温馨提示:
1. 部分包含数学公式或PPT动画的文件,查看预览时可能会显示错乱或异常,文件下载后无此问题,请放心下载。
2. 本文档由用户上传,版权归属用户,汇文网负责整理代发布。如果您对本文档版权有争议请及时联系客服。
3. 下载前请仔细阅读文档内容,确认文档内容符合您的需求后进行下载,若出现内容与标题不符可向本站投诉处理。
4. 下载文档时可能由于网络波动等原因无法下载或下载错误,付费完成后未能成功下载的用户请联系客服处理。
网站客服:3074922707
ISO_IEC_20243
_2018
Information technology Open Trusted Technology ProviderTM Standard(O-TTPS)Mitigating maliciously tainted and counterfeit products Part 1:Requirements and recommendationsTechnologies de linformation Norme de fournisseur de technologie de confiance ouverte(O-TTPS)Attnuation des produits contrefaits et malicieusement contamins Partie 1:Exigences et recommandationsINTERNATIONAL STANDARDISO/IEC20243-1Reference numberISO/IEC 20243-1:2018(E)First edition2018-02 ISO/IEC 2018 ISO/IEC 20243-1:2018(E)ii ISO/IEC 2018 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2018All rights reserved.Unless otherwise specified,or required in the context of its implementation,no part of this publication may be reproduced or utilized otherwise in any form or by any means,electronic or mechanical,including photocopying,or posting on the internet or an intranet,without prior written permission.Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCP 401 Ch.de Blandonnet 8CH-1214 Vernier,Geneva,SwitzerlandTel.+41 22 749 01 11Fax+41 22 749 09 47copyrightiso.orgwww.iso.orgPublished in SwitzerlandOpen Trusted Technology Provider Standard(O-TTPS),Version 1.1 iiiContents 1 Introduction.1 1.1 Objectives.1 1.2 Overview.1 1.3 Conformance.3 1.4 Terminology.3 1.5 Future Directions.4 2 Business Context and Overview.5 2.1 Business Environment Summary.5 2.1.1 Operational Scenario.5 2.2 Business Rationale.7 2.2.1 Business Drivers.7 2.2.2 Objectives and Benefits.8 2.3 Recognizing the COTS ICT Context.9 2.4 Overview.10 2.4.1 O-TTPF Framework Overview.11 2.4.2 Standard Overview.11 2.4.3 Relationship with Other Standards.11 3 O-TTPS Tainted and Counterfeit Risks.13 4 O-TTPS Requirements for Addressing the Risks of Tainted and Counterfeit Products.15 4.1 Technology Development.16 4.1.1 PD:Product Development/Engineering Method.16 4.1.1.1 PD_DES:Software/Firmware/Hardware Design Process.16 4.1.1.2 PD_CFM:Configuration Management.17 4.1.1.3 PD_MPP:Well-defined Development/Engineering Method Process and Practices.17 4.1.1.4 PD_QAT:Quality and Test Management.17 4.1.1.5 PD_PSM:Product Sustainment Management.18 4.1.2 SE:Secure Development/Engineering Method.18 4.1.2.1 SE_TAM:Threat Analysis and Mitigation.18 4.1.2.2 SE_RTP:Run-time Protection Techniques.19 4.1.2.3 SE_VAR:Vulnerability Analysis and Response.19 4.1.2.4 SE_PPR:Product Patching and Remediation.20 4.1.2.5 SE_SEP:Secure Engineering Practices.20 4.1.2.6 SE_MTL:Monitor and Assess the Impact of Changes in the Threat Landscape.20 4.2 Supply Chain Security.21 4.2.1 SC:Supply Chain Security.21 4.2.1.1 SC_RSM:Risk Management.21 ISO/IEC 20243-1:2018(E)ISO/IEC 2018 All rights reservedivOpen Group Standard(2014)4.2.1.2 SC_PHS:Physical Security.22 4.2.1.3 SC_ACC:Access Controls.22 4.2.1.4 SC_ESS:Employee and Supplier Security and Integrity.23 4.2.1.5 SC_BPS:Business Partner Security.23 4.2.1.6 SC_STR:Supply Chain Security Training.24 4.2.1.7 SC_ISS:Information Systems Security.24 4.2.1.8 SC_TTC:Trusted Technology Components.24 4.2.1.9 SC_STH:Secure Transmission and Handling.25 4.2.1.10 SC_OSH:Open Source Handling.25 4.2.1.11 SC_CTM:Counterfeit Mitigation.26 4.2.1.12 SC_MAL:Malware Detection.26 List of Tables Table 1:O-TTPS Constituents and their Roles.6 Table 2:Threat Mapping.14 List of Figures Figure 1:Constituents.6 Figure 2:Product Life Cycle Categories and Activities.15 ISO/IEC 20243-1:2018(E)ISO/IEC 2018 All rights reservedISO/IEC 20243-1:2018(E)ISO/IEC 2018 All rights reserved vFOREWORD ISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablishedbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISO and IEC technical committees collaborate in fields of mutual interest.Otherinternationalorganizations,governmentalandnongovernmental,inliaisonwithISOandIEC,alsotakepartinthework.Inthefieldofinformationtechnology,ISOandIEChaveestablishedajointtechnicalcommittee,ISO/IECJTC1.TheproceduresusedtodevelopthisdocumentandthoseintendedforitsfurthermaintenancearedescribedintheISO/IECDirectives,Part1.Inparticularthedifferentapprovalcriterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seewww.iso.org/directives).Attentionisdrawntothepossibilitythatsomeoftheelementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.DetailsofanypatentrightsidentifiedduringthedevelopmentofthedocumentwillbeintheIntroductionand/orontheISOlistofpatentdeclarationsreceived(seewww.iso.org/patents).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.Foranexplanationonthevoluntarynatureofstandards,themeaningofISOspecifi