
Overview of Assessor Material

Overview of Assessor Material. The Open Trusted Technology Provider™ Standard (O-TTPS). “ Build with Integrity- Buy with Confidence™ ”.


Presentation Transcript


  1. Overview of Assessor Material
The Open Trusted Technology Provider™ Standard (O-TTPS) “Build with Integrity- Buy with Confidence™”
Please note that most of the material in this slide set comes from existing reference documents that have been approved and published. In all cases those documents, and any material that appears on the O-TTPS Accreditation website, take precedence over what appears in these slides.

  2. Overview of Assessor Material
• Assessor Requirements including Training & Exam (slides 1 – 7)
• The Big Picture (slides 8 – 24)
• The Standard: The Open Trusted Technology Provider™ Standard (O-TTPS) (slides 25 – 35)
• The Accreditation Program (slides 36 – 59)
• The Assessment Methodology (slides 60 – 92)
• Recognized Assessor Agreement (slides 93 – 98)
Training Materials Version 1.0 – February 3, 2014

  3. Part 1: Assessor Requirements including Training Material and Exam

  4. Assessor Requirements including Training Material and Exam
• Context for the training and eligibility to perform assessments:
  • The training material and exam are open to any individual who would like to be trained to perform O-TTPS Assessments.
  • Individuals must, however, meet additional criteria (specified in the O-TTPS Recognized Assessor Agreement and summarized in the following slides), and they must be employed by or hired by a company that is an O-TTPS Recognized Assessor company in order to participate in an actual O-TTPS Assessment.
  • An O-TTPS Recognized Assessor company is one that has signed the O-TTPS Recognized Assessor Agreement and legally agreed to all of the terms within the Agreement, including a requirement that any Assessors it assigns to an O-TTPS Assessment will meet the criteria specified in the Agreement, which include completing the training program and passing the exam.
• In order to successfully take the exam an individual must:
  • Contact The Open Group O-TTPS Accreditation Authority at: ottps-accred-auth@opengroup.org
  • Read all of the reference documents listed on the following slide*
  • Read through and understand these training slides*
  • Register for and pay the exam fee
  • Take the on-line open-book exam
  • Receive a passing grade of 75% or higher
• The activities marked with an * should be completed before taking the exam.
• If the Applicant does not pass the exam, they are permitted 2 re-takes per year.

  5. Assessor Requirements including Training Material and Exam
• Suggested Reading – Before taking the Exam (these documents can all be found on the O-TTPS Accreditation Website at the following link: http://ottps-accred.opengroup.org/)
• In order to successfully complete preparation for the Exam an individual should read all of the reference documents listed below:
  • Accreditation Agreement
  • Accreditation Package Document, including the Assessment Report
  • Accreditation Policy
  • Accreditation Program Guide
  • Accreditation Requirements
  • Assessment Procedures
  • Conformance Statement Questionnaire
  • Implementation Selection Criteria Application (ISCA) Document
  • O-TTPS Recognized Assessor Agreement
  • The Open Trusted Technology Provider™ Standard (O-TTPS)

  6. Assessor Requirements including Training Material and Exam
• In addition to completing the training and passing the exam, an individual must be employed by an O-TTPS Recognized Assessor company and meet the following criteria in order to actually participate in an O-TTPS Assessment. NOTE: although these criteria were taken from the O-TTPS Recognized Assessor Agreement, the Agreement takes precedence over anything in these slides. It is the responsibility of the Assessor and the Recognized Assessor organization to understand and abide by ALL the terms in the Agreement. These training slides are only to increase awareness.
• Personnel, Qualifications, and Training: in order to perform assessments for the O-TTPS Accreditation Program, the O-TTPS Recognized Assessor shall ensure that its Assessors (employees and/or contractors) performing Assessments on its behalf have the experience, knowledge, and training in the O-TTPS Standard, the Accreditation Policy, and all the technical areas of the O-TTPS. These include the following criteria, satisfaction of which the O-TTPS Recognized Assessor [Company] shall attest in writing to the Accreditation Authority.
• The Assessor must:
  • Have been trained and have a minimum of 2 years’ experience in performing process audits or assessment of process conformance to standards based upon review of process documentation and associated records of process implementation. Acceptable training and certifications are:
    • ISO 9001 lead auditor
    • ISO/IEC 27001 lead auditor
    • CMMI-DEV appraiser
    • ISO/IEC 15408 or Common Criteria evaluator with experience in evaluating life-cycle assurance requirements
    • ISO/IEC 19790 or FIPS 140-2 tester with experience in testing the process requirements of that standard
  • Have sufficient knowledge of:
    • Supply chain management terminology and techniques
    • Technical knowledge of the O-TTPS Attributes. Education and training on these topics should be included in the Assessor personnel’s training record.
    • The O-TTPS Attribute areas (see Section 4 of the O-TTPS for the Attributes; they are summarized on the following slide)
  • Have successfully passed The Open Group Assessor examination covering the O-TTPS Standard and Accreditation Program.

  7. Assessor Requirements including Training Material and Exam
• The Assessor must have sufficient knowledge of all 23 O-TTPS Attribute Areas:
  • PD_DES: Software/Firmware/Hardware Design Process
  • PD_CFM: Configuration Management
  • PD_MPP: Well-defined Development/Engineering Method Process and Practices
  • PD_QAT: Quality and Test Management
  • PD_PSM: Product Sustainment Management
  • SE_TAM: Threat Analysis and Mitigation
  • SE_RTP: Run-time Protection Techniques
  • SE_VAR: Vulnerability Analysis and Response
  • SE_PPR: Product Patching and Remediation
  • SE_SEP: Secure Engineering Practices
  • SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape
  • SC_RSM: Risk Management
  • SC_PHS: Physical Security
  • SC_ACC: Access Controls
  • SC_ESS: Employee and Supplier Security and Integrity
  • SC_BPS: Business Partner Security
  • SC_STR: Supply Chain Security Training
  • SC_ISS: Information Systems Security
  • SC_TTC: Trusted Technology Components
  • SC_STH: Secure Transmission and Handling
  • SC_OSH: Open Source Handling
  • SC_CTM: Counterfeit Mitigation
  • SC_MAL: Malware Detection

  8. Part 2: The Big Picture

  9. Securing the Global Supply Chain: Enabling Providers to Raise the Bar on Security and Integrity
The Open Group Trusted Technology Forum (OTTF)
“Build with Integrity – Buy with Confidence™”
July 2013

  10. The Open Group Membership
• Over 40,000 participants from over 95 countries
• Over 500 memberships with HQs in 40 countries from 6 continents
• Member headquarters include: Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Italy, Japan, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Qatar, Russian Federation, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA

  11. What Does The Open Group Do?
• Membership & Events
• Forums & Work Groups: Architecture, Security, Real-Time and Embedded Systems, Cloud, SOA, OTTF, etc.
• International & Regional Conferences
• Standards and Certification – over 25 years’ experience; voluntary consensus standards and certification programs through The Open Group Standards Process, consistent with OMB Circular A-119
  • People & Organizations: TOGAF®, Architects, IT Specialists, Lotteries (Quality Assurance Best Practices), O-TTPS
  • Products & Technology: NFC Forum, UNIX®, WAP, Architecture Tools
  • Defense Standards: DirecNet, FACE™

  12. The Open Group CyberSecurity Activities
• Trusted Technology Forum
• Real Time & Embedded Systems Forum
• Security Forum

  13. OTTF Background
• Government-industry roundtable discussion in 2009
  • Initiated by DOD/AT&L, DOD/CIO and The Open Group
• Government raised these issues:
  • Moving from high-assurance customized solutions to commercial off-the-shelf (COTS) information and communication technology (ICT)
  • Need to confidently identify trusted COTS ICT products/providers
• Government recommendation:
  • Establish consensus on best-of-breed best practices, based on industry experience, to create a standard that enables all providers to conform to those best practices when building products.
  • Create an accreditation program brand that identifies trusted technology providers who conform to the standard.
• Response to the recommendation: the OTTF was created
  • Providers, integrators, government agencies and third-party labs from around the globe responded to the recommendation

  14. The Challenge
• Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) leverages a global supply chain: Source, Make, Deliver.
• Product certification is not enough; assurance is needed throughout that best practices are being followed in building every product.
• For service providers: COTS ICT, “Build with Integrity”. For governments, enterprises and consumers: Trusted Products, “Buy with Confidence”.
• The solution requires:
  • Best practices for the entire product life cycle
  • Best practices followed by all constituents in the chain
  • Accreditation programs that assure conformance to the Standard

  15. O-TTPS: Mitigating Maliciously Tainted and Counterfeit Products
• The Open Trusted Technology Provider™ Standard (O-TTPS), released in April 2013, is a 50-page document of requirements for organizational best practices.
• The result of over 3 years of collaborative, consensus-based effort.
• The requirements apply across the product life cycle (Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal). Some are highly correlated to the threats of maliciously tainted and counterfeit products; others are more foundational but considered essential.
• 2 areas of requirements, which often overlap depending on product and provider:
  • Technology Development: mostly under the provider’s in-house supervision
  • Supply Chain activities: mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle

  16. O-TTPS: Technology Development
• Product Development/Engineering Requirements in:
  • Software/Firmware/Hardware Design Process
  • Development/Engineering Process and Practices
  • Configuration Management
  • Quality/Test Management
  • Product Sustainment Management
• Secure Development/Engineering Requirements in:
  • Threat Analysis and Mitigation
  • Run-time Protection Techniques
  • Vulnerability Analysis and Response
  • Product Patching and Remediation
  • Secure Engineering Practices
  • Monitor and assess the impact of changes in the threat landscape

  17. O-TTPS: Supply Chain Activities
• Supply Chain Requirements in:
  • Risk Management
  • Physical Security
  • Access Controls
  • Employee and Supplier Security
  • Business Partner Security
  • Supply Chain Security Training
  • Information Systems Security
  • Trusted Technology Components
  • Secure Transmission and Handling
  • Open Source Handling
  • Counterfeit Mitigation
  • Malware Detection

  18. OTTF Principles
The OTTF develops its standards and accreditation programs according to these principles:
• Practical and effective: practitioner-based, with evidence that it works in the field
• Reasonable: achievable and implementable by a wide variety of vendors and stakeholders
• Affordable: reasonably cost-effective to implement
• Open: based on open standards and recognized industry best practices, publicly available to all
• Organizational/process-based accreditation: flexible enough that an organization can choose its own scope of accreditation (product, product line, entire organization)

  19. Objective: Customers Buy with More Confidence; Providers & Suppliers Can Extend Supply Chain Security
• Customers “Buy with Confidence” by requesting O-TTPS Accredited Providers.
• Trusted Technology Providers of commercial ICT follow O-TTPS best practices and are Accredited; their O-TTPS-compliant suppliers of products and sub-components conform to the O-TTPS (Standard) as well.
• O-TTPS accreditation is broader than evaluation of security products: it covers the provider’s practices, not just one product.
• Un-trusted suppliers and providers are those who do not follow the Standard and are not accredited.

  20. Parties in the accreditation ecosystem (diagram):
• Customer/Acquirer: demands the Accreditation certificate as evidence of conformance to Open Trusted Technology Provider™ standards.
• Integrator: will seek business partners who can meet Open Trusted Technology Provider™ requirements.
• Provider: will seek business partners (Component Suppliers) who can meet Open Trusted Technology Provider™ requirements.
• Component Suppliers: may be hardware, software, global, open source or not, with multiple supplier layers.
• Standards Body (standards process): will seek ways of achieving market up-take and integrity of standards.
• Accreditation Body (accreditation process): must be independent and vendor/technology-neutral.

  21. OTTF Milestones and Time Frames (timeline diagram, 2010 – 2014)
• Early industry collaboration; Forum launched
• Framework White Paper published
• Standard development: snapshot, then publish V1.0 (O-TTPS v1.0 published April 2013)
• Define conformance criteria; conduct pilot program
• Define and approve O-TTPS Accreditation Program (approved October 2013)
• Implement and launch public O-TTPS Accreditation Program (program available December 2013; marketing launch early February 2014)

  22. Part 3: The Standard

  23. Introducing the O-TTPS (Standard)
• What is the O-TTPS?
  • A standard, developed by The Open Group’s Trusted Technology Forum (OTTF)
• It contains:
  • An explanatory section that introduces the scope of the standard. It focuses on the two threats of counterfeit products and of maliciously tainted products.
  • A framework used to present the attributes and requirements for supply chain security
  • A glossary and definitions of terms

  24. O-TTPS Focused on 2 Major Threats
• Version 1 of the standard focuses on mitigating risks associated with two threats that are of concern to customers of commercial off-the-shelf (COTS) information and communications technology (ICT).
• The two threats are:
  • Counterfeit Products
  • Maliciously Tainted Products

  25. O-TTPS Snapshot – Mitigating Risks for Tainted and Counterfeit Products
• A tainted product is “produced by the provider and is acquired through reputable channels but has been tampered with maliciously”. Could result in:
  • product failure, degraded performance, weakened security mechanisms allowing rogue functionality, and potentially critical damage
• A counterfeit product is “produced other than by or for the provider, or is supplied by other than a reputable channel, and is represented as legitimate”. Could result in:
  • For customers: if the product fails at a critical juncture, loss of productivity and revenue
  • For providers: loss of revenue stream and brand damage

  26. Technology Supply Chain Threat Matrix

  27. O-TTPS Best Practice Categories
• Technology Development
  • PD: Product Development/Engineering Methods – 5 Attributes
  • SE: Secure Development/Engineering Methods – 6 Attributes
• Supply Chain Security
  • SC: Supply Chain Security Methods – 12 Attributes

  28. The O-TTPS Requirements and Recommendations
• 2 Categories
• 3 Methods
• 23 Attributes
• 54 Requirements (Shall)
• 29 Recommendations (Should) – currently not assessed
• Accreditation demonstrates conformance to the 54 requirements

  29. O-TTPS Categories, Methods and Attributes (diagram)
• Technology Development Category
  • Product Development/Engineering Method: Design Process; Configuration Management; Development Method; Quality and Test; Product Sustainment
  • Secure Development/Engineering Method: Threat Analysis & Mitigation; Run Time Protection; Vulnerability Analysis & Response; Product Patching & Remediation; Secure Engineering Practices; Monitoring the Threat Landscape
• Supply Chain Security Category
  • Supply Chain Security Methods: Risk Management; Physical Security; Access Controls; Employee and Supplier Security and Integrity; Business Partner Security; Supply Chain Security Training; Information Systems Security; Trusted Technology Components; Secure Transmission and Handling; Open Source Handling; Counterfeit Mitigation; Malware Detection

  30. Technology Development Category – PD: Product Development/Engineering Method
• Attributes
  • PD_DES: Software/Firmware/Hardware Design Process
  • PD_CFM: Configuration Management
  • PD_MPP: Well-defined Development/Engineering Method Process and Practices
  • PD_QAT: Quality and Test Management
  • PD_PSM: Product Sustainment Management

  31. Technology Development Category – SE: Secure Development/Engineering Method
• Attributes
  • SE_TAM: Threat Analysis and Mitigation
  • SE_RTP: Run-time Protection Techniques
  • SE_VAR: Vulnerability Analysis and Response
  • SE_PPR: Product Patching and Remediation
  • SE_SEP: Secure Engineering Practices
  • SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape

  32. Supply Chain Security Category – SC: Supply Chain Security Methods
• Attributes
  • SC_RSM: Risk Management
  • SC_PHS: Physical Security
  • SC_ACC: Access Controls
  • SC_ESS: Employee and Supplier Security and Integrity
  • SC_BPS: Business Partner Security
  • SC_STR: Supply Chain Security Training
  • SC_ISS: Information Systems Security
  • SC_TTC: Trusted Technology Components
  • SC_STH: Secure Transmission and Handling
  • SC_OSH: Open Source Handling
  • SC_CTM: Counterfeit Mitigation
  • SC_MAL: Malware Detection

  33. Part 4: The Accreditation Program

  34. Accreditation Program Outline
• Overview Diagram & Description
• Operational Flowchart
• Accreditation Elements
  • Conformance Statement / Scope of Accreditation
  • Accreditation Requirements
  • Accreditation Agreement & Trademark License
  • Accreditation Policy
• Assessment Methodology – covered in the next section

  35. O-TTPS: Proposed Accreditation Program, Based on Warranty & Assessed Conformance (diagram)
• Governance and operation: the OTTF develops and maintains the Standard; membership is open to all.
• Accreditation Authority: the program is operated by The Open Group as a vendor-neutral program. The Accreditation Authority is responsible for accreditation of 3rd-party assessors, appeals, certificates, logo use, and consistency across accreditations.
• Applicants (Component Supplier, Provider, Integrator) apply and warrant & represent conformance. Scope is flexible: from the whole organization down to one product.
• O-TTPS Recognized 3rd-Party Assessors, engaged by the Applicant, verify conformance.
• On success, the Applicant becomes an Open Trusted Technology Provider™, and the program logo is used to support accreditation claims.

  36. Accreditation Program Description
• The Applicant can be a Component Supplier, a Provider, or an Integrator
• The Applicant warrants and represents its conformance to the requirements throughout its declared Scope of Accreditation; that is, it claims that it follows the best practices throughout the product life cycle, including supply chain cycles, for all of the products in its declared Scope
• Scope is up to the Applicant: product, product(s), product line, organization, etc.
• The warranty is backed by evidence of conformance and assessment of that evidence by 3rd-Party Assessors
• The Open Group operates a vendor-neutral program and provides oversight and consistency across applications
• A successful Applicant gets a certificate and use of the Trademark and Logo
• The Open Group manages Trademark and Logo use, problem reporting and the appeals process
• The accreditation period is 3 years before renewal is required
• The public O-TTPS accreditation program launched in December 2013 and is open to any organization; membership of The Open Group is not required

  37. Accreditation ProgramOperational Flow Chart

  38. Accreditation Program Elements: Conformance Statement
• The Conformance Statement is:
  • completed by the Organization
  • generated from the Conformance Statement Questionnaire
  • defines contact information and the draft Scope of Accreditation
  • provided to the Accreditation Authority (AA)
• Once finalized and the accreditation is awarded, it becomes a public document
• Referenced in Section 3.3 of the Policy

  39. Accreditation Program Elements: Scope of Accreditation
• The Organization declares its Scope of Accreditation
• Its warranty is with respect to the Scope of Accreditation
• The Organization has total latitude with this decision: enterprise-wide, product line, business unit; others may prefer to accredit only one or more individual products

  40. Accreditation Program Elements: Accreditation Requirements
• The Accreditation Requirements are the O-TTPS requirements that an Organization must meet in order to demonstrate conformance to the O-TTPS.
• For O-TTPS 1.0 the Accreditation Requirements are:
  • Organizations must meet all of the mandatory/“shall” requirements in the Standard.
  • An Organization is not required to meet, and will not be assessed for, the recommendations/“should” requirements in the Standard.
• All of the requirements and the recommendations are listed in Chapter 4 of the Standard.
• The definitions of “should” and “shall” are in Section 1.3 of the Standard and align with the ISO definitions.

  41. Accreditation Program Elements: Accreditation Agreement and TMLA
• The Accreditation Agreement: the agreement between the Organization and the Accreditation Authority that defines the accreditation service to be provided and contains the legal commitment by the Organization to the conditions of the O-TTPS Accreditation Program.
• Trademark License Agreement: the agreement that contains the legal commitment by the Organization to the conditions for use of the Accreditation Logo.
• The Accreditation Agreement and the Trademark License Agreement, in conjunction with the Accreditation Requirements and the Accreditation Policy, constitute the set of requirements and obligations between the Organization and the Accreditation Authority for achieving accreditation.

  42. Accreditation Program Elements: Policy
• Defines what can be accredited, what it means to be accredited, and the process for achieving and maintaining accreditation.
• Defines the obligations of Organizations, including a requirement for an Organization to warrant and represent that within a declared Scope of Accreditation it meets the Accreditation Requirements (i.e., all the mandatory/“shall” requirements in the O-TTPS).
• The Organization has total latitude with this scope declaration; it may be enterprise-wide, product line, business unit, or only one or more individual products.
• The Accreditation Policy, in conjunction with the Accreditation Requirements, Accreditation Agreement, and Trademark License Agreement, constitutes the set of requirements and obligations between the Organization and the Accreditation Authority for achieving accreditation.

  43. Accreditation Program Elements: Policy
• Section 1: Overview
  • 1.1 Introduction
  • 1.2 Terminology – very important for Assessors to refer to this section when in doubt about what a term means. The Assessment Procedures will refer out to these definitions and will include only those definitions that are not defined in the Policy or the Standard.
  • 1.3 Referenced Documents – Assessors should read each of these Reference Documents (see next slide)

  44. Accreditation Program Elements: Referenced Documents
• 1.3 Referenced Documents – Assessors should read each of these Reference Documents:
  • Accreditation Agreement
  • Accreditation Package Document, including the Assessment Report
  • Accreditation Policy (this document)
  • Accreditation Program Guide
  • Accreditation Requirements
  • Assessment Procedures
  • Conformance Statement
  • Conformance Statement Questionnaire
  • Implementation Selection Criteria Application (ISCA) Document
  • O-TTPS Recognized Assessor Agreement
  • The Open Trusted Technology Provider™ Standard (O-TTPS)
  • Trademark License Agreement

  45. Accreditation Program Elements: Policy
• Section 2: Accreditation Process
  • Introduction: lists all of the parties involved in the Accreditation Program. Assessors should make sure they understand each party’s role (reference Section 1.2 for basic definitions):
    • Organization
    • Accreditation Authority (AA)
    • O-TTPS Recognized Assessor and its Assessor(s)
    • Specification Authority
    • Technical Review Board
    • The Open Group Board of Directors
  • Work Flow Diagram (see next slide)
  • Sections 2.1 – 2.12 define the various steps labeled in the Flow Diagram.
    • Assessors should be familiar with all steps from an operational flow perspective.
    • 2.6 – 2.10: Assessors should have an in-depth understanding of these steps. (They will be covered in more detail in the Assessment Methodology section.)

  46. Accreditation ProgramOperational Flow Chart

  47. Accreditation Program Elements: Policy
• Section 3: Conformance
  • This section describes the policies relating to the conformance of the Organization at the time of accreditation and throughout the duration of the accreditation.
  • Covers:
    • Scope of Accreditation
    • More than one Scope of Accreditation
    • Accreditation Requirements
    • Conformance Statement

  48. Accreditation Program Elements: Policy
• Section 4: Obligations of Organization
  • The Accreditation Agreement (between the Accreditation Authority and the Organization) requires the Organization, to the best of the Organization’s knowledge, to warrant and represent that:
    • Within the Scope of Accreditation, the Organization conforms to the Accreditation Requirements.
    • The Organization agrees to the policies expressed in the Accreditation Policy document.
  • This section covers:
    • Achieving Accreditation
    • Maintaining Accreditation during the Accreditation Period
    • Removal of Accreditation

  49. Accreditation Program Elements: Policy
• Section 5: The Open Group Accreditation Logo
  • Basics:
    • Once the Accreditation Authority has notified the Organization that it is accredited, and the Trademark License Agreement has been signed, the Organization may use the Accreditation Logo in association with the Organization and its Scope of Accreditation as per the terms specified in the Trademark License Agreement.
    • The Accreditation Logo may be used only on or in relation to the Organization and its Scope of Accreditation.
  • This section covers:
    • Trademark License Agreement
    • Removal of the Accreditation Logo
    • Reporting Misuse of the Accreditation Logo

  50. Accreditation Program Elements: Policy
• Section 6: Accreditation Register
  • Basics: the Accreditation Register is a web-based record of all accredited Organizations and is maintained by the Accreditation Authority. The Accreditation Register contains:
    • Name of the Organization
    • Duration the accreditation is valid before it must be renewed
    • Status of the accreditation, as either current or inactive
    • Version of the O-TTPS against which it is accredited
    • Conformance Statement, including Scope of Accreditation
    • Pointer to the Organization’s website
  • This section covers:
    • Inclusion in the Accreditation Register
    • Deactivating a Listing in the Accreditation Register
