Merge branch '79-has18-make-risk-factors-descriptive-4-5' into 'main'

## 4.5 Risk Factors

For each NMS placed on the market, the manufacturer shall develop a threat model and risk profile of the foreseeable use of the NMS, and shall consider the interplay between:

To address the risks of an NMS product prior a manufacturer's placing it on the market this standard encourages the manufacturer to threat model and risk profile of the use of the product, including its foreseeable uses, and considering the interplay between:

-   complexity of foreseeable use

-   likelihood of an incident, given the foreseeable use

-   impact of an incident, given the foreseeable use

-   The complexity of foreseeable uses

-   The likelihood of incidents, given the foreseeable uses

-   The impact of incidents, given the foreseeable uses

The security profile requirements reflects the intended deployment of the NMS.

The security profile requirements in clause X reflect use cases and intended deployment of the NMS. Security profiles are based on overall risk of the product, a combination of likelihood and potential impact of incidents. Individual risks are judged using the risk factors described here in Annex D, and determine the degree and type of security needed for specific related security requirements.  

The risk is combination of likelihood and impact.

Each risk factor has instructions when the product should be evaluated in high or low in the respected categories.

The end result is a three tier low-medium-high evaluation of that given risk factor.

A set of risk factors is used to determine what requirements apply to the product in the later section [5 Requirements specifications](#5-requirements-specifications).

Risk factor analysis of all appropriate risk factors can be combined to determine an overall risk of the product and label its risk as low, medium, or high. With this approach, each risk factor provides a description of high or low risk related to a particular aspect of the product and when combined a way to judge its overall security needs.

Each risk factor uses a three tier, low-medium-high risk structure. A set of risk factors is used to determine what requirements apply to the product in the later section [5 Requirements specifications](#5-requirements-specifications).

**Table 4.5-1: Determining risk level**

Number of affected Service Requesting Users [<a href="#_term_.SRU">SRU</a>]

**Key:** [SRU]<br/>

**Rationale:** the affected user base should be accounted for in the risk definition

**Rationale:** Affected user base are a factor when determining risk.

For **likelihood** select **low**, if:

- well defined trafic

- small amount of different traffic classes like IoT network data collection and software updates

- the SRUs are other devices with well-known communication needs

[SRU]<br/> risk **likelihood** is **low**, where:

- The NMS's managed network has well defined traffic.

- The NMS's managed network has only a small variety of traffic classes, for example: IoT network data collection and software updates.

- The NMS's managed network's SRUs are limited to other devices with well-known communication needs.

For **likelihood** select **high**, if:

- arbitrary traffic

- serving human users with possible various devices like laptops and mobile phones

[SRU]<br/> risk **likelihood** is **high**, if:

- The NMS's managed network networtk has arbitrary and poorly defined traffic.

- The NMS's managed network serves human users, each with multiple varied devices such as laptops and mobile phones.

For **impact** select **low**, if:

- single household or a small business, small ammount of SRUs

[SRU]<br/> risk **impact** is **low**, if:

- The NMS's managed network serves single household or a small business, small ammount of SRUs.

For **impact** select **high**, if:

- larger business with multiple sites connected to the same internal network structure

- public telecommunication network providers, Internet service providers, large amount of SRUs

[SRU]<br/> risk **impact** is **high**, if:

- The NMS's managed network is a larger enterprise network with multiple sites connected to the same internal network structure.

- The NMS's managed network is a public telecommunication network provider, Internet service provider, or other network with a large amount of SRUs.

[SRU]: #4511-service-requesting-users

#### 4.5.1.2 Complexity of managed network element implementation

**Key:** [Complexity]<br/>

**Rationale:** The complexity and number of devices, functions, and sites managed or performed by the NMS are a factor when determining risk.

For **likelihood** select **low**, if:

- Minimal features

- Simple functionality like IoT device that sends data to the NMS

- Some simple features enabled for basic networking functionalities like firewall, DHCP

[Complexity]<br/> risk **likelihood** is **low**, if:

- The NMS has minimal features

- The NMS receives data only from simple devices, like a network of IoT devices the that send basic availability metrics to the NMS

- The NMS also enables some simple features for basic networking functionalities like firewall, DHCP

For **likelihood** select **high**, if:

- Exposed connectivity services like VPN and SDN

- Number of provided network services is high

- Multiple interconnected sites

[Complexity]<br/> risk **likelihood** is **high**, if:

- NMS managed network is has exposed connectivity services like VPN and SDN.

- NMS provides a high number of network services.

- NMS managed network includes multiple interconnected sites

For **impact** select **low**, if:

- Limited device capabilities

- Idempotent design

[Complexity]<br/> risk **impact** is **low**, if:

- NMS managed devices have limited capabilities

- NMS uses idempotent design

For **impact** select **high**, if:

- Managed element does dynamic routing table modifications

- Complex network element with sophisticated functions and supporting services

- Multiple interconnected sites

[Complexity]<br/> **impact** is **high**, if:

- NMS managed network performs dynamic routing table modifications

- NMS managed network is complex with sophisticated functions and supporting services

- NMS managed network includes multiple interconnected sites

[Complexity]: #4512-complexity-of-managed-network-element-implementation

- The deployment context has other mechanisms that helps to identify and react to the security compromises

For risk level, select **low** if:

- NIS2 status is undefined

- The intended deployment target is a household or a small business

[NIS2] </br> risk level is **low** if:

- NMS is intended for or foreseaably used to manage networks whose NIS2 status is undefined.

- NMS's intended deployment target is a household or a small business with under a thousand users.

For risk level, select **medium** if:

- NIS2 status is undefined

- The product serves a larger audience

- The managed element is widely used and

[NIS2] </br> risk level is **medium** if:

- NMS is intended for or foreseaably used to manage networks whose NIS2 status is undefined.

- The NMS product is intended or foreeable used an audience of over a thousand users. 

- The NMS managed network element is widely used and often used to store significant amounts of personal or financial data.   

For risk level, select **high** if:

- The product is targeted to NIS2 important or essential entities

[NIS2] </br> risk level is **high** if:

- - NMS is intended for or foreseaably used to manage networks whose NIS2 status is as important or essential entities 

[NIS2]: #4513-security-expectations-of-the-deployment-context

#### 4.5.1.4 Deployment context network segmentation

**Key:** [Segment]

**Key:** [Segment] </br>

**Rationale:** The level of segementation and isolation of the NMS managed network are a factor when determining risk.

For **likelihood** select **low**, if:

- Network physically isolated from public networks with strong physical access control procedures

[Segment] </br> **likelihood** is **low**, if:

- NMS managed network is physically isolated from public networks with strong physical access control procedures.

For **likelihood** select **high**, if:

- Connected network with multiple entry points to public networks filtered by firewalls

- No segmentation used

[Segment] </br> **likelihood** is **high**, if:

- NMS managed network is connected with multiple entry points to public networks filtered by firewalls.

- NMS managed network uses no segmentation.

For **impact** select **low**, if:

- Network is segmented in a way, that management traffic is not mixed with the payload data

- Single segment is used, and the number of connect devices in the network is low

[Segment] </br> **impact** is **low**, if:

- NMS managed network is segmented in a way that does not mix management traffic with payload data.

- NMS managed network uses single segment, but the number of connect devices in the network is low.

For **impact** select **high**, if:

- Network is segmented, and the segmentation is trusted to provide additional security

- Different traffic classes including control, management and payload shares the same network segment

[Segment] </br> **impact** is **high**, if:

- NMS managed network is segmented, and the segmentation is trusted to provide additional security.

- Traffic classes including control, management and payload shares the same segment on the NMS managed network.

[Segment]: #4514-deployment-context-network-segmentation