Software Supply Chain Security: Securing the End-To-End Supply Chain for Software, Firmware, and Hardware by Cassie Crossley


Author: Cassie Crossley [Crossley, Cassie]
Language: eng
Format: epub
Tags: Business & Economics, Logistics & Supply Chain, Computers, Computer Science, Security, Network Security, Distributed Systems, General, Programming, Software Development & Engineering, Quality Assurance & Testing, Internet, Web Programming, Web Services & APIs
ISBN: 9781098133702
Google: P3sH0AEACAAJ
Amazon: 1098133706
Publisher: O'Reilly Media
Published: 2024-03-11T22:00:00+00:00


Intellectual Property and Data Controls 02–03

Control IPD-02: Maintain an ethics policy that references the data classification policy and the compliance responsibility for employees and contractors. Monitor for compliance with the policies and, when applicable, nondisclosure agreements.

Control IPD-03: Educate all employees and contractors about intellectual property and data loss risks with training on data classifications, ethics, and compliance.

Technology

In addition to risk from people within the organization, IP and data loss can result from insecure or misconfigured technologies. Many of these technology risks have already been noted in Chapter 3, which describes developer tools and other technology controls meant to reduce the security risk.

All technologies in your organization are at risk if malicious actors take possession of business or development systems that contain restricted and confidential information. Even the business enterprise applications, such as the supply chain data within the enterprise resource planning (ERP) systems, present risks specifically to software and products. For example, the enterprise applications may contain supplier assessment results such as risks, deficiencies, and action plans. If a malicious actor gains access to the risk assessments performed on suppliers, they could use that information to locate the less secure suppliers and infiltrate one, thereby jeopardizing the software supply chain.

Although preventing attacks should be the primary focus of any effort to stop data loss, you should also implement detective controls such as monitoring and logging to find irregularities, suspicious behavior, and malicious actors. This includes any systems holding restricted or confidential information, such as email platforms and collaboration tools (e.g., Slack, Microsoft Teams) that your organization uses as part of the software and product lifecycle. The following sections contain some additional examples of technology risks that frequently lead to IP and data loss.
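The detective control described above, applied to the ERP scenario from the previous paragraph, as an added example that is not from the book: a small Python script that reads audit log lines for access to supplier-assessment records and flags three irregularities (access by a user not entitled to restricted data, access outside business hours, and a burst of exports by one user in a day). The log format, field names, the authorized-user set, the business-hours window and the export threshold are all assumptions constructed for this example; a real deployment would pull entitlements from the identity system and the log from the ERP's audit trail.

```python
"""Detective control over constructed ERP audit log lines.

Added example, not from the book. Flags suspicious access to restricted
supplier-assessment records. Log format, field names and thresholds are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (assumed format:
# "<ISO timestamp> <user> <action> <record type> <classification>").
# Not captured from any real system.
SAMPLE_LOG = """\
2024-03-12T09:15:02Z alice view supplier_assessment restricted
2024-03-12T09:16:40Z alice view supplier_assessment restricted
2024-03-12T10:02:11Z bob view purchase_order internal
2024-03-12T23:41:05Z carol export supplier_assessment restricted
2024-03-12T23:42:17Z carol export supplier_assessment restricted
2024-03-12T23:43:30Z carol export supplier_assessment restricted
2024-03-12T23:44:52Z carol export supplier_assessment restricted
2024-03-13T08:05:00Z dave view supplier_assessment restricted
"""

# Assumed entitlements: users allowed to read restricted supplier-risk data.
AUTHORIZED_FOR_RESTRICTED = {"alice", "carol"}
# Assumed business-hours window, 07:00 to 19:59 UTC.
BUSINESS_HOURS = range(7, 20)
# Assumed threshold: this many exports by one user in one day is a burst.
EXPORT_THRESHOLD = 3


def parse_log(text):
    """Parse the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, classification = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "record": record,
            "classification": classification,
        })
    return events


def detect(events):
    """Return (finding_kind, user, when) tuples for restricted-data events.

    Off-hours access is reported once per user per day so that a single
    late session does not flood the alert queue; a bulk-export finding is
    raised the moment a user's daily export count reaches the threshold.
    """
    findings = []
    exports_per_day = defaultdict(int)
    off_hours_seen = set()
    for e in events:
        if e["classification"] != "restricted":
            continue  # only restricted records are in scope here
        day = str(e["ts"].date())
        if e["user"] not in AUTHORIZED_FOR_RESTRICTED:
            findings.append(("unauthorized_access", e["user"], e["ts"].isoformat()))
        if e["ts"].hour not in BUSINESS_HOURS and (e["user"], day) not in off_hours_seen:
            off_hours_seen.add((e["user"], day))
            findings.append(("off_hours_access", e["user"], day))
        if e["action"] == "export":
            exports_per_day[(e["user"], day)] += 1
            if exports_per_day[(e["user"], day)] == EXPORT_THRESHOLD:
                findings.append(("bulk_export", e["user"], day))
    return findings


if __name__ == "__main__":
    for kind, user, when in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:20s} user={user:8s} at={when}")
```

Running the script on the constructed log reports one off-hours finding and one bulk-export finding for carol (an entitled user whose behaviour is nonetheless unusual) and one unauthorized-access finding for dave; alice's daytime views produce nothing, which is the point of pairing entitlement checks with behavioural ones rather than relying on either alone.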
