Commit 39b1e918 authored by Valerie Aurora

Update data minimization requirement to sync with OS

parent 414c5fe3
+5 −3
@@ -1243,6 +1243,8 @@ The product shall provide a method by which an authorized user can securely tran

### 5.2.X **TR-DMIN**:

#### 5.2.X.x Requirement

The product shall minimize the data processed.

#### 5.2.X.x **MI-DJST**: Document and justify processed data
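Review bot: The heading "### 5.2.X **TR-DMIN**:" at the top of this hunk ends in a colon with no title, while the mitigation heading at the bottom of the hunk carries one ("**MI-DJST**: Document and justify processed data"). Give TR-DMIN a title in the same form so the requirement can be referenced by name. The requirement sentence "The product shall minimize the data processed." also gives an assessor no criterion on its own; a short pointer under the Requirement heading to MI-DJST as the way conformance is demonstrated would tie the two together.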
@@ -1253,13 +1255,13 @@ All sources of data processed by the product in its secure-by-default configurat

  * Objective: Minimize data processed

  * Preparation: List all potential sources of data for the product. For each source of data, identify a method to detect whether the product is processing data from that source. List all states of the product with different exposed interfaces of the product in its secure-by-default configuration, including but not limited to initial configuration, startup, in use, idle, shutdown, and reset, if applicable. For each distinct source of data processed in any state of the product in its secure-by-default configuration, describe the data processed and why it must be processed for the product to perform its functions.
  * Preparation: List all potential sources of data for the product. For each source of data, identify a method to detect whether the product is processing data from that source.

  * Activities: Using the list of sources of data, the list of states of the product, and the method to detect whether the product is processing data from that source, list all sources of data processed in each state. Compare to the documented list.
  * Activities: Using the list of sources of data, and the method to detect whether the product is processing data from that source, list all sources of data processed. Compare to the documented list.

  * Verdict: All sources of processed data are documented, including rationale => PASS, otherwise => FAIL

  * Evidence: List of sources of data, list of product states, documentation of each source of data, list of sources of data processed in each state, connection between each discovered source of processed data to its documentation
  * Evidence: List of sources of data, documentation of each source of data, list of sources of data processed, connection between each discovered source of processed data to its documentation

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
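Review bot: The replacement Preparation line drops the step "describe the data processed and why it must be processed for the product to perform its functions", but the Verdict still requires "documented, including rationale" and the Activities line still says "Compare to the documented list", so the assessment now depends on documentation that no step asks for. Either keep that sentence in Preparation or state that the documentation comes from the MI-DJST mitigation text. Removing the list of product states also removes the "secure-by-default configuration" scope from Preparation, while the mitigation text in the hunk header still limits itself to that configuration; restate the scope in Preparation so that data processed only during states such as initial configuration or reset is not left to the assessor's judgment. Minor: the comma after "sources of data" in the new Activities line ("Using the list of sources of data, and the method ...") is left over from the three-item list and should be dropped.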