@@ -383,14 +383,21 @@ See [i.3] for formal definitions of micro, small, and medium-sized enterprises.
The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below. Note that the numeric identifiers are just that—identifiers. They are not intended to implied tiered security needs.
* End-point configuration
***CFG-L-1** End-point has limited user configuration options, such as choosing a region to connect to
***CFG-L-2** End user is provided clear configuration instructions and software is supplied directly by manufacturer or MDM
* Account management and authentication of endpoints
***AUT-L-0** Customer uses third party identity provider
***AUT-L-1** Account details are managed by the customer through a centralized identity system (e.g. active directory)
***AUT-L-2** Each system used by the customer involves its own set of account information & secrets
### 4.5.1 End-point configuration
Affects likelihood of threats involving misconfiguration.
***CFG-L-0** End-point requires no configuration
***CFG-L-1** End-point requires simple configuration, such as choosing a region to connect to
***CFG-L-2** End-point requires configuration by a skilled administrator
### 4.5.2 Account management and authentication of endpoints
Affects likelihood of threats involving authentication.
***AUT-L-0** Customer uses third party identity and authentication provider
***AUT-L-1** Identity and authentication are managed by the customer through a centralized identity system
***AUT-L-2** Each system used by the customer involves its own set of account information and secrets
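Review bot: The CFG-L-2 entry under 4.5.1 ("End-point requires configuration by a skilled administrator") no longer carries the condition from the flat-list wording that "software is supplied directly by manufacturer or MDM", so software provenance is not captured by any CFG factor in this hunk. If it is meant to stay part of the risk assessment, keep it as its own factor or say where it is now covered. The same applies to AUT-L-1 under 4.5.2, which drops the "(e.g. active directory)" example. A short note on whether it was removed deliberately would help readers map the factor to their own setup. On markup, the factor lines are written as `***CFG-L-0**` with no space after the list asterisk, which most Markdown renderers will not treat as a bullet followed by bold text; `* **CFG-L-0**` would be safer. The context line above the list also reads "not intended to implied tiered security needs", where "imply" is meant. Since the factors in 4.5.1 now run from "no configuration" to "skilled administrator", consider stating explicitly whether that ordering is meant to be read as increasing likelihood.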