Unverified Commit 1c5930ce authored by Aki Braun

HAS 56: Remove process-based requirement

parent f99ca5b2
+2 −2
@@ -724,8 +724,8 @@ Mitigations for Likelihood:

TODO KEVX - the more enterprise-appropriate version of KEVA

* Medium to Low: (KEVD or KEVA or KEVX), (KEVM or KEVT or SCAN), (SUVP or SUAP or SUOE or SUAO), VULH
* High to Low: KEVD, (KEVA or KEVX), (KEVM or KEVT or SCAN), (SUAP or SUAO), SUCS, SUAU, SUVH, SURP, SURC, SUSR, SUMV, SUED, VULH
* Medium to Low: (KEVD or KEVA or KEVX), (KEVT or SCAN), (SUVP or SUAP or SUOE or SUAO), VULH
* High to Low: KEVD, (KEVA or KEVX), (KEVT or SCAN), (SUAP or SUAO), SUCS, SUAU, SUVH, SURP, SURC, SUSR, SUMV, SUED, VULH

### C.4.5 TH-UEAC: Unauthorised endpoint access

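Review bot: dropping KEVM from both Likelihood lines only updates this one list; the same identifier is likely referenced elsewhere in the document (a mitigation index, cross-references in the KEVT or SCAN text, or the security-profile lists), so search the whole file for remaining mentions of KEVM before merging. The TODO two lines above about KEVX is unchanged context and still applies to the (KEVA or KEVX) alternatives on both lines, so it is not resolved by this change.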
+7 −22
@@ -63,21 +63,6 @@ The product shall implement secure update by via administrator actions before or
* Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.2.4 MI-KEVM: Documentation of mitigation of known exploitable vulnerabilities

The product's development and release process shall include a process to document known exploitable vulnerabilities in the product and their fixes or mitigations. The documentation for this process shall conform with the process described in prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling" [\[2\]](#_ref_2). The product is deemed to be compliant with this requirement if it:

1. has no known exploitable vulnerabilities
1. has known exploitable vulnerabilities whose age is consistent with the specification of how long vulnerabilities may go unfixed after public disclosure, as described in the vulnerability handling procedure for the product
1. for each detected vulnerability, has documentation of how the risk has been mitigated

* Reference: TR-NKEV
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Compile a list of known exploitable vulnerabilities in the product and its components
* Activities: Compare the generated list of known exploitable vulnerabilities with the documentation of the known exploitable vulnerabilities that have been fixed or mitigated in the product
* Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
* Evidence: Documented vulnerability handling policy, list of vulnerabilities, documentation of mitigations or age of vulnerability, correlation of list of vulnerabilities with documentation of mitigations or age of vulnerability

#### 5.2.2.5 MI-KEVT: Testing for known exploitable vulnerabilities

The product shall be tested for all known exploitable vulnerabilities to demonstrate that each has been mitigated. The product shall be considered conformant with this requirement if it:
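Review bot: deleting 5.2.2.4 MI-KEVM leaves a gap in the clause numbering, since the next heading in the unchanged context is still `#### 5.2.2.5 MI-KEVT: Testing for known exploitable vulnerabilities`; either renumber 5.2.2.5 and the sub-clauses that follow down by one, or state that clause numbers are stable identifiers and are meant to keep gaps. The deleted text also carried the citation of prEN 40000-1-3 as [2]; if that was the only citation, the reference-list entry is now orphaned and should be removed or the reference kept where it is still relevant. Finally, the removed clause allowed an unfixed vulnerability whose age was consistent with the product's vulnerability handling procedure, whereas MI-KEVT requires every known exploitable vulnerability to be demonstrated mitigated; if that tightening is intended, the commit message should say so rather than describing the change only as removing a process-based requirement.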
@@ -1097,7 +1082,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
### 5.3.2 SP-1 Individual consumer required mitigations

  1. (KEVD or KEVA)
  1. (KEVM or KEVT or SCAN)
  1. (KEVT or SCAN)
  1. (SUVP or SUAP or SUOE or SUAO)
  1. AUTH-6
  1. CDST
@@ -1108,7 +1093,7 @@ This clause lists all the mitigations necessary to meet requirements for each se

### 5.3.3 SP-2 Privacy conscious household required mitigations

  1. (KEVM or KEVT or SCAN)
  1. (KEVT or SCAN)
  1. (SUAP or SUAO)
  1. (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. AUTH-1
@@ -1155,7 +1140,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
### 5.3.4 SP-3 Journalist or activist required mitigations

  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (KEVT or SCAN)
  1. (RSET or INST or DELE)
  1. (SUAP or SUAO)
  1. AUTH-1
@@ -1219,7 +1204,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
### 5.3.5 SP-4 Small organization required mitigations

  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (KEVT or SCAN)
  1. (NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. (RSET or INST or DELE)
  1. (SUAP or SUAO)
@@ -1277,7 +1262,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
### 5.3.5 SP-5 Large enterprise required mitigations

  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (KEVT or SCAN)
  1. (RSET or INST or DELE)
  1. (SUAP or SUAO)
  1. AUTH-1
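Review bot: the heading carried as context in this hunk, `### 5.3.5 SP-5 Large enterprise required mitigations`, reuses the number 5.3.5 already used by `### 5.3.5 SP-4 Small organization required mitigations` in the previous hunk; since these lists are being edited anyway, renumber SP-5 to 5.3.6 (and whatever follows it) so that the mitigation profiles can be cited unambiguously.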
@@ -1336,7 +1321,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
TODO: update security analysis to better allow for this security profile's needs be met (without overprescribing)

  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (KEVT or SCAN)
  1. TRAF-1 or (TRAF-2 and TRAF-4)
  1. (RSET or INST or DELE)
  1. SUDC
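Review bot: the item `1. TRAF-1 or (TRAF-2 and TRAF-4)` in this list is the only alternative group in the profile lists written without enclosing parentheses, where the other profiles use `(TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))`; wrap it the same way so the grouping reads consistently, and confirm that the omission of TRAF-3 here is deliberate for this profile rather than a copy error.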
@@ -1371,7 +1356,7 @@ TODO: update security analysis to better allow for this security profile's needs
## 5.3.X SP-7 Mesh VPN required mitigations

1. (FZ95 or BTIN or IMSL)
1. (KEVM or KEVT or SCAN)
1. (KEVT or SCAN)
1. (RSET or INST or DELE)
1. (SUAP or SUAO)
1. AUTH-1
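Review bot: the SP-7 section still uses a placeholder clause number and a different heading level from the other profiles, `## 5.3.X SP-7 Mesh VPN required mitigations` against `### 5.3.n` for SP-1 to SP-5, and its list items have no leading indentation where the other profile lists use two spaces; while the KEVM substitution is being made here, normalise the heading level, assign a real clause number and indent the list so the rendered numbering and nesting match the other profiles.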