Legal information

Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)

ARCH.022 Define operational security measures

SM-2758 - Populate Confluence page for activity definition: ARCH.022 Define operational security measures Created

Goal: Identify operational requirements needed for security risk mitigation
Requirements met by this process step: RiL 114.0210 05 (15)
Inputs

AMOD-131 Security loss and threat state model

AMOD-031 Unified risk model

AMOD-028 Operational activities and interaction definitions (single operational capability)

Outputs

AMOD-031 Unified risk model (updated)

AMOD-028 Operational activities and interaction definitions (single operational capability) (updated)

Methodology
This step must be done jointly between system architect and security expert.

For every possible security-affecting deviation:
    If the risk level of the deviation is not negligible:
        Decide how the risk level will be reduced to a tolerable level
        Document the rationale for the decision
    end if
end for

Where in the risk model to insert a risk reduction measure

There are multiple points in the risk model where it is possible to reduce risk, and there is an order of preference for these. They are listed below in order of highest to lowest preference:

  • Reduce the probability of a threat state occurring (i.e., reduce the probability of the transition from allowed state to threat state; this is the same as increasing the probability that the allowed state persists);
  • Reduce the probability of a threat state persisting (this is the same as increasing the probability of recovery from the threat state to the allowed state);
  • Reduce the severity of the loss state(s) that could be caused by the threat states reached from the deviation (by increasing the probability of a transition to a less severe sub-state within the loss state).

It is permissible to define more than one risk reduction measure for any one possible deviation. When doing so, the "Swiss cheese" model should be considered: each measure has its own weaknesses, so the set of measures, taken together, should not share any common weakness.

Defining risk reduction measures in the operational activities model

Risk reduction measures in the operational layer of the model are always operational activities. Because the risk reduction measures have been determined in terms of probabilities, there is always a maximum allowable failure rate associated with any operational activity that is a risk reduction measure.

Where a suitable operational activity exists in the model, it is sufficient simply to add the maximum allowable failure rate to the corresponding outgoing interaction of that activity, following the modelling rules for that type of non-functional need.

Where no suitable operational activity exists in the model, one should be created, and the maximum allowable security-affecting failure rate should be added to the corresponding outgoing interaction.

Refer to ARCH.033 Update operational activities and interactions for instructions on updating or defining new operational activities.

If there exists more than one type of security-affecting failure for any activity, each rate can be added to one outgoing interaction of the operational activity.
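The following is an added worked example, not part of the DB Netz methodology or its Capella model: it expresses the allowed-state/threat-state/loss-state risk of one deviation as a small two-state chain, applies a measure at each of the three insertion points listed above, and derives the maximum allowable failure rate for a preventive operational activity from a tolerable risk level. The model shape and all numbers are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass
class DeviationRisk:
    """Two-state model (allowed state <-> threat state) for one security-affecting
    deviation. Probabilities are per period; values used with it are constructed."""
    p_threat: float          # P(allowed -> threat): the deviation occurs
    p_recover: float         # P(threat -> allowed): detection and recovery
    p_loss: float            # P(loss event in a period | threat state)
    loss_substates: dict     # severity of a loss sub-state -> P(landing in it)

    def threat_state_fraction(self) -> float:
        # Stationary probability of the threat state in the two-state chain.
        return self.p_threat / (self.p_threat + self.p_recover)

    def expected_severity(self) -> float:
        return sum(sev * q for sev, q in self.loss_substates.items())

    def risk(self) -> float:
        # Expected loss per period: time in threat state x loss rate x mean severity.
        return self.threat_state_fraction() * self.p_loss * self.expected_severity()


def apply_measure(model: DeviationRisk, point: str, factor: float) -> DeviationRisk:
    """Copy of `model` with a measure at one of the three insertion points,
    each reducing the targeted probability by `factor` in (0, 1)."""
    if point == "prevent":      # lower P(allowed -> threat)
        return replace(model, p_threat=model.p_threat * factor)
    if point == "recover":      # lower P(threat persists) = raise P(threat -> allowed)
        return replace(model, p_recover=1.0 - (1.0 - model.p_recover) * factor)
    if point == "severity":     # move probability from the worst sub-state to the mildest
        q = dict(model.loss_substates)
        worst, mildest = max(q), min(q)
        moved = q[worst] * (1.0 - factor)
        q[worst] -= moved
        q[mildest] += moved
        return replace(model, loss_substates=q)
    raise ValueError(f"unknown insertion point: {point}")


def max_allowable_threat_probability(model: DeviationRisk, tolerable_risk: float) -> float:
    """Largest p_threat keeping risk <= tolerable_risk with the other parameters fixed:
    the maximum allowable failure rate for a preventive operational activity."""
    loss_per_threat_period = model.p_loss * model.expected_severity()
    x = tolerable_risk / loss_per_threat_period   # required bound on threat_state_fraction
    if x >= 1.0:
        return 1.0                                 # already tolerable without a measure
    return x * model.p_recover / (1.0 - x)         # solve p / (p + r) <= x for p
```

With a constructed baseline of p_threat 0.02, p_recover 0.5, p_loss 0.3 and loss sub-states {10: 0.7, 100: 0.3}, halving the targeted probability at each point gives three different residual risks, and a tolerable risk of 0.1 yields a maximum allowable transition probability of 1/220.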

Instructions for updating the model to reflect the risk reduction measures can be found under the process steps of group ARCH.904 - it is recommended to run these process steps in parallel with the risk assessment and mitigation process steps.
Tools and non-human resources: Team for Capella
Cardinality: Once per operational capability
Completion criteria

There exists a set of risk reduction measures in the model for each possible security-affecting deviation to the current operational capability.

Rationales have been recorded for each risk reduction.

Design review

ARCH.R.1 Operational capability review

ARCH.R.2 Operational review - consolidated

Step done by (Responsible)

System architect

Security expert

Provides input to/assists (Contributes): None identified.
Uses outputs (Informed): None identified.