diff --git a/documentation/architecture/data-model.md b/documentation/architecture/data-model.md index d1033f604..b19aa456b 100644 --- a/documentation/architecture/data-model.md +++ b/documentation/architecture/data-model.md @@ -100,19 +100,20 @@ erDiagram COMPLIANCE_ASSESSMENT }o--|| FRAMEWORK : is_based_on PROJECT |o--o{ COMPLIANCE_ASSESSMENT : contains COMPLIANCE_ASSESSMENT ||--o{ REQUIREMENT_ASSESSMENT: contains + APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by + FRAMEWORK ||--o{ REQUIREMENT_NODE : contains REQUIREMENT_ASSESSMENT }o--|| REQUIREMENT_NODE : implements REQUIREMENT_ASSESSMENT }o--o{ APPLIED_CONTROL : is_answered_by REQUIREMENT_ASSESSMENT }o--o{ EVIDENCE : is_proved_by APPLIED_CONTROL }o--o| REFERENCE_CONTROL : implements REQUIREMENT_NODE }o--o{ THREAT : addresses - FRAMEWORK ||--o{ REQUIREMENT_NODE : contains - APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by RISK_ASSESSMENT }o--|| RISK_MATRIX : applies PROJECT |o--o{ RISK_ASSESSMENT : contains RISK_ASSESSMENT ||--o{ RISK_SCENARIO : contains RISK_SCENARIO }o--o{ APPLIED_CONTROL : is_mitigated_by RISK_SCENARIO }o--o{ THREAT : derives_from RISK_SCENARIO }o--o{ ASSET : threatens + RISK_SCENARIO }o--o{ QUALIFICATION : bears RISK_ACCEPTANCE }o--o{ RISK_SCENARIO : covers RISK_ASSESSMENT_REVIEW }o--|| RISK_ASSESSMENT : reviews RISK_SCENARIO }o--o{ VULNERABILITY : exploits @@ -120,6 +121,8 @@ erDiagram USER }o--o{ RISK_SCENARIO : owns USER }o--o{ APPLIED_CONTROL : owns USER }o--o{ ASSET : owns + ASSET ||--o{ SECURITY_OBJECTIVE : has + SECURITY_OBJECTIVE }o--|| QUALIFICATION : implements PROJECT { string ref_id @@ -289,8 +292,9 @@ erDiagram string type asset parent_asset url reference_link - json security_objectives - json disaster_recovery_objectives + int rto + int rpo + int mtd } RISK_SCENARIO { @@ -307,7 +311,6 @@ erDiagram json target_risk_vector string strength_of_knowledge string justification - json qualifications string threat_actor } 
@@ -337,6 +340,19 @@ erDiagram string reviewer } + QUALIFICATION { + string ref_id + string name + string description + json translations + int order + bool is_objective + } + + SECURITY_OBJECTIVE { + int value + } + ``` ### Requirement mappings 
@@ -407,37 +423,47 @@ Projects have the following fields: - Description - Status: --/Design/Development/Production/End of life/Dropped -## Assets, security and disaster recovery objectives +## Qualifications -Assets are context objects defined by the entity using CISO Assistant. They are optional, assessments can be done without using them. +Qualifications are qualities/objectives that can be used to qualify risk scenarios or to set security objectives to primary assets. Some of them are hardcoded, but in the PRO version the administrator can define additional values and rename existing ones. -Assets are of type primary or supporting. A primary asset has no parent, a supporting asset can have parent assets (primary or supporting), but not itself. +The following values are preloaded: -Primary assets have security objectives that are evolutive, so they are catched in a json field. +abbreviation | q_order | so_order | name | description | translations | urn +-------------|---------|----------|------------------|-------------|--------------|------------------------------------------------ +C | 1 | 1 | confidentiality | | ... | urn:intuitem:risk:qualification:confidentiality +I | 2 | 2 | integrity | | ... | urn:intuitem:risk:qualification:integrity +A | 3 | 3 | availability | | ... | urn:intuitem:risk:qualification:availability +P | 4 | 4 | proof | | ... | urn:intuitem:risk:qualification:proof +Aut | 5 | 5 | authenticity | | ... | urn:intuitem:risk:qualification:authenticity +Priv | 6 | 6 | privacy | | ... | urn:intuitem:risk:qualification:privacy +Safe | 7 | 7 | safety | | ... | urn:intuitem:risk:qualification:safety +Rep | 8 | | reputation | | ... | urn:intuitem:risk:qualification:safety +Ope | 9 | | operational | | ... | urn:intuitem:risk:qualification:operational +Leg | 10 | | legal | | ... | urn:intuitem:risk:qualification:legal +Fin | 11 | | financial | | ... 
| urn:intuitem:risk:qualification:financial -Security objectives are specific goals or requirements that an organization, system, or process aims to achieve in order to ensure its security and protect its primary assets. +Qualifications that have so_order defined can be used to set security objectives to primary assets. -There is a global parameter that defines a list of security objectives with a corresponding scale and a corresponding boolean allowing to select or hide a security objective. The following security objectives are pre-defined: +The role of urn is to enable updates with a library, and to facilitate export/import between instances (not in MVP). - ref_id | Name | Description | default scale | default select value ---------|----------------------------|-------------|---------------|--------------------- - C | Confidentiality | ... | 1-4 | True - I | Integrity | ... | 1-4 | True - A | Availability | ... | 1-4 | True - P | Proof | ... | 1-4 | True - Auth | Authenticity | ... | 1-4 | False - Priv | Privacy | ... | 1-4 | False - Safe | Safety | ... | 1-4 | False +Note: the order can be changed in a translation. This makes easy to transform CIAP (English) in DICP (French) (not in MVP). -The following disaster recovery objectives (measured in seconds) are pre-defined: +## Assets, security and disaster recovery objectives - ref_id | Name | Description ---------|----------------------------|------------ - RTO | Recovery Time Objective | ... - RPO | Recovery Point Objetive | ... - MTD | Maximum Tolerable Downtime | ... +Assets are context objects defined by the entity using CISO Assistant. They are optional, assessments can be done without using them. + +Assets are of type primary or supporting. A primary asset has no parent, a supporting asset can have parent assets (primary or supporting), but not itself. 
+ +The following disaster recovery objectives (measured in seconds) can be defined on assets: -In a future version, users will be able to define custom security objectives. + Abbreviation | Name | Description +--------------|----------------------------|------------ + RTO | Recovery Time Objective | ... + RPO | Recovery Point Objetive | ... + MTD | Maximum Tolerable Downtime | ... + +Assets have security objectives. Security objectives are specific goals or requirements that an organization, system, or process aims to achieve in order to ensure its security and protect its primary assets. They are a subset of qualifications. Security objectives are measured using a specifc scale. For now, the following scales are defined: - 0-3: coded as 0-3 @@ -461,9 +487,7 @@ FIPS-199 | 1 | moderate FIPS-199 | 2 | moderate FIPS-199 | 3 | high -Security objectives can be evaluated for each asset. The default value is Null. The corresponding json field is composed of a list of tuples {security_objective_ref_id, value}. - -When a security objective is hidden in the global parameters, it is simply not proposed for new edition. However, a security objective that is already used in an asset is kept and editable even if it is hidden globally. Thus, when selecting or hiding a security objective, no value is changed in asset. +THe scale to use is a global parameter. It has no impact on the encoding in the database, which always uses the internal value. ## Frameworks 
@@ -623,7 +647,6 @@ The following inference rules are used: A risk assessment is based on scenarios, covered by Applied controls. Gathering the risk scenarios constitutes the "risk identification" phase. - The risk matrix cannot be changed once the risk assessment is created. A risk assessment has an _risk_assessment_method_ field that can take the following values: 0 (risk matrix)/1 (Open FAIR). This cannot be changed once the risk assessment is created. Similarly, the risk matrix cannot be changed once the risk assessment is created. @@ -634,9 +657,7 @@ A risk scenario contains a treatment option with the values --/open/mitigate/acc A risk scenario also contains a "strength of knowledge", within the values --/0 (Low)/1 (Medium)/2 (High). This can be used to represent a third dimension of risk, as recommended by the Society for Risk Analysis. The field "justification" can be used to expose the knowledge. -A risk scenario also contains a "qualification" field, containing an array with the following possible values: Confidentiality, Integrity, Availability, Proof, Authenticity, Privacy, Safety, Reputation, Operational, Legal, Financial. The qualification can cover none, one or several of the values. - -Note: the list of qualifications is a superset of security objectives. +A risk scenario also contains qualifications. The risk evaluation is automatically done based on the selected risk matrix. @@ -1257,9 +1278,8 @@ erDiagram ```mermaid erDiagram - ATTACK_PATH }o--|| RO_TO : derives - RO_TO }o--o{ FEARED_EVENT : corresponds_to FEARED_EVENT }o--o{ ASSET : affects + STAKEHOLDER }o--|| ENTITY : qualifies EBIOS_RM_STUDY }o--o{ RO_TO : contains EBIOS_RM_STUDY }o--o{ STAKEHOLDER : contains EBIOS_RM_STUDY }o--o{ OPERATIONAL_SCENARIO : contains 
@@ -1270,11 +1290,13 @@ erDiagram EBIOS_RM_STUDY }o--o{ COMPLIANCE_ASSESSMENT: leverages EBIOS_RM_STUDY }o--|| RISK_MATRIX : leverages EBIOS_RM_STUDY }o--o{ RISK_ASSESSMENT : generates + ATTACK_PATH }o--|| RO_TO : derives + RO_TO }o--o{ FEARED_EVENT : corresponds_to OPERATIONAL_SCENARIO }o--|{ ATTACK_PATH : derives OPERATIONAL_SCENARIO }o--o{ THREAT : leverages ATTACK_PATH }o--o{ STAKEHOLDER : leverages STAKEHOLDER }o--o{ APPLIED_CONTROL : reinforces - STAKEHOLDER }o--|| ENTITY : qualifies + FEARED_EVENT }o--o{ QUALIFICATION : bears EBIOS_RM_STUDY { string ref_id @@ -1294,7 +1316,6 @@ erDiagram string ref_id string name string description - json qualifications int gravity bool selected string justification
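Review bot: in the `@@ -407,37 +423,47 @@` hunk, the preloaded row for `Rep` (reputation) carries `urn:intuitem:risk:qualification:safety`, the same urn as the `Safe` row. The same hunk says the urn exists to enable updates with a library and export/import between instances, so two qualifications sharing one urn would be ambiguous for both. Every other row ends its urn with the qualification's own name, so this one presumably should end in `reputation`. While touching the section: the abbreviation for authenticity changes from `Auth` in the removed table to `Aut` in the new one with no mention of it, and "This makes easy to transform" and "Recovery Point Objetive" need a spelling pass.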
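Review bot: in the `@@ -337,6 +340,19 @@` hunk, the new `QUALIFICATION` entity does not match the Qualifications section added later in this patch. The entity declares `ref_id`, `name`, `description`, `translations`, a single `int order` and `bool is_objective`, while the preloaded table uses the columns abbreviation, q_order, so_order and urn, and the prose selects security objectives by "so_order defined" rather than by `is_objective`. Pick one representation and use it in both places: either add `urn` and the two order fields to the entity, or describe the table in terms of `ref_id`, `order` and `is_objective`. The same applies to `ASSET ||--o{ SECURITY_OBJECTIVE : has`, which allows objectives on any asset although the text restricts them to primary assets; a short note under the diagram would make that constraint explicit.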
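Review bot: in the `@@ -461,9 +487,7 @@` hunk, the removed paragraphs specified two behaviours that the replacement sentence no longer covers: that an unevaluated security objective defaults to Null, and that an objective hidden globally stays present and editable on assets that already use it. With objectives now stored as `SECURITY_OBJECTIVE` rows tied to a `QUALIFICATION`, the document should say whether an objective may be unset and what happens to existing rows when an administrator renames a qualification or stops it from being a security objective. Also fix the typo in "THe scale to use is a global parameter".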
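Review bot: in the `@@ -634,9 +657,7 @@` hunk, "A risk scenario also contains qualifications." drops information the removed text carried, namely that a scenario can cover none, one or several values and that the list is a superset of security objectives. The diagram line `RISK_SCENARIO }o--o{ QUALIFICATION : bears` implies the cardinality, but the prose should still state it and point to the Qualifications section so readers know where the allowed values are defined. The feared-event description in the EBIOS RM part, where `json qualifications` is also removed, would benefit from the same one-line cross-reference.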