Requirements
Requirements, i.e., legal, functional, and non-functional requirements, as well as constraints, are the basis for item definition and security analysis.
Use the EnCo SOX requirements management module (RM) to create and manage your requirements.
Import requirements from other RM tools via the interchange formats ReqIF (XML) or Excel.
Additionally, SOX provides full synchronization of requirements with the following tools:
PTC Windchill
IBM Doors (DNG)
Jira (https://www.atlassian.com/software/jira, external link)
Jama
Please follow the link to a video presenting integration with, for example, Intland codebeamer: SOX-CB Synchronization.
Requirements can be classified as security-related after security goals and their associated ASILs have been defined.
...
System Design and Item Definition
With Eclipse Papyrus™, SOX provides a fully functional system modeling tool based on UML 2.5 and SysML 1.6.
...
Use a SysML requirement diagram to model requirements and their relations.
Use a SOX concepts diagram (SCD) to model requirements and their relations to other model elements like system elements, functions, and malfunctions.
Use a SOX concepts diagram (SCD) to represent the system elements of the item. You may add the item’s functions and their malfunctions, as well as requirements and security goals.
Use an internal block diagram (IBD) to model the boundary of the item and the interactions between the parts of the item and with other systems in the context of the item.
...
TARA and ATA
With the TARA module, you analyze damage and threat scenarios related to the cybersecurity assets of your item. This module has now migrated to the new web-based C-SOX interface. For the working method, refer to "C-SOX TARA (SOX 4.1 or Better)" (new TARA).
...
With the ATA module, you further analyze a threat scenario in order to rate the attack feasibility of that threat.
...
...
Security Concept
Based on your security goals, derive cybersecurity requirements and model your cybersecurity concept (CSC).
Use the SOX requirements module for documentation and management.
Use a SOX concepts diagram or a SysML requirement diagram to graphically represent your CSC:
Model structure and dependencies between security goals and derived cybersecurity requirements.
Connect requirements to system elements or functions.
Use the report designer to present the security concept as a document including all the results of security analysis as diagrams or tables.
...
Further Analysis: FMEA and FTA
A Failure Mode and Effects Analysis (FMEA) or Failure Tree Analysis (FTA) might be used to further analyze the effects of a cyber attack.
...
...
Report Designer
Create templates for your reports and use them in your SOX projects. You can also create reports from scratch. SOX content can be added to reports easily by dragging and dropping.
Refer to:
Report Designer in C-SOX Report Designer (FSC / TSC)
C-SOX: Report Designer (Generation of, Inter Alia, FSC / TSC Documentation)