Information technology security standards - An Australian perspective

Abstract

From a telecommunications perspective, standards facilitate the implementation of distributed applications. Such systems can be implemented using components produced by different suppliers, at different times, and in ways that involve a minimum of proprietary intellectual property. As such open systems become widely implemented, it is becoming increasingly important to have standards for security services and mechanisms to allow the interests of all interconnected parties to be protected. This paper discusses the role of standards in providing a link between the large body of available theory, and business needs. A standardised approach has the following advantages: – agreement can be reached on the meaning of security terminology; – security mechanisms can be subject to international, expert scrutiny before adoption; – common security mechanisms can be developed in such a way that re-use is possible; and – the limited amount of available technical expertise can be efficiently used and made accessible to all parts of industry and government. When an analysis is made of security standardisation activities around the world, it is quickly appreciated that we are in fact well away from realising an optimum approach to security standards development. However, there is still much to be gained from the standardisation process. This paper looks at the range of security standardisation activities, and then focuses on the work being done to develop generic (basic) security building block standards in the International Organisation for Standardisation (ISO)/International Electrotechnical Commission (IEC), Joint Technical Committee 1, Subcommittee 27. The range of Subcommittee 27 activities is summaxised, and an update is given of progress to date. This status is then placed in the perspective of related Australian standardisation activity.