Information Technology Open Trusted Technology Provider™


INTERNATIONAL STANDARD

ISO/IEC 20243
First edition 2015-09-15

Information Technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products
Technologies de l’information — Norme de fournisseur de technologie de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits et malicieusement contaminés

Reference number ISO/IEC 20243:2015(E)
© ISO/IEC 2015


COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
[email protected]
www.iso.org


© ISO/IEC 2015 – All rights reserved


Contents
1 Introduction ........ 1
  1.1 Objectives ........ 1
  1.2 Overview ........ 1
  1.3 Conformance ........ 3
  1.4 Terminology ........ 3
  1.5 Future Directions ........ 4
2 Business Context and Overview ........ 5
  2.1 Business Environment Summary ........ 5
    2.1.1 Operational Scenario ........ 5
  2.2 Business Rationale ........ 7
    2.2.1 Business Drivers ........ 7
    2.2.2 Objectives and Benefits ........ 8
  2.3 Recognizing the COTS ICT Context ........ 9
  2.4 Overview ........ 11
    2.4.1 O-TTPF Framework Overview ........ 11
    2.4.2 Standard Overview ........ 11
    2.4.3 Relationship with Other Standards ........ 12
3 O-TTPS – Tainted and Counterfeit Risks ........ 13
4 O-TTPS – Requirements for Addressing the Risks of Tainted and Counterfeit Products ........ 15
  4.1 Technology Development ........ 16
    4.1.1 PD: Product Development/Engineering Method ........ 16
      4.1.1.1 PD_DES: Software/Firmware/Hardware Design Process ........ 16
      4.1.1.2 PD_CFM: Configuration Management ........ 17
      4.1.1.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices ........ 17
      4.1.1.4 PD_QAT: Quality and Test Management ........ 17
      4.1.1.5 PD_PSM: Product Sustainment Management ........ 18
    4.1.2 SE: Secure Development/Engineering Method ........ 18
      4.1.2.1 SE_TAM: Threat Analysis and Mitigation ........ 18
      4.1.2.2 SE_RTP: Run-time Protection Techniques ........ 19
      4.1.2.3 SE_VAR: Vulnerability Analysis and Response ........ 19
      4.1.2.4 SE_PPR: Product Patching and Remediation ........ 20
      4.1.2.5 SE_SEP: Secure Engineering Practices ........ 20
      4.1.2.6 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape ........ 20
  4.2 Supply Chain Security ........ 21
    4.2.1 SC: Supply Chain Security ........ 21
      4.2.1.1 SC_RSM: Risk Management ........ 21
      4.2.1.2 SC_PHS: Physical Security ........ 22
      4.2.1.3 SC_ACC: Access Controls ........ 22
      4.2.1.4 SC_ESS: Employee and Supplier Security and Integrity ........ 23
      4.2.1.5 SC_BPS: Business Partner Security ........ 23
      4.2.1.6 SC_STR: Supply Chain Security Training ........ 24
      4.2.1.7 SC_ISS: Information Systems Security ........ 24
      4.2.1.8 SC_TTC: Trusted Technology Components ........ 24
      4.2.1.9 SC_STH: Secure Transmission and Handling ........ 25
      4.2.1.10 SC_OSH: Open Source Handling ........ 25
      4.2.1.11 SC_CTM: Counterfeit Mitigation ........ 26
      4.2.1.12 SC_MAL: Malware Detection ........ 26

List of Tables
Table 1: O-TTPS Constituents and their Roles ........ 6
Table 2: Threat Mapping ........ 14

List of Figures
Figure 1: Constituents ........ 6
Figure 2: Product Life Cycle – Categories and Activities ........ 15

Open Trusted Technology Provider™ Standard (O-TTPS), Version 1.1


Open Group Standard (2014)


Preface

The Open Group
The Open Group is a global consortium that enables the achievement of business objectives through IT standards. With more than 400 member organizations, The Open Group has a diverse membership that spans all sectors of the IT community – customers, systems and solutions suppliers, tool vendors, integrators, and consultants, as well as academics and researchers – to:
• Capture, understand, and address current and emerging requirements, and establish policies and share best practices
• Facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies
• Offer a comprehensive set of services to enhance the operational efficiency of consortia
• Operate the industry’s premier certification service
Further information on The Open Group is available at www.opengroup.org.
The Open Group publishes a wide range of technical documentation, most of which is focused on development of Open Group Standards and Guides, but which also includes white papers, technical studies, certification and testing documentation, and business titles. Full details and a catalog are available at www.opengroup.org/bookstore.
Readers should note that updates – in the form of Corrigenda – may apply to any publication. This information is published at www.opengroup.org/corrigenda.

This Document
The Open Group Trusted Technology Forum (OTTF or Forum) is a global initiative that invites industry, government, and other interested participants to work together to evolve this Standard and other OTTF deliverables.
This Standard is the Open Trusted Technology Provider Standard (O-TTPS). The Standard has been developed by the OTTF and approved by The Open Group, through The Open Group Company Review process. There are two distinct elements that should be understood with respect to this Standard: the O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPF (Framework): The Framework is an evolving compendium of organizational guidelines and best practices relating to the integrity of Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products and the security of the supply chain throughout the entire product life cycle. An early version of the Framework was published as a White Paper in February 2011 (see Referenced Documents). The Framework serves as the basis for this Standard, future updates, and additional standards. The content of the Framework is the result of industry collaboration and research as to those commonly used commercially reasonable practices that increase product integrity and supply chain security. The members of the OTTF will continue to collaborate with industry and governments and update the Framework as the threat landscape changes and industry practices evolve.

The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that when properly adhered to have been shown to enhance the security of the global supply chain and the integrity of COTS ICT products. It provides a set of guidelines, requirements, and recommendations that help assure against maliciously tainted and counterfeit products throughout the COTS ICT product life cycle encompassing the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

Using the guidelines documented in the Framework as a basis, the OTTF is taking a phased approach and staging O-TTPS releases over time. This staging will consist of standards that focus on mitigating specific COTS ICT risks from emerging threats. As threats change or market needs evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to address specific threats or market needs.

The Standard is aimed at enhancing the integrity of COTS ICT products and helping customers to manage sourcing risk. The authors of this Standard recognize the value that it can bring to governments and commercial customers worldwide, particularly those who adopt procurement and sourcing strategies that reward those vendors who follow the O-TTPS best practice requirements and recommendations.

Note: Any reference to “providers” is intended to refer to COTS ICT providers. The use of the word “component” is intended to refer to either hardware or software components.

Intended Audience
This Standard is intended for organizations interested in helping the industry evolve to meet the threats in the delivery of trustworthy COTS ICT products. It is intended to provide enough context and information on business drivers to enable its audience to understand the value in adopting the guidelines, requirements, and recommendations specified within. It also allows providers, suppliers, and integrators to begin planning how to implement the Standard in their organizations. Additionally, acquirers and customers can begin recommending the adoption of the Standard to their providers and integrators.

Trademarks
ArchiMate®, DirecNet®, Jericho Forum®, Making Standards Work®, OpenPegasus®, The Open Group®, TOGAF®, and UNIX® are registered trademarks and Boundaryless Information Flow™, Build with Integrity Buy with Confidence™, Dependability Through Assuredness™, FACE™, Open Platform 3.0™, Open Trusted Technology Provider™, and The Open Group Certification Mark™ are trademarks of The Open Group. All other brands, company, and product names are used for identification purposes only and may be trademarks that are the sole property of their respective owners.


Acknowledgements

The Open Group acknowledges the contribution of the following people and organizations in the development of this Standard (presented in alphabetical order).
In particular we would like to provide a special thank you and acknowledgement to the Chair and Vice Chair of the OTTF: Andras Szakal, IBM (Chair) and Edna Conway, Cisco Systems (Vice Chair).
The contributing members of The Open Group Trusted Technology Forum (OTTF):

Contributor – Organization
Jon Amis – Dell, Inc.
Paul Aschwald – Hewlett-Packard Company (formerly of)
Nadya Bartol – Booz Allen Hamilton
James Bean – Juniper Networks
Kristen Baldwin – US DoD AT&L
Terry Blevins – MITRE
Joshua Brickman – CA Technologies
Stan Brown – CA Technologies
Ben Calloni – Lockheed Martin (formerly of)
Suresh Cheruserri – Tata Consultancy Services
YouHong (Robert) Chu – Kingdee Software
Erv Comer – Motorola Solutions
Erin Connor – Electronic Warfare Associates (EWA) – Canada Ltd. (formerly of)
Tammy Compton – SAIC
Edna Conway – Cisco Systems Inc., OTTF Vice-Chair
Don Davidson – DOD-CIO
Mary Ann Davidson – Oracle Corporation (formerly of)
Charles Dekle – US DoD AT&L
Terrie Diaz – Cisco Systems Inc.
Robert Dix – Juniper Networks
Holly Dunlap – Raytheon Company
Bob Ellison – SEI (formerly of)
Marcus Fedeli – NASA
Luke Forsyth – CA Technologies
Susan Fultz – Hewlett-Packard Company (formerly of)
Steve Goldberg – Motorola Solutions
Tim Hahn – IBM Corporation
Wes Higaki – Apex Assurance Group (formerly of)
Ken Hong Fong – US DoD AT&L
Helmut Kurth – atsec information security
Mike Lai – Microsoft Corporation
David Ling – Hewlett-Packard Company
Steve Lipner – Microsoft Corporation, O-TTPF Work Stream Co-Chair
Dr. David McQueeney – IBM Corporation
Jim Mann – Hewlett-Packard Company
Al Marshall – NASA
Michele Moss – Booz-Allen Hamilton
Shawn Mullen – IBM Corporation
Fiona Pattinson – atsec information security
Brendan Peter – CA Technologies
Glenn Pittaway – Microsoft Corporation
Andy Purdy – Huawei Technologies
Dan Reddy – EMC Corporation
Karen Richter – IDA
Jim Robinson – Hewlett-Packard Company (formerly of)
Hart Rossman – SAIC (formerly of)
Mark Schiller – Hewlett-Packard Company
Thomas Stickels – MITRE
Andras R. Szakal – IBM Corporation, OTTF Chair and O-TTPF Work Stream Co-Chair
Steve Whitlock – The Boeing Company
Jim Whitmore – IBM Corporation
Robert Williamson – SAIC
Eric Winterton – Booz Allen Hamilton
Joanne Woytek – NASA
Chee Wai Foong – Cisco Systems Inc.


The individuals providing early contributions to this work:

Contributor – Organization
Randy Barr – Qualys
Rance DeLong – LynuxWorks (formerly of)
Chris Fagan – Microsoft Corporation
Rob Hoffman – High Assurance Systems, Inc. (formerly of)
Dave McDermitt – SAIC (formerly of)
Terry Morgan – Cisco Systems Inc.
Paul Nicholas – Microsoft Corporation (formerly of)
Kerri Patterson – Cisco Systems Inc.
Steve Venema – The Boeing Company
Larry Wagoner – NSA

The Open Group staff:

Name – Role
James Andrews – The Open Group Conformance Quality Manager
Joe Bergmann – Open Group Government Relations, Director, RT&ES
James de Raeve – VP Certification
Cathy Fox – Technical Editor
Jim Hietala – VP Security
Andrew Josey – Director, Standards
Sally Long – Director, The Open Group Trusted Technology Forum (OTTF)
Dave Lounsbury – Chief Technical Officer
