Bright Stove

Reflecting information risk journey

Return from the old Portuguese Town


Yet another week of SC 27 Working Group (WG) meeting has gone by. Melaka, or Malacca as I have known it since my childhood days, also well known as the old Portuguese Town, has not changed much since my previous visit a few years ago. What has changed is the addition of a number of shopping malls (more, perhaps) and a few more night markets. On one of the evenings, a friend drove a few of us to the Portuguese Settlement to get a feel of the history. Unfortunately, I can’t really tell what is past and what is present, as all the buildings are well painted, and the hawker stalls nearby that were supposed to be selling Portuguese food were just like any other seafood centre. Anyway, we enjoyed the sunset and a reasonable (but not superb, and seemingly over-priced) seafood dinner. My friends in China would probably say “你太客气啦!” :-)


This week was supposed to be the SC 27 Plenary meeting, but most European delegates, and delegates from other countries who happened to be in Europe the week before, could not make the trip, including the Chair, Vice-Chair, and Secretary, as a result of the flight cancellations and delays brought by the eruption of the volcano Eyjafjallajoekull in Iceland. The SC 27 Plenary was therefore postponed to October 2010, to be held after the WG meeting in Berlin.

An article, “Not up in the air”, from the Economist has a good analysis of the incident and the risk management lessons to be learnt. The article emphasizes the need for preparedness and responsiveness, highlighting that “the aim is less about trying to predict what unlikely events may come along, and more about creating mechanisms and relationships that would help the firm and its partners respond with agility if disaster did strike”. This statement aligns nicely with one of the projects that WG 4 has been working on since its inception in 2006, i.e., ISO/IEC 27031 – “Guidelines for ICT Readiness for Business Continuity”. In this meeting, it successfully progressed to Final Draft International Standard (FDIS) status for final balloting before it gets published as a full International Standard (IS). This was managed with one of the editors (UK) participating in the meeting remotely (through WebEx and Skype).

Another project, ISO/IEC 27033-3 – “Network Security – Part 3: Reference network scenarios – Threats, design techniques, and control issues”, also reached FDIS status at the close of the WG meeting. Together with Part 2 of ISO/IEC 27033, “Guidelines for the design and implementation of network security”, reaching Final Committee Draft (FCD) status, which is one stage before FDIS, the first three parts of this standard series are coming to completion quite soon. Part 1 – “Overview and Concepts” was published as an IS in December 2009.

While the project editor for Network Security – Part 4: “Securing Communications between networks using security gateways” could not make it in person, his remote collaboration (from the airport at Geneva) with the acting Editor worked well, and they managed to complete the disposition of comments to allow the project to move forward towards its second working draft. There was also commitment from the US and Singapore delegations, volunteering editorships to start working on Parts 5 (VPN) and 6 (Wireless), respectively, dropping the previous Part 6 (IP Convergence) and changing the previous Part 7 to Part 6 (Wireless).

Besides ISO/IEC 27033-2, two other projects, namely ISO/IEC 27035 – “Information Security Incident Management” and ISO/IEC 27034-1 – Application Security – Part 1: “Overview and Concepts”, also reached FCD status. These two projects were fortunate not to be too affected by the volcano circumstances, as their editors were all available on site throughout the meeting to work through the comments with the participating delegates.

Projects remaining at working draft status were ISO/IEC 27034 – Application Security – Part 2 – “Reference Normative Framework”; ISO/IEC 27036 – “Guidelines for security of outsourcing”, whose editor managed to arrive only on Thursday; and ISO/IEC 27037 – “Guidelines for the identification, collection, acquisition, and preservation of digital evidence”. Note that the title for 27037 has a minor change, if you can tell the difference, which I will leave you to find out as an exercise 🙂

The project ISO/IEC 29149, a technical report on the “Best Practices for Time Stamping Services”, received about 32 pages of comments from a number of national bodies, and while the editor (from Spain) was not able to make the trip, the acting editor (from the US) managed to work through the comments with the participating delegates to allow it to progress to 2nd PDTR status – quite near to publication status as well. Just one more stage and it will be done.

The two study periods, on Supply Chain Security and Storage Security respectively, were each extended by another six months, given that a number of interested national bodies’ delegates were not able to join the meeting. As for the new work item on Redaction (to be allocated ISO/IEC 27038), it could not start either, as its editor was also held back by the volcano incident until Thursday afternoon. These three work items therefore allow for more deliberation offline, and hopefully a successful start at the Berlin meeting in October 2010.

The list of projects in WG 4 has grown quite quickly in the past four years (eight meetings so far), and the block of standard numbers (27031-27039) has only one number left to be allocated (27039). I am not sure which of the two study periods will be the chosen one for this last number. Not to worry: with the help of the SC 27 Secretariat, WG 4 has managed to get another two blocks of standard numbers reserved, i.e., 27070-27079 and 27090-27099.

At the WG 4 Roadmap meeting, a number of potential future projects were also discussed. Ideas include guidance for vulnerability management, security event log management, and possibly security operations management. We look forward to more input for further discussion and deliberation as we progress to realize the WG 4 Roadmap Framework.

While some of the delegates proceeded from the close of the WG 4 meeting to their holiday destinations in Malaysia and around Asia, and others took their return trip home or to other business destinations, the rest of us, Conveners and Acting Conveners, stayed on for the Security Standards seminar organized by Standards Malaysia and CyberSecurity Malaysia on Saturday. The theme of the event was “The Importance of Security Standards in a Globalized Economy”. At the seminar, the keynote speaker from CyberSecurity Malaysia spoke about the evolving trends and challenges in the cyber world, and outlined Malaysia’s national cyber security strategy for addressing the key concerns. The central focus of the strategy was on protecting the national critical information infrastructure (CII). One of the measures was the formal adoption of the ISO/IEC 27001 standard by law for all CII providers, which means that all CII providers will need to be certified through this scheme within a specific period. Another measure is the adoption of Common Criteria and related schemes to promote the development and certification of locally developed security products to support the security needs of CII systems. All interesting stuff indeed. The rest of the seminar focused on discussing the scope and progress of the five WGs in SC 27, and the roles of their respective standards with regard to information security in the global economy.

That same afternoon, I got on the luxury coach and was back in Singapore by early evening, and returned to Beijing the next day. There was a little misadventure on a taxi ride in Singapore, but I will leave it for a future blog post if I can still remember it then. 🙂


Written by mengchow

April 29, 2010 at 2:57 pm

Posted in Security Standards
