(Continuation of Q.7/17)
Motivation
For telecommunications organizations, information and the supporting
processes, telecommunications facilities, networks and transmission media are
important telecommunication business assets. In order for telecommunications
organizations to appropriately manage these business assets and to correctly
continue the business activity, information security management is extremely
necessary. For this reason, Recommendation X.1051 has been developed to cover
meaningful guidelines of information security management for telecommunications
organizations.
Based on the guideline for information security management, more detailed
management technologies for risks and incidents have also been developed.
Furthermore, new areas related to Recommendation X.1051 should be
investigated, and more specific management technologies such as asset
identification and security policy need to be considered. The aim is to develop
a set of Recommendations on security management for telecommunications based on
Recommendation X.1051 in ITU-T.
On the other hand, corporate governance requirements place increasing demands
on telecommunications organizations to demonstrate that they have effective
internal control arrangements in place. One significant development is the
inclusion of information security as part of operational risk in the wider
corporate governance definition. To meet this requirement, organizations need to
develop a framework of accountability and control to address the rising number
of security threats and to demonstrate effective corporate control and
compliance with related laws and regulations. Therefore, in parallel with the
study of the detailed implementation methodologies above, based on
Recommendation X.1051, an information security governance framework that
encompasses information technology and information security should also be
studied.
In the course of the studies, a full collaborative effort between ITU-T and
ISO/IEC JTC 1 will be continued to ensure the widest possible compatibility of
security solutions. The success of solutions developed as national standards in
many countries also needs to be considered.
This Question differs from the Questions in Study Group 2 in that Study Group 2
deals with the exchange of network management information between network
elements and management systems, and between management systems, in a TMN
environment. This Question deals primarily with the protection of business
assets, including information and processes, from the viewpoint of information
security management.
Recommendations under responsibility of this Question as of 1 December 2008:
E.409 (in conjunction with SG 2), X.1051 and X.1055.
Question
Study items to be considered include, but are not limited to:
- How should information assets in telecommunications systems be identified
and managed?
- How should information security policy for telecommunications systems be
identified and managed?
- How should specific security management issues for telecommunications
organizations be identified?
- How should an information security management system (ISMS) for
telecommunications organizations be properly constructed using the existing
standards (ISO/IEC and ITU-T)?
- How should measurement of information security management in
telecommunications be identified and managed?
- How should an information security governance framework be identified and
managed?
- What enhancements to existing Recommendations under review or new
Recommendations under development should be adopted to reduce the impact on
climate change (e.g., energy savings, reduction of greenhouse gas emissions,
implementation of monitoring systems, etc.), either directly or indirectly, in
telecommunications/ICT or in other industries?
Tasks
Tasks include, but are not limited to:
- Review the existing management Recommendations/Standards in ITU-T and ISO/IEC
regarding asset identification and security policy management. (2Q2009).
- Study and develop a framework of information security management functions
described in Recommendation X.1051. (1Q2009 - 2Q2009).
- Study and develop a methodology of asset identification management for
telecommunications based on the concept of Recommendation X.1051. (1Q2009 -
4Q2010).
- Study and develop security policy management for telecommunications based on
the concept of Recommendation X.1051. (1Q2009 - 4Q2010).
- Study and develop information security management for small and medium
telecommunications organizations based on the concept of Recommendation X.1051.
(1Q2009 - 4Q2010).
- Study and develop a methodology to construct an information security
management system (ISMS) for telecommunications organizations based on the
existing standards (ISO/IEC and ITU-T). (1Q2009 - 4Q2010).
- Study and develop information security governance, including the framework
and implementation guidelines, for telecommunications. (1Q2009 - 4Q2010).
- Propose an outline of new Recommendations. (4Q2010).
- Assess the outputs of the above activities in view of their usability for
telecommunications facilities and services. Produce draft Recommendations.
(4Q2010 - 4Q2011).
- Maintenance and enhancement of Recommendations in the X.105x-series.
(1Q2009 - 4Q2011).
- Consent new Recommendations. (1Q2012).
Relationships
Recommendations: X.800-, X.1000-, X.1100- and X.1200-series
Questions: ITU-T Qs 1, 2, 4, 5, 6, 7, 8, 9, 10, 11/17, 16/13 and 14/15
Study groups: ITU-T SGs 2, 9, 11, 13, 15 and 16; ITU-R; ITU-D
Standardization bodies: ISO/IEC JTC 1/SC 27; ETSI; TTC; NIST