Bright Stove

Reflecting information risk journey

Leaving Limassol


Another week has gone by, closing off the 5th ISO/IEC JTC 1/SC 27/WG 4 meeting at Limassol, Cyprus. There was some fun during the week, but more importantly, work-wise, significant progress has been accomplished for a number of projects, thanks to the project editors, rapporteurs, and experts.

One of the projects is the ISO/IEC 27032 on "Guidelines for Cybersecurity". The members have agreed upon a working definition and the scope of the document has also been refined. By the next working draft (WD), we should see more and more focus on the contents, i.e., the guidance that is required to improve the security and safety of the Cyberspace environment. Yes, the term Cyberspace has been agreed upon, and is the focused and targeted environment where the guidelines should apply. It is now agreed that Cyberspace is the complex environment that has no physical form but results from the interaction of software and people connected through a variety of technology devices/systems. Cybersecurity is about the security of this complex environment, which needs organizations, including service providers, to play a role to ensure the security and safety of the environment. This definition matches the scope that I helped draft earlier, along the lines of thought that were previously discussed.

Of the three Study Periods that progressed from the previous meeting (in April 2008), two have resulted in new work item proposals (NP), for the development of a "Guidelines on Security of Outsourcing" and a "Guidelines on Identification, Collection and/or Acquisition, and Preservation of Digital Evidence", respectively. The former should help organizations in the implementation of security controls required for ICT and other outsourcing activities, and I envisage this to be important not simply for the outsourcing work that has been ongoing in the industry, but also for the move towards Cloud Computing, in which the use of external services is likely to proliferate in the near term. The latter NP was motivated firstly by the need to implement controls to support relevant sections in ISO/IEC 27002 on digital evidence collection and preservation, and, more importantly, by the need to establish a baseline of controls that could potentially be relied upon to support cross-border investigation needs. The Study Period that did not emerge as a new project was the work on the "Categorization and Classification of Information Security Incidents" study. This work item was recognized to be relevant and important to help organizations prepare for incident handling and management. However, a number of experts felt that it should be developed as an integral part of the ISO/IEC 27035 standard on "Information Security Incident Management", a revision of the previous ISO/IEC TR 18044:2002 of the same title. Through a voting process, the decision was taken to have the work integrated as such.

The other three projects, ISO/IEC 27031 on "ICT Readiness for Business Continuity", ISO/IEC 27033 on "Network Security", and ISO/IEC 27034 on "Application Security", focused their efforts mainly on refining the various drafts, editing, and making the contents more readable and usable by the respective intended audiences. While the actual completion of these standards is not in the very near term, I can certainly say that they are making positive progress, and if things continue at the current pace of development, in about a 12-18 month period we should start to see new publications coming out from these projects, probably one after another, with the Network Security Part 1 document getting to its finish line first.

On the fun side, I was invited during the gala dinner on Wednesday to participate in an acrobatic dance in which the dancers placed drinks on my head. The dancer himself did the stunt with 10 glasses of drinks on his head. I was made to believe that they were adding to the number of glasses each round, but in reality, there were only two glasses. While I felt that the weight on my head had not changed, which was strange, I didn't protest but danced on. This made everybody happy. Anyway, it was all for the fun of it, and everyone had a great evening. Perception always prevails, and makes one gain confidence in the process. This time, it was for fun. In real life, it could be something else.


During the week, I was introduced to a well-paved jogging path that runs from the Grand Resort along the edge of the beach all the way westward for more than 5km. I had a few satisfying runs in the week along that path, clocking another 30+km for the week.


Saturday morning, with four hours before my flight out from Larnaca (Cyprus International airport), I joined two colleagues for a short tour of Limassol, visiting the archeological site, medieval museum and ancient stadium nearby. It is indeed a beautiful island.


Written by mengchow

October 12, 2008 at 6:56 am

Posted in Security Standards
