DANSK DSF/IEC/TR 80001-2-9 ED. 1.0 PDF

This Technical Report establishes a SECURITY CASE framework and provides guidance to HDOs and MDMs for identifying, developing, interpreting, updating and maintaining SECURITY CASES for networked MEDICAL DEVICES. Use of this part of IEC 80001 is intended to be one of the possible means to bridge the gap between MDMs and HDOs in providing adequate information to support the HDOS RISK MANAGEMENT of IT NETWORKS. This Technical Report leverages the requirements set out in ISO/IEC 15026-2 for the development of ASSURANCE cases2). It is not intended that this SECURITY CASE framework will replace a RISK MANAGEMENT strategy, rather, the intention is to complement RISK MANAGEMENT and in turn provide a greater level of ASSURANCE for a MEDICAL DEVICE by: ‒ Mapping RISK MANAGEMENT steps to each of the IEC TR 80001-2-2 SECURITY CAPABILITIES, identifying associated threats and vulnerabilities and presenting them in the format of a SECURITY CASE with the inclusion of a re-useable SECURITY PATTERN; ‒ Providing guidance for the selection of appropriate SECURITY CONTROLS to establish SECURITY CAPABILITIES and presenting them as part of the SECURITY CASE pattern (IEC TR 80001-2-8 provides examples of such SECURITY CONTROLS); ‒ Providing EVIDENCE to support the implementation of a SECURITY CONTROL, hence providing CONFIDENCE in the establishment of each of the SECURITY CAPABILITIES.