SUPPLY CHAIN SECURITY FOR HARDWARE AND SOFTWARE
Supply chain security is a multi-disciplinary topic and requires close collaboration between the organisation, its supporting stakeholders, and its IT suppliers. The firms that get this right start with IT and a secure multi-enterprise business interface, then build upward with carefully governed and secured access to analytics and visibility capabilities and, from there, continuously monitor every layer for anomalous behaviour.
The conventional lines between hardware and software are blurred, as many hardware systems incorporate embedded and configurable software such as firmware. The Kayndrex Foundation’s security policies and practices therefore extend to both hardware and software, and govern the procurement, engineering, development, and maintenance of such systems. These policies and practices apply to the Foundation’s own engineered hardware and software as well as to third-party hardware and software acquired for corporate use or embedded in other products.
Procurement of Non-Kayndrex Hardware systems for Cloud and Corporate Applications
Hardware and software investments supporting the Foundation’s Cloud and internal data centres are routed through standard organisational hardware and software supply-chain processes. These processes are intended to properly vet the Foundation’s suppliers, prevent the acquisition of counterfeit products, and ensure sourcing from trusted stakeholders only. Potential suppliers are subject to extensive evaluation of their financial health, integrity, and security practices.
The Foundation maintains its own ethical security team to perform security assessments on non-Kayndrex hardware and software being evaluated for investment. These security assessments seek to discover hardware, software, or firmware security vulnerabilities and to confirm the effectiveness of the security features claimed by the supplier. The Foundation works collaboratively with its hardware and software suppliers to identify new areas of opportunity.
Hardware and software destined for use in the Foundation’s Cloud or internal IT systems is subject to these same practices. Furthermore, hardware and software products are formally evaluated by the Foundation’s personnel prior to acquisition for fitness for purpose, such as scalability, as well as for inherent hardware and software security. The security assurance practices of the supplier are also formally evaluated to confirm that the supplier has adequate security remediation policies.
Security Assurance in The Foundation’s Hardware and Software Systems
Most hardware products have software components, such as firmware, embedded in them, so the Foundation’s Software Security Assurance policies and practices extend to the development of code that runs on the Foundation’s hardware systems. The primary objective of these policies and practices is to prevent the introduction of security threats and to strengthen the security controls designed into the systems.
Hardware and software supply chains are the rocket fuel for the modern digital economy. Suppliers use third-party commercial software and hardware components in their products to improve productivity and focus development efforts on innovation. To manage cyber threats, the Foundation identifies and removes threats in its software and hardware supply chain. The Foundation empowers product security, supply-chain security, and development teams to gain complete visibility, prioritise, and remove these threats at scale, using an automated, easy-to-use product security platform.
Maintenance of Hardware and Software Systems used in the Cloud
When software updates for the Foundation’s own and third-party hardware used in the Foundation’s Cloud are delivered to the Foundation, cloud-operations teams evaluate the proposed update in a test environment that is separate from, and closely mirrors, the production environment. Once tested, the software updates are deployed from test to production through a controlled private interface.
Hardware shipping practices
The Foundation and its logistics carriers maintain custody and control of the hardware from pickup at the point of origin to fulfilment of the applicable Incoterm. In most situations, the Foundation operates on a delivered model, meaning that the Foundation uses either Delivered Duty Paid or Delivery to a designated airport. Each leg of the delivery process is documented in the carrier’s system, and freight is checked at each transfer point.
Any exception is noted on the shipping documentation and/or in the logistics carrier’s system. Every Delivered Duty Paid delivery requires a signature after inspection. Consignments delivered to a designated airport are deemed complete when the aircraft arrives, provided the Foundation has received a confirmed on-board notice from the airline.