BS PD CEN ISO/TS 19299:2015

BS PD CEN ISO/TS 19299:2015 is an information security framework for allorganizational and technical entities of an EFC scheme and in detail for the interfaces between them,based on the system architecture defined in ISO 17573. The security framework describes a set ofrequirements and associated security measures for stakeholders to implement and thus ensure asecure operation of their part of an EFC system as required for a trustworthy environment according toits security policy.The scope of this Technical Specification comprises the following:

• definition of a trust model (Clause 5);Basic assumptions and principles for establishing trust between the stakeholders.
• security requirements (Clause 6);
• security measures – countermeasures (Clause 7);Security requirements to support actual EFC system implementations.
• security specifications for interface implementation (Clause 8);These specifications represent an add-on for security to the corresponding standards. Figure 5above shows the relevant interfaces and the corresponding relevant interface standards, asillustrated in Figure 6.
• key management (Clause 9);Covering the (initial) setup of key exchange between stakeholders and several operationalprocedures like key renewal, certificate revocation, etc.
• security profiles (Annex A);
• implementation conformance statement (Annex B) provides a checklist to be used by an equipmentsupplier, a system implementation, or an actor of a role declaring his conformity to this TechnicalSpecification;
• general information security objectives of the stakeholders (Annex C) which provide a basicmotivation for the security requirements;
• threat analysis (Annex D) on the EFC system model and its assets using two different complementarymethods, an attack-based analysis, and an asset-based analysis;
• security policy examples (Annex E and Annex F);
• recommendations for privacy-focused implementation (Annex G);
• proposal for end-entity certificates (Annex H).

Cross References:ISO 12813:2015ISO 12855:2015ISO 13141:2015ISO 14906:2011 EN 15509:2014CEN/TS 16702-1:2014ISO 17575-1:2015ISO/IEC 7816-3ISO/IEC 8825-1ISO/IEC 9594-8:2014ISO/IEC 9797-1:2011ISO/IEC 11770-1:2010ISO/IEC 11770-3:2015ISO/IEC 18031ISO/IEC 18033-2ISO/IEC 19790ISO/IEC 27001ISO/IEC 27002:2013ISO/IEC 27005IETF RFC 4301:2005IETF RFC 4347:2006IETF RFC 4648:2006IETF RFC 5035:2007IETF RFC 5246:2008IETF RFC 5280:2008IETF RFC 5746:2010FIPS 140-2:2002ISO 7498-2:1989ISO/IEC 8825-2ISO/IEC 8825-4ISO/IEC 9646-7:1995ISO 17573:20102004/52/EC95/46/EC2006/24/EC2008/597/ECISO/IEC 27000:2014ISO/IEC 27003:2010IETF RFC 2634NIST 800-131A:2011ISO/IEC 14888-1:2008 ISO/IEC 14888-2:2008ISO/IEC 14888-3:2006ISO/IEC 18033-3:2010ISO/IEC 10118-3ISO/IEC 10181-1:1996ISO/TS 14907-2:2011ISO 15782-1:2009ISO/TS 17575-3:2011ISO/TS 17575-3:2011/Corrigendum 1:2013 CEN/TS 16702-2:2014CEN/TR 16690:2014CEN/TR 16092:2011ETSI/TR 102 893:2010ETSI ES 674 200-1