Open Trusted Technology Forum (OTTF) Members' Meeting
Monday, April 24, 2017
Objective of Meeting
The objectives for the Monday sessions were as follows:
- To discuss the outreach strategy for 2017
The goal was to revisit the major OTTF deliverables and the outreach strategy activities that were agreed at the last member meeting in San Francisco, and outline any next steps for achieving each of the objectives.
- To provide an overview of the Security Forum activities in order to increase awareness of their work and discuss further any activities that might be of interest to the O-TTPS – and vice versa
Monday morning was focused on presenting the OTTF Strategy for a recap and discussion along with a presentation from Jay Spaulding, the Security Forum Director, which offered a review and interactive discussion of their work.
Monday afternoon was spent at the Plenary session on Security and Risk Management featuring presentations on blockchain theory and supply chain applications, as well as a presentation by Sally Long, Director of the OTTF, on the Open Trusted Technology Provider Standard (O-TTPS – ISO/IEC 20243) and the Factor Analysis for Information Security (Open FAIR) standard.
O-TTPS – ISO/IEC 20243
The presentation covered the work of The Open Group Trusted Technology Forum. A synopsis of the OTTF work is included below.
The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS) is the first standard with a certification program that specifies measurable conformance criteria for both product integrity and supply chain security practices.
The standard defines a set of best practices that information and communication technology (ICT) providers should follow throughout the full lifecycle of their products from design through disposal – including their supply chains – in order to mitigate the risk of tainted and counterfeit components.
The O-TTPS Version 1.1 was released in July 2014. This version was submitted to the International Standards Organization (ISO) and approved as ISO/IEC 20243:2015.
The OTTF also developed the O-TTPS Certification Program, which was launched in February 2014 and includes third-party assessment by O-TTPS Recognized Assessors to evaluate evidence of conformance to the standard, as defined in the publicly available O-TTPS Assessment Procedures. The certification is available to all ICT providers in the supply chain: Original Equipment Manufacturers (OEMs), hardware and software component suppliers, Value-Add Resellers, and Distributors.
In January 2015, The Open Group announced an additional tier in the certification program: the Self-Assessed tier, which offers applicants the option of conducting their own assessment. The O-TTPS Certification Program provides certificates for conformance to both the O-TTPS and ISO/IEC 20243:2015, as the two standards are technically equivalent.
The presentation covered the issues, including the cybersecurity threats, that are driving the need for enterprises to better evaluate their risk posture and respond with appropriate levels of security measures. A synopsis of Open FAIR is included below.
Open FAIR provides a taxonomy and method for understanding, analyzing, and measuring information risk. It allows organizations to:
- Speak in one language concerning their risk using the standard taxonomy and terminology, and communicate risk effectively to senior management
- Consistently study and apply risk analysis principles to any object or asset
- View organizational risk in total
- Challenge and defend risk decisions
- Compare risk mitigation options
Open FAIR consists of two standards:
- The Risk Taxonomy (O-RT) standard defines a taxonomy for the factors that drive information security risk
- The Risk Analysis (O-RA) standard defines an approach to risk analysis based on the taxonomy
It is important to note that the Open FAIR standard can be effectively applied to other security risk types – beyond information risk.
The brainstorming discussion on the OTTF and Security Forum strategy was captured on Monday as a basis for continuing the discussion on Tuesday.
Next step: continue the strategy discussions on Tuesday.