Commit e45301e5 authored by Aeva Black, committed by Valerie Aurora

Update Annex D Section 1

parent 1505c82d
+23 −4
@@ -2071,7 +2071,26 @@ Security profiles are associated with sets of risk factor levels.

# Annex D (informative): Risk evaluation guidance

## D.1 Mapping of risks to requirements
## D.1 Explanation of Risk Modeling Approach

The risk modeling approach followed in this document can be applied to two situations:

1. _Covered_: For Manufacturers of products with use cases that are present in the text of this document, it states the mitigations which the product shall implement and provides guidance on how to verify that the mitigations are implemented in a product. Furthermore, it describes why that unique set of mitigations is sufficient for the use case.
1. _Not Covered_: For Manufacturers of products whose use case does not precisely match use cases covered in the present document, the methodology used herein may be further used to derive the appropriate set of mitigations for a given product, and to communicate this justification in a structured way. This could inform revisions of this document and the list of use cases over time.

**Methodology**

This section describes the metholodogy followed in the current text.

1. Document a comprehensive range of foreseeable use cases for products of this type.
1. For a particular use case, document the inherent and product-specific risk factors likely to affect products of that type which are not already covered by other relevant standards.
1. For that use case, document environmental risk factors likely to affect products of that type which are not already covered by other relevant standards.
1. For each risk factor identified in the prior two steps, document appropriate mitigations which should be present to mitigate the specific risk. If multiple mitigations relate to a common risk factor, indicate a risk-based prioritization to provide guidance on when each mitigation is appropriate. For each mitigation, also document at least one verification methodology.
1. Create a mapping between each use case and each risk factor, assigning a proportionality score. The scoring range should start from zero, representing the inapplicability of a risk factor to a use case, and increase monotonically based on both the likelihood and severity of potential harm or impact.
1. For each use case, verify that the proportional risk score (relative to other use cases) is informational. For example, use cases that are expected to pose little risk of harm, in the event of a cybersecurity incident, to the end user should have a lower score than use cases which are expected to pose higher risk of harm. This score is subjective and informative only.
1. Combine the output of the prior two steps to derive the completed list of required mitigations for each use case.

## D.2 Mapping of risks to requirements

| Threat | Requirements                             |
|--------|------------------------------------------|
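Review bot: the new D.1 methodology text has a typo in its opening sentence, "This section describes the metholodogy followed in the current text." should read "methodology". Step 6 is also hard to parse as written ("verify that the proportional risk score (relative to other use cases) is informational"); since the following sentences explain that the score is a subjective sanity check that lower-harm use cases score lower than higher-harm ones, consider rewording to something like "verify that the relative ordering of use-case risk scores is meaningful". Finally, "Combine the output of the prior two steps" in step 7 is ambiguous because step 6 produces no new artefact; stating which outputs are combined (the use-case/risk-factor mapping from step 5 and the per-risk-factor mitigations from step 4) would make the derivation of the D.2 table reproducible for a reader using the "Not Covered" path described at the top of the section.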
@@ -2086,15 +2105,15 @@ Security profiles are associated with sets of risk factor levels.
| MQSE   | CDTX, IDTX, SCUD, LOGG                   |
| AHHS   | NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, SDEF |

## D.2 Risks not treated by the requirements
## D.3 Risks not treated by the requirements

No risks are untreated by the requirements.

## D.3 Risk acceptance criteria
## D.4 Risk acceptance criteria

> Describe how to decide if residual risks are tolerable.

## D.4 Residual risks
## D.5 Residual risks

> Describe how to treat any residual risks, for example by documenting them or informing the user.
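Review bot: D.4 and D.5 are still template placeholders after the renumbering (the blockquoted "Describe how to decide if residual risks are tolerable." and "Describe how to treat any residual risks, ..."), so the annex now has a finished methodology in D.1 but no acceptance criteria or residual-risk treatment; either fill them in or mark them as TODO so readers do not take the prompts as normative text. The unconditional claim in D.3, "No risks are untreated by the requirements.", also sits awkwardly next to the new D.1 wording that the risk score "is subjective and informative only"; consider qualifying D.3 to say that every risk factor identified by the methodology maps to at least one requirement in the D.2 table, which is what the table actually supports.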