
INTERNATIONAL TELECOMMUNICATION UNION
TELECOMMUNICATION STANDARDIZATION SECTOR
STUDY PERIOD 2017-2020

SG17-TD1060
STUDY GROUP 17
Original: English

Question(s): 1/17
Geneva, 20-29 March 2018

TD

Source: Editor

Title: Proposed (2018-03) version of Part 1 & 2 of the Security Compendium

Purpose: Discussion

Contact: Sandor Mazgon E-mail: [email protected]

This TD is for Q1/17 of Study Group 17 to maintain the Catalogue of ITU-T Recommendations dealing with security and the Compendium of ITU-T approved security definitions, i.e. to review and improve Part 1 and Part 2 of the Security Compendium following the conclusions of WTSA-16.

The Security Compendium will be made available on the ITU-T web site (here) by the Secretariat when Q1/17 (SG17) approves it. The Security Compendium provides information on ITU security activities, first of all on approved, new and revised security related Recommendations (Part 1), as well as on approved, new and amended definitions and abbreviations from security related Recommendations (Part 2). Other security activities of ITU-T are summarized in the Security Roadmap, especially in its Part 2.

The proposed draft new version of Parts 1 and 2 of the Security Compendium (see attached files) is revised and expanded from the last approved version (see table below). Parts 1 and 2 of the Security Compendium are continuously reviewed, complementing the development of the security related Recommendations. The compendium is revised each time the group responsible for Question 1/17 holds a meeting at which the Security Compendium is discussed and approved. Any help and advice to make it more relevant is fully appreciated.

HISTORY:

Security Compendium   Rec.s in Pt.1   Def.s   Abbr.s   Rec.s in Pt.2   References
Version 2005          56              553     156      56
Version 2008          261             1130    800      261
Version 2009-09       293             1614    1133     293             TD 543-545 SG17/T09
Version 2010-04       293             1614    1133     293             TD 747-748 SG17/T09
Version 2010-12       300             1668    1176     300             TD 1288 Plen/SG17/T09
Version 2011-04                                                        TD1679 Plen/SG17/T09
Version 2011-09                                                        TD1991 Plen/SG17/T09
Version 2012-01       344             2357    1765     344             TD 2568 Plen/SG17/T09
Version 2012-09       349             2839    1962     349             TD 3137 Plen/SG17/T09
Version 2013-04       379             3272    2233     408             TD 215 Plen/SG17/T13
Version 2013-07       396             3560    2747     422             TD 567 Plen/SG17/T13
Version 2014-01       400             3649    2795     426             TD 911 Plen/SG17/T13
Version 2014-09       410             3793    2894     434             TD 1274 Plen/SG17/T13
Version 2015-04       422             4059    3288     445             TD 1597 Plen/SG17/T13
Version 2015-09       430             4116    3549     455             TD 1974 Plen/SG17/T13
Version 2016-03       440             4299    3651     466             TD 2338r1 Plen/SG17/T13
Version 2016-09       465             4508    3856     490             TD 2747r1 Plen/SG17/T13
Version 2017-03       503             4737    4100     503             TD 123 r1 Plen/SG17/T17
Version 2017-09       524             4926    4456     524             TD 658 r1 Plen/SG17/T17
Version 2018-03       533             5008    4539     533             This document


Security Compendium version (2018-03) is based on version (2017-09) and is amended as follows.

Catalogue of approved ITU-T Recommendations related to telecommunication security

New and revised items for Part 1 of the Security Compendium
All references to Questions of Study Groups are relevant to T17, i.e. to study period 2017-2020.

Rec   Date   Temp   Title   Main purpose and security aspects   Question   Source/Note

X.1040 (2017-10) X.salcm Security reference architecture for lifecycle management of e-commerce business data

E-commerce services provide online shopping and other services in open networks, and have several characteristics and benefits: they are efficient, convenient and wide-reaching. However, these e-commerce service ecosystems face security vulnerabilities. This Rec. analyses the main features and typical security threats faced by e-commerce systems, and provides a security reference architecture for lifecycle management of e-commerce business data.

Q.2/17 published

X.1053 (2017-11) X.sgsm Code of practice for information security controls based on ITU-T X.1051 for small and medium-sized telecommunication organizations

Provides guidelines for the implementation of information security management (ISM) that targets small and medium-sized telecommunication organizations (SMTOs) based on Rec. ITU-T X.1051. Security features (confidentiality, integrity, and availability) and terminologies used are in line with those used in Rec. ITU-T X.1051, to provide telecommunication services, even in SMTOs. Telecommunication organizations need to interconnect and/or share their telecommunication services and facilities, and/or use the telecommunication services and facilities of other telecommunication organizations. Therefore, the management of information security in telecommunication organizations is mutually dependent, and may include any and all areas of network infrastructure, services, applications and other facilities. Regardless of operational scale, service areas, service types, or number of employees, telecommunication organizations should implement appropriate controls to ensure confidentiality, integrity, availability, and any other security property of telecommunication. This Rec. provides SMTOs, and those responsible for information security, together with security vendors, auditors, telecommunication terminal vendors, and application content providers, with a common set of general security control objectives based on Rec. ITU-T X.1051. It further provides these organizations with specific controls and information security management guidelines that allow for the selection and implementation of such controls.

Q.3/17 published

X.1127 (2017-09) X.msec-9 Functional security requirements and architecture for mobile phone anti-theft measures

Smartphones are rapidly proliferating and have become a nearly indispensable part of daily life. Unfortunately, many smartphone users have had their phones stolen. A smartphone anti-theft measure, i.e., a kill switch tool, for use in the event it is lost or stolen, should provide the capability to: a) remotely delete the authorized user's data that is on the smartphone; b) render the smartphone inoperable to an unauthorized user; c) prevent reactivation without the authorized user's permission to the extent technologically feasible; and d) reverse the inoperability if the smartphone is recovered by the authorized user, and restore user data on the smartphone to the extent feasible. This Rec. focuses on the functional security requirements and functional architecture for smartphone anti-theft mechanisms based on the general requirements described by the GSMA.

Q.6/17 published

X.1146 (2017-10) X.websec-8 Secure protection guidelines for value-added services provided by telecommunication operators

With the rapid development of network and user-terminal capability, more and more telecom operators provide various services to users based on their network resources. These services are called value-added services, as they add value to basic telecommunication services (e.g., voice call, SMS, MMS and data access). Typical value-added services include Mobile Office Automation, e-Reading, e-Commerce, etc. In many cases, value-added services involve sensitive operations or critical data, which makes them targets for malicious attackers. Malicious users may exploit service vulnerabilities to gain benefits or to harm the service and other users. This Rec. provides technical measures to counter threats and attacks, to help operators assure the security of value-added services and to protect users' interests.

Q.7/17 published

X.1213 (2017-09) X.sbb Security capability requirements for countering smartphone-based botnets

Along with the rapid development of mobile Internet devices and the widespread use of smartphones, surveys from worldwide organizations show that botnets, formerly targeting mostly personal computer (PC)-based networks, are now being replicated very quickly on smartphones. Currently, countries and regions with differing conditions and ecosystems have varying levels of constraints on the propagation of smartphone-based botnets. Analytical reports from various security companies and investigative organizations show noticeably different statistical data on the severity of the propagation of smartphone-based botnets. The potential threat of smartphone-based botnets is increasing very quickly in some regions and could possibly spread worldwide and turn from a regional issue into a serious global issue. This Rec. provides security capability requirements for countering smartphone-based botnets. The intent is to study the challenges presented by smartphone-based botnets, and their specific threats to, and requirements on, operators' networks as well as on the smartphones themselves. This Rec. focuses on threat analysis and requirement enumeration. The purpose is to safeguard operators' infrastructures and smartphones, ensure operators' services and service qualities, and to enhance user experience.

Q.4/17 published

X.1248 (2017-09) X.cspim Technical requirements for countering instant messaging spam

Identifies types and characteristics of spam over instant messaging (SPIM) and specifies technical requirements for countering it. As instant messaging (IM) increases in popularity, the proliferation of SPIM becomes an increasingly serious problem. The characteristics of IM, such as being Internet protocol (IP)-based with widespread usage that is free of charge, potentially allows SPIM to spread widely and uncontrollably. If SPIM problems are not carefully addressed, they can have negative impacts on the utilization of the IM service itself.

Q.5/17 published

X.1250 (2009-09) X.idmreq Baseline capabilities for enhanced global identity management and interoperability 

Describes baseline capabilities for global identity management (IdM) interoperability [i.e., to enhance exchange and trust in the identifiers used by entities in telecommunication/information technology (IT) networks and services]. The definitions and need for IdM are highly context-dependent and often subject to very different policies and practices in different countries. The capabilities include the protection and control of personally identifiable information (PII).

Q.10/17 published

X.1541 (2017-09) X.iodef Incident object description exchange format version 2

Describes the information model for the incident object description exchange format (IODEF) version 2 and provides an associated data model specified with XML schema. The IODEF specifies a data model representation for sharing commonly exchanged information about computer security or other incident types. This is achieved by listing the relevant clauses of IETF RFC 7970 and showing whether they are normative or informative.

Q.4/17 revised, published

X.Sup29 (2017-09) X.sup-gcspi Guidelines on countermeasures against short message service phishing and smishing attacks

Provides universal guidelines on short message service (SMS) phishing, a fraudulent technique carried out through mobile phones by causing phishing frauds with smartphones, acquiring personal information on the smartphones, or enabling small amounts of money to be approved and paid while the account holder is not aware of the approval. The purpose of this Supplement is to universalize the guideline for countermeasures against SMS phishing incidents by defining a security guideline on security technology and methods against SMS phishing incidents, and a specification of report contents.

Q.5/17 published

X.Sup30 (2017-09) X.sup-sgmvno Security guidelines for mobile virtual network operators

A mobile virtual network operator (MVNO) is a mobile communication services provider that does not own the wireless network infrastructure over which the MVNO provides services to its customers. An MVNO leases the wireless capacity from traditional network operators and packages it for a specific application. Typically, an MVNO owns its customer base, sales channel and specific brand, while providing competitive billing policies. An MVNO conventionally covers a range of different business approaches to providing mobile services. There are four common operating models of MVNOs: reseller, service operator, full MVNO and mobile virtual network enabler (MVNE). Generally, the security capabilities of MVNOs are weaker than those of traditional network operators. MVNOs are becoming the main targets of security exploits; therefore, it is very important to develop security guidelines for MVNOs. This Supplement analyses the main features of MVNOs and the typical security threats that they face. Based on the structure of MVNOs, this Supplement provides a security framework for MVNOs, including security objectives and security requirements.

Q.2/17 published

X.Sup31 (2017-09) X.sup-oid-iot Guidelines for using object identifiers for the Internet of things

Provides guidelines on how to use object identifiers (OIDs) to identify objects in the Internet of things (IoT). It includes guidelines on how to structure OIDs, how to implement resolution systems and how to establish management procedures based on existing ITU-T Rec.s and international standards. It also provides detailed considerations for establishing OID-based IoT identification systems, including considerations when designing/choosing identification schemes for OIDs, when establishing a resolution system, and when establishing OID authorities and operational procedures.

Q.11/17 published

J.125 (2007-12) J.bpi Link privacy for cable modem implementations

Provides MAC layer privacy (encryption and authentication) services for DOCSIS CMTS-CM communications. This Rec., referred to as Baseline Privacy Interface Plus or BPI+, has the following two goals: a) provide cable modem users with data privacy across the cable network; and b) provide cable operators with service protection, i.e., prevent unauthorized users from gaining access to the network's RF MAC services. BPI+ provides a level of data privacy across the shared medium cable network equal to or better than that provided by dedicated line network access services (analog modems or digital subscriber lines).

SG9 published

M.3020 (2017-07) Management interface specification methodology

Describes the management interface specification methodology (MISM). It describes the process to derive interface specifications based on user requirements, analysis and design (RAD). Guidelines are given on RAD using unified modelling language (UML) notation; however, other interface specification techniques are not precluded. The guidelines for using UML are described at a high level in this ITU-T Rec.

Q.7/2

List of security definitions and (abbreviations) extracted from approved ITU-T Recommendations

New and revised items/lines for Part 2 of the Security Compendium

Term Abbr Definition of the term Rec# Clause Date Referred source

data 2) Bits or bytes transported over the medium or via a reference point that individually convey information. Data includes both user (application) data and any other auxiliary information (overhead, including control, management, etc.). Data does not include bits or bytes that, by themselves, do not convey any information, such as the preamble.

X.1040 §3.1.6 (2017-10) G.9960

data lifecycle management

Defines how data are managed and maintained as it flows through the business processes across all phases of the data lifecycle. Note: The data lifecycle management mainly consists of five phases: data creation, data usage, data storage, data transmission and data destruction.

X.1040 §3.2.1 (2017-10)

data security 2) Preservation of data to guarantee availability, confidentiality and data integrity. X.1040 §3.1.8 (2017-10) ISO/IEC 29182-2

data transmission

The process of transferring data from one place to another place by communication. X.1040 §3.2.2 (2017-10)

sensitive data Data with potentially harmful effects in the event of disclosure or misuse. X.1040 §3.1.11 (2017-10) ISO 5127

threat 3)g Potential cause of an unwanted incident, which may result in harm to a system or organization. X.1040 §3.1.10 (2017-10) ISO/IEC 27000

confidentiality or non-disclosure agreement

A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes.

X.1053 §3.1.1 (2017-11)

data centre A facility used to house computer systems and associated components, such as telecommunication and storage systems.

X.1053 §3.1.2 (2017-11)

outsourcing When an enterprise contracts out one or more of its internal processes and/or functions to an outside company. Outsourcing moves enterprise resources to an outside enterprise and keeps a retained capability to manage the relationship with the outsourced processes.

X.1053 §3.1.3 (2017-11)

parent company A company that owns enough voting stock in another firm to control management and operations by influencing or electing its board of directors.

X.1053 §3.1.4 (2017-11)

small and medium-sized telecommunication organization

SMTO A telecommunication organization classified as a small and medium-sized business in accordance with the legislation or the regulations of the country or region in which the business is registered.

X.1053 §3.1.5 (2017-11)

data sanitization Actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.

X.1127 §3.1.1 (2017-09) NIST SP 800-88

device hardware The physical components that together make a functioning mobile device including screen, keys, printed circuit board, chips, SIM card, removable storage, etc.

X.1127 §3.2.1 (2017-09)


device software All software programs on the device and SIM card, including applications, operating system, boot loader, boot-ROM, and firmware.

X.1127 §3.2.2 (2017-09)

device user The authorized user of the mobile device. X.1127 §3.2.3 (2017-09)

kill switch A way to disable crucial functions of a mobile device. NOTE – It is essentially a function within the mobile equipment device, so that if it is triggered, e.g., by a message of some format sent to the device, the mobile device ceases to operate as intended and can only be reactivated or reused if the device owner authorizes the reactivation of the device.

X.1127 §3.1.4 (2017-09) GSMA

secure tunneling A protocol that allows for the secure transfer of data or message from one network location to another. NOTE – Secure tunneling generally supports entity authentication, message integrity, and message confidentiality.

X.1127 §3.2.4 (2017-09)

threat 3)h Potential cause of an unwanted incident, which may result in harm to a system or organization.

X.1127 §3.1.7 (2017-09) ISO/IEC 27000

tunnel 2) Data path between networked devices which is established across an existing network infrastructure. NOTE – Tunnels can be established using techniques such as protocol encapsulation, label switching, or virtual circuits.

X.1127 §3.1.8 (2017-09) ISO/IEC 27033-1

equipment or operating system security

Network equipment is securely configured and protected, while the operating systems of the servers are carefully configured.

X.1146 §6 (2017-10)

network topology security

Servers that provide value-added services are deployed in well-designed network security domains and under appropriate security measures.

X.1146 §6 (2017-10)

platform or software security

The vulnerabilities of software platforms and third-party components, generally used in the development of value-added services, directly affect service security.

X.1146 §6 (2017-10)

service process security

A series of operation sequences designed to implement the service function. The security mechanisms of all operation sequences should be sufficient to ensure service security.

X.1146 §6 (2017-10)

terminal security Users need to access services using different terminals, such as personal computers, tablet computers and mobile phones, whose security protections are also essential to service security.

X.1146 §6 (2017-10)

user identity authentication

A method of confirming the user's identity. According to the verification result, the value-added service reacts appropriately. Generally speaking, there are mainly three ways of verifying a user's identity, based on: – what the user knows, e.g., a password (static); – what the user has possession of, e.g., a smart card, an SMS password, a universal serial bus key or a dynamic password; – who the user is, based on unique physical characteristics, e.g., fingerprints, handwriting, DNA, retinal imaging and body biometrics.

X.1146 §7.1 (2017-10)

value-added service A service that is offered in addition to or in conjunction with basic telecommunication services such as voice call, short message service (SMS), multimedia messaging service (MMS) and data access. These value-added services allow operators to drive up their average revenue per user (ARPU). The scope of value-added services in this Recommendation is limited to those provided by telecommunication operators and the servers hosting such services reside in operators' networks. Typical value-added services include mobile office automation, e-reading and e-commerce.

X.1146 §3.2.1 (2017-10)

value-added services security

To guarantee the security of value-added services, five different areas should be considered: 1) network topology security; 2) equipment or operating system security; 3) platform or software security; 4) service process security; 5) terminal security. The security of areas 1) to 3) and 5) relates to common hardware and software security, for which many security guidelines can be followed. For 4), comprehensive guidelines are absent at the time of publication. Consequently, Rec. ITU-T X.1146 focuses on security protection of the service process.

X.1146 §6 (2017-10)

instant messaging

IM 3) An exchange of content between a set of participants in near real time. Generally, the content is short text messages, although that need not be the case.

X.1248 §3.1.1 (2017-09) IETF RFC 3428

agent 2)b An entity that acts on behalf of another entity. X.1250 §3.2.1 (2009-09)

anonymity 4) The property that an entity cannot be identified within a set of entities. NOTE – Anonymity prevents the tracing of entities or their behaviour such as user location, frequency of a service usage, and so on.

X.1250 §3.2.2 (2009-09)

attribute 4)b Information bound to an entity that specifies a characteristic of the entity. X.1250 §3.2.3 (2009-09)

authentication 11) See entity authentication. X.1250 §3.2.4 (2009-09)

authentication assurance

2) Confidence reached in the authentication process that the communication partner is the entity which it claims to be or is expected to be.

X.1250 §3.2.5 (2009-09)

claim 1) An assertion made by a claimant of the value or values of one or more identity attributes of a digital subject, typically an assertion which is disputed or in doubt.

X.1250 §3.2.7 (2009-09)

entity 6) Anything that has separate and distinct existence and that can be identified in context. NOTE – An entity can be a physical person, an animal, a juridical person, an organization, an active or passive thing, a device, a software application, a service, etc., or a group of these individuals. In the context of telecommunications, examples of entities include access points, subscribers, users, network elements, networks, software applications, services and devices, interfaces, etc.

X.1250 §3.2.8 (2009-09)

entity authentication

2)a A process to achieve sufficient confidence in the binding between the entity and the presented identity.

X.1250 §3.2.9 (2009-09)

federation 4)a An association of users, service providers and identity providers. X.1250 §3.2.10 (2009-09)

identifier 3)a One or more attributes used to identify an entity within a context. X.1250 §3.2.11 (2009-09)


identity management

1)a A set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for: a) assurance of identity information (e.g., identifiers, credentials, attributes); b) assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and c) supporting business and security applications.

X.1250 §3.2.14 (2009-09)

identity pattern 1)a A structured expression of attributes of an entity (e.g., the behaviour of an entity) that could be used in some identification processes.

X.1250 §3.2.16 (2009-09)

identity service bridge provider

6) An identity service provider that acts as an intermediary among other identity service providers.

X.1250 §3.2.13 (2009-09)

identity service provider

1)a An entity that verifies, maintains, manages, and may create and assign identity information of other entities.

X.1250 §3.2.15 (2009-09)

manifestation 1)a An observed or discovered (i.e., not self-asserted) representation of an entity. (Compare with assertion.)

X.1250 §3.2.17 (2009-09)

pseudonym 1)a An identifier, whose binding to an entity is not known or is known to only a limited extent, within the context in which it is used.

X.1250 §3.2.18 (2009-09)

requesting entity 1)a An entity making an identity representation or claim to a relying party within some request context.

X.1250 §3.2.19 (2009-09)

trust 5) The firm belief in the reliability and truth of information; or in the competence of an entity to act appropriately, within a specified context.

X.1250 §3.2.21 (2009-09)

user 4)a Any entity that makes use of a resource, e.g., system, equipment, terminal, process, application, or corporate network.

X.1250 §3.2.22 (2009-09)

user-centric (IdM) An IdM system that can provide the user with the ability to control and enforce various privacy and security policies governing the exchange of identity information, including PII, between entities.

X.1250 §3.2.23 (2009-09)

caller ID spoofing

The process of changing the caller ID to any number other than the calling number. X.Sup29 §3.2.4 (2017-09)

caller identification

A telephone service that transmits a caller's telephone number to the called party's telephone equipment when the call is being set up.

X.Sup29 §3.2.5 (2017-09)

malware 4) Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity and/or availability. NOTE – Viruses, Trojan horses, worms, spyware, adware, rootkits are examples of malware.

X.Sup29 §3.1.1 (2017-09) ISO/IEC 27033-1

phishing 8) An attack to acquire sensitive information such as usernames, passwords, and credit card details for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

X.Sup29 §3.2.1 (2017-09)

short message SM 1)b Information that is conveyed from a sending user to a receiving user via an SM-SC. X.Sup29 §3.1.2 (2017-09) ETSI TS 102 507

short message service centre

SM-SC 1)b Function unit, which is responsible for the relaying and store-and-forwarding of a short message (SM) between two SM-TEs. NOTE – The SM-SC can functionally be separated from or integrated in the network.

X.Sup29 §3.1.3 (2017-09) ETSI TS 102 507

smishing An attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device.

X.Sup29 §3.2.2 (2017-09)

uniform resource locator

URL A reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.

X.Sup29 §3.2.3 (2017-09)

application security

For an MVNO the security requirements of application systems protect information processing processes via security tools or strategies to eliminate hidden dangers like SQL injection, cross-site scripting and Web Trojans.

X.Sup30 §8 (2017-09)

data security Data asset attributes can usually be described by confidentiality, integrity and availability. For an MVNO the security requirements of data should include encryption, key management, key escrow, data backup and recovery, etc.

X.Sup30 §8 (2017-09)

full MVNO model

The full MVNO (operating) model of MVNOs suits players aiming to achieve additional differentiation from service operators and mobile network operators (MNOs), by offering leading edge products and services, and achieving a high degree of independence at the outset. The full MVNO model may be the best approach for some players who would otherwise select the reseller or service operator models and introduce differentiating services into their offerings at a later date. This is because the control provided by the full MVNO model may offer better short-and long-term opportunities.

X.Sup30 §6 (2017-09)

MVNE model The MVNE (operating) model of MVNOs acts as an interface between a reseller or service operator and a host MNO.

X.Sup30 §6 (2017-09)

network security For an MVNO the network security requirements should consist of boundary protection, intrusion prevention, network redundancy, DDoS protection, encrypted communication, etc.

X.Sup30 §8 (2017-09)

operating models of MVNOs

There are four operating models of MVNOs: the reseller model, the service operator model, the full MVNO model, and the MVNE model.

X.Sup30 §6 (2017-09)

physical security For an MVNO the physical security is the premise to construct a complete security architecture of information systems. Physical security requirements should not be limited to physical issues only, but should involve administrative and technical measures, which could consist of biometric authentication schemes, environment monitoring, power supply protection, crime prevention through environment design, etc.

X.Sup30 §8 (2017-09)

reseller model The reseller (operating) model of MVNOs suits an organization that can leverage its existing distribution channels to sell mobile services, but has little need to innovate the services it provides or differentiate itself from other players. Typically, this means selling no-frills voice and messaging services.

X.Sup30 §6 (2017-09)

security requirements for MVNOs

The security requirements for MVNOs mainly include the following six aspects: physical, network, system, application, data, and terminal security.

X.Sup30 §8 (2017-09)

service operator model

The service operator (operating) model of MVNOs suits those organizations that wish to gain control over the services they provide, both in terms of pricing and service innovation. This means the service operator model suits players that seek to address specific customer segments, by differentiating themselves from other players in those segments through innovation in pricing and/or service content.

X.Sup30 §6 (2017-09)

system security For an MVNO the security requirements of systems should consider identification, authentication, authorization, access control, intrusion prevention, operation audit, etc.

X.Sup30 §8 (2017-09)

terminal security For an MVNO the security requirements of terminals should comprise patch management, virus protection, intrusion detection, data protection, etc.

X.Sup30 §8 (2017-09)

application-specific OID resolution process

Actions by an application to retrieve application-specific information from the information returned by the general OID resolution process.

X.Sup31 §3.1.1 (2017-09) ITU-T X.672

general OID resolution process

That part of the ORS where an ORS client obtains information from the DNS (recorded in a zone file) about any specified OID and returns it to an application.

X.Sup31 §3.1.2 (2017-09) ITU-T X.672

mobile virtual network operator

MVNO A wireless communication services provider that does not own the wireless network infrastructure over which it provides services to its customers.

X.Sup31 §3.2.1 (2017-09)

BPI+ security association

A BPI+ security association (SA) is the set of security information a CMTS and one or more of its client CMs share in order to support secure communications across the cable network.

J.125 §5.1.3 (2007-12)

DOCSIS The term for a system or device compliant with any one of the Cable Television Laboratories, Inc. ("CableLabs") series of specifications located at: http://www.cablemodem.com/specifications/.

J.125 §3.1 (2007-12)

DOCSIS 1.0 A system or device compliant with the following Data Over Cable Service Interface Specifications [SCTE22-1], [SCTE22-2], [SCTE22-3], [DOCSIS4]. Note: See §2/J.125 References.

J.125 §3.2 (2007-12)

DOCSIS 1.1 A system or device compliant with the following Data Over Cable Service Interface Specifications: [ITU-T J.112-B], [SCTE23-3], [DOCSIS4] and this Recommendation. Note: See §2/J.125 References.

J.125 §3.3 (2007-12)

DOCSIS 2.0 A system or device compliant with the following Data Over Cable Service Interface Specifications [ITU-T J.122], [SCTE79-2], [DOCSIS4] and this Recommendation. Note: See §2/J.125 References.

J.125 §3.4 (2007-12)

HMAC HMAC is a mechanism for message authentication using cryptographic hash functions.

J.125 §5.2.1 (2007-12) RFC 2104

agent 4) Encapsulates a well-defined subset of management functionality. It interacts with managers using a management interface. From the manager's perspective, the agent behaviour is only visible via the management interface. NOTE – Considered equivalent to IRPAgent in 3GPP TS 32.150.

M.3020 §3.2.1 (2017-07)

information object class

IOC 2) Describes the information that can be passed/used in management interfaces and is modelled using the stereotype "Class" in the UML meta-model. For a formal definition of information object class and its structure of specification, see Annex B/M.3020.

M.3020 §3.2.2 (2017-07)

information service

Describes the information related to the entities (either network resources or support objects) to be managed and the way that the information may be managed for a certain functional area. Information services are defined for all IRPs. NOTE – Considered identical to the definition of information service found in 3GPP TS 32.150.

M.3020 §3.2.3 (2017-07)

information type Specification of the type of input parameters of operations.

M.3020 §3.2.4 (2017-07)

integration reference point

An architectural concept that is described by a set of specifications for the definition of a certain aspect of the management interface, comprising a requirements specification, an information service specification, and one or more solution set specifications. NOTE – Considered identical to the definition of IRP found in 3GPP TS 32.150.

M.3020 §3.2.5 (2017-07)

lower camel case

It is the practice of writing compound words in which the words are joined without spaces. Initial letter of all except the first word shall be capitalized. Examples: 'managedNodeIdentity' and 'minorDetails' are the lower camel case (LCC) for "managed node identity" and "minor details" respectively.

M.3020 §3.2.6 (2017-07)

management goals

High-level objectives of a user in performing management activities.

M.3020 §3.2.7 (2017-07)

management interface

The realization of management capabilities between a manager and an agent, allowing a single manager to use multiple agents and a single agent to support multiple managers. NOTE – Q, C2B/B2B and Itf-N (3GPP) are examples of management interfaces.

M.3020 §3.2.8 (2017-07)

management role

Defines the activities that are expected of the operational staff or systems that perform telecommunications management. Management roles are defined independent of other components, i.e., telecommunications resources and management functions.

M.3020 §3.2.9 (2017-07)

management scenario

A management scenario is an example of management interactions from a management service.

M.3020 §3.2.10 (2017-07)

manager 2) Models a user of agent(s) and it interacts directly with the agent(s) using management interfaces. Since the manager represents an agent user, it gives a clear picture of what the agent is supposed to do. From the agent perspective, the manager behaviour is only visible via the management interface. NOTE – Considered equivalent to IRPManager in 3GPP TS 32.150.

M.3020 §3.2.11 (2017-07)

matching information

Specification of the type of a parameter (possibly reference to IOC or attribute of IOC).

M.3020 §3.2.12 (2017-07)

naming attribute It is a class attribute that holds the class instance identifier. NOTE – See examples of naming attribute in 3GPP TS 32.300.

M.3020 §3.2.13 (2017-07)

protocol-neutral specification

Defines the management interfaces in support of management capabilities without concern for the protocol and information representation implied or required by, e.g., CORBA and XML.

M.3020 §3.2.14 (2017-07)

protocol-specific specification

Defines the management interfaces in support of management capabilities for one specific choice of management technology (e.g., CORBA). NOTE – Considered equivalent to solution set in 3GPP TS 32.150.

M.3020 §3.2.15 (2017-07)

telecommunications resources

Telecommunications resources are physical or logical entities requiring management, using management services.

M.3020 §3.2.16 (2017-07)

upper camel case

It is the lower camel case except that the first letter is capitalized. Examples: 'ManagedNodeIdentity' and 'MinorDetails' are the upper camel case (UCC) for "managed node identity" and "minor details" respectively.

M.3020 §3.2.17 (2017-07)

well known abbreviation

WKA An abbreviation can be used as the modelled element name or as a component of a modelled element name. The abbreviation, when used in such manner, must be documented in the same document where the modelled element is defined.

M.3020 §3.2.18 (2017-07)

List of security (definitions and) abbreviations extracted from approved ITU-T Recommendations

New and revised items/lines for the Part 2 of the Security Compendium

Term Abbr Explanation of the abbreviation Rec# Clause Date Referred source

B2C Business to Customer X.1040 §4 (2017-10)
C2C Customer to Customer X.1040 §4 (2017-10)
CISO Chief Information Security Officer X.1053 §4 (2017-11)
SME Small Medium Enterprise X.1053 §4 (2017-11)
SMTO Small and Medium-sized Telecommunication Organization X.1053 §4 (2017-11)
2FA 2-Factor authentication, two-factor authentication X.1127 §4 (2017-09)
CRLDP CRL distribution point X.1127 §V.3 (2017-09)
GSMA Groupe Speciale Mobile Association X.1127 §4 (2017-09)
HMAC default keyed-hash message authentication code X.1127 §V.2 (2017-09)
HTTP Hyper-Text Transfer Protocol X.1127 §4 (2017-09)
PKCS#12 Personal Information Exchange Syntax v1.1. X.1127 §V.3. (2017-09) IETF RFC 7292
SFA single-factor authentication X.1127 §7.4.2. (2017-09)
TFA three-Factor Authentication X.1127 §4 (2017-09)
U Universal X.1127 §4 (2017-09)
2G second Generation X.1146 §4 (2017-10)
3G third Generation X.1146 §4 (2017-10)
4G fourth Generation X.1146 §4 (2017-10)
2FA Two Factor Authentication X.1213 §4 (2017-09)
2G Second Generation of mobile telecommunication X.1213 §4 (2017-09)
3G Third Generation of mobile telecommunication X.1213 §4 (2017-09)
4G Fourth Generation of mobile telecommunication X.1213 §4 (2017-09)
HTTP Hyper Text Transfer Protocol X.1213 §4 (2017-09)
PNG Portable Network Graphic X.1213 §4 (2017-09)
QRcode Quick Response code X.1213 §4 (2017-09)
SM-SC Short Message Service Centre X.Sup29 §4 (2017-09)
SM-TE Short Message Technical Equipment X.Sup29 §4 (2017-09)
CSRF Cross-Site Request Forgery X.Sup30 §4 (2017-09)
IAM Identity and Authorization Management X.Sup30 §4 (2017-09)
MVNE Mobile Virtual Network Enabler X.Sup30 §4 (2017-09)
MVNO Mobile Virtual Network Operator X.Sup30 §4 (2017-09)
WAF Web Application Firewall X.Sup30 §4 (2017-09)
AIDC Automatic Identification and Data Collection X.Sup31 §4 (2017-09)

APP Application X.Sup31 §4 (2017-09)
OID-IRI Object Identifier – Internationalized Resource Identifier X.Sup31 §4 (2017-09)
ORS OID Resolution System X.Sup31 §4 (2017-09)
AK Authorization Key J.125 §9.1 (2007-12)
BPI Baseline Privacy Interface J.125 §5 (2007-12)
BPKM Baseline Privacy Key Management J.125 §4 (2007-12)
CMCI cable-modem-to-customer-premises-equipment interface J.125 §5 (2007-12)
CMTS-NSI cable modem termination system – network side interface J.125 §5 (2017-09)
DA/SA destination and source address J.125 §6.1 (2007-12)
DES US Data Encryption Standard J.125 §4 (2007-12)
DOCSIS MAC DOCSIS Media Access Control J.125 §5 (2007-12)
EDE mode encrypt-decrypt-encrypt mode J.125 §7. (2007-12)
EH Extended Header J.125 §Fig.6-1. (2007-12)
FCRC Fragment CRC J.125 §Fig.6-2. (2007-12)
Frag Fragmentation J.125 §Fig.6-2. (2007-12)
FSM finite state machine J.125 §7.1.2 (2007-12)
HFC hybrid fibre/coax J.125 §5 (2017-09)
HMAC Keyed-Hashing for Message Authentication J.125 §4 (2007-12)
KEK key encryption key (Note: in DOCSIS a two-key triple DES encryption key) J.125 §7. (2007-12)
KEY_SEQ key sequence number J.125 §Fig.6-1. (2007-12)
LSB least significant bit J.125 §Fig.6-1. (2007-12)
OSSI Operations Support System Interface J.125 §2. (2007-12)
RSA RSA Laboratories J.125 §4 (2007-12)
SA source address J.125 §Fig.6-1. (2007-12)
SAID Security Association Identifier J.125 §5 (2007-12)
SET Secure Electronic Transaction Specification J.125 §Bibl. (2007-12)
SHS Secure Hash Standard J.125 §2. (2007-12)
SID Service Identifier J.125 §4 (2007-12)
TEK Traffic Encryption Key J.125 §4 (2017-09)
ADM Administrative (usage: requirements category) M.3020 §4 (2017-07)
C SS-Conditional (qualifier) M.3020 §B.1.1 (2017-07)
CM Conditional-Mandatory M.3020 §4 (2017-07)
CM Configuration Management M.3020 §Bibl (2017-07)
CO Conditional-Optional M.3020 §4 (2017-07)
CON Conceptual (usage: requirements category) M.3020 §4 (2017-07)
FMC Fixed Mobile Convergence M.3020 §Bibl (2017-07)
FUN Functional (usage: requirements category) M.3020 §4 (2017-07)

IOC Information Object Class M.3020 §4 (2017-07)
LCC Lower Camel Case M.3020 §4 (2017-07)
M Mandatory (qualifier) M.3020 §B.1.1 (2017-07)
MCC Mobile Country Code M.3020 §4 (2017-07)
MISM Management Interface Specification Methodology M.3020 §4 (2017-07)
MNC Mobile Network Code M.3020 §4 (2017-07)
NON Non-functional (usage: requirements category) M.3020 §4 (2017-07)
O Optional (qualifier) M.3020 §B.1.1 (2017-07)
OO Object Oriented M.3020 §4 (2017-07)
SNC Sub Network Connection M.3020 §4 (2017-07)
SOA Service Oriented Architecture M.3020 §4 (2017-07)
SS Solution Set M.3020 §4 (2017-07)
SS Solutions set M.3020 §B.1.1 (2017-07)
UCC Upper Camel Case M.3020 §4 (2017-07)
WKA Well Known Abbreviation M.3020 §4 (2017-07)

____________________