http://dx.doi.org/10.13089/JKIISC.2020.30.6.1189

Comparative Analysis on ICT Supply Chain Security Standards and Framework  

Min, Seong-hyun (Kangwon National University)
Son, Kyung-ho (Kangwon National University)
Abstract
Recently, ICT companies have increasingly stopped designing, developing, producing, operating, maintaining, and disposing of their products and services themselves; these activities are outsourced, and frequently subcontracted again by the outsourcing partner. Because it is difficult to manage the vulnerabilities of products and services across such chains of consignment and re-consignment, attacks that exploit this gap are also on the rise. To respond, standards and schemes for ICT supply chain security risk management are being established and operated overseas, and a variety of case studies are being carried out. Research is also under way on measures such as the Software Bill of Materials (SBOM) for addressing supply chain security problems, and international standardization bodies such as ISO have published standards and frameworks for ICT supply chain security. In this paper, we compare and analyze the ICT supply chain security standards and schemes developed as international standards and by major countries such as the United States and the EU, propose ICT supply chain security management items suited to the domestic (Korean) situation, and explain why a cybersecurity framework is needed to establish an ICT supply chain security system.
Keywords
Supply Chain Security; Supply Chain Attack; Supply Chain Risk Management;
Citations & Related Records
Times Cited by KSCI: 2
1 ISO/IEC, "Information technology - Security techniques - Information security for supplier relationships - Part 1: Overview and concepts", ISO/IEC 27036-1, Apr. 2014
2 ISO/IEC, "Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements", ISO/IEC 27036-2, Aug. 2014
3 ISO/IEC, "Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security", ISO/IEC 27036-3, Nov. 2013
4 ISO/IEC, "Information technology - Security techniques - Information security for supplier relationships - Part 4: Guidelines for security of cloud services", ISO/IEC 27036-4, Oct. 2016
5 ISO/IEC, "Information technology - Open Trusted Technology Provider Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products - Part 1: Requirements and recommendations", ISO/IEC 20243-1, Feb. 2018
6 ISO/IEC, "Information technology - Open Trusted Technology Provider Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products - Part 2: Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018", ISO/IEC 20243-2, Jan. 2018
7 Office of the Under Secretary of Defense for Acquisition & Sustainment, "DFARS 252.204-7012 Defense Industrial Base Compliance Information", Nov. 2011
8 European Cyber Security Organisation, "Overview of existing Cybersecurity standards and certification schemes v2", Dec. 2017
9 European Cyber Security Organisation, "European Cyber Security Certification A Meta-Scheme Approach v1.0", Dec. 2017
10 National Institute of Standards and Technology, "Workshop Brief on Cyber SCRM Standards Mapping"
11 National Institute of Standards and Technology, "Workshop Brief on Cyber SCRM Standards Mapping (Draft)", IR 8276, Feb. 2020
12 UK Cabinet Office, "Supplier Assurance Framework: Good Practice Guide", May 2018
13 UK National Cyber Security Centre, "Supply chain security: principles", https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security
14 MITRE, "Supply Chain Attack Framework and Attack Patterns", Dec. 2013
15 KISA, "Cyber Threat Trend Report", Jul. 2018
16 Hyo-hyeon Son, Kwang-jun Kim and Man-hee Lee, "US supply chain security management system analysis", Journal of the Korea Institute of Information Security & Cryptology, 29(5), pp. 1089-1097, Oct. 2019
17 Eung-kyu Lee and Jung-duk Kim, "A Case Study on ICT Supply Chain Attacks", The Journal of Information Technology and Architecture, 16(4), pp. 383-396, Dec. 2019
18 MITRE, "Supply Chain Attacks and Resiliency Mitigations", Oct. 2017
19 National Institute of Standards and Technology, "Framework for Improving Critical Infrastructure Cybersecurity, version 1.0", Feb. 2014
20 National Institute of Standards and Technology, "Framework for Improving Critical Infrastructure Cybersecurity, version 1.1", Apr. 2018
21 National Institute of Standards and Technology, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", Special Publication 800-171 revision 2, Feb. 2020
22 National Institute of Standards and Technology, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations", Special Publication 800-161, Apr. 2015
23 National Institute of Standards and Technology, "Notional Supply Chain Risk Management Practices for Federal Information Systems", IR 7622, Oct. 2012
24 National Institute of Standards and Technology, "Managing Information Security Risk: Organization, Mission, and Information System View", Special Publication 800-39, Mar. 2011
25 National Institute of Standards and Technology, "Minimum Security Requirements for Federal Information and Information Systems", Federal Information Processing Standards Publication 200, Mar. 2006
26 National Institute of Standards and Technology, "Security and Privacy Controls for Federal Information Systems and Organizations", Special Publication 800-53, Apr. 2013
27 Office of the Under Secretary of Defense for Acquisition & Sustainment, "Supply Chain Attack Pattern: Framework and Catalog", 2014
28 National Institute of Standards and Technology, "Assessing Security Requirements for Controlled Unclassified Information", Special Publication 800-171A, Jun. 2018