Within the context of secure plug-and-play interoperability, cybersecurity is the process and capability of preventing unauthorized access or modification, misuse, denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred to and from a PHD\/PoCD. The process part of cybersecurity is risk analysis of use cases specific to a PHD\/PoCD. For PHDs\/PoCDs, this standard defines an iterative, systematic, scalable, and auditable approach to identification of cybersecurity vulnerabilities and estimation of risk. This iterative vulnerability assessment uses the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) classification scheme and the embedded Common Vulnerability Scoring System (eCVSS). The assessment includes system context, system decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring and iterates until the remaining vulnerabilities are reduced to an acceptable level of risk.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 2<\/td>\n | undefined <\/td>\n<\/tr>\n | ||||||
| 5<\/td>\n | European foreword Endorsement notice <\/td>\n<\/tr>\n | ||||||
| 8<\/td>\n | Blank Page <\/td>\n<\/tr>\n | ||||||
| 9<\/td>\n | Title page <\/td>\n<\/tr>\n | ||||||
| 11<\/td>\n | Important Notices and Disclaimers Concerning IEEE Standards Documents <\/td>\n<\/tr>\n | ||||||
| 14<\/td>\n | Participants <\/td>\n<\/tr>\n | ||||||
| 17<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 18<\/td>\n | Contents <\/td>\n<\/tr>\n | ||||||
| 19<\/td>\n | 1. Overview 1.1 General <\/td>\n<\/tr>\n | ||||||
| 20<\/td>\n | 1.2 Scope 1.3 Purpose 1.4 Word usage <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | 2. Definitions, acronyms, and abbreviations 2.1 Definitions 2.2 Acronyms and abbreviations 3. Risk management <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 4. Software of unknown provenance 5. Multi-component system vulnerability assessment 6. Threat modeling 6.1 General <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | 6.2 Data flow diagram 6.3 STRIDE classification scheme 7. Scoring system 7.1 General 7.2 CVSS <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 7.3 eCVSS <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 8. Process for vulnerability assessment 8.1 Iterative vulnerability assessment 8.2 System context 8.2.1 Use case description <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | 8.2.2 Actors <\/td>\n<\/tr>\n | ||||||
| 28<\/td>\n | 8.2.3 Assets 8.2.4 Mapping actors to assets 8.3 System decomposition 8.3.1 General 8.3.2 Trust boundaries 8.3.3 Threat model <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | 8.3.4 Vulnerability list <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | 8.4 Scoring 8.4.1 General 8.4.2 eCVSS metric guidelines <\/td>\n<\/tr>\n | ||||||
| 31<\/td>\n | 8.4.3 Suggested collateral damage <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | 8.4.4 System-wide metrics 8.4.5 Risk level thresholds 8.5 Mitigation 8.6 Iteration <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | Annex A (informative) Bibliography <\/td>\n<\/tr>\n | ||||||
| 34<\/td>\n | Annex B (informative) STRIDE <\/td>\n<\/tr>\n | ||||||
| 38<\/td>\n | Annex C (informative) embedded Common Vulnerability Scoring System <\/td>\n<\/tr>\n | ||||||
| 45<\/td>\n | Annex D (informative) Microsoft TMT2Excel Macro <\/td>\n<\/tr>\n | ||||||
| 48<\/td>\n | Annex E (informative) Example insulin delivery device vulnerability assessment <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Health informatics. Device interoperability – Foundational. Cybersecurity. Processes for vulnerability assessment<\/b><\/p>\n |