[VNFRQTS] break up larger rst files into toxtree

Broke all chapter files up so they follow the same patter

Change-Id: I8a2152b92f0568cf4858615054bb66fabf0ea343
Issue-ID: VNFRQTS-253
Signed-off-by: stark, steven <ss820f@att.com>

1 files changed, 563 insertions, 0 deletions

diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst
new file mode 100644
index 0000000..a0691ae
--- /dev/null
+++ b/docs/Chapter4/Security.rst
@@ -0,0 +1,563 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright 2017 AT&T Intellectual Property.  All rights reserved.
+
+VNF Security
+----------------------
+
+The objective of this section is to provide the key security
+requirements that need to be met by VNFs. The security requirements are
+grouped into five areas as listed below. Other security areas will be
+addressed in future updates. These security requirements are applicable
+to all VNFs. Additional security requirements for specific types of VNFs
+will be applicable and are outside the scope of these general
+requirements.
+
+Section 5.a Security in *VNF Guidelines* outlines
+the five broad security areas for VNFs that are detailed in the
+following sections:
+
+-  **VNF General Security**: This section addresses general security
+   requirements for the VNFs that the VNF provider will need to address.
+
+-  **VNF Identity and Access Management**: This section addresses
+   security requirements with respect to Identity and Access Management
+   as these pertain to generic VNFs.
+
+-  **VNF API Security**: This section addresses the generic security
+   requirements associated with APIs. These requirements are applicable
+   to those VNFs that use standard APIs for communication and data
+   exchange.
+
+-  **VNF Security Analytics**: This section addresses the security
+   requirements associated with analytics for VNFs that deal with
+   monitoring, data collection and analysis.
+
+-  **VNF Data Protection**: This section addresses the security
+   requirements associated with data protection.
+
+VNF General Security Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This section provides details on the VNF general security requirements
+on various security areas such as user access control, network security,
+ACLs, infrastructure security, and vulnerability management. These
+requirements cover topics associated with compliance, security patching,
+logging/accounting, authentication, encryption, role-based access
+control, least privilege access/authorization. The following security
+requirements need to be met by the solution in a virtual environment:
+
+General Security Requirements
+
+Integration and operation within a robust security environment is necessary
+and expected. The security architecture will include one or more of the
+following: IDAM (Identity and Access Management) for all system and
+applications access, Code scanning, network vulnerability scans, OS,
+Database and application patching, malware detection and cleaning,
+DDOS prevention, network security gateways (internal and external)
+operating at various layers, host and application based tools for
+security compliance validation, aggressive security patch application,
+tightly controlled software distribution and change control processes
+and other state of the art security solutions. The VNF is expected to
+function reliably within such an environment and the developer is
+expected to understand and accommodate such controls and can expected
+to supply responsive interoperability support and testing throughout
+the product’s lifecycle.
+
+* R-23740 The VNF **MUST** accommodate the security principle of
+  “least privilege” during development, implementation and operation.
+  The importance of “least privilege” cannot be overstated and must be
+  observed in all aspects of VNF development and not limited to security.
+  This is applicable to all sections of this document.
+* R-61354 The VNF **MUST** implement access control list for OA&M
+  services (e.g., restricting access to certain ports or applications).
+* R-85633 The VNF **MUST** implement Data Storage Encryption
+  (database/disk encryption) for Sensitive Personal Information (SPI)
+  and other subscriber identifiable data. Note: subscriber’s SPI/data
+  must be encrypted at rest, and other subscriber identifiable data
+  should be encrypted at rest. Other data protection requirements exist
+  and should be well understood by the developer.
+* R-92207 The VNF **SHOULD** implement a mechanism for automated and
+  frequent "system configuration (automated provisioning / closed loop)"
+  auditing.
+* R-23882 The VNF **SHOULD** be scanned using both network scanning
+  and application scanning security tools on all code, including underlying
+  OS and related configuration. Scan reports shall be provided. Remediation
+  roadmaps shall be made available for any findings.
+* R-46986 The VNF **SHOULD** have source code scanned using scanning
+  tools (e.g., Fortify) and provide reports.
+* R-55830 The VNF **MUST** distribute all production code from NCSP
+  internal sources only. No production code, libraries, OS images, etc.
+  shall be distributed from publically accessible depots.
+* R-99771 The VNF **MUST** provide all code/configuration files in a
+  "Locked down" or hardened state or with documented recommendations for
+  such hardening. All unnecessary services will be disabled. VNF provider
+  default credentials, community strings and other such artifacts will be
+  removed or disclosed so that they can be modified or removed during
+  provisioning.
+* R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of
+  traffic by application (dropping packets not belonging to the VPN) (i.e.,
+  AVPN, IPSec VPN for Internet routes).
+* R-33981 The VNF **SHOULD** interoperate with various access control
+  mechanisms for the Network Cloud execution environment (e.g.,
+  Hypervisors, containers).
+* R-40813 The VNF **SHOULD** support the use of virtual trusted platform
+  module, hypervisor security testing and standards scanning tools.
+* R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
+  it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
+  routing and forwarding rules.
+* R-26586 The VNF **SHOULD** support the ability to work with aliases
+  (e.g., gateways, proxies) to protect and encapsulate resources.
+* R-49956 The VNF **MUST** pass all access to applications (Bearer,
+  signaling and OA&M) through various security tools and platforms from
+  ACLs, stateful firewalls and application layer gateways depending on
+  manner of deployment. The application is expected to function (and in
+  some cases, interwork) with these security tools.
+* R-69649 The VNF **MUST** have all vulnerabilities patched as soon
+  as possible. Patching shall be controlled via change control process
+  with vulnerabilities disclosed along with mitigation recommendations.
+* R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification,
+  authentication and access control of customer or VNF application users.
+* R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with
+  the requirements if not using the NCSP’s IDAM API, for identification,
+  authentication and access control of OA&M and other system level
+  functions.
+* R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support
+  User-IDs and passwords to uniquely identify the user/application. VNF
+  needs to have appropriate connectors to the Identity, Authentication
+  and Authorization systems that enables access at OS, Database and
+  Application levels as appropriate.
+* R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide
+  the ability to support Multi-Factor Authentication (e.g., 1st factor =
+  Software token on device (RSA SecureID); 2nd factor = User Name+Password,
+  etc.) for the users.
+* R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support
+  Role-Based Access Control to permit/limit the user/application to
+  performing specific activities.
+* R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support
+  logging via ONAP for a historical view of “who did what and when”.
+* R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt
+  OA&M access (e.g., SSH, SFTP).
+* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce
+  a configurable maximum number of Login attempts policy for the users.
+  VNF provider must comply with "terminate idle sessions" policy.
+  Interactive sessions must be terminated, or a secure, locking screensaver
+  must be activated requiring authentication, after a configurable period
+  of inactivity. The system-based inactivity timeout for the enterprise
+  identity and access management system must also be configurable.
+* R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
+  with the NCSP’s credential management policy.
+* R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire
+  passwords at regular configurable intervals.
+* R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
+  with "password complexity" policy. When passwords are used, they shall
+  be complex and shall at least meet the following password construction
+  requirements: (1) be a minimum configurable number of characters in
+  length, (2) include 3 of the 4 following types of characters:
+  upper-case alphabetic, lower-case alphabetic, numeric, and special,
+  (3) not be the same as the UserID with which they are associated or
+  other common strings as specified by the environment, (4) not contain
+  repeating or sequential characters or numbers, (5) not to use special
+  characters that may have command functions, and (6) new passwords must
+  not contain sequences of three or more characters from the previous
+  password.
+* R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
+  with "password changes (includes default passwords)" policy. Products
+  will support password aging, syntax and other credential management
+  practices on a configurable basis.
+* R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support
+  use of common third party authentication and authorization tools such
+  as TACACS+, RADIUS.
+* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
+  with "No Self-Signed Certificates" policy. Self-signed certificates
+  must be used for encryption only, using specified and approved
+  encryption protocols such as TLS 1.2 or higher or equivalent security
+  protocols such as IPSec, AES.
+* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API,
+  authenticate system to system communications where one system
+  accesses the resources of another system, and must never conceal
+  individual accountability.
+
+VNF Identity and Access Management Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The following security requirements for logging, identity, and access
+management need to be met by the solution in a virtual environment:
+
+
+Identity and Access Management Requirements
+
+* R-95105 The VNF **MUST** host connectors for access to the application
+  layer.
+* R-45496 The VNF **MUST** host connectors for access to the OS
+  (Operating System) layer.
+* R-05470 The VNF **MUST** host connectors for access to the database layer.
+* R-99174 The VNF **MUST** comply with Individual Accountability
+  (each person must be assigned a unique ID) when persons or non-person
+  entities access VNFs.
+* R-42874 The VNF **MUST** comply with Least Privilege (no more
+  privilege than required to perform job functions) when persons
+  or non-person entities access VNFs.
+* R-71787 The VNF **MUST** comply with Segregation of Duties (access to a
+  single layer and no developer may access production without special
+  oversight) when persons or non-person entities access VNFs.
+* R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely.
+* R-49945 The VNF **MUST** authorize VNF provider access through a
+  client application API by the client application owner and the resource
+  owner of the VNF before provisioning authorization through Role Based
+  Access Control (RBAC), Attribute Based Access Control (ABAC), or other
+  policy based mechanism.
+* R-31751 The VNF **MUST** subject VNF provider access to privilege
+  reconciliation tools to prevent access creep and ensure correct
+  enforcement of access policies.
+* R-34552 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for OWASP Top 10.
+* R-29301 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Password Attacks.
+* R-72243 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Phishing / SMishing.
+* R-58998 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Malware (Key Logger).
+* R-14025 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Session Hijacking.
+* R-31412 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for XSS / CSRF.
+* R-51883 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Replay.
+* R-44032 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Man in the Middle (MITM).
+* R-58977 The VNF **MUST** provide or support the Identity and Access
+  Management (IDAM) based threat detection data for Eavesdropping.
+* R-24825 The VNF **MUST** provide Context awareness data (device,
+  location, time, etc.) and be able to integrate with threat detection system.
+* R-59391 The VNF provider **MUST**, where a VNF provider requires
+  the assumption of permissions, such as root or administrator, first
+  log in under their individual user login ID then switch to the other
+  higher level account; or where the individual user login is infeasible,
+  must login with an account with admin privileges in a way that
+  uniquely identifies the individual performing the function.
+* R-85028 The VNF **MUST** authenticate system to system access and
+  do not conceal a VNF provider user’s individual accountability for
+  transactions.
+* R-80335 The VNF **MUST** make visible a Warning Notice: A formal
+  statement of resource intent, i.e., a warning notice, upon initial
+  access to a VNF provider user who accesses private internal networks
+  or Company computer resources, e.g., upon initial logon to an internal
+  web site, system or application which requires authentication.
+* R-73541 The VNF **MUST** use access controls for VNFs and their
+  supporting computing systems at all times to restrict access to
+  authorized personnel only, e.g., least privilege. These controls
+  could include the use of system configuration or access control
+  software.
+* R-64503 The VNF **MUST** provide minimum privileges for initial
+  and default settings for new user accounts.
+* R-86835 The VNF **MUST** set the default settings for user access
+  to sensitive commands and data to deny authorization.
+* R-77157 The VNF **MUST** conform to approved request, workflow
+  authorization, and authorization provisioning requirements when
+  creating privileged users.
+* R-81147 The VNF **MUST** have greater restrictions for access and
+  execution, such as up to 3 factors of authentication and restricted
+  authorization, for commands affecting network services, such as
+  commands relating to VNFs.
+* R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2)
+  transmission of data on internal and external networks.
+* R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
+* R-15671 The VNF **MUST NOT** provide public or unrestricted access
+  to any data without the permission of the data owner. All data
+  classification and access controls must be followed.
+* R-89753 The VNF **MUST NOT** install or use systems, tools or
+  utilities capable of capturing or logging data that was not created
+  by them or sent specifically to them in production, without
+  authorization of the VNF system owner.
+* R-19082 The VNF **MUST NOT** run security testing tools and
+  programs, e.g., password cracker, port scanners, hacking tools
+  in production, without authorization of the VNF system owner.
+* R-19790 The VNF **MUST NOT** include authentication credentials
+  in security audit logs, even if encrypted.
+* R-85419 The VNF **SHOULD** use REST APIs exposed to Client
+  Applications for the implementation of OAuth 2.0 Authorization
+  Code Grant and Client Credentials Grant, as the standard interface
+  for a VNF.
+* R-48080 The VNF **SHOULD** support SCEP (Simple Certificate
+  Enrollment Protocol).
+
+
+VNF API Security Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This section covers API security requirements when these are used by the
+VNFs. Key security areas covered in API security are Access Control,
+Authentication, Passwords, PKI Authentication Alarming, Anomaly
+Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
+Cryptography, Business continuity, Biometric Authentication,
+Identification, Confidentiality and Integrity, and Denial of Service.
+
+The solution in a virtual environment needs to meet the following API
+security requirements:
+
+
+API Requirements
+
+* R-37608 The VNF **MUST** provide a mechanism to restrict access based
+  on the attributes of the VNF and the attributes of the subject.
+* R-43884 The VNF **MUST** integrate with external authentication
+  and authorization services (e.g., IDAM).
+* R-25878 The VNF **MUST** use certificates issued from publicly
+  recognized Certificate Authorities (CA) for the authentication process
+  where PKI-based authentication is used.
+* R-19804 The VNF **MUST** validate the CA signature on the certificate,
+  ensure that the date is within the validity period of the certificate,
+  check the Certificate Revocation List (CRL), and recognize the identity
+  represented by the certificate where PKI-based authentication is used.
+* R-47204 The VNF **MUST** protect the confidentiality and integrity of
+  data at rest and in transit from unauthorized access and modification.
+* R-33488 The VNF **MUST** protect against all denial of service
+  attacks, both volumetric and non-volumetric, or integrate with external
+  denial of service protection tools.
+* R-21652 The VNF **MUST** implement the following input validation
+  control: Check the size (length) of all input. Do not permit an amount
+  of input so great that it would cause the VNF to fail. Where the input
+  may be a file, the VNF API must enforce a size limit.
+* R-54930 The VNF **MUST** implement the following input validation
+  control: Do not permit input that contains content or characters
+  inappropriate to the input expected by the design. Inappropriate input,
+  such as SQL insertions, may cause the system to execute undesirable
+  and unauthorized transactions against the database or allow other
+  inappropriate access to the internal network.
+* R-21210 The VNF **MUST** implement the following input validation
+  control: Validate that any input file has a correct and valid
+  Multipurpose Internet Mail Extensions (MIME) type. Input files
+  should be tested for spoofed MIME types.
+* R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs.
+* R-87135 The VNF **MUST** comply with NIST standards and industry
+  best practices for all implementations of cryptography.
+* R-02137 The VNF **MUST** implement all monitoring and logging as
+  described in the Security Analytics section.
+* R-15659 The VNF **MUST** restrict changing the criticality level of
+  a system security alarm to administrator(s).
+* R-19367 The VNF **MUST** monitor API invocation patterns to detect
+  anomalous access patterns that may represent fraudulent access or
+  other types of attacks, or integrate with tools that implement anomaly
+  and abuse detection.
+* R-78066 The VNF **MUST** support requests for information from law
+  enforcement and government agencies.
+
+
+VNF Security Analytics Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This section covers VNF security analytics requirements that are mostly
+applicable to security monitoring. The VNF Security Analytics cover the
+collection and analysis of data following key areas of security
+monitoring:
+
+-  Anti-virus software
+
+-  Logging
+
+-  Data capture
+
+-  Tasking
+
+-  DPI
+
+-  API based monitoring
+
+-  Detection and notification
+
+-  Resource exhaustion detection
+
+-  Proactive and scalable monitoring
+
+-  Mobility and guest VNF monitoring
+
+-  Closed loop monitoring
+
+-  Interfaces to management and orchestration
+
+-  Malformed packet detections
+
+-  Service chaining
+
+-  Dynamic security control
+
+-  Dynamic load balancing
+
+-  Connection attempts to inactive ports (malicious port scanning)
+
+The following requirements of security monitoring need to be met by the
+solution in a virtual environment.
+
+Security Analytics Requirements
+
+* R-48470 The VNF **MUST** support Real-time detection and
+  notification of security events.
+* R-22286 The VNF **MUST** support Integration functionality via
+  API/Syslog/SNMP to other functional modules in the network (e.g.,
+  PCRF, PCEF) that enable dynamic security control by blocking the
+  malicious traffic or malicious end users
+* R-32636 The VNF **MUST** support API-based monitoring to take care of
+  the scenarios where the control interfaces are not exposed, or are
+  optimized and proprietary in nature.
+* R-61648 The VNF **MUST** support event logging, formats, and delivery
+  tools to provide the required degree of event data to ONAP
+* R-22367 The VNF **MUST** support detection of malformed packets due to
+  software misconfiguration or software vulnerability.
+* R-31961 The VNF **MUST** support integrated DPI/monitoring functionality
+  as part of VNFs (e.g., PGW, MME).
+* R-20912 The VNF **MUST** support alternative monitoring capabilities
+  when VNFs do not expose data or control traffic or use proprietary and
+  optimized protocols for inter VNF communication.
+* R-73223 The VNF **MUST** support proactive monitoring to detect and
+  report the attacks on resources so that the VNFs and associated VMs can
+  be isolated, such as detection techniques for resource exhaustion, namely
+  OS resource attacks, CPU attacks, consumption of kernel memory, local
+  storage attacks.
+* R-58370 The VNF **MUST** coexist and operate normally with commercial
+  anti-virus software which shall produce alarms every time when there is a
+  security incident.
+* R-56920 The VNF **MUST** protect all security audit logs (including
+  API, OS and application-generated logs), security audit software, data,
+  and associated documentation from modification, or unauthorized viewing,
+  by standard OS access control mechanisms, by sending to a remote system,
+  or by encryption.
+* R-54520 The VNF **MUST** log successful and unsuccessful login attempts.
+* R-55478 The VNF **MUST** log logoffs.
+* R-08598 The VNF **MUST** log successful and unsuccessful changes to
+  a privilege level.
+* R-13344 The VNF **MUST** log starting and stopping of security
+  logging.
+* R-07617 The VNF **MUST** log creating, removing, or changing the
+  inherent privilege level of users.
+* R-94525 The VNF **MUST** log connections to a network listener of the
+  resource.
+* R-31614 The VNF **MUST** log the field “event type” in the security
+  audit logs.
+* R-97445 The VNF **MUST** log the field “date/time” in the security
+  audit logs.
+* R-25547 The VNF **MUST** log the field “protocol” in the security audit logs.
+* R-06413 The VNF **MUST** log the field “service or program used for
+  access” in the security audit logs.
+* R-15325 The VNF **MUST** log the field “success/failure” in the
+  security audit logs.
+* R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs.
+* R-04982 The VNF **MUST NOT** include an authentication credential,
+  e.g., password, in the security audit logs, even if encrypted.
+* R-63330 The VNF **MUST** detect when the security audit log storage
+  medium is approaching capacity (configurable) and issue an alarm via
+  SMS or equivalent as to allow time for proper actions to be taken to
+  pre-empt loss of audit data.
+* R-41252 The VNF **MUST** support the capability of online storage of
+  security audit logs.
+* R-41825 The VNF **MUST** activate security alarms automatically when
+  the following event is detected: configurable number of consecutive
+  unsuccessful login attempts
+* R-43332 The VNF **MUST** activate security alarms automatically when
+  the following event is detected: successful modification of critical
+  system or application files
+* R-74958 The VNF **MUST** activate security alarms automatically when
+  the following event is detected: unsuccessful attempts to gain permissions
+  or assume the identity of another user
+* R-15884 The VNF **MUST** include the field “date” in the Security alarms
+  (where applicable and technically feasible).
+* R-23957 The VNF **MUST** include the field “time” in the Security alarms
+  (where applicable and technically feasible).
+* R-71842 The VNF **MUST** include the field “service or program used for
+  access” in the Security alarms (where applicable and technically feasible).
+* R-57617 The VNF **MUST** include the field “success/failure” in the
+  Security alarms (where applicable and technically feasible).
+* R-99730 The VNF **MUST** include the field “Login ID” in the Security
+  alarms (where applicable and technically feasible).
+* R-29705 The VNF **MUST** restrict changing the criticality level of a
+  system security alarm to administrator(s).
+* R-13627 The VNF **MUST** monitor API invocation patterns to detect
+  anomalous access patterns that may represent fraudulent access or other
+  types of attacks, or integrate with tools that implement anomaly and
+  abuse detection.
+* R-21819 The VNF **MUST** support requests for information from law
+  enforcement and government agencies.
+* R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation
+  (without human intervention) for Known Threats with detection rate in low
+  false positives.
+* R-25094 The VNF **MUST** perform data capture for security functions.
+* R-04492 The VNF **MUST** generate security audit logs that must be sent
+  to Security Analytics Tools for analysis.
+* R-19219 The VNF **MUST** provide audit logs that include user ID, dates,
+  times for log-on and log-off, and terminal location at minimum.
+* R-30932 The VNF **MUST** provide security audit logs including records
+  of successful and rejected system access data and other resource access
+  attempts.
+* R-54816 The VNF **MUST** support the storage of security audit logs
+  for agreed period of time for forensic analysis.
+* R-57271 The VNF **MUST** provide the capability of generating security
+  audit logs by interacting with the operating system (OS) as appropriate.
+* R-84160 The VNF **MUST** have security logging for VNFs and their
+  OSs be active from initialization. Audit logging includes automatic
+  routines to maintain activity records and cleanup programs to ensure
+  the integrity of the audit/logging systems.
+
+VNF Data Protection Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This section covers VNF data protection requirements that are mostly
+applicable to security monitoring.
+
+
+Data Protection Requirements
+
+* R-58964 The VNF **MUST** provide the capability to restrict read
+  and write access to data.
+* R-99112 The VNF **MUST** provide the capability to restrict access
+  to data to specific users.
+* R-83227 The VNF **MUST** Provide the capability to encrypt data in
+  transit on a physical or virtual network.
+* R-32641 The VNF **MUST** provide the capability to encrypt data on
+  non-volatile memory.
+* R-13151 The VNF **SHOULD** disable the paging of the data requiring
+  encryption, if possible, where the encryption of non-transient data is
+  required on a device for which the operating system performs paging to
+  virtual memory. If not possible to disable the paging of the data
+  requiring encryption, the virtual memory should be encrypted.
+* R-93860 The VNF **MUST** provide the capability to integrate with an
+  external encryption service.
+* R-73067 The VNF **MUST** use industry standard cryptographic algorithms
+  and standard modes of operations when implementing cryptography.
+* R-22645 The VNF **SHOULD** use commercial algorithms only when there
+  are no applicable governmental standards for specific cryptographic
+  functions, e.g., public key cryptography, message digests.
+* R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and
+  Skipjack algorithms or other compromised encryption.
+* R-02170 The VNF **MUST** use, whenever possible, standard implementations
+  of security applications, protocols, and format, e.g., S/MIME, TLS, SSH,
+  IPSec, X.509 digital certificates for cryptographic implementations.
+  These implementations must be purchased from reputable vendors and must
+  not be developed in-house.
+* R-70933 The VNF **MUST** provide the ability to migrate to newer
+  versions of cryptographic algorithms and protocols with no impact.
+* R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length.
+* R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
+* R-95864 The VNF **MUST** use commercial tools that comply with X.509
+  standards and produce x.509 compliant keys for public/private key generation.
+* R-12110 The VNF **MUST NOT** use keys generated or derived from
+  predictable functions or values, e.g., values considered predictable
+  include user identity information, time of day, stored/transmitted data.
+* R-52060 The VNF **MUST** provide the capability to configure encryption
+  algorithms or devices so that they comply with the laws of the jurisdiction
+  in which there are plans to use data encryption.
+* R-69610 The VNF **MUST** provide the capability of using certificates
+  issued from a Certificate Authority not provided by the VNF provider.
+* R-83500 The VNF **MUST** provide the capability of allowing certificate
+  renewal and revocation.
+* R-29977 The VNF **MUST** provide the capability of testing the validity
+  of a digital certificate by validating the CA signature on the certificate.
+* R-24359 The VNF **MUST** provide the capability of testing the validity
+  of a digital certificate by validating the date the certificate is being
+  used is within the validity period for the certificate.
+* R-39604 The VNF **MUST** provide the capability of testing the
+  validity of a digital certificate by checking the Certificate Revocation
+  List (CRL) for the certificates of that type to ensure that the
+  certificate has not been revoked.
+* R-75343 The VNF **MUST** provide the capability of testing the
+  validity of a digital certificate by recognizing the identity represented
+  by the certificate — the "distinguished name".