Open Trusted Technology Provider Standard: Difference between revisions

Danreddy (talk | contribs)
Making more neutral
Line 9:
 
<!-- EDIT BELOW THIS LINE -->
The Open Trusted Technology Provider™ Standard (O-TTPS) (''Mitigating Maliciously Tainted and Counterfeit Products'') is a standard of [[The Open Group]], that has also been approved for publication as a standard of the [[International Organization for Standardization]] and the [[International Electrotechnical Commission]] through [[ISO/IEC JTC 1]] and is now also known as ISO/IEC 20243 <ref>{{cite web|title=ISO/IEC 20243:2015|url=http://www.iso.org/iso/catalogue_detail.htm?csnumber=67394|website=ISO.org|publisher=ISO.org|accessdate=24 September 2015}}</ref>. ItThe standard consists of a set of guidelines, requirements, and recommendations that align with [[best practice]]s for the security of the global supply chain and the integrity of [[commercial off-the-shelf]] (COTS) [[information and communication technology]] (ICT) products. Version 1.1 is the latest version of the standard.

This standard was built by technology industry and consumer members of [[The_Open_Group| The Open Group's Trusted Technology Forum]] (OTTF)<ref>{{cite web|title=Open Group Trusted Technology Forum|url=http://opengroup.org/subjectareas/trusted-technology|website=opengroup.org|publisher=The Open Group|accessdate=11 May 2015}}</ref>.
 
The standard focuses on organizational practices that, according to The Open Group, may, when properly adhered to, provide assurance against maliciously tainted and counterfeit products throughout the COTS ICT product life cycle. The life cycle described in the standard encompasses the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. The current version of standard may be downloaded from the Open Group's publication library<ref>{{cite web|title=Open Group's Publication Library|url=https://www2.opengroup.org/ogsys/catalog/C147|website=opengroup.org|publisher=The Open Group|accessdate=22 June 2015}}</ref>
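Review bot: Citation placement is inconsistent in this hunk: in the lead paragraph the ISO/IEC 20243 reference sits before the full stop ("ISO/IEC 20243 <ref>…</ref>."), whereas every other reference on the page follows its punctuation, and the final sentence of the life-cycle paragraph ends on the "Open Group's Publication Library" reference with no full stop at all. Suggest "…known as ISO/IEC 20243.<ref>…</ref>" and "…from the Open Group's publication library.<ref>…</ref>" so the sentence boundaries stay clear around the refs. The rest of the hunk, the "ItThe standard" replacement and the list of life-cycle phases (design, sourcing, build, fulfillment, distribution, sustainment, disposal), reads fine.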
Line 16 ⟶ 18:
== Background ==
 
The O-TTPS was writtendeveloped in response to a changing landscape and the increased sophistication of cybersecurity attacks worldwide, as well as increased risks for product vulnerability across the supply chain due to the changing threat landscape.<ref name="United States House of Representatives Commerce and Energy Committee">{{cite web|title=IT Supply Chain Security: Review of Government and Industry Efforts|url=http://energycommerce.house.gov/hearing/it-supply-chain-security-review-government-and-industry-efforts|publisher=US House of Representatives|archivedate=27 March 2012}}</ref> The intent is to help providers build products with integrity and to enable their customers to have more confidence in the technology products they buy.<ref>{{cite web|author1=Messmer, Ellen|title=Defense Department wants secure, global high-tech supply chain|url=http://www.networkworld.com/article/2196759/malware-cybercrime/defense-department-wants-secure--global-high-tech-supply-chain.html|website=networkworld.com|publisher=IDG (International Data Group)|accessdate=30 March 2015|archivedate=15 December 2010}}</ref> Private and public sector organizations rely largely on COTS ICT products to run their operations. 
These products are often produced globally, with processes like design, development and manufacturing taking place inat different locationssites acrossin themultiple globecountries.<ref>{{cite news|last1=Lennon|first1=Mike|title=USCC Releases Report on Chinese Capabilities for Cyber Operations and Cyber Espionage|url=http://www.securityweek.com/uscc-commissioner-cyberattacks-getting-harder-chinas-leaders-claim-ignorance|accessdate=25 January 2016|work=Security Week|issue=9 March 2012|publisher=Wired Business Media|date=9 March 2012}}</ref>With increasedThe securityOTTP-S threatsis worldwide, ICT providers needdesigned to showmitigate thatthe theirrisk productof organizationscounterfeit canand acttainted to reduce defectscomponents and vulnerabilitiesto inhelp theirassure productsproduct whileintegrity ensuring the security of theirand supply chainschain andsecurity reducingthroughout the risklifecycle of counterfeitthe and tainted productsproduct. <ref>{{cite web|title=Cybersecurity: An Examination of the Communications Supply Chain (testimony before Committee on Energy and Commerce Subcommittee on Communications and Technology U.S. House of Representatives|url=http://www.itic.org/dotAsset/3/a/3a48cdde-f1e5-4080-9773-315bf14a5142.pdf|publisher=Information Technology Industry Council|accessdate=24 September 2015}}</ref><ref>{{cite news|last1=Prince|first1=Brian|title=Consortium Pushes Security Standards for Technology Supply Chain|url=http://www.securityweek.com/consortium-pushes-security-standards-technology-supply-chain|accessdate=25 January 2016|work=SecurityWeek|issue=March 5, 2012|publisher=Wired Business Media|date=5 March 2012}}</ref>
 
[[The_Open_Group| The Open Group's Trusted Technology Forum]] (OTTF) is a vendor-neutral international forum that uses a formal consensus based process for collaboration and decision making on the creation of standards and certification programs for information technology, including the O-TTPS. In the forum, ICT providers, integrators and distributors work with organizations and governments to develop standards that specify secure engineering and manufacturing methods along with supply chain security practices.<ref>{{cite web|url=http://opengroup.org/subjectareas/trusted-technology|title=Open Group Trusted Technology Forum|website=opengroup.org|publisher=The Open Group|accessdate=11 May 2015}}</ref>
 
The Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain[13] provides mapping between The National Institute for Standards and Technology (NIST) Cybersecurity Framework and related organizational practices listed in the O-TTPS.    
 
The Forum has published an Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain<ref>{{cite web|url=http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm|title=Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain|website=NIST.Gov cybersecurity industry resources|publisher=The Open Group|accessdate=24 September 2015}}</ref> that The [[National Institute for Standards and Technology]] (NIST) lists as a cybersecurity industry resource. The document provides mapping between the NIST Cybersecurity Framework<ref>{{cite web|url=http://www.nist.gov/cyberframework/|title=Cybersecurity Framework|website=NIST.Gov|publisher=NIST.Gov|accessdate=24 September 2015}}</ref> and related organizational practices listed in the O-TTPS.
 
.The OTTF is managed like other forums in The Open Group using a formal consensus based process for building, publishing and managing its work. The OTTF aims to provide a vendor-neutral forum for technology and communications providers, integrators and distributors to work with customers and governments to develop standards that information technology providers can use to evaluate their engineering and manufacturing methods that enhance the security of global supply chains and the integrity of COTS ICT products. Membership in The Open Group is not required to download and use the O-TTPS or to seek compliance against the standard, but an organization must be a member of the OTTF to contribute to and vote on the work of the forum. <ref>{{cite web|title=Membership|url=http://www.opengroup.org/getinvolved/becomeamember|publisher=opengroup.org}}</ref>
 
== Purpose ==
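Review bot: The Implementation Guide paragraph is present twice inside this hunk: once as "The Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain[13] provides mapping…", where "[13]" is a bare numeric marker that does not resolve to any <ref> on the page, and again immediately below with full <ref> tags for both the guide and the NIST Cybersecurity Framework. Keep only the tagged version and drop the "[13]" line. Two smaller points in the same hunk: the paragraph beginning ".The OTTF is managed like other forums…" starts with a stray full stop and restates the vendor-neutral, consensus-based description already given two paragraphs earlier, so it could be folded into that paragraph, leaving the membership sentence ("Membership in The Open Group is not required to download and use the O-TTPS…") as the new information; and the "USCC Releases Report…" reference in the Background paragraph runs straight into the next sentence with no space after </ref>.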
Line 26 ⟶ 34:
 
The Forum supports the development and utilization of global standards, accreditation programs, procurement strategies and related activities to decrease the risk of tainted and counterfeit components and products.
<ref>{{cite web|title=Help technology providers and their customers to “Build with Integrity, Buy with Confidence"™|url=http://www.opengroup.org/content/trusted-technology-forum-build-integrity-buy-confidence|website=opengroup.org|publisher=The Open Group|accessdate=13 April 2015}}</ref>. The Forum has published an Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain<ref>{{cite web|title=Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain|url=http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm|website=NIST.Gov cybersecurity industry resources|publisher=The Open Group|accessdate=24 September 2015}}</ref> that The [[National Institute for Standards and Technology]] (NIST) lists as a cybersecurity industry resource. The document provides mapping between the NIST Cybersecurity Framework<ref>{{cite web|title=Cybersecurity Framework|url=http://www.nist.gov/cyberframework/|website=NIST.Gov|publisher=NIST.Gov|accessdate=24 September 2015}}</ref> and related organizational practices listed in the O-TTPS.
 
== Measurement and Accreditation ==
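Review bot: The Purpose section repeats, word for word and with the same two references, the Implementation Guide and NIST Cybersecurity Framework mapping paragraph that the Background section already carries ("The Forum has published an Implementation Guide… The document provides mapping between the NIST Cybersecurity Framework… and related organizational practices listed in the O-TTPS."). One copy is enough; Purpose is the more natural home if the Background copy is removed, otherwise delete it here. Also, the "Build with Integrity, Buy with Confidence" reference is split onto its own line and followed by ". The Forum…", so the full stop ends up after the ref; suggest "…tainted and counterfeit components and products.<ref>…</ref> The Forum has published…" on one line.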