Commit 90d85573 authored by Santeri Toikka's avatar Santeri Toikka
Browse files

First outlines

parent 558df22c

EN-304-622.md

+23 −1
Original line number Original line Diff line number Diff line
@@ -198,6 +198,7 @@ The following referenced documents may be useful in implementing an ETSI deliver 




- <a name="_ref_i.1">[i.1]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

- <a name="_ref_i.1">[i.1]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

- <a name="_ref_i.1">[i.2]</a> NIST SP 800-128 (2011) Guide for Security-Focused Configuration Management of Information Systems

- <a name="_ref_i.1">[i.2]</a> NIST SP 800-128 (2011) Guide for Security-Focused Configuration Management of Information Systems

- <a name="_ref_i.1">[i.3]</a> EU 2023/2854 "Data Act"





- <a name="_ref_i.2">[i.x]</a> &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".

- <a name="_ref_i.2">[i.x]</a> &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".
@@ -212,6 +213,7 @@ For the purposes of the present document, the following terms apply: 
**Security Information and Event Managment system (SIEM):** solution analysing security data from multiple sources to the user

**Security Information and Event Managment system (SIEM):** solution analysing security data from multiple sources to the user

**Managed Security Service Provider (MSSP):** third party or manufacturer service that provides some or all SIEM functions to a customer

**Managed Security Service Provider (MSSP):** third party or manufacturer service that provides some or all SIEM functions to a customer

**Extract, Transform, and Load (ETL):** data collection process ingesting information

**Extract, Transform, and Load (ETL):** data collection process ingesting information

**Data processing**: set of operations which is performed on data [i.3, Article 2 (7)]





## 3.2 Abbreviations

## 3.2 Abbreviations
@@ -618,7 +620,27 @@ For backwards compatibility, use of other combinations of options other what is 




### 5.2.6 Remote Data Processing Systems

### 5.2.6 Remote Data Processing Systems





<mark>AMS: August and Daniel are working on this. Skip for now.</mark>

RDPS is a remote system which has an essential role for one or more functions of the PwDE.

That function can be the software update mechanism, if it is an integral part of the product. <mark>Verify this</mark>



As the RDPS is part of the PwDE, the deployment environment of the PwDE doesn't matter in this evaluation.

The PwDE doesn't know how or where it is used, but does control the RDPS.



Common use for RDPS is to store the profile or configuration data outside of the device, in order to use it with similar devices, or access the data from a web interface.

The system can also be a log storage or metrics collection endpoint, which is part of the PwDE design, but those have a dedicated section in this standard with detailed requirements.



CRA applicability has as subtle difference in how the application is desigend.

A website that is accessed with a browser is not in scope, but a online service which is used from an installed application is in scope.



General risks to consider with RDPS:



- Data integrity and confidentiality

  - Data corruption in transit

  - Lack of data validation

  - MitM

  - Multitenant data leakage

  - Offline fallback

- Unauthorized access and credential missuse





## 5.3 Risk Mitigations

## 5.3 Risk Mitigations