Commit 33b21ee9 authored by August Bournique's avatar August Bournique

Update file EN-304-622.md

parent 5f445cd5
+39 −11
@@ -177,7 +177,7 @@ This section provides terms and definitions based on CEN/CLC JTC13 WG09's work o

For the purposes of the present document, the [following] terms [given in ... and the following] apply:

1. Secuirity information and event managment systems: Software, hardware or a remote data processing solution (a service) that collects, analyzes, and reports security data from multiple sources to the user.  
1. **Security information and event managment systems**: Software, hardware or a remote data processing solution (a service) that collects, analyzes, and reports security data from multiple sources to the user.  
2. 


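Review bot: the replacement definition line still carries the misspelling "managment" in "Security information and event managment systems"; the term should read "Security information and event management systems" so that it matches the expansion of SIEM given under abbreviations. The empty "2." list item left after the definition should either receive its term or be dropped before merge, since it renders as a stray numbered bullet.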
@@ -192,7 +192,7 @@ For the purposes of the present document, the [following] symbols [given in ...

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:

1. SIEM: Security information and event management system
1. **SIEM**: Security information and event management system


# 4 Product context
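Review bot: the bolded "**SIEM**: Security information and event management system" entry is consistent with the bold term style now used in the terms list; note that this expansion is spelled "management" while the corresponding term definition in the previous hunk still reads "managment", so the two lists currently disagree on the spelling of the same term.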
@@ -222,21 +222,49 @@ The following types of products have reduced or varied requirements under the Cy
10. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a name="_ref_i.1">[i.1]</a>;
11. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a name="_ref_i.1">[i.1]</a>.

## 4.2 Product overview and architecture
## 4.3 Product overview and architecture

_Explain the overall architecture and relationship among the parts of the products. Use diagrams if that is helpful._

## 4.3 Use cases
## 4.4 Use cases

_Create a list of representative use cases, each one representing a different threat profile. If the threat profile is the same for two use cases, then it is basically the same use case for the purposes of the present document. Use cases should include both intended and reasonably foreseeable use/misuse. Use cases don't include industrial operations, automotive, transport, marine, airplane, medical, military, national security, etc._

_When you have many use cases, group them into 3 - 5 levels of risk. These will probably be your security levels._

## 4.4 Security levels
## 4.5 Risk Factors

_List the security levels and the use cases that correspond to them._
For each SIEM system placed on the market, the manufacturer shall develop a threat model and risk profile based on the intended purpose and reasonably foreseeable use of the SIEM system. Risk factors are specific elements of a product's intended or reasonably foreseeable use that are linked to or allow specific threats. Risk factors are one part of creating a product's risk profile. They define specific security requirements and mitigations that a the manufacturer will need to apply to a product and collectively define the product's security level.

## 4.5 Essential functions
### 4.5.1 List of Risk Factors

 The risk profile is derived from intended and reasonably foreseeable uses of the product. The following risk factors shall be addressed when developing the risk profile.

#### 4.5.1.1 Physical Access by Threat Actors to System

**[PHYS]**: Manufacturers of SIEM systems may implement protective measures to mitigate physical access based threats to the device.

PHYS-0: only used in environments with authorized users
PHYS-1: may be incidentally exposed to untrusted users
PHYS-2: used primarily by untrusted users, e.g. the general public

#### 4.5.1.2 Support Period

**[SUPP]**: Manufacturers shall implement protections and implement safeguards appropriate to the support period of a SIEM System

* SUPP-0: Support period of less than five years.
* SUPP-1: Support period of five to ten years.
* SUPP-2: Support period of ten years or longer.

#### 4.5.1.x

### 4.5.2 Mapping of Use Cases to Risk Factors

## 4.6 Security Levels

Security levels are a resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to specific mitigations for each security requirements necessary to treat the risk.

## 4.7 Essential functions

_List the essential functions of the product, including:_

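Review bot: several points in the new 4.5 Risk Factors block. First, "mitigations that a the manufacturer will need to apply" has a doubled article; suggest "that the manufacturer will need to apply". Second, the PHYS levels are written as three bare lines ("PHYS-0: only used in environments with authorized users" etc.) with no list markers and no blank lines between them, so in Markdown they will render as a single run-on paragraph; the SUPP levels in the same block use "* " bullets, and the PHYS lines should use the same. Third, the normative strength differs between the two factors: [PHYS] says manufacturers "may implement protective measures" while [SUPP] says they "shall implement protections", and the [SUPP] sentence is missing its terminating period. Fourth, "#### 4.5.1.x" and "### 4.5.2 Mapping of Use Cases to Risk Factors" are empty headings with no body; if they are placeholders for later work, a short note saying so would stop them reading as omissions. Finally, in 4.6 "specific mitigations for each security requirements" should be "each security requirement", and the unchanged 4.4 text still tells the author to group use cases into "3 - 5 levels of risk" that "will probably be your security levels", whereas the new 4.6 derives security levels from collections of risk factor levels; the two descriptions of how security levels arise should be reconciled.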
@@ -244,7 +272,7 @@ _List the essential functions of the product, including:_
* _How its functions are configured_
* _How it keeps itself secure and functioning_

## 4.6 Operational Environment
## 4.8 Operational Environment

_Describe the expected operating environment given the exclusions in Section 4.2. This includes:_

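Review bot: the context line "_Describe the expected operating environment given the exclusions in Section 4.2._" is unchanged while the headings around it were renumbered (4.6 became 4.8 here, 4.2 became 4.3 earlier in the patch); confirm that "Section 4.2" still points at the list of excluded or reduced-requirement product types rather than at the old "Product overview and architecture" heading, and update the cross-reference if not.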
@@ -260,7 +288,7 @@ _Harmonised Standards not specifying a normative environmental profile should us

_The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use._

## 4.7 Users
## 4.9 Users

_Describe the classes of users for this product, as differentiated by sophistication in understanding and taking responsibility for security risks. More sophisticated users can be expected to follow more instructions and cope with higher levels of unmitigated risks. Suggestions:_

@@ -270,13 +298,13 @@ _Describe the classes of users for this product, as differentiated by sophistica
* _IT professionals_
* _Systems integrators_

## 4.8 Risk distribution among components
## 4.10 Risk distribution among components

_Risk can be transferred between components, for example a network interface can document that secure update of its firmware must be handled by an external program, such as an operating system. In turn, the operating system can offer the security functionality of secure updates to other components in a system._

_Describe what risks are delegated to other components, as well as what security functionalities this product offers to things integrated with it._

## 4.9 Support period
## 4.11 Support period

The support period for a SIEM product shall be for a minimum of ten years unless the specific nature of the product justifies a reduced support period.
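Review bot: the context line under the renumbered 4.11 states that the support period "shall be for a minimum of ten years unless the specific nature of the product justifies a reduced support period", yet the new risk factor [SUPP] in 4.5.1.2 defines SUPP-0 as "less than five years" and SUPP-1 as "five to ten years" as ordinary levels. Either 4.11 should say that SUPP-0 and SUPP-1 are only available where such a justification exists, or 4.5.1.2 should state that SUPP-2 is the default and the lower levels are exceptions, so the two sections do not appear to contradict each other.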