TC 11 - Security and Privacy Protection in Information Processing Systems - Aims and Scopes

est. 1984, revised 2006, 2009


To increase the trustworthiness and general confidence in information processing and to act as a forum for security and privacy protection experts and others professionally active in the field.


Work towards:

*    the establishment of a common frame of reference for security and privacy protection in organizations, professions and the public domain;

*    the exchange of practical experience;

*    the dissemination of information on and the evaluation of current and future protective techniques;

*    the promotion of security and privacy protection as essential elements of information processing systems.

*    The clarification of the relation between security and privacy protection.

WG11.1 - Information Security Management
est. 1985, revised 1992


As management, at any level, may be increasingly held answerable for the reliable and secure operation of the information systems and services in their respective organizations in the same manner as they are for financial aspects of the enterprise, the Working Group will promote all aspects related to the Management of Information Security.

These aspects cover a wide range, from purely managerial aspects concerning Information Security, (like upper management awareness and responsibility for establishing and maintaining the necessary policy documents), to more technical aspects (like risk analysis, disaster recovery and other technical tools) to support the Information Security management process.  


*    to study and promote methods to make senior business management aware of the value of information as a corporate asset, and to get their commitment to implementing and maintaining the necessary objectives and policies to protect these assets

*    to study and promote methods and ways to measure and assess the security level in a company and to convey these measures and assessments to management in an understandable way;

*    to research and develop new ways to identify the Information Security threats and vulnerabilities which every organization must face;

*    to research and identify the effect of new and changed facilities and functions in new hardware and software on the management of Information Security;

*    to study and develop means and ways to help information security managers to assess their effectiveness and degree of control;

*    to address the problem of standards for Information Security. 


There is a growing trend for senior business management to be held answerable for the reliable and secure operation of their information systems, as they are for control of their financial aspects. Information Security is, and should always be upper management responsibility.
Information security professionals, and WG 11.1 in particular, should therefore be responsible for the development of all types of tools, mechanisms and methods to support top management in this new responsibility. 

WG11.2 – Pervasive Systems Security
est. 1985, revised 1992, 1995, 2009


To investigate methods and issues in the area of information security related to pervasive systems; and to advance knowledge and awareness of the subject through publications, conferences and other means. The aim is to address pervasive systems security from both a functional, technical, and societal perspective.


The scope of the working group shall be to:

*    Promote the design of the new information security techniques and methods in pervasive systems.

*    Investigate and report on the information security aspects of information technology products and information services for pervasive systems.

*    Design guidelines and promote methodologies for the implementation of information security in pervasive systems.

*    Investigate intelligent token and smart card applications in information security with the aim of making the user less dependent on single fixed environment.

*    To foster public debate on the security and privacy issues that emerge when pervasive systems are deployed on a large scale.


Pervasive systems shall be defined to be large scale systems that are comprised of nodes ranging from RFID tags, through embedded systems, to personal mobile devices, interconnected by a mixture of short range wireless and wide are wired networks. The typical characteristics of a pervasive system are: resource constrained nodes, often physically unreachable or without user interface, whose interconnections often span a large number of administrative domains with conflicting interests. Security of such systems is therefore an emergent property.

WG11.3 - Data and Application Security and Privacy
est. 1987, revised 2001, 2011


To promote wider understanding of the risks to society of operating data management systems that lack adequate measures for security or privacy.

To encourage the application of existing technologies for enhancing the security and privacy of data management systems. 


To advance technologies that support:

*    the statement of security and privacy requirements for data management systems;

*    the design, implementation, and operation of data management systems that include security and privacy functions; and

*    the assurance that implemented data management systems meet their security and privacy requirements. 

WG11.4 - Network & Distributed Systems Security
est. 1985, revised 1992, 1997, 2003, 2016


*    To study and promote internationally accepted processes which will enable management and technicians to fully understand their responsibility in respect of the reliable and secure operation of the information networks which support their organizations, their customers or the general public.;

*    To study and promote education and training in the application of security principles, methods, and technologies to networking.


The scope of the working group is:

*    To promote the awareness and understanding of the network aspect of information systems security.

*    To provide a forum for the discussion, understanding and illumination of network security matters.

*    To study and identify the managerial, procedural and technical aspects of network security; and hence to define the network security issues.

*    To study and describe the risks that arise from embedding an information system in a network environment.

*    To advance technologies and practices that support network security controls, make possible the statement of requirements for network security, and in general, advance the foundation for effective network security.

*    To contribute, as feasible and appropriate, to international standards for network security.


Management in any organization is responsible for the reliable and secure operation of the information systems that support the organization. As inter and intra-organization networking between information systems become the rule as well as the daily operational environment, the scope of concern takes on new aspects and new technical details come into play.
Management must not only address the security issues of wholly internal systems together with any networks to which they might be connected, but also must assure that the protective mechanisms installed in them are not accidentally or intentionally thwarted or subverted by other systems with which data exchange connections are established.

The range of subjects includes local area networks, regional and wide area networks, homogeneous and heterogeneous networks, and the networks which can arise for varying periods of time as a result of operational requirements for temporary or semi-permanent interconnections which can exist for varying periods of time.

Such networks will include dial-up or other connections which permit an organization's employees to work from their homes, and those external connections enabling organizations to transact mutually linked business activities e.g. such as will take place under EDI agreement.

WG11.5 –
IT Assurance and Audit
est. 2013


The aim of the Working group (hereinafter referred to as WG) as part of TC-11 is to study and develop detailed knowledge on IT assurance and audit models, standards, processes and techniques to meet the needs of organizations from a wider business perspective. The WG provides professionals operating in the field thorough insight into the IT audit function in financial reporting and compliance, and offers pragmatic ideas, approaches, instruments, guidelines and tooling that contribute to responsibly utilizing a demand driven way of IT assurance in addition to the existing and common practices.

Although the application and benefits of IT assurance and audit services are definitely in no doubt, it is essential to advance these necessary products to the next and more actual and mature level with a broad organizational focus that also possesses a risk and future based characteristics


The following topics are initially part of the WG:

*    IT audit in financial statement review.

*    IT assurance reporting standards.

*    IT risk management and Enterprise Risk Management (ERM)

*    Continuous assurance and audit.

*    Information assurance.

*    Software assurance.

*    Governance, Risk and Compliance (GRC).

*    Service assurance tooling.

The WG seeks collaboration with other working groups inside and outside IFIP. Examples include, but are not limited to, Information Systems Audit and Control Association (ISACA).

WG11.6 – Identity Management
est. 2006


The aim is to promote through education, research and outreach, the awareness and understanding of:
1. Identity management in general, and, in this context:
    -      identity management applications and methodologies;
    -      optical and electronic document security;
    -      potential and actual role and function of biometrics in particular;
2. Methods and techniques that can help to evaluate (specific) biometric technologies;
    -      operational aspects of biometrics;
    -      legal aspects of the application of biometrics;
    -      impact of biometrics on society;
    -      methods and techniques that can help to improve the quality of biometric technology (performance, privacy, compliance); and
3. National identity management in particular:
    -      national identity management as (a kind of) federated identity management;
    -      national identity management as a part of multilateral identity management;
    -      (possible) role and effectiveness of identity management in fighting (inter)national fraud,     crime and terrorism;
    -      methods and techniques that can help to improve the quality of national identity management.


1. To establish and expand a common identity management lexicon so that the international community speaks the same language.
2. To propose, define and evaluate identity management applications and methodologies that will meet the standards of decision-makers in the public and private sector.
3. To propose, define and evaluate optical and electronical document security technologies that will meet the standards of decision-makers in the public and private sector.
4. To propose, define and evaluate biometric technologies and methodologies to be incorporated in (national) identity management that will meet the standards of decision-makers in the public and private sector.
5. To promote through education, research and outreach, a wider understanding of the legal, social and operational issues related to (national) identity management in general and the technologies mentioned above in particular.
6. In order to promote discussion related to research in the field, WG 11.6 will foster cooperation between:

*    International communities

*    Stakeholders, scientists and industry.

*    Technicians, sociologists, biologists, philosophers, psychologists and political scientists.

WG11.8 - Information Security Education
est. 1991


To promote information security education and training at the university level and in government and industry. 


The scope of the working group shall be to:

*     establish an international resource center for the exchange of information about education and training in information security.

*     develop model courses in information security at the university level.

*     encourage colleges and universities to include a suitable model course in information security at the graduate and/or undergraduate level in the disciplines of computer science, information systems and public service.

*     develop information security modules that can be integrated into a business educational training program and/or introductory computer courses at the college or university level.

*     promote an appropriate module about information security to colleges and universities, industry and government.

*     collect, exchange and disseminate information relating to information security courses conducted by private organizations for industry.

*     collect and periodically disseminate an annotated bibliography of information security books, feature articles, reports, and other educational media. 

WG11.9 - Digital Forensics
est. 2004


The aim of the IFIP WG11.9 group is to promote through education, research and outreach, the awareness and understanding of (i) the scientific methods and techniques that help to tell about a computer related security incident (including those that involve converging digital technology), what occurred, when it occurred, how it occurred, what resources were affected and who initiated the incident, in a manner that will support a legal action, and (ii) the operational and legal aspects of new and emerging digital technology so as to help develop such methods and techniques. 


WG11.10 – Critical Infrastructure Protection
est. 2006


The principal aim of IFIP WG 11.10 is to weave science, technology and policy in developing and implementing sophisticated, yet practical, solutions that will help secure information, computer and network assets in the various critical infrastructure sectors. Information infrastructure protection efforts at all levels – local, regional, national and international – will be advanced by leveraging the WG 11.10 membership’s strengths in sustained research and development, educational and outreach initiatives.



WG11.11 – Trust Management
est. 2006


Working Group 11.11 aims to provide a forum for cross-disciplinary investigation of the application of trust as a means of establishing security and confidence in the global computing infrastructure, recognizing trust as a crucial enabler for meaningful and mutual beneficial interactions. The working group will bring together researchers with an interest in complementary aspects of trust, from both technology oriented disciplines and the field of law, social sciences and philosophy. In this way the working group will provide the common background necessary for advancing towards an in-depth understanding of the fundamental issues and challenges in the area of trust management in open systems.

The main membership will most likely be specialized researchers, both from universities and company laboratories. Government organizations and IFIP member societies and their members will be the main users of the results of the group.

Working Group 11.11 has a link to the area of other groups, both inside and outside IFIP and the group will seek actively for close cooperation with these groups.

SCOPE of the working group (non-exhaustive and non-exclusive):

WG11.12 – Human Aspects of Information Security and Assurance
est. 2010


The Human Aspects of Information Security and Assurance Working Group seeks to promote all aspects of research that can better support and inform our use of security within information systems.


The scope of the WG11.12 includes any aspects that pertain to the attitudes, perceptions and behavior of people, and how human characteristics or technologies may be positively modified to improve the ease of use and level of protection provided.  Indicative themes within this remit will include:

It is anticipated that the activity of this Working Group will have many cross-disciplinary aspects with other groups, both inside and outside of IFIP and the group will actively seek close cooperation.

WG11.14 – Secure Engineering
est. 2013


The Working Group 11.14 aims to provide a forum for cross-disciplinary investigation of “secure services engineering” with attention also at the software-services and system aspects. The working group will bring together researchers with an interest in several area of computer science, including, security, security engineering, service engineering, software engineering, formal methods and related fields. The WG will leverage on the experience and community developed by the NESSoS Network of Excellence ( on Engineering Secure Future Internet Software Services and Systems.

We can list the main aims as:


The main membership will most likely be specialized researchers, both from universities and corporate laboratories. Government organizations and IFIP member societies and their members will be the main users of the results of the group.

Working Group 11.14 has a link to the area of other groups, both inside and outside IFIP (as the ERCIM WG on security and trust management) and the group will seek actively for close cooperation with these groups.

Scope of the working group

·       Security requirements engineering

o Emphasis on identity, privacy and trust

o Requirements languages for managing legislative constraints and socio-
       technical and economic aspects

o Conflicts resolution between security requirements and other requirements

o Privacy requirements engineering


·       Secure Service Architectures and Design

o Reasoning about security in multi-concern design models

o Security design patterns

o Support for model-driven security dynamic adaptation

o Integrate security modelling in domain-specific modelling languages

·       Security support in programming environments

o Service creation

·       Security support for service creation (by composing services or by programming new services from scratch

o Service execution

·       Security enforcement at runtime

o Middleware

·       Monitoring of business compositions

o Secure service programming

·       Adherence to programming principles and best practices 

·       Verifiable concurrency

o Platform support for security enforcement

·       Secure cross domain interactions

·       Finely grained execution monitoring

·       Supporting security assurance for FI services


·       Service composition and adaption

o Evolution of security contracts during the whole life of software

o Trustworthy market of composable services

o Assessing risk of a service compostion

o Test –bed for comparing service adaptation by contracts approaches


·       Runtime verification and enforcement

o Run-time monitoring of data flow

o Usage control properties monitoring


·       Risk and Cost-aware Secure Service Development

o Risk and cost analysis process: towards incremental and iterative process
       through Secure Service Development

o Risk composition and aggregation

o Risk and cost evolution

o Risk validation and integration

o Applying formal methods to risk management

o Runtime re-configurability of security based on risk management


·       Security assurance for services

o Early assurance

·       Step-wise refinement of security (from policies down to mechanisms)

·       Formal verification of security policies models

·       Certification and audit frameworks for scenarios involving outsourcing of services

o Implementation assurance

·       Secure programming

·       Security testing and debugging

·     Penetration testing (specially model-based penetration testing)

·     Automatic generation of test for web applications

·       Debugging

·       Secured session management for web service security       

·       Quantitative security for assurance

o Formal security metrics

o Metrics for privacy and isolation in cloud computing

o Validation and comparison frameworks for security metrics

o Compositional calculation in service-oriented systems