Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)
ARCH.022 Define operational security measures
Tracking issue SM-2758: Populate Confluence page for activity definition: ARCH.022 Define operational security measures (status: Created)
Goal | Identify operational requirements needed for security risk mitigation |
---|---|
Requirements met by this process step | RiL 114.0210 05 (15) |
Inputs | AMOD-131 Security loss and threat state model AMOD-028 Operational activities and interaction definitions (single operational capability) |
Outputs | AMOD-031 Unified risk model (updated) AMOD-028 Operational activities and interaction definitions (single operational capability) (updated) |
Methodology | This step must be done jointly between the system architect and the security expert. The procedure, the placement of risk reduction measures in the risk model, and their definition in the operational activities model are described below the table. |
Tools and non-human resources | Team for Capella |
Cardinality | Once per operational capability |
Completion criteria | There exists a set of risk reduction measures in the model for each possible security-affecting deviation from the current operational capability, and a rationale has been recorded for each risk reduction measure. |
Design review | |
Step done by (Responsible) | System architect, Security expert |
Provides input to/assists (Contributes) | None identified. |
Uses outputs (Informed) | None identified. |

Methodology: procedure

    For every possible security-affecting deviation:
        If the risk level of the deviation is not negligible:
            Decide how the risk level will be reduced to a tolerable level.
            Document the rationale for the decision.
        End if
    End for

Where in the risk model to insert a risk reduction measure

There are multiple points in the risk model where it is possible to reduce risk, and there is an order of preference for these. They are listed below in order of highest to lowest preference:

It is permissible to define more than one risk reduction measure for any one possible deviation. When doing so, the "Swiss cheese" model should be considered: each measure has its own weaknesses, so the set of measures, taken together, should not share any common weakness.

Defining risk reduction measures in the operational activities model

Risk reduction measures in the operational layer of the model are always operational activities. Because the risk reduction measures have been determined in terms of probabilities, there is always a maximum allowable failure rate associated with any operational activity that is a risk reduction measure. Where a suitable operational activity already exists in the model, it is sufficient to add the maximum allowable failure rate to the corresponding outgoing interaction of that activity, following the modelling rules for that type of non-functional need. Where no suitable operational activity exists in the model, one should be created, and the maximum allowable security-affecting failure rate should be added to the corresponding outgoing interaction. Refer to ARCH.033 Update operational activities and interactions for instructions on updating or defining new operational activities. If more than one type of security-affecting failure exists for an activity, each rate can be added to one outgoing interaction of that operational activity. Instructions for updating the model to reflect the risk reduction measures can be found under the process steps of group ARCH.904; it is recommended to run these process steps in parallel with the risk assessment and mitigation process steps.
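As an added illustration, not part of the DB Netz process description or any Capella tooling, the following Python model shows how a set of risk reduction measures for one deviation can be checked against the tolerable rate and the Swiss cheese condition before the rationale is recorded. It assumes that rates are per-demand probabilities, that independent measures multiply, and, conservatively, that measures sharing a weakness count as a single layer; all measure names and figures are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Measure:
    """A risk reduction measure realised as an operational activity (assumed model)."""
    name: str
    max_failure_rate: float                 # maximum allowable security-affecting failure rate
    weaknesses: frozenset = field(default_factory=frozenset)  # ways the measure can be defeated


def common_weaknesses(measures):
    """Swiss cheese check: return the weaknesses shared by every measure in the set."""
    if not measures:
        return frozenset()
    shared = set(measures[0].weaknesses)
    for m in measures[1:]:
        shared &= m.weaknesses
    return frozenset(shared)


def residual_rate(deviation_rate, measures):
    """Rate at which the deviation still leads to loss after the measures.

    Independent layers must all fail, so their failure rates multiply.
    A weakness common to all layers defeats them together, so (conservative
    assumption) the set is credited only with its weakest single layer.
    """
    if not measures:
        return deviation_rate
    if common_weaknesses(measures):
        return deviation_rate * max(m.max_failure_rate for m in measures)
    rate = deviation_rate
    for m in measures:
        rate *= m.max_failure_rate
    return rate


def assess(deviation_rate, tolerable_rate, measures):
    """Return (tolerable?, residual rate, shared weaknesses) for the decision rationale."""
    shared = common_weaknesses(measures)
    residual = residual_rate(deviation_rate, measures)
    return residual <= tolerable_rate, residual, shared


# Constructed sample: two independent measures versus two sharing a weakness.
OPERATOR_CONFIRMS = Measure("Operator confirms route", 1e-2, frozenset({"social engineering"}))
PLAUSIBILITY_CHECK = Measure("Automated plausibility check", 1e-2, frozenset({"stale configuration"}))
SECOND_OPERATOR = Measure("Second operator confirms", 1e-2, frozenset({"social engineering"}))
```

Two independent 1e-2 layers bring a 1e-3 deviation down to 1e-7, whereas two operator checks defeated by the same social engineering leave it at 1e-5 and fail a 1e-6 target.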