Bright Stove

Reflecting information risk journey


Return from the old Portuguese Town


Yet another week of SC 27 Working Group (WG) meetings has gone by. Melaka, or Malacca as I have known it since my childhood days, also well known as the old Portuguese Town, has not changed much since my previous visit a few years ago. What has changed is the addition of a number of shopping malls (or more, perhaps) and a few more night markets. On one of the evenings, a friend drove a few of us to the Portuguese Settlement to get a feel of the history. Unfortunately, I can’t really tell what is past and what is present, as all the buildings are well painted, and the nearby hawker stalls that were supposed to be selling Portuguese food were just like another seafood centre. Anyway, we enjoyed the sunset and a slightly reasonable (but not superb, and seemingly over-priced) seafood dinner. My friends in China would probably say “你太客气啦!” (“You’re being too polite!”) :-)


This week was supposed to be the SC 27 Plenary meeting, but most European delegates, and delegates from other countries who happened to be in Europe the week before, could not make the trip, including the Chair, Vice-Chair, and Secretary, as a result of the flight cancellations and delays brought about by the eruption of the volcano Eyjafjallajoekull in Iceland. The SC 27 Plenary was therefore postponed to October 2010, to be held after the WG meeting in Berlin.

An article, “Not up in the air”, from the Economist has a good analysis of the incident and the risk management lessons to be learnt. The article emphasizes the need for preparedness and responsiveness, highlighting that “the aim is less about trying to predict what unlikely events may come along, and more about creating mechanisms and relationships that would help the firm and its partners respond with agility if disaster did strike”. This statement aligns nicely with one of the projects that WG 4 has been working on since its inception in 2006, i.e., ISO/IEC 27031 – “Guidelines for ICT Readiness for Business Continuity”. In this meeting, it successfully progressed to Final Draft International Standard (FDIS) status for final balloting before it gets published as a full International Standard (IS). This was managed with one of the editors (UK) participating in the meeting remotely (through WebEx and Skype).

Another project, ISO/IEC 27033-3 – “Network Security – Part 3: Reference network scenarios – Threats, design techniques, and control issues”, also reached FDIS status at the close of the WG meeting. Together with Part 2 of ISO/IEC 27033, “Guidelines for the design and implementation of network security”, reaching Final Committee Draft (FCD) status, which is one stage before FDIS, the first three parts of this standard series are coming to completion quite soon. Part 1 – “Overview and Concepts” was published as an IS in December 2009.

While the project editor for Network Security – Part 4: “Securing Communications between networks using security gateways” could not make it in person, his remote collaboration (from the airport at Geneva) with the acting editor worked well, and they managed to complete the disposition of comments to allow the project to move forward towards its second working draft. There was also commitment from the US and Singapore delegations, which volunteered editorships to start working on Parts 5 (VPN) and 6 (Wireless), respectively, dropping the previous Part 6 (IP Convergence) and renumbering the previous Part 7 as Part 6 (Wireless).

Besides ISO/IEC 27033-2, two other projects, namely ISO/IEC 27035 – “Information Security Incident Management” and ISO/IEC 27034-1 – Application Security – Part 1: “Overview and Concepts”, also reached FCD status. These two projects were fortunate in not being too affected by the volcano circumstances, as their editors were all available on site throughout the meeting to work through the comments with the participating delegates.

Projects remaining at working draft status were ISO/IEC 27034 – Application Security – Part 2 – “Reference Normative Framework”; ISO/IEC 27036 – “Guidelines for security of outsourcing”, whose editor managed to arrive only on Thursday; and ISO/IEC 27037 – “Guidelines for the identification, collection, acquisition, and preservation of digital evidence”. Note that the title of 27037 has a minor change, if you can tell the difference—which I will leave you to find out as an exercise 🙂

The project ISO/IEC 29149, a technical report on “Best Practices for Time Stamping Services”, received about 32 pages of comments from a number of national bodies, and while the editor (from Spain) was not able to make the trip, the acting editor (from the US) managed to work through the comments with the participating delegates to allow it to progress to 2nd PDTR status – quite near to publication as well. Just one more stage and it will be done.

The two study periods, on Supply Chain Security and Storage Security respectively, were each extended by another six months, given that a number of interested national bodies’ delegates were not able to join the meeting. As for the new work item on Redaction (to be allocated ISO/IEC 27038), it could not start either, as its editor was also held back by the volcano incident until Thursday afternoon. These three work items therefore allow for more deliberation offline, and hopefully a successful start at the Berlin meeting in October 2010.

The list of projects in WG 4 has grown quite quickly in the past four years (eight meetings so far), and the block of standard numbers (27031-27039) has only one number left to be allocated (27039). I am not sure which of the two study periods will be the chosen one for this last number. Not to worry: with the help of the SC 27 Secretariat, WG 4 has managed to get another two blocks of standard numbers reserved, i.e., 27070-27079 and 27090-27099.

At the WG 4 Roadmap meeting, a number of potential future projects were also discussed. Ideas include guidance for vulnerability management, security event log management, and possibly security operations management. We look forward to more input for further discussion and deliberation as we progress to realize the WG 4 Roadmap Framework.

While some of the delegates proceeded from the close of the WG 4 meeting to their holiday destinations in Malaysia and around Asia, and others took their return trip home or to other business destinations, the rest of us, Conveners and Acting Conveners, stayed on for the Security Standards seminar organized by Standards Malaysia and CyberSecurity Malaysia on Saturday. The theme of the event was “The Importance of Security Standards in a Globalized Economy”. At the seminar, the keynote speaker from CyberSecurity Malaysia spoke about the evolving trends and challenges in the cyber world, and outlined Malaysia’s national cyber security strategy for addressing the key concerns. The central focus of the strategy was on protecting the national critical information infrastructure (CII). One of the measures was the formal adoption of the ISO/IEC 27001 standard by law for all CII providers, which means that all CII providers will need to be certified under this scheme within a specific period. Another measure is the adoption of Common Criteria and schemes to promote the development and certification of locally developed security products to support the security needs of CII systems. All interesting stuff indeed. The rest of the seminar focused on discussing the scope and progress of the five WGs in SC 27, and the roles of their respective standards with regard to information security in the global economy.

That same afternoon, I got onto the luxury coach and was back in Singapore by early evening, and returned to Beijing the next day. There was a little misadventure on a taxi ride in Singapore, but I will leave it for a future blog if I can still remember it then. 🙂

Written by mengchow

April 29, 2010 at 2:57 pm

Posted in Security Standards

Arriving at Malacca


It is that time of the year for yet another ISO/IEC JTC 1/SC 27 Working Group and Plenary meeting. The host for the next nine days is the Malaysian national body (NB), represented by Standards Malaysia. As in many previous meetings, the venue is a place that has more holiday-goers than IT folks. Here we come, Malacca (or Melaka in the local language).


As we embarked on our journey, looking forward to catching up with the familiar faces and getting ready for a week of intensive discussion on the various projects, news emerged of the volcano eruption in Iceland causing massive disruption and cancellation of flights in a number of European countries. Unlike previous meetings, this looks like it is not going to be just yet another SC 27 and WG meeting as we had planned.

At 5pm this afternoon, the delegates who had already checked into the hotel at Malacca gathered and held a VoIP conference with two conveners (WG 1 and WG 3) who are still held up in Europe, and deliberated on the contingency plan for the meetings starting on Monday. At the end of an hour of discussion, all agreed to push forward as planned, but with additional provision to enable remote participation by delegates who are still held up at the various airports, hotels, or at home (if they are slightly luckier). The responsiveness of the group as a whole to such an event was admirable, as this is something we did not have a plan for, and there was no precedent to fall back on either.

As of this evening, about one-third of the delegates who have registered for the meeting have had their flights either delayed or cancelled. In WG 4, six co-editors and two editors have declared themselves unable to make it, or to make it on time, for the 8th WG 4 meeting. A number of them are still trying to get on a later flight out, even though we cannot really predict how the weather conditions will change along with the volcano in Iceland. The fortunate thing is that these six co-editors all have counterparts who are able to make it to Malacca, except for one project (27036). Nevertheless, that project (27036) was able to find an acting editor to support its proceedings this week.

For this meeting, WG 4 has eleven projects in progress, including a new project on Redaction (to be numbered 27038). Two study periods, i.e., Supply Chain Security Controls and Storage Security, have been scheduled for discussion to determine if they should be put up as new work items before the end of the week. As of December 2009, the new Part 1 for Network Security: Overview and Concepts (ISO/IEC 27033-1) has been published as an International Standard (IS). Thanks to Robin Moses and Laura Kuiper for their efforts towards the completion of this new standard. At this point, I’m still optimistic that at least two-thirds of the projects can still progress as planned, while the rest may need some adjustments to bring at least some progress by the end of this coming week. The former list should include 27031, 27032 (Cybersecurity), 27033-2/3 (Network Security), 27034-1/2 (Application Security), 27035 (Incident Management), and 27037 (Digital Evidence), and the Study Periods. We shall see by then.

Written by mengchow

April 18, 2010 at 3:09 pm

Posted in Security Standards
