Commit a5c2e0db authored by Valerie Aurora

Update secure transfer requirements

parent 07c3f035
+13 −15
@@ -1479,9 +1479,9 @@ The product shall provide a method by which an authorized user can securely read

#### 5.2.X.x **MI-SDTR**: Secure data transfer to another product

The product shall provide a method by which an authorized user can securely transfer all data and settings from the product to another product.
If the product provides a method to transfer data and settings to another product, it shall do so securely.

  * Applicability: Product has the capability for the user to write data and/or settings
  * Applicability: Product has the capability for the user to write data and/or settings and to transfer them to another product.

  * Reference: TR-SDTR
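
Review bot: "securely" in the new requirement sentence is left undefined, while the test in the following hunk checks that an unauthorized user can neither read nor alter the transferred data. Suggest naming those properties in the requirement itself, for example "it shall protect the data and settings against being read or altered by an unauthorized user during the transfer", so that the requirement and its test agree. The new Applicability line also restates the condition already in the requirement ("If the product provides a method to transfer data and settings to another product"); stating it in one place is enough.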

@@ -1489,27 +1489,25 @@ The product shall provide a method by which an authorized user can securely tran

  * Preparation: Prepare methods by which an unauthorized user could read the data during transfer as outlined in the risk assessment

  * Activities: Read the data and settings, initiate the data transfer, and attempt to read the data and settings as an unauthorized user, then read the data and settings from the target product and compare with the data and settings read from the source product
  * Activities: Read the data or settings, initiate the data transfer, attempt to read or alter the transferred data and settings as an unauthorized user, read the new data and settings on the target product

  * Verdict: No data or settings were read by an an unauthorized user, and the data and settings read from the original product and target product are the same wherever technically possible => PASS, otherwise FAIL
  * Verdict: No data or settings could be read or altered by an an unauthorized user, and the data and settings read from the original product and target product are the same wherever technically possible => PASS, otherwise FAIL

  * Evidence: List of data and settings, log messages from the attempts to read data as the unauthorized user, data and settings as read from the source product and as read from the target product, comparison explaining technical reasons for any differences in the two veresions
  * Evidence: List of data and settings, log messages from the attempts to read or alter data as the unauthorized user, data and settings as read from the source product and as read from the target product, comparison explaining technical reasons for any differences in the two versions

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Risk factors | Requires mitigations |
|-------------------|----------------------|
|--------------|----------------------|
| SDS < 1      | none                 |
| SDS < 2 & COM < 2 | SDRF                 |
| SDS < 2      | SDRF                 |
| all others   | SDRF, SDTR           |

| Security Profile | Requires mitigations |
|------------------|----------------------|
| FIXME            | none                 |
| FIXME            | SDRF                 |
| FIXME            | SDRF, SDTR           |

> FIXME: Update when risk factors are fully filled out
| WD-\*            | none                 |
| WL-\*, VI-1      | SDRF                 |
| VI-2             | SDRF, SDTR           |

### 5.2.X Additional requirements
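
Review bot: the new Activities line drops the step "compare with the data and settings read from the source product", but the Verdict still requires that the data and settings on the original and target product "are the same wherever technically possible" and the Evidence still asks for a comparison explaining any differences. Suggest keeping the comparison as an explicit activity. The same line opens with "Read the data or settings" where the rest of the test says "data and settings", and the Verdict says "original product" where the Activities and Evidence say "source product"; pick one wording for each. The unchanged Preparation line only covers methods to "read the data during transfer", so it should be extended to altering now that the test attempts it. The new Verdict line also carries over the "an an unauthorized user" typo from the line it replaces.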