-
-
-
-
-- The SRP must strictly adhere to responsible disclosure standards when disclosing vulnerabilities.
-
-
- |
-
-
-
-
-
-- The SRP must not sell details of vulnerabilities or exploits to entities other than the organization responsible for securing the product.
-
-
- |
-
-
-
-
-
-- SRP executives and board members must proactively disclose affiliations that may cause an appearance of conflict of interest. For example, any affiliations with organizations that sell exploits, law enforcement, military, or intelligence organizations must be disclosed.
-
-
- |
-
-
-
-
-
-- If the SRP is trying to conduct a self-audit or vouch for works created by the SRP or an affiliated company, OCP-SAFE does not recognize this.
-
-
- |
-
-
-
-
-
-- If the SRP has any affiliations with manufacturers or companies that are applying for an OCP SAFE Audit through the same SRP, this affiliation must be disclosed.
-
-
- |
-
-
-
-
-
-- If the SRP forms affiliations with manufacturers or companies that intend to undergo an OCP SAFE Audit, this affiliation must be declared at the time it is established.
-
-
- |
-
-
-
-
-
-- The SRP must enforce the above requirements on employees, staff and contractors
-
-
- |
-
-
-
-### Information Security Policies
-
-1. Does the SRP have an Information Security Policy (ISP) in place?
-2. Does the ISP include security objectives at all business functions and levels?
-3. Has the ISP been established and approved by management?
-4. Has the ISP been published and communicated to all employees and relevant external parties within the supporting
- supply chain?
-5. Is the ISP reviewed at planned intervals (no longer than one year), or if significant changes occur, to evaluate
- continuing suitability, adequacy and effectiveness?
-6. Has a method been established to enable individuals to confirm their acceptance of and compliance with the ISP?
-7. Is the ISP supported by a suite of risk specific information/cybersecurity policies, for example an Access Control
- Policy, Acceptable Use Policy, Malware Policy etc?
-8. Does the organization have a named and defined role that is responsible for Information Security?
-9. Do you manage Information Security and Information Technology separately?
-10. Are contacts maintained with relevant authorities to help anticipate forthcoming changes in relevant laws or
- regulations?
-11. Is Information Security addressed in project management regardless of the type of the project?
-12. Is a high-level working group (or equivalent) assigned responsibility for managing Information Security projects?
-13. Does your ISP, or a separate specific Policy, address the risks associated with remote access?
-14. Does your ISP cover all devices with access to business networks, systems, or data (e.g. laptops, mobile devices)
- and all Program Participant data, regardless of IT media?
-
-### Human Resources
-
-1. Is there an employee pre-screening policy that includes criminal, credit, and professional / academic references as
- allowed by local law?
-2. Are organizational and individual responsibilities for Information Security clearly defined in the terms and
- conditions of employment contracts and within the job specifications?
-3. Are non-disclosure agreements current and in place with all staff who have access to organizational assets hosting
- customer information?
-4. Is there training in place to ensure that employees and contractors receive appropriate Information Security
- awareness training and updates to organizational policies and procedures?
-5. Is security awareness training incorporated as part of the induction process (within a maximum of four weeks after
- joining the organization)?
-6. Are all staff required to complete an annual session of security awareness training?
-7. Does the security awareness training include a testing component (e.g., to test employees' handling of emails, links,
- attachments etc.)?
-8. Is security awareness training commensurate with differing levels of responsibilities and access?
-9. Do employees responsible for Information Security undergo additional specific training (e.g., Information Security
- Operations)?
-10. Is there a disciplinary process, that would be invoked as a consequence of non-compliance referenced, in all relevant
- policies and related training?
-11. Is there a policy/documented process to ensure that HR notify security/access administration of an
- employee's/contractor's termination or change of status for access rights removal?
-12. Is there a policy / documented process to ensure that all employees are aware of their continuing responsibilities
- and duties after leaving the organization?
-
-### Management of Information Assets
-
-1. Do you maintain registers of Program Participant relevant information, device and software assets?
-2. Is ownership (an authorized and responsible manager) assigned to each information asset?
-3. Is there an individual who is responsible for approving access to Program Participant data?
-4. Is the Information Security policy supported by detailed acceptable use policies (AUPs) that define the way in which
- individuals are expected to use information and systems within the SRP?
-5. Is there a policy/ documented process to ensure that assets (laptops, mobile phones, ID cards, user accounts,
- hardware, software, documents) are destroyed, returned or revoked upon employee termination?
-6. Is there a documented procedure that ensures that all information assets are correctly classified and aligned with
- the Program Participant classification scheme?
-7. Does the handling of information assets in accordance with the information classification include how assets must be;
- stored, transmitted, destroyed, encrypted?
-8. Do you have a way of separating/ labeling Program Participant data from other information that you store?
-9. Do you have any Data Loss Prevention (DLP) controls in place?
-10. Is there a documented procedure for the secure disposal, re-purpose and / or destruction of physical media (e.g.,
- paper documents, CDs, DVDs, tapes, disk drives, etc.) in accordance with Program Participant requirements and in
- accordance with Program Participants information classification scheme? (e.g. NIST SP-800-88)
-11. Do you protect Program Participant data that is transferred or transmitted?
-
-### Access Control
-
-1. Do you have an implemented access control policy which covers the granting and revoking of access to systems?
-2. Is there a documented and implemented process to ensure access rights are reviewed on a scheduled basis and removed
- upon termination of employment?
-3. Are inactive user accounts monitored, identified, removed or disabled (either through manual or automated processes)?
-4. Do you review access rights on a scheduled basis using a formal process?
-5. Are procedures established and maintained to prohibit the use of generic administration user accounts, according to
- the systems' configuration capabilities?
-6. Is an authorisation process maintained, including a record of all privileges allocated?
-7. Is there a documented procedure in place concerning the use of networks and network services relating to connections
- to sensitive and/or critical business applications?
-8. Do you store and monitor audit logs of access to systems containing Program Participant data?
-9. Do you operate an Onboarding Process which ensures that employees or subcontractors are only given access to systems
- based on the requirements of their role and all are issued unique login credentials?
-10. Does your Onboarding process assign permissions to Joiners based on their role (rather than copying existing user
- permissions)?
-11. Does your Onboarding process accommodate for employees moving into different roles within the SRP (Movers)?
-12. Does your Onboarding process ensure any admin access must be gained by using an accountable escalation mechanism,
- e.g., Sudo or Windows Access control?
-13. Does your Onboarding process ensure admin accounts are forced to use Multi-Factor Authentication (e.g., SMS, Authy,
- Authenticator etc.)?
-14. Do you have a documented and implemented Password Policy that utilizes recognized practices as prescribed by NIST
- SP800-63B?
-15. Is password reset authority restricted to authorized persons and/or an automated password reset tool?
-16. Are user IDs and passwords communicated/distributed separately?
-17. Is the use of privileged utility programs restricted and monitored?
-
-### Cryptography
-
-1. Does the SRP have an implemented policy on the use of cryptographic controls for the protection of customer
- information?
-2. Are risk assessments undertaken to determine the type, strength and quality of encryption algorithms required to
- protect customer information?
-3. Is customer information copied to removable media encrypted?
-4. Is customer information encrypted when being transmitted across networks?
-5. Does the SRP have an implemented policy that addresses the generation, storing, archival, retrieval, distribution,
- retirement and destruction of cryptographic keys?
-6. Does the SRP have an implemented policy that addresses the generation, storing, archival, retrieval, distribution,
- retirement and destruction of cryptographic keys?
-7. Does the implementation of the encryption policy consider the impact of using encrypted information on controls that
- rely on content inspection - e.g. malware detection?
-8. Does the implementation of the encryption policy account for regulations and national restrictions that might apply
- to the use of cryptographic techniques and the issues of cross-border flow of customer encrypted information?
-
-### Physical and Environmental Security
-
-1. Is there a physical security program approved by management, communicated to all employees and relevant parties, and
- has an owner assigned to maintain and review?
-2. Are physical security perimeters defined and used to protect areas at all locations that contain Program Participant
- information?
-3. Is access to areas where Program Participant information is processed or stored logged in a physical book or an
- electronic audit trail maintained?
-4. Is access to areas where Program Participant information is processed or stored controlled by appropriate access
- controls - i.e. key card, token, fob, biometric reader, etc.?
-5. Are entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards for areas where
- Program Participant information is stored or processed?
-6. Are all staff, contractors and visitors required to immediately report a lost or stolen access card that would
- provide access to the area where Program Participant information is processed or stored?
-7. Are visitors required to produce identification, such as a driving License or Passport etc., before being granted
- access to areas where Program Participant information is stored or processed?
-8. Are visitors to areas where Program Participant information is processed or stored escorted at all times?
-9. Do you or your subcontractors operate procedures for logging and tracking hardware containing Program Participant
- data being taken off-site?
-10. Do you operate and technically enforce a 'Clear Screen' policy requiring that computers and terminals should be left
- logged off or protected with a screen and keyboard locking mechanisms controlled by a password, token or similar
- user authentication mechanism when unattended?
-11. Do you operate a clear desk policy that requires sensitive business information, on paper or electronic storage
- media, to be locked away (ideally in a safe or cabinet or other forms of security furniture) when not required,
- especially when the area is vacated?
-
-### Operations Security
-
-1. Do you have a documented and implemented hardening/standard build with security controls for servers, desktops, and
- VMs
-2. Does the hardening/standard build ensure vendor default password(s) are changed and unneeded ports, protocols and
- services etc. are disabled?
-3. Is there a change management procedure in place to cover changes to the SRP, business processes, network, hardware
- and information systems?
-4. Are all changes subject to a review and approval process?
-5. Do you operate a vulnerability management process that ensures the timely patching of your computers and
- applications?
-6. Have you deployed anti-malware/anti-virus software that is updated regularly on all endpoints and servers?
-7. Are files received via email/download scanned when they enter the network?
-8. Are IT systems that host Program Participant information regularly backed up?
-9. Do back-up controls ensure that the availability of Program Participant information can be sustained in line with
- Program Participant's business requirements?
-10. In the case of Program Participant relevant systems and services, do backup arrangements cover all systems
- information, applications and data necessary to recover the complete system?
-11. Are system administrators and operators' activities monitored and logged in a non-modifiable way?
-12. Are resources monitored and projections made with customer involvement of future capacity requirements?
-13. Do you have hardening standards in place to ensure vendor default password are changed and unneeded ports, protocols
- and services etc. are disabled?
-14. Are your hardening standards enforced across all Program Participant relevant systems?
-15. Are there controls that prevent or detect the use of known or suspected malicious websites (for example, website
- blacklisting)?
-16. Are event logs of user activities, exceptions, faults and information security events produced, kept and regularly
- reviewed for Program Participant relevant systems?
-17. Is access to logging information restricted to authorized personnel only?
-
-### Communication (Network) Security
-
-1. Has the SRP established and documented responsibilities for the management of IT networking?
-2. Are controls in place to safeguard the confidentiality and integrity of the SRP's data that passes over public and
- wireless networks - e.g. encryption?
-3. Have security requirements been identified and included in all outsourced network service agreements?
-4. Do your internal network designs conform to the ‘defense in depth’ principle whereby the use of multiple security
- controls or security layers are deployed to mitigate the risk of one component of the network’s defense being
- compromised or circumvented?
-5. Are devices and computer systems of low trust level such as remote access servers and wireless network access points
- located in dedicated network security zones?
-6. Are mission-critical and highly sensitive assets located in dedicated security zones?
-7. Are network and security management systems located in dedicated security zones?
-8. Are systems in development and/or testing located in different zones than production systems?
-9. Where applicable, are there procedures in place for the protection of electronic Program Participant information
- transmitted in the form of an email attachment?
-10. Are your staff, including permanent, contract and temporary resource, advised not to discuss Program Participant
- business/information not already in the public domain in their personal social/social media interactions?
-
-### System Acquisition, Development, & Maintenance
-
-1. Are formal principles for the engineering of secure systems established, documented, maintained and applied?
-2. Are new IT systems subject to a rigorous information security assurance process prior to 'go live'?
-3. Are all IT systems that handle Program Participant information subject to a periodic (at least annual) 're-assurance'
- process?
-4. Does the selection of controls consider the sensitivity of data to be processed, stored and transmitted by the system
- under development?
-5. Are applications developed through a formal System Development Life Cycle (SDLC) procedure?
-6. Do you supervise and monitor the activity of outsourced system development?
-7. Do you provide details of an approved threat model that relates to the information that will be handled, processed,
- stored and transmitted by the system to the external developer?
-8. Do your development procedures meet or exceed recognised good practices, e.g. OWASP?
-9. Is the use of embedded credentials within applications prohibited?
-10. Is the use of 'live' data containing personally identifiable information for testing purposes prohibited?
-11. Does the SRP develop control data sets for the specific use of system testing?
-12. Are your development, testing and operational environments separated?
-13. Are automated tools, such as code analysis tools or vulnerability scanners employed?
-14. Do you conduct application-level security penetration testing prior to deployment?
-15. Are re-tests undertaken to confirm the closure of previously identified vulnerabilities?
-
-### Supplier Relationships
-
-1. Is an accurate record maintained of all suppliers that process or otherwise handle Program Participant data?
-2. In all instances where a supplier will handle Program Participant information, are the information security
- requirements for mitigating associated risks agreed with the supplier and documented?
-3. All suppliers of outsourced IT systems or services subject to a rigorous information security assurance and
- periodic 're-assurance' process?
-4. Do Program Participant relevant supplier agreements include monitoring and/or other methods for validating that the
- products and services being provided remain appropriately secure?
-5. Do supplier agreements require the propagation of the SRP's information security requirements throughout the
- supplier's subcontractors and suppliers?
-6. Do you ensure that your suppliers are unable to extract or remove copies of Program Participant data unless
- explicitly required in the service being provided?
-7. If access to Program Participant data is required by your suppliers, do you make Program Participant aware prior to
- access being granted and obtain consent?
-8. When you end your relationship with a supplier, do you make sure they securely destroy or return Program Participant
- information?
-9. Are service reports produced by suppliers and regular account meetings held?
-10. Are your suppliers contractually obliged to provide information about Program Participant relevant information
- security incidents in a timely manner?
-
-### Information/Cyber Security Incident Management
-
-1. Do you operate documented processes for the monitoring, detecting, analyzing and reporting of information/cyber
- security events?
-2. Are all employees, contractors, temporary resources and suppliers aware of what is described as an information/cyber
- security event?
-3. Are all employees, contractors, temporary resources and suppliers aware of their responsibility to report
- information/cyber security events as quickly as possible?
-4. Is the information/cyber security event reporting mechanism easily accessible and readily available?
-5. Are information/cyber security events first assessed prior to being declared as incidents?
-6. Are information/cyber security incidents classified and prioritized?
-7. Do you have a documented Information/Cyber Security Incident Response Procedure?
-8. Do the documented incident procedures require the collection of evidence as soon as possible after the occurrence?
-9. Do the documented incident procedures require the conducting of information/cyber security forensic analysis?
-10. Do the documented incident procedures include escalation requirements and parameters?
-11. Do the documented incident procedures require all response activities and actions are logged for later analysis?
-12. Do the documented incident procedures restrict the communication of information to only those with a 'need to know'?
-13. Do the documented incident procedures require post-incident analysis to be undertaken to identify the 'root cause'
- of the incident?
-14. Are there documented processes that details who within Program Participant must be informed of a relevant incident,
- the circumstances and when they must be informed and by what method?
-15. Are there formal documented procedures for the identification, collection, acquisition and preservation of
- information that can serve as evidence in relation to an information/cyber security incident?
-16. Are formal documented procedures followed when dealing with evidence for the purposes of disciplinary and legal
- action?
-17. Is knowledge gained from analyzing and resolving security incidents used to reduce the likelihood or impact of
- future incidents?
-
-### Information Security Aspects of Business Continuity Management
-
-1. Has a Business Impact Analysis (BIA) been conducted on all Program Participant relevant systems, applications and
- platforms?
-2. Has the SRP identified Program Participant's requirements for the availability of its information?
-3. Are information security continuity requirements captured within the SRP's business continuity and/or disaster
- recovery processes?
-4. Has the SRP ensured that personnel with the necessary responsibility, authority and competence to manage a business
- continuity impacting incident are in place?
-5. Does the SRP exercise and test its BCM/DR capability on a regular basis?
-6. Are the SRP's information processing facilities implemented with sufficient redundancy to meet Program Participant's
- availability requirements?
-7. Have redundant architectures been implemented where availability cannot otherwise be guaranteed?
-8. Are redundant architectures tested regularly?
-
-### Compliance (Security Governance, Risk, and Compliance)
-
-1. Does the SRP have a privacy officer or other individual responsible for providing guidance to managers, users and
- service providers on their responsibilities and specific privacy related procedures?
-2. Does the SRP undertake privacy impact assessments on new IT systems/services or when a significant change or upgrade
- to an IT system/service is planned?
-3. Are the SRP's IT systems regularly reviewed for compliance with the SRP's information/cyber security policies?
-4. Are penetration tests regularly undertaken?
-5. Are electronic vulnerability scans regularly undertaken?
-6. Are effectiveness measures defined for all controls?
-7. Is the SRP's approach to managing information security and its implementation independently reviewed at planned
- intervals or when significant changes occur?
-8. Are the results of independent reviews recorded, reported to the management that initiated them and the records
- maintained?
-9. Are actions identified to correct non-compliance with policies recorded and acceptable remediation tracked?
-
-##
+## Introduction
-## Technical Requirements
+This document shows what information we want to see from Security Review Providers to consider their application as OCP S.A.F.E. review providers. If you are interested in applying, please send us a document with answers to all the questions and we will review your application. If you are approved, you will have to join the OCP and pay the membership fee in order to be added as OCP S.A.F.E. review provider.
-The criteria and questions below will be evaluated in totality. A prospective SRP does not need to address everything
-listed below in granular detail. The OCP will assess each CSP application and the responses to each of the following
-requirements. The requirements should be viewed as desired but not essential. The more requirements a potential
-SRP can demonstrate, the stronger the case for acceptance as an approved SRP.
+## Technical expertise
-### Scope 1 assessments
+We need to see evidence that you are capable of performing reviews covering the scopes outlined [here](review_areas.md). The more evidence you can provide the better. This is the most important part of considering your application. We understand that it is difficult to provide evidence due to NDAs. However, without sufficient evidence we have no way to judge whether you are capable of performing reviews to a high standard and will therefore not admit you to the program.
-1. Redacted real engagement reports applicable to each discipline demonstrating quality of assessment and reporting.
- Reports need to be in a format to be made public.
- 1. Embedded code review in languages (list of languages)
- 2. Review of documentation and evidence as outlined in Assessment Scope -> Documentation.
- 3. Assessment of cryptographic systems
-2. List and URL’s of documents, blog posts, white papers published by SRP
-3. List of tools developed internally by SRP (IP controlled)
-4. List of tools of developed and made public by SRP
+These items can be suitable evidence, but we are open to anything you think might be helpful:
-### Scope 2 assessments
+1. Appropriately-redacted reports of real engagements
+2. Public tools you developed, e.g. GitHub links
+3. Blog posts, white papers and other public documents
+4. Descriptions of internal tools you have
+5. Descriptions of physical facilities/equipment/tools, e.g. for fault injection and side-channel analysis
-Where SRP wishes to perform Scope 2 assessments, Scope 1 plus;
+## Business processes
-1. The following list is relevant to the assessment of trusted execution environments, both software and hardware
- including hybrids. In addition to CPUs examples of assessments of host aware devices such as GPUs, network
- interfaces, bulk storage;
- 1. Redacted real engagement reports applicable to each discipline demonstrating quality of assessment and reporting.
- Reports need to be in a format to be made public.
- 2. List and URL’s of documents, blog posts, white papers published by SRP
- 3. List of tools developed internally by SRP (IP controlled)
- 4. List of tools of developed and made public by SRP
+If you are SOC 2 or ISO27001 accredited you can tell us that instead of responding to the questions here.
-### Scope 3 assessments
+1. Do you have an Information Security Policy defined and if so can you share that with us?
+2. Do all your employees receive IT security training when joining and regularly thereafter?
+3. Is there at least one person designated to ensure IT security in your organization? What qualifies them for this?
+4. How do you ensure source code and other confidential data you receive from vendors does not leak? How do you ensure confidential data is fully erased after an engagement?
+5. What protections do you have in place against insiders stealing confidential data?
+6. What does your screening process for potential employees entail?
+7. What access control systems do you have in place? How do you ensure access is fully revoked when an employee leaves?
+8. What endpoint protection and intrusion detection systems do you have?
+9. How do you plan to protect the private key that will be used for signing your OCP S.A.F.E. reports?
+10. Is all data you store encrypted at rest?
+11. What physical security do your offices have?
+12. Are all your computers configured to lock their screen after a certain amount of time has elapsed?
+13. Do all your systems require at least two factor authentication for access?
+14. How do you monitor your computers and other devices for public vulnerabilities and ensure they get patched in a timely manner?
+15. What logging systems do you have in place to make sure you can analyze what happened in case of a potential security breach?
-The assessments described in this document do not require a laboratory. The assessments can be performed entirely on
-design and implementation documents prior to manufacturing. However, an SRP that can perform these types of analysis
-when requested is appreciated.
+## Code of Conduct
-Where SRP wishes to perform Scope 3 assessments, Scope 2 plus;
+Please confirm that your organization will adhere to the following code of conduct for the duration of you being an OCP S.A.F.E. review provider.
-1. Demonstration of experience and skills is required for side channel analysis covering voltage, power, time domains;
- 1. Redacted real engagement reports applicable to each discipline demonstrating quality of assessment and reporting.
- Reports need to be in a format to be made public.
- 2. List and URL’s of documents, blog posts, white papers published by SRP
- 3. List of tools developed internally by SRP (IP controlled)
- 4. List of tools of developed and made public by SRP
-2. Optional: Laboratory, facilities and equipment to support side channel and fault injection attacks;
- 1. Electronic debug interface exercising and discovery tools (HW and SW)
- 2. Fault injection equipment
- 3. Time, voltage, power domain side channel measurement and analysis equipment relevant to the devices in this scope
- 4. Silicon assessment tools such as
+1. We will not sell vulnerabilities or exploits to entities other than the organizations responsible for securing the respective product.
+2. We will disclose all affiliations that might appear to be conflicts of interest to the OCP S.A.F.E. leadership, as well as the vendor before starting a review. For example affiliations with exploit sellers, law enforcement, military and intelligence.
+3. We will disclose any relationship we have with the vendor, other than performing security reviews, to the OCP S.A.F.E. leadership before starting a review.