@@ -77,169 +77,8 @@ The Technical Body should advise the ETSI Secretariat if the above default natio
## 4.3 Product overview and architecture
## 4.5 Risk Factors
To obtain conformity with this standard, each NMS placed on the market, the manufacturer should perform an assessment following the methods detailed in Annex C and applying the criteria of Clause 6.
This assessment can provide a risk profile of the intended purpose and foreseeable uses of the NMS product.
When following this standard such an assessment should consider the interplay between:
- The complexity of foreseeable uses
- The likelihood of incidents, given the foreseeable uses
- The impact of incidents, given the foreseeable uses
- The complexity of foreseeable use
- The likelihood of an incident, given the foreseeable use
- The impact of an incident, given the foreseeable use
The technical requirements in clause 5 reflect the risks and provide mitigations for the use cases provided in clause 4.6 and intended deployment of NMS products.
Individual risks are judged using the risk factors described here, and determine the degree and type of security needed for specific related security requirements.
Clause 5.X maps each use case to a set of mitigations that reflect these risk factors and the overall risk of the product as a combination of the likelihood and potential impact of incidents.
Risk factor analysis of all appropriate risk factors can be combined to determine an overall risk of the product and label its risk as low, medium, or high. With this approach, each risk factor provides a description of high or low risk related to a particular aspect of the product and when combined a way to judge its overall security needs.
The risk is combination of likelihood and impact.
Each risk factor is evaluated using defined criteria for likelihood and impact. The resulting risk level is determined as low, medium, or high according to Table 4.5-1.
The set of resulting risk levels is then used to determine the applicable requirements in clause 5.
The end result is a three tier low-medium-high evaluation of that given risk factor.
A set of risk factors is used to determine what requirements apply to the product in the later section [5 Requirements specifications](#5-requirements-specifications).
The expectations on security are a sum of deployment, its environment, likelihood and impact. Therefore this risk factor is evaluated directly as perceived by the market the product is made available.
**Key:** [CENT] </br>
**Rationale:** Critical entity's operations are governance is defined by laws and guidances like the NIS2 [i.16] in addition to nation specific regulation.
Entities that require higher level of protection also expects more accuracy and scrunity from the product.
The deployment context may include additional mechanisms to detect and respond to security compromise.
[CENT] </br> risk level is **low** if:
- The product is intended for or foreseaably used to manage networks whose product user entity status is undefined.
- Product's intended deployment target is a household or a small business with under a thousand users.
[CENT] </br> risk level is **medium** if:
- The product is intended for or foreseaably used to manage networks whose entity status is undefined.
- The product serves for a medium-sized enterprise.
- or the number of managed elements is a thousand or over.
[CENT] </br> risk level is **high** if:
- The product is targeted important or essential entities.
| [4.4.2.2 Telecom network] | high | high | high | TBD |
The To Be Defined (TBD) represent manufacturer design choices and what market the product is intended to be used in.
The product can be targeted to an audience, where the given risk factor evaluation is different.
For example the [4.4.2.1 Office network] evaluation table could be expanded to all existing combinations of low, medium, and high, in the risk factors that has TBD in place.
When the same product is provided to multiple different markets, highest risk factor selection appears as an appropriate selection.
[4.4.1.1 IoT network with monitoring data collection]:#4411-iot-network-with-monitoring-data-collection
[4.4.1.2 Home network deployment]:#4412-home-network-deployment
[4.4.2.1 Office network]:#4421-office-network
[4.4.2.2 Telecom network]:#4423-telecom-network
## 4.6 Security Profile
In the present context a security profile is the identification and mapping of assets, threats, resulting risks, and mitigating objectives that are furthermore covered by security requirements. The mapping thereby ensures that all identified threats are repelled or mitigated.
All products with digital elements have a common set of requirements which is essential to be addressed regardless of the system design or of the intended market.
These essential security requirements are defined in the CRA [\[i.1\]](#_ref_i.1). The present document tries also to identify risk factors that are not obvious in all scenarios.
@@ -1255,23 +1255,140 @@ Other Union legislation may be applicable to the product(s) falling within the s
This Annex applies state of the art methodology to identify assets, threats, identify and evaluate risk factors, and define security profiles applicable to the different use cases identified in the product context.
<mark> Editor's Note: The standard may implement an existing methodology, referencing the standards where it is defined. However, this methodology shall not compete with the legal obligation to draft an overall risk assessemnt. Alternatively, the following structure has been proposed as part of the EC comments received, that may be adapted as relevant for each vertical:
<br>
B.1 Assets
<br>
B.2 Risk factors
<br>
B.3 Assumptions
<br>
B.4 Threats (including connection to risk factors)
<br>
B.5 Mapping of risk factors to use cases
<br>
B.6 Mapping of risk factors to security profiles
<mark> Editor's Note: The standard may implement an existing methodology, referencing the standards where it is defined. However, this methodology shall not compete with the legal obligation to draft an overall risk assessemnt.
</mark>
<mark>Use technical language and focus what is relevant from a product perspective</mark>
## B.1 Asets
## B.2 Risk Factors
This assessment provides a risk factors for the intended purpose and foreseeable uses of the product.
When following this standard such an assessment should consider the interplay between:
- The complexity of foreseeable uses
- The likelihood of incidents, given the foreseeable uses
- The impact of incidents, given the foreseeable uses
- The complexity of foreseeable use
- The likelihood of an incident, given the foreseeable use
- The impact of an incident, given the foreseeable use
The technical requirements in clause 5 reflect the risks and provide mitigations for the use cases provided in intended deployment of the product.
Individual risks are judged using the risk factors described here, and determine the degree and type of security needed for specific related security requirements.
Clause 5.X maps each use case to a set of requirements that reflect these risk factors and the overall risk of the product as a combination of the likelihood and potential impact of incidents.
Risk factor analysis of all appropriate risk factors can be combined to determine an overall risk of the product and label its risk as low, medium, or high.
With this approach, each risk factor provides a description of high or low risk related to a particular aspect of the product and when combined a way to judge its overall security needs.
The risk is combination of likelihood and impact.
Each risk factor is evaluated using defined criteria for likelihood and impact.
The resulting risk level is determined as low, medium, or high according to Table B.1.0-1.
The set of resulting risk levels is then used to determine the applicable requirements in clause 5.
- Managed network is complex with sophisticated functions and supporting services
- Managed network includes multiple interconnected sites
### B.2.3 Critical entity
The expectations on security are a sum of deployment, its environment, likelihood and impact. Therefore this risk factor is evaluated directly as perceived by the market the product is made available.
**Key:**[CENT](#b13-critical-entity)</br>
**Rationale:** Critical entity's operations are governance is defined by laws and guidances like the NIS2 [i.16] in addition to nation specific regulation.
Entities that require higher level of protection also expects more accuracy and scrunity from the product.
The deployment context may include additional mechanisms to detect and respond to security compromise.
risk level is **low** if:
- The product is intended for or foreseaably used to manage networks whose product user entity status is undefined.
- Product's intended deployment target is a household or a small business with under a thousand users.
risk level is **medium** if:
- The product is intended for or foreseaably used to manage networks whose entity status is undefined.
- The product serves for a medium-sized enterprise.
- or the number of managed elements is a thousand or over.
risk level is **high** if:
- The product is targeted important or essential entities.