国际信息安全标准化点滴-贾颖禾 全国信息安全标准化技术委员会秘书

1、国际信息平安规范化点滴贾 颖 禾2006年7月18日.ISO对“平安了解“the safety of a state, organization or individual and protection against threats such as criminal activity, terrorism, attack, or natural disaster.security standards in this broad context.ISO的“平安定义The provision of protection against threats to people, physical as

2、sets, infrastructure, information and information technology assets including electronic networks and facilities, and to the movement of people and goods and related facilities.ISO曾经关注的九个平安领域o Training programmes and equipment for responders.(培训方案与器材)o Private sector emergency preparedness and busin

3、ess continuity.私营部门的应急预备与业务延续性o Identification techniques, including biometrics.标识技术，含生物识别技术o Emergency communications.应急通讯o Inter-modal supply chain security.结合运输供应链平安o Risk assessment.风险评价o Biological and chemical threat agents.生化要挟o Cyber security.信息网络平安o Civil defence.民防.ISO的评价Standards play a n

4、umber of important roles in supporting efforts to achieve security. For example, standards can be used to promulgate best practices and methodologies for security management. Standards can be used to specify test methods and parameters to aid in detection of threats. Standards can specify performanc

5、e requirements to ensure equipment and systems provide the necessary performance and protection in extreme conditions.ISO的评价-1Out of ISOs 205 Technical Committees (including JTC1 subcommittees), 35 have deliverables related to security. Some of these are critical and fundamental to current global ef

6、forts to provide security and combat terrorism recently-developed standards for biometrics, detection of the illicit movement of nuclear material, maritime port security, and security of IT systems are noteworthy examples.ISO的评价-2三个方面确实失：没有适时将技术委员会的任务向平安领域延伸共同运营者们需求“共同言语和框架，以便对他们各不一样的系统实施平安管理“自下而上的相

7、互隔离的视角，难以顺应全球化、系统化的平安要挟，需求“TOPDOWN的、更战略的思索。.ISO/JTC1-SC27的新构造Working Group 1: Information security management systems Working Group 2: Cryptography and security mechanisms Working Group 3: Security evaluation criteria Working Group 4: Security controls and services Working Group 5: Identity manageme

8、nt and privacy technologies.SC27第一任务组的部分新工程ISO/IEC 27000信息平安管理体系原那么与术语ISO/IEC 27001信息平安管理体系要求ISO/IEC 17799 信息平安管理适用准那么ISO/IEC27003 信息平安管理体系实施指南ISO/IEC 27004 信息平安管理丈量ISO/IEC27005信息平安风险管理ISO/IEC27006信息平安管理体系认证机构的认可要求 ISO/IEC13335信息与通讯技术平安管理.SC27第二任务组的部分新工程性18033 Encryption algorithms18033-1 General pu

9、blished in 200518033-2 Asymmetric ciphers FDIS18033-3 Block ciphers published in 200518033-4 Stream ciphers published in 200510116 Modes of operation for an n-bit block cipher algorithm brevision: FDIS19772 Authenticated encryption CD18031 Random bit generation published in 200518032 Prime number ge

10、neration published in 200515946 Cryptographic techniques based on elliptic curves15946-1 General revision: WD15946-2 Digital signatures to be merged into 14888-315946-3 Key establishment to be merged into 1177015946-4 Digital signatures with message recovery to be merged into 9796-3.SC27第二任务组的部分新工程抗

11、抵赖88 Non-repudiation88-1 General88-2 Mechanisms using symmetric techniques88-3 Mechanisms using asymmetric techniques18014 Time stamping services and protocols18014-1 Framework revision: WD18014-2 Mechanisms producing independent tokes revision: WD18014-3 Mechanisms producing linked tokens.SC27第二任务组

12、的部分新工程密钥管理11770-1 Framework11770-2 Mechanisms using symmetric techniques revision: WD11770-3 Mechanisms using asymmetric techniques revision: WD11770-4 Key establishment mechanisms based on weak secrets FDIS.SC27第三任务组的部分新工程24759 密码模块测试要求 15408-1 IT平安评价准那么 第一部分: 根本模型引见15408-2 IT平安评价准那么 第二部分: 平安功能要求 1

13、5408-3 IT平安评价准那么 第三部分: 平安保证要求 18045 IT 平安评价方法 19792 生物特征识别的平安评价 21827 系统平安工程 才干成熟度模型 (SSE-CMM) .美国NIST的特点规范化活动面大把政府运用的技术也纳入规范化轨道规范与产业结合的严密在制定规范的同时支持研发、政府机构的平安认识培育和教育根据FISMA法，投入的力度加大非常注重对国际规范化进程的影响.SHA-1的运用问题 SC27承诺将根据SHA-1及其相关攻击实例的开展，及时发布相关的SHA-1运用阐明，以指点该规范的选用。本次会议上，SHA1继续成为讨论的一项内容。从本次会议提供的文本SC27 N5

14、147以及会议讨论的情况来看，尽量防止运用SHA-1曾经成为共识，虽然没有明确提出将SHA-1从规范中删除，但从SHA-1提出者美国国家规范研讨所NIST的态度曾经可以看出SHA-1的运用将会逐渐减少。.ISO/IEC 9979的前景 2004年SC27巴西会议提出了废除ISO/IEC 9979-1999提案。本次WG2会议再次对此提案进展了讨论。从几个国家的反映和会议讨论情况来看，赞同废除该规范的声音占到了多数。.ISMS规范族的进一步完善和推进，以及ISMS认证国际互认的规范化 为了进一步完善和推进ISMS规范族的构成，SC27将新的WG1任务组的主要任务范围划定在对ISMS的研讨制定和维护管理上，同时为促进ISMS认证的国际互认，对也进展了重点研讨和讨论。基于ISO 17021和ETSI相关规范构成未来的27006的制定速度明显加快。. 信息平安产品测评认证的国际互认的规范化问题 CC依然是国际上产品测试与认证的主要根据，这次会议的重点还是在努力于CC的推行、进一步扩展国际互认。假设经过修正的CC、CEM、PP/ST的产生指南等规范在ISO/IEC得到经过，还需求与CCDB进展协调和会