Recently, ENISA published version 1.0 of a document that looks highly interesting, titled "Indispensable baseline security requirements for the procurement of secure ICT products and services" (link).
It was elaborated by a group of experts nominated by different Member States (in particular Austria, France, Germany, the Czech Republic, Spain, the Netherlands and Finland) and is applicable to service providers.
Before mapping the security requirements listed in the ENISA document to the LEET Security methodology, here are some reflections about it:
Finally, and as promised, the following table maps the minimum requirements of the ENISA document to the sections of the LEET Security rating methodology, and also identifies which of those sections are required in that methodology at the minimum rating level (aka 'D D D'). Even though LEET Security is focused on services rather than products, the overlap between the two documents is more than 50%.
| Req. ENISA | LEET Security | Level DDD requirement (x = required at the minimum rating level) |
|---|---|---|
| Security by Design | [SO.05] Security requirements of Information Systems | |
| | [MO.01] Audit logging | x |
| | [SD.05] Control of technical vulnerabilities | x |
| Least Privilege | [AC.03] User identification and authentication | |
| | [AC.01] Business requirements for access control | x |
| | [AC.04] Password management system | x |
| Strong Authentication | [AC.02] Secure log-on procedures | |
| Asset Protection | [CR.01] Key management | x |
| | [FS.05] Physical media in transit protection | |
| | [NC.05] Safeguard confidentiality over public networks | |
| Supply Chain Security | [MO.02] Monitoring system use | |
| Documentation Transparency | [SO.04] Security of system documentation | |
| | [SO.01] Change Management | x |
| Quality Management | [TP.02] Supply-chain assurance | x |
| Service Continuity | [SD.05] Control of technical vulnerabilities | x |
| EU Jurisdiction | [CO.01] Compliance with legal requirements | x |
| Data Usage Restriction | [TP.01] Shared processing | x |
| N/A | [SO.03] Information Management and Handling Procedures | x |
| | [PS.02] Training and Awareness | x |
| | [FS.01] Physical Security Perimeter | x |
| | [FS.03] Equipment location and protection | x |
| | [RE.04] Information backups | x |
| | [RE.06] Information security aspects of BCM | x |
| | [CO.02] Compliance with security policies and standards, and technical pro. | x |
| | [NC.02] Network routing controls | x |
| | [IH.01] Reporting infosec events and weaknesses | x |
| | [IH.02] Management of infosec incidents and improvements | x |