Commit 63e9e855 authored by Valerie Aurora (Bow Shock)

Minor spelling/formatting

parent 1112b330
+35 −41
<div style="text-align: center;">

![](media/etsi-coverpage-logo.png)
![HARMONISED EUROPEAN STANDARD](media/etsi-coverpage-logo.png)

# HARMONISED EUROPEAN STANDARD

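Review bot: the alt text added to the logo image, "HARMONISED EUROPEAN STANDARD", repeats the H1 directly below it instead of describing the image (media/etsi-coverpage-logo.png), so a screen reader announces the same phrase twice. Suggest an alt text that names the image, e.g. `![ETSI logo](media/etsi-coverpage-logo.png)`, and let the heading carry the title.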
@@ -162,7 +162,7 @@ This category includes but is not limited to:

* general purpose operating systems
* personal computing operating systems
* mobile phone operating systemsg
* mobile phone operating systems
* server operating systems
* real-time operating systems
* embedded operating systems
@@ -359,7 +359,7 @@ An operating system abstracts the hardware and provides services to other softwa

## 4.4 Use Cases

_The following use cases are provided to assist manafacturers in selecting risk factors and security levels. This is not intended to be an exhaustive or complete list of all possible use cases._
_The following use cases are provided to assist manufacturers in selecting risk factors and security levels. This is not intended to be an exhaustive or complete list of all possible use cases._

* UC-IoT-1 A non-internet-connected device such as a bluetooth speaker
  * does not store any user-specific data
@@ -397,7 +397,7 @@ _The following use cases are provided to assist manafacturers in selecting risk
  * stores highly sensitive personal information
  * large number of sensors allow mass collection of sensitive personal data
  * size and cost make it a common target of theft
  * device usage is not limited to trusted locations and loss is forseeable
  * device usage is not limited to trusted locations and loss is foreseeable
  * hardware and operating system configuration not intended for modification by users
  * end-users frequently install software of uncertain provenance
  * device frequently connects to untrusted networks
@@ -415,12 +415,12 @@ _The following use cases are provided to assist manafacturers in selecting risk
* UC-PC-1 A personal computer in a fixed and generally safe location
  * hardware, software and operating system may be configured and modified by the end-user
  * the user may not be either highly skilled or an authorized representative of the manufacturer
  * forseeably connects to the internet and to low-trust local networks, but is not reachable from the open internet
  * foreseeably connects to the internet and to low-trust local networks, but is not reachable from the open internet
  * stores personal information and arbitrary files

* UC-PC-2 A personal laptop
  * hardware, software and operating system may be configured and modified by the end-user
  * device is a forseeable target of theft and tampering by untrusted 3rd parties
  * device is a foreseeable target of theft and tampering by untrusted 3rd parties
  * stores personal information and arbitrary files
  * unrestricted connection to the internet
  * is frequently connected to untrusted networks
@@ -478,7 +478,7 @@ Remaining use cases to code:

### 4.5.1 List of risk factors

For each operating system placed on the market, the manufacturer shall develop a threat model and risk profile based on the forseeable use of the operating system. The risk profile is derived from the forseeable use of the product. The following risk factors shall be taken into account when developing the risk profile.
For each operating system placed on the market, the manufacturer shall develop a threat model and risk profile based on the foreseeable use of the operating system. The risk profile is derived from the foreseeable use of the product. The following risk factors shall be taken into account when developing the risk profile.

Note: "account" refers to a user in the operating systems sense: a unique system identity associated with certain authorization and permissions. "User" refers to an entity that uses the device for some purpose. Users may have many accounts and accounts may have many users.

@@ -502,7 +502,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system

**[DATA]:** Manufacturers of operating systems may implement measures to prevent the on-device storage of user data, and shall document this and implement appropriate steps to ensure that no user data is stored on the device. Manufacturers may also enable the storage of specific types of data or generally of any user-specified data, and shall document the measures available for the protection of such data.

* DATA-0: the operating system is effectively unable to store per-user data in its forseeable use
* DATA-0: the operating system is effectively unable to store per-user data in its foreseeable use
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data

@@ -529,59 +529,59 @@ FIXME add SENS

**[LOSS]:** likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.

* LOSS-0: forseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: forseeable use of the operating system is in a device with only incidental loss likelyhood
* LOSS-2: forseeable use of the operating system is in a device with moderate loss likelyhood
* LOSS-3: forseeable use of the operating system is in a device with a high loss likelyhood, such as devices which are common targets of theft such as mobile phones
* LOSS-0: foreseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: foreseeable use of the operating system is in a device with only incidental loss likelyhood
* LOSS-2: foreseeable use of the operating system is in a device with moderate loss likelyhood
* LOSS-3: foreseeable use of the operating system is in a device with a high loss likelyhood, such as devices which are common targets of theft such as mobile phones

#### 4.5.1.7 Hardware Modifiability by End Users

**[HWMD]:** Manufacturers of operating systems shall account for forseeable risks from hardware modifications within the intended use of the product.
**[HWMD]:** Manufacturers of operating systems shall account for foreseeable risks from hardware modifications within the intended use of the product.

* HWMD-0: forseeable use of the operating system is limited to devices with hardware that is not modifiable by end-users
* HWMD-1: forseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: forseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer
* HWMD-0: foreseeable use of the operating system is limited to devices with hardware that is not modifiable by end-users
* HWMD-1: foreseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: foreseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer

#### 4.5.1.8 Software Modifiability by End Users

**[SWMD]:** Manufacturers of operating systems which are designed to allow end-users to install or substantially modify the software shall account for the risks from arbitrary software execution.

* SWMD-0: forseeable use lacks any reasonable means for end-users to install or modify the software
* SWMD-1: forseeable use only allows the installation of trusted and verified software
* SWMD-2: forseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
* SWMD-3: forseeable use actively encourages and facilitates the installation of arbitrary software
* SWMD-0: foreseeable use lacks any reasonable means for end-users to install or modify the software
* SWMD-1: foreseeable use only allows the installation of trusted and verified software
* SWMD-2: foreseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
* SWMD-3: foreseeable use actively encourages and facilitates the installation of arbitrary software

#### 4.5.1.9 Untrusted Peripheral Devices

**[DVCS]:** Manufacturers of operating systems which are intended for devices that support attached peripheral devices, such as those utilizing USB or PCI conenctions, shall account for the risk posed by untrusted or compromised peripheral devices and implement appropriate safeguards.

* DVCS-0: forseeable use has no accessible peripheral ports
* DVCS-1: forseeable use includes only trusted and safe peripheral devices
* DVCS-2: forseeable use allows for arbitrary peripheral device attachment
* DVCS-0: foreseeable use has no accessible peripheral ports
* DVCS-1: foreseeable use includes only trusted and safe peripheral devices
* DVCS-2: foreseeable use allows for arbitrary peripheral device attachment

#### 4.5.1.10 Access To The Internet

**[TNET]:** Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and forseeable use of the operating system.
**[TNET]:** Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and foreseeable use of the operating system.

* TNET-0: forseeable use has no mechanism to reasonably connect to the internet
* TNET-1: forseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: forseeable use allows for arbitrary access to the internet, such as by browsing the web
* TNET-0: foreseeable use has no mechanism to reasonably connect to the internet
* TNET-1: foreseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: foreseeable use allows for arbitrary access to the internet, such as by browsing the web

#### 4.5.1.11 Accessed From Untrusted Networks Including The Internet

**[FNET]:** Manufacturers of operating systems designed to be connected to directly from the internet, rather than placed behind NAT or a firewall, shall implement appropriate safeguards to mitigate risks.

* FNET-0: forseeable use is limited to trusted and private networks
* FNET-1: forseeable use includes untrusted local networks but not the open internet
* FNET-2: forseeable use includes being connected directly to the open internet
* FNET-0: foreseeable use is limited to trusted and private networks
* FNET-1: foreseeable use includes untrusted local networks but not the open internet
* FNET-2: foreseeable use includes being connected directly to the open internet

#### 4.5.1.12 Configurability

**[CONF]:** Manufacturers of operating systems which are intended to be configurable by end users shall provide secure-by-default configurations and document all available configuration options. Such documentation shall detail any effects on safety and security that such configuration changes may cause.

* CONF-0: forseeable use of the operating system prevents or is incapable of storing configuration changes.
* CONF-1: forseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff.
* CONF-2: forseeable use of the operating system includes configuration changes by end-users.
* CONF-0: foreseeable use of the operating system prevents or is incapable of storing configuration changes.
* CONF-1: foreseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff.
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users.

### 4.5.1 Mapping of use cases to risk factors

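Review bot: the spelling pass is incomplete in this hunk: the rewritten LOSS-1, LOSS-2 and LOSS-3 lines still read "likelyhood" (should be "likelihood"), and the unchanged DVCS paragraph in context still has "conenctions" (should be "connections"); since the commit is titled as a spelling fix, suggest folding those in here, e.g. `* LOSS-1: foreseeable use of the operating system is in a device with only incidental loss likelihood`. LOSS-3 also stacks "such as devices which are common targets of theft such as mobile phones"; one "such as" is enough. In the trailing context, "### 4.5.1 Mapping of use cases to risk factors" reuses the number already given to "### 4.5.1 List of risk factors" in the earlier hunk, so one of them should be renumbered (presumably 4.5.2 for the mapping).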
@@ -627,22 +627,16 @@ Aeva: Carl-Daniel's comment could also apply to enterprise computers (laptops, d

### 4.6.1 General

Security levels are an informative resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to specific mitigations for each security requirements necessary to treat the risk.> List the security levels and the use cases that correspond to them.
Security levels are an informative resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to specific mitigations for each security requirements necessary to treat the risk.

### 4.6.2 Mapping of security level to risk factors

Security levels are associated with sets of risk factor levels.

> FIXME take filled out table of use case mapping to risk factor, simplify down, set levels
> FIXME take filled out table of use case mapping to risk factor, simplify down, create security profiles or requirement sets

## 4.7 Essential functions

> List the essential functions of the product, including:
>
> - What it does during its intended or reasonably foreseeable use?
> - How its functions are configured?
> - How it keeps itself secure and functioning?

An operating system may provide, depending on the hardware available and its configuration:

* Resource allocation
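Review bot: the rewritten sentence in 4.6.1 keeps the grammatical slip "for each security requirements"; suggest "for each security requirement". Dropping the fused text "> List the security levels and the use cases that correspond to them." fixes the run-on, but it was the only remaining pointer to what 4.6.1 is meant to list, so consider keeping it as its own `>` FIXME line under the paragraph rather than deleting it outright.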