Unverified Commit c1317d8a authored by Aki Braun's avatar Aki Braun
Browse files

HAS 125; Move risk/requirement mapping

Resolves #362
parent 872231f3
Loading
Loading
Loading
Loading
+0 −23
Original line number Diff line number Diff line
@@ -1178,29 +1178,6 @@ This clause describes the methodology followed in the current text.
1. Develop security profiles from the use cases, which are collections of risk factor levels that can be used to fully describe the risk levels of all relevant threats. There may be one use case per security profile or multiple. There should be as many security profiles as are useful to manufacturers.
1. Using the risk factors in the security profiles and the risk formulas and mitigations for all threats, derive the completed list of required mitigations for each security profile.

## D.2 Mapping of risks to requirements

**Table D.2-1: Mapping of risks to requirements**

| Threat | Requirements                                                |
|--------|-------------------------------------------------------------|
| UEVU   | SSDD, NUTI, LOGG                                            |
| KEVU   | NKEV, SSDD, SCUD, NUTI, LOGG, VULH                          |
| UEAC   | AUTH, DMIN                                                  |
| RDOS   | AVAI                                                        |
| MITM   | CRYPT, LOGG                                                 |
| LEAK   | ROUT, CONF, DNSL, IPv6, CRYPT                               |
| PLNS   | EISO, CRYPT, AUTH, ROUT, DNSL                               |
| PLNM   | CRYPT, AUTH, ROUT, DNSL                                     |
| UNAA   | AUTH, LOGG                                                  |
| LDEL   | LOGG                                                        |
| CNFS   | CONF, TRAF, IPv6, CDST, LOGG                                |
| CNFM   | CONF, TRAF, IPv6, CDST, LOGG                                |
| META   | TODO                                                        |
| RCOM   | TODO                                                        |
| USED   | AUTH, CDST, SCDL, SDRF                                      |
| CPER   | AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDRF, LOGG |

## D.4 Risks not treated by the requirements

For each risk untreated by the product itself, a corresponding mitigation has been created to explicitly permit the risk to be transferred to the user or operational environment. These are:
+28 −3
Original line number Diff line number Diff line
@@ -1068,9 +1068,34 @@ The product shall protect data stored on the product from unauthorized access.

## 5.3 Risk mitigation sets

### 5.3.1 General

This clause lists all the mitigations necessary to meet requirements for each security profile. Security profiles are derived from the Use Cases in 4.7. See Annex C for more information.
### 5.3.1 Overview

This clause lists all the mitigations necessary to meet requirements for each security profile. Security profiles are derived from the Use Cases in 4.7. See Annex B for more information.

#### Mapping of risks to requirements

**Table 1: Mapping of risks to requirements**

_Editor's note: this table must be updated before the draft can be considered Final_

| Threat | Requirements                                                |
|--------|-------------------------------------------------------------|
| UEVU   | SSDD, NUTI, LOGG                                            |
| KEVU   | NKEV, SSDD, SCUD, NUTI, LOGG, VULH                          |
| UEAC   | AUTH, DMIN                                                  |
| RDOS   | AVAI                                                        |
| MITM   | CRYPT, LOGG                                                 |
| LEAK   | ROUT, CONF, DNSL, IPv6, CRYPT                               |
| PLNS   | EISO, CRYPT, AUTH, ROUT, DNSL                               |
| PLNM   | CRYPT, AUTH, ROUT, DNSL                                     |
| UNAA   | AUTH, LOGG                                                  |
| LDEL   | LOGG                                                        |
| CNFS   | CONF, TRAF, IPv6, CDST, LOGG                                |
| CNFM   | CONF, TRAF, IPv6, CDST, LOGG                                |
| META   | TODO                                                        |
| RCOM   | TODO                                                        |
| USED   | AUTH, CDST, SCDL, SDRF                                      |
| CPER   | AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDRF, LOGG |

### 5.3.2 SP-1 Individual consumer required mitigations