O-TTPS: for ICT Product Integrity and Supply Chain Security – A Management Guide
eBook - ePub

  • 82 pages
  • English
  • ePUB (mobile friendly)

About this book

This Management Guide provides guidance on why a technology provider should use the Open Trusted Technology Provider Standard (O-TTPS) – Mitigating the Risk of Tainted and Counterfeit Products (approved by ISO/IEC as ISO/IEC 20243:2015) and why they should consider certification to publicly register their conformance to the standard. The O-TTPS is the first standard with a certification program that specifies measurable conformance criteria for both product integrity and supply chain security practices. The standard defines a set of best practices that ICT providers should follow throughout the full life cycle of their products, from design through disposal, including their supply chains, in order to mitigate the risk of tainted and counterfeit components. The introduction of tainted products into the supply chain poses significant risk to organizations because altered products can introduce the possibility of untracked malicious behavior. A compromised electronic component or piece of malware-enabled software that lies dormant and undetected within an organization could cause tremendous damage if activated remotely. Counterfeit products can also cause significant damage to customers and providers, resulting in rogue functionality, failed or inferior products, or revenue and brand equity loss. As a result, customers now need assurances that they are buying from trusted technology providers who follow best practices in their own in-house secure development and engineering practices and also in securing their outsourced components and their supply chains. This guide offers an approach to providing those assurances to customers. It includes the requirements from the standard and an overview of the certification process, with pointers to the relevant supporting documents, offering a practical introduction to executives, managers, and those involved directly in implementing the best practices defined in the standard.
As the certification program is open to all constituents involved in a product's life cycle, this guide should be of interest to:
• ICT provider companies (e.g. OEMs, hardware and software component suppliers, value-add distributors, and resellers)
• Business managers, procurement managers, product managers, and other individuals who want to better understand product integrity and supply chain security risks and how to protect against those risks
• Government and commercial customers concerned about reducing the risk of damage to their business enterprises and critical infrastructures, which all depend heavily on secure ICT for their day-to-day operations

Author: Sally Long (available in PDF and ePUB format)

Information

This document is intended for business managers, procurement managers, program managers, and other individuals who want to better understand product integrity and supply chain security information and communication technology (ICT) risks and how to protect their organization against those risks. It offers an approach toward mitigating those risks that has emerged through industry consensus, and which has been designed specifically for ICT providers.
This chapter provides an introduction to the adoption of the Open Trusted Technology Provider™ Standard – Mitigating the Risk of Maliciously Tainted and Counterfeit Products (O-TTPS), which was approved as ISO/IEC 20243:2015, and the O-TTPS Certification Program that helps assure conformance to the Standard. It also offers insight into the threats and risks that drive the need for this approach and the business rationale for adoption.
Topics addressed in this chapter include:
• Executive Summary
• Threats and Risks
• Background
• Introduction to the Standard and the O-TTPS Certification Program
• Business Rationale for Becoming an Open Trusted Technology Provider
Note: If the reader is already familiar with the cybersecurity and supply chain risks and the benefits of the O-TTPS approach, and prefers to understand better what the Certification Program entails and how to prepare for the Program, then please refer to Chapter 2 through Chapter 7.

1.1 Executive Summary

In today’s world, customers recognize their ever-increasing reliance on ICT to deliver mission-critical operations. They are cognizant and appreciative of the benefits of globalization in ICT, but are equally aware of the cybersecurity risks that come with worldwide development and global supply chains: counterfeit or maliciously tainted products that could damage their business environments, their mission-critical operations, and the users who depend on them.
Likewise, providers are keenly aware of the challenges related to building in product integrity and supply chain security during the development, and throughout the life cycle, of their products. In today’s global world, information technology supply chains depend on complex and inter-related networks of component suppliers across a wide range of global partners. Suppliers deliver hardware and software components to Original Equipment Manufacturers (OEMs) and Original Design Manufacturers (ODMs), who build products from the components and in turn deliver products to customers directly, through a value-add reseller (who may add even more components), or to system integrators who integrate them with products from multiple providers at a customer site. This complexity leaves ample opportunity for malicious components to enter the supply chain and to leave behind vulnerabilities that can later be exploited.
The introduction of tainted products into the supply chain can pose significant risk to organizations because altered products can introduce the possibility of untracked malicious behavior. A compromised electronic component or piece of software that lies dormant and undetected within an organization could cause tremendous damage if activated remotely. Counterfeit products can also cause significant damage to customers and providers resulting in rogue functionality, failed or inferior products, or revenue and brand equity loss. As a result, customers now need assurances that they are buying from trusted technology providers who follow best practices with their own in-house secure development and engineering practices but also in securing their supply chains.
One approach to providing those assurances calls for leveraging the O-TTPS, an international standard for both establishing and maintaining product integrity and supply chain security, along with its accompanying Certification Program. The Standard is the first standard aimed at assuring both the integrity of COTS ICT products and the security of their supply chains. It is also the first standard with a Certification Program that specifies measurable conformance criteria for product integrity and supply chain security practices.
The Standard defines a set of best practices for COTS ICT providers to mitigate the risk of maliciously tainted and counterfeit components from being incorporated into any phase of a product’s life cycle. This encompasses design, sourcing, build, fulfillment, distribution, sustainment, and disposal. The best practices apply to in-house development, outsourced development and manufacturing, and to global supply chains. It is not intended to satisfy all supply chain security and secure engineering questions, but it represents an important, foundational level of assurance based on proven and consistent practices.
The O-TTPS Certification Program, which is process-based and assures conformance to the best practices defined in the Standard, is applicable to all ICT providers in the chain: OEMs, ODMs, integrators, hardware and software component suppliers, value-add distributors, and resellers. When an applicant is certified for conformance, the applicant is granted the use of the Certification Logo and Trademark; the certification is acknowledged on a public registry; and the certified organization is identified as an Open Trusted Technology Provider, a mark that will resonate with technology customers and stakeholders.
When an organization is considering applying for certification, there are two major options to consider: the Scope of Certification and the tier of certification for which they will apply. An organization can choose between a Self-Assessed tier or a Third-Party Assessed tier.
Both tiers are backed by a warranty of conformance between The Open Group and the organization. Companies seeking certification need to understand the process and their obligations related to the Trademark License Agreement, the Certification Policy, and the Certification Agreement, in warranting conformance to the Standard in accordance with their chosen Scope of Certification.
The chief benefit of becoming an Open Trusted Technology Provider is that it helps providers “Build with Integrity” so that buyers can “Buy with Confidence”. Achieving certification can ensure a level of protection that mitigates product and supply chain risks to customers while offering an ICT provider a means of demonstrating adherence to best practices to their stakeholders and customers, thus acting as a market differentiator. The technology providers who are certified and listed on the public registry assure customers acquiring COTS ICT that they are conformant to the best practices requirements defined in the Standard and will remain conformant, or they will be removed from the registry. By being certified as an Open Trusted Technology Provider a provider can more clearly articulate its security posture to its customers, who often contend with competing providers who assert that they meet a variety of inconsistent security requirements when responding to technology procurements.
Additionally, a provider could reduce its internal costs by adopting common requirements from the O-TTPS, which can be measured objectively. This can encourage companies to move away from custom requirements toward a consistent, recognized industry baseline.
This Management Guide highlights the risks associated with a global economy and global supply chains and the benefits for addressing those risks through international standards and vendor-neutral conformance programs. It offers additional details on the Standard and how to prepare for certification.

1.2 Threats and Risks

This section provides an introduction to some of the threats that drive the need for mitigating the risk of taint and counterfeit components from ICT products.

1.2.1 Risk Lies in Complexity, Including the Global Economy

Most thoughtful and sophisticated ICT customers and providers manage the security of their organizations based on risk. They consider the risk based on the threats, the vulnerabilities, the potential impact of cyber attacks, the likelihood of them occurring, and the best methods to manage those risks. As cyber attacks increase in sophistication, stealth, and severity, governments and larger enterprises have begun to take a more comprehensive and insistent view of the criticality of risk management and product assurance. Unfortunately, we are exposed to cyber attacks with increasing regularity. In addition to enhancing information security by improving security practices across the enterprise, governments and enterprises have begun including in their assessment of risk the risk from suppliers and third-party providers, which is directly related to the practices IT providers use to ensure the security and protect the integrity of their products as they move through the complex global supply chain. It is often not economically feasible – nor does it in any way eliminate supplier risk – to simply restrict ICT acquisition based on geographical preferences. The key from a risk management perspective is to examine these providers’ global organizational practices as components and products are developed, manufactured, and delivered throughout the world regardless of country of origin or destination.

1.2.2 Maliciously Tainted and Counterfeit Components

Maliciously tainted products pose significant security risks. For example, they could allow unauthorized access to sensitive corporate data, including potential theft of intellectual property, or allow attackers to take control of the organization’s cyber assets for any number of malicious purposes. Normal functional testing is often ineffective in uncovering sophisticated exploits. One risk is that high quality, malicious software or malware-enabled counterfeit components may lie dormant and undetected for long periods until the attacker chooses to launch the malevolent feature.
Like maliciously tainted components, counterfeit products can also cause significant damage to customers and providers, resulting in rogue functionality, failed or inferior products, revenue and brand equity loss, compromised data, and the disclosure or theft of intellectual property. With the complex make-up of today’s global supply chain comes the risk of more sophisticated maliciously tainted or high-quality counterfeit parts making their way into operational environments. Thus, a compromised or maliciously designed electronic component or piece of software, with otherwise normal functionality, could cause tremendous damage when activated by a triggering event, or under conditions imposed by the attacker.
A risk-based approach to acquisition of ICT will not perfectly eliminate risk but will allow the enterprise to manage it pursuant to the organization’s risk posture. The threats of exploitation of vulnerabilities in software, and compromising hardware through counterfeits, can be mitigated by technology providers responsibly following recognized, independently confirmed best practices. This means that it is imperative for buyers of ICT to make their acquisitions from providers who follow secure development and engineering practices in-house while developing their own products, but who also follow best practices to secure their supply chains.
Government and critical infrastructure organizations have expressed interest in understanding how providers manage the risks inherent in globalized product development and manufacturing and are asking the following questions:
• How can ICT customers and providers manage this risk in an efficient and cost-effective manner?
• What are the foundational practices that should be required to offer assurance as a baseline?
• Where can customers find an international standard that has been vetted as practical and effective?
• Is there a standard that has measurable conformance criteria to mitigate cyber and technology development and supply chain security risks?
The Standard and the O-TTPS Certification Program discussed in this Management Guide provide the answer to some of those important questions.

1.3 Background

For some time customers, including governments, have been moving away from building their own customized systems and products for higher assurance, and are instead using more COTS ICT products, typically because they are better, less expensive, widely available, more reliable, and fit for necessary purposes. This naturally introduces a greater risk of maliciously tainted or counterfeit elements than when development and production are done in-house.
This paradigm shift led to some initial roundtable discussions with government and industry to explore what it would take to be able to identify trusted technology providers and their COTS ICT products. These discussions spawned the creation of an ad hoc working group, which in 2010 transitioned to oversight by The Open Group as The Open Group Trusted Technology Forum (OTTF) (the Forum). The development of the Standard and Certification Program is the result of work by the Forum, which is an organized collaboration among representatives from government, academia, and the IT industry. The Forum members, which include representatives from numerous industry leaders – that both cooperate and compete – set out to develop a systematic approach to address the risks articulated above. The Forum worked for several years to identify and share their effective practices for product integrity, product development, and supply chain securi...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. 1 Introduction
  6. 2 The Standard
  7. 3 Organizing and Preparing for Certification
  8. 4 The Certification Process
  9. 5 Self-Assessed Certification Process
  10. 6 Third-Party Assessed Certification Process
  11. 7 Summary of the Certification Steps
  12. A O-TTPS Requirements
  13. B Additional Resources
  14. Index