SCRM Standards
ACSAC Conference
December, 2010
Agenda
Cyber Security Standards and ICT SCRM Standards Landscape
The Landscape
ISO/IEC Joint Technical Committee 1 (Information Technology)
  Subcommittee 27 (SC27), IT Security Techniques
    Working Group 1: Information Security Management Systems
    Working Group 2: Cryptography and Security Mechanisms
    Working Group 3: Security Evaluation Criteria
    Working Group 4: Security Controls and Services
    Working Group 5: Identity Management and Privacy Technologies
Governance (WG1): terminology, guidelines, and requirements
  ISO/IEC 27001, ISMS Requirements
  ISO/IEC 27002, Code of Practice
  ISO/IEC 27003, ISMS Implementation Guidelines
  ISO/IEC 27004, Measurement
  ISO/IEC 27005, Risk Management
  ISO/IEC 27006, Audit and Certification Requirements
  ISO/IEC 27007, Audit Guidelines
  ISO/IEC 27008, Guidance for Auditors on ISMS Controls
Related SC27 work items
  Tamper Protection Study Period
  ISO/IEC 15408, Common Criteria
  ISO/IEC 27036, Supplier Relationships
  ISO/IEC 27034, Application Security
  ISO/IEC 27033, Network Security
Systems and software life cycle standards
  Revised ISO/IEC 15288: Life cycle processes for systems
  Revised ISO/IEC 12207: Life cycle processes for software
  Interoperation among the life cycle process standards
  Revised ISO/IEC 15289: Documentation
  Revised ISO/IEC 16326: Project management
  Revised ISO/IEC 15939: Measurement
  Revised ISO/IEC 16085: Risk management
  ISO/IEC 15026: Additional practices for higher assurance systems (assurance case)
  Other standards providing details of selected system processes
  Foundation: common vocabulary, process architecture, and process description conventions
Over the past two years, ICT SCRM standards have been one of the focus areas for the US.
An ICT SCRM Ad Hoc Group was established in February 2009.
It developed a consensus-based US National Body (USNB) proposal for an ICT Supply Chain Assurance Standard and presented it at the SC27 meeting in November 2009.
Based on the US proposal, SC27 established a Study Period to explore the need for an ICT Supply Chain Security Standard.
The Study Period was active for a year; its report was briefed out at the SC27 meeting in Berlin in October 2010.
The following slides tell the story of what happened at the conclusion of the Study Period.
Inputs
When we arrived, four sets of meetings were scheduled to discuss:
  ISF proposal
  ICT Supply Chain Security Study Period results
  ISO/IEC 27036, Guidelines for Security of Outsourcing, 3rd Working Draft (WD) review
  Cloud Computing Security proposal
We worked with SC27 leadership and delegates to sequence these meetings to ensure a logical flow and to allow attendance by all interested parties.
Resulting meeting sequence
  Tuesday afternoon: ICT SCRM Study Period
  Wednesday: ICT SCRM Study Period
  Thursday: ISO/IEC 27036; ICT SCRM Study Period
Participants
  Liaison Officers: ISF, ISACA
  Countries represented: France, Japan, Korea, Luxembourg, Malaysia, Russia, Singapore, South Africa, Sweden, Switzerland, United Kingdom, United States of America
Related standards and work items
  Management Systems: ISO/IEC 27000 family; ISO 28000, Supply Chain Security Management; ISO/IEC 20000, IT Service Management
  Risk Management: ISO 31000, ISO/IEC 27005, and ISO/IEC 16085
  Life cycle processes and practices, software acquisition, and software assurance: ISO/IEC/IEEE 15288 (systems), ISO/IEC/IEEE 12207 (software), IEEE 1062 (software acquisition), ISO/IEC 15026 (software assurance)
  ISO TMB New Work Item Proposal (NWIP) on Outsourcing
  Proposed liaisons with other standards bodies
What's next?
Preliminary drafts of ISO/IEC 27036 Parts 1, 2, and 3 are due to the SC27 Secretariat no later than December 18.
The ISO/IEC 27036 editors will restructure the existing text into new Parts 1 and 2.
The ISO/IEC 27036 Part 3 editor will create an outline and a preliminary draft based on the ICT SCRM Study Period outputs.
Preliminary drafts will be distributed to the National Bodies for comment, then reviewed and revised at the Spring 2011 SC27 meeting.
CS1 (the US Technical Advisory Group to SC27) will review all drafts and comment back to SC27.
Then we go to the next meeting, review, revise, and repeat until the work is done within the required timeframe of 3 to 5 years.
Nadya Bartol
Senior Associate