str-w04a-criticality-analysis-supply-chain_v2.pdf

Criticality Analysis Supply Chain: Providing Representational Assurance” SESSION ID: STR-W04A Dan Reddy (CISSP, CSSLP) Sr. Consultant Product Manager Supply Chain Assurance Lead EMC Product Security Office @danlj28 Problem  Those who buy technology for a new system need to understand the risk there are taking on from their technology providers.  Providers of technology don’t want to unduly share details behind their technology that could compromise their product’s security or their company’s competitive posture.  How to bridge the gap? “Representational Assurance”  Uses meaningful metadata about security practices that can be shared to build initial risk posture. Leveraging graphics help to analyze while scaling.  You will see how to apply this concept to a Use Case. #RSAC 2 Set the Stage for the Use Case - Actors: Public Sector System Builder seeks to acquire technology from ICT COTS Providers System Builder (Acquirer) Supplier (Provider)  Has overall system goal  Builds highly functional products  May acquire through Integrator  Cares about quality  Required to address Information  Builds secure products Communication Technology (ICT),  Good practices matter most Commercial Off-the-Shelf (COTS)  Strives to prevent “bugs” risk as part of the system  Cares about product integrity  Including Supply Chain Risk  Invests in Certs Accreditation Management (SCRM)