ISO/IEC 20243:2015 Information Technology - Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products

Format: PDF, 46 pages, 3.99 MB. The text below is the extracted preview of the standard's front matter and the start of Chapter 1; the extract ends mid-list in Section 1.2.
Information Technology - Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products

Technologies de l'information - Norme de fournisseur de technologie de confiance ouverte (O-TTPS) - Atténuation des produits contrefaits et malicieusement contaminés

INTERNATIONAL STANDARD ISO/IEC 20243
Reference number ISO/IEC 20243:2015(E)
First edition 2015-09-15
© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Open Trusted Technology Provider Standard (O-TTPS), Version 1.1
Open Group Standard (2014)

Contents

1 Introduction
1.1 Objectives
1.2 Overview
1.3 Conformance
1.4 Terminology
1.5 Future Directions
2 Business Context and Overview
2.1 Business Environment Summary
2.1.1 Operational Scenario
2.2 Business Rationale
2.2.1 Business Drivers
2.2.2 Objectives and Benefits
2.3 Recognizing the COTS ICT Context
2.4 Overview
2.4.1 O-TTPF Framework Overview
2.4.2 Standard Overview
2.4.3 Relationship with Other Standards
3 O-TTPS Tainted and Counterfeit Risks
4 O-TTPS Requirements for Addressing the Risks of Tainted and Counterfeit Products
4.1 Technology Development
4.1.1 PD: Product Development/Engineering Method
4.1.1.1 PD_DES: Software/Firmware/Hardware Design Process
4.1.1.2 PD_CFM: Configuration Management
4.1.1.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices
4.1.1.4 PD_QAT: Quality and Test Management
4.1.1.5 PD_PSM: Product Sustainment Management
4.1.2 SE: Secure Development/Engineering Method
4.1.2.1 SE_TAM: Threat Analysis and Mitigation
4.1.2.2 SE_RTP: Run-time Protection Techniques
4.1.2.3 SE_VAR: Vulnerability Analysis and Response
4.1.2.4 SE_PPR: Product Patching and Remediation
4.1.2.5 SE_SEP: Secure Engineering Practices
4.1.2.6 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape
4.2 Supply Chain Security
4.2.1 SC: Supply Chain Security
4.2.1.1 SC_RSM: Risk Management
4.2.1.2 SC_PHS: Physical Security
4.2.1.3 SC_ACC: Access Controls
4.2.1.4 SC_ESS: Employee and Supplier Security and Integrity
4.2.1.5 SC_BPS: Business Partner Security
4.2.1.6 SC_STR: Supply Chain Security Training
4.2.1.7 SC_ISS: Information Systems Security
4.2.1.8 SC_TTC: Trusted Technology Components
4.2.1.9 SC_STH: Secure Transmission and Handling
4.2.1.10 SC_OSH: Open Source Handling
4.2.1.11 SC_CTM: Counterfeit Mitigation
4.2.1.12 SC_MAL: Malware Detection

List of Tables
Table 1: O-TTPS Constituents and their Roles
Table 2: Threat Mapping

List of Figures
Figure 1: Constituents
Figure 2: Product Life Cycle Categories and Activities

Preface

The Open Group

The Open Group is a global consortium that enables the achievement of business objectives through IT standards. With more than 400 member organizations, The Open Group has a diverse membership that spans all sectors of the IT community (customers, systems and solutions suppliers, tool vendors, integrators, and consultants, as well as academics and researchers) to:
- Capture, understand, and address current and emerging requirements, and establish policies and share best practices
- Facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies
- Offer a comprehensive set of services to enhance the operational efficiency of consortia
- Operate the industry's premier certification service

Further information on The Open Group is available at www.opengroup.org.

The Open Group publishes a wide range of technical documentation, most of which is focused on development of Open Group Standards and Guides, but which also includes white papers, technical studies, certification and testing documentation, and business titles. Full details and a catalog are available at www.opengroup.org/bookstore.

Readers should note that updates in the form of Corrigenda may apply to any publication. This information is published at www.opengroup.org/corrigenda.

This Document

The Open Group Trusted Technology Forum (OTTF or Forum) is a global initiative that invites industry, government, and other interested participants to work together to evolve this Standard and other OTTF deliverables. This Standard is the Open Trusted Technology Provider Standard (O-TTPS). The Standard has been developed by the OTTF and approved by The Open Group, through The Open Group Company Review process.

There are two distinct elements that should be understood with respect to this Standard: the O-TTPF (Framework) and the O-TTPS (Standard).

The O-TTPF (Framework): The Framework is an evolving compendium of organizational guidelines and best practices relating to the integrity of Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products and the security of the supply chain throughout the entire product life cycle. An early version of the Framework was published as a White Paper in February 2011 (see Referenced Documents). The Framework serves as the basis for this Standard, future updates, and additional standards. The content of the Framework is the result of industry collaboration and research as to those commonly used, commercially reasonable practices that increase product integrity and supply chain security. The members of the OTTF will continue to collaborate with industry and governments and update the Framework as the threat landscape changes and industry practices evolve.

The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that, when properly adhered to, have been shown to enhance the security of the global supply chain and the integrity of COTS ICT products. It provides a set of guidelines, requirements, and recommendations that help assure against maliciously tainted and counterfeit products throughout the COTS ICT product life cycle, encompassing the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

Using the guidelines documented in the Framework as a basis, the OTTF is taking a phased approach and staging O-TTPS releases over time. This staging will consist of standards that focus on mitigating specific COTS ICT risks from emerging threats. As threats change or market needs evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to address specific threats or market needs.

The Standard is aimed at enhancing the integrity of COTS ICT products and helping customers to manage sourcing risk. The authors of this Standard recognize the value that it can bring to governments and commercial customers worldwide, particularly those who adopt procurement and sourcing strategies that reward those vendors who follow the O-TTPS best practice requirements and recommendations.

Note: Any reference to "providers" is intended to refer to COTS ICT providers. The use of the word "component" is intended to refer to either hardware or software components.

Intended Audience

This Standard is intended for organizations interested in helping the industry evolve to meet the threats in the delivery of trustworthy COTS ICT products. It is intended to provide enough context and information on business drivers to enable its audience to understand the value in adopting the guidelines, requirements, and recommendations specified within. It also allows providers, suppliers, and integrators to begin planning how to implement the Standard in their organizations. Additionally, acquirers and customers can begin recommending the adoption of the Standard to their providers and integrators.

Trademarks

ArchiMate, DirecNet, Jericho Forum, Making Standards Work, OpenPegasus, The Open Group, TOGAF, and UNIX are registered trademarks, and Boundaryless Information Flow, Build with Integrity Buy with Confidence, Dependability Through Assuredness, FACE, Open Platform 3.0, Open Trusted Technology Provider, and The Open Group Certification Mark are trademarks of The Open Group. All other brands, company, and product names are used for identification purposes only and may be trademarks that are the sole property of their respective owners.

Acknowledgements

The Open Group acknowledges the contribution of the following people and organizations in the development of this Standard (presented in alphabetical order). In particular we would like to provide a special thank you and acknowledgement to the Chair and Vice Chair of the OTTF: Andras Szakal, IBM (Chair) and Edna Conway, Cisco Systems (Vice Chair).

The contributing members of The Open Group Trusted Technology Forum (OTTF):

Contributor, Organization
Jon Amis, Dell, Inc.
Paul Aschwald, Hewlett-Packard Company
Nadya Bartol, (formerly of) Booz Allen Hamilton
James Bean, Juniper Networks
Kristen Baldwin, US DoD
[…]

Referenced Documents

[…] AT findings and recommendations located at: www.acq.osd.mil/dsb/reports/ADA486949.pdf.
Electronic Industry Citizenship Coalition (EICC) Code of Conduct; refer to: www.eicc.info.
ISO/IEC 15408: Information Technology - Security Techniques - Evaluation Criteria for IT Security (Common Criteria).
ISO/IEC 27000:2009: Information Technology - Security Techniques - Information Security Management Systems - Overview and Vocabulary.
ISO/IEC Directives, Part 2: Rules for the Structure and Drafting of International Standards.
NIST 800-12: An Introduction to Computer Security: The NIST Handbook.
White Paper: Open Trusted Technology Provider Framework (O-TTPF), W113, published by The Open Group, February 2011; refer to: www.opengroup.org/bookstore/catalog/w113.htm.

1 Introduction

This chapter introduces this Standard, the Open Trusted Technology Provider Standard (O-TTPS), and the normative terminology that should be understood in relation to specific requirements and recommendations found in Chapter 4 of this document.

1.1 Objectives

The Open Trusted Technology Provider Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that, when practically applied, create a business benefit in terms of reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer. Documenting best practices that have been taken from the experience of mature industry providers, rigorously reviewed through a consensus process, and established as requirements and recommendations in this Standard, can provide significant advantage in establishing a basis to reduce risk. A commitment by technology providers, large and small, suppliers of hardware and software components, and integrators to adopt this Standard is a commitment to using specific methodologies to assure the integrity of their hardware or software Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products. This Standard is detailed and prescriptive enough to be useful in raising the bar for all providers and lends itself to an accreditation process to provide assurance that it is being followed in a meaningful and repeatable manner.

1.2 Overview

This Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This initial release of the Standard addresses threats related to maliciously tainted and counterfeit products. The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

While this Standard cannot fully address threats that originate wholly outside any span of control of the provider (for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM)), the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.

The two major threats that acquirers face today in their COTS ICT procurements, as addressed in this Standard, are defined as:
1. Maliciously tainted product: the product is produced by the provider and is acquired through a provider's authorized channel, but has been tampered with maliciously.

