
E-book: Supply Chain Risk Management: Applying Secure Acquisition Principles to Ensure a Trusted Technology Product

(Univ. of Detroit Mercy, USA), (Lawrence Technological University, USA), (Oakland Community College, USA)
  • Format: EPUB+DRM
  • Price: 81,89 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste): not allowed

  • Printing: not allowed

  • Use:

    Digital rights management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You must also create an Adobe ID. More information here. The e-book can be read by 1 user and downloaded to up to 6 devices (all authorized with the same Adobe ID).

    Required software
    To read on mobile devices (phone or tablet), you must install this free app: PocketBook Reader (iOS / Android)

    To read on a PC or Mac, you must install Adobe Digital Editions (this is a free application specifically for reading e-books; it should not be confused with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

The book presents the concepts of ICT supply chain risk management from the perspective of NIST IR 800-161. It covers how to create a verifiable audit-based control structure to ensure comprehensive security for acquired products. It explains how to establish systematic control over the supply chain and how to build auditable trust into the products and services acquired by the organization. It details a capability maturity development process that will install an increasingly competent process and an attendant set of activities and tasks within the technology acquisition process. It defines a complete and correct set of processes, activities, tasks and monitoring and reporting systems.

Table of contents

Foreword xi
Preface xiii
Authors xvii
Contributions xix
Chapter Structure and Summary xxi
1 Why Secure Information and Communication Technology Product Acquisition Matters 1(40)
  Introduction to the Book 1(1)
  Underwriting Trust and Competence 2(1)
  Justification and Objectives of the Book 3(1)
  The Five-Part Problem 4(3)
  Putting Product Assurance into Practice 7(1)
  The Supply Chain and the Weakest Link 8(1)
  Visibility and Control 9(2)
  Building Visibility into the Acquisition Process 11(2)
  The Seven Phases of ICT Acquisition Practice 13(10)
  Practice Area One: Procurement Program Initiation and Planning 14(2)
  Practice Area Two: Product Requirements Communication and Bidding 16(1)
  Practice Area Three: Source Selection and Contracting 16(4)
  Practice Area Four: Supplier Considerations 20(1)
  Practice Area Five: Customer Agreement Monitoring 21(1)
  Practice Area Six: Product Acceptance 22(1)
  Practice Area Seven: Project Closure 23(1)
  Building the Foundation: The Role of Governance in Securing the ICT Supply Chain 23(9)
  The Use of Standard Models of Best Practice 32(1)
  Chapter Summary 33(5)
  Key Concepts 38(1)
  Key Terms 39(1)
  References 40(1)
2 Building a Standard Acquisition Infrastructure 41(38)
  ISO/IEC 12207 42(3)
  Agreement Processes: Overview 45(2)
  Acquisition Process 47(3)
  Acquisition Activity: Acquisition Preparation 50(1)
  Concept of Need 51(1)
  Define, Analyze, and Document System Requirements 52(1)
  Consideration for Acquiring System Requirements 53(1)
  Preparation and Execution of the Acquisition Plan 54(1)
  Acceptance Strategy Definition and Documentation 55(1)
  Prepare Acquisition Requirements 56(5)
  Acquisition Activity: Acquisition Advertisement 57(1)
  Acquisition Activity: Supplier Selection 58(1)
  Acquisition Activity: Contract Agreement 59(1)
  Acquisition Activity: Agreement Monitoring 60(1)
  Acquisition Activity: Closure 61(1)
  Supply Process 61(14)
  Supply Activity: Opportunity Identification 63(1)
  Supply Activity: Supplier Tendering 63(2)
  Supply Activity: Contract Agreement 65(2)
  Supply Activity: Contract Execution 67(7)
  Supply Activity: Product/Service Delivery and Support 74(1)
  Supply Activity: Closure 75(1)
  Chapter Summary 75(1)
  Key Terms 76(1)
  References 77(2)
3 The Three Building Blocks for Creating Communities of Trust 79(38)
  Introduction to Product Trust 79(2)
  Building a Basis for Trust 81(1)
  The Hierarchy of Sourced Products 82(6)
  The Problem with Sourced Products 88(4)
  Promoting Trust through Best Practice 92(1)
  Moving the Product up the Supply Chain 93(2)
  The Standard Approach to Identifying and Controlling Risk 95(1)
  The Three Standard Supply Chain Roles 96(9)
  The Acquirer Role 97(4)
  The Supplier Role 101(3)
  The Integrator Role 104(1)
  Information and Communication Technology Product Assurance 105(2)
  Adopting a Proactive Approach to Risk 107(1)
  People, the Weakest Link 108(2)
  Chapter Summary 110(4)
  Key Concepts 114(1)
  Key Terms 115(1)
  References 115(2)
4 Risk Management in the Information and Communication Technology (ICT) Product Chain 117(50)
  Introduction 117(2)
  Supply Chain Security Control Categorization 119(4)
  Categorization Success through Collaboration 123(1)
  Supply Chain Security Control Selection 124(4)
  The Eight Tasks of Control Selection 128(9)
  Documentation Prior to Selection 128(1)
  Select Initial Security Control Baselines and Minimum Assurance Requirements 128(3)
  Determine Need for Compensating Controls 131(1)
  Determine Organizational Parameters 132(1)
  Supplement Security Controls 132(2)
  Determine Assurance Measures for Minimum Assurance Requirements 134(1)
  Complete Security Plan 135(1)
  Develop a Continuous Monitoring Strategy 136(1)
  Supply Chain Security Control Implementation 137(4)
  Implement the Security Controls Specified in the Security Plan 138(3)
  Security Control Documentation 141(1)
  Supply Chain Security Control Assessment 142(2)
  The Four Tasks of Security Control Assessment 144(5)
  Implications of Security Control Authorization to the Supply Chain 149(2)
  The Four Tasks of Security Control Authorization 151(4)
  Supply Chain Risk Continuous Monitoring 155(2)
  The Seven Tasks of Security Continuous Monitoring 157(5)
  Determine the Security Impact of Changes 158(1)
  Assess Selected Security Controls 159(1)
  Conduct Remediation Actions 159(1)
  Update the Security Plan, Security Assessment Report, and POA&M 160(1)
  Report the Security Status 160(1)
  Review the Reported Security Status on an Ongoing Basis 161(1)
  Implement an ICT System Decommissioning Strategy 162(1)
  Chapter Summary 162(2)
  Key Terms 164(1)
  References 165(2)
5 Establishing a Substantive Control Process 167(36)
  Introduction: Using Formal Models to Build Practical Processes 167(2)
  Why Formal Models Are Useful 169(1)
  NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems 170(2)
  The 21 Principles for SCRM 172(10)
  Principle 1: Maximize Acquirer's Visibility into the Actions of Integrators and Suppliers in the Process 173(1)
  Principle 2: Ensure That the Uses of Individual Supply Chain Components Are Kept Confidential 174(1)
  Principle 3: Incorporate Conditions for Supply Chain Assurance in Specifications of Requirements 175(1)
  Principle 4: Select Trustworthy Elements and Components 176(1)
  Principle 5: Enable a Diverse Supply Chain-Do Not Sole Source 176(1)
  Principle 6: Identify and Protect Critical Processes and Elements 176(1)
  Principle 7: Use Defensive Design in Component Development 176(1)
  Principle 8: Protect the Contextual Supply Chain Environment 177(1)
  Principle 9: Configure Supply Chain Elements to Limit Access and Exposure 177(1)
  Principle 10: Formalize Service/Maintenance Agreements 177(1)
  Principle 11: Test throughout the SDCL 178(1)
  Principle 12: Manage All Pertinent Versions of the Configuration 178(1)
  Principle 13: Factor Personnel Considerations into Supply Chain Management 179(1)
  Principle 14: Promote Awareness, Educate, and Train Personnel on Supply Chain Risk 179(1)
  Principle 15: Harden Supply Chain Delivery Mechanisms 179(1)
  Principle 16: Protect/Monitor/Audit the Operational Supply Chain System 180(1)
  Principle 17: Negotiate and Manage Requirements Changes 180(1)
  Principle 18: Manage Identified Supply Chain Vulnerabilities 181(1)
  Principle 19: Reduce Supply Chain Risks during Software Updates and Patches 181(1)
  Principle 20: Respond to Supply Chain Incidents 181(1)
  Principle 21: Reduce Supply Chain Risks during Disposal 182(1)
  Making Control Structures Concrete: FIPS 200 and NIST 800-53(Rev 4) 182(1)
  Application of FIPS 200 and NIST 800-53(Rev 4) to Control Formulation 183(3)
  The Generic Security Control Set 186(1)
  NIST 800-53 Control Baselines 186(1)
  Detail of Controls 187(1)
  Six Feasibility Considerations for NIST 800-53 188(2)
  NIST 800-53 Catalog of Baseline Controls 190(1)
  Implementing Management Control Using the Standard NIST SP 800-53 Rev. 4 Control Set 191(1)
  Practical Security Control Architectures 192(1)
  Control Statements 192(1)
  Supplemental Guidance 193(1)
  Control Enhancements 193(1)
  Real-World Control Formulation and Implementation 193(1)
  Limitations of the 800-53 Approach in SCRM 194(2)
  Chapter Summary 196(3)
  Key Concepts 199(1)
  Key Terms 200(1)
  References 201(2)
6 Control Sustainment and Operational Assurance 203(36)
  Sustaining Long-Term Product Trust 203(2)
  Step 1: Establish and Maintain Situational Awareness 205(4)
  Step 2: Analyze Reported Vulnerability and Understand Operational Impacts 209(3)
  Environmental Monitoring 210(1)
  Vulnerability Reporting 210(1)
  Vulnerability Response Management 211(1)
  Step 3: Obtain Management Authorization to Remediate 212(4)
  Understand Impacts 213(2)
  Communicating with Authorization Decision-Makers 215(1)
  Step 4: Manage and Oversee the Authorized Response 216(3)
  Responding to Known Vulnerabilities with Fixes 217(1)
  Responding to Known Vulnerabilities without Fixes 217(1)
  Fixing an Identified ICT Supply Chain Vulnerability 218(1)
  Step 5: Evaluate the Correctness and Effectiveness of the Implemented Response 219(4)
  Step 6: Assure the Integration of the Response into the Larger Supply Chain Process 223(2)
  Establishing a Supply Chain Assurance Infrastructure 225(3)
  Policies for Operational Assurance: Method, Measurement, and Metrics 226(2)
  Building a Practical Supply Chain Sustainment Function 228(2)
  Generic Management Roles 230(1)
  Conducting the Day-to-Day Operational Response Process 230(1)
  Response Management Process Planning 231(1)
  Deciding What to Secure 232(1)
  Enforcing Management Control 232(1)
  Status Assessment 233(1)
  Maintaining Documentation Integrity 234(1)
  Chapter Summary 234(3)
  Key Concepts 237(1)
  Key Terms 237(1)
  References 238(1)
7 Building a Capable Supply Chain Operation 239(34)
  Introduction 239(2)
  Why a Capability Maturity Model? 241(1)
  A Staged Model for Increasing Capability in Supply Chain Management 242(2)
  Level One: The Initial Level 244(1)
  Level Two: The Repeatable Level 244(9)
  Level Two: Acquisition Planning 246(1)
  Level Two: Solicitation 247(1)
  Level Two: Requirements Development and Management 248(1)
  Level Two: Project Management 249(1)
  Level Two: Contract Tracking and Oversight 250(1)
  Level Two: Evaluation 251(1)
  Level Two: Transition to Support 251(2)
  Level Three: The Defined Level 253(7)
  Level Three: Process Definition and Maintenance 254(2)
  Level Three: User Requirements 256(1)
  Level Three: Project Performance Management 257(1)
  Level Three: Contract Performance Management 257(1)
  Level Three: Acquisition Risk Management 258(1)
  Level Three: Training Program Management 259(1)
  Level Four: The Quantitative Level 260(2)
  Level Four: Quantitative Process Management 260(1)
  Level Four: Quantitative Acquisition Management 261(1)
  Level Five: The Optimizing Level 262(2)
  Level Five: Continuous Process Improvement 262(1)
  Level Five: Acquisition Innovation Management 263(1)
  Practical Evaluation of Supply Chain Process Maturity 264(2)
  Maturity Rating Schemes 266(1)
  Chapter Summary 267(5)
  Key Terms 272(1)
  References 272(1)
Index 273

About the authors
Dan Shoemaker, PhD, is principal investigator and senior research scientist at the University of Detroit Mercy's Center for Cyber Security and Intelligence Studies. Dan has served 30 years as a professor at UDM, with 25 of those years as department chair. He served as a co-chair for both the Workforce Training and Education and the Software and Supply Chain Assurance Initiatives for the Department of Homeland Security, and was a subject matter expert for the NICE Workforce Framework 2.0. Dan has coauthored six books in the field of cybersecurity and has authored over one hundred journal publications. Dan earned his PhD from the University of Michigan.

Ken Sigler is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. His primary research is in the areas of software management, software assurance, and cloud computing. He developed the college's CIS program option entitled "Information Technologies for Homeland Security." Until 2007, Ken served as the liaison for the college to the International Cybersecurity Education Coalition (ICSEC), of which he is one of three founding members. Ken is a member of IEEE, the Distributed Management Task Force (DMTF), and the Association for Information Systems (AIS).

Anne Kohnke, PhD, is an assistant professor of IT at Lawrence Technological University and teaches courses in both the information technology and organization development/change management disciplines at the bachelor through doctorate levels. Anne started as an adjunct professor in 2002 and joined the faculty full-time in 2011. Her research focus is in the areas of cybersecurity, risk management, and IT governance. Anne started her IT career in the mid-1980s on a help desk, and over the years developed technical proficiency as a database administrator, network administrator, systems analyst, and technical project manager. After a decade, Anne was promoted to management and worked as an IT Director, Vice President of IT and Chief Information Security Officer (CISO). Anne earned her PhD from Benedictine University.