1、 ETSI TR 187 023 V1.1.1 (2012-03) Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Assurance Profile for Secured Telecommunications Operations; Statement of needs for security assurance measurement in operational telecom infrastructures Tech
2、nical Report ETSI ETSI TR 187 023 V1.1.1 (2012-03) 2Reference DTR/TISPAN-07049-NGN Keywords assurance, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non
3、 lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived diffe
4、rence in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware th
5、at the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/p
6、ortal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2012. All rights reserved. DECTTM, PL
7、UGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Associa
8、tion. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 3Contents Intellectual Property Rights 5g3Foreword . 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Risk, Trust and
9、Assurance 8g34.1 Operational Security Assurance . 8g34.2 Concepts . 10g34.2.1 The Target of Measurement (TOM) . 10g34.2.2 The Security Assurance Views (SAV) 10g34.3 General use of Assurance Profiles 11g34.3.1 How an AP should be used . 11g34.3.2 What an AP is not intended to provide . 11g34.4 Implem
10、enting an assurance program using Assurance Profiles . 12g34.4.1 Assurance program definition . 12g34.4.2 Assurance program implementation methodology . 12g34.4.3 Use of Assurance Profile 14g35 Building an Assurance Profile 15g36 Assurance Profile components . 17g36.1 Assurance profile reference 17g
11、36.2 Target of Measurement 18g36.2.1 Dependencies 18g36.2.2 Component requirements 18g36.2.3 Explanation . 18g36.2.4 Example of application . 19g36.3 Security Problem Definition . 20g36.3.1 Dependencies 20g36.3.2 Component requirements 20g36.3.3 Explanation . 20g36.3.4 Example of application . 20g36
12、.4 Compliance Claims 21g36.4.1 Dependencies 21g36.4.2 Component requirements 21g36.4.3 Explanation . 21g36.4.4 Example of application . 22g36.5 Security Objectives. 22g36.5.1 Dependencies 22g36.5.2 Component requirements 22g36.5.3 Explanation . 22g36.5.4 Example of application . 22g36.6 Security Req
13、uirements . 23g36.6.1 Dependencies 23g36.6.2 Component requirements 23g36.6.3 Explanation . 23g36.6.4 Example of application . 24g36.7 Measurement Objectives 24g36.7.1 Dependencies 24g3ETSI ETSI TR 187 023 V1.1.1 (2012-03) 46.7.2 Component requirements 24g36.7.3 Explanation . 24g36.7.4 Example of ap
14、plication . 25g36.8 Measurement Requirements . 25g36.8.1 Dependencies 25g36.8.2 Component requirements 25g36.8.3 Explanation . 25g36.8.4 Example of application . 26g36.9 Security Assurance Views 27g36.9.1 Dependencies 27g36.9.2 Component requirements 27g36.9.3 Explanation . 27g36.9.4 SAV Objects . 2
15、7g36.9.5 Metrics 28g36.9.6 Example of application . 28g37 Claiming compliance with an Assurance Profile . 28g3History 30g3ETSI ETSI TR 187 023 V1.1.1 (2012-03) 5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The informatio
16、n pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI
17、Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the update
18、s on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN). Introduction An Assur
19、ance Profile (AP) document is a formalization of needs in which equipment vendors, solution providers, service integrators, operators and service providers or even final users can define a common set of security assurance measurement requirements for a service infrastructure. An Assurance Profile gi
20、ves a means of referring to this set, and facilitates future evaluation against these needs. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 61 Scope The present document presents the structure of the Assurance Profiles. 2 References References are either specific (identified by date of publication and/or edi
21、tion number or version number) or non-specific. For specific references,only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected loc
22、ation might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the prese
23、nt document. Not applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ISO/IEC 15408: “Information technology - Security techniques - Evaluation cr
24、iteria for IT security (also known as Common Criteria)“. i.2 ETSI TS 187 016: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Identity Protection (Protection Profile)“. i.3 ETSI TR 187 002: “Telecommunications and Internet converged S
25、ervices and Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat, Vulnerability and Risk Analysis“. i.4 ISO 27005: “ Information technology - Security techniques - Information security risk management“. i.5 Directive 95/46/EC of the European Parliament and of the Council
26、 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. i.6 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy i
27、n the electronic communications sector (Directive on privacy and electronic communications). i.7 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic commu
28、nications services or of public communications networks and amending Directive 2002/58/EC. i.8 COM 96/C 329/01: Council Resolution of 17 January 1995 on the lawful interception of telecommunications. i.9 ETSI TS 102 165-1: “Telecommunications and Internet converged Services and Protocols for Advance
29、d Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis“. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 73 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: operational
30、 security assurance: ground for confidence that security controls are running as expected in an operational system. security assurance measurement requirements: elements of evidence that need to be measured within a service infrastructure to gain assurance that the security controls are running as e
31、xpected Security Assurance View (SAV): specifically focused representation of the security assurance measurement results. Target of Measurement (TOM): minimal part of a service infrastructure where security controls are implemented and for which continuous security assurance measurement is required
32、3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AAA Authentication, Authorization and Accounting AP Assurance Profile AP_SSO Assurance Profile_Security CC Common Criteria CCL Compliance ClaimsCPE Customers Premises Equipment CPE Customers Premises Equip
33、ment ECN Electronic Communication Network ECN Electronic Communication Network ECS Electronic Communication Service ECS Electronic Communication Service HR Human Resources IO Infrastructure Object 4 General concepts and use of Assurance Profiles IPTV Internet Protocol TeleVision IP-VPN Internet Prot
34、ocol-Virtual Private Network MR Measurement Requirement NGN Next Generation Network NGN-R NGN-Release NOC Network Operations Center NT Network Termination NT Network Termination OS Operating System OSR Operational Security Requirements SAV Security Assurance View SAV Security Assurance ViewsSLA Serv
35、ice Level Agreement SOC Security Operations CenterSPD Security Problem Definition SSO System Security Objectives TOE Target of Evaluation TOM Target of Measurement TSF ToE Security Function TVRA Threat Vulnerability Risk Analysis ETSI ETSI TR 187 023 V1.1.1 (2012-03) 84 Risk, Trust and Assurance An
36、assurance profile is the expression of requirements to deploy a security assurance program in order to measure, monitor and maintain security assurance of a telecommunications infrastructure for a particular service. Such a program can be illustrated in the following diagram where assurance manageme
37、nt is a continuation of risk management and an input for trust management. We address in the present document security assurance by measurement: infrastructures measured by metrics that generate evidence that leads to assurance. Ri sk sMetricsEvi d en ceAssurance Confidencethatgeneratewhichleadstoth
38、attheminimizeInfrastructuresthat threaten themeasuredbywhich givesAssuranceManagementMeasurementMonitoringTrust managementRisk ManagementAssistanceCountermeasuresthatgeneratewhichleadstothattheminimizeFigure 1: Risk, Assurance and Trust 4.1 Operational Security Assurance We define operational securi
39、ty assurance, as ground for confidence that security controls are running as expected in an operational system; this is illustrated in figure 2. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 9Inherent RisksKnown/identified RisksSecurity Objectives / Security PolicySecurity Controls (Security Architecture)De
40、ployed Security ControlsRunning Security ControlsOK NOKOKRisksManagementDesignImplementationSystemOperationResidual risksImplementation drift Operational driftOperational Security Assurance:Are Security Controls running as expected?OKOK OK NOKOKDeploymentDeployment driftISO 15408Common CriteriaTarge
41、t of MeasurementISO 27005TVRAOperational Security AssuranceFigure 2: Operational Security Assurance definition Operational security assurance is the last step in the overall security life cycle process. Figure 2 presents the different steps and how security assurance is related to all of them. Figur
42、e 2 also shows how some of the most relevant standards are related to these different steps. The first step is called risk management. A service infrastructure is exposed to threats and is subject to vulnerabilities (inherent risks). Managing risks consists in first identifying those risks (risk ass
43、essment) and then deciding the ones that can be covered by security objectives and those that are considered residual risks (risk treatment and risk acceptance). There are several standards concerned with risk management e.g. ISO 27005 i.4 and ETSI TVRA i.9 are some of the most appropriate and used
44、standards related to IT and telecommunications infrastructures. The second step is the design and implementation of security controls that will lead to the security architecture. The drift that can occur is called implementation drift and can be measured with ISO 15408 standards i.1 that brings assu
45、rance that the implemented system achieves expected security objectives. The third step is the deployment phase where security architecture is deployed and configured. During this step, implemented security controls can be deactivated or modified by configuration. Drift that can occur is called depl
46、oyment drift. ETSI ETSI TR 187 023 V1.1.1 (2012-03) 10The last step is the operational phase. In this phase, an operational drift can occur: procedures could not be applied, configuration of equipments could be modified, equipments could be down, services could be unavailable, etc. The implementatio
47、n of a security assurance program allows the evaluation (with more or less precision depending on the assurance level) of this operational drift. To achieve and quantify this drift, measures are performed on the target of measurement. 4.2 Concepts 4.2.1 The Target of Measurement (TOM) An Assurance P
48、rofile (AP) refers to a particular service infrastructure. It defines a Target of Measurement (TOM) as the minimal part of this infrastructure that needs to be measured continuously in order to evaluate the operational security assurance for the service. The Target of Measurement is in general the m
49、inimal set of elements that enforce or contributes to the security of the service. 4.2.2 The Security Assurance Views (SAV) The Assurance Profile introduces the concept of Security Assurance View (SAV). Each Security Assurance View, defined in an Assurance Profile, gives a particular representation of the measurement results (i.e. information on the operational security assurance of the service). An Assurance Profile contains one or several Security Assurance Views. Each Security Assurance View has a specific focus (e.g. a regulation, a standard, a