Add requirement to enumerate sensitive data, e.g.
"Sensitive data shall include _[assignment: data that must be protected from unauthorized access]_.
Application Note: This is defined per ST and constrained by any EPs of this Applications PP.
Assurance Activity: The CCTL/ITSEF shall verify that the selection comprises all data that would reasonably be considered to be sensitive, including PII, cryptographic keys (for cryptographic software implementations), etc."
That's weak, but you get the idea. Requirements for protecting sensitive data (at rest, via trusted paths, etc.) will depend on this one.