SEC.4 Risk Treatment Validation

Linked Knowledge Nuggets:
arrow_forward "Fo(u)rces of Cybersecurity Engineering"

person Author: Timo Karasch, Florian Schmitt
Cybersecurity Goals, Controls, Requirements and Threats are important forces for cybersecurity engineering. It is nearly impossible to separate them in a timely manner. In fact, they influence each other during definition. This webinar gives a simple example of the interaction of these four forces and addresses the consistency to existing standards in Cybersecurity (ISO 21434 and Automotive SPICE for Cybersecurity). It shows a possible approach for implementation in your organization.

• school Webinar recording and slides
  

arrow_forward "Testmanagement"

person Author: Process Fellows
Test Management ensures that testing activities are strategically planned, monitored, and evaluated across all development phases. From unit tests to system-level integration, this cross-cutting discipline defines methods, tools, documents, and roles to ensure traceable and efficient verification and validation.

• school PF_Testmanagement_Extract.pdf
  Short Overview of Test Management (related to all Automotive SPICE® verification processes)

arrow_forward "Verification level vs. Verification timepoint"

person Author: Process Fellows
The execution of a verification measure is not necessarily linked to the verification time point. It is possible that a verification measure from SWE.6 is carried out as part of the verification of the SW component and integration verrifcation if the setup or the environment is better suited to this. However, it remains a verification of the SW requirements. The decisive factor is what a verification measure is derived from. However, it is important to ensure that this verification measure is included in and part of the report and in the summary of the SW verification. Pay attention to the sequences and dependencies to be followed.

• O1 Risk treatment validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures are specified based on the cybersecurity goals (Cybersecurity goal = Concept-level cybersecurity requirement associated with one or more threat scenarios.).
• O2 Validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures are selected according to defined criteria, including criteria for regression validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.).
• O3 The integrated system (System = A collection of interacting items organized to accomplish a specific function or set of functions within a specific environment.) is validated using the specified validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures, and the results of the validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) are recorded.
• O4 Consistency (Consistency = Consistency addresses content and semantics and ensures that work products are not in contradiction to each other. Consistency is supported by bidirectional traceability.) and bidirectional traceability (Traceability = The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another.) are established between the validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures and the cybersecurity goals (Cybersecurity goal = Concept-level cybersecurity requirement associated with one or more threat scenarios.); and bidirectional traceability (Traceability = The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another.) is established between validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) results and validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures.
• O5 The results of the risk treatment validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) are summarized and communicated to all affected parties.

BP3 Perform risk treatment validation activities. ( O3 )

Validate the integrated system (System = A collection of interacting items organized to accomplish a specific function or set of functions within a specific environment.) using the selected risk treatment validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures. Record the validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) results and corresponding validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measure data.
Note 3: See SUP.9 for handling validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) results that deviate from expected results.

Linked Knowledge Nuggets:
arrow_forward "Archiving test results"

person Author: Process Fellows
Don’t lose your evidence. With perspective to testing, SUP.8.BP1 in combination with SUP.8.BP8 expects structured storage of test logs, verdicts, anomalies, and configuration info. This is not only a formality: It enables you to later on reproduce details about a certain system version.

BP4 Ensure consistency and establish bidirectional traceability. ( O4 )

Ensure consistency (Consistency = Consistency addresses content and semantics and ensures that work products are not in contradiction to each other. Consistency is supported by bidirectional traceability.) and establish bidirectional traceability (Traceability = The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another.) between risk treatment validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures and cybersecurity goals (Cybersecurity goal = Concept-level cybersecurity requirement associated with one or more threat scenarios.). Establish bidirectional traceability (Traceability = The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another.) between validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) results and validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) measures.
Note 4: Bidirectional traceability (Traceability = The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another.) supports consistency (Consistency = Consistency addresses content and semantics and ensures that work products are not in contradiction to each other. Consistency is supported by bidirectional traceability.), facilitates impact analysis, and supports demonstration of validation (Validation = Validation demonstrates that the work item can be used by the users for their specific tasks.) coverage. Traceability (Traceability = The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another.) alone, e.g., the existence of links, does not necessarily mean that the information is consistent.

Linked Knowledge Nuggets:
arrow_forward "Consistency vs. Traceability – What’s the Difference?"

person Author: Process Fellows
Consistency ensures that related content doesn’t contradict itself – e.g., requirements align with architecture and test. Traceability, in contrast, is about links: can you follow a requirement through to implementation and verification? Both are needed – consistency builds trust, traceability enables control. Typically, traceability strongly supports consistency review.

arrow_forward "The role of traceability in risk control"

person Author: Process Fellows
Traceability isn’t just about completeness — it’s about managing impact. When a requirement changes, trace links tell you what’s affected. That’s your early-warning system.

arrow_forward "The true benefit of traceability "

person Author: Process Fellows
Sometimes the creation of traceability is seen as an additional expense, the benefits are not recognized. Traceability should be set up at the same time as the derived elements are created. Both work products are open in front of us and the creation of the trace often only takes a few moments. In the aftermath, the effort increases noticeably and the risk of gaps is high. If the traceability is complete and consistent, the discovery of dependencies is unbeatably fast and reliable compared to searching for dependencies at a later stage, when there may also be time pressure. It also enables proof of complete coverage of the derived elements and allows the complete consistency check.