ImageVerifierCode 换一换
格式:PDF , 页数:30 ,大小:831.90KB ,
资源ID:737310      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-737310.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ETSI TR 187 023-2012 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Security Assurance Profile for Secured Telecommunications Ope.pdf)为本站会员(sumcourage256)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ETSI TR 187 023-2012 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Security Assurance Profile for Secured Telecommunications Ope.pdf

1、 ETSI TR 187 023 V1.1.1 (2012-03) Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Assurance Profile for Secured Telecommunications Operations; Statement of needs for security assurance measurement in operational telecom infrastructures Tech

2、nical Report ETSI ETSI TR 187 023 V1.1.1 (2012-03) 2Reference DTR/TISPAN-07049-NGN Keywords assurance, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non

3、 lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived diffe

4、rence in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware th

5、at the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/p

6、ortal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2012. All rights reserved. DECTTM, PL

7、UGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Associa

8、tion. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 3Contents Intellectual Property Rights 5g3Foreword . 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Risk, Trust and

9、Assurance 8g34.1 Operational Security Assurance . 8g34.2 Concepts . 10g34.2.1 The Target of Measurement (TOM) . 10g34.2.2 The Security Assurance Views (SAV) 10g34.3 General use of Assurance Profiles 11g34.3.1 How an AP should be used . 11g34.3.2 What an AP is not intended to provide . 11g34.4 Implem

10、enting an assurance program using Assurance Profiles . 12g34.4.1 Assurance program definition . 12g34.4.2 Assurance program implementation methodology . 12g34.4.3 Use of Assurance Profile 14g35 Building an Assurance Profile 15g36 Assurance Profile components . 17g36.1 Assurance profile reference 17g

11、36.2 Target of Measurement 18g36.2.1 Dependencies 18g36.2.2 Component requirements 18g36.2.3 Explanation . 18g36.2.4 Example of application . 19g36.3 Security Problem Definition . 20g36.3.1 Dependencies 20g36.3.2 Component requirements 20g36.3.3 Explanation . 20g36.3.4 Example of application . 20g36

12、.4 Compliance Claims 21g36.4.1 Dependencies 21g36.4.2 Component requirements 21g36.4.3 Explanation . 21g36.4.4 Example of application . 22g36.5 Security Objectives. 22g36.5.1 Dependencies 22g36.5.2 Component requirements 22g36.5.3 Explanation . 22g36.5.4 Example of application . 22g36.6 Security Req

13、uirements . 23g36.6.1 Dependencies 23g36.6.2 Component requirements 23g36.6.3 Explanation . 23g36.6.4 Example of application . 24g36.7 Measurement Objectives 24g36.7.1 Dependencies 24g3ETSI ETSI TR 187 023 V1.1.1 (2012-03) 46.7.2 Component requirements 24g36.7.3 Explanation . 24g36.7.4 Example of ap

14、plication . 25g36.8 Measurement Requirements . 25g36.8.1 Dependencies 25g36.8.2 Component requirements 25g36.8.3 Explanation . 25g36.8.4 Example of application . 26g36.9 Security Assurance Views 27g36.9.1 Dependencies 27g36.9.2 Component requirements 27g36.9.3 Explanation . 27g36.9.4 SAV Objects . 2

15、7g36.9.5 Metrics 28g36.9.6 Example of application . 28g37 Claiming compliance with an Assurance Profile . 28g3History 30g3ETSI ETSI TR 187 023 V1.1.1 (2012-03) 5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The informatio

16、n pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI

17、Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the update

18、s on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN). Introduction An Assur

19、ance Profile (AP) document is a formalization of needs in which equipment vendors, solution providers, service integrators, operators and service providers or even final users can define a common set of security assurance measurement requirements for a service infrastructure. An Assurance Profile gi

20、ves a means of referring to this set, and facilitates future evaluation against these needs. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 61 Scope The present document presents the structure of the Assurance Profiles. 2 References References are either specific (identified by date of publication and/or edi

21、tion number or version number) or non-specific. For specific references,only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected loc

22、ation might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the prese

23、nt document. Not applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ISO/IEC 15408: “Information technology - Security techniques - Evaluation cr

24、iteria for IT security (also known as Common Criteria)“. i.2 ETSI TS 187 016: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Identity Protection (Protection Profile)“. i.3 ETSI TR 187 002: “Telecommunications and Internet converged S

25、ervices and Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat, Vulnerability and Risk Analysis“. i.4 ISO 27005: “ Information technology - Security techniques - Information security risk management“. i.5 Directive 95/46/EC of the European Parliament and of the Council

26、 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. i.6 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy i

27、n the electronic communications sector (Directive on privacy and electronic communications). i.7 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic commu

28、nications services or of public communications networks and amending Directive 2002/58/EC. i.8 COM 96/C 329/01: Council Resolution of 17 January 1995 on the lawful interception of telecommunications. i.9 ETSI TS 102 165-1: “Telecommunications and Internet converged Services and Protocols for Advance

29、d Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis“. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 73 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: operational

30、 security assurance: ground for confidence that security controls are running as expected in an operational system. security assurance measurement requirements: elements of evidence that need to be measured within a service infrastructure to gain assurance that the security controls are running as e

31、xpected Security Assurance View (SAV): specifically focused representation of the security assurance measurement results. Target of Measurement (TOM): minimal part of a service infrastructure where security controls are implemented and for which continuous security assurance measurement is required

32、3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AAA Authentication, Authorization and Accounting AP Assurance Profile AP_SSO Assurance Profile_Security CC Common Criteria CCL Compliance ClaimsCPE Customers Premises Equipment CPE Customers Premises Equip

33、ment ECN Electronic Communication Network ECN Electronic Communication Network ECS Electronic Communication Service ECS Electronic Communication Service HR Human Resources IO Infrastructure Object 4 General concepts and use of Assurance Profiles IPTV Internet Protocol TeleVision IP-VPN Internet Prot

34、ocol-Virtual Private Network MR Measurement Requirement NGN Next Generation Network NGN-R NGN-Release NOC Network Operations Center NT Network Termination NT Network Termination OS Operating System OSR Operational Security Requirements SAV Security Assurance View SAV Security Assurance ViewsSLA Serv

35、ice Level Agreement SOC Security Operations CenterSPD Security Problem Definition SSO System Security Objectives TOE Target of Evaluation TOM Target of Measurement TSF ToE Security Function TVRA Threat Vulnerability Risk Analysis ETSI ETSI TR 187 023 V1.1.1 (2012-03) 84 Risk, Trust and Assurance An

36、assurance profile is the expression of requirements to deploy a security assurance program in order to measure, monitor and maintain security assurance of a telecommunications infrastructure for a particular service. Such a program can be illustrated in the following diagram where assurance manageme

37、nt is a continuation of risk management and an input for trust management. We address in the present document security assurance by measurement: infrastructures measured by metrics that generate evidence that leads to assurance. Ri sk sMetricsEvi d en ceAssurance Confidencethatgeneratewhichleadstoth

38、attheminimizeInfrastructuresthat threaten themeasuredbywhich givesAssuranceManagementMeasurementMonitoringTrust managementRisk ManagementAssistanceCountermeasuresthatgeneratewhichleadstothattheminimizeFigure 1: Risk, Assurance and Trust 4.1 Operational Security Assurance We define operational securi

39、ty assurance, as ground for confidence that security controls are running as expected in an operational system; this is illustrated in figure 2. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 9Inherent RisksKnown/identified RisksSecurity Objectives / Security PolicySecurity Controls (Security Architecture)De

40、ployed Security ControlsRunning Security ControlsOK NOKOKRisksManagementDesignImplementationSystemOperationResidual risksImplementation drift Operational driftOperational Security Assurance:Are Security Controls running as expected?OKOK OK NOKOKDeploymentDeployment driftISO 15408Common CriteriaTarge

41、t of MeasurementISO 27005TVRAOperational Security AssuranceFigure 2: Operational Security Assurance definition Operational security assurance is the last step in the overall security life cycle process. Figure 2 presents the different steps and how security assurance is related to all of them. Figur

42、e 2 also shows how some of the most relevant standards are related to these different steps. The first step is called risk management. A service infrastructure is exposed to threats and is subject to vulnerabilities (inherent risks). Managing risks consists in first identifying those risks (risk ass

43、essment) and then deciding the ones that can be covered by security objectives and those that are considered residual risks (risk treatment and risk acceptance). There are several standards concerned with risk management e.g. ISO 27005 i.4 and ETSI TVRA i.9 are some of the most appropriate and used

44、standards related to IT and telecommunications infrastructures. The second step is the design and implementation of security controls that will lead to the security architecture. The drift that can occur is called implementation drift and can be measured with ISO 15408 standards i.1 that brings assu

45、rance that the implemented system achieves expected security objectives. The third step is the deployment phase where security architecture is deployed and configured. During this step, implemented security controls can be deactivated or modified by configuration. Drift that can occur is called depl

46、oyment drift. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 10The last step is the operational phase. In this phase, an operational drift can occur: procedures could not be applied, configuration of equipments could be modified, equipments could be down, services could be unavailable, etc. The implementatio

47、n of a security assurance program allows the evaluation (with more or less precision depending on the assurance level) of this operational drift. To achieve and quantify this drift, measures are performed on the target of measurement. 4.2 Concepts 4.2.1 The Target of Measurement (TOM) An Assurance P

48、rofile (AP) refers to a particular service infrastructure. It defines a Target of Measurement (TOM) as the minimal part of this infrastructure that needs to be measured continuously in order to evaluate the operational security assurance for the service. The Target of Measurement is in general the m

49、inimal set of elements that enforce or contributes to the security of the service. 4.2.2 The Security Assurance Views (SAV) The Assurance Profile introduces the concept of Security Assurance View (SAV). Each Security Assurance View, defined in an Assurance Profile, gives a particular representation of the measurement results (i.e. information on the operational security assurance of the service). An Assurance Profile contains one or several Security Assurance Views. Each Security Assurance View has a specific focus (e.g. a regulation, a standard, a

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1