Software SCRM during Retirement Flashcards
The retirement of software includes:
Decommissioning (or deletion) of the software from operations, but also disposal of the data processed, transmitted, or stored by the software, if the data is no longer needed for business operations, or if there is no regulatory requirement to maintain the data.
When acquirers fail to establish end-of-life decommissioning or disposal requirements or rules:
The likelihood of unauthorized access and disclosure threats increases considerably.
Acquisition Lifecycle Phase
Media sanitization: overwriting (formatting) data, disk degaussing, physical destruction, and removal of sensitive information and cryptographic keys.
Acquisition Lifecycle Phase - Planning (Initiation)
Perform an initial risk assessment to determine assurance requirements (protection needs elicitation); Develop acquisition strategy and formulate plan with evaluation criteria.
Acquisition Lifecycle Phase - Contracting
Include SCRM as part of the acquisition advertisement (RFP, RFQ, etc.); Develop contractual and technical controls requirements; Perform Supplier Risk Assessment (Supplier Sourcing); Evaluate Supplier Responses; Establish Intellectual Property (IP) ownership and responsibilities; Negotiate and award contract.
Acquisition Lifecycle Phase - Development & Testing
Evaluate conformance to assurance requirements; Conduct code reviews; Ensure security of code repositories; Ensure security of build tools and environment; Conduct security testing.
Acquisition Lifecycle Phase - Acceptance
Validate anti-tampering resistance and controls; Verify authenticity (code signing) & anti-counterfeiting controls; Verify supplier claims.
Acquisition Lifecycle Phase - Delivery (Handover)
Maintain Chain of Custody; Secure transfer; Enforce code escrows (if required); Comply with export control & foreign trade data regulations.
Acquisition Lifecycle Phase - Deployment (Installation/Configuration)
Configure the software securely; Implement perimeter (network) defense controls; Validate System-of-Systems (SoS) security.
Acquisition Lifecycle Phase - Operations & Monitoring
Check runtime integrity assurance controls; Patch & Upgrade; Implement termination access controls; Check custom code extensions; Continuously monitor software/supplier; Manage security incidents.
Acquisition Lifecycle Phase - Retirement (Decommissioning / Disposal)
Decommission (delete) or replace software; Dispose of data to avoid the risk of data remanence.
The three goals of the software supply chain include:
Conformance, trustworthiness and authenticity.
Location agnostic protection means
The security of the software is not dependent on where (location) it is developed, but instead, it is dependent on the maturity of the software development practices.
Contract-based protection means that
Both parties engaged in the transaction mutually agree to abide by any terms of the agreement. Contracts are legally binding.