2002 Features [Archive]

Information Security Techniques

2002-07-08

Information Security Techniques - An Introduction to the Canadian Advisory Committee on Information Technology Security (CAC-ITS) ISO/IEC JTC1 SC 27

by Alice Sturgeon
Chair, CAC-ITS

There is an increasing demand for security in IT systems, for universal interoperability, for electronic commerce, trade, and transactions in all fields. Standardization is the foundation for international and regional trade, for enhanced competitive positioning in specific trade areas, for coalescing differing national regulatory and legal regimes, and for promoting innovative solutions to barriers to trade and commerce. Specific economic sectors, amongst them, finance, health care, law enforcement, energy and resources, and, of course, government, are all looking for optimal methods of enhancing trade while ensuring security and privacy. The best way to achieve global electronic security is through international standardization.

The Standards Council of Canada facilitates this through the Canadian Advisory Committee on Information Technology Security (CAC-ITS). As partners in Canada's National Standards System, CAC-ITS is Canada's official standards group working towards these ends. The CAC-ITS consists of approximately 30 professionals in the field of Information Technology Security (ITS), who volunteer their time and expertise for the purpose of national and international standardization. The mandate of CAC-ITS is two-fold. First, it advises the Canadian Standards Association (the Standards Developing Organization specializing in IT standards in Canada) on national standards concerning IT security. Second, it participates in the development of international standards on ITS, as the group of Canadian experts participating in ISO/IEC JTC1 SC 27.

International organizations such as the World Trade Organization (WTO), the Organization for Economic Cooperation and Development (OECD), and the UN frequently refer to standards work in general and to ISO in particular. Regional groupings such as the European Union sometimes mandate international standards to enforce consistency amongst their members. A common message from these various organizations is that more standardization effort is required, more speed is required in standards production, and more topics need to be addressed. Security and privacy take a high priority because of their importance to furthering electronic communications.

When other industry-based standards development forums, such as the Internet Engineering Task Force (IETF), reach consensus, the standards they develop are turned over to ISO/IEC for completion and communication. The success of ISO/IEC and international standardization in general is completely dependent on the active and ongoing participation of the National Bodies that comprise the Sub-Committees, and, within the SCs, the individuals who commit their time, energy, and expertise. These volunteers rely on the support of their own organizations and other sponsors in order to pursue this important work.

There is a clearly identified need for internationally harmonized standards and for Canada to participate actively to ensure national needs are met. Lack of harmonized standards will not only impede electronic commerce, but will also inhibit the international use of Canadian technology and services. Many developing third world nations, with few standards of their own, look to international standards for their entry to global trade. CAC-ITS has garnered considerable respect and credibility in the international community for the dedication, integrity, and expertise of its members. The CAC-ITS believes strongly in the importance of its work, and vigorously pursues continuing financial support from the beneficiaries - essentially, all private and public sector organizations in Canada that wish to conduct business within a secure and consistent environment, both national and international.

As an example of its role in national standards, the CAC-ITS is an active participant in the federal government's initiative, led by Industry Canada, to establish an authentication framework for Canada for secure e-business. As another example, representatives also participate in the Cyber Security Forum of the Information Technology Association of Canada (ITAC). The CAC-ITS has developed and initiated the publication of a Canadian National Standard on management guidelines for IT security. The CAC-ITS is also responsive to the needs and interests of its Canadian constituent community. Many Canadian organizations use ISO standards. As an example of Canadian organizations using ISO SC 27 standards, Bell Canada has aligned its own corporate security policy on IS 17799:2000 - Code of practice for information security management. Another Canadian company, EWA-Canada Ltd., offers an independent IT security product evaluation service, and has invested considerable resources in establishing an evaluation lab with several certified experts in IT security evaluation. This work is carried out in accordance with SC 27's standard, ISO/IEC IS 15408 - Common Criteria for IT security evaluation. This company routinely uses other SC 27 and ISO standards in other areas as well.

In its international standards capacity, the CAC-ITS contributes to the development of international standards and technical reports on various aspects of IT security. The CAC-ITS has been active in the three specific areas of ISO/IEC Joint Technical Committee 1 (JTC1), Sub-Committee 27 (SC27) - Information security techniques. These three areas, and Canada's unique contributions, are:

General ITS management guidelines

The CAC-ITS has assumed a leadership role in the two seminal works in this area, Working Group 1 of SC27. The first is Technical Report 13335, Guidelines for the management of IT security, with five parts. TR 13335 was introduced over ten years ago, and its five parts have been published and revised in a dynamic update of its guidelines for public and private sector organizations. Much more recent is the second major work, International Standard (IS) 17799: Code of practice for information security management. This IS was first published in December 2000, and Canada led the way for bringing it back to committee for revision, in the effort to ensure its ongoing usefulness and relevance to the user community.

Cryptography

The CAC-ITS has, over the years, led the development of these highly technical specifications, which work to ensure global consistency in the use and development of cryptographic algorithms and mechanisms. One recent example is the CAC-ITS' primary editor role for draft standard 18031: Random number generation, which specifies random number generation as a security mechanism for controlling electronic access to data that must be kept secure.

Security assurance

Confidence in electronic transactions depends on the user's trust in the underlying IT systems. SC27 Working Group 3 develops and assesses methodologies and mechanisms for providing assurance in IT security. Commonly accepted schemes for assurance, such as draft standard 15408 - Common criteria for IT security evaluation, promote the use of IT systems for all kinds of business and communication. Canada is recognized as a leader in assurance methodologies, and the CAC-ITS currently provides the editor for the draft Technical Report 15443, Parts 1 and 3: A framework for IT security assurance.

As well as these areas within SC 27, the CAC-ITS works with other SCs that deal with subject areas closely related to security. For example, ISO/IEC JTC 1 recently approved the formation of a new SC, SC 37, to address biometrics. Security aspects of biometrics are of interest to SC 27 and in particular to CAC-ITS, in view of the dynamic and growing biometrics industry in Canada. Biometrics is, to a large extent, designed to address issues of identity authentication as well as privacy; SC 27 also addresses these areas. The CAC-ITS will therefore participate in the new SC and its Canadian mirror committee. Similarly, CAC-ITS is interested in the work of SC 17, and the CAC-SC17, on smart cards, and maintains liaison with this group. Also, CAC-ITS provides ongoing input to SC 25 on the security of home electronics systems.

The foregoing should serve to illustrate the time and effort that the volunteer members of the CAC-ITS devote to this worthwhile endeavour. In addition to the substantive work of standardization, membership in CAC-ITS involves a limited amount of administrative work to manage the committee. The Standards Council of Canada provides a significant portion of this work, through administering the national votes and circulation of draft standards and technical reports, and managing the CAC-ITS interactive web site.

Further, international SC27 meetings are held semi-annually; the participating National Bodies host these meetings on a rotating basis. Canada hosted a meeting of SC27 in October 1994. To fulfill its international obligation, the CAC-ITS, supported by the SCC, plans to host the international meeting scheduled for April 2003. CAC-ITS members are currently soliciting sponsorships and funding for this important undertaking from the various community stakeholders who benefit from the work of international standardization.
