@@ -793,14 +793,14 @@ FIXME add the separate concept of users apart from accounts
* ADMN-1: foreseeable use always has skilled administrators available on call
* ADMN-2: foreseeable use may involve unskilled administrators
#### 4.5.1.x Support and forseeable Updates
#### 4.5.1.x Support and Foreseeable Updates
**[RF-SUPP]:** How long the product is expected to be in use, and whether the product is expected to be updated throughout its life cycle.
* SUPP-0: foreseeable use does not require that the operating system be updated at any point in its lifecycle
* SUPP-1: foreseeable use limits the installation of updates to skilled administrators with access to the operating system
* SUPP-2: foreseeable use includes the installation of updates by end-users with access to the operating system
* SUPP-3: forseeable use necessitates that the manufacturor provide frequent, automatic, and/or time-sensitive updates to the product, and may reasonably include a requirement for over-the-air updates.
* SUPP-3: foreseeable use necessitates that the manufacturor provide frequent, automatic, and/or time-sensitive updates to the product, and may reasonably include a requirement for over-the-air updates.
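Review bot: The replacement SUPP-3 line fixes "forseeable" but leaves "manufacturor" in the same sentence; since the line is being touched anyway, correct it to "manufacturer" in the same change. The heading fix ("4.5.1.x Support and Foreseeable Updates") is fine as is.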
@@ -1645,51 +1645,56 @@ The product shall reset to its secure-by-default state after the secure deletion
> FIXME: Make the method of deletion depend on risk tolerance (low or med: simple reformat, high: overwrite once or delete key to encryped storage)
### 5.2.X **TR-SDTR**: Secure data transfer
### 5.2.X **TR-SDTR**: Secure data read and transfer
The product shall provide a method to securely transfer all data and settings from the product.
The product shall provide a method to read all data and settings from the product, and if provided, securely transfer data and settings to another product.
#### 5.2.X.x **MI-DTTH**: Secure data transfer from product
#### 5.2.X.x **MI-SDRF**: Secure data read from product
The product shall provide a method by which an authorized user can securely transfer all data and settings from the product.
The product shall provide a method by which an authorized user can securely read all data and settings from the product.
* Reference: TR-SDTR
* Objective: Secure data transfer
* Objective: Secure data read
* Preparation: List all data and settings.
* Preparation: List all data and settings
* Activities: For each kind of data or setting, read the data or setting as an authorized user, then attempt read the data or setting as an unauthorized user, if any exists
* Verdict: All data and settings can be read by the authorized user, and no data or setting can be read by an unauthorized user
* Verdict: All data and settings can be read by the authorized user, and no data or setting can be read by an unauthorized user => PASS, otherwise FAIL
* Evidence: List of data and settings, log message showing success or failure of each read by the authorized user and, if applicable, the unauthorized user
#### 5.2.X.x **MI-DTTH**: Secure read of data
#### 5.2.X.x **MI-SDTR**: Secure data transfer to another product
The product shall provide a method by which an authorized user can securely read all data and settings from the product.
The product shall provide a method by which an authorized user can securely transfer all data and settings from the product to another product.
* Reference: TR-SDTR
* Objective: Secure data transfer
* Preparation: List all data and settings.
* Preparation: Prepare methods by which an unauthorized user could read the data during transfer as outlined in the risk assessment
* Activities: For each kind of data or setting, read the data or setting as an authorized user, then attempt read the data or setting as an unauthorized user, if any exists
* Activities: Read the data and settings, initiate the data transfer, and attempt to read the data and settings as an unauthorized user, then read the data and settings from the target product and compare with the data and settings read from the source product
* Verdict: All data and settings can be read by the authorized user, and no data or setting can be read by an unauthorized user
* Verdict: No data or settings were read by an an unauthorized user, and the data and settings read from the original product and target product are the same wherever technically possible => PASS< otherwise FAIL
* Evidence: List of data and settings, log message showing success or failure of each read by the authorized user and, if applicable, the unauthorized user
* Evidence: List of data and settings, log messages from the attempts to read data as the unauthorized user, data and settings as read from the source product and as read from the target product, comparison explaining technical reasons for any differences in the two veresions
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
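Review bot: The new MI-SDTR verdict line has two typos that will ship if this is merged as is: "read by an an unauthorized user" (doubled "an") and "=> PASS< otherwise FAIL", where the stray "<" should be a comma to match the MI-SDRF verdict "=> PASS, otherwise FAIL" added in the same hunk. The new MI-SDTR evidence line also has "two veresions" for "two versions". Two smaller consistency points in the same region: the MI-SDRF preparation line was changed to drop its trailing period, but the MI-SDTR preparation line "List all data and settings." keeps it, and the unchanged MI-SDRF activities line still reads "then attempt read the data or setting" (missing "to"), which could be fixed here while the neighbouring lines are being rewritten.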