RTCA Documents for Review: DO-356A
© RTCA, 2018
Section 3.3.3 provides additional information on how this data is used when
constructing threat scenarios. Relevant information includes:
- What are the data flows? What security measures block unauthorized data
- When is the security measure applicable? E.g. what targets does it
  protect? E.g. what threat scenarios does it mitigate? When does it need to
  be effective? How is it bypassed?
- When is the security measure exposed? E.g. what threat scenarios involve
  its assets? What are its interfaces and modes? How is it administered /
Assumption: The security architecture is an input for the security measure
The design of security measures and the security architecture is not
addressed here, but will be provided in a future version of this document.
The information gathered to perform security risk assessment and elaboration of
security requirements also results in the security measure characteristics, which are
summarized in Table 3-2 below.
TABLE 3-2: SECURITY MEASURE CHARACTERISTICS
Details that help to better understand and evaluate the security measure,
including interfaces, functional specification, requirements, architectural
and implementation details and references to external descriptions (e.g.
security control from NIST SP800-53 or security functional components
from Common Criteria)
Protected assets: List of assets that are protected by the security measure and the applicable
security attributes (Confidentiality and/or Integrity and/or Availability)
Type of effect*: Preventive, Deterrent, Detective, Corrective or other types
Ability to protect in general (not specific to a threat scenario), e.g. ease of
use, strength of mechanism, impact reduction
A list of properties, configuration data, architectural features, etc. that are
required for the proper function of the security measure.
To track whether a security measure is planned, specified, implemented,
* Useful to the organization but not required to be included in a risk assessment
The “Security Measure Characterization” activity provides information to the “Threat
Scenario Identification” and the “Level of Threat Evaluation” activities.
Outputs for the “Threat Scenario Identification” are used to determine whether a security
measure exists on an attack path or may apply to a threat scenario. Useful information
includes type, its place in the architecture, protection capabilities, attack type coverage
and dependencies (these characteristics will later be needed for the Level of Threat
Outputs for the “Level of Threat Evaluation” are used to evaluate the dependencies
between security measures, their specific and combined effectiveness and their
robustness against attacks on the security measures. In addition to the “Threat Scenario
Identification” information, security measure characteristics should include the generic
effectiveness, vulnerabilities and a detailed description (including available
architectural, functional and technical details). Vulnerabilities in security measures are
limitations of security measures and are characterized accordingly. If a Security Assurance
Level (see chapter 4) is already determined (e.g. due to a specific security architecture),
it should be included.