O-TTPS for ICT Product Integrity and Supply Chain Security
A management guide
Paperback Engels 2017 9789401800921Samenvatting
This Management Guide provides guidance on why a technology provider should use the Open Trusted Technology Provider Standard (O-TTPS) - Mitigating the Risk of Tainted and Counterfeit Products (approved by ISO/IEC as ISO/IEC 20243:2015) and why they should consider certification to publicly register their conformance to the standard.
The O-TTPS is the first standard with a certification program that specifies measurable conformance criteria for both product integrity and supply chain security practices. The standard defines a set of best practices that ICT providers should follow throughout the full life cycle of their products from design through disposal, including their supply chains, in order to mitigate the risk of tainted and counterfeit components.
The introduction of tainted products into the supply chain poses significant risk to organizations because altered products can introduce the possibility of untracked malicious behavior. A compromised electronic component or piece of malware enabled software that lies dormant and undetected within an organization could cause tremendous damage if activated remotely. Counterfeit products can also cause significant damage to customers and providers resulting in rogue functionality, failed or inferior products, or revenue and brand equity loss.
As a result, customers now need assurances they are buying from trusted technology providers who follow best practices with their own in-house secure development and engineering practices and also in securing their out-sourced components and their supply chains.
This guide offers an approach to providing those assurances to customers. It includes the requirements from the standard and an overview of the certification process, with pointers to the relevant supporting documents, offering a practical introduction to executives, managers, and those involved directly in implementing the best practices defined in the standard.
As the certification program is open to all constituents involved in a product's life cycle this guide should be of interest to:
- ICT provider companies (e.g. OEMs, hardware and software component suppliers, value-add distributors, and resellers)
- Business managers, procurement managers, product managers and other individuals who want to better understand product integrity and supply chain security risks and how to protect against those risks
- Government and commercial customers concerned about reducing the risk of damage to their business enterprises and critical infrastructures, which all depend heavily on secure ICT for their day-to-day operations
Specificaties
Lezersrecensies
Inhoudsopgave
1.1 Executive Summary 1
1.2 Th reats and Risks 4
1.2.1 Risk Lies in Complexity, Including the Global Economy 4
1.2.2 Maliciously Tainted and Counterfeit Components 5
1.3 Background 6
1.4 Introduction to the Standard and the O-TTPS Certification Program 7
1.5 Business Rationale for Becoming an Open Trusted Technology Provider 9
2. The Standard 11
2.1 Technology Development 12
2.1.1 PD: Product Development/Engineering Method 12
2.1.2 SE: Secure Development/Engineering Method 13
2.2 Supply Chain Security 13
2.2.1 SC: Supply Chain Security 13
3. Organizing and Preparing for Certification 15
3.1 Preparing for Certification 15
3.1.1 Organizational Impact 15
3.1.2 Mapping Internal Policies and Practices to the Standard 17
3.1.3 Closing Gaps in Conformance 18
3.1.4 Preparing for the Assessment 18
4. The Certification Process 23
5. Self-Assessed Certification Process 27
5.1 Major Phases of Self-Assessed Certification 28
5.1.1 Phase 1: Preparing for Self-Assessed Certification 28
5.1.2 Phase 2: Performing the Assessment within the Self-Assessed Tier 28
5.1.3 Phase 3: Registering for Certification with the Certification Authority 30
5.1.4 Phase 4: Finalization by the Certification Authority 30
6. Third-Party Assessed Certification Process 31
6.1 Major Phases of the Third-Party Assessment 31
6.1.1 Phase 1: Preparing for Third-Party Assessed Certification 32
6.1.2 Phase 2: Completing the ISCA Document 34
6.1.3 Phase 3: Completing the Certification Package 36
6.1.4 Phase 4: Performing the Third-Party Assessment 37
6.1.5 Phase 5: Validation and Finalization by the Certification Authority 38
7. Summary of the Certification Steps 41
7.1 Certification Steps for Self-Assessed Tier 41
7.1.1 Preparation for Certification 41
7.1.2 Organization Conducts Self-Assessment 41
7.1.3 Registering for Certification 41
7.1.4 Completing the Conformance Statement Questionnaire 42
7.1.5 Certification Authority Reviews the Conformance Statement 42
7.1.6 Organization Signs Trademark License Agreement 43
7.1.7 Certification Awarded 43
7.2 Certification Steps for Third-Party Assessed Tier 43
7.2.1 Preparation for Certification 43
7.2.2 Registering for Certification 43
7.2.3 Completing the Conformance Statement Questionnaire 44
7.2.4 Completing the ISCA Document 44
7.2.5 Certification Authority Reviews and Approves the Conformance Statement and ISCA Document 45
7.2.6 Organization Selects an O-TTPS Recognized Assessor 45
7.2.7 Organization Prepares Certification Package 46
7.2.8 Assessor Performs the Assessment 46
7.2.9 Assessor Recommends Certification 46
7.2.10 Certification Authority Reviews the Certification Package Document 47
7.2.11 Organization Signs Trademark License Agreement 47
7.2.12 Certification Awarded 47
A: O-TTPS Requirements 49
A.1 Introduction 49
A.2 Terminology 49
A.3 Requirements and Recommendations 50
A.4 Technology Development 51
A.4.1 PD: Product Development/Engineering Method 52
A.4.2 SE: Secure Development/Engineering Method 54
A.5 Supply Chain Security 57
A.5.1 SC: Supply Chain Security 58
B: Additional Resources 66
B.1 Frequently Asked Questions 66
B.2 Case Study 66
Index 67
Rubrieken
- Advisering
- Algemeen management
- Coaching en trainen
- Communicatie en media
- Economie
- Financieel management
- Inkoop en logistiek
- Internet en social media
- IT-management / ICT
- Juridisch
- Leiderschap
- Marketing
- Mens en maatschappij
- Non-profit
- Ondernemen
- Organisatiekunde
- Personal finance
- Personeelsmanagement
- Persoonlijke effectiviteit
- Projectmanagement
- Psychologie
- Reclame en verkoop
- Strategisch management
- Verandermanagement
- Werk en loopbaan
