View TRAK:SVp-13 Solution Risk Viewpoint

Title

SVp-13 - Solution Risk Viewpoint

Version

1

Date

1st January 2016

Overview

The SVp-13 - Solution Risk Viewpoint is part of the TRAK Solution Perspective and one of the 24 TRAK Architecture Viewpoints.

The SVp-13 architecture viewpoint is the specification for the TRAK::SV-13 Solution Risk architecture view.

Stakeholders Addressed

  • Owner of Solution
  • Acquirer of Solution
  • Developer of Solution
  • Builder of Solution
  • Operator of Solution
  • Trainer of Solution
  • Maintainer of Solution
  • User of Solution

Covered by TRAK IPR and licenses

Concerns Addressed

The SVp-13 addresses the following concerns:

  • what threats is the system of interest exposed to?
  • what are the vulnerabilities of the system of interest?
  • what are the risks posed to the system, or to a third party by the system?
  • how does the solution design mitigate or address the vulnerabilities, threats and risks?

Description

Describes the threats posed to a system as a result of vulnerabilities that expose the system of interest (or other resources) to risk. Describes how these are managed, mitigated or controlled so that the risks are kept at a tolerable level.

Typically used to represent:

  • the origins of a risk in terms of particular threats which exploit system vulnerabilities, for example to support an analysis of the security features of a system
  • how threats can cause particular events (which might be part of a sequence that leads to a top level event that needs to be prevented, mitigated or minimised - addressed in the SVp-11 Solution Event Causes Viewpoint).

Mandatory Metamodel Tuples

Identification

Analysis

As Identification +

  • Resource has Vulnerability
  • Function has Vulnerability
  • Resource Interaction has Vulnerability
  • Interaction Element has Vulnerability
  • Threat (syn. Hazard) exploits Vulnerability
  • Vulnerability results in Risk

Management & Control

As Identification +

  • Risk is managed using Mitigation
  • Mitigation uses Resource
  • Mitigation uses Function

Optional Metamodel Tuples

Context – Events

  • Event can lead to exposure to Risk
  • Event causes Event

Universal

If any of these optional metamodel elements are added then the appropriate TRAK Master Architecture View must be provided.

Well-Formedness

A SV-13 view shall contain:

Identification

  • at least one (the subject) Resource
  • the subject Resource is linked to at least one Risk using ‘Resource exposed to Risk’
  • every Risk is linked to at least one Threat using ‘Threat poses Risk’
  • every Threat is linked to the subject Resource using ‘Threat to Resource’

i.e. there must be at least one Resource - Risk - Threat - (same) Resource path

Analysis

As Identification +

  • every Threat is linked to at least one (subject Resource) Vulnerability using ‘Threat exploits Vulnerability’
  • every (subject Resource) Vulnerability is linked to the (subject) Resource using ‘Resource has Vulnerability’
  • every (subject Resource) Vulnerability is linked to at least one Risk using ‘Vulnerability results in Risk’

Management & Control

As Identification +

  • every Risk is linked to at least one Mitigation using ‘Risk is managed using Mitigation’
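
When a view is held in textual form (a set of tuples), the well-formedness rules above can be checked mechanically. The following is an added example, not part of the TRAK specification: the tuple layout, the shortened relationship strings and the sample element names are assumptions made for illustration.

```python
from collections import defaultdict

def check_sv13(subject, tuples, level="identification"):
    """Return SV-13 rule violations for a view; an empty list means well-formed.
    tuples are (source, relationship, target) name triples; inferring element
    types from the relationship is an assumption of this example.
    level is "identification", "analysis" or "management"."""
    links = defaultdict(set)
    for src, rel, dst in tuples:
        links[rel].add((src, dst))

    def srcs(rel):
        return {s for s, _ in links[rel]}
    def dsts(rel):
        return {d for _, d in links[rel]}

    # Every element of each type that appears anywhere in the view.
    risks = dsts("exposed to") | dsts("poses") | dsts("results in") | srcs("is managed using")
    threats = srcs("poses") | srcs("to") | srcs("exploits")
    vulns = dsts("exploits") | dsts("has") | srcs("results in")
    errors = []
    # Identification: Resource - Risk - Threat - (same) Resource path.
    if subject not in srcs("exposed to"):
        errors.append(f"{subject}: no 'Resource exposed to Risk'")
    errors += [f"{r}: no 'Threat poses Risk'" for r in sorted(risks - dsts("poses"))]
    errors += [f"{t}: no 'Threat to Resource' for {subject}"
               for t in sorted(threats) if (t, subject) not in links["to"]]
    if level == "analysis":  # As Identification +
        errors += [f"{t}: no 'Threat exploits Vulnerability'"
                   for t in sorted(threats - srcs("exploits"))]
        errors += [f"{v}: no 'Resource has Vulnerability' for {subject}"
                   for v in sorted(vulns) if (subject, v) not in links["has"]]
        errors += [f"{v}: no 'Vulnerability results in Risk'"
                   for v in sorted(vulns - srcs("results in"))]
    if level == "management":  # As Identification +
        errors += [f"{r}: no 'Risk is managed using Mitigation'"
                   for r in sorted(risks - srcs("is managed using"))]
    return errors

# Constructed sample view (names are illustrative, not from the TRAK pages).
VIEW = [
    ("Web Server", "exposed to", "Data Disclosure"),
    ("Intruder", "poses", "Data Disclosure"),
    ("Intruder", "to", "Web Server"),
    ("Intruder", "exploits", "Unpatched Library"),
    ("Web Server", "has", "Unpatched Library"),
    ("Unpatched Library", "results in", "Data Disclosure"),
]
```

The sample view passes at the Identification and Analysis levels but fails Management & Control until a ‘Risk is managed using Mitigation’ tuple is added for the Risk.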

Presentation

  • graphical, showing a tree depicting the causal relationships e.g. a fault tree, visualisation of tuples
  • textual e.g. set of tuples as assertions.

Examples

Views Needed to Construct

See Minimum Allowed View Sets

The SV-13 is the master architecture view for Mitigation, Risk, Threat and Vulnerability.

Consistency Rules

Configuration History

The TRAK Viewpoints project on Sourceforge (trakviewpoints.sourceforge.net) maintains a version-controlled repository. The change record is at trakviewpoints.svn.sourceforge.net/viewvc/trakviewpoints/trunk/?view=log

Comments

References

Other Frameworks

There are no equivalent views in MODAF, DODAF or NAF.

    © 2010 Eclectica Systems Ltd.