Last week, I shared a conversation I had with Miguel Bañón, Convenor of ISO/IEC JTC 1/SC 27’s WG 3 (work group 3), that offered an overview of the current work of the WG 3, as well as some great insight into planned changes in the areas of evaluation, testing and specification for the IT security industry. Today, we’ll wrap up our two-part post with a look at the hot topics within the industry and how WG 3 might consider them.
Q: You said the 19790 ISO version of FIPS is a hot topic, why? What do you think is driving that interest?
A: There is a growing need to have international agreements and standards in the area of cryptography, not just on the algorithm side, but in our case, with regard to the security and quality of the products that implement the calculations and keep the keys secret, i.e., the cryptographic modules.
Q: What is the group’s role for the development of FIPS 140-3?
A: The NIST is one of the national bodies that is a participating member of SC 27, so the collaboration is very fluent, and in the WG 3 we have the luxury of having project editors from the NIST. The initial version of our ISO/IEC 19790 standard was heavily based on FIPS 140-2, and later we received further draft documents as input for our revised 19790, which was updated in 2012.
Q: When you’re talking about testing and conformance testing, does your group develop the test or the criteria?
A: Both, depending on the specific standard. We can cover an abstract framework with high-level evaluation criteria, or very specific test descriptions, according to the concrete need.
Q: What is the privacy seal program?
A: We have different regulations addressing personal data protection issues. These privacy seal programs try to provide a certification process to distinguish technology or services that comply with those legal and technical requirements. It is a field that we are now studying.
Q: How is cloud computing being addressed? Can you offer any specifics or projects?
A: SC 27 is divided into five working groups, addressing different aspects of IT security. For example, WG 1 is about information security management systems, WG 2 about cryptography and security mechanisms, WG 4 is concerned about security controls and services, and WG 5 deals with identity management and privacy technologies.
Cloud computing needs to be addressed from different perspectives, and the full catalog of SC 27 standards might provide a good response to these perspectives. With regard to WG 3, our proposals (ISO/IEC 19790) would allow us to measure the real assurance level of the cloud computing architecture and service, a concept that we are now revising.
Q: What is the future of WG 3? Are there any plans for expanding the group’s role or scope?
A: One aspect that is continuously expanding is the number of attendees to the SC 27, lately ranking very high as one of the most popular SCs in ISO/IEC JTC 1, and I guess this is an indicator of the growing importance of IT security. The SC 27 is always looking for ways to improve its efficiency, and nothing is taken for granted in terms of internal or working group organization. We always try to provide the best response, so the future of WG 3 will also be a part of that response.
Q: Are any of the countries that are currently observing planning on joining the group soon?
A: Countries join our parent SC 27, and then appoint experts to our WG 3. The latest five countries to join SC 27 as participating members are Macedonia, Jamaica, Perú, Israel and Mexico. The deadline for expert registration for our next meeting is about to close; at that point I’ll be able to tell you if we have piqued their attention to the point that we will be adding new experts to our WG 3.
Q: What would you like the industry to know when it comes to the work WG 3 is doing?
A: Not only is our work influencing your business, but the importance of ISO/IEC standards is growing, and it will shape more of your future business. The rules and conditions that are part of the shaping and definition of the future standards are open to all, so come and join us to draw that future.
About Miguel Bañón
Miguel Bañón has a Master’s Degree in computer science and began working in the aerospace sector (sitdev.inta.es), as researcher in the area of safety and airworthiness certification. From safety he began to cover security, and moved into the security evaluation and certification field in the mid-1990s, originally as the technical manager of the first security evaluation facility in Spain. After 13 years, he moved to consulting for both private sector and governmental organizations. In 2007, he formed Epoche & Espri (sitdev.epoche.es), the only company in Spain whose sole business is security evaluation and testing. Mr. Bañón was a member of Spain’s national standards committee in the late 1990s, and started his participation in the international WG 3 group in 1999, which he has convened since May 2009.
Corsec has completed hundreds of IT security validations for customers. For additional information about how we can help you or how hot topics of the WG 3 might affect your upcoming security validation, contact us.