News

Standards for Smart Cities: SC 41 Chair presents at international conference in Burkina Faso

Posted by on Aug 6, 2018 in Uncategorized | 0 comments

Chair ISO/IEC JTC 1/SC 41

Francois Coallier, Chair ISO/IEC SC 41: IoT and related technologies

The Chair of ISO/IEC JTC 1/SC 41: IoT and related technologies, Francois Coallier, gave a keynote presentation during the 1st International Conference on Smart Cities and Communities held on 24-26 July 2018 in Ouagadougou, Burkina Faso.

The presentation gave an overview of the relevance and great number of standards which already benefit smart city infrastructure. Coallier highlighted the work of JTC 1 towards smart city ICT frameworks through Working Group 11: Smart Cities and SC 41, the latter of which covers aspects such as trustworthiness and the need to ensure security, privacy, safety and resilience of systems in smart cities.

He noted a number of key liaisons with other ISO/IEC subcommittees, which work on specific areas, including:

  • SC 7: Software and systems engineering
  • SC 27: IT Security
  • SC 37: Biometrics
  • SC 38: Cloud computing
  • SC 40: IT governance and IT service management
  • SC 42: Artificial intelligence, which also covers big data.

See full presentation here

Sponsored by the town of Ouagadougou , participants came mostly from Benin, Burkina Faso, Côte d’Ivoire and Senegal and included ministers, experts and representatives from a number of universities.

ISO/IEC JTC 1/SC 23 Plenary meeting, Geneva

Posted by on Aug 1, 2018 in Uncategorized | 0 comments

ISO/IEC JTC 1/SC 23 held its 19th plenary meeting in Geneva, Switzerland on 26 June. The meeting was scheduled in conjunction with the 113th Ecma TC31 meeting and hosted by the National Body of Switzerland.

SC 23 continues to provide technically rigorous standards that meet user requirements, and has published 138 standards in the field of ‘Digitally Recorded Media for Information Interchange and Storage’.

New projects

In the meeting, the current standardization activities regarding Optical disk reliability and File format etc. were discussed and confirmed.  In addition, new projects were established to develop Amendment 1 to four BD standards (ISO/IEC 30190 to 30193) to realize 4K/8K broadcast recording on BD disks, as originally requested by the Blu-ray Disc Association (BDA).

Another discussion addressed how to find new work items for potential future standardization, considering drastic changes of storage environments in the future.

The need to address storage capacity through standardization

With the continued expansion of IoT, AI and big data, an enormous quantity of digital data will be created, distributed and kept in storage systems. It is estimated that the total amount of digital data distributed worldwide will grow from 16.1 ZB in 2016, through 44 ZB in 2020, to 163 ZB in 2025. (Source: IDC White Paper ©2017 IDC.)

Since the growth rate of total capacity of data storage will be slower than that of data creation and distribution, it is assumed that users will face serious storage capacity problems in the near future.

Further, there will be the fundamental problem of how to achieve sustainable and realistic energy-consumption growth as we move into an era in which digital data will greatly increase. It is estimated that significant volumes of data must be moved to offline “cold” storage to resolve the issue, and SC 23 believes that optical discs do have superior fundamental features for cold storage applications, such as ultra-low energy-consumption, long life, water-proof function, and so on.

Recognizing such likely scenarios in the future means that innovation and standardization activities for new digital data storage systems will be important and worthwhile, not only for SC 23 but also for the other standardization committees.

SC 23 is expecting to welcome more experts from across the entire domain of digital data storage to discuss potential future standardization for a sustainable future, in collaboration with any related JTC 1/SCs and technology organizations.

 

ISO/IEC JTC 1/SC 40 – Plenary 2018 – Lisbon, Portugal

Posted by on Jul 4, 2018 in News | 0 comments

Chair ISO/IEC JTC 1/SC 40

Chair ISO/IEC JTC 1/SC 40, Jan Begg was interviewed by hosts itSMF Portugal

During the five-day meetings, hosted by IT System Management Forum (itSMF) Portugal, more than 75 experts from 19 countries participated in a very busy work programme.

Begg highlighted some of the many projects that were discussed, including:

  • Handbook (Practical Guide) to the 20000 series of international standards for IT – Service management.
  • Governance of IT-enabled investments covering the complex world of organizations when they work on innovating and improving their business processes.
  • Standards for IT – Continual performance improvement of IT enabled services, which cover outsourced infrastructure, are in the early stages.
  • Liaisons – work with other committees, in particular with ISO/IEC JTC1/SC 42 for Artificial Intelligence – a very exciting and innovative area.

Many other items were discussed over the five-day meeting, which the Chair described as, “Happy, constructive and wonderful”.

A View From the Top – Henri Barthel – SC31 Chair & Vice President – GS1 Gobal

Posted by on Jul 2, 2018 in News | 0 comments

Taken from the AIM website

AIM Matters talks to the leaders who are making a difference

Earlier this month, a group of international industry leaders met in Chicago for their 2018 SC31 Plenary meeting. While not everyone is involved in developing or updating standards, no one — industry professionals, consumers or businesses — can function in their daily activities without having standards that establish the parameters of the world today. Fortunately, the members of ISO/IEC JTC1/SC31 lead the AIDC industry in creating, monitoring and updating the standards that help to guarantee compliance on a global basis.

AIM Matters was fortunate to have the opportunity to speak with Mr. Barthel during the recent Plenary and presents in this issue the podcast of that interview. In it, Chairman Barthel gives his insights on both the SC31 and the AIDC industry.

Download the podcast, click here

More about AIM

AIM – Advancing Indentification Matters – is the trusted worldwide industry association for the automatic identification industry. For nearly half a century, AIM has provided unbiased information, educational resources and standards to providers and users of these technologies. Find out more

Interview with Dr Andreas Wolf, Chair ISO/IEC JTC 1 SC/27 – IT security techniques

Posted by on Jun 4, 2018 in News | 0 comments

Why are standards important for IT security and privacy?

Standards are essential for human civilization. Standards enable the global interoperability of technical solutions while ensuring that the technical progress can be applied smoothly on a global scale. Without international standards it would be much more difficult to interact with partners in different countries or on different continents. This proved to be important for the first time during the industrial revolution more than 100 years ago, and became even more important as globalization progressed. In the past, we have seen that any technology of importance has been accompanied by mechanisms to ensure its safety and security, and that the availability of such mechanisms was an indication for the maturity of these technologies. These former technologies included the steam engine and the automobile, to mention but a few. Today, information and communication technology is one of the key technologies and may very well be the most important one of our time.

In terms of function, computer networks have now reached tremendous performance levels, computers are everywhere, and artificial intelligence is leveraging the algorithmic capabilities of IT systems to unprecedented levels. Some people say that these developments are at least as important as the industrial revolution a century ago. Similar to the mechanisms that ensured the safety of steam engines in the past, society today needs mechanisms to protect us from the risks we face due to IT systems. And this is where IT security and privacy standards come into play. Since the very Web itself is global, IT security and privacy need to be considered on a global level too. International standards have proven to be a good tool when it comes to reaching a global scale.
Neither IT security nor privacy can be addressed in a simple manner. There is no such thing as: “The IT security”. There are many approaches to a vast range of challenges. But they can all be categorized and their impact can be measured and evaluated with respect to common rules developed by an international community of experts. Requirements and recommendations like these determine the value of international standards because they were developed by applying best practices and the wisdom of a countless number of experts from many different countries. In this sense, standards educate the industry, they help avoid unnecessary mistakes, and they support the efficient use of intellectual resources.

The aspect of privacy is even more complicated. While IT security aspects are evaluated more or less similarly around the globe, privacy issues are influenced by cultural and societal factors. It is a matter of fact that different countries or regions have different cultural backgrounds, different traditions, and different legislation on data protection and privacy. This makes it all the more important to define a common vocabulary on privacy concepts, and to make the privacy features and properties of IT systems or applications measurable and comparable. The best way to achieve this is to develop sound and appropriate international standards.

IT security has departed from its niche as a topic of interest merely for governments, the military and the financial sector and has become relevant to everyone who owns a computer or smartphone, i.e. virtually to all of us. Coming full circle with the industrial revolution: IT technology will reach maturity and will be trusted by society as soon as we have a set of well-established international standards in place that covers all relevant aspects of IT security and privacy.

What is ISO/IEC JTC1’s role in IT security and privacy standards? What part is SC 27 playing?
In global terms, JTC 1, the parent committee of SC 27, is, as its name “Information Technology” suggests, the leading committee on IT standardization. Within JTC 1/SC 27 is responsible for developing standards on information security management, IT security, cryptography, security management, IT security evaluation, data protection, privacy and other related topics. Past experience has shown that security and privacy related topics like these have become more and more cross-sectional and interdisciplinary. This means that topics covered by SC 27 become more relevant for many application areas, not just for information technology. This importance is indicated by the more than 70 committees and organizations liaising with SC 27, proving that there is a need to support many standardization domains with IT security and privacy standards. Almost half of these liaisons connect SC 27 with other JTC 1 committees.
Admittedly SC 27 does attract a large number of highly renowned experts in their respective fields who have been delegated to SC 27 by its current 52 Participating and 25 Observing Members but maintaining these liaisons would consume a lot of resources. JTC 1 serves as a platform that enables easier exchange with its other committees and bundles the forces of its committees in order to develop standards much faster, easier and with optimal quality. What’s more, SC 27 is in the comfortable position that many of our expert delegates work in several standardization committees, complementing the official liaison efforts in a very target-oriented manner.

But our liaisons are not one-way streets. SC 27 too supports other committees, providing them with the expertise of SC 27 and regularly making use of their domain knowledge in our standards.
SC 27 has meanwhile published 178 International Standards, and is currently running projects to develop 64 new standards. This perfectly illustrates the high and even growing importance of SC27 in standardization business. As we all know, standards are developed by contributions that come from individual experts who dedicate time and effort to the topics they are heavily involved with. The large and growing number of published standards indicates that SC 27 is continuously attracting contributing experts who are delegated by many National Bodies and who represent more or less the entire IT industry – once again demonstrating the enormous importance of the activities by SC 27.

What lies ahead for SC 27 in the years to come?
If we take a closer look at SC 27 and its history, we can see how SC 27 evolved over the past 25 years. It has grown in terms of the experts participating in its standardization projects, in terms of the Participating and Observing Members, the projects under preparation, and in terms of the different topics addressed. This development is highlighted by the structure of SC 27, which is made up of five working groups:
• WG 1 Information security management systems
• WG 2 Cryptography and security mechanisms
• WG 3 Security evaluation, testing and specification
• WG 4 Security controls and services
• WG 5 Identity management and privacy technologies
These working groups cover several aspects of SC 27’s focus areas of work. All of these aspects have ongoing relevance to our work while their impact on technology and society is increasing. SC 27 started out with information security techniques and cryptography, security management systems were included at a later stage; its newest field of work is the thematic complex of identity management and privacy. Many of our projects have to be continuously maintained and extended to new application fields. It would be not fair to mention only a few of these projects; SC 27 is currently working on many important projects. Some of them might be more well-known than others, e. g. the information security management standards covered by ISO/IEC 27000 series and the evaluation criteria for IT security (Common Criteria) in the multipart standard ISO/IEC 15408.

Within SC 27, we maintain cooperation between the working groups through regular exchange between the delegated experts. As all SC 27 working groups meet parallel twice a year, the experts may move between the groups, keeping information flowing. However, we have come to see that the growing number of topics calls for the involvement of experts from several communities and committees. In order to address such close cooperation and to accelerate the joint development of standards, we will need to travel down new roads. One option could be to set up joint working groups between SC 27 and other committees. SC 27 has already initialized such a joint working group with ISO TC 307 “Blockchain and distributed ledger technologies” and we are hopeful that this will be successful. It is quite likely, however, that we will need other mechanisms as well if we are to be able to responsively develop more new standards in line with needs in an even shorter space of time.

SC 27 will face a number of technological challenges in the coming years. Emerging technologies will grow and need to be enhanced with security aspects. These technologies include, for instance, the Internet of Things, Smart Cities, or Distributed Ledger technologies, to name just a few. It is foreseeable that any item that can be distinguished and seen as an individual will soon have to have its own identity. And that identity will need to be a secure identity. There are some expectations that the transition brought about by emerging technologies will be quite disruptive; SC 27’s task is to enable the maintenance of IT security aspects and to support the development of interoperable IT security methods required to serve future needs.

But this is only one aspect. SC 27 and its experts are also aware of their responsibility to develop good standards that allow privacy aspects to be considered in an appropriate manner. In the past, preventing harm meant ensuring that a steam engine did not explode. In today’s IT systems, this also means preventing data misuse, especially the misuse of personal data. Even if there is no international consent on the exact content of privacy rules, SC 27 is determined to provide best practice experiences and to develop measures to describe and evaluate different, conceivable levels of privacy protecting technology in order to allow a precise description and a useful comparison of products and systems.

Last, but not least, SC 27 has what could be described as a luxury problem. As the SC 27 community is growing rapidly, and as our meetings attract an ever-increasing number of experts, it is becoming more and more difficult for the National Bodies to host upcoming events. The perfect organization with excellent logistics, which is provided by the meeting hosts and which is highly appreciated by all participants, requires enormous effort, and is in no way trivial. Sometimes, simply finding meeting facilities and hotel rooms to host five working groups and their experts is a challenge, not to mention that almost all of the working groups are additionally split into sub-groups. A perfectly organized event for participants involves an incredible amount of hard work behind the scenes for the host.

Meeting time is limited, and the number of projects is growing. We now need to find new ways to make our work more efficient, e.g. by focusing meetings on the work that needs to be carried out there and preparing as much as possible in advance, or by organizing meetings in a more compact way. This kind of optimized organization is a task for management staff: the chairpersons, the secretariat, and the conveners. Fortunately, they are supported by the Management Advisory Group, a panel of highly renowned SC 27 experts.

Can you tell us about your experience in developing standards, and why you are interested in IT security and privacy?
The first time I consciously came across an International Standard in my business life was more than a decade ago when I was responsible for the Common Criteria evaluation of a biometric speaker recognition system from the manufacturer’s perspective. As it happened, CC is today an SC 27 standard. This brought me in touch with some standardization groups at DIN, the German Institute for Standardization. The one I decided to become a member of was NIA-37, the mirror of SC 37 “Biometrics”. During that time, I started working with one of the major players in the fingerprint industry, and so it was quite a logical decision for me to become involved in biometrics standardization. At the same time, I also developed an affinity to border control technologies which brought me closer to SC 17 “Cards and security devices for personal identification” and SC 31 “Automatic identification and data capture techniques”.

Now, working for Bundesdruckerei, the German State Printer, I am the editor of ISO/IEC 19794-5 and ISO/IEC 39794-5, the facial image data format standards which are mostly applied in passports and other Machine Readable Travel Documents (MRTDs). Furthermore, I am the editor of ISO/IEC TR 29196 “Guidance for biometric enrolment” in SC 37. In SC 17, I am the editor of the ICAO Portrait Quality TR and in SC 31 one of the two editors of ISO/IEC 30116 which deals with the machine readability of the Machine Readable Zone of an MRTD. I am the liaison officer between SC 37 and CEN/TC 224 and from SC 37 to SC 17. Additionally, I convene CEN/TC224 Working Group 19 which deals with breeder documents.

All of these topics have certain security aspects which are becoming increasingly important. It was therefore a natural step for me to extend my standardization work to SC 27. I especially saw for myself the close connection between IT security, privacy, and biometrics since I was involved in the development of passport, passport inspection, and border control technology. Several projects, the most important one probably being FIDELITY, funded by the European Commission in the Seventh Framework Programme, led me closer into the interconnection between new ID management technologies, data handling, IT security, and privacy considerations.

Participating in SC 27, I saw that I already knew many of the experts working in this committee from my standardization activities in the past. Taking into account the cross-sectional character of IT security and privacy, this did not come as a surprise. In recent years, and fulfilling several roles in standardization groups, I have learned a lot about the power of qualified consent as the fundamental concept on how to write good standards. It is therefore both a challenge and a pleasure to me to chair SC 27, and to support our experts in their effort to strive for good IT security and privacy standards. The chairmanship is mostly a service role, and sometimes it is a guidance and leadership role. But it is always a task that allows me to work with many good experts from all over the world, where I can learn from them and share my experiences with them. In that sense, I am happy to be elected to serve as the next Chair of SC 27.

Are there other organizations or committees also working in this area? What are their relationships to SC 27?
As information security management, IT security and privacy have always been cross-sectional and interdisciplinary issues, it is no wonder that SC 27 has many interfaces with other organizations. Besides traditionally IT-sensitive sectors (banking, government or the military), upcoming application domains (smart home, smart cities or IoT) have now come to understand their need for IT security. This means that the number of partners applying SC 27 standards or referring to SC 27 standards in their own products is growing quickly. Additionally, SC 27 receives more and more requests to develop products for specific application domains.

SC 27 liaises with more than 70 organizations, including JTC 1 sister committees and other groups from other standardization organizations like ISO, IEC, ITU, CEN, CENELEC, or ETSI, to mention but a few. We also liaise with industrial organizations and project consortia. All this illustrates the recognition that SC 27 has in the IT security and privacy community. We always strive to make everyone aware of our standardization topics and to avoid duplicate work. Finally, it does not necessarily matter that much who wrote a certain standard, as long as there are no competing standards and as long as standards are comprehensive, applicable and accepted. Sometimes, it is the best choice to develop standards in SC 27, while at other times, it makes more sense to liaise with a partner and to ensure SC 27’s expertise is reflected in the partner’s document. Developing standards is not a purely academic exercise; it is performed by stakeholders who have strong interests, both commercial and political. After all, the market needs standards that support stakeholders working on certain problems, and these standards are needed quickly, in high quality, and tailored to the needs of all countries.

All the standardization committees I have worked with in the past have developed a very enjoyable culture of cooperation. Arguments are the major force, and consensus is reached by moderating the interests of all stakeholders. This does not mean that there are no conflicts between the participating experts and National Bodies. But SC 27, like all other standardization committees, and in particular, all of its experts and officers, is committed to resolving such conflicts, to reaching consensus and to developing standards that are as good as possible. This is one of the sources of joy when working with SC 27.