TTP guidelines

Guidelines for the management of Trusted Third Party services used to facilitate secure e-business communications are contained in a new technical report from ISO (International Organization for Standardization).

ISO/IEC TR 14516, Information technology – Security techniques – Guidelines for the use and management of Trusted Third Party services, will enable businesses to identify the type and level of protection required from Trusted Third Parties (TTPs) and how to use those services to gain customer confidence and increase e-business security.

‘Concerns about the security of e-business expressed by those in both the business-to-consumer and the business-to-business markets have seen a growth in security technologies,’ said Ted Humphreys, convenor of the ISO working group that has developed the report. ‘Emerging standards and technical reports such as ISO/IEC TR 14516 are aimed at helping to build a secure e-business environment that businesses can trust and rely on.’

ISO/IEC TR 14516 costs 116 Swiss francs and is available from ISO national member institutes and from the ISO Central Secretariat. The new standard is the work of joint technical committee ISO/IEC JTC 1, Information technology, subcommittee 27, IT Security techniques, working group one.

A Trusted Third Party (TTP) is a body that provides one or more security services within IT systems such as time-stamping, key management, certificate management, electronic notary public and non-repudiation. These security services are supplied to organizations wishing to enhance trust and business confidence in e-business and to facilitate secure communications between trading partners.

ISO/IEC TR 14516 provides guidance on the management, use and deployment of TTP services and the establishment of a TTP security policy. It is designed to help users identify the type and level of protection required according to the type of service they provide and the context within which the business application is operating.

For example, the level of protection required for the authentication of administrative transactions may be different from that required for financial transactions, which may be different from that required in some healthcare applications.

The new technical report provides businesses with a security framework designed to establish assurance that transactions and messages are delivered to the intended recipient, at the correct location, and that messages are received in a timely and accurate way. It also provides businesses, in case of any dispute that may arise, with appropriate methods for the creation and delivery of the evidence required to prove what happened.

According to Ted Humphreys, achieving adequate levels of business confidence in the use of e-business is paramount to ensure long-term success and trust in e-business. ‘Ensuring the right level of security is in place helps build this trust and protects against a range of risks that businesses are likely to face. Building confidence in e-business technologies and services will help businesses feel that e-business can be relied upon to maintain customer and trading partner commitments and contractual obligations.’

‘Securing the e-business environment requires businesses to implement the right combination of technical controls and management guidance found in ISO/IEC TR 14516 and in other security standards such as ISO/IEC TR 13335, Information technology – Guidelines for the management of IT Security and ISO/IEC 17799, Information technology – Code of practice for information security management. Their implementation can bring us that much closer to establishing the right management infrastructure for trust in e-business.’

ISO/IEC TR 14516 is intended to be used by system managers, developers, TTP operators and enterprise users.
