Commit 64041170 authored by Valerie Aurora

New mitigation sets and updates of threat risk formulas

parent cd451d48
+39 −39
@@ -739,33 +739,33 @@ Mitigations for Likelihood:

* Medium to Low: SSCA, SCFS

* High to Low: SSCA, (FZ95 or BTIN or IMSL), SCFS, NUTI-\*
* High to Low: SSCA, (FZ95 or BTIN or IMSL), SCFS, NUTI-1, NUTI-2

Mitigations for Impact:

* Medium to Low: LOGG-1, CDST

* High to Low: LOGG-\*, CDST
* High to Low: LOGG-1, LOGG-2, CDST

### C.4.4 TH-KEVU: Known exploitable vulnerabilities

Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorised access to product assets.

| Risk factors           | Likelihood | Security profiles      |
|----------------------------------|------------|------------------------|
| max(DAT, FUN, COM) = 2 & ADM = 2 | High       | SP-4                   |
| all others                       | Medium     | SP-1, SP-2, SP-3, SP-5 |
|------------------------|------------|------------------------|
| max(DAT, FUN, COM) > 0 | High       | SP-2, SP-3, SP-4, SP-5 |
| all others             | Medium     | SP-1                   |

Table: _Table C.3_

| Risk factors      | Impact | Security profiles      |
|------------------------|--------|------------------------|
| max(DAT, FUN, COM) > 0 | High   | SP-2, SP-3, SP-4, SP-5 |
|-------------------|--------|------------------------|
| max(DAT, FUN) > 0 | High   | SP-2, SP-3, SP-4, SP-5 |
| all others        | Medium | SP-1                   |

Table: _Table C.4_

Requirements that mitigate this threat: NKEV, SSDD, SCUD, LOGG, VULH
Requirements that mitigate this threat: NKEV, SSDD, SCUD, NUTI, LOGG, VULH

All mitigations from TH-UEVU apply (using that requirement's risk formula), in addition to:

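Review bot: The Table C.4 High row `max(DAT, FUN) > 0` leaves out COM, while the Table C.3 High row `max(DAT, FUN, COM) > 0` includes it, yet both rows list the same profiles (SP-2, SP-3, SP-4, SP-5). If dropping COM from the impact formula is intended, state the reason in the commit message or beside the table; otherwise keep the two risk-factor sets identical. Separately, the context sentence "All mitigations from TH-UEVU apply (using that requirement's risk formula)" calls TH-UEVU a requirement although the TH- prefix marks a threat; "that threat's risk formula" would read correctly.
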
@@ -848,10 +848,10 @@ Mitigations for Impact:
Attacker may read or modify traffic by capturing and relaying activity to and from endpoints.

| Risk factors      | Likelihood | Security profiles |
|-----------------------------|------------|-------------------|
| ADM > 0 & max(DAT, FUN) = 2 | High       | SP-3, SP-4        |
| all others                  | Medium     | SP-2, SP-5        |
| DAT = 0 & FUN = 0           | Low        | SP-1              |
|-------------------|------------|-------------------|
| max(DAT, FUN) = 2 | High       | SP-3, SP-4, SP-5  |
| all others        | Medium     | SP-2              |
| max(DAT, FUN) = 0 | Low        | SP-1              |

Table: _Table C.9_

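Review bot: In Table C.9 the `all others` row sits above the `max(DAT, FUN) = 0` row, so a reader evaluating the table top to bottom reaches the catch-all before the Low case. Move the catch-all to the last row, or replace it with an explicit condition for the Medium case. The ADM term also disappears from the High condition and SP-5 moves from the Medium row to the High row; the commit message should record why.
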
@@ -869,13 +869,13 @@ Mitigations for Likelihood:

* Medium to Low: CRYPT-2

* High to Low: CRYPT-\*
* High to Low: CRYPT-1, CRYPT-2

Mitigations for Impact:

* Medium to Low: LOGG-1

* High to Low: LOGG-\*
* High to Low: LOGG-1, LOGG-2

### C.4.8 TH-LEAK: Sensitive data leaks

@@ -890,9 +890,9 @@ Attacker may read sensitive data sent outside the VPN connection by the product.
Table: _Table C.11_

| Risk factors | Impact | Security profiles |
|--------------|--------|------------------------|
| DAT > 0      | High   | SP-2, SP-3, SP-4, SP-5 |
| all others   | Medium | SP-1                   |
|--------------|--------|-------------------|
| DAT = 2      | High   | SP-3, SP-4, SP-5  |
| all others   | Medium | SP-1, SP-2       |

Table: _Table C.12_

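Review bot: The Table C.12 row `| all others   | Medium | SP-1, SP-2       |` is one space narrower than the separator row above it, so the raw table is misaligned; pad the last cell to the column width. The High condition also tightens from `DAT > 0` to `DAT = 2`, which moves SP-2 from High to Medium impact, and that reclassification deserves a sentence in the commit message.
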
@@ -900,15 +900,15 @@ Requirements that mitigate this threat: ROUT, CONF, DNSL, IPv6, CRYPT

Mitigations for Likelihood:

* Medium to Low: ROUT-1, ROUT-2, CONF-\*, DNSL-1, DNSL-2, DNSL-7, DNSL-8, IPv6-\*
* Medium to Low: ROUT-1, ROUT-2, CONF-1, CONF-2, CONF-3, CONF-4, CONF-5, DNSL-1, DNSL-2, DNSL-7, DNSL-8, IPv6-1, IPv6-2

* High to Low: ROUT-\*, CONF-\*, DNSL-\*, IPv6-\*
* High to Low: ROUT-1, ROUT-2, ROUT-3, CONF-1, CONF-2, CONF-3, CONF-4, CONF-5, DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6, DNSL-7, DNSL-8, IPv6-1, IPv6-2

Mitigations for Impact:

* Medium to Low: LOGG-1

* High to Low: LOGG-\*
* High to Low: LOGG-1, LOGG-2

### C.4.9 TH-PLNS: Transmitting sensitive data in the clear in a single endpoint VPN

@@ -936,13 +936,13 @@ Mitigations for Likelihood:

* Medium to Low: EISO, CRYPT-2, ROUT-1, AUTH-1, AUTH-2

* High to Low: EISO, DNSL-6, CRYPT-\*, ROUT-\*, AUTH-\*
* High to Low: EISO, DNSL-6, CRYPT-1, CRYPT-2, ROUT-1, ROUT-2, ROUT-3, AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5, AUTH-6

Mitigations for Impact:

* Medium to Low: LOGG-1

* High to Low: LOGG-\*
* High to Low: LOGG-1, LOGG-2

### C.4.10 TH-PLNM: Transmitting sensitive data in the clear in multi-endpoint VPN

@@ -970,13 +970,13 @@ Mitigations for Likelihood:

* Medium to Low: NUTI-1, CRYPT-2, ROUT-1, AUTH-1, AUTH-2

* High to Low: NUTI-\*, DNSL-6, CRYPT-\*, ROUT-\*, AUTH-\*
* High to Low: NUTI-1, NUTI-2, DNSL-6, CRYPT-1, CRYPT-2, ROUT-1, ROUT-2, ROUT-3, AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5, AUTH-6

Mitigations for Impact:

* Medium to Low: LOGG-1

* High to Low: LOGG-\*
* High to Low: LOGG-1, LOGG-2

### C.4.10 TH-UNAA: Unauthorised authentication

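Review bot: The trailing heading `### C.4.10 TH-UNAA: Unauthorised authentication` reuses the clause number of `### C.4.10 TH-PLNM` at the end of the previous hunk. Since this commit edits both clauses, renumber TH-UNAA and the clauses that follow it so that references to C.4.10 are unambiguous.
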
@@ -1009,7 +1009,7 @@ Mitigations for Impact:

* Medium to Low: AUTH-3, LOGG-1

* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-\*
* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-1, LOGG-2

### C.4.11 TH-LDEL: Attacker removes evidence of compromise

@@ -1067,15 +1067,15 @@ Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, LOGG

Mitigations for Likelihood:

* Medium to Low: CONF-5, (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4)), IPv6-\*
* Medium to Low: CONF-5, (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4)), IPv6-1, IPv6-2

* High to Low: TRAF-1, IPv6-\*
* High to Low: TRAF-1, IPv6-1, IPv6-2

Mitigations for Impact:

* Medium to Low: AUTH-3, LOGG-1, CDST

* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-\*, CDST
* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-1, LOGG-2, CDST

### C.4.12 TH-CONF: Access to assets via configuration errors in a multi-endpoint VPN

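Review bot: The `High to Low` likelihood line (`TRAF-1, IPv6-1, IPv6-2`) omits CONF-5, which the `Medium to Low` line above it requires, so the larger risk reduction asks for less than the smaller one. Add CONF-5 to the High to Low line or explain why it is not needed there. The impact lists also rely on AUTH-3, AUTH-4 and AUTH-5, while the "Requirements that mitigate this threat" line in the hunk header names only CONF, TRAF, IPv6, CDST, LOGG.
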
@@ -1101,15 +1101,15 @@ Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, DMIN, LOGG

Mitigations for Likelihood:

* Medium to Low: CONF-5, (NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4)), IPv6-\*
* Medium to Low: CONF-5, (NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4)), IPv6-1, IPv6-2

* High to Low: NUTI-\*, IPv6-\*
* High to Low: NUTI-1, NUTI-2, IPv6-1, IPv6-2

Mitigations for Impact:

* Medium to Low: AUTH-3, LOGG-1, CDST

* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-\*, CDST
* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-1, LOGG-2, CDST

### C.4.13 TH-META: Compromise of PII due to metadata and traffic analysis

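Review bot: NUTI-1 and NUTI-2 are used in the likelihood lists of this hunk, but the "Requirements that mitigate this threat" line in the hunk header lists CONF, TRAF, IPv6, CDST, DMIN, LOGG and not NUTI. Add NUTI to that summary line in the same commit, as was done for TH-KEVU in the first hunk.
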
@@ -1117,7 +1117,7 @@ Attacker may use user metadata such as IP addresses and traffic analysis to comp

| Risk factors                 | Likelihood | Security profiles      |
|------------------------------|------------|------------------------|
| PII = 2 & DATA = 2 & FUN = 2 | High       | SP-3,                  |
| PII = 2 & DATA = 2 & FUN = 2 | High       | SP-3                  |
| all others                   | Medium     | SP-1, SP-2, SP-4, SP-5 |

Table: _Table C.25_
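
Review bot: The row `| PII = 2 & DATA = 2 & FUN = 2 | High       | SP-3                  |` drops the stray comma but leaves the last cell one space narrower than the separator row; the same fix in the next hunk is padded correctly. The condition also writes `DATA` where the other tables in this change write `DAT`; if both name the same risk factor, use one spelling throughout.
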
@@ -1217,7 +1217,7 @@ Attacker may get unauthorised access to personally identifiable information stor

| Risk factors                 | Likelihood | Security profiles      |
|------------------------------|------------|------------------------|
| PII = 2 & DATA = 2 & FUN = 2 | High       | SP-3,                  |
| PII = 2 & DATA = 2 & FUN = 2 | High       | SP-3                   |
| all others                   | Medium     | SP-1, SP-2, SP-4, SP-5 |

Table: _Table C.25_
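
Review bot: The caption under this table is `Table: _Table C.25_`, the same number as the caption under the TH-META table in the previous hunk, about a hundred lines earlier in the file. One of the two tables needs a different number; fix it here while the row is being touched.
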
@@ -1237,7 +1237,7 @@ Mitigations for Impact:

* Medium to Low: NPII-1

* High to Low: NPII-\*
* High to Low: NPII-1, NPII-2, NPII-3, NPII-4

## C.5 Mapping of use cases to risk factors and security profiles

+90 −16
@@ -1085,29 +1085,65 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. (KEVD or KEVA)
  1. (KEVM or KEVT or SCAN)
  1. (SUVP or SUAP or SUOE or SUAO)
  1. AUTH-6
  1. CDST
  1. LOGG-1
  1. SCFS
  1. SSCA
  1. VULH

### 5.3.3 SP-2 Privacy conscious household required mitigations

  1. (KEVM or KEVT or SCAN)
  1. (SUAP or SUAO)
  1. (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. AUTH-1
  1. AUTH-2
  1. AUTH-3
  1. AUTH-5
  1. AUTH-6
  1. CDST
  1. CDST
  1. CONF-1
  1. CONF-2
  1. CONF-3
  1. CONF-4
  1. CONF-5
  1. CRYPT-2
  1. DNSL-1
  1. DNSL-2
  1. DNSL-7
  1. DNSL-8
  1. DOST
  1. EISO
  1. FDRP
  1. IPv6-1
  1. IPv6-2
  1. KEVA
  1. KEVD
  1. LMEM
  1. LOGG-1
  1. NPII-1
  1. ROUT-1
  1. ROUT-2
  1. SCFS
  1. SSCA
  1. SUAU
  1. SUCS
  1. SUED
  1. SUMV
  1. SURC
  1. SURP
  1. SUSR
  1. SUVH
  1. VULH

### 5.3.3 SP-2 Privacy conscious household required mitigations
### 5.3.4 SP-3 Journalist or activist required mitigations

  1. (KEVD or KEVA)
  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (RSET or INST or DELE)
  1. (SUVP or SUAP or SUOE or SUAO)
  1. (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. (SUAP or SUAO)
  1. AUTH-1
  1. AUTH-2
  1. AUTH-3
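
Review bot: `1. CDST` appears twice in a row in the list under the first `### 5.3.3 SP-2 Privacy conscious household required mitigations` heading. If both lines are present in the new file, delete one so the list has no duplicate entries. This hunk also grows the clause from 29 to 65 lines; the commit message "New mitigation sets" would be easier to review if it said which threat formulas drove the added items.
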
@@ -1115,22 +1151,38 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. AUTH-5
  1. AUTH-6
  1. CDST
  1. CONF-1
  1. CONF-2
  1. CONF-3
  1. CONF-4
  1. CONF-5
  1. CRYPT-1
  1. CRYPT-2
  1. DNSL-1
  1. DNSL-2
  1. DNSL-3
  1. DNSL-4
  1. DNSL-5
  1. DNSL-6
  1. DNSL-7
  1. DNSL-8
  1. DOST
  1. EISO
  1. FAIR
  1. FDRP
  1. IPv6-1
  1. IPv6-2
  1. KEVA
  1. KEVD
  1. LMEM
  1. LOGG-1
  1. LOGG-2
  1. NPII-1
  1. NPII-2
  1. NPII-3
  1. NPII-4
  1. NUTI-1
  1. NUTI-2
  1. ROUT-1
  1. ROUT-2
  1. ROUT-3
@@ -1138,12 +1190,22 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. SDRF
  1. SDTR
  1. SSCA
  1. SUAU
  1. SUCS
  1. SUED
  1. SUMV
  1. SURC
  1. SURP
  1. SUSR
  1. SUVH
  1. TRAF-1
  1. VULH

### 5.3.4 SP-3 Journalist or activist required mitigations
### 5.3.5 SP-4 Small organization required mitigations

  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. (RSET or INST or DELE)
  1. (SUAP or SUAO)
  1. AUTH-1
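
Review bot: The choice item `(NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))` in the SP-4 Small organization list is satisfied automatically if NUTI-1 is also required on its own, and `1. NUTI-1` appears in the hunk at -1180/+1241, which looks like the same list. If NUTI-1 is mandatory for this profile, drop the choice item; if the choice is the intent, drop the standalone NUTI-1.
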
@@ -1169,7 +1231,6 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. DNSL-7
  1. DNSL-8
  1. DOST
  1. EISO
  1. FAIR
  1. FDRP
  1. IPv6-1
@@ -1180,9 +1241,6 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. LOGG-1
  1. LOGG-2
  1. NPII-1
  1. NPII-2
  1. NPII-3
  1. NPII-4
  1. NUTI-1
  1. NUTI-2
  1. ROUT-1
@@ -1200,12 +1258,11 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. SURP
  1. SUSR
  1. SUVH
  1. TRAF-1
  1. VULH

### 5.3.5 SP-4 Small organization required mitigations
### 5.3.5 SP-4 Large enterprise required mitigations

  1. (KEVD or KEVA)
  1. (FZ95 or BTIN or IMSL)
  1. (KEVM or KEVT or SCAN)
  1. (RSET or INST or DELE)
  1. (SUAP or SUAO)
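
Review bot: The heading `### 5.3.5 SP-4 Large enterprise required mitigations` repeats both the clause number and the profile label of `### 5.3.5 SP-4 Small organization required mitigations` from the earlier hunk. The other headings in this change advance one step each (5.3.3 SP-2, 5.3.4 SP-3, 5.3.5 SP-4), so this one presumably needs the next clause number and the SP-5 label; please correct it before merging.
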
@@ -1216,23 +1273,32 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. AUTH-5
  1. AUTH-6
  1. CDST
  1. CONF-1
  1. CONF-2
  1. CONF-3
  1. CONF-4
  1. CONF-5
  1. CRYPT-1
  1. CRYPT-2
  1. DNSL-1
  1. DNSL-2
  1. DNSL-3
  1. DNSL-4
  1. DNSL-5
  1. DNSL-6
  1. DNSL-7
  1. DNSL-8
  1. DOST
  1. FAIR
  1. FDRP
  1. IPv6-1
  1. IPv6-2
  1. KEVA
  1. KEVD
  1. LMEM
  1. LOGG-1
  1. LOGG-2
  1. NPII-1
(NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. NUTI-1
  1. NUTI-2
  1. ROUT-1
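
Review bot: The line `(NUTI-1 or TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))` between `1. NPII-1` and `1. NUTI-1` has no `  1. ` list marker, so it will render as a continuation of the NPII-1 item rather than as its own entry. Add the marker and move it up with the other parenthesised choice items at the top of the list. As written it is also redundant, because `1. NUTI-1` is required unconditionally on the next line.
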
@@ -1242,4 +1308,12 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. SDRF
  1. SDTR
  1. SSCA
  1. SUAU
  1. SUCS
  1. SUED
  1. SUMV
  1. SURC
  1. SURP
  1. SUSR
  1. SUVH
  1. VULH