Open jgb1128 opened 1 month ago
Would agree that we need to fix these inconsistencies. I still believe threats remain unchanged for cloud but we do now propose new inputs for the SPD including assumptions.
We will remove the following sentence from the section:
It is not expected that a cloud environment will introduce new threats, assumptions, or organizational security policies. However,
Start the paragraph with "The PP writers...."
3rd paragraph 1st sentence (note I combined 2 comments for this issue) "It is not expected that a cloud environment will introduce new threats, assumptions, or organizational security policies.
Additional threats are expected to be present. This is reflected by the sentence "This ensures that cloud-specific threats are adequately mitigated." in Subsection "Key Takeaways" on p. 39 of this document. I think additional assumptions are expected to be introduced. This is reflected by the Section "CCitC Suggested Inputs to a Security Problem Definition". Additional assumptions are required for example for trusted platform administrator in addition to the assumption, that the TOE admin is trustworthy.