Tips for Getting Familiar with Your Security Products Provider
Asking these questions will help you vet your security products vendor.
3. Is there a protection profile (PP) for the product?
The manufacturer should freely provide information regarding the testing and formal validation processes (e.g., NIST, ISO and Common Criteria) that have been performed on the specific IT-connected components.
These protection profiles specifically define the essential functions and critical components inside the IT-connected components. They also cover use case scenarios and situations where acceptable risk levels are approved, or provide a plan of action to implement where countermeasures are required.
The formal validation processes provide system assurances only for the specific configuration and point in time at which the PP was delivered. It is important to verify that the PP is not outdated and that it applies to the specific systems being deployed. If the PP does not reflect the current components, it is important to know what changes have been made to the IT component system to bring it to its current cybersecurity standard.
4. Is the manufacturer's supply chain reliable and verifiable?
Can the manufacturer provide technical evidence that it has evaluated the risk of an adversary compromising the supply chain? This includes sabotage, malicious introduction of unwanted functions, or other acts that subvert the design integrity of the product.
Systems integrators should work with the manufacturer to determine the product's source of origin and confirm its legitimacy. Testing procedures should be in place for newly introduced information systems so that the initial system state can be verified against predefined checks.
The systems integrator should request and internally determine whether the manufacturer has implemented countermeasures against counterfeiting, infection of the supply chain and other threats.
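The initial-state verification described above, as an added Python example (not code from the original article): a manufacturer-supplied manifest of SHA-256 digests is compared against the files found on an as-received system, reporting matches, modified files, missing files and unexpected additions. The file paths and contents are hypothetical and constructed inline so the example runs offline.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Produce a path -> digest manifest for a known-good component image."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_baseline(manifest: Dict[str, str],
                    observed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare an as-received system against the predefined manifest.

    Returns four sorted lists: files that match, files whose contents differ,
    files the manifest expects but that are absent, and files present on the
    system that the manifest never listed (a possible unwanted addition).
    """
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected_digest in manifest.items():
        if path not in observed:
            result["missing"].append(path)
        elif sha256_hex(observed[path]) == expected_digest:
            result["ok"].append(path)
        else:
            result["modified"].append(path)
    result["unexpected"] = [p for p in observed if p not in manifest]
    return {k: sorted(v) for k, v in result.items()}


# Constructed golden image (hypothetical paths and contents).
GOLDEN = {
    "firmware/app.bin": b"\x7fELF-constructed-app-v1",
    "config/defaults.cfg": b"remote_debug=off\nupdate_url=https://vendor.example/upd\n",
    "lib/crypto.so": b"constructed-crypto-lib",
}
MANIFEST = build_manifest(GOLDEN)

# Constructed as-received image: one file altered, one missing, one added.
RECEIVED = {
    "firmware/app.bin": GOLDEN["firmware/app.bin"],
    "config/defaults.cfg": b"remote_debug=on\nupdate_url=https://vendor.example/upd\n",
    "tools/extra_binary": b"constructed-unlisted-binary",
}
REPORT = verify_baseline(MANIFEST, RECEIVED)

if __name__ == "__main__":
    for category, paths in REPORT.items():
        print(f"{category:10s} {paths}")
```

Any entry outside the "ok" list is a deviation from the predefined state and should be resolved with the manufacturer before the system is accepted.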
5. Has the manufacturer met industry standard conformance benchmarks?
Most manufacturers follow customary practices such as ISO 9001 quality management, Six Sigma or other standards related to fault management and quality control from a process perspective. These benchmarks build functionality, reliability, usability, efficiency, maintainability and portability into development models, and ensure that the necessary feedback loops are in place to establish accountability through business processes.
Manufacturers that have committed to and achieved these standards are generally regarded as having strong, valuable internal and organizational controls in place. Products sold into the market should reflect best practices consistent with the industry certifications held by the manufacturer.
6. Do the product components have a reference security architecture?
Most manufacturers that deploy logical information technology solutions create significant value for customers by providing what is known as a reference architecture. Reference architectures remove much of the guesswork about how a manufacturer's solution should be deployed.
For example, virtual machines and virtualized environments delivered with scripts allow for easy loading, configuration and data-driven forms that achieve the expected outcomes, while also drawing on proven templates and solutions for a particular application or environment.
These repeatable, proven patterns of deployment facilitate better risk management of the solution provided by the manufacturer.
Campuses should look for, and verify whether, reference security architecture documentation or other technical reference information exists.