Author: Phebe Bryant
Recent Developments in ISO Security Standardization and JTC 1/SC 27

Walter Fumy, SC 27 Chairman, [email protected]

9th ETSI Security Workshop, Sophia Antipolis, January 2014

Agenda

• ISO Level
  • Alignment of Management System Standards (MSS)
  • New Security Coordination Initiative
• SC 27 Level
  • WG 1: New editions of ISO/IEC 27001 & ISO/IEC 27002
  • WG 2: Advanced Crypto Techniques, Intentional Weaknesses in Crypto Standards?
  • WG 3, WG 4, WG 5 (⇒ Session 4)
  • Collaboration with ETSI

ISO Management System Standards (MSS)

• ISO 9001, Quality systems – Model for quality assurance in design/development, production, installation and servicing, was published in December 1987
• Since then the range of ISO management system standards has expanded from environment (1996) through to security (2000) and business continuity (2012)
• Many companies use more than one management system standard
• To make this easier, ISO has decided that all MSSs should have the same structure and contain many of the same terms and definitions. This makes the standards easier and cheaper to use, and helps auditors.
• All ISO management system standards are based on the principle of continual improvement (aka PDCA)
• Audits are a vital part of ISO's management system approach, as they enable an organization to check how far its achievements meet its objectives
• ISO 19011:2011 provides specific guidance on internal and external management system audits
• Accredited ISO MSS certifications approach 1.5 million per year

ISO Survey 2012

• ISO does not perform certification – organizations looking to get certified to an ISO standard must contact an independent certification body
• The ISO Survey counts certificates issued by certification bodies that have been accredited by members of the International Accreditation Forum (IAF)
• The ISO Survey 2012 shows a significant increase in certificates for ISO 27001 (information security, +13%), ISO 22000 (food safety management, +20%) and for energy management (ISO 50001, +332%)
  • at least 19,577 ISO/IEC 27001:2005 certificates issued in 103 countries
  • top three countries by number of certificates: Japan, UK and India
  • top three for growth in 2012: Romania, Japan and China

http://www.iso.org/iso/home/standards/certification/iso-survey.htm

Annex SL of the Consolidated ISO Supplement of the ISO/IEC Directives

All ISO technical work, including the development of standards, is carried out under the overall management of the Technical Management Board (TMB). ISO/TMB*) has produced Annex SL with the objective of delivering consistent and compatible MSSs. Annex SL (previously ISO Guide 83) defines the framework for a generic ISO management system standard.

• All new ISO MSS have to adhere to this framework, and all current ISO MSS will migrate at their next revision
• In future all ISO MSS should be consistent and compatible – they should all have the same look and feel
• For management system auditors, it will mean that for all audits there will be a core set of generic requirements that need to be addressed, no matter which discipline
• This could be the beginning of the end of the conflicts, duplication, confusion and misunderstanding arising from different ISO MSS
• MSS writers can concentrate their development efforts on the discipline-specific requirements of their MSS

*) via its Joint Technical Coordination Group on MSS

ISO MSS use of Annex SL

Current status of harmonization (examples)

Published
• ISO 22301:2012, Societal security – Business continuity management systems – Requirements (deviation on definition of "Risk")
• ISO 22313:2012, Societal security – Business continuity management systems – Guidance
• ISO 39001:2012, Road-traffic safety management systems – Requirements with guidance for use
• ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements

Under development / in revision
• ISO 34001, Security management system – Requirements
• ISO 14001, Environmental management systems – Requirements with guidance for use
• ISO 9001, Quality management systems – Requirements

16.12.2012 Source: ISO Security Forum, October 2013
Internal/Confidential

https://www.iso.org/obp/ui/

ISO Security Forum, October 2013

Recommendation to the Technical Management Board (TMB): establishment of a Joint Technical Coordination Group for the security sector (JTCG-Security) with terms of reference to include

• Share experiences, challenges and opportunities for collaboration and harmonization across work items, and harmonize existing projects where appropriate
• Harmonize terms and definitions, including the definition of "security"
• Identify gaps in security standardization activities and the resulting opportunities
• Avoid overlap and duplication
• Review the TC/SC structure and scopes and propose modifications as appropriate for TMB approval
• Provide advice to ISO committees and groups on security-related issues
• Promote ISO security-related activities (communications function)
• Develop a vision for security-related activities, and organize a bi-annual (depending on length of term) security conference

JTC 1/SC 27 – IT Security Techniques

Mission & Scope

SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

• Information Security Management Systems (ISMS), requirements, controls and conformance assessment, accreditation and auditing requirements in the area of information security
• Cryptographic mechanisms
• Security evaluation criteria and methodology
• Security services
• Security aspects of identity management, biometrics and privacy

JTC 1/SC 27 – IT Security Techniques

Organization

ISO/IEC JTC 1/SC 27 – IT Security techniques
• Chair: Mr. W. Fumy
• Vice-Chair: Ms. M. De Soete
• SC 27 Secretariat: DIN, Ms. K. Passia

• Working Group 1 – Information security management systems; Convener: Mr. T. Humphreys
• Working Group 2 – Cryptography and security mechanisms; Convener: Mr. T. Chikazawa
• Working Group 3 – Security evaluation, testing and specification; Convener: Mr. M. Bañón
• Working Group 4 – Security controls and services; Convener: Mr. J. Amsenga
• Working Group 5 – Identity management and privacy technologies; Convener: Mr. K. Rannenberg

http://www.jtc1sc27.din.de/en

Projects – Facts & Figures

Projects
• Total no. of projects: 206
• No. of active projects: 79 (11 new projects in 2013)
• Published standards: 130 (22 publications in 2013)

Standing Documents
• SD6 Glossary of IT Security terminology (http://www.jtc1sc27.din.de/sbe/SD6)
• SD7 Catalogue of SC 27 Projects and Standards (http://www.jtc1sc27.din.de/sbe/SD7)
• SD11 Overview of SC 27 (http://www.jtc1sc27.din.de/sbe/SD11)
• SD12 Assessment of cryptographic algorithms and key lengths (http://www.jtc1sc27.din.de/sbe/SD12)

More information
• http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=45306

Recent Publications (1/2)

• ISO/IEC TR 15443: Security assurance framework – Part 1: Introduction and concepts (2nd ed.); Part 2: Analysis (2nd ed.)
• ISO/IEC 27000: Information security management systems – Overview and vocabulary (3rd ed.)
• ISO/IEC 27001: Information security management systems – Requirements (2nd ed.)
• ISO/IEC 27002: Code of practice for information security management (2nd ed.)
• ITU-T Recommendation X.1054 | ISO/IEC 27014: Governance of information security
• ISO/IEC TR 27015: Information security management guidelines for financial services
• ISO/IEC TR 27019: Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy industry
• ISO/IEC 27033: Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
• ISO/IEC 27036: Information security for supplier relationships – Part 1: Overview and concepts; Part 3: Guidelines for information and communication technology supply chain security

Recent Publications (2/2)

• ISO/IEC 27037: Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 20008: Anonymous digital signatures – Part 1: General; Part 2: Mechanisms using a group public key
• ISO/IEC 20009: Anonymous entity authentication – Part 1: General; Part 2: Mechanisms based on signatures using a group public key
• ISO/IEC 29192: Lightweight cryptography – Part 4: Mechanisms using asymmetric techniques
• ISO/IEC 29101: Privacy architecture framework
• ISO/IEC 29115: Entity authentication assurance framework
• ISO/IEC 29191: Requirements for partially anonymous, partially unlinkable authentication
• ISO/IEC 30111: Vulnerability handling processes

ISO/IEC 27001 – ISMS Requirements

• ISO/IEC 27001:2013 is a certification and auditable standard
• based on a mandatory risk-based approach
• aims at achieving effective information security through a continual improvement process (PDCA model)
• uses the same management systems process model as ISO 9001 (QMS) and ISO 14001 (EMS)
• aligned with Annex SL
• ISO/IEC 27001:2005 was a revised version of BS 7799 Part 2:2002
• 2nd edition: ISO/IEC 27001:2013, published 2013-10-01

ISO/IEC 27001:2013 – Major benefits of the new edition

• ISO/IEC 27001:2013 takes into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005
• provides a more flexible, streamlined approach, which should lead to more effective risk management
• improvements to the security controls listed in Annex A ensure that the standard remains current and is able to deal with today's risks, namely identity theft, risks related to mobile devices and other online vulnerabilities
• ISO/IEC 27001:2013 fits the new high-level structure used in all ISO management system standards (Annex SL)
• integration with other management systems becomes an easy option

ISO/IEC 27002 – Code of practice for information security management

ISO/IEC 27002 is a catalogue of best practices, not a certification or auditable standard
• based on BS 7799-1:1999
• 1st edition: ISO/IEC 17799:2000
• 2nd edition: ISO/IEC 17799:2005
• renumbered as ISO/IEC 27002:2005 in 2007
• 3rd edition of ISO/IEC 27002 published 2013-10-01

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306

Control clauses of ISO/IEC 27002:2013:
• Security policies
• Organisation of information security
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical & environmental security
• Operations security
• Communications security
• Systems acquisition, development & maintenance
• Supplier relationships
• Security incident management
• Business continuity management
• Compliance

SC 27/WG 1 – ISMS Family of Standards

• IS 27001 ISMS Requirements
• IS 27000 ISMS Overview and vocabulary

Supporting Guidelines
• IS 27002 Code of practice
• IS 27003 ISMS Implementation guidance
• IS 27004 Information security management measurement
• IS 27005 Information security risk management

Accreditation Requirements and Auditing Guidelines
• IS 27006 Accreditation requirements
• IS 27007 ISMS Auditing guidelines
• TR 27008 Guide for auditors on ISMS controls

Sector Specific Requirements and Guidelines
• WD 27009 Use and application of 27001 for sector-specific 3rd party certifications
• IS 27010 ISMS for inter-sector communications
• IS 27011 / ITU-T X.1051 Telecom sector ISMS guidelines based on 27002
• TR 27015 ISMS guidelines for financial services
• CD 27017 Code of practice for cloud computing services based on 27002
• TR 27019 Energy industry ISMS guidelines based on 27002

SC 27/WG 2 – Cryptography and Security Mechanisms

Cryptographic protocols
• Entity Authentication (IS 9798)
• Key Management (IS 11770)
• Non-Repudiation (IS 13888)
• Time Stamping Services (IS 18014)

Integrity mechanisms
• Hash Functions (IS 10118)
• Message Authentication Codes (IS 9797)
• Check Character Systems (IS 7064)
• Biometric Template Protection (IS 24745)

Encryption
• Encryption (IS 18033)
• Modes of Operation (IS 10116)
• Authenticated Encryption (IS 19772)
• Lightweight Crypto (IS 29192)

Signatures and public-key techniques
• Signatures giving Message Recovery (IS 9796)
• Signatures with Appendix (IS 14888)
• ECC Techniques (IS 15946)

Generation of random bits and parameters
• Random Bit Generation (IS 18031)
• Prime Number Generation (IS 18032)
• Parameter Generation

ISO/IEC 29192 – Lightweight Cryptography

• ISO/IEC 29192-1: General, 1st edition 2012
• ISO/IEC 29192-2: Block ciphers, 1st edition 2012
  • 64-bit block cipher PRESENT (key size 80 or 128 bits)
  • 128-bit block cipher CLEFIA (key size 128, 192 or 256 bits)
• ISO/IEC 29192-3: Stream ciphers, 1st edition 2012
  • Enocoro (key size 80 or 128 bits)
  • Trivium (key size 80 bits)
• ISO/IEC 29192-4: Mechanisms using asymmetric techniques, 1st edition 2013
  • identification scheme cryptoGPS
  • authentication and key exchange mechanism ALIKE (Authenticated Lightweight Key Exchange – pka SPAKE)
  • ID-based signature scheme IBS
• ISO/IEC 29192-5: Hash-functions, WD

Advanced Crypto @ SC 27/WG 2 also includes

• ISO/IEC 18033 – Encryption algorithms – Part 5: Identity-based ciphers (status: CD)
• ISO/IEC 18370 – Blind digital signatures – Part 1: General (WD); Part 2: Discrete logarithm based mechanisms (WD)
• ISO/IEC 20008 – Anonymous digital signatures – Part 1: General, 2013; Part 2: Mechanisms using a group public key, 2013
• ISO/IEC 20009 – Anonymous entity authentication – Part 1: General, 2013; Part 2: Mechanisms based on signatures using a group public key, 2013; Part 3: Mechanisms based on blind signatures (WD); Part 4: Mechanisms based on weak secrets (WD)

WG 2 Study Periods include
• Homomorphic encryption schemes
• Homomorphic secret sharing schemes
• Broadcast encryption

Intentional Weaknesses in Crypto Standards?

Discussion in the Media

In recent weeks there has been much discussion in both the press and in academic circles regarding intentional weaknesses in crypto standards.

• "The agency has influenced the international standards upon which encryption systems rely"
• "NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document [provided by Edward Snowden]. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. 'Eventually, NSA became the sole editor,' the document states." (18.10.2013)

Dealing with Encryption

To deal with encryption, agencies may
• work with security product vendors to subvert the underlying cryptography, e.g.
  • make the random number generator less random, thus reducing effective key lengths
  • implant backdoors which leak the key somehow
• work with standards bodies to promote weak algorithms
• leverage secret mathematical breakthroughs
• construct quantum computers

Dual_EC_DRBG – Flawed Deterministic Random Bit Generation

• NIST Special Publication 800-90:2006 includes four different algorithms called "deterministic random bit generators," or DRBGs.
• Documents provided by Edward Snowden indicate the NSA played a crucial role in writing NIST SP 800-90.
• Possible weaknesses were identified in one of the algorithms specified, the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) scheme.
• NIST has recommended that Dual_EC_DRBG should not be used, see http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf: "Concern has been expressed about one of the DRBG algorithms in SP 800-90/90A and ANS X9.82: the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm. This algorithm includes default elliptic curve points for three elliptic curves […], recent community commentary has called into question the trustworthiness of these default elliptic curve points."
• Dual_EC_DRBG is also specified in ANS X9.82 and in the current (2011) edition of ISO/IEC 18031: Random bit generation.
• Dual_EC_DRBG is included in many cryptographic libraries (e.g., offered by Microsoft, Cisco, Symantec and RSA).
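The concern on this slide is about the provenance of the fixed points P and Q: the generator's security rests on nobody knowing a scalar relating the two, and a constant supplied without explanation cannot be checked. As an added illustration (not from the presentation, and using a constructed toy curve rather than the NIST curves or the real Dual_EC_DRBG constants), the following Python sketches the Dual_EC iteration and shows the checkable alternative: deriving both points from public labels by hash-and-increment, so that any reviewer can recompute them and no party was in a position to choose one with a hidden relation to the other. Curve parameters, labels and the 14-byte output size are assumptions of this example.

```python
import hashlib

# Toy curve (constructed for this example, not a standardised curve):
# y^2 = x^3 + 7 over F_p with p = 2^127 - 1. p ≡ 3 (mod 4), so a square
# root, when it exists, is rhs^((p+1)/4) mod p.
P_MOD = 2**127 - 1
A, B = 0, 7


def on_curve(pt):
    """True if pt is the point at infinity (None) or satisfies the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition, with None as the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P), also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def derive_point(label: bytes):
    """Hash-to-curve by try-and-increment: x = SHA-256(label || counter) mod p,
    keeping the first x for which x^3 + 7 is a non-zero square. Because the
    derivation starts from a public label, anyone can recompute the point and
    nobody could have picked it to stand in a known scalar relation to another."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P_MOD
        rhs = (x**3 + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if rhs != 0 and (y * y) % P_MOD == rhs:
            return (x, y)
        counter += 1


def x_coord(pt):
    # Toy convention: the point at infinity contributes 0 (negligible on this curve).
    return 0 if pt is None else pt[0]


def dual_ec_stream(seed: int, P, Q, blocks: int) -> bytes:
    """Dual_EC-style iteration: the state advances as s <- x(s*P) and each output
    block is r = x(s*Q) with its top 16 bits discarded (the truncation in the real
    specification; the 14-byte block width is specific to this 127-bit toy curve).
    The output depends only on (seed, P, Q), so the trust question is entirely
    about who chose P and Q and whether that choice can be audited."""
    s = seed % P_MOD or 1
    out = bytearray()
    for _ in range(blocks):
        s = x_coord(ec_mul(s, P))
        r = x_coord(ec_mul(s, Q))
        out += (r >> 16).to_bytes(14, "big")   # 127 - 16 = 111 bits fit in 14 bytes
    return bytes(out)


if __name__ == "__main__":
    # Both points come from public labels, so a reviewer can re-derive them.
    P_pt = derive_point(b"example-base-point-P")
    Q_pt = derive_point(b"example-output-point-Q")
    assert on_curve(P_pt) and on_curve(Q_pt)
    print(dual_ec_stream(0x1234_5678, P_pt, Q_pt, 2).hex())
```

The defensive reading is the one the slide invites: the construction is only as trustworthy as the argument that P and Q are independent, and a published derivation procedure (as opposed to opaque constants) is what makes that argument auditable. Production code should not use a home-grown DRBG at all; the example exists to make the dependence on the point provenance visible.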

Way Forward

ISO/IEC 18031
• Cautionary note on the use of Dual_EC_DRBG: http://isotc.iso.org/livelink/livelink/open/16315553
• Study Period initiated to carefully review the security issues for Dual_EC_DRBG and to revise ISO/IEC 18031 as appropriate. The Study Period will further analyse whether other mechanisms in this standard are affected.

General
• Always ensure a sufficient amount of independent cryptographic research.
• Fight a general mistrust in NIST proposals – do not forget NIST has done a great job with cryptographic competitions, both a decade ago with the AES and recently with SHA-3.
• ISO can (and should) play a vital role in the restoration of trust in cryptography and cryptographic security, because ISO provides an open, free and independent framework for assessing the security of cryptographic mechanisms.

20+3 Years of SC 27 … and the tour continues

• April 7-15, 2014: Hong Kong, China (WGs and Plenary)
• Oct 20-24, 2014: Mexico City, Mexico (WGs)
• May 4-12, 2015: Kuching, Malaysia (WGs and Plenary)
• Oct 26-30, 2015: Jaipur, India (WGs)

https://en.wikipedia.org/wiki/ISO/IEC_JTC_1/SC_27

Collaboration with ETSI

• April 2013: Joint security workshop between ETSI and SC 27 to explore areas of mutual interest and future collaboration.
• The workshop identified 12 specific areas for potential collaboration and recommended establishing/continuing collaborative dialogues and/or liaisons to further cooperative working.

ETSI       SC 27   Topic
TC M2M     WG 2    use of SC27 standards
TC M2M     WG 5    privacy and identity management
TC ESI     WG 4    trust services
TC ITS     WG 3    trusted platforms
TC ITS     WG 1    ISO/IEC 27009 for Trust Services
TC ITS     WG 5    use of privacy and identity management frameworks
TC NTECH   WG 3    design for assurance
TC NTECH   WG 5    privacy
MTS        WG 3    Cat C Liaison
ISG ISI    WG 4    continued collaborative dialogue
ISG ISI    WG 1    information security indicators and measurements
SAGE       WG 2    cryptographic algorithms

Next coordination meeting: tonight

Thank you for your attention!

[email protected]