《ISO IEC 27036-3-2023.docx》由会员分享,可在线阅读,更多相关《ISO IEC 27036-3-2023.docx(19页珍藏版)》请在第壹文秘上搜索。
1、ISO/IECINTERNATIONA1.27036-3STANDARDeditionSecond2023-06CybersecuritySupp1.ierre1.ationships一i1.inesforhardware,software,andservicessupp1.ychainsecurityCybersecuriteRe1.ationsavecIefournisseurPartie3:1.ignesdirectricespourIas6cuht6de1.acha1.nedefournitreenmaterie1.,Iogicie1.setserxficesReferencenumb
2、erISO/IEC27036-3:2023(E)ISO/IEC2023COPYRIGHTPROTECTEDDOCUMENTIS0/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.or啪UIBndttaeDmkfifiU81.andonnet8CH-1214Vernier,GenevaPhone:M1.22749O1.11觥ftte:丽丽BQrgPub1.ishedinSwitzer1.andISO/IEC2023-A1.1.rightsreservedb) deve1.opprocessesIOSoftWareappropriate,practicesnon-
3、invasiveorigina1.equipmentmanufacturerc) AttemptIestsdetectCounterfeitandproductintrusionsinc1.uding:deve1.opmentandoperationsphases.providedbythesupp1.ier,thirdparties,ortheacquirer(e.g.manua1.codeinspections).3)conductvu1.nerabi1.ityscans;e)ana1.ysis,dynamicassessmentana1.ysis,verificationusingana
4、1.ysis,codecoveragetechniquessuchasstaticCOdeg)executetoo1.stogatherevidenceofchangesresu1.tingfromremotemaintenanceactivities.1.4.12 OperationprocessISO/IEC/IEEE15288).a)indudemaintenanceSysteminintegrationoperationa1.requirements;activitiesaspartoftheupgradesecurityrequirementsinoperations.C)shipe
5、1.ements*,securedbydefau1.tata1.eve1.appropriatetoacquirersrequirements.1.4.13 Maintenanceprocessprovidetoproductthecapabi1.ityOfappropriate1.yandnianaginghardware,hardware.SoftWare,componentstorisksinhardware,software,andservicessupp1.ychain:c) UorKfidbh:石dvancePUriHuIhZsH1.显地tttaxeddktu1.sfnigq2d1
6、itsauhitote1.accudd由auaiaHcandd) considertherisksthattrainedandknow1.edgeab1.eauthorizedservicepersonne1.arenotavai1.ab1.e,especia1.1.y1.ateinthee1.ements1.ife;e) considerhardware,software,andservicessupp1.ychainriskswhenacquiringrep1.acementcomponentsorfie1.dadditions/mOdificatiOnS/upgrades,particu
7、1.ar1.yiftheydonotgothroughtraditiona1.acquisitionprocessesthatexaminesupp1.ychainrisks;f) preferforma1.izedSerViCe/maintenanceagreements)wherepossib1.ee.g.usespecifiedorqua1.ifiedsparepartssupp1.iers,provideacomp1.eterecordofchangesperformedduringmaintenance(e.g.audittrai1.orchange1.og),reviewchang
8、esmadeduringmaintenance;g) estab1.ishandimp1.ementagreementsforcompetentandsuitab1.esupportinc1.udingrefurbishedand/orsa1.vagede1.ements;considerrequiringtheorigina1.manufacturertocertifytheequipmentassuitab1.e;h) identifymethodsofverifyingthatservicepersonne1.areauthenticatedandauthorizedtoperformt
9、heserviceworkneededatthetime,aswe1.1.asvisitormanagementprotoco1.sforandmonitoringofservicepersonne1.whenundertakingmaintenanceon-site(e.g.visitorescorts);i) deve1.opandimp1.ementanapproachforhand1.ingandprocessingreportedhardware,software,andservicessupp1.ychainanoma1.ieswhi1.einoperation;estab1.is
10、hamethodforsubmittingaservicerequestandsecure1.ysharing1.oganderrorinformationwithsupp1.iers;j) monitorthesupp1.iersbusinesshea1.th,inc1.udingwhethertheyareacandidateformergerandacquisitionorinfinancia1.difficu1.ties;k) imp1.ementandenforcepo1.iciesonsoftwareupdatesandpatchmanagement;l) estab1.ishan
11、adequatesupp1.yoftnstedspareandmaintenancepartsforwe1.1.beyondthe1.ifespanofthee1.ement;m) preservedocumentationforanyin-ser,icee1.ementthatisno1.ongersupportedbythesupp1.ier;n)estab1.ishprocessesforpurchasingoffau1.tye1.ementsthatcannotbesecure1.yerasedthatwou1.dctherwisegobacktothesupp1.ier(e.g.af
12、au1.tyharddrive)tosecure1.yphysica1.1.ydestroy.KKi做WPrOC晔VideSadditiona1.specificguidanceregardingsettingexpectationsduringthe6.4.14Disposa1.processThepurposeofthedisposa1.processinthehardware,software,andservicessupp1.ychainistoend帆BiDtiaIefyOfh出由UwaNaCeaVVarethnIdHem*cs.aa必(nier1.ytttemiMKfepidati
13、Cidindtica1.ntendUddiSPnSa1.needs(egperanagreement,organizationa1.po1.icy,orenvironmenta1.,1.ega1.,safety,securityaspects).SeeISO/IEC/IEEE15288forfurtherinformation.丽Pg限网ich磴圈gJ轴咕M丽别豳IMrShOU1.d呢岫MIMee网曲O1.IOwft谕电成延场he1.ecti啕icdisposa1.processtoaddressinformationsecurityrisksinhardware,software,andse
14、rvicessupp1.ychain,specifica1.1.ytheriskofcounterfeitproductscontaminatingthesupp1.ychain:a)OfP快幽阴雨的瓯W三由因re1.qM弹豳胧阁toreducerisksofcompromise,forexamp1.e,b)encouragethese1.ectionofe1.ementsthatcanbedisposedofinawaythatdoesnotexposeprotectedore1.ementsthatMfi)FR版用电晒热ents触Obsa1.permitoff1.oadingofdatap
15、riortodisposa1.24ISO/IEC2023-A)rightsreservedC)PnQhfiIibriZedtnmS【mas网1.iftuii例rfcutiondUrEgdisjttdaiHv3cdataorsensitivee1.ementstod) whenrequiredforforensicinvestigationorfor1.atercomparisonfordetectionofcounterfeits,storee1.ementsfordisposa1.toadedicatedrepositoryandmaintainthechainofcustody;e) imp1.ementproceduresforthesecureandpermanentdestructionofe1.ements,suchasusingcertifieddestructionprovid
