Bright Stove

Reflecting information risk journey

Berlin Walls – Reflecting on the 9th WG 4 meeting


It has been six months since the Berlin meeting in October 2010. It was my first trip to Berlin, brought about by the SC 27/WG 4 convenorship. The trip was a memorable one, not just because of the rich historical and scenic settings of the city and nearby towns, the beautiful autumn atmosphere with colourful leaves along the city streets, or the juicy pork knuckles (a German speciality), but also because of the events that took place over the nine days of meetings.

Progress on a number of projects was not smooth this round. One of the projects held back was ISO/IEC 27034 Part 1 – Application Security: Overview and Concepts. At the second Final Committee Draft (FCD) stage, which is very near completion, some National Bodies (NBs) and the SC 7 liaison officer raised concerns over its relationship with the related life-cycle standards published by SC 7, and over language-related (syntax) issues. So it remained at second FCD for another round of NB review. One may think that "final" means done, but in our case we often have a second, and sometimes a third and fourth, "final". Another was ISO/IEC 27033 Network Security Part 2 – Guidelines for the design and implementation of network security, which should also have progressed to FDIS but did not make it. Instead, the project editor proposed that it revert to the Working Draft (WD) stage, which was supported by a majority of NBs at the WG plenary. The decision was subsequently overturned at the SC 27 plenary, which kept the project at FCD status for another six months of review. While the SC 27 directives do provide for "backward progress", the WG plenary decision to do this seemed to be the first time in the history of SC 27, and that first time was erased from history at the SC 27 plenary. Slow progress was also experienced in ISO/IEC 27032 – Guidelines for Cybersecurity, in which a new member of an NB, who had just started participating in the project, wanted its scope revised to align with her government's cybersecurity policy, instead of accepting that the document had been developed with a scope already agreed and supported by the project members early in the process. When nationalism or personal desire kicks in, it is always painful to make progress in multi-national projects that need collaboration and cooperation to succeed.

The Berlin Wall, famous for separating East and West Germany, came down in 1989. With its destruction, Germany has since become a unified whole for the people of both sides. Ironically, the meeting held in Berlin that autumn was challenged by various virtual walls erected between the project editors and between some NBs' experts. They went beyond just the WG meeting and extended into the plenary. The outcomes were simply less than satisfactory. According to Taoist principles, this may not necessarily be a bad thing, as it provides new learning, experience and understanding.

On another note, progress and changes were made on a number of other WG 4 projects at the same time. ISO/IEC 27036 was restructured into a four-part standard following the recommendation of the Study Period on ICT Supply Chain Security, combining the scope of ICT supply chain security, managed services and outsourcing (and potentially cloud-sourcing in the near future) into a single four-part project. The Study Period on Storage Security was successfully completed with a new work item proposal of the same title, and ISO/IEC 18043 (Selection and Deployment of Intrusion Detection Systems) was approved for revision, to be renumbered as ISO/IEC 27039. ISO/IEC 27037 – Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence attained consensus to advance to first Committee Draft (CD) status, and ISO/IEC 27035 – Information Security Incident Management attained consensus to advance to Final Draft International Standard (FDIS) status, which means it is ready for publication soon.

A number of new Study Periods (SPs) were also initiated during the meeting: two SPs relating to digital evidence, one joint SP with WGs 1, 3 and 5 on cloud security and privacy, one SP on terminology and vocabulary, and one SP on incident response operations and management. These SPs line up a whole new set of projects over the next six months to three or four years, depending on their viability.

That week in Berlin, SC 27 also celebrated its 20th anniversary, along with the publication of the Platinum Book, and each participant was given a T-shirt with the list of SC 27 meeting locations printed on the back. The German standards body, DIN, hosted a reception for the participants on one of the evenings as well.

Next week, the group shall reconvene in Singapore. Its multi-racial, multi-religious and multi-cultural environment, a vibrant city in the centre of Asia, very much mirrors the make-up and complexity of the SC 27 social grouping. Looking forward, as always.


Written by mengchow

April 7, 2011 at 8:16 pm
