AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS

ATIS-0300074.2015

Guidelines and Requirements for Security Management Systems

As a leading technology and solutions development organization, the Alliance for Telecommunications Industry Solutions (ATIS) brings together the top global ICT companies to advance the industry's most pressing business priorities. ATIS' nearly 200 member companies are currently working to address the All-IP transition, network functions virtualization, big data analytics, cloud services, device solutions, emergency services, M2M, cyber security, network evolution, quality of service, billing support, operations, and much more. These priorities follow a fast-track development lifecycle from design and innovation through standards, specifications, requirements, business use cases, software toolkits, open source solutions, and interoperability testing.

ATIS is accredited by the American National Standards Institute (ANSI). The organization is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of the oneM2M global initiative, a member of and major U.S. contributor to the International Telecommunication Union (ITU), as well as a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit www.atis.org.

AMERICAN NATIONAL STANDARD

Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria
for approval have been met by the standards developer.

Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Notice of Disclaimer & Limitation of Liability

The information provided in this document is directed solely to professionals who have the appropriate degree of experience to understand and interpret its contents in accordance with generally accepted engineering or other professional standards and applicable regulations. No recommendation as to products or vendors is made or should be implied.

NO REPRESENTATION OR WARRANTY IS MADE THAT THE INFORMATION IS TECHNICALLY ACCURATE OR SUFFICIENT OR CONFORMS TO ANY STATUTE, GOVERNMENTAL RULE OR REGULATION, AND FURTHER, NO REPRESENTATION OR WARRANTY IS MADE OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR AGAINST INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. ATIS SHALL NOT BE LIABLE, BEYOND THE AMOUNT OF ANY SUM RECEIVED IN PAYMENT BY ATIS FOR THIS
DOCUMENT, AND IN NO EVENT SHALL ATIS BE LIABLE FOR LOST PROFITS OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES. ATIS EXPRESSLY ADVISES THAT ANY AND ALL USE OF OR RELIANCE UPON THE INFORMATION PROVIDED IN THIS DOCUMENT IS AT THE RISK OF THE USER.

NOTE - The user's attention is called to the possibility that compliance with this standard may require use of an invention covered by patent rights. By publication of this standard, no position is taken with respect to whether use of an invention covered by patent rights will be required, and if any such use is required no position is taken regarding the validity of this claim or any patent rights in connection therewith. Please refer to http://www.atis.org/legal/patentinfo.asp to determine if any statement has been filed by a patent holder indicating a willingness to grant a license either without compensation or on reasonable and non-discriminatory terms and conditions to applicants desiring to obtain a license.

ATIS-0300074.2015, Guidelines and Requirements for Security Management Systems

Is an American National Standard developed by the ATIS Telecom Management and Operations Committee (TMOC).

Published by
Alliance for Telecommunications Industry Solutions
1200 G Street, NW, Suite 500
Washington, DC 20005

Copyright 2015 by Alliance for Telecommunications Industry Solutions
All rights reserved.

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher. For information contact ATIS at 202.628.6380. ATIS is online at .

ATIS-0300074.2015
Revision of ATIS-0300074.2009

American National Standard for Telecommunications

Guidelines and Requirements for Security Management Systems

Alliance for Telecommunications Industry Solutions

Approved January 7, 2015
American National Standards Institute, Inc.

Abstract

This standard aligns with the relevant ITU-T Recommendation M.3410, Guidelines and Requirements for Security Management Systems to Support Telecommunications Management.

Foreword

The information contained in
this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSI's requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the standard.

The Alliance for Telecommunication Industry Solutions (ATIS) serves the public through improved understanding between providers, customers, and manufacturers. The Telecom Management and Operations Committee (TMOC) develops operations, administration, maintenance and provisioning standards, and other documentation related to Operations Support System (OSS) and Network Element (NE) functions and interfaces for communications networks - with an emphasis on standards development related to U.S.A. communication networks in coordination with the development of international standards.

ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word SHALL and recommendations by the word SHOULD. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages.

Suggestions for improvement of this standard are welcome. They should be sent to the Alliance for Telecommunications Industry Solutions, TMOC, 1200 G Street NW, Suite 500, Washington, DC 20005.

At the time it approved this standard, TMOC, which is responsible for the development of this standard, had the following members:

T. Barrett, TMOC Chair (AT&T)
S. Kiewel, TMOC Vice Chair (iconectiv)
T. Barrett, Technical Editor (AT&T)

1 Scope, Purpose, & Application

1.1 Scope

It is the intention of this standard to use and align with the relevant ITU-T Recommendation. This alignment effort consists of adopting ITU-T Recommendation M.3410, Guidelines and Requirements for Security Management Systems to Support Telecommunications Management.

M.3410 specifies the functional requirements of a security management system (SMS) that offers a centralized view for control and security oversight of a Telecommunications Service Provider's infrastructure. Because different administrations and organizations require varying levels of security support, M.3410 does not specify whether a requirement is mandatory or optional. The proforma found in Annex A of M.3410 is provided to assist administrations and other national/international organizations to specify the mandatory and optional support of the requirements.

The proforma is specified using the numbered requirements from M.3410. Table A.1/M.3410 contains the requirements from M.3410. According to M.3410, the user (of M.3410) should complete the other columns according to the guidelines provided. TMOC (as the user of M.3410) has completed this table (proforma) as shown in Annex A of this standard.

2 Normative References

The following standards contain provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below.

ITU-T Recommendation M.3410, Guidelines and Requirements for Security Management Systems to Support Telecommunications Management.¹

¹ This document is available from the International Telecommunications Union.

Annex A
(informative)

Table A.1 - M.3410: Proforma for requirements in ITU-T Recommendation M.3410 (completed by TMOC)

| Security Requirement | Status | Comments |
|---|---|---|
| SEC-1 | m | |
| SEC-2 | m | TLSv1 is preferred over SSLv2, SSLv2c and SSLv3 |
| SEC-3 | m | |
| SEC-4 | m | Preference is a) then b) or c): a) Any command line interface application protocol should rely on IPsec based authentication and confidentiality. b) Any command line interface application protocol over TCP should rely on TLSv1 or SSH based authentication and confidentiality. c) Any command line interface application protocol over UDP should rely on DTLSv1 based authentication and confidentiality. |
| SEC-5 | m | |
| SEC-6 | m | |
| SEC-7 | m | |
| SEC-8 | m | |
| SEC-9 | m | |
| SEC-10 | m | |
| SEC-11 | m | |
| SEC-12 | m | |
| SEC-13 | m | |
| SEC-14 | m | |
| SEC-15 | m | |
| SEC-16 | m | |
| SEC-17 | m | |
| SEC-18 | m | |
| SEC-19 | m | |
| SEC-20 | m | |
| SEC-21 | m | |
| SEC-22 | m | |
| SEC-23 | m | |
| SEC-24 | m | |
| SEC-25 | m | |
| SEC-26 | m | |
| SEC-27 | o | |
| SEC-28 | m | |
| SEC-29 | m | |
| SEC-30 | m | |
| SEC-31 | m | |
| SEC-32 | m | |
| SEC-33 | m | |
| SEC-34 | o | Predefined reports are considered mandatory, whereas definable report capabilities are considered optional. |
| SEC-35 | m | |
| SEC-36 | m | |
| SEC-37 | m | |
| SEC-38 | m | |
| SEC-39 | m | |
| SEC-40 | m | |
| SEC-41 | m | |
| SEC-42 | m | |
| SEC-43 | m | |
| SEC-44 | m | |
| SEC-45 | m | |
| SEC-46 | m | |
| SEC-47 | m | |
| SEC-48 | m | |
| SEC-49 | m | |
| SEC-50 | m | |
| SEC-51 | m | |
| SEC-52 | m | |
| SEC-53 | m | |
| SEC-54 | m | |
| SEC-55 | m | |
| SEC-56 | m | |
| SEC-57 | m | |
| SEC-58 | m | |
| SEC-59 | m | |
| SEC-60 | m | |
| SEC-61 | m | |
| SEC-62 | m | |
| SEC-63 | m | |
| SEC-64 | m | Additional attributes within the security management information base may be included beyond those mandated in this requirement. |
| SEC-65 | m | |
| SEC-66 | m | |
| SEC-67 | m | |
| SEC-68 | m | |
| SEC-69 | m | |
| SEC-70 | o | |
| SEC-71 | m | |
| SEC-72 | m | |
| SEC-73 | m | |
| SEC-74 | m | |
| SEC-75 | m | |