@@ -297,15 +297,15 @@ More about assets in [Annex C.1 Assets](#c1-assets) and [Annex C.2 Data](#c11-da
## 4.4 Use cases
This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. Each use case is mapped to a security level, which is a collection of risks and the security requirements necessary to mitigate them.
This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. Each use case is mapped to a security profile, which is a collection of risks and the security requirements necessary to mitigate them.
Manufacturer shall delcare what risk factors it's product is meant to be evaluated at.
As the technical definition of NMS describes the product being a system [Section 1.2] with connected elements like routers, NMS is an aggregate product.
As the technical definition of NMS describes the product being a system [Section 1.2](#12-products-in-scope) with connected elements like routers, NMS is an aggregate product.
Aggregate product can have components, like OS and virtual networking interfaces, which are evaluated outside of the scope of this standard.
Manufacturer shall be responsible of implementing all security measurments regardless of what subcomponents are in use.
Manufacturer shall be responsible of implementing all security measurements regardless of what subcomponents are in use.
### 4.4.1 Distributed deployment
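Review bot: The line "Manufacturer shall delcare what risk factors it's product is meant to be evaluated at." still carries "delcare" and "it's" even though this change fixes "measurments" two sentences later; correct it to "declare" and "its" in the same pass. In the last sentence of the paragraph, "responsible of implementing all security measurements" should probably read "responsible for implementing all security measures", since "measurements" suggests metrics rather than controls. The "[Section 1.2](#12-products-in-scope)" link also omits the section title, unlike "[Annex C.1 Assets](#c1-assets)" shown in the hunk header.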
@@ -443,19 +443,17 @@ Security profiles are associated with sets of risk factor levels.
## 4.7 Essential functions
> List the essential functions of the product, including:
>
> - What it does during its intended or reasonably foreseeable use?
> - How its functions are configured?
> - How it keeps itself secure and functioning?
These essential functions lists, as an example, what the product does during it's intentent use, how it's functions are covered and how it keeps it self secure and functioning.
- Network element configuration and change management
- Role based access control
- Performance metrics assuring that the operation of the network is in the nominal levels
- Fault discovery
- Fault discovery and recovery
- Dynamic routing and switching control based on requests. Used extensively with Software Defined Networks.
- Device discovery
- Device inventory management
- User authorization
- Produce logs and traces for security and operational analysis
## 4.8 Operational Environment
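Review bot: The sentence introducing the list in 4.7 ("These essential functions lists, as an example, ...") needs a language pass: "lists" should be "list", "it's intentent use" should be "its intended use", "it's functions" should be "its functions" and "it keeps it self" should be "itself". It also says the functions are "covered" where the template prompt asks how they are "configured"; if configuration is meant, keep that word so the section answers the prompt. In the list, "Role based access control" and "User authorization" overlap; consider merging them or stating how they differ.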
@@ -476,9 +474,14 @@ A NMS is often a compilation of different subsystems performing the task of the
### 4.10.1 General
### 4.10.2 Security functions provided outside the product
For each security requirement, a product may:
1. Provide all necessary security functions itself
2. Require security functions be provided by some other part of its context
3. Provide security functions for the use of other components
> Describe what security functions are delegated to other components.
### 4.10.2 Security functions provided outside the product
The following security functionalities may be handled by other components in the system:
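Review bot: The heading "### 4.10.2 Security functions provided outside the product" appears twice in this hunk, once directly after "### 4.10.1 General" and once after the template prompt. Make sure only one copy remains after the change, otherwise the section number and its generated anchor are duplicated, and confirm that the "For each security requirement, a product may:" list ends up under 4.10.1 General as intended. Item 2 would read better as "Require that security functions be provided by some other part of its context".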
@@ -551,10 +554,7 @@ The metrics can be for example the last time when the managed element has been s
# Annex B (informative): Relationship between the present document and any related ETSI standards (if any)
> List any related ETSI standards and how they interact with the present document.
# Annex C (informative): Risk identification and assessment methodology
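Review bot: Annex B is left without any body text in this hunk apart from the template prompt, and its heading still ends in the template wording "(if any)". Either list the related ETSI standards here or state explicitly that there are none, and drop "(if any)" from the heading once the annex content is decided.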
@@ -608,7 +608,7 @@ The manufacturer shall follow the CRAs pricibles of implementing high level of c
### C.1.2 Product functions
> See the functions in Section 4.4.
See the functions in [Section 4.7 Essential functions](#47-essential-functions).
## C.2 Threats
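Review bot: The sentence shown in the hunk header just above C.1.2 reads "CRAs pricibles"; it should be "CRA's principles" and is worth fixing while this part of Annex C is being edited. The corrected cross-reference to "[Section 4.7 Essential functions](#47-essential-functions)" matches the "## 4.7 Essential functions" heading; check whether any other "Section 4.4" references in the document were meant to point at essential functions rather than use cases.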
@@ -676,7 +676,7 @@ The manufacturer shall follow the CRAs pricibles of implementing high level of c
## C.4 Risk assessments of threats
> For each threat identified above, use likelihood and magnitude of the threat to assess its risk in the context of use cases. The results should be consistent with the mapping of use cases to security levels.
> For each threat identified above, use likelihood and magnitude of the threat to assess its risk in the context of use cases. The results should be consistent with the mapping of use cases to security profiles.
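Review bot: The C.4 line being renamed from "security levels" to "security profiles" is still a template prompt in a ">" block, so the section has no risk assessment content of its own. If the prompt is meant to stay until the assessments are written, that is fine, but search the rest of the document for remaining "security level" wording so the terminology change is complete.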