[SystemSafety] Data communication security system standards

Thu Jan 15 11:41:45 CET 2015

Concerning the industrial applications (not tertiary IT), this is the scope of the Ad Hoc Work Group 1 of IEC SC65 as the same issue exists with IEC 62443 than with ISO 27000 series. In addition, the focus of the workgroup is to embed (or not) the security in the product within the frame (or not) of IEC 61508…

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 58 11 96 82
Bertrand.ricque at sagem.com

From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of M Mencke
Sent: Thursday, January 15, 2015 10:56 AM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: [SystemSafety] Data communication security system standards

Dear all,
I have some questions regarding the scope of some of the standards developed by ISO/IEC JTC 1/SC27 – IT Security Techniques. They are listed here:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306&published=on
It is divided into 5 principal Working Groups; Information security management systems (ISMS), Cryptography and security mechanisms, Security evaluation, testing and specification, Security controls and services, and Identity management and privacy technologies.
The standard I am currently investigating is a standard within the scope of WG 1, the ISO 27001. It is possible for a company to hold ISO 27001 certification. One of the sections of this standard concerns network security, and compliance with this standard assumes that the adequate protection mechanisms have been put in place by the company. However, as far as I can see, the application of the standard is limited to the organization itself. Therefore, the ISMS would be implemented only within the company. What I would like to know is if a company supplies a system which implements different types of network traffic, whether the protection mechanisms implemented within the networks for trusted/untrusted communication can be certified by a particular standard. The ISO 27001 standard relates to the organization, I would like to know if the data communications of the product itself can be certified. In the link I sent above there is a rather large number of standards, including ones regarding network security techniques. However, I do not have access to all of them, and I was wondering if these standards are intended for organizations or products, and whether anyone has seen certification of products according to these standards in practice.
On the other hand, there is the NITS 800-30 and one of the standards it references, the ISO/IEC 27005:2011. However, the ISO/IEC 27005 is also included within the list of standards applicable only to organizations, here: https://www.iso.org/obp/ui/#iso:pub:PUB200004:en
Therefore, I have some doubts regarding whether compliance with the NITS 800-30 or the ISO/IEC 27005 automatically implies that the organization’s products also comply with these standards.
Any opinions would be appreciated.
Kind regards,
Myriam.
#
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20150115/07b32a5b/attachment.html>