Upgrade Vol. VI, issue 4 (August 2004)
Upgrade, The European Journal for the Informatics Professional
Next issue (October 2005): monographic section dedicated to "Computing Omnipresence"

Upgrade, Vol. VI, issue no. 4: cover page by Antonio Crespo Foix, © ATI 2005

Vol. VI, issue no. 4, August 2005

Standardization for ICT Security

 Published on behalf of CEPIS by Novática (ATI, Spain)


Guest Editors:

Paloma García-López, Stefanos Gritzalis, and Javier López-Muñoz

Contents
Editions of the monograph in other languages
  • Italian, by Tecnoteca / ALSI (summary, abstracts and presentation online) **available soon**
  • Spanish, by Novática (full edition printed --already available--; summary, abstracts and some articles online **already available**)


Editorial Team of Upgrade

Chief Editor: Rafael Fernández Calvo, <rfcalvo AT ati DOT es>
Associate Editors: François Louis Nicolet, <nicolet AT acm DOT org>; Roberto Carniel, <rcarniel AT dgt DOT uniud DOT it>; Zakaria Maamar, <Zakaria DOT Maamar AT zu DOT ac DOT ae>; Soraya Kouadri Mostéfaoui, <soraya DOT kouadrimostefaoui AT unifr DOT ch>

(E-mail addresses written with anti-spamming disguise)



Monograph: Standardization for ICT Security

Presentation
ICT Standardization: An International and Cross-sectorial Task [HTML] [PDF: 2 pages, 639 KB]
Paloma García-López, Stefanos Gritzalis, and Javier López-Muñoz - Guest Editors
Abstract: The guest editors present the monograph and briefly introduce the papers it consists of, which take a look at the world of regulation and standardization of ICT (Information and Communications Technologies) from the viewpoint of security.

Where Do the Voluntary Standards and Recommendations Regarding Information Security Come From? [PDF: 9 pages, 839 KB]
Paloma García-López
Abstract: This paper explains how standards are developed by technical committees that are part of recognised standardization bodies. These committees have a balanced membership of stakeholders in their respective fields. As far as information security is concerned, the main international committee is JTC1/SC27 “Security Techniques”. In the information security area, this committee decided to deal with the subject matter from the point of view of security management. Accordingly, the so-called Management Model 27000, the Information Security Management System (ISMS), has been established, which we will describe in this paper.

CEN/ISSS and Its Contribution to European Standardization in Security of Information Technologies [PDF: 4 pages, 579 KB]
Luc Van den Berghe
Abstract: In this paper a wide overview of the ICT (Information and Communications Technologies) standardization activities that are taking place in the European arena is presented, with special emphasis on the area of ICT security. The pivotal role that CEN/ISSS (Comité Européen de Normalisation / Information Society Standardization System) and its numerous working groups and workshops are playing is described.

International Standardization of Information and IT Security - Current and Future SC27 Activities [PDF: 5 pages, 610 KB]
Ted Humphreys
Abstract: This article provides an overview of the work of SC 27, an international centre of expertise in the field of information and IT security standards that has been at the forefront of this work for over a decade. It also looks at its future programme of work in the specific area of information security management, an increasingly important area in a world where protection of organisational information assets is critical.

Common Criteria International Standards [PDF: 6 pages, 703 KB]
Miguel Bañón
Abstract: This article offers an overview of the Common Criteria International Standards, which are the de facto standards, developed by a group of governmental organizations, for the evaluation and certification of the security of Information Technology products. It also includes a description of the work being done to further develop these standards.

Security Metrics and Measurements for IT [PDF: 3 pages, 572 KB]
José A. Mañas-Argemí
Abstract: Security is a rising concern both for technicians in charge of information systems and for managers who need confidence in their performance in order to reach the company objectives and to establish relationships with other companies (the so-called electronic commerce). Metrics are needed to know the current state, to improve it, and to manage investments. A common understanding is needed vertically (within one organisation) and horizontally (across different organisations).

IT Security Audits from A Standardization Viewpoint [PDF: 5 pages, 584 KB]
Marina Touriño-Troitiño
Abstract: Information System Auditing and standardization of Information Technology Security are two fields that converge and which mutually enhance each other in terms of their main aim: to provide trust to users and organizations about the level of protection of the information processed by means of Information and Communications Technologies (ICT). However, they have different scopes and involve different tasks for professionals in the IT Audit business and for those who are responsible for the actual security of Information Systems. This paper covers both aspects.

Legislation, Standards and Recommendations Regarding Electronic Signature [PDF: 5 pages, 587 KB]
Josep-Lluís Ferrer-Gomila and Apol·lònia Martínez-Nadal
Abstract: The current legal framework governing electronic signature is apparently adequate and comprises a considerable number of technical standards and recommendations. In this article we will show how in certain aspects European Union legislation is in line with technical recommendations, but in others the law is a little out of sync with technology. There is still some way to go before the two disciplines converge. There can be little doubt that when they do it will lead to a greater use of electronic signatures, a technology which has many clear benefits to offer society.

The X.509 Privilege Management Standard [PDF: 6 pages, 890 KB]
David Chadwick
Abstract: This paper provides an overview of Privilege Management Infrastructures (PMIs), as standardised in the 2001 edition of X.509. It briefly compares PMIs to PKIs (Public Key Infrastructures) and then describes how an X.509 PMI was first implemented in the PERMIS authorisation infrastructure. The paper highlights many features of a practical PMI implementation that were not part of the X.509 (2001) standard, and that had to be solved in the PERMIS implementation. Many of these features are now being or already have been specified in recent standards from OASIS (Object-Oriented Administrative Systems-development in Incremental Steps), the IETF (Internet Engineering Task Force), the GGF (Global Grid Forum), and the forthcoming 2005 edition of X.509. The paper also points out several features that still remain to be standardised.

ICT Security Standards for Healthcare Applications [PDF: 8 pages, 606 KB]
Spyros Kokolakis and Costas Lambrinoudakis
Abstract: Healthcare has always been a favoured area for the application of Information and Communication Technologies (ICT), and healthcare organisations were among the first to incorporate information systems in their operation. Following the trend, Health Information Systems (HIS) have followed an evolutionary course leading to a new generation of e-Health systems. Personalization of service, ubiquitous information management, and integration of intelligent and communicating devices are only a few of the new features that HIS are expected to embed in the near future. Moreover, HIS store and process information which is characterised as highly sensitive. Therefore, privacy and security have been acknowledged as high-priority issues and critical factors for the adoption and effective integration of ICT in the healthcare sector. Furthermore, when considering a shared care environment with the participation of many independent healthcare organisations and the requirement for exchanging electronic healthcare records, the situation becomes much more complex, since the implementation of a global security policy may turn out to be an over-ambitious task. This paper presents some of the most important international and European Health Informatics Standards, highlighting their contribution towards Health Information Systems’ interoperability, fulfilment of safety, security and legal requirements, and market efficiency.


The Guest Editors

Paloma García-López is an Industrial Engineer from the Universidad Politécnica de Madrid, Spain. In 1999 she joined AENOR (Asociación Española de Normalización y Certificación), where she is currently Head of the ICT Service in the Standardization Division. She coordinates the national standardization activities for ICT products and services, and is an active participant in European and international programs in this field. She is chairwoman of the Spanish National Committees AEN/CTN71 “Tecnologías de la Información” and SC27 “Técnicas de seguridad”, which is part of the former. <pgarcial AT aenor DOT es>

Stefanos Gritzalis holds a BSc in Physics, an MSc in Electronic Automation, and a PhD in Informatics, all from the University of Athens, Greece. Currently he is an Associate Professor, the Head of the Department of Information and Communication Systems Engineering, University of the Aegean, Greece, and the Director of the Laboratory of Information and Communication Systems Security (Info-Sec-Lab). He has been involved in several national and EU funded R&D projects in the areas of Information and Communication Systems Security. These research programs include SNOCER (FP6 SME-1), CRL Study (DG Enterprise), KEYSTONE (DG XIII), COSACC (DG XIII), EUROMED-ETS (DG XIII), ERMIS (DG XVI), PD4/5 (DG XIII), etc. His published scientific work includes seven books on Information and Communication Technologies topics, and more than ninety journal and national and international conference papers. The focus of these publications is on Information and Communication Systems Security. He has served on program and organizing committees of national and international conferences on Informatics and is a reviewer for several scientific journals. He was a Member of the Board (Secretary General, Treasurer) of the Greek Computer Society. He is a member of the ACM and the IEEE. <sgritz AT aegean DOT gr>

Javier López-Muñoz holds a PhD in Computer Science. He is a member of the Area of Telematics Engineering of the Dept. of Computer Languages and Sciences at the Universidad de Málaga, Spain, where he lectures as an Associate Professor at the Higher School of Informatics Engineering and carries out research work as part of the University’s GISUM group (Software Engineering Group), in which he coordinates the security subgroup. His research is currently centred on the field of security in communication networks and electronic commerce, a field in which he has carried out part of his research work in various USA university centres specialising in the subject. In GISUM he is the technical head of several research projects relating to practical aspects of ICT security, perhaps the most important of which is the international Global PKI project of Japan’s Telecommunications Advancement Organization. He is ATI’s representative at IFIP’s TC11 (Security and Protection in Information Processing Systems), co-editor of the “Security” section of Novática, and has been guest editor for some other monographs of UPGRADE and Novática. <jlm AT lcc DOT uma DOT es>


Mosaic [PDF: 2 pages, 639 KB]

Web Services
QoS Information & Computation (QoS-IC) Framework for QoS-Based Discovery of Web Services
Laila Taher, Rawshan Basha and Hazem El Khatib
Abstract: Quality of Service (QoS) is an important criterion for Web service selection. In this paper, we propose a generic QoS Information and Computation (QoS_IC) framework for a QoS-based selection mechanism for Web services, which relies on a proposed QoS ontology. The QoS_IC framework establishes a QoS ontology between providers and consumers to provide a common understanding of QoS parameters and their semantics. The QoS_IC framework uses a Similarity Distance Measure [1] technique in the underlying QoS selection algorithm. We also introduce QoS modes, which designate modes of QoS computation to help consumers adapt to different system conditions of the providers.

UPENET (UPGRADE European NETwork) [PDF: 4 pages, 613 KB]

From Novática (ATI Spain)
Software Patents

Ariba versus ePlus: A Software Patent Lawsuit in The USA
Llorenç Pagés-Casas

This paper was first published, in Spanish, by Novática (issue no. 174, Mar.-Apr. 2005, pp. 72–74). Novática, a founding member of UPENET, is a bimonthly journal published, in Spanish, by the Spanish CEPIS society ATI (Asociación de Técnicos de Informática – Association of Computer Professionals).


Abstract: In the summer of 2002 the journal “Purchasing Magazine Online” published a list of the most important companies (more than 50, most of them American) in the area of supply chain management software. Barely a year later, a note appeared in the same journal announcing that the company ePlus had taken out a software patent on supply chain management software. The announcement was remarkable for two reasons: firstly because ePlus was not on the list of major companies in that area published the previous year, and secondly because the patent referred to functionalities such as the electronic verification of inventory availability or the transfer of information from ERP (Enterprise Resource Planning) or other systems to purchase orders, functionalities which the supply chain management software industry had already been providing for several years. This is how software patents work in the USA. In this article we will be taking a closer look at the subject by studying the specific case of a lawsuit which went to court and was finally settled a few weeks ago.


Monograph: Standardization for ICT Security

Presentation
ICT Standardization: An International and Cross-sectorial Task [PDF: 12 pages, 613 KB]
Paloma García-López, Stefanos Gritzalis, and Javier López-Muñoz - Guest Editors

1 Introduction

More often than we might think, we work with documents known as international standards or with documents directly based on those standards. In fact, a considerable percentage of the research carried out in national and international universities, companies and research centres is founded on the existence of such standards. Far from being simply documents ‘discovered’ by chance and signed by an anonymous author whose identity will never be known, they are actually produced under the auspices of officially recognised standardization bodies.

The increasingly multi-sectoral nature of voluntary standards is evidenced by the fact that an ever growing number of sectors are seeing standardization as a basis for providing users and customers with higher quality services and products.

With regard to the international framework concerned with Information Technologies (IT) related aspects, there is a joint committee formed by two standardization bodies: ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission, focusing on the electrical areas of each field). The joint technical committee is known as JTC1 (Joint Technical Committee 1).

Standardization and Certification (S&C) activities in the field of Information Technologies are increasingly relevant to organizations and the general public. This is particularly true of everything related to information security, and not only concerning product manufacturing and marketing requirements but also the standardization of information management carried out by organizations in order to protect the information they are handling.

This monograph takes a look at the world of regulation and standardization from the viewpoint of security. If for many years the field of security has been a kind of ‘dark’ space in comparison with other areas of Information Technology, this is even truer in the case of the standards regulating the security techniques which are nowadays embedded in so many applications and ICT systems. This monograph aims to bring this aspect of ICT security out of the shadows and into the spotlight. It is made up of nine articles which cover the aspects of ICT standardization that we consider to be of most interest to our readers.

2 The Contents of This Monograph

The first group of articles focuses on familiarizing readers with the various standardization bodies. Thus, first of all, Paloma García-López, in her article Where Do the Voluntary Standards and Recommendations Regarding Information Security Come from?, provides an introduction to the world of standardization. The article looks at the origin and drafting methods of the IT security related standards presently used by the various stakeholders. It presents an overview of the main international and European documents and – taking Spain as an example – describes how individual countries participate in these developments, while a special section is dedicated to the drafting processes behind these standards. The following article, CEN/ISSS and Its Contribution to European Standardization in Security of Information Technologies, by Luc Van den Berghe, presents the topic from the viewpoint of CEN/ISSS (Comité Européen de Normalisation / Information Society Standardization System) and describes the effort it is making to provide an environment in which documents and specifications can be developed wherever an area of interest is identified. Next, Ted Humphreys, in his article International Standardization of Information and IT Security - Current and Future SC27 Activities, introduces us to the work of Sub-Committee 27, a part of the abovementioned international committee ISO/IEC JTC1, and its future work programme in the specific area of information security management, providing readers with a view of the future outlook and the upcoming shift in content in this field – in short, how the orientation of standards is changing in response to the demands of present-day organizations in such a changing world.

Next up are a series of articles of a more general nature which take a look at the keys to the future of standards and the requirements of the various interested groups which need to be met in order to enable the development, advance, and penetration of our oft-mentioned Information Society.

In this group of articles, Miguel Bañón, in Common Criteria International Standards, introduces readers to the “Common Criteria for Information Technology Security Evaluation” and the “Common Methodology for Information Technology Security Evaluation”, which are internationally accepted standards used to evaluate and certify security products. Meanwhile, in his article Security Metrics and Measurements for IT, José A. Mañas-Argemí looks into the need to measure the level of security that we have implemented in an organization, from the point of view of both that organization’s technical requirements and its management measures. The author argues that metrics are essential for knowing an organization’s current security status, improving it, and managing expenditure and investment on security.

In the same vein, in IT Security Audits from A Standardization Viewpoint, Marina Touriño shows how information security auditing and the regulatory framework are converging worlds, ones which are mutually beneficial in the quest for the heightened security levels that our Information Society requires.

The following article, Legislation, Standards and Recommendations Regarding Electronic Signature, by Josep-Lluís Ferrer-Gomila and Apol·lònia Martínez-Nadal, shows how European Union legislation and technical recommendations are convergent, although the authors also point to an occasional lack of alignment between technology and prevailing law.

In the final group of articles, David Chadwick, in The X.509 Privilege Management Standard, provides an overview of Privilege Management Infrastructures (PMIs) and how the X.509 standard has evolved since its publication in 2001 up to the latest 2005 edition, which is soon to be published. Finally, the monograph closes with an article by Spyros Kokolakis and Costas Lambrinoudakis entitled ICT Security Standards for Healthcare Applications, in which they make an interesting contribution concerning security standards applied to telemedicine or e-Health, currently an emerging field at the intersection between medical IT, public health, and business. This field involves health services and information delivered or enhanced by the Internet and related technologies, and the article describes how the Public Health system has always been a pioneer in the use of security regulations and standards specifically developed and adapted to this controversial area of IT application.

Let us remark that the customary “Useful References” for readers who wish to understand the matter being covered in greater detail have not been included this time, because the papers above already contain a lot of them (see, for instance, the glossary of acronyms in the paper by Luc Van den Berghe).

In closing, we would like to thank the authors, all of them recognised specialists in the field of ICT standardization, for their interesting contributions, and the editors of Novática and UPGRADE for the confidence they have placed in us by asking us to edit this monograph.

Translation by Steve Turpin

Last updated on September 30th, 2005 by the Editorial Team of Upgrade

Copyright © CEPIS 2005. All rights reserved unless otherwise stated.