Sub Group 2: October 26, 2006 Guide Draft Security Aspects in Standards SG2 v4doc

Document: ISO/IEC/TMB SAG-S N65 Rev.2
Date: 2006-10-27
TITLE: 4th Draft of ISO/IEC Guide XXXX, Security Aspects - Guidelines for their inclusion in standards
SOURCE: SAG-S Sub Group 2
REQUESTED ACTION: For comment by 3 November 2006 to Herman Schipper, convenor, with copy to Norma McCormick, Kathleen Higgins, Krister Kumlin, Mark Bezzina, Marc Siegel, Takahiro Ono, Dick Hortensius and Annemarie de Jong
DISTRIBUTION: ISO/IEC/TMB SAG-S members

Introduction

This document is the latest version of the draft that was discussed at the 3rd meeting of SAG-S, 25-26 October 2006 in Geneva, and bears the designation "Sub Group 2: October 26, 2006 Guide Draft Security Aspects in Standards SG2 v4doc".

The SAG-S considered at its 3rd meeting that the best way forward would be a stand-alone guide on security aspects in standards, rather than a combination of similar guides into a new document; such a combination may, however, be a preferred option for future development. Since the SAG-S is now a tripartite ISO/IEC/ITU-T group, all three organizations must have a say in the development of guides emanating from SAG-S.

At the 3rd SAG-S meeting it was therefore decided that the procedure for the further development of the document would be as follows:

  1. SAG-S members may submit any further comments on this draft until 3 November 2006 to the convenor of SAG-S Sub Group 2, Mr H.W. Schipper, with a copy to the members of SG 2. Attention is drawn to section 3 on terminology and section 5 on the concepts of safety and security.
  2. A modified version will then be finalized by Sub Group 2 and sent to the SAG-S secretariat before 24 November 2006 for distribution to IEC and ITU-T for their consideration in December 2006. This consideration specifically relates to the publication of the document as a joint guide, as well as further comments of principle.
  3. Comments from ITU-T and IEC will have to be received by the SAG-S secretariat before the end of January 2007 so that the document can be reported on to the next meeting of the ISO/TMB on 7-8 February 2007.

Members of SAG-S Sub Group 2:

Norma McCormick
Kathleen Higgins
Krister Kumlin
Mark Bezzina
Marc Siegel
Takahiro Ono
Herman Schipper, convenor

Supported by:

Dick Hortensius
Annemarie de Jong

N65 Rev.2: 4th Draft of ISO/IEC Guide XXXX, Security Aspects - Guidelines for their inclusion in standards


GUIDE XX

Security Aspects- Guidelines for their inclusion in standards

Contents

Foreword ........ 1
1 Scope ........ 2
2 Normative references ........ 3
3 Terms and definitions ........ 3
4 Inclusion of security aspects in standards ........ 6
4.1 General ........ 6
4.2 Use of the words “security” and “secure” ........ 6
5 The concepts of safety and security ........ 6
5.1 Establishing security requirements ........ 7
5.2 Assessing security risks ........ 7
5.3 Tolerable risk and risk reduction ........ 8
6 Achieving tolerable risk ........ 9
7 Security aspects in standards ........ 10
7.1 Coordination ........ 10
7.2 Analysis of standards ........ 10
7.3 Preparatory work ........ 11
7.4 Drafting ........ 12
7.4.1 General ........ 12
7.4.2 Information on security aspects ........ 12
7.4.2.1 Type of information ........ 12
7.4.2.2 Instructions ........ 13
7.4.2.3 Warning notices ........ 13
7.4.3 Security aspects with respect to packaging ........ 13
7.4.4 Security aspects to be considered during testing ........ 13
Bibliography ........ 14

Foreword

Guide XX was prepared by Sub Group 2 of the Strategic Advisory Group on Security (SAG-S). The recommendations it contains apply to the drafting or revision of standards.

This Guide may be revised in due course on the basis of practical experience. Committees writing standards are invited to inform the ISO Central Secretariat or the IEC Central Office of any difficulties encountered with the implementation of its provisions.

As the consideration of security aspects in standards will pose different problems in different fields, it is impossible to provide a set of precise provisions that will apply in every case. Consequently, this Guide may need to be supplemented by other publications for particular fields of interest.

Security aspects — Guidelines for their inclusion in standards

1 Scope

This Guide provides standards writers with guidelines for the inclusion of security aspects in standards. It is applicable to any standard related to the security of people, property or the environment, or a combination of one or more of these (e.g. people only; people and property; people, property and the environment).

This Guide adopts a preventive approach aimed at reducing the risk arising from the use of products, processes or services. When security aspects are adequately considered in the development of standards, this furthers the objectives of promoting personal, public and environmental security, providing for protection, and reducing the risk of damage or injury.

This Guide covers the consideration of security aspects in standards. It is intended for standards writers; however, this Guide also provides guidance of value to those involved in design work and other activities where security aspects are being considered. It is intended to promote the use of techniques for identifying and assessing the security aspects of technical provisions in standards, and for minimizing security risks and threats. Its purpose is

a) to raise awareness that provisions in product standards can affect product security and integrity in both negative and positive ways;

b) to raise awareness that provisions in product standards should consider dual-use applications of products for conventional and security applications;

c) to raise awareness that provisions in product standards should consider operations in crisis and disaster situations;

d) to raise awareness that provisions in product standards should consider deliberate misuse of products, throughout their life cycle, to create a security risk;

e) to outline the relationship between product standards and security;

f) to help avoid provisions in standards that may lead to increased security risks;

g) to emphasize the balanced approach in standard development that is required to deal with competing priorities and issues such as security, product function and performance, health and safety, and other regulatory requirements;

h) to promote the regular review and revision of existing standards in the light of technical innovations, permitting improvement in the security aspects of products, processes, and services.

NOTE 1 Safety is not a synonym of security and consequently the roles of safety and security should not be confused.

NOTE 2 The term “standard” used throughout this Guide includes International Standards, Technical Specifications, Publicly Available Specifications and Guides.

NOTE 3 Although this Guide is intended primarily for use by standards writers, its underlying principles may be used wherever security aspects of standards are being considered.

NOTE 4 Standards may deal exclusively with security aspects or may include clauses specific to security.

NOTE 5 Unless otherwise stated, the term “committee(s)”, when used in this Guide, is meant to cover both ISO and IEC technical committees, subcommittees or working groups.

NOTE 6 Terms defined in clause 3 are printed in bold type throughout this Guide.

2 Normative references

The following normative documents contain provisions which, through reference in this text, constitute provisions of this International Standard. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this International Standard are encouraged to investigate the possibility of applying the most recent editions of the normative documents, indicated below. For updated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers of currently valid International Standards.

ISO Guide 64:1997, Guide for the inclusion of environmental aspects in product standards

ISO/IEC Guide 51:1999, Safety aspects – Guidelines for their inclusion in standards

ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards

ISO/IEC 17799:2005, Information technology – Code of practice for information security management

3 Terms and definitions

For the purposes of this Guide, the following terms and definitions apply.

NOTE In other publications slightly different definitions may apply for the same terms, but the concepts are broadly the same.

3.1

Standard writer – any person taking part in the preparation of standards.

3.2

Safety - freedom from unacceptable risk. Note: Adapted from ISO/IEC Guide 2:1996, definition 2.5.

3.3

Risk - combination of the probability of an event and its consequences

NOTE 1: The term “risk” is generally used only when there is at least the possibility of negative consequences.

NOTE 2: In some situations, risk arises from the possibility of deviation from the expected outcome or event.

3.4

Harm – physical injury or damage to the health of people, or damage to property, the community, or the environment.

3.5

Hazard – potential source of harm.

NOTE: The term hazard can be qualified in order to define its origin or the nature of the expected harm (e.g. physical hazard, operational hazard).

3.6

Hazardous situation - circumstance in which people, property or the environment are exposed to one or more hazards, risks, or threats.

3.7

Crisis – unstable condition involving an impending abrupt or decisive change.

NOTE: A crisis can be any global, regional, or local natural or human-caused event or business interruption that runs the risk of (1) escalating in intensity, (2) adversely impacting shareholder value or the organization’s financial position, (3) causing injury, illness or death to people or damage to property or the environment, (4) falling under close media or government scrutiny, (5) interfering with normal operations and consuming significant management time and/or financial resources, (6) adversely affecting employee morale, or (7) jeopardizing the organization’s reputation, products, processes or workforce and therefore negatively impacting its future.

3.8

Disaster - An unanticipated incident or event, including natural catastrophes, technological accidents, or human-caused events, causing widespread destruction, loss, or distress to an organization that may result in significant property damage, multiple injuries, or deaths.

3.9

Tolerable risk - risk which is accepted in a given context based on the current values of society and economic considerations.

3.10

Probability - extent to which an event is likely to occur

NOTE 1: ISO 3534-1:1993, definition 1.1 gives the mathematical definition of probability as “a real number in the scale of 0 to 1 attached to a random event. It can be related to a long-run relative frequency of occurrence or to a degree of belief that an event will occur. For a high degree of belief, the probability is near 1.”

NOTE 2: Frequency rather than probability may be used to describe risk.

NOTE 3: Degrees of belief about probability can be chosen as classes or ranks, such as

- rare/unlikely/moderate/likely/almost certain, or

- incredible/improbable/remote/occasional/probable/frequent.

3.11

Event - occurrence of a particular set of circumstances

NOTE 1: The event can be certain or uncertain

NOTE 2: The event can be a single occurrence or a series of occurrences.

NOTE 3: The probability associated with the event can be estimated for a given period of time.

3.12

Consequence - outcome of an event

NOTE 1: There can be more than one consequence from one event

NOTE 2: Consequences can range from positive to negative.

NOTE 3: Consequences can be expressed qualitatively or quantitatively

3.13

Protective measure - means used to reduce risk.

NOTE Protective measures include risk reduction by inherently safe design, protective devices, personal protective equipment, information for use and installation, and training.

3.14

Residual risk - risk remaining after protective measures have been taken.

3.15

Risk analysis - systematic process to identify hazards, risks, and threats and to quantify the probabilities and expected consequences for identified risks.

3.16

Risk evaluation – process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

3.17

Risk criteria - terms of reference by which the significance of risk is assessed

NOTE: Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

3.18

Risk assessment - overall process of risk identification, analysis and evaluation.

NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the likelihood of an event arising from such threats or vulnerabilities, defining critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls

3.19

Intended use - use of a product, process or service in accordance with information provided by the supplier.

3.20

Reasonably foreseeable misuse - use of a product (throughout its life cycle), a process or service in a way not intended by the supplier, but which may result from readily predictable human behaviour.

3.21

Security – protection from risks of unintentionally, intentionally, and naturally caused crises and disasters that disrupt and have consequences on the operation, critical assets, and continuity of the organization and its stakeholders.

3.22

Security aspects – those characteristics, elements or properties which reduce the risk of unintentionally, intentionally, and naturally caused crises and disasters that disrupt and have consequences on the products and services, operation, critical assets, and continuity of the organization and its stakeholders.

3.23

Threats - a potential cause of an unwanted incident, which may result in harm to individuals, a system or organization, the environment or the community

NOTE: a threat can be any possible natural event or intentional action, or series of actions, with a damaging potential to any of the stakeholders, a facility, operations, the supply chain, society, economy, or operational continuity and integrity.

3.24

Impacts - consequences on the supply chain, human health, safety and the environment and includes economic and societal assets and continuity.

3.25

Supply chain - the linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers and other entities that lead to the end user.

3.26

Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats

NOTE: Vulnerability includes the susceptibility to physical, operational, economic, business, legal, litigious or other damage.

3.27

Precautionary principle - a response to uncertainty, in the face of risks to critical assets, health, property or the environment by acting to avoid serious or irreversible potential harm, despite lack of scientific certainty as to the likelihood, magnitude, or causation of that harm.

3.28

Stakeholder (interested party) - person or entity having a vested interest in the organization’s performance, success or the impact of its activities.

NOTE: Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, facility neighbours, first responders, or society.

3.29

Dual-use - products, processes, services and technology developed for conventional uses, but which can be used for security or military applications or to produce weapons of mass destruction.

4 Inclusion of security aspects in standards

4.1 General

In the design specification of each standard, consideration should be given to the conventional applications of the products, processes or services the standard addresses, as well as to their dual use as security applications. Hazards, risks or threats specific to an incident, crisis or disaster situation should be considered for different products, processes or services. Products should be considered throughout their life cycle using an analysis similar to that presented in Guide 64, including the consideration of potential misuse throughout the life cycle.

Standards should be drafted with a view to providing provisions which eliminate or reduce any identified hazards, risks or threats. Where possible, these provisions should be expressed in terms of verifiable preventive measures. Requirements for preventive measures should be expressed precisely, clearly and with technical accuracy, and the requirements for verification should be clearly stated. Where appropriate, the standard should state what security-related information has to be provided to persons involved with the product, process, or service.

4.2 Use of the words “secure” and “security”

The use of the words secure and security as descriptive adjectives should be avoided because the terms are not subject to a universally agreed upon or understood definition. As well, the term secure may be interpreted as an assurance of guaranteed freedom from risk. The approach in this Guide is to use the term security aspects to identify those characteristics, elements or properties which may be related to hazards, threats, vulnerabilities and impacts. The Guide also encourages a commitment to prevention and mitigation of incidents (wherever practical) and to continuous improvement in the consideration of the security aspects in standards.

5 The concepts of safety and security

Consideration of security aspects in new and existing standards can contribute to increased safety, security and protection. A distinction is made between safety and security. Safety is dealt with in standards work in many different forms across a wide range of technologies and for most products, processes and services (see ISO/IEC Guide 51:1999, Safety aspects – Guidelines for their inclusion in standards). When including security aspects in standards writing, the concepts and considerations are similar to those presented in Guide 51, as the risks and threats introduced to products, processes and services may result in similar consequences; however, the source of the risks and threats may be different and may be the result of intentional actions rather than an unintended event.

The increasing complexity of products, processes and services entering the market also requires that the consideration of security aspects be given a high priority. As is true with safety, security is not absolute. Some risk will remain, defined in this Guide as residual risk. Therefore a product, process or service can only be relatively secure.

Security is achieved by reducing risk to a tolerable level, defined in this Guide as tolerable risk. Tolerable risk is determined by the search for an optimal balance between the ideal of absolute security and the demands to be met by a product, process or service, and factors such as benefit to the user, suitability for purpose, cost effectiveness, and conventions of the society concerned.

It follows that there is a need to review continually the tolerable level, in particular when developments, both in technology and in knowledge, can lead to economically feasible improvements to attain the minimum risk compatible with the use of a product, process or service.
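The chain of concepts defined in clause 3 (risk as a combination of probability and consequence, 3.3; the probability classes of NOTE 3 to 3.10; protective measures, 3.13; residual risk, 3.14; risk evaluation against risk criteria, 3.16 and 3.17; tolerable risk, 3.9) and the reasoning of this clause can be made concrete as a small qualitative risk evaluation. The following Python is an added example and not part of the Guide: the probability classes are the Guide's own, while the consequence classes, the rule that combines the two ranks into a risk level, the risk-level bands and the hazard, measures and threshold used as input are assumptions constructed for illustration.

```python
"""Qualitative risk evaluation using the concepts of clauses 3 and 5 of the Guide.

Added example, not part of the Guide. The probability classes come from
NOTE 3 to 3.10; the consequence classes, the class-to-level rule, the risk
level bands and the sample input are assumptions made here for illustration.
"""
from dataclasses import dataclass

# Probability classes as listed in NOTE 3 to 3.10 (ordered from least to most likely).
PROBABILITY_CLASSES = ["rare", "unlikely", "moderate", "likely", "almost certain"]
# Consequence classes: an assumption for this example (ordered from least to most severe).
CONSEQUENCE_CLASSES = ["negligible", "minor", "moderate", "major", "catastrophic"]
# Risk levels used as risk criteria (3.17): an assumption for this example.
RISK_LEVELS = ["low", "medium", "high", "extreme"]


def _rank(value: str, classes: list) -> int:
    """Position of a class name in its ordered list (0 = lowest); rejects unknown names."""
    if value not in classes:
        raise ValueError(f"unknown class {value!r}; expected one of {classes}")
    return classes.index(value)


def risk_level(probability: str, consequence: str) -> str:
    """Combine probability and consequence (3.3) into a qualitative risk level.

    The combination rule (product of the two 1-based ranks, mapped onto four
    bands) is an assumption of this example, not a rule stated by the Guide.
    """
    score = (_rank(probability, PROBABILITY_CLASSES) + 1) * \
            (_rank(consequence, CONSEQUENCE_CLASSES) + 1)
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "extreme"


@dataclass(frozen=True)
class Hazard:
    """A hazard (3.5) with its estimated probability (3.10) and consequence (3.12)."""
    name: str
    probability: str
    consequence: str


@dataclass(frozen=True)
class ProtectiveMeasure:
    """A protective measure (3.13), modelled as lowering the probability and/or the
    consequence by a number of classes. The reduction amounts are illustrative."""
    name: str
    probability_reduction: int = 0
    consequence_reduction: int = 0


def residual_hazard(hazard: Hazard, measures: list) -> Hazard:
    """The hazard as it stands after the measures are applied; its risk is the residual risk (3.14)."""
    p = _rank(hazard.probability, PROBABILITY_CLASSES)
    c = _rank(hazard.consequence, CONSEQUENCE_CLASSES)
    for m in measures:
        p = max(0, p - m.probability_reduction)
        c = max(0, c - m.consequence_reduction)
    return Hazard(hazard.name, PROBABILITY_CLASSES[p], CONSEQUENCE_CLASSES[c])


def is_tolerable(level: str, criteria: str) -> bool:
    """Risk evaluation (3.16): compare the estimated risk level against the risk criteria.
    `criteria` is the highest level that still counts as tolerable risk (3.9)."""
    return _rank(level, RISK_LEVELS) <= _rank(criteria, RISK_LEVELS)


def assess(hazard: Hazard, measures: list, criteria: str) -> dict:
    """Risk assessment (3.18): analysis and evaluation before and after protective measures."""
    initial = risk_level(hazard.probability, hazard.consequence)
    after = residual_hazard(hazard, measures)
    residual = risk_level(after.probability, after.consequence)
    return {
        "hazard": hazard.name,
        "initial_risk": initial,
        "measures": [m.name for m in measures],
        "residual_risk": residual,
        "tolerable": is_tolerable(residual, criteria),
    }


# Constructed sample input (not taken from the Guide).
SAMPLE_HAZARD = Hazard("product left accessible to unauthorised persons during distribution",
                       probability="likely", consequence="major")
SAMPLE_MEASURES = [
    ProtectiveMeasure("tamper-evident packaging", probability_reduction=1),
    ProtectiveMeasure("information for use and training", consequence_reduction=1),
]

if __name__ == "__main__":
    print(assess(SAMPLE_HAZARD, [], criteria="medium"))
    print(assess(SAMPLE_HAZARD, SAMPLE_MEASURES, criteria="medium"))
```

Run stand-alone, the script first evaluates the sample hazard with no measures (its risk level exceeds the chosen criteria, so it is not tolerable) and then with the two measures applied, which brings the residual risk down to the tolerable level. Re-running the assessment with a stricter `criteria` is the code-level counterpart of the continual review of the tolerable level called for above.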

Security is a high-priority issue. In a society in which personal and societal security concerns predominate, there is a legitimate fear of an inevitable erosion of personal privacy, and that this erosion will come to be viewed as a necessary sacrifice to achieve the “common good”. Both security and safety efforts are intended to protect people (both as individuals and as communities), physical assets and the environment. The Guide offers practical tools which can be tailored to address the security aspects of a standard under development or revision, to provide practical assistance to standards developers on what is meant by security aspects, and to encourage a balanced approach to security which enhances freedom and the protection of individual rights, including the right to privacy. The issue of balance is also important when considering the sensitivity of information, recognizing that the information generated as a result of the assessment of vulnerabilities and threats can be extremely sensitive. Where necessary and appropriate, care must be taken to protect the information or to restrict its distribution.