@@ -335,22 +335,21 @@ For each SIEM system placed on the market, the manufacturer shall develop a thre
The risk profile is derived from intended and reasonably foreseeable uses of the product. The following risk factors shall be addressed when developing the risk profile.
#### 4.5.1.1 Network Size and Complexity
#### 4.5.1.1 Number of ingested sources
**[COM]** The manufacturer shall determine the expected size and complexity of network and implement security requirments or mitigations sufficent for the variety and number of potential threats against different scale networks and networks containing multiple types of devices.
**[COM]**The manufacturer shall determine the expected size and complexity of ingested sources and implement security requirments or mitigations sufficent for the variety and number of potential threats against networks containing multiple types of devices.
- COM-1 Small network (under X devices) of same device type.
- COM-2 Large network (over X devices) or network of varied devices.
- COM-3 Large network (over X devices) of varied types.
* COM-1 Small
* COM-2 Medium
* COM-3 Large
#### 4.5.1.2 Degree of exposure
#### 4.5.1.2 API exposure
**[EXP]** A SIEM system may have varying degrees of exposure to untrusted users, public networks and external networks. The manufacturer shall implement security requirements and mitigations appropriate to the product's reasonably foreseeable level of exposure.
- EXP-0 Internal network
- EXP-1 Intra-connected network
- EXP-2 Other kinds of secure network?
- EXP-3 Dubious network/public internet
* EXP-0 Dedicated networks segment for event ingestion
* EXP-1 Mixed network segments for ingestion
* EXP-2 Ingestion API avaialble in publicly connectible interface
<mark>
1. Interfaces or sources that are just used
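Review bot: the reworded [COM] and [EXP] lines carry spelling errors that should be fixed before merge: "requirments", "sufficent" (in both the old and new [COM] sentence) and "avaialble" in "EXP-2 Ingestion API avaialble in publicly connectible interface"; also restore the space after the bold tag in `**[COM]**The manufacturer`. On substance, the new COM-1/COM-2/COM-3 levels ("Small", "Medium", "Large") drop the only quantitative hint the old levels had ("under X devices" / "over X devices"); without a stated count or rate of ingested sources a manufacturer cannot place a product in a level, so either keep a threshold placeholder or add a sentence saying how the boundaries are determined. The heading 4.5.1.2 is renamed to "API exposure" but the [EXP] paragraph still speaks of "exposure to untrusted users, public networks and external networks", so the paragraph should be reworded to match the ingestion-API framing of the new EXP-0..EXP-2 list. The new list items use `*` bullets while the rest of the section uses `-`; keep one style. Finally, the hunk ends on an opening `<mark>` with an unfinished numbered item ("Interfaces or sources that are just used"), which looks like an editing note that should either be completed or removed rather than published.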
@@ -369,28 +368,11 @@ The risk profile is derived from intended and reasonably foreseeable uses of the
<mark>How well the admin knows the company?</mark>
#### 4.5.1.4 SIEM System Deployment Isolation
**[ISO]**
**[ISO]**:
- ISO-0 SIEM system is hosted and managed on dedicated server or servers
- ISO-1 SIEM system is managed and hosted on server shared with other systems
- ISO-2 SIEM system is managed and hosted on remote server
#### 4.5.1.5 Physical Access by Threat Actors to System
**[PHY]**: Manufacturers of SIEM systems may implement protective measures to mitigate physical access based threats to the device.
- PHY-0: only used in environments with authorized users
- PHY-1: may be incidentally exposed to untrusted users
- PHY-2: used primarily by untrusted users, e.g. the general public
#### 4.5.1.6 Support Period
**[SUP]**: Manufacturers shall implement protections and implement safeguards appropriate to the support period of a SIEM System
- SUP-0: Support period of less than five years.
- SUP-1: Support period of five to ten years.
- SUP-2: Support period of ten years or longer.
* ISO-0 SIEM system has dedicated resources on dedicated tenant
* ISO-1 SIEM system has shared resources with other isolated tenants
* ISO-2 SIEM system shares resources and is installed on a shared tenant
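Review bot: the inline question `<mark>How well the admin knows the company?</mark>` is a draft note left in the text and should be resolved or removed. The [ISO] factor now reads only `**[ISO]**:` with no requirement sentence, unlike [PHY] and [SUP] which state what the manufacturer shall do; add a sentence such as "Manufacturers shall implement isolation controls appropriate to the deployment model of the SIEM system." The new ISO-0..ISO-2 bullets ("dedicated resources on dedicated tenant", "shared resources with other isolated tenants", "shares resources and is installed on a shared tenant") appear at the end of the hunk after the 4.5.1.6 Support Period list rather than under the 4.5.1.4 heading; please confirm they are meant to replace the old ISO-0..ISO-2 lines in place, and tighten the wording so ISO-1 and ISO-2 are clearly distinct (both involve shared resources, and the difference between "other isolated tenants" and "a shared tenant" is not explained). As in the previous hunk, the new items use `*` while the surrounding lists use `-`. Minor: the [SUP] sentence says "implement protections and implement safeguards" and lacks a terminating period.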