@@ -355,19 +355,17 @@ The essential functions of all SIEM systems are to collect, analyze and report o
## 4.8 Operational Environment
_Describe the expected operating environment given the exclusions in Section 4.2. This includes:_
The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.
* _Physical environment (if applicable)_
* _Networks it is connected to_
* _Supporting/associated devices_
* _Supporting/associated software or services_
* _Other relevant context_
The operating environment is expected in all cases to include the expectation of malicious actors present on the devices being monitored and the networks attached to any element. The SIEM system is expected to be a high-priority target of any intrusion, and it is expected that SIEM server elements (data collection, analysis, event generation, and storage) include mitigations for compromise of themselves.
_You may be able to use the following instructions taken from the Common Internet of Things draft:_
The SIEM clients may be running on a wide variety of devices. They may be reachable over the open internet, within private networks, or over VPNs. The SIEM collection server may request data from a wide range of software running on clients, including SIEM clients but also any software that serves logs or other security information via network APIs.
_Harmonised Standards not specifying a normative environmental profile should use the following text:_
Each of the SIEM server instances may be running on the user's infrastructure or as part of an RDPS.
_The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use._
The SIEM servers may be providing events and information to other systems, including SOAR and other security-related systems. The systems consuming this data may require specific service levels to conduct their security functions properly.
The SIEM system is expected to be administered in all cases by a sophisticated user, usually a professional administrator but occasionally a home hobbyist.
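Review bot: In the paragraph beginning "The operating environment is expected in all cases", the clause "include mitigations for compromise of themselves" states a requirement on the product rather than an assumption about its environment, and it does not say what the mitigations are meant to protect. Suggest keeping only the assumption here (malicious actors on the monitored devices and attached networks, the SIEM as a high-priority target) and moving the mitigation language to the requirements section, tied to the server elements it lists. "include the expectation of" can also be dropped so the sentence reads "is expected in all cases to include malicious actors". Two smaller points: the final paragraph calls the administrator "a sophisticated user" and then includes "a home hobbyist", so the assumed skill level should be stated one way or the other; and "RDPS" is not expanded anywhere in this hunk. The unitalicised paragraph starting "The technical requirements of the present document apply" repeats the italic template text further down and speaks of "equipment" rather than the SIEM, so check that it is not left in the final text.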