@@ -148,7 +148,7 @@ In the present document "**shall** ", "**shall not** ", "**should** ", "**should
The present document is a European harmonised standard that defines cybersecurity requirements for products with digital elements whose primary purpose is security information and event managment (SIEM) systems. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with the Cyber Resilence Act, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 [i.1].
The present document is a European harmonised standard that defines cybersecurity requirements for products with digital elements whose primary purpose is security information and event managment (SIEM) systems. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with the Cyber Resilence Act, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 [i.1].
This standard does not apply to products that contain SIEM elements or components but are part of other systems with a different core purpose. If the core purpose of the product is not that of a SIEM system, the the vertical standard covering that core purpose applys, and where no vertical standard for product's coure purpose exists the manufacturer must undertake an alternate process. However, this standard may be useful as one part such process demonstrating compliance for a product with digtial elements that contains or interacts with a SIEM system.
This standard does not apply to products that contain SIEM elements or components but are part of other systems with a different core purpose. If the core purpose of the product is not that of a SIEM system, the vertical standard covering that core purpose applies, and where no vertical standard for product's coure purpose exists the manufacturer must undertake an alternate process. However, this standard may be useful as one part such process demonstrating compliance for a product with digtial elements that contains or interacts with a SIEM system.
# 1 Scope
# 1 Scope
@@ -223,12 +223,12 @@ This section provides terms and definitions based on CEN/CLC JTC13 WG09's work o
For the purposes of the present document, the following terms apply:
For the purposes of the present document, the following terms apply:
**Administrator:** An entity that is responsible for management activities, including setting policies that are applied by the enterprise on the operating system. This administrator could be acting remotely through a management server, from which the system receives configuration policies. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
**Administrator:** An entity that is responsible for management activities, including setting policies that are applied by the enterprise on the SIEM system. This administrator could be acting remotely or locally. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
**Cloud:**
**Cloud:**
Data centre or collection of data centres operated entirely by a third party which rents out space and time on their equipment, as well as providing services for managing infrastructure from outside networks.
Data centre or collection of data centres operated entirely by a third party which rents out space and time on their equipment, as well as providing services for managing infrastructure from outside networks.
**Data Processing:** Data processing covers a wide array of activities performed, including by automated means, on data or any set of data. It includes but is not limited to: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, reporting, alignment, restriction, erasure, or destruction.
**Data Processing:** Data processing covers a wide array of operations, including by automated means, on data or any set of data. It includes but is not limited to: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, reporting, alignment, restriction, erasure, or destruction.
**Extract, Transform, and Load**: Typical data collection process, that describes how the system ingests information.
**Extract, Transform, and Load**: Typical data collection process, that describes how the system ingests information.
**Data processing**: Any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction. [i.3, Article 2 (7)]
**Data processing**: Any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction. [i.3, Article 2 (7)]
@@ -248,7 +248,7 @@ Data centre or collection of data centres operated entirely by a third party whi
**Software bill of materials:**
**Software bill of materials:**
Formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements.
Formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements.
**Remote data processing solution:** A component of a product with digital elements that performs one or more data processing activities necessary for one or more functions of a product with digital elements, is outside of the consumer or product owners' care, custody and control, and has been designed, in whole or in part, by or on behalf of the manufacturer of the product with digital element’s whose function or functions it provides. Remote data processing solutions often include, but are not limited to cloud services.
**Remote data processing solution:** A component of a product with digital elements that performs one or more data processing activities necessary for one or more functions of a product with digital elements. An RDPS is outside of the consumer or product owners' custody that has been designed, in whole or in part, by or on behalf of the manufacturer of the product with digital element’s whose function or functions it provides. A remote service is still considered a remote processing data processing solution if it is that has Remote data processing solutions often include, but are not limited to cloud services.<NOTE:REFINEDEFTOMATCHCRAART3(2)>
**Sensitive Data:** Sensitive data may include all user or enterprise data or may be specific application data such as PII, emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include credentials and keys.
**Sensitive Data:** Sensitive data may include all user or enterprise data or may be specific application data such as PII, emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include credentials and keys.
@@ -657,13 +657,17 @@ For backwards compatibility, use of other combinations of options other what is
### 5.2.6 Remote Data Processing Systems
### 5.2.6 Remote Data Processing Systems
RDPS is a remote system which has an essential role for one or more functions of the PwDE.
A remote data processing solution or "RDPS" is a system which has an essential role for one or more functions of the product that it performs remotely rather then locally. While many product update methods may fit into the definition of an RDPS, product update requirements are considered seperately in term [X.X] of this document.
That function can be the software update mechanism, if it is an integral part of the product. <mark>Verify this</mark>
As the RDPS is part of the PwDE, the deployment environment of the PwDE doesn't matter in this evaluation.
All remote data processing solutions are a component of the product but its use is independent of the product's deployment environment. An RDPS may or may not be under the control of the local instance of product.
The PwDE doesn't know how or where it is used, but does control the RDPS.
Common use for RDPS is to store the profile or configuration data outside of the device, in order to use it with similar devices, or access the data from a web interface.
while it may impact the tools available to an assesor, does not significantly change the security requirements associated with the product, its intended use or its functions. Similarly a remote data processing solution remains a component of the product even if it is made and operated by a third party as long as it performs the intended functions or the product.
<<NOTE: CRA DEF (ART 3(2) "‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;"
Remote data processing solutions can perform any function of the product, and are not limited to a product's core functions. Common uses of RDPS include remote storage of profile or configuration data, often to enable simialr devices to use or access the data from a web interface.
The system can also be a log storage or metrics collection endpoint, which is part of the PwDE design, but those have a dedicated section in this standard with detailed requirements.
The system can also be a log storage or metrics collection endpoint, which is part of the PwDE design, but those have a dedicated section in this standard with detailed requirements.
CRA applicability has as subtle difference in how the application is desigend.
CRA applicability has as subtle difference in how the application is desigend.
