ISO/IEC 20243-1:2023 情報技術 | ページ 6

3.1

Acquirer

One who procures hardware and software products and services to create solutions that meet their customers’ requirements.

3.2

Artifact

Something that results from applying a process.

3.3

Asset

Anything you can use that is considered a thing of value (e.g., tool).

3.4

Backdoor

An intentional and undisclosed mechanism (to the customer/user) in a product, service, or facility which is intended to provide access to assets and artifacts by an unauthorized party.

3.5

Best Practice

Provides a clear description of a set of tried and tested processes, procedures, and guidelines that, when practically applied to an operation, brings a business advantage.

3.6

Certification Authority

Provides certification and/or testing services, especially those involved with conformance certification and/or testing.

3.7

Certification Program

A process in which certification of competency or credibility is provided. As used in this document, it is a process that a supplier goes through to certify that they meet the requirements of the Open Trusted Technology Provider Standard (O-TTPS).

3.8

Component

Refers to either hardware or software; for hardware, it refers to any physical, cyber-active element, and for software, it refers to any module or executable within a system or application.

3.9

Component Supplier

Entity that supplies components, typically as business partners to providers.

3.10

Configuration Management

A formal process which ensures the proper management, control, and tracking of change to product development and manufacturing assets and artifacts.

3.11

Conformance Assessment

The act of determining the consistency of an implementation to a specification, or the adherence of a business operation to a best practice or process definition.

3.12

Contractors/System Integrators

Provide services and solutions to customers; typically used on large projects that deal with multiple providers.

3.13

COTS

Commercial Off-The-Shelf hardware and software.

3.14

Counterfeit Product

A product that is produced other than by, or for, the provider, or is supplied to the provider by other than a provider’s authorized channel and is presented as being legitimate even though it is not.

3.15

Development Method

System (or Software) Development Life Cycle (SDLC) development-based method. Applicable to both hardware and software-based products.

3.16

Downstream

Any entity that is further down the supply chain process from the subject; i.e., the acquirer is downstream from the integrator (see Upstream).

3.17

Engineering Method

Method that is focused on manufacturing or development processes and practices; for products with significant hardware-based technology components (chips, firmware, systems, etc.).

3.18

Framework

Defines a set of structured processes and templates that facilitates solving a complex problem. As used in this document, a set of best practices identified by a cross-industry forum which, if used by a technology vendor, may allow a government or commercial enterprise customer to consider the vendor’s products as more secure and trusted.

3.19

Grey Market

Distribution channels which, while legal, are unofficial, unauthorized, or unintended by the original manufacturer.

3.20

ICT

Information and Communications Technology.

3.21

IEC

International Electrotechnical Commission.

3.22

Integrator

A third-party organization that specializes in combining products from several suppliers to produce systems for a customer.

3.23

Integrity

The condition of not being marred or violated; unimpaired or uncorrupted condition; original perfect state; soundness.

Note 1 to entry: This definition is aligned with ISO/IEC 27000:2009.

3.24

ISO

International Organization for Standardization.

3.25

Legitimate Product

The item is produced by the provider and is acquired through a provider’s authorized channel.

3.26

Lifecycle

A progression through a series of differing stages of development. Commonly referred to as System Development Life Cycle (SDLC). The course of events that brings a new product into existence and follows its growth into a mature product and into eventual disposal.

3.27

Mitigation

Any action, device, procedure, technique, or any other measure that reduces the vulnerability or risk.

3.28

ODM

Original Design Manufacturer.

3.29

OEM

Original Equipment Manufacturer.

3.30

Open CA

The Open Group IT Architect Certification Program.

3.31

Open Source

Generically, the term “open source” refers to a program in which the source code is available to the general public for use and/or modification from its original design free-of-charge; i.e., open. Open source code is typically created as a collaborative effort in which programmers improve upon the code and share the changes within the community. Open source sprouted in the technological community as a response to proprietary software owned by corporations.

[SOURCE:Wikipedia]

3.32

OSS

Open Source Software – software that is developed collaboratively using an open (visible) development process.

3.33

OTTF

The Open Group Open Trusted Technology Forum. A global standards initiative to provide a collaborative, open environment for technology companies, customers, government, and supplier organizations to create and promote guidelines for manufacturing, sourcing, and integrating trusted, secure technologies.

3.34

O-TTPF

Open Trusted Technology Provider Framework. Initially released as a White Paper in February 2011, revised in November 2015, and updated and published as a Guide in September 2021 (see Bibliography [5]), it serves as the basis for the work defined here, future updates, and additional standards. The O-TTPF is a compendium of organizational guidelines and best practices that if implemented enhance the security and integrity of Commercial Off-The-Shelf (COTS) Information and Communications Technology (ICT) products throughout the entire product lifecycle, including the supply chain aspects of that lifecycle. The content of the O-TTPF is the result of industry collaboration and research as to the contemporary practical.

3.35

O-TTPS

A standard established by consensus within the OTTF and approved through The Open Group Company Review process that provides a set of organizational commercial requirements that enhance the security of the global supply chain and the integrity of COTS ICT products. It provides a set of guidelines and best practice requirements and recommendations that help assure against tainted and counterfeit products throughout the COTS ICT product lifecycle encompassing the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

3.36

Product Lifecycle Categories

3.37

Product Sustainment Management

Product support, release maintenance, and defect management are offered to customers while the product is generally available.

3.38

Providers

As used in this document, a midstream vendor developing products and managing the supply chain to provide acquirers and integrators with trustworthy products.

3.39

PSIRT

Product Security Incident Response Team.

3.40

RBA

Responsible Business Alliance.

3.41

Risk

An event or condition that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets and artifacts, activities, and operations.

3.42

Risk Management

The process concerned with the identification, measurement, control, and mitigation of risk.

3.43

Security-Critical

A business partner that provides or a process that uses a logic-bearing or software component for a product; encompasses all aspects of security, including physical, cyber, and supply chain security.

3.44

Standards Body

Any organization whose primary activities are developing, coordinating, promulgating, revising, amending, re-issuing, interpreting, or otherwise producing standards that are intended to address the needs of some relatively wide base of affected adopters.

3.45

Supplier

An upstream vendor who develops hardware or software components for providers.

3.46

Supply Chain

A set of organizations, people, activities, information, and resources for creating and moving a product or service (including its sub-elements) from suppliers through to customers. One of the two major categories in this document is Supply Chain Security.

3.47

Supply Chain Attack (general)

An attempt to disrupt the creation of goods by subverting the hardware, software, or configuration of a commercial product, prior to customer delivery (e.g., manufacturing, ordering, or distribution) for the purpose of introducing an exploitable vulnerability.

3.48

Supply Chain Risk Management

The identification, assessment, prioritization, and mitigation of business, technical, and physical risks as they pertain to the manufacturing process including the use of third-party components and services in addition to the delivery of the product to the end user.

3.49

Supply Chain Security

The manufacturing and/or development process performs its intended function in an unimpaired manner, free from deliberate or inadvertent manipulation. Extends the NIST definition [NIST SP 800-12].

3.50

System Lifecycle

The phases of a system or proposed system that address its existence from inception to retirement.

3.51

Tainted Product

A product that is produced by the provider and is acquired through a provider’s authorized channel but has been tampered with maliciously.

Note 1 to entry: All instances, within this document, of the use of the words: taint, tainted, tainting refer to malicious taint, maliciously tainted, and malicious tainting, respectively.

3.52

Technology Provider

See Provider.

3.53

Technology Supply Chain

The manufacturing and/or development process used to produce and deliver hardware or software technology products and their configuration.

3.54

Technology Supply Chain Attack

An attack that subverts the hardware, software, or configuration of a product, prior to customer delivery, for the purpose of introducing an exploitable vulnerability.

3.55

Technology-neutral

An approach whereby the decision to use technology required to meet a stated need is free of any bias.

3.56

Threat

The intention and capability of an adversary to undertake actions that would be detrimental through disruption of processes or subversion of knowledge.

3.57

Trusted Technology Provider

An organization that has been successfully certified as being conformant to the requirements defined in the Open Trusted Technology Provider Standard (O-TTPS).

3.58

Upstream

Any entity who is further up the supply chain process from the subject; i.e., vendors who supply component parts or solutions (software or hardware) to providers or integrators (see Downstream).

3.59

VAR

Value-Add Reseller.

3.60

Vendor

Builds products or components (hardware or software).

3.61

Vendor-neutral

An approach whereby the decision to use a vendor required to meet a stated technology need is free of any bias.

3.62

Vulnerability

A weakness in the design, implementation, or operation of an asset, artifact, system, or network that can be exploited.

3.63

Vulnerability Analysis

The process of determining whether a product contains vulnerabilities and categorizing their potential severity.