1
26.10.2004 Walter Fumy@siemens.com
SC 27 IT Security Techniques
Business Plan & Report on Marketing Initiatives
2
25.10.2004 Walter Fumy@siemens.com
ISO/IEC JTC 1/SC 27: Information technology - Security techniques
Chair: Mr. W. Fumy
Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
Working Group 1: Requirements, services, guidelines. Convener: Mr. T. Humphreys
Working Group 2: Security techniques and mechanisms. Convener: Mr. K. Naemura
Working Group 3: Security evaluation criteria. Convener: Mr. M. Ohlin
SC 27 “IT Security Techniques”
Standardization of generic IT security services and techniques, including
- identification of generic requirements for IT system security services,
- development of security techniques and mechanisms (cryptographic and non-cryptographic),
- development of security guidelines,
- development of management support documentation and standards,
- development of criteria for IT security evaluation and certification of IT systems, components, and products.
3
Membership of SC 27
O-members: Argentina, Indonesia, Estonia, Hungary, Ireland, Israel, Lithuania, Serbia and Montenegro, Romania, Slovakia, Turkey
Canada USA founding P-Members (in 1990) Brazil China Japan Belgium Denmark Finland France Germany Italy Netherlands Norway Spain Sweden Switzerland UK USSR Korea Australia 1994 Russian Federation 1996 Poland 1999 Malaysia Czech Republic Ukraine 2001 India South Africa 2002 Austria Kenya 2003 Singapore Luxembourg New Zealand additional P-Members
4
SC 27 Collaboration (I)
ITU-T Q10/SG17
- Collaboration in order to progress common or twin text documents and to publish common standards
  - Security information objects
  - Guidelines on the use and management of Trusted Third Party services
  - Specification of TTP services to support the application of digital signatures
  - IT Network Security (new)
  - Code of practice for information security (new)
The International Common Criteria Project (ICCP)
- long-standing technical liaison
- SC 27 published the Common Criteria as IS 15408-1, -2, -3
- close cooperation with CCIMB (and CCEB) has allowed the NBs of those countries not represented on the CCIMB to review, comment and contribute to the project
5
SC 27 Collaboration (II)
ISO/IEC JTC 1/SC 37 ‘Biometrics’
ISO TC 68 ‘Banking and Related Financial Services’
- Joint Coordination Committee on Security Work
- TC 68 and SC 27 collaborate on IT security standards of mutual interest, including
  - Message authentication
  - Protection Profiles
  - Security guidelines
  - Biometrics
Fruitful liaisons with many other organizations within ISO/IEC JTC 1 including SC 6, SC 7, SC 17, and SC 36, within ISO including TC 215, and to several external organizations including the European Committee for Banking Standards (ECBS), ETSI, and ISSEA.
6
Recent SC 27 Publications
- IS 10118: Hash-functions – Part 3: Dedicated hash-functions (2nd edition)
- IS 13888: Non-repudiation – Part 1: General (2nd edition)
- TR 15446: Guide on the production of protection profiles and security targets
- IS 18014: Time stamping services – Part 3: Mechanisms producing linked tokens
7
Approved for Publication
- IS 13335: Management of information and communications technology security
  - Part 1: Concepts and models for information and communications technology security management
- TR 15433: A framework for IT security assurance
  - Part 1: Overview and framework
  - Part 2: Assurance methods
- IS 15946: Cryptographic techniques based on elliptic curves – Part 4: Digital signatures with message recovery
- IS 18028: IT network security – Part 4: Remote access
- TR 18044: Information security incident management
8
New Projects and Study Periods
Recently approved
- NP 18043: Deployment and operation of Intrusion Detection Systems (Oct 2004)
- NP 24742: Information security management and measurements (Oct 2004)
- NP 24743: Information Security Management Systems (Oct 2004)
- NP 24745: Biometric template protection (Oct 2004)
Study Periods
- Information security management systems (ISMS).
- Security management and biometrics.
- Authentication of biometric data.
- Object identifiers and ASN.1 syntax.
9
SC 27 & Privacy Technology
- IT Security Technology is related to Privacy Technology
- SC 27 does have some expertise in Privacy
- SC 27 is developing standards related to Privacy Technology
- PAS DIS 20886: “Privacy Framework” was assigned to SC 27
- PTSG has recognized SC 27 as one option for moving forward
- SC 27 would welcome such assignment, and in this case probably form a WG dedicated to Privacy Technology
10
Progress Report
42 Ballots, November 2003 – October 2004
- 6 FDIS ballots
- 15 FCD ballots
- 13 CD ballots
- 4 NP ballots
- 3 DTR ballots
- 1 PDTR ballot
11
Marketing Initiatives
- Position of a PR officer established in 2002
- Press Releases
- Publications
  - ISO Focus, January 2004
  - ISMS Journal, April 2004
  - ISO Focus, July 2004
- Presentations & Panels
  - ITU-T Cybersecurity Symposium, Florianopolis, October 2004
  - ICC Roundtable: Technology for security & safety, Paris, Oct 25
- “Roadmap”
12
Hierarchical Security Management Model (SC 27 View)
[Diagram labels: Terminology; Toolbox of Techniques]
- Frameworks provide a simplified description of interrelationships used to organize concepts, methods and technologies
- Principles provide generally accepted high-level basic rules used as a foundation to guidance
- Element Standards provide specific requirements that apply to a defined area of security management
- Application Guides and Supplements provide detailed descriptions offering guidance on how element standards may be applied in specific situations
13
Hierarchical Security Management Model (SC 27 View)
[Diagram labels: Application Guides and Supplements; Element Standards; Frameworks; Principles; Terminology; Toolbox of Techniques]
Documents shown in the diagram:
- Information Security Mgt System (NP 24743)
- ISM Metrics & Measurements (NP 24742)
- Code of Practice for ISM (IS 17799 / ITU-T X.???)
- MICTS-1: Models and concepts
- MICTS-2: Risk management
- Information Security Management Principles
- Information Security Mgt Framework
- IT Network Security (IS 18028 / ITU-T X.???)
- IT Intrusion Detection Framework (TR 15947)
- Info Security Incident Management (TR 18044)
- Guidelines for TTP Services (IS 14516 / ITU-T X.842)
- Healthcare ISMS Guide (TC 215)
- T-ISMS: Telecom ISMS Guide (ITU-T X.1051)
- Financial ISMS Guide (TC 68)
- SC 27 SD 6 Updated and harmonized ISO Guide 73
- IS 19011 Auditing
14
Summary
SC 27 is responsible for 74 projects, including 38 active projects
More Information & Contact
- SC 27 web-page: scope, organization, work items, etc. http://www.din.de/ni/sc27/
- Catalogue of SC 27 Projects & Standards: http://www.din.de/ni/sc27/doc7.html
- SC 27 Secretariat: Krystyna.Passia@din.de
- SC 27 Chairman: Walter.Fumy@siemens.com
15
SC 27 - Meeting Calendar
2003
- April 28–May 6, Québec, Canada: WGs & Plenary
- Oct 20-24, Paris, France: WGs
2004
- April 19-27, Singapore: WGs & Plenary
- Oct 18-22, Fortaleza, Brazil: WGs
2005
- April 11-19, Vienna, Austria: WGs & Plenary
- Nov 7-11, Kuala Lumpur, Malaysia: WGs