Enabling Enterprise Resilience through Security Automation ...

More documents

Recommendations

Info

SCRM Systems Engineering Needs1. A common language to describe supply chain exploits(1 st rule of systems engineering – needed for SCRM)2. Realistic method to prioritize mitigations3. Phased implementation approach that includes monitoring/validating effectiveness of SCRM to discourage:– BOGSAT prioritization methods with no validation that cause“spending into oblivion” OR– “Hands-up” “cannot afford” responses of smaller components, yetinterconnect into secured systems4. Standard approaches for sharing measurable security plansto incorporate into provenance processes| 19 |
(3) Need Measured, Phased ApproachAdapt NIST 800-39 Risk Management guidance:1. the multitiered organization views and process elements must be elaborated upon for the integrated organizationfor SCRM (greater depth into supply chains), and2. the risk management features must expanded to account for non-traditional IT operations (greater breadth toinclude development/acquisition operations and logistics).Example Elaborations:Tier One – Organization/<strong>Enterprise</strong> View■■■Governance and Risk Executive includes integrated structure for IT, security, logistics, contracting, and so forthRisk Management Strategy frames supply chain threats and vulnerabilities (in both products and processes)Investment Strategies include secure replacement of exploitable modulesTier Two – Mission/Business View■■Risk Awareness includes supply chain concerns, such as tainted and counterfeit products<strong>Enterprise</strong>/Infosec Architecture include development lifecycles and contracting detailsTier Three – Information System View■Appropriate activities built in across lifecycle phases (e.g., development, acquisition, sustainment, operations)| 20 |
Page 1 and 2: Software & Supply Chain Assurance:E
Page 3 and 4: ICT Supply Chain ExploitationToward
Page 6 and 7: Who is susceptible to supply chain
Page 8 and 9: Supply Chain Exploit Frame of Refer
Page 10 and 11: Domain of Custody(1) Common Languag
Page 12 and 13: (2) Countermeasure Prioritization E
Page 14 and 15: | 17 |Examples of TransferableTechn
Page 18 and 19: (4) Security “Pipework”| 22 |
Page 20 and 21: Identifying DHS Concerns about howS
Page 22 and 23: Cybersecurity and CommunicationsRes
Page 24 and 25: Why it Matters■ Industrial Espion
Page 26: Software Assurance Addresses Exploi

Enabling Enterprise Resilience through Security Automation ...

Create successful ePaper yourself

Delete template?

Save as template?