SECURITY STANDARDS
ICAO
ICAO MRTD
- ICAO MRTD - ICAO 9303 - ePassports - BAC - complemented by BSI's EAC etc.
- Part 1: Machine Readable Passports
- Volume 1: Passports with Machine Readable Data Stored in Optical Character Recognition Format
- Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability
- Part 2: Machine Readable Visa
- Part 3: Machine Readable Official Travel Documents
- Volume 1: Official Travel Documents with Machine Readable Data Stored in Optical Character Recognition Format
- Volume 2: Specifications for Electronically Enabled Official Travel Documents with Biometric Identification Capability
- BSI's ePassport standards such as TR 03110 EAC, PACE etc.
International standards bodies - ISO, ITU-T, ETSI
ISO
- ISO.ch
- Standard process: NP (new project), WD (working draft), CD/FCD (committee draft/final), DIS/FDIS (draft international standard/final), IS (international standard)
- ISO SC 27 homepage - variant 1
- ISO SC 27 homepage - variant 2
- ISO TC68 Financial services
- ISO 9362 BIC
- ISO 9564-1 PIN (Personal Identification Number) Management and Security
- ISO 12812 Mobile payments
- ISO 13616 IBAN
- ISO 22307 PIA for financial services
- JTC1 SC 17 Cards:
- WG 1 Physical characteristics and test methods for ID-cards
- WG 3 ID cards - Machine Readable Travel Documents
- WG 4 ICC - contact cards
- WG 8 ICC - contactless cards
- WG 10 Motor vehicle driver license and related documents
- WG 11 Application of biometrics to cards and personal identification
- ISO SC 27 Security techniques:
- WG 1 ISMS
- WG 2 Cryptography and security mechanisms
- WG 3 Security evaluation
- WG 4 Security controls and services
- WG 5 Privacy, identity and biometrics security
- ISO SC 37 Biometrics:
- WG 1 Harmonized Biometric Vocabulary
- WG 2 Biometric Technical Interfaces
- WG 3 Biometric Data Interchange Formats
- WG 4 Technical Implementation of Biometric Systems
- WG 5 Biometric Testing and Reporting
- WG 6 Cross-Jurisdictional and Societal Aspects of Biometrics
- ISO crypto register
- ISO SC 27 - on COSIC Server (uid/psw required - includes a link to freely available standards)
ISO conformity assessment
- ISO/IEC 17000 (2020) Conformity assessment - Vocabulary and general principles
- ISO/IEC 17011 Conformity assessment Requirements for accreditation bodies accrediting conformity assessment bodies
- ISO/IEC 17020, Conformity assessment - Requirements for the operation of various types of bodies performing inspection
- ISO/IEC 17021-1, Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1 Requirements
- ISO/IEC 17021-2 Requirements for bodies providing audit and certification of management systems - Part 2: Competence requirements for auditing and certification of environmental management systems
- ISO/IEC 17021-3 Conformity assessment Requirements for bodies providing audit and certification of management systems Part 3 Competence requirements for auditing and certification of quality management systems
- ISO/IEC 17024, Conformity assessment - General requirements for bodies operating certification of persons
- ISO/IEC 17025 (2017) General requirements for the competence of testing and calibration laboratories
- ISO/IEC 17029 Conformity assessment - General principles and requirements for validation and verification bodies
- ISO/IEC 17065 Conformity assessment - Requirements for bodies certifying products, processes and services
- ISO/IEC 17067, Conformity assessment Fundamentals of product certification and guidelines for product certification schemes
- ISO/TS 17033 - Ethical claims and supporting information Principles and requirements
- ISO/TS 22003, Food safety management systems Requirements for bodies providing audit and certification of food safety management systems
ISO 27K and BS 7799 related
BS 7799 Part 1 'Code of practice for information security management' evolved into ISO 17799 and then into ISO 27002; Part 2 'ISMS specifications' was further extended into the 2700X family.
ISO 15408 Common Criteria (and related)
Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) in a Security Target (ST), and may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.
CC versions and main documents
CC:2022 is the latest version. CC V3.1 R5 is the last release of the 3.1 series and may optionally be used for evaluations starting no later than 30 June 2024.
STs conformant to CC:2022 based on PPs certified according to CC3.1 will be accepted up to the 31st of December 2027.
CC:2022 has 5 parts.
- Part 1: Introduction and general model
- Specifying security requirements (Security Problem Definition, Security Objectives, Security Requirements (SFR, SAR))
- Security components (Hierarchy, operations, dependencies)
- Packages (named sets of security components or security requirements)
- PPs
- Modular requirements (PP modules, PP configs)
- STs
- Evaluation and results
- Composition of assurance
- Annexes
- Part 2: Security Functional Requirements (SFR)
- Part 3: Security Assurance Requirements (SAR)
- Part 4: Framework for the specification of evaluation methods and activities
- Part 5: Pre-defined packages of security requirements
The corresponding CEM:2022 consists of one part.
CC v3.1 has 3 parts.
- Part 1: Introduction and general model
- Terms and definitions - common and class specific (ADV (development), AGD (guidance), ALC (life-cycle support), AVA (vulnerability assessment), ACO (composition), ... classes - specified in Part 3)
- TOE
- Tailoring security requirements (assignment, selection, refinement), dependencies and extensions
- Protection Profiles and packages
- Evaluation results (PP evaluation, ST/TOE evaluation)
- Specification of Security Target (ST)
- Two roles:
- Before and during the evaluation, the ST specifies “what is to be evaluated”. The ST serves as a basis for agreement between the developer and the evaluator on the exact security properties of the TOE and the exact scope of the evaluation.
- After the evaluation, the ST specifies “what was evaluated”. The ST serves as a basis for agreement between the developer or re-seller of the TOE and the potential consumer of the TOE.
- Contents:
- security objectives, showing how the solution to the security problem is divided between security objectives for the TOE and security objectives for the operational environment of the TOE
- security requirements, with a translation of the security objectives for the TOE into security functional requirements (SFRs)
- security assurance requirements (SARs)
- structured into ASE_INT, ASE_CCL, ASE_SPD, ASE_REQ (containing SFR and SAR), etc.
- Specification of PP
- A PP is typically a statement of need where a user community, a regulatory entity, or a group of developers define a common set of security needs. A PP gives consumers a means of referring to this set, and facilitates future evaluation against these needs.
- Conformance claim
- Security problem definition
- Security objectives
- Security requirements
- Part 2: Security functional components
- Classes: FAU, FCO, FCS, FDP, FIA, etc.
- Part 3: Security assurance components
- EAL
- ADV (development), AGD (guidance), ALC (life-cycle support), AVA (vulnerability assessment), ACO (composition), ... classes
Other info
Security evaluation standards
- IS 18045 Methodology for IT security evaluation
- IS 21827 System Security Engineering - Capability Maturity Model
- TR 15292 Registration procedure for Protection Profiles
- TR 15408 Evaluation criteria for IT security ('Common Criteria')
- TR 15443 Framework for IT security assurance
- TR 15446 Guide on the production of PP and ST
- TR 15947 Intrusion detection
- TR 19790 Security requirements for cryptographic modules
- TR 19791 Security assessment of operational systems
- TR 19792 Framework for security evaluation and testing of biometrics
NATO
Security techniques
- ISO - BS 25999 BCP - readiness for business continuity (see also ISO 27031)
- ISO WD 29147 Responsible vulnerability disclosure
- ISO 29100 Privacy framework
- ISO 29115 Entity Authentication Assurance (DIS in 2012)
- ISO 29146 A framework for access management
- ISO/IEC 11889 Trusted Platform Module
ISO Biometrics
- ISO/IEC 2382-37 Biometric vocabulary
- ISO 19092-1 Financial Services - Biometrics - Control objectives to manage biometric information
- ISO 19092-2 Syntax
- ISO/IEC 19784 Biometric application programming interface (BioAPI)
- ISO/IEC 19785 Common Biometric Exchange Formats Framework (CBEFF) - based on NISTIR 6529-A
- ISO/IEC 19794 Biometric data interchange formats - use of image data facilitates interoperability between e.g. minutiae-based, pattern-based and other matching algorithms
- Part 1: Framework
- Part 2: Finger minutiae data
- Part 3: Finger pattern spectral data
- Part 4: Finger image data
- Part 5: Face image data
- Part 6: Iris image data
- Part 7: Signature/sign behavioural data
- Part 8: Finger pattern skeletal data
- ISO/IEC 19795 Biometric performance testing and reporting
- Part 1: Principles and framework
- Part 2: Testing methodologies for technology and scenario evaluation
- Part 3: Modality-specific testing
- Part 4: Interoperability performance testing
- Part 5: Access control scenario and grading scheme
- Part 6: Testing methodologies for operational evaluation
- Part 7: Testing of on-card biometric comparison algorithms
- ISO/IEC 24708 Biometrics - BioAPI Interworking Protocol
- ISO/IEC 24709 Conformance testing for the biometric application programming interface (BioAPI)
- ISO/IEC 24713 Biometric profiles for interoperability and data interchange
- ISO/IEC 24714 Jurisdictional and societal considerations for commercial applications
- ISO/IEC 24722 Multi-modal and other multi-biometric fusion
- ISO/IEC 24741 Biometrics tutorial
- ISO/IEC 24745 Biometric information protection
- ISO/IEC 29109 Conformance testing methodology for biometric data interchange formats defined in ISO/IEC 19794
- ISO/IEC 29141 Tenprint capture using biometric application programming interface (BioAPI)
- ISO/IEC TR 29144:2014 The use of biometric technology in commercial Identity Management applications and processes
- ISO/IEC 29159 Biometric calibration, augmentation and fusion data
- ISO/IEC 29794 Biometric sample quality
ISO blockchain and DLT standards
ISO TC 307 blockchain and distributed ledger technology - Chairperson (until end 2019): Mr Craig Dunn
Blockchain: distributed ledger system with confirmed blocks organized in an append-only, sequential chain using cryptographic links.
Consensus: agreement among nodes that a transaction is valid and that there is a consistent set and ordering of the transactions stored in the distributed ledger.
Distributed ledger: ledger that is shared and synchronized in a distributed manner
Structure
- ISO/TC 307/SG 1 Reference architecture, taxonomy and ontology
- ISO/TC 307/SG 2 Use cases
- ISO/TC 307/SG 3 Security and privacy
- ISO/TC 307/SG 4 Identity
- ISO/TC 307/SG 5 Smart contracts
- ISO/TC 307/SG 6 Governance of blockchain and distributed ledger technology systems
- ISO/TC 307/SG 7 Interoperability of blockchain and distributed ledger technology systems
- ISO/TC 307/WG 1 Terminology
- ISO/TC 307/WG 2 Security, privacy and identity
Standards and work in progress
- ISO 22739 Blockchain and distributed ledger technologies - Terminology and concepts
- ISO 23257 Blockchain and distributed ledger technologies Reference architecture
- ISO/NP TR 23244 Blockchain and distributed ledger technologies - Overview of privacy and personally identifiable information (PII) protection
- ISO/NP TR 23245 Blockchain and distributed ledger technologies - Security risks and vulnerabilities
- ISO/TR 23455:2019(en) - Blockchain and distributed ledger technologies Overview of and interactions between smart contracts in blockchain and distributed ledger technology systems
- ISO/NP TR 23246 Blockchain and distributed ledger technologies - Overview of identity
Other
- ISO 19941 for interoperability
- ISO 29003 identity proofing - introducing LOIP - levels of identity proofing
ISO crypto standards
Refer to crypto-timestamping
Hashing and MAC
- IS 10118 Hashing
- IS 9797 MAC
Encryption
- IS 18033 Encryption
- IS 10116 Modes of operation
- IS 15946 ECC
Authentication
- IS 9798 Entity authentication
- ISO/IEC 20009: Anonymous entity authentication
- IS 13888 Non-repudiation:
- ISO/IEC 13888-1:2009 Non-repudiation - Part 1: General
- ISO/IEC 13888-2:2010 Non-repudiation - Part 2: Mechanisms using symmetric techniques
- ISO/IEC 13888-3:2010 Non-repudiation - Part 3: Mechanisms using asymmetric techniques
- IS 18014 Time-stamping
Trusted Platform Module
The TPM is a security chip connected to the CPU that provides isolated storage of encryption keys and of Platform Configuration Registers (PCRs).
These PCRs hold hash values, which can only be updated by extending them.
An extension consists of appending the current register value to the input, hashing it and storing the resulting hash in the register.
The registers are complemented by a 'measurement log' which consists of a list of items that have been executed.
Replaying the log should result in the same value as stored in the register.
This can be used to record the boot process of a platform by 'extending' every piece of code to be executed into a register before the code is loaded.
The first item loaded, the bootloader, cannot be measured in this way and is therefore referred to as the 'root of trust for measurement'.
Remote attestation allows a platform to report the measurements collected during boot.
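The extend-and-replay mechanism described above, as an added example that is not part of the original page: a Python simulation of one SHA-256 PCR, a measured boot that extends each component before loading it, and the verifier's side of remote attestation (replay the log, compare to the attested register, then check every digest against known-good values). TPM 2.0 defines the extend operation as PCR_new = H(PCR_old || digest) with the register reset to all-zero bytes, and the replay must use the same order. The component names, their contents and the allowlist are constructed sample data; the root of trust for measurement itself is not an entry in the log.

```python
# Added example (not from the original page): simulating TPM PCR extension and
# measurement-log replay with a SHA-256 PCR bank. TPM 2.0 defines the extend
# operation as PCR_new = H(PCR_old || digest), with the register starting at
# all-zero bytes. Component names, contents and the allowlist below are
# constructed sample data, not real firmware.
import hashlib
import hmac
from typing import Dict, List, Tuple

DIGEST_LEN = 32                      # SHA-256 bank: 32-byte registers
INITIAL_PCR = bytes(DIGEST_LEN)      # PCR reset value: all zeros

LogEntry = Tuple[str, bytes]         # (component name, measured digest)


def measure(component: bytes) -> bytes:
    """Digest of a piece of code or data that is about to be loaded."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """One TPM2_PCR_Extend step: hash the old register value followed by the new digest.

    The register can never be written directly; the only way to change it is to
    fold another digest into it, so its value depends on every earlier extend
    and on their order.
    """
    if len(pcr) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("PCR and digest must both be %d bytes" % DIGEST_LEN)
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[LogEntry]]:
    """Simulate a measured boot: extend each component into the PCR before 'loading'
    it, and append the (name, digest) pair to the measurement log."""
    pcr = INITIAL_PCR
    log: List[LogEntry] = []
    for name, blob in components:
        digest = measure(blob)
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log: List[LogEntry]) -> bytes:
    """Recompute the PCR value a log claims to describe, starting from the reset value."""
    pcr = INITIAL_PCR
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def log_matches_pcr(reported_pcr: bytes, log: List[LogEntry]) -> bool:
    """Verifier-side check: the replayed log must reproduce the attested PCR exactly."""
    return hmac.compare_digest(replay_log(log), reported_pcr)


def unknown_components(log: List[LogEntry], allowlist: Dict[str, bytes]) -> List[str]:
    """Verifier-side policy: once the log is shown to be consistent with the PCR,
    every measured digest must be a known-good one. Returns the names that are not."""
    return [name for name, digest in log if allowlist.get(name) != digest]


def tampered_log(log: List[LogEntry], index: int, replacement: bytes) -> List[LogEntry]:
    """Copy of the log with one entry re-measured from different content,
    i.e. what a modified component would have produced."""
    edited = list(log)
    name = edited[index][0]
    edited[index] = (name, measure(replacement))
    return edited


# Constructed sample boot chain (the bytes stand in for real firmware images).
SAMPLE_BOOT_CHAIN = [
    ("second-stage loader", b"second-stage loader v1.2 (constructed sample)"),
    ("kernel", b"kernel 6.1 image (constructed sample)"),
    ("initrd", b"initrd image (constructed sample)"),
]

# Golden values the verifier expects: the digests of the approved components.
ALLOWLIST = {name: measure(blob) for name, blob in SAMPLE_BOOT_CHAIN}


if __name__ == "__main__":
    pcr, log = measured_boot(SAMPLE_BOOT_CHAIN)
    print("attested PCR:", pcr.hex())
    print("log replays to PCR:", log_matches_pcr(pcr, log))
    print("unknown components:", unknown_components(log, ALLOWLIST))
    bad = tampered_log(log, 1, b"kernel with an unapproved patch (constructed)")
    print("tampered log replays to PCR:", log_matches_pcr(pcr, bad))
    print("reordered log replays to PCR:", log_matches_pcr(pcr, list(reversed(log))))
```

Two checks are needed, not one: replaying the log only proves the log is the one that produced the register, so a verifier must also compare each logged digest against golden values; a log that replays correctly but contains an unknown kernel digest is exactly the case remote attestation exists to surface.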
Signing
Basics
- IS 9796 Signatures with message recovery
- IS 14888 Signatures with appendix
- ISO/IEC 20248:2018 is an ISO/IEC 9594-8 application specification for automated identification services. It specifies a method whereby data stored within a barcode and/or RFID tag are structured, encoded and digitally signed.
- ISO/IEC 9594-8 Public Key Infrastructure: digital signatures and certificates
Long term signature
- ISO 14533-1:2012, Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES)
- ISO 14533-2:2012, Processes, data elements and documents in commerce, industry and administration Long term signature profiles Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES)
Blind signature
- ISO/IEC 18370 Blind Signature
Anonymous signatures
- ISO/IEC 20008: Anonymous digital signatures
- ISO/IEC 29191: Requirements on relative anonymity with identity escrow model for authentication and authorization using group signatures
Other
- IS 7064 Check character systems
Management
Assurance and testing
- ISO 29128 crypto protocols assurance levels
- ISO/IEC 24759:2008 Methods to test whether a cryptographic module conforms to the requirements specified in ISO/IEC 19790:2006.
Biometric protection
- NP 24745 Biometric template protection
Authenticated encryption
- IS 19772 Authenticated encryption
Generation
- IS 18031 Random bit generation
- IS 18032 Prime number generation
ISO smart card standards
Also CEN and ETSI/3GPP are very influential in this field.
- IS 7816 family
- 7816-1 Physical characteristics
- 7816-2 Dimensions and location of the contacts
- 7816-3 Electronic signals and transmission protocols
- 7816-4 Interindustry commands for interchange
- 7816-5 Numbering system and registration procedure for application identifiers
- 7816-6 Interindustry data elements
- 7816-7 Interindustry commands for structured card query language (SCQL)
- 7816-8 Security related interindustry commands
- 7816-9 Additional interindustry commands and security attributes
- 7816-10 Electronic signals and answer to reset for synchronous cards
- IS 10373 Basic test methods for cards
- IS 10536 Proximity cards - up to 2 mm contactless cards (abandoned)
- IS 14443 Proximity cards - up to 10 cm contactless cards -A (Mifare), -B (RATP)
- IS 15693 Vicinity cards - up to 1.5 m contactless cards - also referred to as RFID
- IS 18000 RFID Air interface standard
- IS 24727 Interoperability for cards (draft)
ISO other standards
Identity
Other
- ISO 17021:2006 Certification bodies (e.g. for ISO/IEC 27001)
- ISO 10181 Security Framework (including access control) - corresponds to X.800 series
- ISO 12931:2012 Performance criteria for authentication solutions used to combat counterfeiting tools (from ISO/TC 246 Anti-counterfeiting tools)
- ISO 15947 IDS
- ISO 22857 Protection of medical information
- ISO/PAS 28001:2006 Security management systems for the supply chain - Best practices from implementing supply chain security
- ISO/PAS 28001:2006 Security management systems for the supply chain - Guidelines for the implementation of ISO/PAS 28000
- ISO/IEC 29003 Identity proofing
- ISO/IEC CD 29184 Information technology - Online privacy notices and consent (see also Kantara)
- ISO 31000 Risk Management
- CD 13569 Banking - information security guidelines
- IS 18028 Network security
- IS 18043 Intrusion detection systems
- IS 18044 Incident management
- Historical: TR 13335 GMITS - guidelines for the management of IT security
- IS 13335-1 MICTS - Concepts and models for managing and planning ICT security (contains reworked GMITS parts 1 and 2)
- IS 13335-2 MICTS - Information security risk management (contains reworked GMITS parts 3 and 4, part 5 went to 18028)
ISO other standards - TTP and related
- ISO 14516 Guidelines for TTP services
- ISO 19626 Trusted communication platform for electronic documents - legally provable way of dematerialisation, Jasmine Jaegyong Chang, 2017
- ISO 21188:2018 Public key infrastructure for financial services Practices and policy framework
ISO other standards - healthcare
- ISO 17090-1 Health informatics - PKI - digital certificates in the medical domain, security and interoperability
- ISO 17090-2 Health informatics - PKI - the application of digital certificates
- ISO 17090-3 Health informatics - PKI - management aspects
- ISO TS 21547:2010 Health informatics - Security requirements for archiving of electronic health records - Principles
- ISO TR 21548:2010 Health informatics - Security requirements for archiving of electronic health records - Guidelines
ISO other standards - transport and vehicle related
- ISO/TR 12859:2009 ITS System Architecture - Privacy aspects in ITS standards and systems
- ISO/TS 24534-5:2008 Automatic vehicle and equipment identification -- Electronic Registration Identification (ERI) for vehicles -- Part 5: Secure communications using symmetrical techniques
ISO other standards - IT governance
- ISO/IEC 38500:2015 Information technology Governance of IT for the organization
ISO other standards - devices
- ISO/SAE 21434 Road Vehicles Cybersecurity Engineering Standard
ISA - International Society of Automation
ITU-T
- ITU-T
- X.509
- X.841, X.842, ...
- H.235 security for multi-media terminals
EU standards and related matters
Europe's Standards Development Organisations are CEN, CENELEC and ETSI. Regarding security standards, there is the SOG-IS group. Furthermore there is ENISA.
ENISA - certification schemes
- ENISA - working on:
- EUCC - the European Cybersecurity Certification Scheme on Common Criteria
- A Schema for Certification schemes based on Common Criteria (280 pages)
- Assurance level defined in CSA (Art.52, basic, substantial, high)
- Matrix of criteria (AVA_VAN.1-5) mapping to those levels
- The EUCC Scheme shall not allow for conformity self-assessments.
- EUCS - the European Certification Scheme for Cloud Services
- EU5G - the European Cybersecurity Certification Scheme for 5G
CEN
- CWA's - CEN Workshop Agreements
- CWA's - CEN Workshop Agreements - pointer
- CWA 14167-1/4 Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures
- CWA 14169 Secure Signature-Creation Devices "EAL 4+"
- CWA 14170 Security Requirements for Signature Creation Applications
- CWA 14171 General guidelines for electronic signature verification
- CWA 14172 -1/8 EESSI Conformity Assessment Guidance
- CWA 14174 FINREAD
- CWA 14355 Guidelines for the implementation of Secure Signature Creation Devices
- CWA 14365-1/2 Guide on the Use of Electronic Signatures
- CWA 14722 Embedded FINREAD
- CWA 14890-1/2 Application Interface for smart cards used as Secure Signature Creation Devices
- CWA 15264 eAuthentication
- CWA 15499-1 Personal Data Protection Audit Framework (EU Directive EC 95/46) Part I: Baseline Framework - The protection of Personal Data in the EU
- CWA 15499-2 Personal Data Protection Audit Framework (EU Directive EC 95/46) Part II: Checklists, questionnaires and templates for users of the framework - The protection of Personal Data in the EU
- CWA 15262 Inventory of Data Protection Auditing Practices
- CWA 15263 Analysis of Privacy Protection Technologies, Privacy- Enhancing Technologies (PET), Privacy Management Systems (PMS) and Identity Management systems (IMS), the Drivers thereof and the need for standardization
- CWA 15292 Standard form contract to assist compliance with obligations imposed by article 17 of the Data Protection Directive 95/46/EC (and implementation guide)
- EN 15713:2009 Secure disposal of confidential material
- Relevant extract
CENELEC
ETSI
EU standards were particularly successful in mobile communication such as GSM. These standards were originally driven through CEPT (European Conference on Post and Telecommunications Administrations).
In 1988, ETSI took over, and in 2001 GSM standardisation was transferred to the global 3GPP.
Areas covered by ETSI:
- GSM and 3GPP
- SAGE (algorithms such as for GSM (A3, A5, A8), 3GPP (Milenage family), UMTS radio interface (UEA1, UIA1, both based on SAGE's Kasumi, actually a variation of Mitsubishi's Misty1))
- TETRA and DECT
- EMTEL (emergency) and MESA (safety)
- LI - Lawful Interception
- TIPHON, SPAN, TISPAN (Telecom and Internet Converged Services and Protocols for Advanced Networks)
- Broadcasting, satellite, IPCablecom
For ETSI security and crypto standards refer to ETSI security standards.
For the different types of ETSI standards refer to the ETSI standards information page.
SOG-IS
Aim
Coordinate the standardisation of Common Criteria protection profiles and certification policies between European Certification Bodies.
Selected EU Member States participate in SOG-IS - Senior Officials Group Information Systems Security. The SOG-IS agreement was produced in response to the EU Council Decision of March 31st 1992 (92/242/EEC) in the field of security of information systems, and the subsequent Council recommendation of April 7th (1995/144/EC) on common information technology security evaluation criteria.
SOG-IS participants subscribe to the MRA, the Mutual Recognition Agreement of Information Technology Security Certificates.
Scope
Scope is
- Smartcards and Similar Devices
- Hardware Devices with Security Boxes
Publishes Joint Interpretation Library (JIL) Interpretations for Security Certification according to eIDAS Regulation 910/2014. Relevant for eIDs and related material.
Participants
SOG-IS participants can be:
- Qualified/Authorising participants, e.g. France with ANSSI, Germany with BSI, etc.
- Consuming participants, e.g. Belgium.
Participants include a.o.:
- FR: Agence Nationale de la Sécurité des Systèmes d'Information - ANSSI
- DE: Bundesamt für Sicherheit in der Informationstechnik - BSI
- UK: CESG
- NL: Netherlands National Communications Security Agency, Ministry of Interior and Kingdom Relations (BZK) - NLNCSA
- SE: Swedish Defence Materiel Administration (FMV)
- ES: Organismo de Certificación de la Seguridad de las Tecnologías de la Información, CCN Centro Criptológico Nacional
- FI: Finnish Communications Regulatory Authority (FICORA)
- NO: Norwegian National Security Authority, operates the Norwegian Certification Authority for IT Security (SERTIT)
Other
GSMA
- GSMA NESAS - network equipment security assurance scheme
Standards from consortia
Global de-facto standards and related matters
- OASIS SAML, XACML, web services, ebXML, WS Biometric Device, ...
- W3C and IETF - XMLDSIG
- http://www.ietf.org/rfc/rfc2807.txt - XML Signature Requirements
- http://www.ietf.org/rfc/rfc3275.txt - XML-Signature Syntax and Processing
- other RFC's address canonical XML, XPath and related matters
- W3C and IETF - ref XaDES
Emerging: BS 1008:2208 Evidential weight and legal admissibility of electronic information
IETF
Refer also to cryptostandards.
Other
US standards and related matters
NIST
Selection
- SP 800-26 Self assessment guide for IT systems
- SP 800-51 CVE - Common Vulnerabilities and Exposures standard
- SP 800-53 Recommended security controls for federal government systems
- FIPS PUB 140 - cryptographic hardware implementation
- FIPS PUB 201 PIV - Personal Identity Verification
ANSI - American National Standards Institute
- US - ANSI
ANSI/NIST Biometrics
- ANSI/NIST - American National Standards Institute / National Institute of Standards and Technology Standards
- ANSI/NIST-ITL-1 Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information in Traditional Format
- ANSI/NIST-ITL-2 Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information in NIEM-conformant XML format
ANSI other standards
- RBAC - ANSI INCITS 359-2004, accepted Feb 2004
- ANSI X9F Data and information security for financial services
Other
- US - CERT
- US - Lawrence Livermore National Laboratory
- US - CIAC Security site
- US - NCSC
- US - NCSC - Orange Book
- US - Security definitions - tip from Dieter Gollman
- US - DOD Orange Book - url?
- OpenGroup.org/Security (a.o. GSS-API, AZN-API...)
- OpenGroup.org/Jericho (secure boundaryless information flow)
- US - INCITS - InterNational Committee for Information Technology Standards
ANSI/INCITS
- ANSI/INCITS 359 - RBAC
- ANSI INCITS 358 The BioAPI Specification
- ANSI INCITS 398 Common Biometric Exchange Formats Framework (CBEFF)
- ANSI INCITS 434 Tenprint Capture Using BioAPI
- ANSI INCITS 442 Biometric Identity Assurance Services (BIAS)
- ANSI INCITS 429 Conformance Testing Methodology for ANSI INCITS 358
- ANSI INCITS 377 Finger Pattern-Based Format for Data Interchange
- ANSI INCITS 378 Finger Minutiae Format for Data Interchange
- ANSI INCITS 379 Iris Image Interchange Format
- ANSI INCITS 381 Finger Image Format for Data Interchange
- ANSI INCITS 383 Biometric Profile Interoperability and Data Interchange Biometrics-Based Verification and Identification of Transportation Workers
- ANSI INCITS 385 Face Recognition Format for Data Interchange
- ANSI INCITS 394 Application Profile for Interoperability, Data Interchange and Data Integrity of Biometric-Based Personal Identification for Border Management
- ANSI INCITS 395 Signature/Sign Format (for Data Interchange)
- ANSI INCITS 396 Hand Geometry Format for Data Interchange
- ANSI INCITS 423 Conformance Testing Methodology Standard for Biometric Data Interchange Format Standards
- ANSI INCITS 439 Fusion Information Format for Data Interchange
- ANSI INCITS 421 Biometric Profile Interoperability and Data Interchange DoD Implementations
- ANSI INCITS 422 Application Profile for Commercial Biometric Physical Access Control
- ANSI INCITS 409 Biometric Performance Testing and Reporting