UL-2900-1:2017 – STANDARD FOR SAFETY Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements.
3.27 MALWARE — Software designed with malicious intent to disrupt normal function, gather sensitive information, and/or access other connected systems.
3.28 NETWORK CONNECTABLE — Any device, component, or software that can be connected via physical, wireless, cellular, or other non-physical transmission means to another device, component or software, or to groups of devices, components or systems of software.
3.29 PENETRATION TESTING — A mechanism of evaluation of a product to exploit vulnerabilities and weaknesses discovered in the vulnerability assessment phase.
3.30 PERSONALLY IDENTIFIABLE INFORMATION (PII) — Any information about an individual maintained by the product, including any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records;
AND
Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
NOTE: This can be, but is not limited to, an individual’s location, health records and/or financial records that, when used, can determine the actual individual’s identity.
3.31 PRODUCT — The network-connectable device, software or system under test.
3.32 PROTOCOL – See COMMUNICATION PROTOCOL.
3.33 REMOTE INTERFACE — An external interface potentially allowing access to individuals, entities or processes regardless of geographic distance to the product.
3.34 REMOTE ACCESS — Access to the product via a remote interface.
3.35 RISK — The potential for harm or damage, measured as the combination of the likelihood of occurrence of that harm or damage and the impact of that harm or damage.
3.36 RISK ANALYSIS — The systematic use of available information to identify threats and to estimate risk.
3.37 RISK CONTROL — Any action taken or feature implemented to reduce risk.
3.38 RISK MANAGEMENT — Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.
3.39 SECURE ELEMENT — A tamper-resistant platform, such as a chip, capable of securely hosting applications and their confidential and cryptographic data and that prevents unauthorized access.
3.40 SECURITY — The process of having acceptable levels of confidentiality, integrity, authenticity and/or availability of product data and/or functionality through risk analysis.
3.41 SENSITIVE DATA — Any critical security parameter that can compromise the use and security of the product, such as passwords, keys, seeds for random number generators, authentication data, personally identifiable information and any data whose disclosure could jeopardize the security properties of the product.
3.42 SOFTWARE — All pre-loaded data which creates, affects, and/or modifies the functionality of the product. This includes, but is not limited to, firmware, scripts, initialization files, pre-compiled code and interpreted code. This does not include software preloaded and programmed in an IC chip for small functions that require physical access and removal of the IC chip for reprogramming.
3.43 SOFTWARE WEAKNESS — A possible flaw in the architecture, design, coding, build process or configuration of software in the product that may render the product vulnerable to a security exploit.
3.44 SOURCE CODE — Computer instructions written in a human-readable high-level computer language, usually as text, including possible comments.
3.45 SPI — A serial peripheral shared interface bus.
3.46 STATIC ANALYSIS — A process in which source code, bytecode or binary code is analyzed without executing the code.