Bright Stove

Reflecting information risk journey

12th RAISE Forum Meeting at Jinan, Shandong


Having talked about Shandong in yesterday's post (“Before the ashes turn cold”), I should add that I have in fact just come back from our 12th RAISE Forum meeting, held at Jinan, the capital of Shandong province, China, on March 27 and 28, 2013. The meeting was jointly organized and sponsored by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.


Unlike previous gatherings, the 12th meeting started with a half-day public seminar attended by about 150 professionals, mainly from Shandong and a number of other cities in China. The keynotes of the seminar were given by Mr Wu Yafei, Chair of the ACISI (who is also Executive Director of the Information Security department of the State Information Center, SIC), and Professor Lv Shuwang (the inventor of the SMS4 block cipher).


Prof Lv spoke about the nature of the Internet as opposed to an internet (a network of mutually connected networks), and about the importance of knowledge security. According to Prof Lv, knowledge security is a natural progression from information security as we evolve from an information-based economy to a knowledge-based economy. Knowledge security is critical not just to organizations or individuals, but also to the preservation of the massive body of knowledge that makes up a nation's civilization and cultural heritage. Knowledge security requires a secure Cyberspace, one that operates on networks whose growth, reliability, maintenance, and security are accorded national-level coordination and protection, because preserving the knowledge of a nation's culture and civilization is a national issue.

Today's Internet, however, is rooted in the US; it is not a true internet in which a nation's public (or citizen) network is mutually connected with the public networks of the US and other nations. To have a true internet, China would need to have its own public network to begin with. Currently, China's public Internet (like that of many other countries) shares a portion of the global Internet, “like a tenant on a rental property”, as Prof Lv put it. As a result, security problems on the Internet continue to proliferate and cannot be resolved effectively, which is not an ideal condition for China's knowledge security. Prof Lv therefore asserts that “China doesn't have Internet”. Nevertheless, expecting the global Internet to have its root removed and be made completely open is also impractical, Prof Lv concluded.

At the public seminar, Mr Ning Jiajun, retired Chief Engineer of SIC, also shared his thoughts on the information security issues and challenges in China, and discussed the need for a basic Information Security Law, or Ordinance. Such a law is necessary to establish the fundamental legal principles and basic system requirements on which more comprehensive, specialized information security laws for the security governance of each industry sector can be built.

In the professional certification arena, Mr Wang Xinjie of Beijing Powertime shared the status of the new work item on Information Security (IS) Professional Certification in ISO, which is still in an extended Study Period (now totaling 12 months); the status of CISSP adoption in China (more than 600 certified professionals as of March 2013); and the development of a new Certified Information Security Auditor (CISP-Auditor) certification in China. The Information Security Auditor idea is focused on developing a community of professionals skilled at auditing (or validating) the information security practice of organizations. That practice may be based on the ISO/IEC 27001 ISMS standard, on other approaches adopted by the organization, or on what is mandated by specific industry regulations.

In addition to the presentations by the Chinese experts, representatives of RAISE Forum members also spoke at the public seminar. Mr Koji Nakao presented the status of security standardization at ISO/IEC JTC 1/SC 27 and ITU-T SG 17, including the current work plan and the areas of focus in the near term. Prof Heung Youl Youm of Soonchunhyang University, South Korea, presented the status of Personal Information Management Systems (PIMS) standardization in ISO/IEC JTC 1/SC 27 and within Korea itself. I shared my thoughts on the Responsive Security approach to information security risk management (which I shall perhaps discuss in future blogs).


The closed-door meeting of the RAISE Forum continued in the afternoon and for the whole of the next day at the Institute of Information and Communications Research (CIIIC). Present in person were members from Japan, Singapore, South Korea, P.R. China, and Thailand, and a representative of (ISC)2, while the representatives from Malaysia and Chinese Taipei joined the discussions and presentations online via WebEx teleconference.

Besides the usual updates on ISO/IEC JTC 1/SC 27 and ITU-T SG 17 standards development activities, the meeting also discussed some recent cybersecurity developments, such as the Obama Executive Order on cybersecurity, Japan's cybersecurity strategy development, the very recent cyber attack incident in South Korea, and Thailand's cyber fraud incidents involving the security of smartphone applications. The international standardization activities of interest include the revision of the ISO/IEC 27001 and 27002 standards (both currently at DIS stage and likely to be published before the end of this year), cloud security standards (ISO/IEC 27017, ISO/IEC 27036, and the new work item in WG 4 on the technology aspects), and PIMS-related standards efforts. There was also much deliberation on the scope of a RAISE Forum project on an “Information Security Audit Framework”, which is currently under development. The results of the (ISC)2 2013 Workforce Study report and of the recently RAISE Forum-initiated Information Security Management Practice survey were also discussed; the latter will be shared in a separate update in a few weeks.

The meeting closed with thanks to the organizers and sponsors, and a short discussion of the 13th RAISE Forum meeting. This year is in fact the 10th anniversary of the RAISE Forum, since its inauguration in Nov 2004. The 13th meeting is planned to be held before year-end, at a venue to be confirmed, as a 10th anniversary celebration event.
