Working Group 5 Identity Management and Privacy Technologies within ISO/IEC JTC 1/SC 27 IT Security Techniques

Similar documents

ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT

ISO/IEC JTC 1/SC 27 N15445

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

ISO Biometric Template Protection

Latest in Cloud Computing Standards. Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

INFORMATION SECURITY STANDARDS DEVELOPMENT IN MALAYSIA

JTC 1/SC 27Security Techniques - Översikt arbetsgrupper och standarder

Big Data Systems and Interoperability

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

SC7-ISO20000 Alignment issues Aligning ITIL to existing ISO JTC1- SC7 Software Engineering Standards

Comparative Analysis of SOA and Cloud Computing Architectures using Fact Based Modeling

Standard Big Data Architecture and Infrastructure

Cloud Computing Standards: Overview and first achievements in ITU-T SG13.

Reviewers of proposed revision to ISO/IEC :2006 SAM Processes. Call for feedback on draft of revised Tiered SAM Processes

ISO/IEC JTC1 SC32. Next Generation Analytics Study Group

This document is a preview generated by EVS

This document is a preview generated by EVS

ISO/IEC/IEEE The New International Software Testing Standards

ISO/IEC Part 1 the next edition. Lynda Cooper project editor for ISO20000 part 1

IEEE SESC Architecture Planning Group: Action Plan

Security Controls What Works. Southside Virginia Community College: Security Awareness

ISO/IEC Directives Part 1

Standarization effort: ISO/IEC Software Testing

ISO/IEC 27001:2013 webinar

Walter Fumy discusses the importance of IT security standards in today s world and the role that SC 27 plays in this field.

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

INTERNATIONAL TELECOMMUNICATION UNION

ca IT Leaders Forum Working in the Cloud using the new ISO/IEC/ITU-T Cloud Computing Standards Dr David Ross, Chief Information Security Officer,

EHR Standards Landscape

DRAFT ÖNORM ISO/IEC 27005

ITU WORK ON INTERNET OF THINGS

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd

EFFECTS+ Clustering of Trust and Security Research Projects, Identifying Results, Impact and Future Research Roadmap Topics

Published International Standards Developed by ISO/IEC JTC 1/SC 37 - Biometrics

This is a preview - click here to buy the full publication TECHNICAL REPORT INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL

ISO/IEC JTC 1/WG 10 Working Group on Internet of Things. Sangkeun YOO, Convenor

ISO/IEC JTC 1 Information technology. Business plan 2014

ISO COMPLIANCE WITH OBSERVEIT

How To Protect Your Computer System From Being Hacked

This document is a preview generated by EVS

ISO 9001:2015 Draft International Standard Overview

ISO/IEC JTC 1/SC 27 N15410

CLOUD SERVICE LEVEL AGREEMENTS Meeting Customer and Provider needs

Identity and Access Management The road to sustained compliance

Information Security Awareness Training

Update on ISO TC 265 Transportation and

Master Data Management Architecture

Software Product Quality Practices Quality Measurement and Evaluation using TL9000 and ISO/IEC 9126

How To Write A Cybersecurity Framework

Cloud SSO and Federated Identity Management Solutions and Services

Software and IT Asset Management Standards: Benefits for Organizations and Individuals

Security and Privacy Controls for Federal Information Systems and Organizations

CMMI: Specific Goals and Practices

For more information, contact Joe Lewelling, AAMI's VP of Standards Development & Emerging Technologies, at jlewelling@aami.org.

ISO/IEC Part 1 the next edition

ISO JTC 1 SGBD Mtg and ACM Workshop

IT Governance: The benefits of an Information Security Management System

Identity & Access Management new complex so don t start?

THE PROCESS APPROACH IN ISO 9001:2015

International Software & Systems Engineering. Standards. Jim Moore The MITRE Corporation Chair, US TAG to ISO/IEC JTC1/SC7 James.W.Moore@ieee.

Cloud Computing ISO Security and Privacy Standards: 27017, 27018, Mike Edwards (Chair UK Cloud Standards Committee)

Information technology Security techniques Code of practice for information security controls

ISO/IEC & ediscovery (ISO/IEC 27050) Eric A. Hibbard, CISSP-ISSAP, ISSEP, ISSMP, CISA CTO Security & Privacy Hitachi Data systems

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP HP ENTERPRISE SECURITY SERVICES

ISO 27001: Information Security and the Road to Certification

Preparing yourself for ISO/IEC

Systems and software engineering Lifecycle profiles for Very Small Entities (VSEs) Part 5-6-2:

Transcription:

Working Group 5 Identity Management and Privacy Technologies within ISO/IEC JTC 1/SC 27 IT Security Techniques Joint Workshop of ISO/IEC JTC 1/SC 27/WG 5, ITU-T SG17/Q.6, and FIDIS on Identity Management Standards Lucerne, Switzerland, 2007-09-30 Kai Rannenberg (WG5 Convener) Christophe Sténuit (Co-editor 24760) Asahiko Yamada (Editor 24761) Stefan Weiss (Editor 29100/29101) 1

Agenda WG 5 Overview Kai Rannenberg Identity Management Framework Christophe Sténuit Authentication Context for Biometrics Asahiko Yamada Privacy Framework/Architecture Stefan Weiss WG 5 Roadmap and Outlook Kai Rannenberg 2

WGs within ISO/IEC JTC 1/SC 27 IT Security Techniques Assessment WG 3 Security Evaluation WG 1 ISMS Guidelines Techniques WG 4 Security Controls & Services WG 2 Cryptography & Security Mechanisms WG 5 Identity Management & Privacy Technologies Product System Process Environment 3

WG 5 Identity Management & Privacy Technologies Scope Development and maintenance of standards and guidelines addressing security aspects of Identity management Biometrics and Privacy. 4

WG 5 Identity Management & Privacy Technologies Programme of Work Frameworks & Architectures A framework for identity management (ISO/IEC 24760) A privacy framework (ISO/IEC 29100) A privacy reference architecture (ISO/IEC 29101) Protection Concepts Biometric template protection (ISO/IEC 24745) Guidance on Context and Assessment Authentication context for biometrics (ISO/IEC 24761) Authentication Assurance (ISO/IEC 29115) 5

Agenda WG 5 Overview Kai Rannenberg Identity Management Framework Christophe Sténuit Authentication Context for Biometrics Asahiko Yamada Privacy Framework/Architecture Stefan Weiss WG 5 Roadmap and Outlook Kai Rannenberg 6

WG 5 Identity Management & Privacy Technologies IdM History October 2004 STUDY PERIOD on Identity Management established in respond to JTC 1 s request May 2005 New Work Item Proposal (NP) on A framework for identity management May 2006 First Working Draft on A framework for identity management May 2007 Third Working Draft on A framework for identity management 7

WG 5 Identity Management and Privacy Technologies Topics Identity Management Framework Identity (Efficiency vs. Misuse), Identification, References, Identifiers Identity Management: Lifecycle, Provisioning of Identities, Attributes IdM requirements, Control Objectives IdM implementation, Authentic Sources of Identity Information IdM and information access management: policy, privileges, authorization, authentication, IdMS federation Collaborative works SC27: WG 1 on management aspects, WG 3 on evaluation aspects ISO TC 68/SC 2 Financial Services Security ITU-T SG 17 (Security, languages and Telco software) ITU-T Joint Coordination Activity on Network Aspects of Identification Systems (including RFID) (JCA-NID) FIDIS (Future of Identity in the Information Society) The Open Group (IdM Forum and Jericho Forum) 8

Agenda WG 5 Overview Kai Rannenberg Identity Management Framework Christophe Sténuit Authentication Context for Biometrics Asahiko Yamada Privacy Framework/Architecture Stefan Weiss WG 5 Roadmap and Outlook Kai Rannenberg 9

24761 ACBio (Authentication Context for Biometrics) First WD issued in August 2005 Current draft, 3 rd CD, issued in July 2007 Scope: 24761 defines the structure and the data elements of ACBio instance, which is used for checking the validity of the result of a biometric verification process executed at a remote site. (The following slides explains what ACBio is) Liaison relation: SC 17 (IC card command sequence to realize ACBio) SC 37 (inclusion of ACBio in CBEFF, BioAPI extension to handle ACBio) 10

User authentication using password User Service supplier (i.e. Online shop) password password comparison Passwords are registered and stored in the system of the service supplier. 11

If you extend the system with User biometrics Service supplier (i.e. Online shop) biometric information biometric information comparison Biometric information is stored in the system of the service supplier in advance. Issue 1. Privacy issue of users biometric information Issue 2. Increase of TCO to protect biometric information 12

An improvement If you store biometric information in your personal device,. User biometric information IC Card 0000 1234 5678 9000 TAROU TOSHIBA biometric information comparison?? comparison result Service supplier (i.e. Online shop) The service supplier cannot judge whether the result is trustworthy! If it can trust the result, the degree of trustworthiness will be dependent on the precision of the devices used and other environmental factors. 13

ACBio is a solution! User biometric information IC Card 0000 1234 5678 9000 TAROU TOSHIBA biometric information comparison comparison result + ACBio ACBio Service supplier (i.e. Online shop) policy judgement The service supplier CAN judge the trustworthiness of the result of biometric verification with the information in ACBio instances. ACBio will become the essential information for remote authentication using biometrics. 14

Agenda WG 5 Overview Kai Rannenberg Identity Management Framework Christophe Sténuit Authentication Context for Biometrics Asahiko Yamada Privacy Framework/Architecture Stefan Weiss WG 5 Roadmap and Outlook Kai Rannenberg 15

ISO 29100 Privacy Framework Purpose (as defined in Working Draft 2) This International Standard defines privacy safeguarding requirements as they relate to PII processed by any information and communication system in any jurisdiction is applicable on an international scale and sets a common privacy terminology, defines privacy principles when processing PII, categorizes privacy features and relates all described privacy aspects to existing security guidelines serves as a basis for desirable additional privacy standardization initiatives, for example a technical reference architecture, the use of specific privacy technologies, an overall privacy management, assurance of privacy compliance for outsourced data processes, privacy impact assessments and engineering specifications needs to be general in nature, puts organizational, technical, procedural and regulatory aspects in perspective and addresses system-specific issues on a high-level needs to be closely linked to existing security standards that have been widely implemented into practice provides guidance concerning information and communication system requirements for processing personally identifiable information to contribute to the privacy of people on an international level, regardless of the particular national or regional laws and regulations and no matter which data systems are used 16

ISO 29100 Privacy Framework Current Outline (as defined in Working Draft 2) Scope Purpose Target Audience Normative references, Terms and Definitions, Symbols Basic Elements of the Privacy Framework The Privacy Framework The Actors Personally Identifiable Information Risks Privacy Preferences Privacy Requirements Privacy Principles Implementing Privacy Interdependencies Relating Privacy to IT-Security 17

ISO 29100 Privacy Framework Draft for Graphical Representation 18

ISO 29101 Privacy Reference Architecture Purpose (as defined in Call for Contributions) ISO 29101 A privacy reference architecture should provide guidance concerning a consistent and effective technical implementation of privacy safeguarding requirements within information and communication systems establish a privacy-enhanced system architecture that enables system architects to build necessary privacy safeguarding measures into the system in a cohesive way across system platforms and to combine them with existing security measures, all to improve the proper handling of personally identifiable information overall provide best practices in advancing the use of privacyenhancing technologies A recent Call for Contributions seeks further contributions in the form of case studies, architecture models, reports, product descriptions, white papers, research prototypes or others related to the viewpoints suggested in the following graphical representation. 19

ISO 29101 Privacy Reference Architecture Draft for Topics in Call for Contributions 20

Agenda WG 5 Overview Kai Rannenberg Identity Management Framework Christophe Sténuit Authentication Context for Biometrics Asahiko Yamada Privacy Framework/Architecture Stefan Weiss WG 5 Roadmap and Outlook Kai Rannenberg 21

WG 5 Identity Management & Privacy Technologies Preliminary Roadmap 22

WG 5 Identity Management & Privacy Technologies Thank you very much for your attention Kai.Rannenberg@m-chair.net cstenuit@ogeris.be stefanweiss@deloitte.de Yamada.Asahiko@toshiba-sol.co.jp ISO/IEC JTC 1/SC 27 IT Security Techniques www.jtc1sc27.din.de/en SD6 Glossary of IT Security Terminology SD7 Catalogue of SC 27 Standards & Projects 23