Commit 991968ef authored by Valerie Aurora's avatar Valerie Aurora
Browse files

Add documentation of sources of data processed requirement

parent 3760c281

EN-304-625.md

+30 −0
Original line number Diff line number Diff line
@@ -1144,6 +1144,36 @@ All sources of data processed by the device in its secure-by-default configurati 
|---------------------|----------------------|

| any                 | DJST                 |



### 5.2.X **TR-DMIN**:



The device shall minimize the data processed.



#### 5.2.X.x **MI-DJST**: Document and justify processed data



All sources of data processed by the device in its secure-by-default configuration shall be documented. All sources of data processed shall have a documented rationale for why its processing is necessary for the functioning of the product in its secure-by-default configuration.



  * Reference: TR-DMIN



  * Objective: Minimize data processed



  * Preparation: List all potential sources of data for the product. For each source of data, identify a method to detect whether the device is processing data from that source. List all states of the product with different exposed interfaces of the product in its secure-by-default configuration, including but not limited to initial configuration, startup, in use, idle, shutdown, and reset, if applicable. For each distinct source of data processed in any state of the product in its secure-by-default configuration, describe the data processed and why it must be processed for the product to perform its functions.



  * Activities: Using the list of sources of data, the list of states of the product, and the method to detect whether the device is processing data from that source, list all sources of data processed in each state. Compare to the documented list.



  * Verdict: All sources of processed data are documented, including rationale => PASS, otherwise => FAIL



  * Evidence: List of sources of data, list of product states, documentation of each source of data, list of sources of data processed in each state, connection between each discovered source of processed data to its documentation



#### 5.2.X.x Mapping of mitigations to risk factors and security profiles



| Risk factors        | Requires mitigations |

|---------------------|----------------------|

| any                 | DJST                 |



| Security Profile    | Requires mitigations |

|---------------------|----------------------|

| any                 | DJST                 |



### 5.2.X **TR-XXXX**: Encryption related stuff



Need to specify encryption related stuff that is not covered by ACM.