CEN-CLC/JTC 13 Cybersecurity & Data Protection

  • 17/09/2020

    CEN-CLC/JTC 13 Cybersecurity & Data Protection

    Dr. Walter Fumy, Chairperson JTC 13

  • JTC 13 ‘Cybersecurity & Data Protection’, est. Nov 2017

    § JTC 13 addresses horizontal security & privacy topics of the interconnected society, driven by the European market

    § objectives include

    Ø become the European standardisation focal point for Cybersecurity & Data Protection

    Ø be recognized at European and International level as a provider of best in class standards

    Ø be identified as a strategic partner of the European Commission (DG CONNECT, GROW, HOME etc.) and of institutions, agencies and bodies within the EU system being involved in Cybersecurity & Privacy policy (e.g., ENISA, NIS Cooperation Group, Europol/EC3), and of other relevant European bodies/entities/consortia, such as ECSO, ANEC, Digital Europe, Eurosmart, including EU funded projects/initiatives.

    § has attracted 150+ experts on cybersecurity and data protection, many of them also members of ISO/IEC JTC 1/SC 27 ‘Information security, cybersecurity and privacy protection’

  • CEN-CLC/JTC 13 Scope (1/2)

    Development of standards for cybersecurity and data protection covering all aspects of the evolving information society, including but not limited to:

    § Management systems, frameworks, methodologies

    § Data protection and privacy

    § Services and products evaluation standards suitable for security assessment for large companies and small and medium enterprises (SMEs)

    § Competence requirements for cybersecurity and data protection

    § Security requirements, services, techniques and guidelines for ICT systems, services, networks and devices, including smart objects and distributed computing devices

  • CEN-CLC/JTC 13 Scope (2/2)

    § Included in the scope is the identification and possible adoption of documents already published or under development by ISO/IEC JTC 1 and other SDOs and international bodies such as ISO, IEC, ITU-T, and industrial fora.

    § Where not being developed by other SDOs, the development of cybersecurity and data protection CEN/CENELEC publications for safeguarding information such as organizational frameworks, management systems, techniques, guidelines, and products and services, including those in support of the EU Digital Single Market.

  • JTC 13 Cyber Security & Data Protection

    Chair: Walter Fumy; Secretariat: Martin Uhlherr (DIN)

    § WG 1: Chair Advisory Group

    § WG 2: Management systems & control sets

    § WG 3: Security evaluation & assessment

    § WG 4: Cybersecurity services

    § WG 5: Data protection, privacy & identity mgt

    § WG 6: Product security

  • WG 2: Management Systems & Control Sets

    Standardization in the domain of management system standards including supporting control sets covering information and cyber security

    § Convenor: Ralph Eckmaier (AT)

    § Unmodified adoption of JTC 1 Standards initiated

    Ø ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems

    Ø ISO/IEC 27007: Guidelines for information security management systems auditing

    Ø ISO/IEC TR 27008: Guidelines for auditors on information security controls

    Ø ISO/IEC 27017: Code of practice for information security controls based on ISO/IEC 27002 for cloud services

  • JTC 13/WG 2 (cont.)

    § Work programme also includes

    Ø EN ISO/IEC 27000:2020 - ISMS - Overview and vocabulary

    Ø EN ISO/IEC 27001:2017 - ISMS - Requirements

    Ø EN ISO/IEC 27002:2017 - ISMS - Code of practice for information security controls

    Ø EN ISO/IEC 27011:2020 - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations

    Ø EN ISO/IEC 27018:2020 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

    Ø EN ISO/IEC 27019:2020 - Information security controls for the energy utility industry

  • WG 4: Cybersecurity Services

    Standards and guidelines related primarily to an organisation’s security controls and services, emphasizing standards for information security and cybersecurity and its application to the security of information systems and their lifecycle.

    § Convenor: Andreas Fuchsberger (DE)

    § Unmodified adoption of JTC 1 Standards initiated

    Ø ISO/IEC 21878 - Security guidelines for design and implementation of virtualized servers

    Ø ISO/IEC 27033 - Network security (6 parts)

    Ø ISO/IEC 27036 - Information security for supplier relationships (4 parts)

    Ø ISO/IEC 27039 - Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

    § New Work Item Proposal approved

    Ø Managed Security Service Provider Requirements

  • WG 4: Cybersecurity Services (cont.)

    § Work programme also includes

    Ø EN ISO/IEC 27037:2016 - Guidelines for identification, collection, acquisition and preservation of digital evidence

    Ø EN ISO/IEC 27038:2016 - Specification for digital redaction

    Ø EN ISO/IEC 27041:2016 - Guidance on assuring suitability and adequacy of incident investigative method

    Ø EN ISO/IEC 27042:2016 - Guidelines for the analysis and interpretation of digital evidence

    Ø EN ISO/IEC 27043:2016 - Incident investigation principles and processes

  • WG 5: Data Protection, Privacy & Identity Mgt

    Standards and guidelines for the protection of personal data, privacy, and the management of identities, including requirements raised through relevant EU legislation.

    § Convenor: Alessandro Guarino (IT)

    § Unmodified adoption of JTC 1 Standards initiated/completed

    Ø ISO/IEC 24760 - Framework for Identity Management (3 parts)

    Ø ISO/IEC 27701 - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

    Ø EN ISO/IEC 29100:2020 - Privacy framework

    Ø ISO/IEC 29101 - Privacy architecture framework

    Ø ISO/IEC 29151 - Code of practice for personally identifiable information protection

    Ø ISO/IEC 29184 - Online privacy notices and consent

    § New Work Item Proposal

    Ø Requirements for professional profiles related to personal data processing and protection

    § Feasibility Study

    Ø GDPR implementation guidance document with respect to ISO/IEC 27701

  • JTC 13/WG 5 (cont.)

    § Work items transferred from disbanded CEN-CLC/JTC 8 - Privacy Management in Products & Services

    Ø Feasibility study on data protection interface

    Ø Feasibility study on Data Protection Professional Profiles (→ NWIP)

    Ø prEN 17529 - Data protection and privacy by design and by default

    Ø prTR Biometrics for access control including face recognition

    Ø prTR Video surveillance

    Ø EN ISO/IEC 29134:2020 - Guidelines for privacy impact assessment

  • WG 6: Product Security

    Standards and guidelines related to product requirements (hardware, firmware, software, services, infrastructure), and to product lifecycle processes and their related environments. Scope is limited to products which are connected devices with a focus on horizontal applicability.

    § Convenor: Ben Kokx (NL)

    § New Work Item Proposals

    Ø Basic security requirements for consumer IoT devices (initiated in preparation of a mode 5 collaboration with ETSI TC Cyber on the subject)

    Ø CEN TR related to a possible standardization request from DG-GROW on the RED (to be prepared as needed)

    § Feasibility Study

    Ø Possibility of standards for basic cybersecurity requirements for products and related services

    § Maintenance of TR Protection Profile for Smart Meter Minimum Security Requirements (developed and published 2019-11 by CEN/CENELEC/ETSI Coordination Group on Smart Meters)

  • Protection Profile for Smart Meter Minimum Security Requirements

    TR developed and published in November 2019 by CEN/CENELEC/ETSI Coordination Group on Smart Meters

    § TOE: Smart supply meter that monitors, and possibly limits, the consumption of electricity, gas, thermal energy or water provided by utilities supply markets and communicates with users via both local (“direct”) and network interfaces.

    § The meter’s basic security tasks are to ensure

    Ø the integrity of its content,

    Ø the authenticity and integrity of instructions that it acts on,

    Ø the confidentiality of data used to provide security functions (such as cryptographic keys), and

    Ø the confidentiality of sensitive personal information and personally identifiable information.

    § Further, the meter firmware has to be protected from tampering by a firmware integrity test, and by a secure update method using digitally signed firmware updates.

    § Evaluation assurance level EAL3+

  • WG 3: Security Evaluation & Assessment

    § Convenor: Miguel Bañon (ES); VC: Philippe Magnabosco (FR)

    § Unmodified adoption of JTC 1 Standards initiated/completed

    Ø EN ISO/IEC 15408:2020 - Evaluation criteria for IT security (3 parts)

    Ø EN ISO/IEC 18045:2020 - Methodology for IT security evaluation

    Ø EN ISO/IEC 19790:2020 - Security requirements for cryptographic modules

    Ø EN ISO/IEC 29147:2020 - Vulnerability disclosure

    Ø EN ISO/IEC 30111:2020 - Vulnerability handling processes

    Ø ISO/IEC 19608:202x - Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

    § New Work Item

    Ø prEN XXXXX - Cybersecurity evaluation methodology for ICT products

    § Feasibility Studies

    Ø IACS evaluation methodology

    Ø Security evaluation for IoT platforms

  • Cybersecurity Evaluation Methodology for ICT Products

    prEN xxxxx (under drafting)

    § intended for use for all three assurance levels as defined in the Cybersecurity Act (i.e. basic, substantial, high)

    § methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the three levels

    § methodology may be applied both to 3rd party evaluation and to self-assessment

    § may be used by different candidate schemes and by different verticals

  • Cybersecurity Evaluation Methodology for ICT Products

    prEN xxxxx Design Principles include

    § Not to be used “stand alone” but in conjunction with specifications containing specific cybersecurity requirements

    Ø Each domain (scheme) needs to provide domain specific cybersecurity requirements for the objects to be evaluated / certified.

    § Intended to enable scheme authors to create “lightweight” schemes

    Ø attempt to reduce the burden on the manufacturer as much as possible (implying possibly additional burden on the evaluation lab and the certification body).

    § It should be possible to create a methodology requiring only the minimum defined by the CSA

    § It should be possible to recreate established lightweight methodologies, e.g., CSPN, LINCE, …

    Status: 3rd WD (2020-08-11, 52 pages)

  • JTC 13 Involvement in the implementation of the Cybersecurity Act

    § Cooperation with the European Union

    Ø CEN-CLC/JTC 13 and ENISA

    Ø CCMC with DG CONNECT and DG GROW

    § Strong collaboration with ETSI, in particular with ETSI TC CYBER

    Ø proposed JWG in the area of consumer IoT security (← ETSI EN 303 645 and ETSI TS 103 701)

    Ø to provide timely standardization responses to European Stakeholders

    Ø to promote the unique European Standardization system

  • JTC 13 Partnerships include

    § CEN/TC 224 Personal identification and related personal devices

    § CEN/TC 301 Road Vehicles

    § CEN/TC 377/WG 1 Air traffic management

    § CLC/TC 65x

    § CEN/CLC/JTC 19

    § ETSI TC CYBER

    § ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection

    § ISO/IEC JTC 1/SC 38 Cloud computing & distributed platforms

    § ISO TC 317

    § ANEC

    § APPLiA – Home Appliance Europe

    § ENISA

    § European Commission

    § EURALARM

    § EUROSMART

    § ECSO

    § GlobalPlatform

    § SMESEC

    § SHIELD (H2020 project on cybersecurity for health related data)

  • Final Remarks

    § Collaboration between JTC 13 and SC 27 according to principles of the Vienna Agreement

    Ø Document exchange via SC 27 Secretariat and/or JTC 13 Secretariat

    Ø Nevertheless, liaison officers appointed

    Ø from SC 27 to CEN/CENELEC JTC 13: Elaine Newton ([email protected])

    § European SDO; however, observers from other regions are welcome. Current observers include

    Ø Standards Council of Canada

    Ø Standards Institution of Israel

  • 17/09/2020

    Thank you very much for your kind attention!

    [email protected]

    https://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_ORG_ID:2307986&cs=1E7D8757573B5975ED287A29293A34D6B
