Jürgen Großmann, Fraunhofer FOKUS

Presentation on theme: "Jürgen Großmann, Fraunhofer FOKUS"— Presentation transcript:

1 Jürgen Großmann, Fraunhofer FOKUS
ETSI TC MTS, Security SIG in MTS (Methods for Testing and Specification)
Jürgen Großmann, Fraunhofer FOKUS

2 MTS Security SIG Work Items
- Case Studies: To assemble case study experiences related to security testing in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication.
- Terminology: To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.
- Security Assurance Life Cycle: Guidance to the application system designers in such a way as to maximise both security assurance and the verification and validation of the capabilities offered by the system's security measures.
- Risk-based Security Testing: To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.
Work item diagram: TR Terminology, TR Case Studies, EG Security Assurance Lifecycle, EG Risk-based Security Testing.
Security SIG in MTS, 14th January 2014

3 SPaCIoS: Secure Provision and Consumption in the Internet of Services
TR : Security Testing Case Studies
Security testing experiences from different domains: different domains, different vulnerabilities, different approaches, common evaluation.
- Automotive (head unit)
- Radio protocols (ad-hoc networks)
- E-health (patient monitoring)
- Banking (banknote processing, share-based payment)
Projects: ITEA DIAMONDS (Development and Industrial Application of Multi-Domain-Security Testing Technologies); SPaCIoS (Secure Provision and Consumption in the Internet of Services).

4 TR 101 583: Security Testing Case Studies -- Progress
Final draft for approval for DTR/MTS SecTestCase (TR ) v0.0.5 "Security Case Studies"
RATIFIED on :49 CET by Emmanuelle Chaulot-Talmon with output status ACCEPTED
Ratification comment: "TB Approved by RC without comments"
Security SIG in MTS, 4-5 October 2011

5 EG 202793: Risk-based Security Testing
Document Reference: DEG
Document Title: Methods for Testing and Specification (MTS); Risk-based security testing methodologies
Document Purpose: Describes a set of methodologies that combine risk assessment and testing. The methodologies are based on standards like ISO and IEEE 829/29119.
Document Status: Draft v0.0.2 ( )

6 EG 202793: Risk-based Security Testing
Document Progress:
- Work plan produced
- Initial draft structure provided
- Sections on terms and concepts, risk-based security testing and test-based risk assessment drafted
Open Issues:
- Feedback from Security SIG on initial draft required

7 EG 202793: Risk-based Security Testing Test-based risk assessment
Step 1: Establish Objective and Context: defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the remaining process.
Step 2: Testing Process: using testing for identifying/discovering threat test scenarios or areas or vulnerabilities where the risk assessment should be focused.
Step 3: Risk Identification: finding, recognizing and describing risks (identifying sources of risk, areas of impacts, events, their causes and their potential consequences).
Step 4: Risk Estimation: comprehending the nature of risk and determining the level of risk.
Step 5: Risk Evaluation: comparing the results of risk estimation with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Step 6: Testing Process: using testing to validate the correctness of the risk model.
Step 7: Risk Validation and Treatment: validating or updating the risk model based on the risk assessment results.
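A small worked model of Steps 4 to 7 of the process above, added here as an illustration and not taken from the EG draft: risks are estimated on constructed three-level likelihood and consequence scales, evaluated against an assumed risk criterion, and then the outcomes of the security tests from Step 6 update the likelihood estimates so that each risk is re-evaluated (Step 7). The risk names, scales and acceptance threshold are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ordinal scales for Step 4 (index + 1 gives the numeric value).
LEVELS = ["low", "medium", "high"]
# Assumed risk criterion from Step 1: a level of 3 or less is tolerable.
ACCEPTABLE_MAX = 3


@dataclass
class Risk:
    name: str          # Step 3: the identified risk
    likelihood: str    # Step 4 estimate, one of LEVELS
    consequence: str   # Step 4 estimate, one of LEVELS


def estimate(risk: Risk) -> int:
    """Step 4: risk level = likelihood x consequence on the 1..3 scales."""
    return (LEVELS.index(risk.likelihood) + 1) * (LEVELS.index(risk.consequence) + 1)


def evaluate(risk: Risk) -> str:
    """Step 5: compare the estimated level with the risk criterion."""
    return "acceptable" if estimate(risk) <= ACCEPTABLE_MAX else "unacceptable"


def validate_and_treat(risks: List[Risk],
                       test_results: Dict[str, List[bool]]) -> List[Tuple[str, str, str]]:
    """Steps 6-7: test outcomes (True = test passed, no weakness exposed) update
    the likelihood estimate; each risk is then re-evaluated.
    Returns (risk name, evaluation before testing, evaluation after testing)."""
    report = []
    for risk in risks:
        before = evaluate(risk)
        outcomes = test_results.get(risk.name)
        if outcomes is not None:
            if not all(outcomes):
                # A failing security test confirms the threat is realisable.
                risk.likelihood = "high"
            else:
                # All tests passed: lower the likelihood one step, not below "low".
                risk.likelihood = LEVELS[max(LEVELS.index(risk.likelihood) - 1, 0)]
        report.append((risk.name, before, evaluate(risk)))
    return report


if __name__ == "__main__":
    # Constructed sample risk model and test outcomes.
    sample = [Risk("SQL injection in login form", "medium", "high"),
              Risk("Session fixation", "low", "high"),
              Risk("Verbose error page", "high", "low")]
    tests = {"SQL injection in login form": [True, True, True],
             "Session fixation": [True, False]}
    for row in validate_and_treat(sample, tests):
        print(row)
```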

8 Risk-based Security Testing -- Work plan

9 EG 202 792: Security Assurance Lifecycle
Document Reference: DEG
Document Title: Methods for Testing and Specification (MTS); Security Assurance Lifecycle
Document Purpose: Guide to the application of security capabilities in systems in such a way as to maximise both security assurance and the verification and validation of the capabilities offered by the system's security measures.
Document Status: Draft v0.0.3 ( )

10 EG 202 792: Security Assurance Lifecycle -- Progress
Document Progress:
- Work plan produced
- Initial draft structure agreed
- Design section of Lifecycle drafted
Open Issues:
- Feedback from Security SIG on initial draft required
- Integration of information from other tasks on Testing required for that section
- Assurance section of Lifecycle will be drafted once Testing information has been integrated

11 TR 101583: Security testing terminology
Document Reference: TR
Document Title: Methods for Testing and Specification (MTS); Security testing terminology
Document Purpose: To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.
Document Status: Draft v0.0.8 ( )

12 TR 101583: Security testing terminology -- Progress
- Received comments and additional sections: done
- Integrate comments: not done
- Move from TS to TR: not done
- Review by external experts: not done
Move forward based on next MTS SIG meeting:
- Next draft: before next SIG meeting (March 2014)
- For approval: optimally the following MTS meeting, or faster if the next draft looks good and there are not many comments (August?)

13 ETSI MTS - ISO/IEC JTC1 SC27
ETSI ISI/MTS liaisons to ISO/IEC JTC1 SC27 WG4/WG3 have been confirmed by SC27 on Oct. 28, 2013, Songdo, Korea:
- Liaison Officer nominated by JTC1 SC27: Jan deMeer (DIN NIA27)
- SC27 WG3: IT ST Security Evaluation Criteria, Convenor M. Banon
- SC27 WG4: IT ST Security Controls and Services, Convenor J. Amsenga
Next steps:
- Participation at the ETSI/ISO meeting during the ETSI security workshop
- First contact with M. Banon to exchange documents
- Establish a broader scope for the liaison (not only by the MTS SIG)
SC27 IT ST Programme of Work:
- Economics of Information Security and Privacy
- Security Evaluation, Testing, Processes, Methods and Specification
- Certification and Auditing Requirements and Methods

14 Outlook
Action items:
- MTS(13)60_14 COMPLETED: Jürgen Grossman to provide to Ari Takanen the terminology used in the Case Studies draft
- MTS(13)60_15: Jürgen Grossman to organize a SIG Technical Review meeting on 5th November
- MTS(13)60_16: JGR/IBR to establish a work plan and initial contribution on the NWI until the next Security SIG meeting
Document timeline:
- TR 101 582 (Case Studies) approved in 2014
- Terminology to be approved in 2014
- EG (Security Assurance Lifecycle) and EG (Risk-based Security Testing) to be approved in 2015

