ISO_IEC_20243-2_2018.pdf

Information technology Open Trusted Technology ProviderTM Standard(O-TTPS)Mitigating maliciously tainted and counterfeit products Part 2:Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018Technologies de linformation Norme de fournisseur de technologie de confiance ouverte(O-TTPS)Attnuation des produits contrefaits et malicieusement contamins Partie 2:Procdures dvaluation de lO-TTPS et lISO/IEC 20243-1:2018INTERNATIONAL STANDARDISO/IEC20243-2Reference numberISO/IEC 20243-2:2018(E)First edition2018-01 ISO/IEC 2018 ISO/IEC 20243-2:2018(E)ii ISO/IEC 2018 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2018All rights reserved.Unless otherwise specified,or required in the context of its implementation,no part of this publication may be reproduced or utilized otherwise in any form or by any means,electronic or mechanical,including photocopying,or posting on the internet or an intranet,without prior written permission.Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCP 401 Ch.de Blandonnet 8CH-1214 Vernier,Geneva,SwitzerlandTel.+41 22 749 01 11Fax+41 22 749 09 47copyrightiso.orgwww.iso.orgPublished in SwitzerlandISO/IEC 20243-2:2018(E)ISO/IEC2018AllrightsreservediiiContents 1.Introduction.11.1Scope.11.2Normative References.11.3Terms and Definitions.11.3.1Distributor.11.3.2Evidence of Conformance.11.3.3Implementation Evidence.11.3.4O-TTPS Requirements.11.3.5Organization.11.3.6Pass-Through Reseller.21.3.7Process Evidence.21.3.8Scope of Assessment.21.3.9Selected Representative Product.22.General Concepts.32.1The O-TTPS.32.2Assessment Concepts:Relevance of Scope of Assessment and Selected Representative Products.32.3Relevance of IT Technology Provider Categories in the Supply Chain.43.Assessment Requirements.63.1General Requirements for Assessor Activities.63.1.1General Requirements for Evidence of Conformance.64.Assessor Activities for O-TTPS Requirements.84.1PD_DES:Software/Firmware/Hardware Design Process.84.2PD_CFM:Configuration Management.94.3PD_MPP:Well-defined Development/Engineering Method Process and Practices.114.4PD_QAT:Quality and Test Management.114.5PD_PSM:Product Sustainment Management.134.6SE_TAM:Threat Analysis and Mitigation.144.7SE_VAR:Vulnerability Analysis and Response.164.8SE_PPR:Product Patching and Remediation.174.9SE_SEP:Secure Engineering Practices.174.10SE_MTL:Monitor and Assess the Impact of Changes in the Threat Landscape.194.11SC_RSM:Risk Management.204.12SC_PHS:Physical Security.214.13SC_ACC:Access Controls.224.14SC_ESS:Employee and Supplier Security and Integrity.234.15SC_BPS:Business Partner Security.244.16SC_STR:Supply Chain Security Training.244.17SC_ISS:Information Systems Security.254.18SC_TTC:Trusted Technology Components.254.19SC_STH:Secure Transmission and Handling.264.20SC_OSH:Open Source Handling.284.21SC_CTM:Counterfeit Mitigation.294.22SC_MAL:Malware Detection.30A.1Guidance.32 ISO/IEC 20243-2:2018(E)ivISO/IEC2018AllrightsreservedFOREWORD ISO(the International Organization for Standardization)and IEC(the InternationalElectrotechnical Commission)form the specialized system for worldwide standardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablishedbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutual interest.Other international organizations,governmental and nongovernmental,inliaisonwithISOandIEC,alsotakepartinthework.Inthefieldofinformationtechnology,ISOandIEChaveestablishedajointtechnicalcommittee,ISO/IECJTC1.Theproceduresusedtodevelopthisdocumentandthoseintendedforitsfurthermaintenanceare described in the ISO/IEC Directives,Part 1.In particular the different approval criterianeededforthedifferenttypesofdocumentshouldbenoted.ThisdocumentwasdraftedinaccordancewiththeeditorialrulesoftheISO/IECDirectives,Part2(seewww.iso.org/directives).Attentionisdrawntothepossibilitythatsomeoftheelementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.Detailsofanypatentrightsidentifiedduringthedevelopmentofthedocumentwill be in the Introduction and/or on the ISO list of patent declarations received(seewww.iso.org/patents).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.Foranexplanationonthevoluntarynatureofstandards,themeaningofISOspecifictermsandexpressionsrelatedtoconformityassessment,aswellasinformationaboutISOsadherencetotheWorldTradeOrganization(WTO)principlesintheTechnicalBarrierstoTrade(TBT)seethefollowingURL:www.iso.org/iso/foreword.html.ThisdocumentwaspreparedbyTheOpenGroupandwasadopted,underthePASprocedure,byJointTechnicalCommitteeISO/IECJTC1,Information technology,inparallelwithitsapprovalbynationalbodiesofISOandIEC.AlistofallpartsintheISO20243seriescanbefoundontheISOwebsite.ISO/IEC 20243-2:2018(E)Ope