commoncriteria / application

Protection Profile for Application Software
The Unlicense

Sensitive Data #20

Closed WeeknightMVP closed 10 years ago

WeeknightMVP commented 10 years ago

Add requirement to enumerate sensitive data, e.g.

"Sensitive data shall include _[assignment: data that must be protected from unauthorized access]_.

Application Note: This is defined per ST and constrained by any EPs of this Applications PP.

Assurance Activity: The CCTL/ITSEF shall verify that the selection comprises all data that would reasonably be considered to be sensitive, including PII, cryptographic keys (for cryptographic software implementations), etc."

That's weak, but you get the idea. Requirements for protecting sensitive data (at rest, via trusted paths, etc.) will depend on this one.

WeeknightMVP commented 10 years ago

OK, I think we got the definition squared away in the glossary.