ISO IEC 2703632023.docx (resource ID 521579, 47.60 KB, 19 pages, DOCX)
ISO/IEC 27036-3
INTERNATIONAL STANDARD
Second edition, 2023-06

Cybersecurity. Supplier relationships. Part 3: Guidelines for hardware, software, and services supply chain security
(French title, translated: Cybersecurity. Supplier relationships. Part 3: Guidelines for the security of the hardware, software and services supply chain)

Reference number ISO/IEC 27036-3:2023(E)
© ISO/IEC 2023

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
[illegible copyright notice] CH-1214 Vernier, Geneva. Phone: +41 22 749 01 11 [illegible]
Published in Switzerland
© ISO/IEC 2023 - All rights reserved

b) develop processes to software appropriate, practices non-invasive original equipment manufacturer;
c) attempt tests detect counterfeit and product intrusions including: development and operations phases. provided by the supplier, third parties, or the acquirer (e.g. manual code inspections);
d) conduct vulnerability scans;
e) analysis, dynamic assessment analysis, verification using analysis, code coverage techniques such as static code;
g) execute tools to gather evidence of changes resulting from remote maintenance activities.

6.4.12 Operation process
[illegible] ISO/IEC/IEEE 15288).
a) include maintenance system in integration operational requirements; activities as part of the upgrade security requirements in operations.
c) ship elements, secured by default at a level appropriate to acquirer's requirements.

6.4.13 Maintenance process
provide to product the capability of appropriately and managing hardware, hardware. software, components to risks in hardware, software, and services supply chain:
c) [illegible]
d) consider the risks that trained and knowledgeable authorized service personnel are not available, especially late in the element's life;
e) consider hardware, software, and services supply chain risks when acquiring replacement components or field additions/modifications/upgrades, particularly if they do not go through traditional acquisition processes that examine supply chain risks;
f) prefer formalized service/maintenance agreements where possible, e.g. use specified or qualified spare parts suppliers, provide a complete record of changes performed during maintenance (e.g. audit trail or change log), review changes made during maintenance;
g) establish and implement agreements for competent and suitable support including refurbished and/or salvaged elements; consider requiring the original manufacturer to certify the equipment as suitable;
h) identify methods of verifying that service personnel are authenticated and authorized to perform the service work needed at the time, as well as visitor management protocols for and monitoring of service personnel when undertaking maintenance on-site (e.g. visitor escorts);
i) develop and implement an approach for handling and processing reported hardware, software, and services supply chain anomalies while in operation; establish a method for submitting a service request and securely sharing log and error information with suppliers;
j) monitor the supplier's business health, including whether they are a candidate for merger and acquisition or in financial difficulties;
k) implement and enforce policies on software updates and patch management;
l) establish an adequate supply of trusted spare and maintenance parts for well beyond the lifespan of the element;
m) preserve documentation for any in-service element that is no longer supported by the supplier;
n) establish processes for purchasing of faulty elements that cannot be securely erased that would otherwise go back to the supplier (e.g. a faulty hard drive) to securely physically destroy.
[illegible] provides additional specific guidance regarding setting expectations during the [illegible].

6.4.14 Disposal process
The purpose of the disposal process in the hardware, software, and services supply chain is to end [illegible] intended disposal needs (e.g. per an agreement, organizational policy, or environmental, legal, safety, security aspects). See ISO/IEC/IEEE 15288 for further information.
[illegible] should [illegible] the disposal process to address information security risks in hardware, software, and services supply chain, specifically the risk of counterfeit products contaminating the supply chain:
a) [illegible] to reduce risks of compromise, for example,
b) encourage the selection of elements that can be disposed of in a way that does not expose protected [illegible] or elements that [illegible] permit offloading of data prior to disposal;
c) [illegible] data or sensitive elements to [illegible];
d) when required for forensic investigation or for later comparison for detection of counterfeits, store elements for disposal to a dedicated repository and maintain the chain of custody;
e) implement procedures for the secure and permanent destruction of elements, such as using certified destruction providers and receiving a certificate of destruction after the acquirer's information has been securely disposed;
f) engage trustworthy, trained disposal service personnel and set expectations for the procedures that conform to the disposal policy; verify through assessments that the procedures are being followed.
ISO/IEC 27002 provides additional specific guidance regarding setting expectations during the disposal process.

Annex A (informative)
Correspondence between the controls in ISO/IEC 27002 and this document
Table A.1 shows the correspondence between the controls contained in ISO/IEC 27002 and this document.

Table A.1 Correspondence between controls in ISO/IEC 27002 and this document
ISO/IEC 27002:2022 subclause number | ISO/IEC 27002:2022 controls | Subclause number from this document | ISO/IEC 27036-2 subclause heading
[illegible] | Secure system architecture and engineering principles | 6.2.5 | Quality management process
[illegible] | Separation of development, test and production environments | 6.4.7 | Implementation process
7.13 | Equipment maintenance | 6.4.13 | Maintenance process
7.14 | Secure disposal or re-use of equipment | 6.4.14 | Disposal process

to an entity that creates, wholly or in part, modifies, or distributes software for the purpose of its intent suppliers. Many software suppliers are users or consumers of upstream software components.

Annex B (informative)
5.8 recommends and enumerates activities that ensure an up-to-date inventory of assets used within of supply the product service. This level of be further detail to help parts manage risk and compliance requirements in areas such as intellectual property and licence management (ISO/IEC 27002:2022, 5.32) and technical vulnerabilities (ISO/IEC 27002:2022, 8.8) among others. This annex describes elements that are the creation, referred to as and bill software (SBoM) or software component inventory (SCI). Throughout this annex, these concepts are referred to as SBoM. An organization producing or requesting SBoM should consult this annex to help determine the quality.
The SBoM concept was developed to provide consumers with information on specific software components in their products to enable consumers' ability to identify and manage vulnerabilities. This concept and its for download SBoM products, not managed services. An consistent component relationships over time. Such SBoMs do not fit the model of managed services involving multiple servers managed by multiple suppliers with software that is frequently updated. This is as a of of the fact that on possibly different servers, whose minute can be be processed by two of each other in time. Given that, the managed services analogue of the on-premise SBoM should accommodate a continuously evolving component list associated with each supported transaction. Thus, for managed
The SBoM is not itself a risk management tool or activity. The SBoM is intended to be a highly scalable mechanism to produce and maintain accurate software component inventories. These inventories then
In order to scale, SBoM data and processes should be machine readable and processable. Several well-defined and established SBoM document and data formats exist. SBoM and software and different types are in active use, however this use varies SBoM is under active development and this annex is intended to provide basic and introductory information about SBoM to suppliers and SBoM consumers.
This annex is primarily intended for use by software suppliers and SBoM authors. A software supplier is be used by other parties. Consumers of SBoM information include end users, customers, auditors, regulators, policy makers, and
There are differences between on-premises, product-oriented software components and cloud services. The accurate inventory and supply chain knowledge are important to both models, but the rapid [illegible] solutions can necessitate variances in the information and processes required for

B.2 Essential SBoM elements
B.2.1 Overview
The following elements are necessary to convey SBoM information. SBoM elements are broken into three core areas: metadata, identifiers, and association. Metadata elements provide information about the SBoM itself and should not be used as identifiers of the SBoM subject or components. Minimum metadata elements include Author, Timestamp, and Lifecycle. Identifier elements provide information concerning the SBoM subject and its components. It is possible that singular identifying elements are not sufficient to uniquely identify a given component [illegible] and vulnerability discovery, however this is out of the scope of this annex. Identifier elements include Supplier, Component, Version, Hash, and UID. [illegible] given software subject and are discouraged from use as a means of reverse engineering as this can [illegible]. Association elements include Relationship and Source.
The author is the entity who creates the SBoM. The author is often, but not necessarily, the supplier of [illegible] software supplier of the analysed component.

B.2.3 Timestamp
The timestamp is the date and time the SBoM was last modified. Timestamps should be represented [illegible] 8601 series.
[illegible] build: [illegible] testing, packaging compiled files into compressed formats, and making components available to users. The lifecycle phases are: pre-build: the SBoM was produced prior to the build of the software; build: the SBoM is a byproduct and artefact of the build or continuous integration (CI) process; post-build: the SBoM was produced after the software was built, possibly through reverse engineering or black-box analysis.

B.2.5 Supplier name
The supplier is the entity who provides (e.g. owns, produces, or maintains) the primary component or [illegible].
[illegible] components retrieved from the package manager specification) distribution the component name can be
EXAMPLE 1 pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
EXAMPLE 2 pkg:docker/cassandra@sha256:244fd47e07d1004f0aed9c
EXAMPLE 3 pkg:gem/jruby-launcher@1.1.2?platform=java
EXAMPLE 4 pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?packaging=sources
EXAMPLE 5 pkg:npm/%40angular/animation@12.3.1
EXAMPLE 6 pkg:nuget/EnterpriseLibrary.Common@6.0.1304
EXAMPLE 7 pkg:pypi/django@1.11.1
EXAMPLE 8 pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25

B.2.7 Version
The version of a component should be expressed as semantic versioning when available.

B.2.8 Cryptographic hash
A cryptographic hash of a component (as defined by the SBoM author or supplier) is an intrinsic [illegible] hashes, at the increased costs associated with identity and key management. If a component has been modified from its original source, authors should include both the hash of the source component and the modified component.

B.2.9 Unique identifier
[illegible] unique identifiers.

B.2.10 Relationship
Relationships between components are necessary to determine path traversal, complexity in [illegible] of compiling and building software changes the software but still maintains heritage. An example of this type of relationship can be: component B (binary) was generated from component A (source).
1) https://github.com/package-url

B.2.11 Source
regarding When Timestamps should retrieval represented according to depending series. manner in which it EXAMPLE 1 EXAMPLE 2 defined components provided relationship second-party or contracted for development protected party accordance EXAMPLE 3 Wholly components themselves are not supplier themselves as internal, non-public components and 2nd created EXAMPLE 4

B.3 Essential SBoM processes
B.3.1 Overview
a) suppliers defining their components and documenting direct upstream dependencies; Non-Supplier authoritative information define about components components, products, systems, preferred that suppliers Suppliers published or distributed privately. potential suggested Customers organizations, of procurement. SBoMs retrieve the corresponding key.
Source is the location that the component was retrieved from. It can also relay additional details was retrieved, and where the be from source occurred the ISO 8601 on the For components retrieved through git or a browser the branch (if applicable) and URL should be listed. The examples follow SPDX format.
Source info: uses glibc-2.11-branch from git://sourceware.org/git/glibc.git at 2021-08-03T17:43:41+00:00
components retrieved through be package manager or package distribution, the package manager or
Source info: cassandra@sha256:244fd47e07d1004f0aed9c from docker 20.10.7 at 2021-08-03T17:43:41+00:00
For a [illegible] source if the through is deemed sensitive, be cited as the in should be with Clause 5.8 m) of ISO/IEC 27036-3 regarding anonymous acquisition.
Source info: jruby-launcher from protected at 2021-08-03