Slide 1: Recent Developments in ISO Security Standardization and JTC 1/SC 27
Walter Fumy, SC 27 Chairman
9th ETSI Security Workshop, Sophia Antipolis, January 2014

Slide 2: Agenda
ISO level
- Alignment of Management System Standards (MSS)
- New Security Coordination Initiative
SC 27 level
- WG 1: New editions of ISO/IEC & ISO/IEC
- WG 2: Advanced Crypto Techniques; Intentional Weaknesses in Crypto Standards?
- WG 3, WG 4, WG 5 (Session 4)
- Collaboration with ETSI
Slide 3: ISO Management System Standards (MSS)
- ISO 9001, Quality systems - Model for quality assurance in design/development, production, installation and servicing, was published in December 1987.
- Since then the range of ISO management system standards has expanded from environment (1996) through to security (2000) and business continuity (2012).
- Many companies use more than one management system standard. To make this easier, ISO has decided that all MSSs should have the same structure and contain many of the same terms and definitions. This will make the standards easier and cheaper to use, and help auditors.
- All ISO management system standards are based on the principle of continual improvement (aka PDCA).
- Audits are a vital part of ISO's management system approach, as they enable an organization to check how far its achievements meet its objectives. ISO 19011:2011 provides specific guidance on internal and external management system audits.
- Accredited ISO MSS certifications approach 1.5 million per year.

Slide 4: ISO Survey 2012
- ISO does not perform certification; organizations looking to get certified to an ISO standard must contact an independent certification body.
- The ISO Survey counts certificates issued by certification bodies that have been accredited by members of the International Accreditation Forum (IAF).
- The ISO Survey 2012 shows a significant increase in certificates for ISO (information security, +13%), ISO (food safety management, +20%) and for energy management (ISO 50001, +332%).
- At least ISO/IEC 27001:2005 certificates issued in 103 countries; top three countries for the number of certificates: Japan, UK and India; top three for growth in 2012: Romania, Japan and China.
Slide 5: Annex SL of the Consolidated ISO Supplement of the ISO/IEC Directives
- All ISO technical work, including the development of standards, is carried out under the overall management of the Technical Management Board (TMB).
- ISO/TMB *) has produced Annex SL with the objective of delivering consistent and compatible MSSs.
- Annex SL (previously ISO Guide 83) defines the framework for a generic ISO management system standard.
- All new ISO MSS have to adhere to this framework, and all current ISO MSS will migrate at their next revision.
- In future all ISO MSS should be consistent and compatible; they should all have the same look and feel.
- For management system auditors, it will mean that for all audits there will be a core set of generic requirements that need to be addressed, no matter which discipline. This could be the beginning of the end of the conflicts, duplication, confusion and misunderstanding from different ISO MSS.
- MSS writers can concentrate their development efforts on the discipline-specific requirements of their MSS.
*) via its Joint Technical Coordination Group on MSS

Slide 6: ISO MSS use of Annex SL - current status of harmonization (examples)
Published:
- ISO 22301:2012, Societal security - Business continuity management systems - Requirements (deviation on definition of "risk")
- ISO 22313:2012, Societal security - Business continuity management systems - Guidance
- ISO 39001:2012, Road-traffic safety management systems - Requirements with guidance for use
- ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements
Under development / in revision:
- ISO 34001, Security management system - Requirements
- ISO 14001, Environmental management systems - Requirements with guidance for use
- ISO 9001, Quality management systems - Requirements
Slide 7: (figure only; marked Internal/Confidential; source: ISO Security Forum, October)

Slide 8: (figure only; marked Internal/Confidential; source: ISO Security Forum, October)

Slide 9: ISO Security Forum, October 2013
Recommendation to the Technical Management Board (TMB): establishment of a Joint Technical Coordination Group for the security sector (JTCG-Security), with terms of reference to include:
- Share experiences, challenges and opportunities for collaboration and harmonization across work items, and harmonize existing projects where appropriate
- Harmonize terms and definitions, including the definition of "security"
- Identify gaps in security standardization activities and resulting opportunities
- Avoid overlap and duplication
- Review the TC/SC structure and scopes and propose modifications as appropriate for TMB approval
- Provide advice to ISO committees and groups on security-related issues
- Promote ISO security-related activities (communications function)
- Develop a vision for security-related activities, and organize a bi-annual (depending on length of term) security conference
Slide 10: JTC 1/SC 27 IT Security Techniques - Mission & Scope
SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Information Security Management Systems (ISMS), requirements, controls and conformance assessment, accreditation and auditing requirements in the area of information security;
- Cryptographic mechanisms;
- Security evaluation criteria and methodology;
- Security services;
- Security aspects of identity management, biometrics and privacy.

Slide 11: JTC 1/SC 27 IT Security Techniques - Organization
ISO/IEC JTC 1/SC 27, IT Security techniques
- Chair: Mr. W. Fumy
- Vice-Chair: Ms. M. De Soete
- SC 27 Secretariat: DIN, Ms. K. Passia
Working groups and conveners:
- Working Group 1, Information security management systems - Convener: Mr. T. Humphreys
- Working Group 2, Cryptography and security mechanisms - Convener: Mr. T. Chikazawa
- Working Group 3, Security evaluation, testing and specification - Convener: Mr. M. Bañón
- Working Group 4, Security controls and services - Convener: Mr. J. Amsenga
- Working Group 5, Identity management and privacy technologies - Convener: Mr. K. Rannenberg

Slide 12: Projects - Facts & Figures
Projects:
- Total no. of projects: 206
- No. of active projects: 79 (11 new projects in 2013)
- Published standards: 130 (22 publications in 2013)
Standing Documents:
- SD6 Glossary of IT Security terminology
- SD7 Catalogue of SC 27 Projects and Standards
- SD11 Overview of SC 27
- SD12 Assessment of cryptographic algorithms and key lengths
More information: al_committee.htm?commid=
Slide 13: Recent Publications (1/2)
- ISO/IEC TR 15443, Security assurance framework - Part 1: Introduction and concepts (2nd ed.); Part 2: Analysis (2nd ed.)
- ISO/IEC 27000, Information security management systems - Overview and vocabulary (3rd ed.)
- ISO/IEC 27001, Information security management systems - Requirements (2nd ed.)
- ISO/IEC 27002, Code of practice for information security management (2nd ed.)
- ISO/IEC 27014 | ITU-T Recommendation X.1054, Governance of information security
- ISO/IEC TR 27015, Information security management guidelines for financial services
- ISO/IEC TR 27019, Information security management guidelines based on ISO/IEC for process control systems specific to the energy industry
- ISO/IEC 27033, Network security - Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
- ISO/IEC 27036, Information security for supplier relationships - Part 1: Overview and concepts; Part 3: Guidelines for information and communication technology supply chain security

Slide 14: Recent Publications (2/2)
- ISO/IEC 27037, Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 20008, Anonymous digital signatures - Part 1: General; Part 2: Mechanisms using a group public key
- ISO/IEC 20009, Anonymous entity authentication - Part 1: General; Part 2: Mechanisms based on signatures using a group public key
- ISO/IEC 29192, Lightweight cryptography - Part 4: Mechanisms using asymmetric techniques
- ISO/IEC 29101, Privacy architecture framework
- ISO/IEC 29115, Entity authentication assurance framework
- ISO/IEC 29191, Requirements for partially anonymous, partially unlinkable authentication
- ISO/IEC 30111, Vulnerability handling processes
Slide 15: ISO/IEC ISMS Requirements
ISO/IEC 27001:2013
- is a certification and auditable standard
- is based on a mandatory risk-based approach
- aims at achieving effective information security through a continual improvement process (PDCA model)
- uses the same management systems process model as ISO 9001 (QMS) and ISO (EMS)
- is aligned with Annex SL
History: ISO/IEC 27001:2005 was a revised version of BS 7799 Part 2; 2nd edition of ISO/IEC 27001:

Slide 16: ISO/IEC 27001:2013 - Major benefits of the new edition
- ISO/IEC 27001:2013 takes into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005.
- It provides a more flexible, streamlined approach, which should lead to more effective risk management.
- Improvements to the security controls listed in Annex A ensure that the standard remains current and is able to deal with today's risks, namely identity theft, risks related to mobile devices and other online vulnerabilities.
- ISO/IEC 27001:2013 fits the new high-level structure used in all ISO management system standards (Annex SL); integration with other management systems becomes an easy option.

Slide 17: ISO/IEC Code of practice for information security management
- ISO/IEC is a catalogue of best practices, not a certification or auditable standard
- based on BS
- 1st edition: ISO/IEC 17799
- 2nd edition: ISO/IEC 17799:2005, renumbered as ISO/IEC 27002:2005
- 3rd edition of ISO/IEC published
ogue_tc_browse.htm?commid=45306
Control clauses:
- Security policies
- Organisation of information security
- Human resources security
- Asset management
- Access control
- Cryptography
- Physical & environmental security
- Operations security
- Communications security
- Systems acquisition, development & maintenance
- Supplier relationships
- Security incident management
- Business continuity management
- Compliance
Slide 18: SC 27/WG 1 - ISMS Family of Standards
- IS: ISMS Requirements
Supporting Guidelines:
- IS: ISMS Overview and vocabulary
- IS: Code of practice
- IS: ISMS Implementation guidance
- IS: Information security management measurement
- IS: Information security risk management
Accreditation Requirements and Auditing Guidelines:
- IS: Accreditation requirements
- IS: ISMS Auditing guidelines
- TR: ISMS Guide for auditors on ISMS controls
- WD: Use and application of for sector-specific 3rd party certifications
Sector Specific Requirements and Guidelines:
- IS: ISMS for inter-sector communications
- IS | ITU-T X.1051: Telecom sector ISMS guidelines based on
- TR: ISMS guidelines for financial services
- TR: Energy industry ISMS guidelines based on
- CD: Code of practice for cloud computing services based on

Slide 19: SC 27/WG 2 - Cryptography and Security Mechanisms
Cryptographic Protocols:
- Entity Authentication (IS 9798)
- Key Management (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
Message Authentication:
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Check Character Systems (IS 7064)
Digital Signatures:
- Signatures giving Message Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
Encryption & Modes of Operation:
- Modes of Operation (IS 10116)
- Authenticated Encryption (IS 19772)
- Encryption (IS 18033)
Parameter Generation:
- Random Bit Generation (IS 18031)
- Prime Number Generation (IS 18032)
Further mechanisms:
- ECC Techniques (IS 15946)
- Lightweight Crypto (IS 29192)
- Biometric Template Protection (IS 24745)
Slide 20: ISO/IEC Lightweight Cryptography
- ISO/IEC : General, 1st edition 2012
- ISO/IEC : Block ciphers, 1st edition
  - -bit block cipher PRESENT (key size 80 or 128 bits)
  - 128-bit block cipher CLEFIA (key size 128, 192 or 256 bits)
- ISO/IEC : Stream ciphers, 1st edition 2012
  - Enocoro (key size 80 or 128 bits)
  - Trivium (key size 80 bits)
- ISO/IEC : Mechanisms using asymmetric techniques, 1st edition 2013
  - identification scheme cryptoGPS
  - authentication and key exchange mechanism ALIKE (Authenticated Lightweight Key Exchange, pka SPAKE)
  - ID-based signature scheme IBS
- ISO/IEC : Hash-functions, WD

Slide 21: Advanced Crypto Techniques
SC 27/WG 2 also includes:
- ISO/IEC Encryption algorithms - Part 5: Identity-based ciphers (status: CD)
- ISO/IEC Blind digital signatures - Part 1: General (WD); Part 2: Discrete logarithm based mechanisms (WD)
- ISO/IEC Anonymous digital signatures - Part 1: General (2013); Part 2: Mechanisms using a group public key (2013)
- ISO/IEC Anonymous entity authentication - Part 1: General (2013); Part 2: Mechanisms based on signatures using a group public key (2013); Part 3: Mechanisms based on blind signatures (WD); Part 4: Mechanisms based on weak secrets (WD)
WG 2 Study Periods include:
- Homomorphic encryption schemes
- Homomorphic secret sharing schemes
- Broadcast encryption
Slide 22: Intentional Weaknesses in Crypto Standards? - Discussion in the Media
In recent weeks there has been much discussion in both the press and in academic circles regarding intentional weaknesses in crypto standards.
Press quotes:
- "The agency has influenced the international standards upon which encryption systems rely."
- "NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document [provided by Edward Snowden]. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in [...]. Eventually, NSA became the sole editor, the document states."

Slide 23: Dealing with Encryption
To deal with encryption, agencies may:
- work with security product vendors to subvert the underlying cryptography, e.g. make the random number generator less random, thus reducing effective key lengths
- implant backdoors which leak the key somehow
- work with standards bodies to promote weak algorithms
- leverage secret mathematical breakthroughs
- construct quantum computers

Slide 24: Dual_EC_DRBG - Flawed Deterministic Random Bit Generation
- NIST Special Publication :2006 includes four different algorithms called deterministic random bit generators, or DRBGs.
- Documents provided by Edward Snowden indicate the NSA played a crucial role in writing NIST SP .
- Possible weaknesses were identified in one of the algorithms specified, the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) scheme.
- NIST has recommended that Dual_EC_DRBG should not be used: "Concern has been expressed about one of the DRBG algorithms in SP /90A and ANS X9.82: the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm. This algorithm includes default elliptic curve points for three elliptic curves [...], recent community commentary has called into question the trustworthiness of these default elliptic curve points."
- Dual_EC_DRBG is also specified in ANS X9.82 and in the current (2011) edition of ISO/IEC 18031: Random bit generation.
- Dual_EC_DRBG is included in many cryptographic libraries (e.g., offered by Microsoft, Cisco, Symantec and RSA).
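The NIST note quoted on this slide is about the provenance of the default points, and slide 23's "make the random number generator less random" is the same concern seen from the other side. The Python block below is an added example, not part of the presentation: a Dual_EC_DRBG-style generator on a constructed toy curve (the prime 1019, the curve y^2 = x^3 + 2x + 3, the seeds and the secret d are all made up; the real NIST curves and points are not used, and the output is not truncated as the real scheme's is). It shows why the relation between P and Q is the whole question: a designer who set Q = d*P and kept d can predict the generator's next output from a single output, whereas a Q derived from a public seed by try-and-increment hashing leaves no one with such a scalar. The function names dual_ec_step, trapdoor_setup, trapdoor_predict and verifiable_point are this example's own.

```python
# Added example (not from the presentation): toy Dual_EC_DRBG-style generator on a
# tiny curve. Prime, curve, seeds and the secret d are constructed for illustration;
# the real NIST curves/points are NOT used and outputs are not truncated.
import hashlib
import math

PRIME = 1019            # PRIME % 4 == 3, so sqrt(v) = v^((PRIME+1)/4) mod PRIME
A, B = 2, 3             # curve y^2 = x^3 + A*x + B over GF(PRIME); constructed

def is_on_curve(pt):
    if pt is None:                      # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % PRIME == 0

def add(p1, p2):
    """Affine point addition with the usual special cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                     # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def xcoord(pt):
    return 0 if pt is None else pt[0]

def lift_x(x):
    """Recover a point with x-coordinate x (either sign of y), or None."""
    v = (x ** 3 + A * x + B) % PRIME
    y = pow(v, (PRIME + 1) // 4, PRIME)
    return (x, y) if (y * y) % PRIME == v else None

def curve_order():
    """Count points by brute force; cheap for a toy prime."""
    n = 1                               # the point at infinity
    for x in range(PRIME):
        v = (x ** 3 + A * x + B) % PRIME
        if v == 0:
            n += 1
        elif pow(v, (PRIME - 1) // 2, PRIME) == 1:
            n += 2
    return n

def verifiable_point(seed):
    """Try-and-increment hash-to-curve: the point is pinned to a public seed, so
    whoever publishes it cannot also know a scalar relating it to P."""
    ctr = 0
    while True:
        h = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(h, "big") % PRIME)
        if pt is not None and pt[1] != 0:
            return pt
        ctr += 1

def dual_ec_step(state, P, Q):
    """One Dual_EC_DRBG-style step: s_i = x(s_{i-1}*P), output = x(s_i*Q)."""
    s = xcoord(mul(state, P))
    return s, xcoord(mul(s, Q))

def trapdoor_setup(P, d):
    """A dishonest designer picks Q = d*P and keeps e = d^-1, so that P = e*Q."""
    n = curve_order()
    while math.gcd(d, n) != 1:
        d += 1
    return mul(d, P), pow(d, -1, n)

def trapdoor_predict(output, e, P, Q):
    """Holder of e recovers the next state from one (untruncated) output."""
    R = lift_x(output)                  # R = +/- s_i*Q
    next_state = xcoord(mul(e, R))      # e*(s_i*Q) = s_i*P, whose x is s_{i+1}
    return xcoord(mul(next_state, Q))   # = the generator's next output

def demo():
    P = verifiable_point(b"toy base point P")
    Q_bad, e = trapdoor_setup(P, 77)    # Q_bad looks like any other curve point
    s1, out1 = dual_ec_step(12345, P, Q_bad)   # 12345: constructed seed state
    s2, out2 = dual_ec_step(s1, P, Q_bad)
    Q_ok = verifiable_point(b"public seed for Q")   # anyone can re-derive it
    return {"predicted": trapdoor_predict(out1, e, P, Q_bad),
            "actual": out2, "Q_ok_on_curve": is_on_curve(Q_ok)}
```

demo() returns matching "predicted" and "actual" values for the trapdoored Q. The point for a defender is the one the slides make: a parameter whose derivation cannot be reproduced is a trust assumption on its author, and seed-derived ("nothing up my sleeve") generation is the standard way to remove that assumption, while the untruncated output here only makes the dependence on Q's provenance easier to see.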
Slide 25: Way Forward
ISO/IEC
- Cautionary note on the use of Dual_EC_DRBG
- Study Period initiated to carefully review the security issues for Dual_EC_DRBG and to revise ISO/IEC as appropriate. The Study Period will further analyse whether other mechanisms in this standard are affected.
General
- Always ensure a sufficient amount of independent cryptographic research.
- Fight a general mistrust in NIST proposals; do not forget NIST has done a great job with cryptographic competitions, both a decade ago with the AES and recently with SHA-3.
- ISO can (and should) play a vital role in the restoration of trust in cryptography and cryptographic security, because ISO provides an open, free and independent framework for assessing the security of cryptographic mechanisms.

Slide 26: 20+3 Years of SC 27 - and the tour continues
- April 7-15, 2014: Hong Kong, China (WGs and Plenary)
- Oct 20-24, 2014: Mexico City, Mexico (WGs)
- May 4-12, 2015: Kuching, Malaysia (WGs and Plenary)
- Oct 26-30, 2015: Jaipur, India (WGs)

Slide 27: Collaboration with ETSI
- April 2013: Joint security workshop between ETSI and SC 27 to explore areas of mutual interest and future collaboration.
- The workshop identified 12 specific areas for potential collaboration and recommended establishing or continuing collaborative dialogues and/or liaisons to further cooperative working.
- Next coordination meeting: tonight
ETSI | SC 27 | Topic
TC M2M | WG 2 | use of SC 27 standards
TC M2M | WG 5 | privacy and identity management
TC ESI | WG 4 | trust services
TC ITS | WG 3 | trusted platforms
TC ITS | WG 1 | ISO/IEC for Trust Services
TC ITS | WG 5 | use of privacy and identity management frameworks
TC NTECH | WG 3 | design for assurance
TC NTECH | WG 5 | privacy
MTS | WG 3 | Cat C Liaison
ISG ISI | WG 4 | continued collaborative dialogue
ISG ISI | WG 1 | information security indicators and measurements
SAGE | WG 2 | cryptographic algorithms

Slide 28: Thank you for your attention!
More informationRandomized Hashing for Digital Signatures
NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department
More informationNEW SCHEME FOR THE INFORMATION SECURITY MANAGEMENT WITH ISO 27001:2013
NEW SCHEME FOR THE INFORMATION SECURITY MANAGEMENT WITH ISO 27001:2013 INTRODUCTION The Organization s tendency to implement and certificate multiple Managements Systems that hold up and align theirs IT
More informationETSI ETR 278 TECHNICAL March 1996 REPORT
ETSI ETR 278 TECHNICAL March 1996 REPORT Source: ETSI TC-SAGE Reference: DTR/SAGE-00014 ICS: 33.020 Key words: GSM, cipher algorithm Security Algorithms Group of Experts (SAGE); Report on the specification
More informationDo You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014
Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014 2 Today s Reality Is Deep & Complex Global ICT Supply Chains IT and Communications
More informationUnderstanding the New ISO Management System Requirements
Understanding the New ISO Management System Requirements Understanding the New ISO Management System Requirements Dr David Brewer First published in the UK in 2013 by BSI Standards Limited 389 Chiswick
More informationOFFICIAL SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT
SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT Version 1.3 Crown Copyright 2015 All Rights Reserved 49358431 Page 1 of 12 About this document This document describes the features, testing and deployment
More informationAn Introduction to Cryptography as Applied to the Smart Grid
An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric
More informationISO/IEC 20000 Part 1 the next edition. Lynda Cooper project editor for ISO20000 part 1
ISO/IEC 20000 Part 1 the next edition Lynda Cooper project editor for ISO20000 part 1 Agenda The ISO20000 series Why has it changed Changes ITIL3 impact New requirements Changed requirements How to prepare
More informationISO 9001:2015 Draft International Standard Overview
BUSINESS ASSURANCE ISO 9001:2015 Draft International Standard Overview A Survey of Proposed Changes to ISO 9001:2008 Burt Holm Northern District Sales Manager 1 SAFER, SMARTER, GREENER Who is DNV GL? Is
More informationStandard Big Data Architecture and Infrastructure
Standard Big Data Architecture and Infrastructure Wo Chang Digital Data Advisor Information Technology Laboratory (ITL) National Institute of Standards and Technology (NIST) wchang@nist.gov May 20, 2016
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More information(Draft) Transition Planning Guidance for ISO 9001:2015
ISO/TC 176/SC2 Document N1223, July 2014 (Draft) Transition Planning Guidance for ISO 9001:2015 ISO 9001 Quality management systems Requirements is currently being revised. The revision work has reached
More informationca IT Leaders Forum Working in the Cloud using the new ISO/IEC/ITU-T Cloud Computing Standards Dr David Ross, Chief Information Security Officer,
ca IT Leaders Forum Working in the Cloud using the new ISO/IEC/ITU-T Cloud Computing Standards Dr David Ross, Chief Information Security Officer, Bridge Point Communications David_Ross@bridgepoint.com.au
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationUsing Information Shield publications for ISO/IEC 27001 certification
Using Information Shield publications for ISO/IEC 27001 certification In this paper we discuss the role of information security policies within an information security management program, and how Information
More informationStandards for Identity & Authentication. Catherine J. Tilton 17 September 2014
Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationNational Accreditation Board for Certification Bodies. Accreditation Criteria
Accreditation Criteria for Medical devices - Quality management systems - for regulatory purposes Certification BCB 135 October 2012 Contents 0.0 Foreword 2 1.0 Scope 2 2.0 Criteria 2 3.0 Guidance on the
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationImplementation Guidance for ISO 9001:2015
International Organization for Standardization BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland Tel: +41 22 749 01 11, Web: www.iso.org Implementation Guidance for ISO 9001:2015
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationThe NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)
The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS) Updated: March 21, 2012 Previous Update: September 2, 2011 Original: March 10, 2009 Timothy A. Hall National Institute
More informationCertifying Information Security Management Systems
Certifying Information Security Management Systems Certifying Information Security Management Systems by Fiona Pattinson CISSP, CSDP July 2007 A brief discussion of the role of an information security
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationLatest in Cloud Computing Standards. Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems
Latest in Cloud Computing Standards Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems 1 Short Introduction CTO Security & Privacy, Hitachi Data Systems Involved
More informationSome 4 500 organizations implement ISO/IEC 27001. Information security INTERNATIONAL
Some 4 500 organizations implement ISO/IEC 27001 for information security The author reports on global progress in the implementation of the international information security management system standard
More informationIT Networks & Security CERT Luncheon Series: Cryptography
IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI
More informationMaintaining Herd Communication - Standards Used In IT And Cyber Security. Laura Kuiper
Maintaining Herd Communication - Standards Used In IT And Cyber Security Laura Kuiper So what is Cyber Security? According to ITU-T X.1205 Cybersecurity is the collection of tools, policies, security concepts,
More informationKey & Data Storage on Mobile Devices
Key & Data Storage on Mobile Devices Advanced Computer Networks 2015/2016 Johannes Feichtner johannes.feichtner@iaik.tugraz.at Outline Why is this topic so delicate? Keys & Key Management High-Level Cryptography
More informationSecurity Control Standard
Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the
More informationSP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter
SP 800-130 A Framework for Designing Cryptographic Key Management Systems 5/25/2012 Lunch and Learn Scott Shorter Topics Follows the Sections of SP 800-130 draft 2: Introduction Framework Basics Goals
More informationIs Your SSL Website and Mobile App Really Secure?
Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電
More informationBSI TR-03108-1: Secure E-Mail Transport. Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails
BSI TR-03108-1: Secure E-Mail Transport Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails Version: 1.0 Date: 05/12/2016 Document history Version Date Editor Description
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationCryptography and Network Security Chapter 12
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he
More information2014 IBM Corporation
2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session
More informationSelection and use of ISO 9000
Selection and use of ISO 9000 ISO in brief ISO is the International Organization for Standardization. It is made up of national standards institutes from countries large and small, industrialized and developing,
More informationCryptography and Network Security: Summary
Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for
More informationRevision of ISO 9001 Quality Management Systems Requirements
Revision of ISO 9001 Quality Management Systems Requirements Frequently Asked Questions When will the new ISO 9001 be published? The international standard ISO 9001:2008 Quality management systems Requirements
More informationIntegrated Information Management Systems
Integrated Information Management Systems Ludk Novák ludek.novak@anect.com ANECT a.s. Brno, Czech Republic Abstract The article tries to find consensus in these tree different types of the systems the
More information