Commit e66c34e7 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)
Browse files

Update secure data deletion and transfer requirement

parent bddfcc4e

EN-304-626.md

+106 −42
Original line number Diff line number Diff line
@@ -694,21 +694,21 @@ FIXME add the separate concept of users apart from accounts 


#### 4.5.1.x Sensitivity of Data



**[RF-SENS]:** Sensitivity of data collected, as measured by impact of loss of its integrity, confidentiality, or availability.

**[RF-SEND]:** Sensitivity of data collected, as measured by impact of loss of its integrity, confidentiality, or availability.



* SENS-0: foreseeable use does not include collection of sensitive data

* SENS-1: foreseeable use limits collection of sensitive data

* SENS-2: foreseeable use may collect arbitrary amounts of sensitive data

* SENS-3: foreseeable use collects extensive amounts of sensitive data by default

* SEND-0: foreseeable use does not include collection of sensitive data

* SEND-1: foreseeable use limits collection of sensitive data

* SEND-2: foreseeable use may collect arbitrary amounts of sensitive data

* SEND-3: foreseeable use collects extensive amounts of sensitive data by default



#### 4.5.1.x Sensitivity of Functions



**[RF-SENS]:** Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.

**[RF-SENF]:** Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.



* SENS-0: foreseeable use does not provide sensitive functions

* SENS-1: foreseeable use limits provision of sensitive functions

* SENS-2: foreseeable use may provide arbitrary sensitive functions

* SENS-3: foreseeable use provides sensitive functions by default

* SENF-0: foreseeable use does not provide sensitive functions

* SENF-1: foreseeable use limits provision of sensitive functions

* SENF-2: foreseeable use may provide arbitrary sensitive functions

* SENF-3: foreseeable use provides sensitive functions by default



#### 4.5.1.x Physical Access by Threat Actors to the Device
@@ -808,15 +808,15 @@ FIXME add the separate concept of users apart from accounts 


FIXME needs updates



|Risk Factor | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|Risk Factor | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|------------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**Use Case**|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-LR**   |    0 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |       0 |

|**UC-IoT-1**|    0 |    0 |    0 |    0 |    1 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |       1 |

|**UC-IoT-2**|    0 |    0 |    1 |    0 |    1 |    0 |    0 |    0 |    0 |    1 |    0 |    1 |       4 |

|**UC-IoT-3**|    0 |    0 |    1 |    0 |    1 |    0 |    1 |    0 |    0 |    1 |    0 |    1 |       5 |

|**UC-OT-1** |    0 |    0 |    1 |    0 |    1 |    0 |    0 |    0 |    0 |    2 |    2 |    2 |       8 |

|**UC-OT-2** |    0 |    0 |    0 |    0 |    2 |    0 |    0 |    0 |    0 |    1 |    1 |    1 |       6 |

|**UC-IoT-2**|    0 |    0 |    1 |    1 |    1 |    0 |    0 |    0 |    0 |    1 |    0 |    1 |       4 |

|**UC-IoT-3**|    0 |    0 |    1 |    1 |    1 |    0 |    1 |    0 |    0 |    1 |    0 |    1 |       5 |

|**UC-OT-1** |    0 |    0 |    1 |    1 |    1 |    0 |    0 |    0 |    0 |    2 |    2 |    2 |       8 |

|**UC-OT-2** |    0 |    0 |    0 |    1 |    2 |    0 |    0 |    0 |    0 |    1 |    1 |    1 |       6 |

|**UC-MOB-1**|    1 |    1 |    2 |    3 |    1 |    3 |    0 |    3 |    2 |    2 |    2 |    2 |      22 |

|**UC-MOB-2**| | | | | | | | | | | | | -- |

|**UC-WE-1** |    1 |    1 |    1 |    2 |    1 |    2 |    0 |    0 |    0 |    1 |    1 |    0 |      10 |
@@ -825,14 +825,14 @@ FIXME needs updates 
|**UC-PC-2** |    1 |    2 |    2 |    1 |    0 |    0 |    2 |    2 |    1 |    2 |    1 |    1 |      14 |

|**UC-LA-1** |    1 |    2 |    2 |    1 |    1 |    1 |    1 |    2 |    2 |    2 |    2 |    2 |      19 |

|**UC-LA-2** |    1 |    2 |    2 |    1 |    1 |    1 |    1 |    2 |    2 |    2 |    2 |    1 |      18 |

|**UC-SE-1** |    0 |    0 |    2 |    0 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |       9 |

|**UC-SE-2** |    1 |    1 |    2 |    0 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      11 |

|**UC-SE-3** |    2 |    3 |    2 |    0 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      13 |

|**UC-IF-1** |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    1 |    0 |    2 |       5 |

|**UC-IF-2** |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    2 |    1 |    1 |       5 |

|**UC-IF-3** |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    3 |    2 |    1 |       8 |

|**UC-FI-1** |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    3 |    1 |    2 |       8 |

|**UC-FI-2** |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    3 |    1 |    1 |       7 |

|**UC-SE-1** |    0 |    0 |    2 |    2 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      11 |

|**UC-SE-2** |    1 |    1 |    2 |    2 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      13 |

|**UC-SE-3** |    2 |    3 |    2 |    2 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      15 |

|**UC-IF-1** |    0 |    0 |    1 |    2 |    0 |    0 |    1 |    0 |    0 |    1 |    0 |    2 |       7 |

|**UC-IF-2** |    0 |    0 |    1 |    2 |    0 |    0 |    1 |    0 |    0 |    2 |    1 |    1 |       7 |

|**UC-IF-3** |    0 |    0 |    1 |    2 |    0 |    0 |    1 |    0 |    0 |    3 |    2 |    1 |      10 |

|**UC-FI-1** |    0 |    0 |    1 |    2 |    0 |    0 |    1 |    0 |    0 |    3 |    1 |    2 |      10 |

|**UC-FI-2** |    0 |    0 |    1 |    2 |    0 |    0 |    1 |    0 |    0 |    3 |    1 |    1 |       9 |



**Discussion**
@@ -1581,6 +1581,8 @@ All exposed interfaces on the product in any state that is part of its reasonabl 


The product shall provide a method of deleting all data and settings and resetting the product to its secure-by-default configuration.



Guidance: Overwriting all storage or encrypting all data and deleting the key are two secure deletion mechanisms.



#### 5.2.X.x **MI-RSET**:



The product shall reset to its secure-by-default state after a power cycle or reset command.
@@ -1591,17 +1593,79 @@ The product shall reset to its secure-by-default state after a power cycle or re 


  * Preparation: Document every kind of data or setting that may be stored on the product, how to store it on the product, and how to read it from the product



  * Activities: For each kind of user data or setting that may be stored on the product, write an instance of the data or setting stored on the product that is different from the default, read it from the product, power cycle or reset the product, and read the data again

  * Activities: For each kind of user data or setting that may be stored on the product, write an instance of the data or setting stored on the product that is different from the default and read it from the product; once all kinds of data have been written and read, power cycle or reset the product, and read each kind of data again



  * Verdict: If any data or setting is the same for both of the reads => FAIL, otherwise => PASS



  * Evidence: Record of each type of data or setting, what data or setting was written, what data or setting was returned by the first read, and what data or setting was returned by the second read, comparison of each one



#### 5.2.X.x **MI-INST**:



The product shall reset to its secure-by-default state after a reinstallation that securely deletes all previous user data or settings.



  * Reference: TR-SCDL



  * Objective: Secure deletion



  * Preparation: Document every kind of data or setting that may be stored on the product, how to store it on the product, and how to read it from the product



  * Activities: For each kind of user data or setting that may be stored on the product, write an instance of the data or setting stored on the product that is different from the default and read it from the product; once all kinds of data have been written and read, reinstall the product with the secure delete option, and read the data or settings again



  * Verdict: If any data or setting is the same for both of the reads => FAIL, otherwise => PASS



  * Evidence: Record of each type of data or setting, what data or setting was written, what data or setting was returned by the first read, and what data or setting was returned by the second read, comparison of each one



#### 5.2.X.x **MI-DELE**:



The product shall reset to its secure-by-default state after the secure deletion function is used.



  * Reference: TR-SCDL



  * Objective: Secure deletion



  * Preparation: Document every kind of data or setting that may be stored on the product, how to store it on the product, and how to read it from the product



  * Activities: For each kind of user data or setting that may be stored on the product, write an instance of the data or setting stored on the product that is different from the default and read it from the product; once all kinds of data have been written and read, activate the secure deletion function, and read the data or settings again



  * Verdict: If any data or setting is the same for both of the reads => FAIL, otherwise => PASS



  * Evidence: Record of each type of data or setting, what data or setting was written, what data or setting was returned by the first read, and what data or setting was returned by the second read, comparison of each one



#### 5.2.X.x Mapping of mitigations to risk factors and security profiles



| Risk factors | Requires mitigations |

|--------------|----------------------|

| SEND < 1     | None                 |

| all others   | RSET or INST or DELE |



| Security Profile | Requires mitigations |

|------------------|----------------------|

| LR, IoT-1        | None                 |

| all others       | RSET or INST or DELE |



> FIXME: Make the method of deletion depend on risk tolerance (low or med: simple reformat, high: overwrite once or delete key to encryped storage)



### 5.2.X **TR-SDTR**: Secure data transfer



The product shall provide a method to securely transfer all data and settings from the product to other products or systems.

The product shall provide a method to securely transfer all data and settings from the product.



#### 5.2.X.x **MI-DTTH**: Secure data transfer from product



The product shall provide a method by which an authorized user can securely transfer all data and settings from the product.



  * Reference: TR-SDTR



  * Objective: Secure data transfer



  * Preparation: List all data and settings.



  * Activities: For each kind of data or setting, read the data or setting as an authorized user, then attempt read the data or setting as an unauthorized user, if any exists



  * Verdict: All data and settings can be read by the authorized user, and no data or setting can be read by an unauthorized user



  * Evidence: List of data and settings, log message showing success or failure of each read by the authorized user and, if applicable, the unauthorized user



#### 5.2.X.x **MI-DTTH**: Data transfer

#### 5.2.X.x **MI-DTTH**: Secure read of data



The product shall provide a method by which an authorized user can securely read all data and settings from the product.
@@ -1998,7 +2062,7 @@ Risk Tolerances are applied to the foreseeable risks associated to each Security 


Description: A non-internet-connected device such as a bluetooth speaker



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

| UC-IoT-1 |    0 |    0 |    0 |    0 |    1 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |       1 |
@@ -2016,7 +2080,7 @@ Description: A non-internet-connected device such as a bluetooth speaker 


Description: An internet-enabled power switch



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|UC-IoT-2  |    0 |    0 |    1 |    0 |    1 |    0 |    0 |    0 |    0 |    1 |    0 |    1 |       4 |
@@ -2034,7 +2098,7 @@ Description: An internet-enabled power switch 


Description: An internet-connected "smart home" device, such as a thermostat, fridge, or alarm system



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|UC-IoT-3  |    0 |    0 |    1 |    0 |    1 |    0 |    1 |    0 |    0 |    1 |    0 |    1 |       5 |
@@ -2074,7 +2138,7 @@ Description: Stateless multi-user terminal 


Description: A personal computer in a fixed and generally safe location



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|UC-PC-1   |    1 |    2 |    2 |    1 |    0 |    0 |    2 |    2 |    1 |    2 |    1 |    2 |      15 |
@@ -2091,7 +2155,7 @@ Description: A personal computer in a fixed and generally safe location 


Description: An enterprise workstation in a fixed and generally safe location



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-PC-2**    |    1 |    2 |    2 |    1 |    0 |    0 |    2 |    2 |    1 |    2 |    1 |    1 |      14 |
@@ -2104,7 +2168,7 @@ Description: An enterprise workstation in a fixed and generally safe location 


Description: A personal laptop



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-LA-1**    |    1 |    2 |    2 |    1 |    1 |    1 |    1 |    2 |    2 |    2 |    2 |    2 |      19 |
@@ -2117,7 +2181,7 @@ Description: A personal laptop 


Description: Enterprise laptop



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-LA-2**    |    1 |    2 |    2 |    1 |    1 |    1 |    1 |    2 |    2 |    2 |    2 |    1 |      18 |
@@ -2130,7 +2194,7 @@ Description: Enterprise laptop 


Description: Personal server



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|



* Risk Factor Score: --
@@ -2142,7 +2206,7 @@ Description: Personal server 


Description: An enterprise server in a datacenter with no user accounts



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-SE-1**    |    0 |    0 |    2 |    0 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |       9 |
@@ -2155,7 +2219,7 @@ Description: An enterprise server in a datacenter with no user accounts 


Description: An enterprise server in a datacenter with only trusted user accounts



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-SE-2**    |    1 |    1 |    2 |    0 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      11 |
@@ -2168,7 +2232,7 @@ Description: An enterprise server in a datacenter with only trusted user account 


Description: An enterprise server in a datacenter hosting many untrusted user accounts



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-SE-3**    |    2 |    2 |    2 |    0 |    0 |    0 |    1 |    2 |    1 |    1 |    1 |    0 |      13 |
@@ -2181,7 +2245,7 @@ Description: An enterprise server in a datacenter hosting many untrusted user ac 


Description: Internet infrastructure on private network



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-IF-1**    |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    1 |    0 |    2 |       5 |
@@ -2194,7 +2258,7 @@ Description: Internet infrastructure on private network 


Description: Internet infrastructure on filtered network



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-IF-2**    |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    2 |    1 |    1 |       5 |
@@ -2207,7 +2271,7 @@ Description: Internet infrastructure on filtered network 


Description: Internet infrastructure on open internet



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-IF-3**    |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    3 |    2 |    1 |       8 |
@@ -2220,7 +2284,7 @@ Description: Internet infrastructure on open internet 


Description: Firewall for personal network



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-FI-1**    |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    3 |    1 |    2 |       8 |
@@ -2233,7 +2297,7 @@ Description: Firewall for personal network 


Description: Firewall for enterprise network



| Use Case | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

| Use Case | NUSR | CUSR | DATA | SEND | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |

|----------|------|------|------|------|------|------|------|------|------|------|------|------|---------|

|**UC-FI-2**    |    0 |    0 |    1 |    0 |    0 |    0 |    1 |    0 |    0 |    3 |    1 |    1 |       7 |