Bright Stove

Reflecting information risk journey

Archive for October 2007

The Three Little Pigs numbered

I got some good news from the SC27 Secretariat yesterday morning. In the national bodies (NB) ballot process for the three new projects in WG4, the titles already included the newly allocated number for each project. With the formal approval by JTC1 NBs at the end of the ballot period last month, we now have the number allocation approved for the three projects as well. As such, we can now use these numbers to refer to the respective standards that are currently being developed. However, take note that they are all at the preliminary draft (towards first working draft) stage. So there are no such ISO/IEC standards published at the moment; they are still projects in development:

  • ISO/IEC 27031 – "ICT Readiness for Business Continuity" (Preliminary Draft)
  • ISO/IEC 27032 – "Guidelines for Cybersecurity" (Preliminary Draft)
  • ISO/IEC 27034 – "Guidelines for Application Security" (Preliminary Draft)

Note also that although the number 27033 has been allocated for the revision of ISO/IEC 18028 ("Network Security"), it has not yet been formally approved at JTC1 level. References to the network security standard by this number therefore still need to be quoted with an asterisk.

Written by mengchow

October 3, 2007 at 7:06 am

Posted in Security Standards

X.1207 Determined

X.1207 "Guidelines for Telecommunication Service Providers and End-users for Addressing the Risk of Spyware and Potentially Unwanted Software" – This ITU-T Recommendation (which is ITU’s term for "standard") has finally reached the "determined" stage at the Study Group 17 Plenary on Sep 28, 2007, at the Geneva meeting. This Recommendation was first proposed in early 2005 and has gone through more than two years of review and updating. The gist of this Recommendation is to encourage a set of security and privacy best practices for web hosting service providers, which are normally TSPs (or Internet Service Providers). The Recommendation promotes best practices around the principles of clear notices, user consent, and user controls for web hosting services. It also promotes security best practices (via TSPs) to home users on the safe and secure use of personal computers and the Internet, including the use of anti-virus, anti-spyware, personal firewalls, and automated security updates. In addition, the Recommendation provides working definitions for the terms "spyware" and "deceptive software".

  • Deceptive Software — Software which performs activities on a user’s computer without: 1) first notifying the user as to exactly what the software will do on the user’s computer, or 2) asking the user whether they consent to the software doing these things. (Examples of deceptive software include programs which hijack user configurations, or programs which cause endless pop-up advertisements that cannot be easily clicked out of by the user.)
  • Spyware is defined in this Recommendation as a particular type of deceptive software that collects personal information from a computer user. The personal information may include matters such as web sites most frequently visited or more sensitive information such as passwords.

As the ITU-T Recommendation development process is open to ITU-T members only, the draft Recommendation cannot be shared here. However, upon publication it should be freely and publicly available from the ITU-T web site, since ITU recently passed a resolution to publish all ITU-T Recommendations freely on the web. Till then, we can only wait for this Recommendation to be fully approved and published.

Written by mengchow

October 2, 2007 at 8:46 am

Posted in Security Standards