Agenda ISO Level Alignment of Management System Standards (MSS) New Security Coordination Initiative SC 27 Level WG 1: New editions of ISO/IEC &

Transcription

1 Recent Developments in ISO Security Standardization and JTC 1/SC 27 Walter Fumy, SC 27 Chairman 9th ETSI Security Workshop Sophia Antipolis, January 2014

2 Agenda ISO Level Alignment of Management System Standards (MSS) New Security Coordination Initiative SC 27 Level WG 1: New editions of ISO/IEC & ISO/IEC WG 2: Advanced Crypto Techniques, Intentional Weaknesses in Crypto Standards? WG 3, WG 4, WG 5 ( Session 4) Collaboration with ETSI 2

3 ISO Management System Standards (MSS) ISO 9001 Quality systems - Model for quality assurance in design/development, production, installation and servicing was published in December 1987 Since then the range of ISO management system standards expanded from environment (1996) through to security (2000) and business continuity (2012) Many companies use more than one management system standard In order to make this easier, ISO has decided that all MSSs should have the same structure and contain many of the same terms and definitions. This will make it easier and cheaper to use the standards, and help auditors. All ISO's management system standards are based on the principle of continual improvement (aka PDCA). Audits are a vital part of ISO's management system approach as they enable an organization to check how far their achievements meet their objectives ISO 19011:2011 provides specific guidance on internal and external management system audits Accredited ISO MSS certifications approach 1.5 million per year 3

4 ISO Survey 2012 ISO does not perform certification organizations looking to get certified to an ISO standard must contact an independent certification body The ISO Survey counts certificates issued by certification bodies that have been accredited by members of the International Accreditation Forum (IAF) The ISO Survey 2012 shows a significant increase in certificates for ISO (information security, +13%), ISO (food safety management, +20%) and for energy management (ISO 50001, +332%) at least ISO/IEC 27001:2005 certificates issued in 103 countries top three countries for the number of certificates: Japan, UK and India top three for growth in 2012: Romania, Japan and China 4

5 Annex SL of the Consolidated ISO Supplement of the ISO/IEC Directives All ISO technical work, including the development of standards, is carried out under the overall management of the Technical Management Board (TMB). ISO/TMB *) has produced Annex SL with the objective of delivering consistent and compatible MSSs. Annex SL (previously ISO Guide 83) defines the framework for a generic ISO management system standard All new ISO MSS have to adhere to this framework and all current ISO MSS will migrate at their next revision In future all ISO MSS should be consistent and compatible - they should all have the same look and feel For management system auditors, it will mean that for all audits there will be a core set of generic requirements that need to be addressed, no matter which discipline. This could be the beginning of the end of the conflicts, duplication, confusion and misunderstanding from different ISO MSS MSS writers can concentrate their development efforts on the discipline-specific requirements of their MSS. *) via its Joint Technical Coordination Group on MSS 5

6 ISO MSS use of Annex SL Current status of harmonization (Examples) Published ISO 22301:2012, Societal security Business continuity management systems Requirements (deviation on definition of Risk ) ISO 22313:2012, Societal security Business continuity management systems Guidance ISO 39001:2012, Road-traffic safety management systems Requirements with guidance for use ISO/IEC 27001:2013, Information technology Security techniques Information security management systems Requirements Under development / in revision ISO 34001, Security management system Requirements ISO 14001, Environmental management systems Requirements with guidance for use ISO 9001, Quality management systems Requirements 6

7 Intern/Vertraulich Source: ISO Security Forum, October

8 Intern/Vertraulich Source: ISO Security Forum, October

9 ISO Security Forum, October 2013 Recommendation to the Technical Management Board (TMB) Establishment of a Joint Technical Coordination Group for the security sector (JTCG-Security) with terms of reference to include Share experiences, challenges, opportunities for collaboration and harmonization across work items and harmonize existing projects where appropriate Harmonize terms and definitions, including the definition of "security" Identify gaps in security standardization activities and resulting opportunities Avoid overlap and duplication Review the TC/SC structure and scopes and propose modifications as appropriate for TMB approval Provide advice to ISO committees and groups on security-related issues Promote ISO security-related activities (communications function) Develop a vision for security-related activities, and organize a bi-annual (depending on length of term) security conference 9

10 JTC 1/SC 27 IT Security Techniques Mission & Scope SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as: Information Security Management Systems (ISMS), requirements, controls and conformance assessment, accreditation and auditing requirements in the area of information security; Cryptographic mechanisms; Security evaluation criteria and methodology; Security services; Security aspects of identity management, biometrics and privacy. 10

11 JTC 1/SC 27 IT Security Techniques Organization ISO/IEC JTC 1/SC 27 IT Security techniques Chair: Mr. W. Fumy Vice-Chair: Ms. M. De Soete SC 27 Secretariat DIN Ms. K. Passia Working Group 1 Working Group 2 Working Group 3 Working Group 4 Working Group 5 Information security management systems Cryptography and security mechanisms Security evaluation, testing and specification Security controls and services Identity management and privacy technologies Convener Convener Convener Convener Convener Mr. T. Humphreys Mr. T. Chikazawa Mr. M. Bañón Mr. J. Amsenga Mr. K. Rannenberg

12 Projects Facts & Figures Projects Total no of projects: 206 No of active projects: 79 (11 new projects in 2013) Published standards: 130 (22 publications in 2013) Standing Documents SD6 Glossary of IT Security terminology ( SD7 Catalogue of SC 27 Projects and Standards ( SD11 Overview of SC 27 ( SD12 Assessment of cryptographic algorithms and key lengths ( ) More information al_committee.htm?commid=

13 Recent Publications (1/2) ISO/IEC TR 15443: Security assurance framework Part 1: Introduction and concepts (2 nd ed.) Part 2: Analysis (2 nd ed.) ISO/IEC 27000: Information security management systems Overview and vocabulary (3 rd ed.) ISO/IEC 27001: Information security management systems Requirements (2 nd ed.) ISO/IEC 27002: Code of practice for information security management (2 nd ed.) ITU-T Recommendation X.1054 ISO/IEC 27014: Governance of information security ISO/IEC TR 27015: Information security management guidelines for financial services ISO/IEC TR 27019: Information security management guidelines based on ISO/IEC for process control systems specific to the energy industry ISO/IEC 27033: Network security Part 5: Securing communications across networks using Virtual Private Networks (VPNs) ISO/IEC 27036: Information security for supplier relationships Part 1: Overview and concepts Part 3: Guidelines for information and communication technology supply chain security 13

14 Recent Publications (2/2) ISO/IEC 27037: Guidelines for identification, collection, acquisition and preservation of digital evidence ISO/IEC 20008: Anonymous digital signatures Part 1: General Part 2: Mechanisms using a group public key ISO/IEC 20009: Anonymous entity authentication Part 1: General Part 2: Mechanisms based on signatures using a group public key ISO/IEC 29192: Lightweight cryptography Part 4: Mechanisms using asymmetric techniques ISO/IEC 29101: Privacy architecture framework ISO/IEC 29115: Entity authentication assurance framework ISO/IEC 29191: Requirements for partially anonymous, partially unlinkable authentication ISO/IEC 30111: Vulnerability handling processes 14

15 ISO/IEC ISMS Requirements ISO/IEC 27001:2013 is a certification and auditable standard based on a mandatory risk based approach aims at achieving effective information security through continual improvement process (PDCA model) uses the same management systems process model as ISO 9001 (QMS) and ISO (EMS) aligned with Annex SL ISO/IEC 27001:2005 was a revised version of BS 7799 Part 2: nd edition of ISO/IEC 27001:

16 ISO/IEC 27001:2013 Major benefits of the new edition ISO/IEC 27001:2013 takes into account the experiences of users who have implemented, or sought certification to ISO/IEC 27001:2005 provides a more flexible, streamlined approach, which should lead to a more effective risk management improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today s risks, namely identity theft, risks related to mobile devices and other online vulnerabilities ISO/IEC 27001:2013 fits the new high-level structure used in all ISO management system standards (Annex SL) integration with other management systems becomes an easy option 16

17 ISO/IEC Code of practice for information security management ISO/IEC is a catalogue of best practices, not a certification or auditable standard based on BS : st edition ISO/IEC 17799: nd edition ISO/IEC 17799:2005 renumbered as ISO/IEC 27002:2005 in rd edition of ISO/IEC published ogue_tc_browse.htm?commid=45306 Security policies Organisation of information security Human resources security Asset management Access control Cryptography Physical & environmental security Operations security Communications security Systems acquisition, development & maintenance Supplier relationships Security incident management Business continuity management Compliance

18 SC 27/WG 1 ISMS Family of Standards IS ISMS Requirements IS ISMS Overview and vocabulary IS Code of practice IS ISMS Implementation guidance IS Information security mgt measurement IS Information security risk management Supporting Guidelines IS Accreditation requirements IS ISMS Auditing guidelines TR ISMS Guide for auditors on ISMS controls WD Use and application of for sector-specific 3 rd party certifications Accreditation Requirements and Auditing Guidelines IS ISMS for inter-sector communications IS / ITU-T X.1051 Telecom sector ISMS guidelines based on TR ISMS guidelines for financial and services TR Energy industry ISMS guidelines based on CD Code of practice for cloud computing services based on Sector Specific Requirements and Guidelines

19 SC 27/WG 2 Cryptography and Security Mechanisms Entity Authenticat ion (IS 9798) Key Mgt (IS 11770) Non- Cryptographic Repudiation Protocols (IS 13888) Time Stamping Services (IS 18014) Hash Functions (IS 10118) Message Authenticat ion Codes (IS 9797) Message Authentication Check Character Systems (IS 7064) ECC Techniques (IS 15946) Lightweight Crypto (IS 29192) Signatures giving Msg Recovery (IS 9796) Digital Signatures Signatures with Appendix (IS 14888) Biometric Template Protection (IS 24745) Authenticat Modes of Operation (IS 10116) ed Encryption & Modes of Operation Encryption (IS 19772) Encryption (IS 18033) Random Bit Generation Parameter Generation (IS 18031) Prime Number Generation (IS 18032)

20 ISO/IEC Lightweight Cryptography ISO/IEC : General, 1 st edition 2012 ISO/IEC : Block ciphers, 1 st edition bit block cipher PRESENT (key size 80 or 128 bits) 128-bit block cipher CLEFIA (key size 128, 192 or 256 bits) ISO/IEC : Stream ciphers, 1 st edition 2012 Enocoro (key size 80 or 128 bits) Trivium (key size 80 bits) ISO/IEC : Mechanisms using asymmetric techniques, 1 st edition 2013 identification scheme cryptogps authentication and key exchange mechanism ALIKE (Authenticated Lightweight Key Exchange pka SPAKE) ID-based signature scheme IBS ISO/IEC : Hash-functions, WD 20

21 Advanced SC 27/WG 2 also includes ISO/IEC Encryption algorithms Part 5: Identity-based ciphers (status: CD) ISO/IEC Blind digital signatures Part 1: General (WD) Part 2: Discrete logarithm based mechanisms (WD) ISO/IEC Anonymous digital signatures Part 1: General, 2013 Part 2: Mechanisms using a group public key, 2013 ISO/IEC Anonymous entity authentication Part 1: General, 2013 Part 2: Mechanisms based on signatures using a group public key, 2013 Part 3: Mechanisms based on blind signatures (WD) Part 4: Mechanisms based on weak secrets (WD) WG 2 Study Periods include Homomorphic encryption schemes Homomorphic secret sharing schemes Broadcast encryption 21

22 Intentional Weaknesses in Crypto Standards? Discussion in the Media In recent weeks there has been much discussion in both the press and in academic circles regarding intentional weaknesses in crypto standards. The agency has influenced the international standards upon which encryption systems rely NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document [provided by Edward Snowdon]. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in Eventually, NSA became the sole editor, the document states

23 Dealing with Encryption To deal with encryption, agencies may work with security product vendors to subvert the underlying cryptography, e.g. make the random number generator less random, thus reducing effective key lengths implant backdoors which leak the key somehow work with standards bodies to promote weak algorithms leverage secret mathematical breakthroughs construct quantum computers 23

24 Dual_EC_DRBG Flawed Deterministic Random Bit Generation NIST Special Publication :2006 includes four different algorithms called deterministic random bit generators, or DRBGs. Documents provided by Edward Snowden indicate the NSA played a crucial role in writing NIST SP Possible weaknesses were identified in one of the algorithms specified, the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) scheme. NIST has recommended that Dual_EC_DRBG should not be used, see Concern has been expressed about one of the DRBG algorithms in SP /90A and ANS X9.82: the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm. This algorithm includes default elliptic curve points for three elliptic curves [ ], recent community commentary has called into question the trustworthiness of these default elliptic curve points. Dual_EC_DRBG is also specified in ANS X9.82 and in the current (2011) edition of ISO/IEC 18031: Random bit generation. Dual_EC_DRBG is included in many cryptographic libraries (e.g., offered by Microsoft, Cisco, Symantec and RSA). 24

25 Way Forward ISO/IEC Cautionary note on the use of Dual_EC_DRBG Study Period initiated to carefully review the security issues for Dual_EC_DRBG and to revise ISO/IEC as appropriate. The Study Period will further analyse if other mechanisms in this standard are affected. General Always ensure a sufficient amount of independent cryptographic research. Fight a general mistrust in NIST proposals do not forget NIST has done a great job with cryptographic competitions, both a decade ago with the AES and recently with SHA-3. ISO can (and should) play a vital role in the restoration of trust in cryptography and cryptographic security, because ISO provides an open, free and independent framework for assessing security of cryptographic mechanisms. 25

26 20+3 Years of SC 27 and the tour continues April 7-15, 2014 Hong Kong, China (WGs and Plenary) Oct 20-24, 2014 Mexico City, Mexico (WGs) May 4-12, 2015 Kuching, Malaysia (WGs and Plenary) Oct 26-30, 2015 Jaipur, India (WGs) 26

27 Collaboration with ETSI April 2013: Joint security workshop between ETSI and SC 27 to explore areas of mutual interest and future collaboration. Workshop identified 12 specific areas for potential collaboration and recommended to establish/continue collaborative dialogues and/or liaisons to further cooperative working. Next coordination meeting: tonight ETSI SC 27 Topic TC M2M WG 2 use of SC27 standards TC M2M WG 5 privacy and identity management TC ESI WG 4 trust services TC ITS WG 3 trusted platforms TC ITS WG 1 ISO/IEC for Trust Services TC ITS WG 5 use of privacy and identity management frameworks TC NTECH TC NTECH WG 3 WG 5 design for assurance privacy MTS WG 3 Cat C Liaison ISG ISI WG 4 continued collaborative dialogue ISG ISI WG 1 information security indicators and measurements SAGE WG 2 cryptographic algorithms 27

28 Thank you for your attention!