Due: Monday, Feb. 16. You'll be submitting this one, and most subsequent assignments, via Canvas. We'll be setting up the link there shortly.
Note: you can work with one other student on this project. If you do so, be sure to identify both members of the team and include a sentence explaining the contributions of each.
Imagine that you are a security consultant to a large organization (you can choose whether the organization is commercial or governmental). The organization annually purchases hundreds of COTS (commercial-off-the-shelf) software and/or hardware products from a variety of vendors, both foreign and domestic. These products vary widely in functionality, importance to the organizational mission, complexity, cost, etc.
Management has recently become concerned that purchasing and deploying COTS products might introduce exploitable security vulnerabilities into the organization's computing infrastructure. They would like you to formulate a strategy to manage this risk.
Write a draft proposal to the management of your organization suggesting a screening procedure that could be applied before any newly acquired COTS product is deployed within your organization. You can assume that the product has already been purchased and is awaiting deployment. The outcome of the screening procedure should be a determination either that the product is "adequately secure" for deployment within the company infrastructure or that it is not. Your procedure can use technical and/or non-technical methods.
Your draft proposal should justify your suggested procedure, explaining how it manages the security risks inherent in using COTS products.
The reason a draft proposal is requested is that this is a surprisingly complex question on which you could spend months. This problem is known as supply chain security. Spend an hour or so thinking about the problem in the context above and write up your initial ideas as a draft. You will be refining your procedure in a later assignment. There is no page limit; write as much as you need to address the question, but not a lot more.