Cybersecurity




Guidance for signature creation and other related devices

The present Technical Report provides guidance on the selection of standards and options for the signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16]. The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6). The target audience of this document includes:

  • business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signatures/seals standards can be used to meet their business needs;
  • application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding of how to select the appropriate standards to be implemented and/or used;
  • developers of the systems who will find in this document an understanding of the reasons that led the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development.

CEN/TR 419200:2017

Information security, cybersecurity and privacy protection

The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

  • Security requirements capture methodology;
  • Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services;
  • Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
  • Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
  • Security aspects of identity management, biometrics and privacy;
  • Conformance assessment, accreditation and auditing requirements in the area of information security;
  • Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas.

ISO/IEC JTC 1/SC 27

Cards and security devices for personal identification

SC 17 continues to deliver card standards that are ubiquitous in their use by the worldwide cards industry. Perhaps the biggest issue facing the cards world, and particularly payment cards, is the need to expand the Issuer Identification Numbering scheme (IINs) from its present 6-digit IIN to an 8-digit IIN going forward. Support from ISO to spread the word in this regard would be very much appreciated by the experts in SC 17.

Standardization in the area of:

  • Identification and related documents
  • Cards
  • Security devices and tokens

and interface associated with their use in inter-industry applications and international interchange

ISO/IEC JTC 1/SC 17

OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC

CACAO TC members are developing a standard to implement the course of action playbook model for cybersecurity operations.
 
In order to defend against cyber threats, organizations must manually identify, create, and document the prevention, mitigation, and remediation steps that, together, form a course of action playbook. However, today there is no standardized way to document and share these playbooks across organizational boundaries and technology solutions. CACAO addresses this problem by defining a sequence of cyber defense actions that can be executed for each type of playbook. It will specifically enable organizations to:

  1. create course of action playbooks in a structured machine-readable format,
  2. digitally sign course of action playbooks,
  3. securely share course of action playbooks across organizational boundaries and technological solutions, and
  4. document processing instructions for course of action playbooks in a machine-readable format.

Rationalized structure for electronic signature standardization - Best practices for SMEs

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering dematerializing paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signature products and services (they should rather rely on the ETSI EN 319 series for building their offer), but it is a guide for SMEs CONSUMING e-Signature products and services. This document builds on CEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic signature which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).

CEN/TR 419030:2018

Vehicle to grid communication interface - Part 1: General information and use-case definition

This document, as a basis for the other parts of the ISO 15118 series, specifies terms and definitions, general requirements and use cases for conductive and wireless HLC between the EVCC and the SECC. This document is applicable to HLC involved in conductive and wireless power transfer technologies in the context of manual or automatic connection devices. This document is also applicable to energy transfer either from EV supply equipment to charge the EV battery or from EV battery to EV supply equipment in order to supply energy to home, to loads or to the grid. This document provides a general overview and a common understanding of aspects influencing identification, association, charge or discharge control and optimisation, payment, load levelling, cybersecurity and privacy. It offers an interoperable EV-EV supply equipment interface to all e-mobility actors beyond SECC. The ISO 15118 series does not specify the vehicle internal communication between battery and other internal equipment (beside some dedicated message elements related to the energy transfer).

EN ISO 15118-1:2019

Vehicle-to-grid communication Interface - Part 2: Network and application protocol requirements

ISO 15118-2:2014 specifies the communication between battery electric vehicles (BEV) or plug-in hybrid electric vehicles (PHEV) and the Electric Vehicle Supply Equipment. The application layer message set defined in ISO 15118-2:2014 is designed to support the energy transfer from an EVSE to an EV. ISO 15118-1 contains additional use case elements describing the bidirectional energy transfer. The implementation of these use cases requires enhancements of the application layer message set defined herein. The purpose of ISO 15118-2:2014 is to detail the communication between an EV (BEV or a PHEV) and an EVSE. Aspects are specified to detect a vehicle in a communication network and enable an Internet Protocol (IP) based communication between EVCC and SECC. ISO 15118-2:2014 defines messages, data model, XML/EXI based data representation format, usage of V2GTP, TLS, TCP and IPv6. In addition, it describes how data link layer services can be accessed from a layer 3 perspective. The Data Link Layer and Physical Layer functionality is described in ISO 15118-3.

EN ISO 15118-3:2016

Security Guidance

Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable roadmap to managers wanting to adopt the cloud paradigm safely and securely. Domains are reviewed to emphasize security, stability, and privacy in a multi-tenant environment. The CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing builds on previous iterations through dedicated research, public participation from CSA members, working groups, and industry experts. This version incorporates advances in cloud, security, and supporting technologies, reflects on real-world cloud security practices, integrates the latest CSA research projects, and offers guidance for related technologies. The goal of the fourth version of Security Guidance for Critical Areas of Focus in Cloud Computing is to provide guidance and inspiration to support business goals while managing and mitigating the risks associated with cloud computing adoption.

Top Threats

The shift from traditional client/server to service-based models is transforming the way technology departments think about, design, and deliver computing technology and applications. However, the improved value offered by advances in cloud computing has also created new security vulnerabilities, including security issues whose full impacts are still emerging. The CSA Top Threats Working Group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies.

Security for Cloud Computing: 10 Steps to Ensure Success V3.0

Security for Cloud Computing: 10 Steps to Ensure Success provides a practical reference to help enterprise information technology (IT) and business decision makers analyze the security implications of cloud computing on their business.
 
The guide includes a list of ten steps designed to help decision makers evaluate and compare security and privacy offerings from different cloud providers in key areas, covering:

  • Security and privacy challenges pertinent to cloud computing and considerations that organizations should weigh when migrating data, applications, and infrastructure
  • Threats, technology risks, and safeguards for cloud computing environments and the insight needed to make informed IT decisions on their treatment
  • A Cloud Security Assessment to assess the security capabilities of cloud providers

Version 3.0 introduces new and updated security standards, worldwide privacy regulations, and stresses the importance of including security in continuous delivery and deployment approaches, among other things.

Security for Cloud Computing: 10 Steps to Ensure Success V3.0

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Cloud Security Standards: What to Expect and What to Negotiate is a guide to security standards, frameworks, and certifications that exist for cloud computing. This guide will help you assess the security standards support of cloud service providers.
 
As customers transition their applications and data to use cloud computing, it is important that the level of security provided in the cloud environment is equal to or better than the security provided by their traditional IT environment. Cloud security standards and their support by prospective cloud service providers and within the enterprise is a critical area of focus for cloud service customers.
 
The landscape has matured with new cloud-specific security standards, like ISO/IEC 27017 and ISO/IEC 27018 for cloud computing security and privacy, being adopted.

Cloud Security Standards: What to Expect and What to Negotiate V2.0