ISO/IEC JTC1 SC22/WG15 Security Rapporteur Group

Issue List

1. Document Format

ISO Style Guide
referencing of TCSEC in document
terminology - ISO

Action:

The P1003.6 WG has discussed these points and during the rework of the document for Draft 7 some of the references have already been removed. Considerable work will be done in the next few months to make the document ISO like.

2. Scope The scope of P1003.6 should be extended to encompass the following functions:
a. X.400, X.500, etc.
b. Information labelling, including hard copy labelling
c. transportable label format

Action:

Information labelling has been moved into the work being done by P1003.6. Draft 8 should contain the functions offered on this topic.

All the other topics are currently considered out-of-scope for this version of P1003.6

3. Authentication There have been many comments/requests for P1003.6 to cover the topic of Authentication. This has been discussed at length by the working group and the decision is as follows:

Action:

It is not thought feasible to put this item into the scope of work for the current draft. The main reasons being:

a. It is not understood what sort of interface os expected to be defined which would help make an application portable.

b. It is NOT the intention of P1003.6 to define authenticatlon methods as these are rapidly changing and it is really an implementation question. e.g. password entering from a terminal as against using a "smart card".

It is understood, however, that other functions, notably in the network area, require to be able to authenticate the request for information that is arriving at thair node. P1003.6 is liaising with the network people to ensure that the problems are fully understood on both sides. If it is possible to define a portable interface requirement for authentication, then P1003.6 will review this requirement for inclusion in a revision of their standard.

The following points have been received from Denmark and have been included here for consistency. They will be discussed at the next meeting to see whether the group believes that they belong as issues against P1003.6 or whether they are in fact implementation details or recommendations to users:

4. Differentiated Access

Deletion of data may only be done from designated terminals and only by specially authorized users. This might also be true of the printing of lists containing certain persons information. 5.    Security report All unauthorized access-attempts should be logged. It a specific number of such attempts from the same terminal are logged within a specified time-frame, then this should be printed and immediate action should be taken. 6.    Usaqe Statistics At least once a month usage-statistics should be printed. For every operator it shall specify which transactions have been accessed or attempted to be accessed, as well as the number of times this has happened for each transaction. 7.    Complete Logging
A complete log/audit trail of all transaction made should be maintained. The log should at least contain the time, operator, transaction type, and person/seek-criteria that was the object. The log shall be kept at least six months. 8.    Chance of Operator
Passwords should be keyed-in non-readable and when the operator leaves the terminal precautions should be taken such that a password is required to use the terminal again. 9.    Password-ageing
The password should be changed at LEAST once a year. Rules pertaining to the length etc. should also exist.