Commit c1d9adcb authored by Valerie Aurora's avatar Valerie Aurora
Browse files

Add a few more risk factors and security profiles

parent 746bd010

EN-304-620-1.md

+47 −7
Original line number Diff line number Diff line
@@ -381,9 +381,13 @@ See [i.3] for formal definitions of micro, small, and medium-sized enterprises. 


## 4.5 Risk factors



### 4.5.1 General



The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below. Note that the numeric identifiers are just that—identifiers. They are not intended to implied tiered security needs.



### 4.5.1 End-point configuration

### 4.5.2 List of risk factors



#### 4.5.2.1 End-point configuration



Affects likelihood of threats involving misconfiguration.
@@ -391,7 +395,7 @@ Affects likelihood of threats involving misconfiguration. 
  * **CFG-L-1** End-point requires simple configuration, such as choosing a region to connect to

  * **CFG-L-2** End-point requires configuration by a skilled administrator



### 4.5.2 Account management and authentication of endpoints

#### 4.5.2.2 Account management and authentication of endpoints



Affects likelihood of threats involving authentication.
@@ -399,6 +403,39 @@ Affects likelihood of threats involving authentication. 
  * **AUT-L-1** Identity and authentication are managed by the customer through a centralized identity system

  * **AUT-L-2** Each system used by the customer involves its own set of account information and secrets



#### 4.5.2.3 Sensitivity of data



Affects impact of threats involving loss of data confidentiality, availability, or integrity.



  * **DAT-L-0** User data is generally trivial and unimportant

  * **DAT-L-1** User data is moderately important

  * **DAT-L-2** User data is important for preservation of human rights of user



#### 4.5.2.4 Sensitivity of functions



Affects impact of threats involving loss of availability of product functions.



  * **FUN-L-0** Loss of function would be a minor annoyance (e.g. preventing accessing unimportant web sites)

  * **FUN-L-1** Loss of function would impede daily activities

  * **FUN-L-2** Loss of function would threaten human rights of user



#### 4.5.2.5 Availability of administration



Affects likelihood and impact of all threats.



  * **[ADM-L-0]** Skilled administration, fully resourced

  * **[ADM-L-1]** Skilled administration, partially resourced

  * **[ADM-L-2]** Unskilled administration



### 4.5.3 Mapping of use cases to risk factors



| Use case                           | CFG | AUT | DAT | FUN | ADM |

|------------------------------------|-----|-----|-----|-----|-----|

| UC-1 | Individual consumer         |   1 |   0 |   0 |   0 |   2 |

| UC-2 | Privacy conscious household |   1 |   0 |   1 |   1 |   1 |

| UC-3 | Journalist or activist      |   1 |   1 |   2 |   2 |   1 |

| UC-4 | Small organization          |   2 |   1 |   1 |   1 |   0 |



## 4.6 Security profiles



### 4.6.1 Overview
@@ -411,13 +448,16 @@ Security profiles will be mapped to the security requirements necessary to mitig 


### 4.6.2 Mapping of security profile to risk factors



Each security profile will consist of the security requirements necessary to mitigate the threats related to the associated types of risk factors.

| Security profile                   | CFG | AUT | DAT | FUN | ADM |

|------------------------------------|-----|-----|-----|-----|-----|

| SP-1  Individual consumer          |   1 |   0 |   0 |   0 |   2 |

| SP-2  Privacy conscious household  |   1 |   0 |   1 |   1 |   1 |

| SP-3  Journalist or activist       |   1 |   1 |   2 |   2 |   1 |

| SP-4  Small organization           |   2 |   1 |   1 |   1 |   0 |



TODO risk factors, security profiles

### 4.6.3 Mapping of security profile to technical requirements and mitigations



| Security profile | INS     | PHY     | CFG     | EPH     | AUT     |

|------------------|---------|---------|---------|---------|---------|

| SEC-0            | INS-L-3 | PHY-L-0 | CFG-L-3 | EPH-L-2 | AUT-L-0 |

TBD



## 4.7 Essential functions