounting in the international

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

Benchmark of controls over IT activities. 2011 Report. ABC Ltd

Benchmark of controls over IT activities. 2011 Report. ABC Ltd www.pwc.com/cy Benchmark of controls over IT activities 2011 Report ABC Ltd... 2012 Scope and approach We wish to provide you with our IT Benchmarking report over IT activities at ABC Ltd (the Company)

More information

Effective Model Risk Management for Financial Institutions: The Six Critical Components

Effective Model Risk Management for Financial Institutions: The Six Critical Components January 2013 Effective Model Risk Management for Financial Institutions: The Six Critical Components A White Paper by Brookton N. Behm, John A. Epperson, and Arjun Kalra Audit Tax Advisory Risk Performance

More information

This IDC Retail Insights Perspective looks at the growing applicability of business intelligence and analytics for the wholesale industry.

This IDC Retail Insights Perspective looks at the growing applicability of business intelligence and analytics for the wholesale industry. The Growing Use of Business Intelligence and Analytics in Wholesale P E R S P E C T I V E # G R I 2 2 5 6 4 4 Simon D. Ellis Henry D. Morris IN THIS PERSPECTIVE This IDC Retail Insights Perspective looks

More information

The$Risks$of$Status$Quo$$ in$product$development$

The$Risks$of$Status$Quo$$ in$product$development$ The$Risks$of$Status$Quo$$ in$product$development$ Running$Lean,$Responsive$and$Secure$with$PDM$ Published*by:* $Some$believe$that$product$development$ improvements$have$little$impact$$ It's a perception

More information

Telecom Industry Services. Change Management Process

Telecom Industry Services. Change Management Process FINAL 5 / 22 / 98 Telecom Industry Services Change Management Process 1 FINAL 5 / 22 / 98 TABLE OF CONTENTS INTRODUCTION 3 BELL ATLANTIC CHANGE CONTROL ORGANIZATION STRUCTURE 4 TERMS AND DEFINITIONS Overview

More information

THE IMPACTS OF BREACHES

THE IMPACTS OF BREACHES THE IMPACTS OF BREACHES DR. BRANDEN R. WILLIAMS & MAC A SURVEY OF MAC MEMBERS ON THE REALITIES OF DATA BREACHES CONTENTS INTRODUCTION AND METHODOLOGY... 4 ASSUMPTIONS AND LIMITATIONS... 4 KEY FINDINGS...

More information

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

More information

Global Business Services and the Global Payroll Function

Global Business Services and the Global Payroll Function GLOBAL PAYROLL BENCHMARKING STUDY UPDATE By Karen Beaman, Jeitosa Group International Introduction Shared Services delivery models have continued to expand and mature in recent years as organizations look

More information

The Benefits of Accreditation for Developing Countries

The Benefits of Accreditation for Developing Countries The Benefits of Accreditation for Developing Countries Background /Context: Nature and Scope of Paper: All or most developed countries currently enjoy the trade benefits which flow from national accreditation

More information

Securing Internet Payments. The current regulatory state of play

Securing Internet Payments. The current regulatory state of play Securing Internet Payments The current regulatory state of play In recent years the European Union (EU) institutions have shown a growing interest on the security of electronic payments. This interest

More information

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY,

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY, COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY, 28-29 JUNE 2011 The Seoul Declaration on the Future of the Internet Economy adopted at the 2008 OECD

More information

T1M1: Management Plane Security Standard (T1.276)

T1M1: Management Plane Security Standard (T1.276) T1M1/2003-039 R3 July 9, 2003 T1M1: Management Plane Security Standard (T1.276) Presentation Contributors and Liaison Representatives: Mike Fargano - T1M1 Chair, michael.fargano@qwest.com Jim Stanco -

More information

This is a preview - click here to buy the full publication TECHNICAL REPORT INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL

This is a preview - click here to buy the full publication TECHNICAL REPORT INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL TECHNICAL REPORT ISO/IEC TR 15067-4 First edition 2001-06 INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL Part 4: Security system for HES ISO/IEC 2001 All rights reserved. Unless

More information

WHITE PAPER APRIL 2012. Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives

WHITE PAPER APRIL 2012. Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives WHITE PAPER APRIL 2012 Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives New healthcare reforms have created an unprecedented impact on hospital systems operations.

More information

Managing Successful Software Development Projects Mike Thibado 12/28/05

Managing Successful Software Development Projects Mike Thibado 12/28/05 Managing Successful Software Development Projects Mike Thibado 12/28/05 Copyright 2006, Ambient Consulting Table of Contents EXECUTIVE OVERVIEW...3 STATEMENT OF WORK DOCUMENT...4 REQUIREMENTS CHANGE PROCEDURE...5

More information

What is ISO 9001 and should i care? SAFER, SMARTER, GREENER

What is ISO 9001 and should i care? SAFER, SMARTER, GREENER What is ISO 9001 and should i care? SAFER, SMARTER, GREENER 02 THE ROLE OF STANDARDS What is ISO 9001 and should I care? The Role of Standards The objective of any standard, whether it relates to the manufacture

More information

Figure 2: DAMA Publications

Figure 2: DAMA Publications Steve Hawtin, Schlumberger Information Solutions 14 th Petroleum Data Integration, Information & Data Management Conference The effective management of Exploration and Production (E&P) data has a major

More information

Outsourcing Life Cycle: Integrating DMAIC Controls. WCQI Concurrent Session: M09 Monday May 21, 1:30 2:30 PM Presenter: Daniel Zrymiak

Outsourcing Life Cycle: Integrating DMAIC Controls. WCQI Concurrent Session: M09 Monday May 21, 1:30 2:30 PM Presenter: Daniel Zrymiak Outsourcing Life Cycle: Integrating DMAIC Controls WCQI Concurrent Session: M09 Monday May 21, 1:30 2:30 PM Presenter: Daniel Zrymiak Introduction This presentation combines knowledge of an Outsourcing

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

April 2, 2015. Re: Comments on Connected Health and Care for the Nation. Dear Dr. DeSalvo:

April 2, 2015. Re: Comments on Connected Health and Care for the Nation. Dear Dr. DeSalvo: April 2, 2015 Karen DeSalvo M.D. National Coordinator for Health Information Technology Department of Health and Human Services 200 Independence Ave, S.W., Suite 729D Washington, DC 20201 Re: Comments

More information

ETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things

ETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things ETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things November 2008 Executive Summary The Internet of the future

More information

MSC Security Program Security in the Logistics Supply Chain

MSC Security Program Security in the Logistics Supply Chain Maritime Security Council L MSC Security Program Security in the Logistics Supply Chain First Hemispheric Convention on Port Logistics and Competitiveness Ixtapa-Zihuatanejo November 3-5, 2010 Talking

More information

An Overview of the ANSI/ASA Standards Program

An Overview of the ANSI/ASA Standards Program An Overview of the ANSI/ASA Standards Program Christopher J. Struck a) CJS Labs - San Francisco, CA 94114 - USA Acoustical Society of America - Melville, NY 11747 - USA An overview of the standards program

More information

Strengths and Weaknesses of Cybersecurity Standards

Strengths and Weaknesses of Cybersecurity Standards Strengths and Weaknesses of Cybersecurity Standards Bart Preneel COSIC KU Leuven and iminds, Belgium firstname.lastname@esat.kuleuven.be April 7, 2014 Bart Preneel 1 What is cybersecurity? Liddell and

More information

Achieving Security through Compliance

Achieving Security through Compliance Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3

More information

SECTION.0100 - GENERAL ADMINISTRATION

SECTION.0100 - GENERAL ADMINISTRATION 1 1 1 1 1 1 0 1 0 1 SECTION.00 - GENERAL ADMINISTRATION.01 HOW TO CONTACT THE ELECTRONIC COMMERCE SECTION The North Carolina Department of the Secretary of State administers the Electronic Commerce Act.

More information

Getting a Better Framework Accountability and the objective. Bulletin

Getting a Better Framework Accountability and the objective. Bulletin Accountability and the objective of financial reporting Bulletin sept 2013 2013 European Financial Reporting Advisory Group (EFRAG), the French Autorité des Normes Comptables (ANC), the Accounting Standards

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

PowerKey Conditional Access System Phase 1.0. System Overview. Revision 1.0

PowerKey Conditional Access System Phase 1.0. System Overview. Revision 1.0 PowerKey Conditional Access System Phase 1.0 System Overview Revision 1.0 Scientific-Atlanta, Inc, Unpublished Works of Scientific-Atlanta, Inc. Copyright 1997 Scientific-Atlanta, Inc. All Rights Reserved

More information

This document is a preview generated by EVS

This document is a preview generated by EVS INTERNATIONAL STANDARD ISO/IEC 29180 First edition 2012-12-01 Information technology Telecommunications and information exchange between systems Security framework for ubiquitous sensor networks Technologies

More information

GAO CRITICAL INFRASTRUCTURE PROTECTION. Significant Challenges in Developing Analysis, Warning, and Response Capabilities.

GAO CRITICAL INFRASTRUCTURE PROTECTION. Significant Challenges in Developing Analysis, Warning, and Response Capabilities. GAO United States General Accounting Office Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release on Delivery Expected

More information

General Terms and Conditions of the Netherlands Association of Interpreters and Translators for Translation Work

General Terms and Conditions of the Netherlands Association of Interpreters and Translators for Translation Work General Terms and Conditions of the Netherlands Association of Interpreters and Translators for Translation Work Definitions Client Contract (of Work) Translator 1) The natural or legal person who has

More information

Improving Performance by Breaking Down Organizational Silos. Understanding Organizational Barriers

Improving Performance by Breaking Down Organizational Silos. Understanding Organizational Barriers Select Strategy www.selectstrategy.com 1 877 HR ASSET 1 877 472 7738 Improving Performance by Breaking Down Organizational Silos Understanding Organizational Barriers Restructuring initiatives have become

More information

How a Cloud Service Provider Can Offer Adequate Security to its Customers

How a Cloud Service Provider Can Offer Adequate Security to its Customers royal holloway s, How a Cloud Service Provider Can Offer Adequate Security to its Customers What security assurances can cloud service providers give their customers? This article examines whether current

More information

ICC RESOURCE GUIDE FOR SELF-REGULATION OF ONLINE BEHAVIOURAL ADVERTISING (OBA)

ICC RESOURCE GUIDE FOR SELF-REGULATION OF ONLINE BEHAVIOURAL ADVERTISING (OBA) ICC RESOURCE GUIDE FOR SELF-REGULATION OF ONLINE BEHAVIOURAL ADVERTISING (OBA) Highlights Explanation of global framework available for OBA self-regulation Checklist from existing OBA self-regulatory mechanisms

More information

Understanding the Software Contracts Process

Understanding the Software Contracts Process Understanding the Software Contracts Process By John Seidl, Partner Tompkins Associates More and more often, companies are purchasing supply chain software from commercial software vendors rather than

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD ISO/IEC 14543-4-2 INTERNATIONAL STANDARD Edition 1.0 2008-05 Information technology Home electronic system (HES) architecture Part 4-2: Communication layers Transport, network and general parts of data

More information

The Journey to the Cloud for Life Sciences Content Management

The Journey to the Cloud for Life Sciences Content Management The Journey to the Cloud for Life Sciences Content Management Part 1: Industry Forces and Cloud Adoption complies with ISO 20252 Page Table of Contents Executive Summary 2 Industry Forces in Conflict 3

More information

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co.

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ 0844 586 0040 intouch@digitalpathways.co.uk Security Services Menu has a full range of Security Services, some of which are also offered as a fully

More information

Corporate Program. Consensus WE BUILD IT. Giving Industry a Direct Voice in the IEEE Standards Association

Corporate Program. Consensus WE BUILD IT. Giving Industry a Direct Voice in the IEEE Standards Association Corporate Program Giving Industry a Direct Voice in the IEEE Standards Association Consensus WE BUILD IT. 445 Hoes Lane, Piscataway, NJ 08854 USA standards.ieee.org Tel. +1 732-981-0060 Fax +1 732-562-1571

More information

Service assurance for communications service providers White paper. Improve service quality and enhance the customer experience.

Service assurance for communications service providers White paper. Improve service quality and enhance the customer experience. Service assurance for communications service providers White paper Improve service quality and enhance the customer experience. December 2007 2 Contents 2 Overview 2 Move to a competitive business model

More information

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances ACL WHITEPAPER Automating Fraud Detection: The Essential Guide John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances Contents EXECUTIVE SUMMARY..................................................................3

More information