
4.2.1. INTERNATIONAL ORGANISATION FOR STANDARDISATION (ISO)

ISO187 is the largest standards-developing organisation worldwide. It is not bound to any region but operates on a global basis. Its structure and the way standards are developed are similar to those of the regional standardisation bodies, with TCs reporting to the technical management board, an ISO council covering governance issues and the general assembly as the final authority. Security-related TCs are abundant, although not all of them deal with security topics in general; many cover security only within specific standards. The following table gives relevant examples:

ISO TC: standardisation for the following topics

ISO/TC 292: new committee, intended to officially begin 1 January 2015. The current ISO/TC 223, ISO/TC 247 and ISO/PC 284 (Management system for private security companies) will be merged into this new ISO/TC 292.

ISO/TC 223: various standards, e.g. ISO 22311 for video surveillance, which is for example used for certification by AFNOR Certification, see Chapter 6.1.

ISO/TC 224: Security of drinking water supply. Examples: ISO 24510:2007 and ISO 24512:2007, Activities relating to drinking water and wastewater services.

ISO/TC 247: Fraud countermeasures and controls. Examples: ISO 12931:2012, Performance criteria for authentication solutions used to combat counterfeiting of material goods; ISO 16678:2014, Guidelines for interoperable object identification and related authentication systems to deter counterfeiting and illicit trade.

ISO/TC 68: Financial services. Examples: ISO 9564, Financial services -- Personal Identification Number (PIN) management and security; ISO 13491-1:2007 and ISO 13491-2:2005, Banking -- Secure cryptographic devices (retail) -- Part 1: Concepts, requirements and evaluation methods; Part 2: Security compliance checklists for devices used in financial transactions.

ISO/TC 21: Fire detection and alarm systems. Focus on safety measures.

ISO/TC 92: Fire hazard mitigation for building designs, materials, products and components. Focus on safety measures.

ISO/TC 85: Protection and security against nuclear and radiological threats. Focus on safety measures.

ISO/IEC JTC 1: Information technology. Security-related activities in several SCs; extended description below.

Source: Own figure

Figure 23: Overview of the work of selected ISO TCs in the security field

185GMDSS was introduced by the International Maritime Organisation (IMO). GMDSS is used in maritime emergency cases and alerts and communicates between rescue organisations and ships, but also provides general maritime safety information, for example navigational or meteorological information.

186See European Telecommunications Standards Institute, “Public Safety, Our roles and activities”, no date.

187See International Organisation for Standardisation, “Technical committees”, no date. http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees.htm

Within the joint technical committee of ISO and IEC on information technology188 (JTC 1), an important player is Sub Committee 27/Working Group 5, ‘Identity Management and Privacy Technologies’. Its focus in the privacy field includes topics such as ‘A Privacy Framework’, ‘A Privacy Reference Architecture’, ‘Privacy infrastructures’, ‘Anonymity and Credentials’, ‘Specific Privacy Enhancing Technologies (PETs)’ and ‘Privacy Engineering’. Privacy standards developed by the working group include, in particular, ISO/IEC 29100, ISO/IEC 29101 and ISO/IEC 29115.

188See ISO, ISO/IEC JTC 1 Information technology, no date. http://www.iso.org/iso/iso_technical_committee?commid=45020

In addition, biometrics, covered by Sub Committee 37 Biometrics, have become an important feature of all kinds of security products, systems and services. Several standards have been developed, especially regarding the biometric application programming interface (API), which covers the basic functions of biometric applications such as identification and verification against a database.189 Other standards are concerned with biometric data interchange formats, creating a common data format for specific biometric records in order to guarantee interoperability. These cover finger minutiae,190 finger image,191 finger pattern spectral192 and finger pattern skeletal data,193 along with face,194 iris195 and vascular196 image data, signature/sign behavioural data,197 hand geometry silhouette data198 and DNA data.199 Another range of important standards, closely related to the data interchange formats, concerns the interoperability and data interchange of biometric profiles that are already in use, for example for access control at airports or for the biometric profiles used on the Seafarers’ Identity Document (SID).200

4.2.2. INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)

The IEC is “the world’s leading organization for the preparation and publication of International Standards for all electrical, electronic and related technologies”201. Similarly to CEN and CENELEC, IEC and ISO cooperate on several matters, as was already shown above with the JTCs. The management and working structure of the IEC is therefore also similar to that of the other standardisation bodies – although in this case somewhat slimmed down – with a management board supervising the technical committees, which can either themselves create working groups (WG), project teams (PT) and maintenance teams (MT), or create subcommittees that are responsible for the WGs, PTs and MTs.

189See ISO/IEC 19784-1:2006, Information technology -- Biometric application programming interface -- Part 1: BioAPI specification; ISO/IEC 19784-2:2007, Information technology -- Biometric application programming interface -- Part 2: Biometric archive function provider interface; ISO/IEC 19784-4:2011, Information technology -- Biometric application programming interface -- Part 4: Biometric sensor function provider interface.

190See ISO/IEC 19794-2:2011, Information technology -- Biometric data interchange formats -- Part 2: Finger minutiae data.

191See ISO/IEC 19794-4:2011, Information technology -- Biometric data interchange formats -- Part 4: Finger image data.

192See ISO/IEC 19794-3:2006, Information technology -- Biometric data interchange formats -- Part 3: Finger pattern spectral data.

193See ISO/IEC 19794-8:2011, Information technology -- Biometric data interchange formats -- Part 8: Finger pattern skeletal data.

194See ISO/IEC 19794-5:2011, Information technology -- Biometric data interchange formats -- Part 5: Face image data.

195See ISO/IEC 19794-6:2011, Information technology -- Biometric data interchange formats -- Part 6: Iris image data.

196See ISO/IEC 19794-9:2011, Information technology -- Biometric data interchange formats -- Part 9: Vascular image data.

197See ISO/IEC 19794-7:2014, Information technology -- Biometric data interchange formats -- Part 7: Signature/sign time series data; ISO/IEC 19794-11:2013, Information technology -- Biometric data interchange formats -- Part 11: Signature/sign processed dynamic data.

198See ISO/IEC 19794-10:2007, Information technology -- Biometric data interchange formats -- Part 10: Hand geometry silhouette data.

199See ISO/IEC 19794-14:2013, Information technology -- Biometric data interchange formats -- Part 14: DNA data.

200See ISO/IEC 24713-1:2008, Information technology -- Biometric profiles for interoperability and data interchange -- Part 1: Overview of biometric systems and biometric profiles; ISO/IEC 24713-2:2008, Information technology -- Biometric profiles for interoperability and data interchange -- Part 2: Physical access control for employees at airports; ISO/IEC 24713-3:2009, Information technology -- Biometric profiles for interoperability and data interchange -- Part 3: Biometrics-based verification and identification of seafarers.

201International Electrotechnical Commission, op. cit., 2014.

As emphasised earlier, CENELEC and IEC collaborate on the basis of the Dresden agreement. Specific results in the field of security were standards for alarm systems. Within the IEC, the responsible TC was TC 79 Alarm and Electronic Security Systems,202 which created several standards that have been adopted by CENELEC. These cover all kinds of requirements, such as the transmission of alarms,203 different alarm and electronic security systems (e.g. access control systems, intrusion and hold-up systems)204 and video surveillance systems.205 Recently, the IEC has also started to standardise social alarm systems, which are becoming more and more popular for elderly people living alone.

Besides ISO’s and IEC’s aforementioned JTC 1/SC 37 on biometrics, another SC of JTC 1 develops standards for cards and personal identification – an important tool for identification at borders and thus essential for border security. ISO/IEC JTC 1/SC 17 Cards and personal identification manages all kinds of identification cards – including ID cards for working/industrial purposes – and thus has to cover a broad field with its standards.

For border security, probably the most important standards here are

• ISO/IEC 7501-2:1997, Identification cards – Machine readable travel documents – Part 2: Machine readable visa; and

• ISO/IEC 7501-3:2005, Identification cards – Machine readable travel documents – Part 3: Machine readable official travel documents,

which simplify the correct identification of persons at border controls.

Finally, biometrics also play an important role within identification cards, covered by ISO/IEC 24787:2010, Information technology -- Identification cards -- On-card biometric comparison.

Thus, again similarly to CENELEC, the IEC is only partly relevant for standardisation in the security sector. As a standardisation body on its own it deals only – but exhaustively – with the different alarm systems, and as a standardisation body co-operating with ISO it also covers biometrics and identification card standards.

4.2.3. INTERNATIONAL TELECOMMUNICATION UNION (ITU)

The ITU206 has a slightly different organisational structure compared with the other standardisation bodies. The ITU in general is not only responsible for standardisation, but also has a radiocommunication sector (ITU-R) as well as a development sector (ITU-D) for the development and improvement of ICTs in developing countries. The sector responsible for standardisation in the ICT field is the ITU Telecommunication Standardisation Sector (ITU-T). On an organisational level, the general direction and structure of the ITU-T are set by the World Telecommunication Standardisation Assembly (WTSA). The priorities are divided amongst study groups (SG), of which ten exist in the current study period (2013 – 2016).207 The SGs are responsible for the development of normative recommendations – which are equivalent to the standards created by the other standardisation bodies – whose main concern is the interoperability of telecommunication networks. Beside the normative recommendations, ITU-T also develops ITU-T Handbooks, Implementer’s Guides and Supplements, comparable to the technical reports of the other bodies.

202See International Electrotechnical Commission, “TC 79 Alarm and electronic security systems”, 2014.

203See IEC 60839-5, Alarm systems - Part 5: Requirements for alarm transmission systems.

204See IEC 60839-10-1:1995, Alarm systems - Part 10: Alarm systems for road vehicles - Section 1: Passenger cars; IEC 60839-11-1:2013, Alarm and electronic security systems - Part 11-1: Electronic access control systems - System and components requirements; IEC 62642:2010-2011, Alarm systems - Intrusion and hold-up systems, Parts 1 to 8.

205See IEC 62676:2013, Video surveillance systems for use in security applications, Parts 1 to 4.

206See International Telecommunication Union, no date. http://www.itu.int.

Study Group (SG) 17 – Security is of the most relevance for CRISP. It aims at the development and maintenance of the security of information and communication technologies. The SG has developed a security standards roadmap which shows the security needs within the ICT sector, the currently available/approved security standards of different regional and international standardisation bodies208 and the security standards currently under development.209 In the next section, only security standards approved by the ITU-T will be analysed.

The ITU-T recommendations largely deal with providing a secure way of delivering data for a wide range of ICT and also with communication regarding security incidents or crises. SG 17 is structured into five WPs: Fundamental security (WP1); Network and information security (WP2); Identity management and cloud computing security (WP3); Application security (WP4) and Formal language (WP5).

Probably the most prominent ITU-T recommendation for security purposes is ITU-T X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks, a joint activity of the ITU with ISO and IEC (published by the latter as ISO/IEC 9594-8). It is the basis for the certificates used to secure web communication and is thus largely responsible for enabling secure e-commerce: the certificate format it defines is what protocols such as TLS rely on to authenticate servers, while the protection of the channel itself comes from those protocols rather than from X.509. The recommendation defines public-key and attribute certificates as well as authentication services, including simple authentication by password and strong authentication using cryptographic techniques.210

This broad scope of security questions has resulted in a large number of recommendations, mostly found in Series X on data networks, open systems communication and security. Series X covers a large number of topics. These include

• Access control and authentication mechanisms, more precisely telebiometrics related to human physiology,211 defining “quantities and units for physiological, biological or behavioural characteristics that might provide input or output to telebiometric identification or verification systems (recognition systems)”212; and

• Other biometric recommendations, providing a framework for different security issues related to biometrics, such as privacy and authentication.213

207See International Telecommunication Union, “ITU-T Study Groups (Study Period 2013 - 2016)”, 2014.

208See International Telecommunication Union, “Part 2: Approved ICT Security Standards”, 2014.

209See International Telecommunication Union, “Part 3: Security standards under development”, 2014.

210See International Telecommunication Union, “ICT Security Standard "ITU-T X.509 | ISO/IEC 9594-8" details”, 2010.

211See ITU, “ITU-T X.1082, Telebiometrics related to human physiology”, 11.2007; amended in 10.2009 and in 05.2010; ITU, “ITU-T X.1084, Telebiometrics system mechanism - General biometric authentication protocol and profile on telecommunication system”, 05.2010; ITU, “ITU-T X.1088, Telebiometrics system mechanism - General biometric authentication protocol and profile on telecommunication system”, 05.2008; ITU, “ITU-T X.1089, Telebiometrics authentication infrastructure”, 05.2008.

212See ITU, op. cit., 05.2010a, p. 1.

Other topics relate to cybersecurity in general, covering:

• Cybersecurity information exchange techniques;214

• Exchange of known vulnerabilities and exposures215 and special methods for exchanging incident information as a real-time inter-network defence (RID);216 and

• Methodologies for cybersecurity risk assessment in organisations.217

Furthermore, security recommendations relate to:

• Requirements for the protection of digital identity;218

• Common alerting protocols for emergency services;219

• Risks resulting from spam and spyware;220 and

• Security requirements for wireless networks.221

Thus, as already outlined, the large number of security standards produced by the ITU deal with security threats to different data networks and communication systems.