Comments and suggestions for the final release can be sent to sp800-98 AT nist DOT gov using the subject "Comments on Public Draft SP 800-98" by October 27, 2006.
Table of contents of the document
- Executive Summary
- 1. Introduction
- 1.1 Authority
- 1.2 Purpose and Scope
- 1.3 Document Structure
- 2. RFID Technology
- 2.1 Automatic Identification and Data Capture (AIDC) Technology
- 2.2 RFID System Components
- 2.3 RF Subsystem
- 2.3.1 Tag Characteristics
- 2.3.2 Interrogator Characteristics
- 2.3.3 Tag-Interrogator Communication
- 2.4 Enterprise Subsystem
- 2.4.1 Middleware
- 2.4.2 Analytic Systems
- 2.4.3 Network Infrastructure
- 2.5 Inter-Enterprise Subsystem
- 2.5.1 Open System Networks
- 2.5.2 Object Naming Service (ONS)
- 2.5.3 Discovery Service
- 2.6 Summary
- 3. RFID Applications and Application Requirements
- 3.1 RFID Application Types
- 3.1.1 Asset Management
- 3.1.2 Tracking
- 3.1.3 Matching
- 3.1.4 Process Control
- 3.1.5 Access Control
- 3.1.6 Automated Payment
- 3.1.7 Supply Chain Management
- 3.2 RFID Information Characteristics
- 3.3 RFID Transaction Environment
- 3.3.1 Distance between Interrogator and Tag
- 3.3.2 Transaction Speed
- 3.3.3 Network Connectivity and Data Storage
- 3.4 The Tag Environment between Transactions
- 3.4.1 Data Collection Requirements
- 3.4.2 Human and Environmental Threats to Tag Integrity
- 3.5 RFID Economics
- 3.6 Summary
- 4. RFID Risks
- 4.1 Business Process Risk
- 4.2 Business Intelligence Risk
- 4.3 Privacy Risk
- 4.4 Externality Risk
- 4.4.1 Hazards of Electromagnetic Radiation
- 4.4.2 Computer Network Attacks
- 4.5 Summary
- 5. RFID Security Controls
- 5.1 Management Controls
- 5.1.1 RFID Usage Policy
- 5.1.2 IT Security Policies
- 5.1.3 Agreements with External Organizations
- 5.1.4 Minimizing Sensitive Data Stored on Tags
- 5.2 Operational Controls
- 5.2.1 Physical Access Control
- 5.2.2 Appropriate Placement of Tags and Interrogators
- 5.2.3 Secure Disposal of Tags
- 5.2.4 Operator and Administrator Training
- 5.2.5 Separation of Duties
- 5.2.6 Non-revealing Identifier Formats
- 5.3 Technical Controls
- 5.3.1 Tag Data Protection
- 5.3.2 RF Interface Protection
- 5.4 Summary
- 6. RFID Privacy Considerations
- 6.1 Privacy Principles
- 6.2 Federal Privacy Requirements for Federal Agencies
- 6.3 Applicable Privacy Controls
- 6.4 Embedding Privacy Controls
- 6.5 Summary
- 7. Recommended Practices
- 8. Case Studies
- 8.1 Case Study #1: Personnel and Asset Tracking in a Health Care Environment
- 8.1.1 Phase 1: Initiation
- 8.1.2 Phase 2: Acquisition/Development
- 8.1.3 Phase 3: Implementation
- 8.1.4 Phase 4: Operations/Maintenance
- 8.1.5 Phase 5: Disposition
- 8.1.6 Summary and Evaluation
- 8.2 Case Study #2: Supply Chain Management of Hazardous Materials
- 8.2.1 Phase 1: Initiation
- 8.2.2 Phase 2: Acquisition/Development
- 8.2.3 Phase 3: Implementation
- 8.2.4 Phase 4: Operations/Maintenance
- 8.2.5 Phase 5: Disposition
- 8.2.6 Summary and Evaluation
Who is Manlio Torquato?
Manlio has worked in information security for many years. He is among the founders of the Associazione Nazionale Esperti di Sicurezza e Compliance (ANESC [5]). For the IsacaRoma Newsletter he has written:
- From vulnerability assessment to vulnerability management [6]
- NIST: Guide to Intrusion Detection and Prevention (IDP) Systems [7]
- The time machine – July 2004 [8]
- Italy according to the Critical Information Infrastructure Protection (CIIP) Handbook [9]
- Beach reading for Security Managers [10]
- Phishing – an attack on two-factor authentication [11]
- Zero day attack [12]
Contact? [13]