Commit

Update data-model.md
- use sql instead of json for qualifications/security objectives.
- rto/rpo/mtd as simple fields
eric-intuitem committed Nov 30, 2024
1 parent 38fab3e commit 31c45e4
Showing 1 changed file with 59 additions and 38 deletions.
97 changes: 59 additions & 38 deletions documentation/architecture/data-model.md
Expand Up @@ -100,26 +100,29 @@ erDiagram
COMPLIANCE_ASSESSMENT }o--|| FRAMEWORK : is_based_on
PROJECT |o--o{ COMPLIANCE_ASSESSMENT : contains
COMPLIANCE_ASSESSMENT ||--o{ REQUIREMENT_ASSESSMENT: contains
APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by
FRAMEWORK ||--o{ REQUIREMENT_NODE : contains
REQUIREMENT_ASSESSMENT }o--|| REQUIREMENT_NODE : implements
REQUIREMENT_ASSESSMENT }o--o{ APPLIED_CONTROL : is_answered_by
REQUIREMENT_ASSESSMENT }o--o{ EVIDENCE : is_proved_by
APPLIED_CONTROL }o--o| REFERENCE_CONTROL : implements
REQUIREMENT_NODE }o--o{ THREAT : addresses
FRAMEWORK ||--o{ REQUIREMENT_NODE : contains
APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by
RISK_ASSESSMENT }o--|| RISK_MATRIX : applies
PROJECT |o--o{ RISK_ASSESSMENT : contains
RISK_ASSESSMENT ||--o{ RISK_SCENARIO : contains
RISK_SCENARIO }o--o{ APPLIED_CONTROL : is_mitigated_by
RISK_SCENARIO }o--o{ THREAT : derives_from
RISK_SCENARIO }o--o{ ASSET : threatens
RISK_SCENARIO }o--o{ QUALIFICATION : bears
RISK_ACCEPTANCE }o--o{ RISK_SCENARIO : covers
RISK_ASSESSMENT_REVIEW }o--|| RISK_ASSESSMENT : reviews
RISK_SCENARIO }o--o{ VULNERABILITY : exploits
VULNERABILITY }o--o{ APPLIED_CONTROL : is_fixed_by
USER }o--o{ RISK_SCENARIO : owns
USER }o--o{ APPLIED_CONTROL : owns
USER }o--o{ ASSET : owns
ASSET ||--o{ SECURITY_OBJECTIVE : has
SECURITY_OBJECTIVE }o--|| QUALIFICATION : implements
PROJECT {
string ref_id
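
Review bot: the two relationship lines added at the end of this list, `ASSET ||--o{ SECURITY_OBJECTIVE : has` and `SECURITY_OBJECTIVE }o--|| QUALIFICATION : implements`, do not say that an asset may hold at most one objective per qualification. State the uniqueness of the (asset, qualification) pair next to the diagram, so the relational model cannot end up with two conflicting values for the same objective on one asset.
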
Expand Down Expand Up @@ -289,8 +292,9 @@ erDiagram
string type
asset parent_asset
url reference_link
json security_objectives
json disaster_recovery_objectives
int rto
int rpo
int mtd
}
RISK_SCENARIO {
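
Review bot: `int rto`, `int rpo` and `int mtd` in the ASSET entity carry no unit and no indication of whether they may be empty. The prose says these objectives are measured in seconds; repeat that in the field list, and say whether an unset objective is stored as null so that it is not read as zero seconds.
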
Expand All @@ -307,7 +311,6 @@ erDiagram
json target_risk_vector
string strength_of_knowledge
string justification
json qualifications
string threat_actor
}
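
Review bot: removing `json qualifications` from RISK_SCENARIO leaves the document silent on what happens to values already stored in that field. Add a sentence on how existing entries are carried over to the new `RISK_SCENARIO }o--o{ QUALIFICATION : bears` relation.
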
Expand Down Expand Up @@ -337,6 +340,19 @@ erDiagram
string reviewer
}
QUALIFICATION {
string ref_id
string name
string description
json translations
int order
bool is_objective
}
SECURITY_OBJECTIVE {
int value
}
```

### Requirement mappings
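
Review bot: the QUALIFICATION entity added here lists `int order` and `bool is_objective`, while the preloaded-values table in the Qualifications section uses `abbreviation`, `q_order`, `so_order` and `urn`, none of which appear in the entity. Align the two: either give the entity the `urn`, the abbreviation and the two order columns, or describe the table in terms of `ref_id`, `order` and `is_objective`.
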
Expand Down Expand Up @@ -407,37 +423,47 @@ Projects have the following fields:
- Description
- Status: --/Design/Development/Production/End of life/Dropped

## Assets, security and disaster recovery objectives
## Qualifications

Assets are context objects defined by the entity using CISO Assistant. They are optional, assessments can be done without using them.
Qualifications are qualities/objectives that can be used to qualify risk scenarios or to set security objectives to primary assets. Some of them are hardcoded, but in the PRO version the administrator can define additional values and rename existing ones.

Assets are of type primary or supporting. A primary asset has no parent, a supporting asset can have parent assets (primary or supporting), but not itself.
The following values are preloaded:

Primary assets have security objectives that are evolutive, so they are catched in a json field.
abbreviation | q_order | so_order | name | description | translations | urn
-------------|---------|----------|------------------|-------------|--------------|------------------------------------------------
C | 1 | 1 | confidentiality | | ... | urn:intuitem:risk:qualification:confidentiality
I | 2 | 2 | integrity | | ... | urn:intuitem:risk:qualification:integrity
A | 3 | 3 | availability | | ... | urn:intuitem:risk:qualification:availability
P | 4 | 4 | proof | | ... | urn:intuitem:risk:qualification:proof
Aut | 5 | 5 | authenticity | | ... | urn:intuitem:risk:qualification:authenticity
Priv | 6 | 6 | privacy | | ... | urn:intuitem:risk:qualification:privacy
Safe | 7 | 7 | safety | | ... | urn:intuitem:risk:qualification:safety
Rep | 8 | | reputation | | ... | urn:intuitem:risk:qualification:safety
Ope | 9 | | operational | | ... | urn:intuitem:risk:qualification:operational
Leg | 10 | | legal | | ... | urn:intuitem:risk:qualification:legal
Fin | 11 | | financial | | ... | urn:intuitem:risk:qualification:financial

Security objectives are specific goals or requirements that an organization, system, or process aims to achieve in order to ensure its security and protect its primary assets.
Qualifications that have so_order defined can be used to set security objectives to primary assets.

There is a global parameter that defines a list of security objectives with a corresponding scale and a corresponding boolean allowing to select or hide a security objective. The following security objectives are pre-defined:
The role of urn is to enable updates with a library, and to facilitate export/import between instances (not in MVP).

ref_id | Name | Description | default scale | default select value
--------|----------------------------|-------------|---------------|---------------------
C | Confidentiality | ... | 1-4 | True
I | Integrity | ... | 1-4 | True
A | Availability | ... | 1-4 | True
P | Proof | ... | 1-4 | True
Auth | Authenticity | ... | 1-4 | False
Priv | Privacy | ... | 1-4 | False
Safe | Safety | ... | 1-4 | False
Note: the order can be changed in a translation. This makes easy to transform CIAP (English) in DICP (French) (not in MVP).

The following disaster recovery objectives (measured in seconds) are pre-defined:
## Assets, security and disaster recovery objectives

ref_id | Name | Description
--------|----------------------------|------------
RTO | Recovery Time Objective | ...
RPO | Recovery Point Objetive | ...
MTD | Maximum Tolerable Downtime | ...
Assets are context objects defined by the entity using CISO Assistant. They are optional, assessments can be done without using them.

Assets are of type primary or supporting. A primary asset has no parent, a supporting asset can have parent assets (primary or supporting), but not itself.

The following disaster recovery objectives (measured in seconds) can be defined on assets:

In a future version, users will be able to define custom security objectives.
Abbreviation | Name | Description
--------------|----------------------------|------------
RTO | Recovery Time Objective | ...
RPO | Recovery Point Objetive | ...
MTD | Maximum Tolerable Downtime | ...

Assets have security objectives. Security objectives are specific goals or requirements that an organization, system, or process aims to achieve in order to ensure its security and protect its primary assets. They are a subset of qualifications.

Security objectives are measured using a specifc scale. For now, the following scales are defined:
- 0-3: coded as 0-3
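
Review bot: in the preloaded qualifications table, the `Rep` row reuses `urn:intuitem:risk:qualification:safety`, the same urn as the `Safe` row; it should presumably be `urn:intuitem:risk:qualification:reputation`. Since the urn is what enables library updates and export/import between instances, a duplicate would make the two entries indistinguishable there. Minor: "Objetive" in the RPO row and "specifc" in the scale sentence are misspelled, and the abbreviation for authenticity changes from `Auth` to `Aut` without explanation.
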
Expand All @@ -461,9 +487,7 @@ FIPS-199 | 1 | moderate
FIPS-199 | 2 | moderate
FIPS-199 | 3 | high

Security objectives can be evaluated for each asset. The default value is Null. The corresponding json field is composed of a list of tuples {security_objective_ref_id, value}.

When a security objective is hidden in the global parameters, it is simply not proposed for new edition. However, a security objective that is already used in an asset is kept and editable even if it is hidden globally. Thus, when selecting or hiding a security objective, no value is changed in asset.
THe scale to use is a global parameter. It has no impact on the encoding in the database, which always uses the internal value.

## Frameworks

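Review bot: the replacement sentence about the scale drops two behaviours that the removed paragraphs specified: the default value of a security objective (Null), and the rule that a hidden objective already set on an asset stays in place and editable. Say what the new model does in both cases, for example when a qualification stops being usable as an objective while SECURITY_OBJECTIVE rows still reference it. Also, "THe" should read "The".
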
Expand Down Expand Up @@ -623,7 +647,6 @@ The following inference rules are used:

A risk assessment is based on scenarios, covered by Applied controls. Gathering the risk scenarios constitutes the "risk identification" phase.


The risk matrix cannot be changed once the risk assessment is created.

A risk assessment has an _risk_assessment_method_ field that can take the following values: 0 (risk matrix)/1 (Open FAIR). This cannot be changed once the risk assessment is created. Similarly, the risk matrix cannot be changed once the risk assessment is created.
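
Review bot: this hunk keeps both the standalone sentence "The risk matrix cannot be changed once the risk assessment is created." and the same statement at the end of the `_risk_assessment_method_` paragraph. Drop one of the two, and change "an _risk_assessment_method_ field" to "a _risk_assessment_method_ field".
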
Expand All @@ -634,9 +657,7 @@ A risk scenario contains a treatment option with the values --/open/mitigate/acc

A risk scenario also contains a "strength of knowledge", within the values --/0 (Low)/1 (Medium)/2 (High). This can be used to represent a third dimension of risk, as recommended by the Society for Risk Analysis. The field "justification" can be used to expose the knowledge.

A risk scenario also contains a "qualification" field, containing an array with the following possible values: Confidentiality, Integrity, Availability, Proof, Authenticity, Privacy, Safety, Reputation, Operational, Legal, Financial. The qualification can cover none, one or several of the values.

Note: the list of qualifications is a superset of security objectives.
A risk scenario also contains qualifications.

The risk evaluation is automatically done based on the selected risk matrix.

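Review bot: "A risk scenario also contains qualifications." loses the cardinality the old text gave (none, one or several values) and no longer says which values are allowed. Point to the Qualifications section and keep the statement that a scenario may bear zero or more of them.
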
Expand Down Expand Up @@ -1257,9 +1278,8 @@ erDiagram
```mermaid
erDiagram
ATTACK_PATH }o--|| RO_TO : derives
RO_TO }o--o{ FEARED_EVENT : corresponds_to
FEARED_EVENT }o--o{ ASSET : affects
STAKEHOLDER }o--|| ENTITY : qualifies
EBIOS_RM_STUDY }o--o{ RO_TO : contains
EBIOS_RM_STUDY }o--o{ STAKEHOLDER : contains
EBIOS_RM_STUDY }o--o{ OPERATIONAL_SCENARIO : contains
Expand All @@ -1270,11 +1290,13 @@ erDiagram
EBIOS_RM_STUDY }o--o{ COMPLIANCE_ASSESSMENT: leverages
EBIOS_RM_STUDY }o--|| RISK_MATRIX : leverages
EBIOS_RM_STUDY }o--o{ RISK_ASSESSMENT : generates
ATTACK_PATH }o--|| RO_TO : derives
RO_TO }o--o{ FEARED_EVENT : corresponds_to
OPERATIONAL_SCENARIO }o--|{ ATTACK_PATH : derives
OPERATIONAL_SCENARIO }o--o{ THREAT : leverages
ATTACK_PATH }o--o{ STAKEHOLDER : leverages
STAKEHOLDER }o--o{ APPLIED_CONTROL : reinforces
STAKEHOLDER }o--|| ENTITY : qualifies
FEARED_EVENT }o--o{ QUALIFICATION : bears
EBIOS_RM_STUDY {
string ref_id
Expand All @@ -1294,7 +1316,6 @@ erDiagram
string ref_id
string name
string description
json qualifications
int gravity
bool selected
string justification