Frequently Asked Questions
What should be included in system diagrams with regard to cybersecurity risks?
System diagrams should be sufficiently detailed to permit an understanding of how the specific device design elements are incorporated into a system-level and holistic picture. Analysis of the entire system is necessary to understand the manufacturer’s threat model and the device within the larger ecosystem.
System diagrams should include:
- Network, architecture, flow, and state diagrams.
- The interfaces, components, assets, communication pathways, protocols, and network ports.
- Authentication mechanisms and controls for each communicating asset or component of the system including web sites, servers, interoperable systems, cloud stores, etc.
- Users’ roles and level of responsibility if they interact with these assets or communication channels.
- Cryptographic methods, with a description of each method used and of the type and level of cryptographic key usage and their style of use throughout your system (one-time use, key length, the standard employed, symmetric or otherwise, etc.). Descriptions should also include details of cryptographic protection for firmware and software updates.