Commit c52a38b5 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)

Rename security requirements to technical security requirements

parent 062f9588
+9 −6
@@ -530,11 +530,11 @@ The support period of an operating system should generally be at least 10 years.

## 6.1 General

## 6.2 Security requirements specifications
## 6.2 Technical security requirements specifications

_List security requirements for the product. Each requirement should be objectively verifiable on an instance of a product. Each should include an implementable method of verifying the requirement is met. Each should include a way to determine if the requirement is applicable to the product. Ideally each will include at least one concrete example of an implementation that satisfies the requirement and a test that verifies it. If the requirement allows the manufacturer to specify their own solution to the technical requirement, the requirement should include a specific way to measure the effectiveness of the risk mitigation and set a minimum level._
_List technical security requirements for the product. Each requirement should be objectively verifiable on an instance of a product. Each should include an implementable method of verifying the requirement is met. Each should include a way to determine if the requirement is applicable to the product. Ideally each will include at least one concrete example of an implementation that satisfies the requirement and a test that verifies it. If the requirement allows the manufacturer to specify their own solution to the technical requirement, the requirement should include a specific way to measure the effectiveness of the risk mitigation and set a minimum level._

_Example security requirements can be found in related standards, such as:_
_Example technical security requirements can be found in related standards, such as:_

* _Protection profiles for similar categories of product_
* _[EN-18031-2 (Radio Equipment Directive)](https://docbox.etsi.org/CYBER/CYBER/CEN-CLC/JTC13/WG09/CEN-CLC-JTC%2013-WG%209_N433_EN%2018031%20series.zip)_
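Review bot: The rename is applied consistently in this hunk (heading and both instruction paragraphs now say "technical security requirements", matching the existing "technical requirement" wording at the end of the first paragraph), but the new heading text is what other parts of the document point at, so every cross-reference to "security requirements" should be updated in the same commit. Two remain in this patch: Annex B still maps requirements "from Section 5" although the requirements section is numbered 6.2 here, and the new Annex C sentence still says "the section on security requirements". Suggest fixing both so the rename does not leave dangling references.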
@@ -548,10 +548,10 @@ _List any related ETSI standards and how they interact with the present document

# Annex B (informative): Mapping between the present document and CRA requirements

_Table mapping security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA_
_Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements._

| CRA requirement                                 | Security requirements satisfying the CRA requirement |
|-------------------------------------------------|------------------------------------------------------|
| CRA requirement                                 | Technical security requirements(s) |
|-------------------------------------------------|-------------------------------- ---|
| No known exploitable vulnerabilities            | |
| Secure design, development, production          | |
| Secure by default configuration                 | |
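Review bot: The new table header has a typo and a broken separator row: "Technical security requirements(s)" should be "Technical security requirement(s)", and the separator "|-------------------------------- ---|" contains a stray space, which most Markdown renderers will not accept as a valid delimiter row, so the table may render as plain text. Suggest "|--------------------------------|" with a matching width. Separately, the new description sentence still says the requirements come "from Section 5 of the present document", while the requirements section in this patch is headed "## 6.2"; the section number should be corrected so the mapping points at the right place.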
@@ -595,6 +595,9 @@ _Based on the assets, what are the threats during:_
* _Use for intended purpose or reasonably foreseeable use_
* _When integrated into another product_

_Example threats can be found in the same documents suggested in the section on security requirements._


<mark> FIXME list threats </mark>

## C.3 Assumptions
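Review bot: The sentence added in this hunk is the one place the rename was missed: "the section on security requirements" should read "the section on technical security requirements", and a numbered reference (6.2 as the section is headed in this patch) would be more robust than a prose description that will break on the next rename. The hunk also leaves two consecutive blank lines before the FIXME marker; one is enough.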