SUMMARY REPORT
ON
ISO/IEC JTC 1/SC 27 IT SECURITY TECHNIQUES
WORKING GROUP
MEETINGS
04 - 08 May 2015
BCCK Kuching/MALAYSIA
Prepared by:
Dr. Suresh Ramasamy
Azleyna Ariffin
Nur Shahidah Senin
On Behalf of
MALAYSIAN TECHNICAL STANDARDS
FORUM BHD
TABLE OF CONTENTS
1. Abstract
2. List of Participants
3. Introduction/Background
4. Agendas/Topics
5. Findings
6. Conclusion
7. Acknowledgement
Annex A
1. Abstract
ISO/IEC JTC 1/SC 27 IT Security techniques is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates International Standards, Technical Reports and Technical Specifications within the field of IT security techniques.
Standardization activity by this subcommittee includes general methods, techniques and guidelines to address both security and privacy aspects. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions, the meeting of ISO/IEC JTC 1/SC 27
This report outlines the attendance of selected participants from MTSFB and the Information/Network Security Working Group.
2. List of Participants
With assistance from MTSFB and SKMM, the following participants attended this event.
i. Nur Shahidah Senin (MTSFB staff, INS Secretariat)
ii. Dr. Suresh Ramasamy (INS Chairman)
iii. Azleyna Ariffin (INS Secretary)
3. Introduction/Background
The SC 27 meeting held in Kuching, Sarawak hosted the ISO/IEC JTC 1/SC 27 Working Group, Study Group and Plenary Meetings. SC 27 is responsible for managing and maintaining the standards for Information Security Management Systems.
The Information/Network Security Working Group is a working group under the Malaysian Technical Standards Forum which is tasked to produce technical papers on Information/Network Security, using the ISO/IEC 27000 series of standards.
4. Agendas/Topics
i. WG participation
Participation in the WGs gives a clear understanding of the documents currently under discussion. The documents discussed include the change proposal for ISO 27011 – guidelines for the telecommunications industry – and ISO 27021 – a new ISO standard for competence. Discussion also covered the emergence of ISO 31000, which standardizes the risk management approach, and the request to align the existing 27000 series with that document. Participation in WG2 revealed the details of the changes to ISO 29192 for the addition of new ciphers, as well as the submission of new hash algorithms for ISO 14888 and ISO 10118.
As part of the participation, the standards production process became clear. Dr. Toshito from IISEC, JP was kind enough to explain the whole process, which is documented in Annexes 1 and 2 of the publicly available ISO standards.
ii. National Seminar on “Information Security and Economic Growth”
The seminar was held over one day and was conducted by SIRIM BERHAD. It provided an overview of ISO standards and the benefits that organizations can derive from implementing them.
iii. ISO 27001 Implementation Training
The implementation training was held over two days and was conducted by CyberSecurity Malaysia. It covered the outline of the ISO document and the steps organizations are required to perform. The following is an excerpt of the training content:
Introduction to Information Security
Introduction to Information Security Management Systems (ISMS): objectives of an ISMS, scope and roles of management
ISO/IEC 27001:2013 ISMS - Requirements
ISO/IEC 27002:2013 - Code of Practice for Information Security Controls
The ISO 27000 Series of Standards
The following modules were covered and completed:
Module 1 - Introduction to ISMS
Module 2 - Establishing ISMS
Module 3 - ISMS Risk Assessment
Module 4 - Measurement of Controls
Module 5 - Internal ISMS Audits
Module 6 - Training, Awareness and Competency
Module 7 - Management Responsibility
Module 8 - ISMS Improvement
The agenda is in Annex A.
5. Findings
WG1 Meeting Defect Report - Concerning ISO/IEC 27001:2013
Participation in the WG1 Meeting, especially in the Defect Report session, exposed the participant to the overall process of handling defects in existing published standards, including the processes between the WG Convenor and the Submitter.
Even though the defect only affected the grammar of the Clauses, it took quite an effort by the Editor to ensure that consensus was obtained from all parties prior to registering the defect report.
Summary of voting on ISO/IEC DIS 27006:2015-01-20(E) (3rd edition) (SC27 N14936) -- Information technology -- Security techniques – Requirements for bodies providing audit and certification of information security management systems
The participant attended this session at the request of the WG 1 Chairman – YM Raja Azrina Raja Othman – as a representative for MALAYSIA. This document is being circulated for consideration at the Ballot Consultation Meeting for ISO/IEC DIS 27006. Findings:
Most of the comments made on this Standard came from JAPAN. Their comments mainly sought to ensure consistency of the terms used in this Standard with the recently published and enforced ISO/IEC 27001:2013.
Nevertheless, the Editor's advice was required as some of the sentences had become either ‘too long’ or ‘too ambiguous’.
ISACA suggested quite a number of comments and amendments; however, these were REJECTED by the Secretariat, as no JUSTIFICATION was given for the proposed changes.
MY and GB share the view that Members who suggest a change must provide examples for discussion prior to the meeting, to give members ample time to digest them and make a decision, rather than having to discuss the matter on the spot and prolong the session.
The members reviewing this Standard agreed to convert the document status from Working Group (‘WG’) to Committee Draft (‘CD’) at the next SC27 Meeting, scheduled in Jaipur, India.
Disposition of Comments on Summary of National Body comments (SC 27 N14374) on SC 27 N13914 -- ISO/IEC CD 27011 - Information technology - Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
The participant attended this session. This document was approved at the Ballot Consultation Meeting for ITU-T X.1051 | ISO/IEC 1st CD 27011 in Mexico City, Mexico, during the SC 27/WG week, 20th - 24th October 2014. Findings:
The main issues in completing the draft were due to the non-attendance of those who had submitted comments.
The aggressive attitude of some members also contributed to the not-so-harmonious way in which the draft was accepted by the Working Group (‘WG’).
National Seminar on “Information Security and Economic Growth”
The seminar discussed the various issues relating to "information security and economic growth" for organizations. Four major topics were discussed, each presented by a representative of a WG of ISO/IEC JTC 1/SC 27. The topics discussed by the panelists were very interesting and allowed participants to understand the importance of ISO standards. This enables the players to play a role in every organization.
Several sub-topics were discussed under the major topics:
Discussion 1: The Importance of Information Security Standards for Economic Growth
This topic discussed in detail the importance of SC27 standards, a case study, and the need for security and privacy technology. Participants learned the benefits and challenges of implementing information security standards.
Discussion 2: Information Security Best Practices for Economic Growth
These Best Practices assist organisations significantly in delivering their services, processes and products. Security and privacy are essential for the digital economy to continue to serve as a platform. Professor Dr. Kai Rannenberg explained to the audience the Frameworks & Architectures in identity management and privacy technologies, with project overviews. It was also discussed that security controls and services are part of the Best Practices.
Discussion 3: Malaysian Private Sector Participation in Information Security and Economic Growth
This topic discussed Malaysian Private Sector participation in the formation of internet security and economic growth. Among the topics discussed were the driving factors, turn-offs and key success factors in pursuing ISMS certification. Creating trust in business is one benefit of practising an ISMS. Lack of support from top management is a challenge in maintaining the ISMS.
Discussion 4: The Role of Government in Ensuring Information Security for Economic Growth
The government and statutory agencies involved in this topic were Sabah SCSD, MCMC, MAMPU and Sarawak ICTU. They shared the government's role in ensuring information security for economic growth. MAMPU was given the role of maintaining information security in peninsular Malaysia, and MCMC likewise in the communications industry, while Sabah and Sarawak run their own agencies, Sabah SCSD and Sarawak ICTU. Sabah SCSD is a state government department responsible for rendering ICT services to other state agencies. Sabahnet is the main gateway for Sabah SCSD. Sarawak ICTU is responsible for coordinating and providing the lead in the application of ICT, including formulating ICT policies and Information Security in Sarawak. They explained that security is not a product, it is a process.
ISO/IEC 27001 Information Security Management System (ISMS)
Implementation
The training materials and the ways of presenting them can be further improved by CyberSecurity Malaysia. Training should emphasise HOW an organization can align its processes with ISO 27001, in a practical way. This can be achieved through more workgroups and exercises.
6. Conclusion
The ISO/IEC JTC 1/SC 27 meeting that was held in Kuching was a testament to Malaysia’s commitment to global standards. SKMM’s role was pivotal and, together with Standards Malaysia and SIRIM, helped to create a conducive environment for the development and propagation of standards. Participation of the INS Working Group and the MTSFB representative not only shows Malaysia’s alignment with and commitment to global standards, but also presents an avenue for learning, understanding and peer networking which gives long-term benefits for the drafting of industry technical codes under MTSFB. It is highly recommended that the INS Working Group continues to be part of SC27 to keep abreast of developments in the standards, as well as to supplement the WG’s ability to contribute locally and globally and place Malaysia at the forefront of nations.
7. Acknowledgement
The participants would like to thank MCMC and MTSFB for organising and funding the participants’ attendance, so that they can carry forward the knowledge gained.
Annex A
THE MALAYSIAN TECHNICAL STANDARDS FORUM BHD
4805-2-2, Block 4805,
Persiaran Flora, CBD Perdana 2,
Cyber 12,
63000 Cyberjaya
Selangor Darul Ehsan
Malaysia
Tel: (+603) 8322 1441
Fax: (+603) 8322 0115
Website: www.mtsfb.org.my