Today we’re releasing updated versions of two popular white papers on software supply chain security and critical infrastructure protection. These papers draw on our policies and practices that involve regular assessments of the security challenges facing our customers and our operations, as well as ongoing learnings gained through our experiences defending more than one billion users from cyber-threats. We are pleased to share our learnings on these two critical security topics.
In Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity, we describe Microsoft’s framework for incorporating software integrity risk-management practices in both the product development process and online services operations. The paper first presents an overview of our approach to providing risk-based protection for the integrity of Microsoft’s software during development and distribution. It then presents the details of our approach to assessing the risks to the supply chain and determining where to apply security controls. Finally, the paper summarizes some of the specific controls that we rely on to protect the integrity of our software products.
Critical Infrastructure Protection: Concepts and Continuum, draws upon our work with critical infrastructure owners and operators, coupled with our more than three decades of experience with our own internal systems. Modern life is increasingly reliant on a wide-ranging set of functions, services, systems, and assets, commonly referred to as infrastructures. Governments view several of these infrastructures, such as communications, banking, energy, transportation, and healthcare, as critical, since their disruption, destruction, or loss of integrity can impact a nation’s stability. We’ve found that that effective critical infrastructure protection efforts share three core principles: trustworthy policies and plans; resilient operations; and innovative investments. This paper describes how these principles, enabled by trusted collaboration, form a continuum for protecting critical infrastructure.
You can download these papers directly below or by visiting www.microsoft.com/cybersecurity: