SOX Security Workflow at a Glance

Requirements

Requirements, i.e., legal, functional, and non-functional requirements, as well as constraints, are the basis for item definition and security analysis.

• Use the EnCo SOX requirements management module (RM) to create and manage your requirements.

• Import requirements from other RM tools via interchange formats ReqIF (XML) or Excel

• Additionally, SOX provides full synchronization of requirements with the following tools:

  • https://enco-software.atlassian.net/wiki/pages/resumedraft.action?draftId=2811789313

  • IBM Doors (DNG)

  • PTC Windchill

  • Jira | Issue & Project Tracking Software | Atlassian (external link)

  • Polarion

  • Jama.

Please follow the link to a video presenting integration with, for example, Intland codebeamer: SOX-CB Synchronization.

Requirements can be classified as security-related after security goals and their associated ASILs have been defined.

System Design and Item Definition

With Eclipse Papyrus^TM, SOX provides a full functional system modeling tool based on UML 2.5 and SysML 1.6.

• Model your system architecture directly in SOX using standard UML/SysML diagrams.

• Import UML/SysML models via XMI 2.1 from other tools.

• In addition to XMI, SOX provides full interfaces to the following design tools:

  • MagicDraw (to be implemented)

  • Enterprise Architect (to be implemented).

Define the item and describe its functionality:

• Use a SysML requirement diagram to model requirements and their relations.

• Use a SOX concepts diagram (SCD) to model requirements and their relations to other model elements like system elements, functions, and malfunctions.

• Use a SOX concepts diagram (SCD) to represent the system elements of the item. You may add the item’s functions and their malfunctions, as well as requirements and security goals.

• Use an internal block diagram (IBD) to model the boundary of the item, interactions between the parts of the item and with other systems in the context of the item.

TARA and ATA

With the TARA module you analyze damage and threat scenarios related to the cybersecurity assets of your
item. This module has now migrated to the new web-based C-SOX interface. To discover the working method, kindly refer to new TARAUNDEFINED.

With the ATA module you further analyze a threat scenario in order to rate the attack feasibility of that threat.

• Assess the attack feasibility of a threat scenario by analyzing individual attack paths.

• Create an ATA document from threat identified in TARA.

• Calculate attack feasibility, propagate it to the threat and pass over the rating to threat scenario in TARA.

• You may also connect requirements to gates in ATA.

References:

ATA (Attack Tree Analysis)UNDEFINED

Attack Tree Analysis

Security Concept

Based on your security goals, derive cybersecurity requirements and model your cybersecurity concept (CSC).

• Use the SOX requirements module for documentation and management.

• Use SOX concepts diagram or SysML requirement diagram to graphically represent your CSC:

  • Model structure and dependencies between security goals and derived cybersecurity requirements.

  • Connect requirements to system elements or functions.

• Use the report designer to present the security concept as a document including all the results of security analysis as diagrams or tables.

Further Analysis: FMEA and FTA

A Failure Mode and Effects Analysis (FMEA) or Failure Tree Analysis (FTA) might be used to further analyze the effects of an cyber attack.

FMEA: Derive FMEA from a system element by right-clicking on it in model explorer. As described in section [Link] model information is used to set up FMEA structure as well as function and failure net. A detailed description of the SOX FMEA module is given in the guise of the FMEA User Guide (PDF). Kindly visit: SOX Tutorials.

References:

FMEA (Failure Mode and Effects Analysis)UNDEFINED

FMEA

FTA: Malfunctions available in the model can be used in FTA. If a malfunction net is created in FMEA or system design, a complete failure tree can be added to an FTA document. A new FTA document can also be created on a malfunction being the root element of the failure tree.

References:

FTA

FTA (Fault Tree Analysis)UNDEFINED

Report Designer

Create templates for your reports and use them in your SOX projects. You can also create reports from scratch. SOX content can be added to reports easily by dragging and dropping. 

Kindly refer to:

Report Designer in C-SOXUNDEFINED

C-SOX: Report Designer (Generation of, Inter Alia, FSC / TSC Documentation)UNDEFINED