RTCA DO-356A, page 176
© RTCA, 2018
The following figure represents the firewall’s effectiveness points without taking
assurance into account. In this case, the actual effectiveness could vary as much as
between 1 and 6 points on the scale.
Applying security assurance measures to the development as well as extensive testing
decreases the likelihood of bad configuration and use of buggy software. The level of
uncertainty therefore decreases. Although the possibility of failure is still there, the
confidence in the effect of the security measure is increased.
Assurance activities help to narrow down the actual effectiveness and possible
effectiveness points to be assigned. In this case and as an example, thanks to
assurance activities the specific firewall can have an actual effectiveness in the range
from 4 to 6 effectiveness points.
It is therefore important to back up effectiveness assessment with high levels of
assurance whenever needed in order to ensure a high confidence level for the security
Basic system design with high development assurance levels, on the other hand, will
usually not help to counter security threats unless functional restrictions that have a
mitigating effect are derived from the assurance process. In such a case, those derived
security measures should be assessed as security measures (not the assurance
process itself). The fact that the development process has a high assurance level will
therefore not have a mitigating effect by itself. If this assurance level prescribes a
security measure such as input validation, for example, the effectiveness points are
evaluated according to the effect of the validation (the derived security measure).
Combined Effectiveness Assessment
Figure 3-8 in section 3.6.3 shows which mathematical rules to apply in which case.
When defining the effectiveness points, the relations between security measures, and
the fact that a measure may be effective only under certain circumstances (e.g. in
specific cases of the general scenario), have to be taken into account. Effectiveness
must not be counted more than once for what is effectively the same security measure.
If two or more security measures are only in effect alternatively (e.g. when different
attack paths are possible), the less effective one should be evaluated for the threat scenario
While each individual security measure has a generic effectiveness, the additional
applicability of these points (in combination with other security measures) needs to be
evaluated with respect to the independence, diversity and isolation of the existing
All relations other than full independence, diversity and isolation will reduce the
combined effectiveness of security measures with regard to the sum of their separate
effectiveness. The combined effectiveness needs to be taken into account for the threat
scenario instead of the separate effectiveness of the related security measures. A
justification is needed for the partial applicability of the added points. Otherwise the
worst case has to be assumed (i.e. full dependence, lack of diversity and isolation, so
that only the points of the least effective individual security measure are applied).
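The combination rules above (alternatives count as the less effective measure, dependence without justification falls back to the least effective measure, justified partial applicability adds only a share of the remaining points, and the per-criterion total is capped at the criterion maximum unless a rationale is given) can be written out as a small assessment helper. This is an added illustration, not code from DO-356A; the criterion maxima are placeholders because Table 6-35 is not on this page, and the "strongest measure plus a justified share of the others" model for partial applicability is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional
# Criterion maxima come from DO-356A Table 6-35, which is not on this page;
# these values are ASSUMED placeholders and must be taken from the table.
CRITERION_MAX = {"preparation": 6, "window": 6, "execution": 6}

@dataclass
class Measure:
    name: str
    points: int       # generic effectiveness points of the single measure
    criterion: str    # "preparation", "window" or "execution"

@dataclass
class Group:
    """Related measures (not fully independent, diverse and isolated) on one criterion."""
    measures: List[Measure]
    alternative: bool = False               # only one is in effect per attack path
    partial_factor: Optional[float] = None  # justified share of the added points (assumed model)
    justification: str = ""

def combine_group(g: Group) -> int:
    assert len({m.criterion for m in g.measures}) == 1, "group must share a criterion"
    pts = sorted(m.points for m in g.measures)
    if g.alternative:                       # alternatives: the less effective one counts
        return pts[0]
    if g.partial_factor is None or not g.justification:
        return pts[0]                       # worst case: least effective measure only
    # Justified partial applicability: strongest measure plus a share of the rest,
    # rounded down so the combination stays conservative.
    return pts[-1] + int(g.partial_factor * sum(pts[:-1]))

def combined_effectiveness(groups, singles, rationale=None):
    """Combined points per criterion, capped at the criterion maximum unless a rationale is given."""
    rationale = rationale or {}
    totals = {}
    for g in groups:
        c = g.measures[0].criterion
        totals[c] = totals.get(c, 0) + combine_group(g)
    for m in singles:                       # fully independent measures simply add up
        totals[m.criterion] = totals.get(m.criterion, 0) + m.points
    return {c: (t if t <= CRITERION_MAX[c] or c in rationale else CRITERION_MAX[c])
            for c, t in totals.items()}

def example_assessment():
    # Constructed sample: a related firewall/packet-filter pair with a justified 50 %
    # share, one independent execution measure, two independent window measures.
    pair = Group([Measure("firewall", 4, "execution"), Measure("packet filter", 2, "execution")],
                 partial_factor=0.5, justification="separate enforcement points")
    singles = [Measure("input validation", 1, "execution"),
               Measure("physical access control", 4, "window"),
               Measure("maintenance-only port", 4, "window")]
    return combined_effectiveness([pair], singles)  # execution stays 6, window capped from 8 to 6
```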
If the sum of the effects of all applicable security measures which work on the same
effectiveness criterion (preparation means, window of opportunity, execution means)
even after considering independence exceeds the regular maximum which is supposed
to be attributed to this criterion as defined above, the combined effect should not exceed
the criterion’s maximum combined effect (given in the respective section and in Table
6-35 below) unless a valid rationale is given. The reason is that, for example in the case