BS ISO-IEC 20243-2015 – Information Technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products.
What potential security risks may be inherited from supply chains, both for software and hardware, and how does the Original Equipment Manufacturer (OEM) assess and manage these risks?
What supply chain security practices can mitigate potential risks of significant supply chain attacks?
What are the risks to confidentiality, integrity, and availability of a customer’s environment or critical infrastructure as a result of procurement by customers of counterfeit components and products?
What software or technology development or engineering practices can help reduce product integrity risks?
How are product integrity and risk managed through the adoption of industry best practices and assurance programs?
Because COTS ICT products are used extensively in both private industry and government acquisition, an alignment of interests exists between enterprise customers and government customers. There is a shared business value in understanding the factors that contribute to the integrity of COTS ICT products and supply chain security, identifying those practices that can improve product integrity and supply chain security, accrediting providers who follow those best practices, and knowing how to identify trustworthy products that were built by Trusted Technology Providers.
2.2.2 Objectives and Benefits
The technology supply chain continues to become more globalized, segmented, and specialized. All commercial and government acquirers, integrators, software developers, hardware providers, and manufacturers are members of the global technology supply chain. Consequently, every member of this global community has a responsibility to ensure the security of the end-to-end technology supply chain.
The Open Group Trusted Technology Forum (OTTF) is intended to facilitate the evolution of the O-TTPF (Framework) and O-TTPF-related Standards to allow compliant providers to address the ever-changing supply chain landscape and new threats as they emerge.
The OTTF also intends to provide an accreditation program that will allow providers a market differentiator associated with having that status, which could result in better and more frequent business partnerships among Trusted Technology Providers and integrators.
Integrators: Integrators will be able to buy products and components (hardware and software) from Trusted Technology Providers and suppliers, enabling that part of their integration work that is based on outsourcing and partnerships to be more secure and trustworthy. In addition, integrators who follow the O-TTPS and are Trusted Technology Providers will realize the same benefits as the providers (above).
Acquirers: Acquirers will be able to consider a provider’s adherence to the O-TTPS as one element of their own comprehensive commercial technology procurement and risk management strategy.
Marketplace at Large: Over time, widespread use of and/or reference to the OTTF’s work products will help realize security enhancements throughout the global information infrastructure in a manner that promotes trust, accountability, and global innovation.
By working together, the members of the OTTF have brought to the table their own best practices and have created a composite set of best practice requirements and recommendations to be codified in this and future Standards. The OTTF work is notable in representing consensus for commercially reasonable best practices from industry in addressing the threats in focus. Once the Standards have been approved and published, they will be available to large and small organizations throughout the world to reference and incorporate into their practices, with the intent of raising the bar for all providers and component suppliers. This, in and of itself, would be a major benefit for global providers and customers, including governments.
2.3 Recognizing the COTS ICT Context
It is important, in defining this Standard of best practice requirements and recommendations, to outline the COTS ICT context and limitations. Identifying self-imposed and practical limitations enables businesses to focus upon making improvements in those critical areas that will help to deliver the practical improvements at the heart of this Standard. Clearly stating such limitations is essential to avoiding effort not focused on tangible improvements; for example:
Addressing unsolvable problems
Allowing scope to creep beyond succinctly constructed problem statements
Equally important to optimizing this Standard is limiting focus to those supply chain risks that are specifically associated with a targeted supply chain attack. There is a clear difference between the variety of supply chain business risks (e.g., a supplier going out of business or selling a bad product) and those risks associated with a targeted supply chain attack (e.g., someone maliciously corrupting a component within a product being sold). Two of the principal targeted attack areas relate to tainted and counterfeit products. Suppliers and customers should rightly be concerned about these areas, and they are discussed in Chapter 3 of this Standard. A focus on best practices in these risk areas is likely to lead to the critical improvements that both buyers and sellers want, and an improved global market encompassing trustworthy suppliers and trustworthy products.