Controls
Means the host can connect to multiple cellular networks at the same time.

The host has a SIM card installed, which has been registered to an authorised user, allowing authentication of their device, especially when connecting to networks.

There is an access policy associated with data specifying who is authorised to access the data.

This control signifies that data is static, i.e. inserted into the system during deployment and never changed.

The Process is managed by a data governance framework such as Fybrik, which can modify its behaviour without the intervention of a human manager.

Instances of the (virtual) Host can be automatically provisioned to increase capacity to meet loads from hosted processes or other virtual hosts.

The host is subject to a service level agreement negotiated with its data centre that places limits on how far it can be elastically scaled up to meet demand.

There is a means to enforce capacity limits for the resources allocated to a virtual host.

Signifies that a data flow can be blocked by the sender if it is sensitive, preventing it from being consumed by the destination process. Used in contingency plan strategies to disable a data flow when the destination process may not be trustworthy.

Signifies that a data flow can be blocked at the source process, preventing it being sent by that process. Used in strategies where there is a risk that the data may be compromised or where sending the data may breach compliance with regulations.

Signifies that a data flow can be blocked if it is corrupt, preventing it from being consumed by the destination process. Used in contingency plan strategies to disable a data flow when it poses a danger to the process.

The stored data is replicated, so the asset represents multiple copies providing protection against loss of integrity or availability due to erroneous or malicious alteration (including encryption) or deletion.

The stored data is encrypted using a Parquet encryption schema, minimising the amount of data that must be decrypted to process queries against the data.

Data is encrypted. This may apply to a stored or flowing copy of specific data.

Applies to a data-process relationship (represented by a logical DataUse or DataPool asset), and signifies that the data is processed in the encrypted domain.

The data flow has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the data flow, or when runtime monitoring detects the data is not flowing.

The process has a key for encrypting or decrypting data.

The data is cryptographically verifiable. This may apply to a specific stored or flowing copy of the data. If applied to the data asset to which these relate. For now, we assume the data is normally encrypted after insertion of an integrity check. Encryption ensures updates are by authorised processes (in possession of a key), and thus the signature can be self-signed inside the outermost encryption. This avoids the need to model extra measures such as X509 to bind the signature to the authorised process, although it does mean the model only corresponds to embedded integrity checking information.

The user has undergone training in operational management measures relevant to GDPR compliance for this system, e.g. when and how to suspend the flow of data to prevent breaches of GDPR restrictions. This control can only be applied to an Adult user.

The process or data exchange has been examined by lawyers and found to be legal under the GDPR. Used where compliance does not depend only on technical measures.

The organisation is registered under the Privacy Shield scheme and so can legally handle personal data under the GDPR despite being outside the EU.

The jurisdiction is subject to the GDPR. That is to say, it is an EU member, EEA member, or other state (e.g. a Dependency), such that the GDPR applies to any personal data relating to its citizens and residents.

The controller may be temporarily taken out of service to prevent unreliable behaviour that may threaten safety in the physical environment where it operates.

This control indicates that a Human has been given safety training so they are able to manage risks in the physical world by preventing physical consequences of problems in the IT domain.

This control applied at an IoT Controller signifies that the Controller is capable of operating in a way that is safe without receiving real time control inputs.

This control applied at an IoT Controller signifies that the Controller is (temporarily) operating in a way that is safe without receiving real time control inputs.

This control applied at an IoT Thing signifies that real-time updating of control inputs is not necessary for operation of the Thing.

The human may or may not be a legally competent adult, so a check is needed to determine this.

The human may not be an adult, but authorisation can be obtained from their legal guardian if needed.

Prevents a gateway supporting mesh routing (i.e. ad hoc peer-to-peer networking) over Bluetooth connections. This is the default situation for most devices, but because it may be used, the model must include the connection and so requires a control to indicate its status.

Signifies that routing between a device and an IP network via a USB/Bluetooth connection is disabled. The reference to tethering is because these routes are normally switched off by default in most devices, but are activated when mobile devices use tethering to share access to cellular (or sometimes other) network uplinks. Because such routes can be used, the domain model must include them and use a control to signify their status.

Applies to a device with Bluetooth connectivity, and indicates that the device is capable of displaying or confirming a numerical code or key in one of the simple secure pairing association mechanisms.

The host or process has a means to verify possession of the shared key by another asset.

The host has a shared key which can be used to prove its identity to others holding the same key.

The human has undergone security training, going beyond basic password and device security and covering aspects such as malicious email threats, and physical security of mobile and fixed host devices.

The process is executed in a secure enclave provided by its host.

The device provides a secure enclave, an area of memory that is accessible only by a specific process, and protected by hardware that allows cryptographic bootstrapping of trust in its contents.

Removal of security vulnerabilities arising from insecure default configurations prior to entry of the affected device into the system.

The device has a secure BIOS and boot up sequence, ensuring its security cannot be bypassed by rebooting using an external (e.g. USB) boot device.

The process is monitored to detect any software problems (errors or crashes).

Signifies that a process has restricted access to the shell on its host. A user with full control over such a process cannot exploit its rights in arbitrary ways. When applied to a desktop or login service (which are intended to provide access to the shell), it means the shell itself is restricted, and can only be used to run specific applications. In this case, the remote access service controls other processes the user can access.

The mobile device has a means to delete stored data which can be triggered remotely by its authorised user, e.g. if the device is lost or stolen.

Signifies that the Physical Host can be under continuous visual observation within the Space where it is located. Physically large hosts will normally be observable, but for smaller hosts this depends on where in the space they are located.

The device is physically protected by being built into its physical environment.

The host is a personal device, carried by and therefore monitored and protected by its only user.

The software for a host or process has been tested to check it is not vulnerable to certain attacks.

A screen lock is automatically started after a suitably short interval of inactivity to prevent access to an interactive device, requiring password authentication to resume the session.

The process software has been independently tested and certified as secure to a suitable evaluation assurance level.

The process is implemented using a framework that prevents cross-site scripting attacks.

Employ a well defined process for applying updates to the software running on the associated host.

The host or process has a means to verify a password given by an authorised user.

The host or process has a means to verify that an entity it initiates communication with is the holder of a private key corresponding to a trusted public key association such as an X509 certificate.

The host or process has a means to verify that an entity that initiated communication with it is the holder of a private key corresponding to a trusted public key association such as an X509 certificate.

The host or process has an asymmetric key pair, and the association with the public key is attested by a suitably trusted means, often but not necessarily via an X509 certification authority.

Applies to Humans in a system role, indicating that they should not use email while acting in that role.

This control indicates that the management of a device is considered out of scope. It is used to tell SSM that where no manager is specified, that was deliberate and is not an oversight. Note that this only addresses the modelling error threat used to detect a possible oversight. It does not mean other threats that could be managed by a system manager are also ignored.

Represents the application of security patches to eliminate software vulnerabilities in a device or process. Should be used only for run-time decision support calculations.

The process implements transport layer encryption for its communications.

The service may be temporarily taken out of service to prevent it being involved in an attack that exploits a vulnerability to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack.

The host may be temporarily taken out of service to prevent it being involved in an attack that exploits a vulnerability to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack.

The process may be temporarily taken out of service to prevent it being involved in an attack by automated malware to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack.

The host may be temporarily taken out of service to prevent it being involved in an attack by automated malware to cause a security breach. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack.

The email user agent process has a means to scan emails, mark potentially malicious or unwanted emails as spam, and prevent them being seen by a user via the usual channel.

The process software has been tested to verify that it functions correctly.

The user has undergone training in operational security relevant to the system, e.g. when and how to impose restrictions on network connectivity or service access, and procedures to safeguard the system in response to threat intelligence, such as emergency application of (possibly untested) software patches. This control can only be applied to an Adult user.

The process has an encrypted password store, enabling its user to more easily recall and use strong passwords.

The device is checked physically at suitable intervals to detect physical alteration or removal.

The host or process has a way to check the quality of a password when set or changed by a user. For example, it may use checks as specified in NIST SP 800-63.

The process has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the process, or when runtime monitoring detects the process is not running.

The host device has been disabled. This is not a contingency plan but a state reached after activation of a contingency plan. It should be selected in current risk calculations to determine the effect of disabling the host, or when runtime monitoring detects the host is not running.

The device has been independently tested and certified as secure to a suitable evaluation assurance level.

The service has a means to verify the identity of a device user based on continuous authentication data sent by the device.

The user has continuous authentication identification characteristics registered with a continuous authentication verification service in the system.

The process captures usage characteristics, allowing the user identity to be verified by a suitable authentication service against a previously registered profile.

Disable a network (logical subnet). Most commonly used to prevent provision of an abstract subnet (e.g. a hotspot) by a mobile device when the device is in a specific location (with the control applied to the logical subnet representing implementation in that location). Note that control strategies involve controls at the providing host, so this is only possible where there is such a host.

The host represents a class of identical hosts that form a scalable cluster. The control indicates that multiple hosts can be used at the same time to run a process or store a data asset, either to scale up performance or provide extra resilience.

The host has a means to authenticate authorised users using biometrics.

The user has undergone basic training in password security and device protection before acting in the specified role.

Represents measures to restrict the number or rate of authentication attempts, and to lock out users on a permanent or temporary basis when these limits are reached.

The device has software installed that protects against malware.

The asset (device or service) has an enforcement point (PEP) preventing unauthorised access. Normally used in conjunction with an authentication mechanism.

The subnet uses an AAA service not included in the model for network authentication and access control based on SIMs. Used for high level abstractions representing public cellular networks.

The host has a means to authenticate authorised users using a chip and pin card.

Applied to a host providing a logical subnet, this control signifies that provision of networking by the host can be disabled.

The subnet uses encryption below OSI Layer 3, established via the CCMP protocol from IEEE 802.11i or equivalent.

Means the host can connect to multiple WiFi LANs at the same time.

The human has registered a password for identification purposes, which may be stored in a process acting on their behalf.

The process has a way to verify a one-time key sent to an authorised device or user via a separate (out of band) communication channel.

The human has a way to obtain a one-time key sent to it by a separate (out of band) communication channel.

The process has a means to verify a one-time key generated by an authorised user.

The human has a device for generating a one-time key by entering a PIN.

Means the host can connect to multiple wired LANs at the same time.

The process or host software has been formally verified and found to be correct.

A service has a mechanism for self-service resetting of a user password.

The host creates a log of its activities.

The host or process is monitored to detect any overload situations.

The process has a way to access a shared key required to access encrypted data.

The host is actually a set of instances whose provisioning is independent of their management.

The host is monitored to detect any software problems (errors or crashes).

Data storage devices on the host that are used to store application data are encrypted. This does not protect data when the host is running, as decryption keys must be available to running processes. However, it does prevent access to data by removing storage devices from a host, e.g. after it has been stolen.

The algorithms used by the process are capable of performing calculations on encrypted data.

The priority of the process has been lowered to prevent it overloading its host. This may mean the process will become unavailable, however.

Means the default policy is to drop messages directed to a network address (interface) or via a network router (logical segment).

Signifies that firewall policy exceptions allowing access to services have been removed. This prevents client-service connections if and only if the default policy is to block other connections.

Means a host does not connect to a network, unless compromised. This is not the same as FWBlock, which represents a policy to drop messages on a live connection. It means the connection is not made in the first place. Typically used where a host connects to a radio network that is implemented in several locations, but should not be used in some of those locations.

A policy is enforced that restricts traffic between source and destination IP addresses. Note that this may be implemented at interfaces other than the one having the destination address.

Applies to the interface between a device and a subnet, and means the device has a reserved network address (fixed or in a known, restricted range).

Measures can be enabled to filter DDoS attacks against the IP address for the interface. Usually this is done in the core network, by an Internet service provider, on behalf of the customer to whom the IP address is assigned.

A physical lock prevents access to a space, which incorporates a means to identify authorised users of the space using biometrics.

A physical lock prevents access to a space, which incorporates a means to identify authorised users of the space using a chip and pin card.

Used at a private space to indicate that the space is secure due to it being continuously occupied at times when undetected physical intrusion is feasible, e.g. a user residence occupied at night when intrusion is most likely, or a business premises that operates 24x7.

Indicates that physical threats from this location can be ignored. This can only be used at the global inferred location (the World) where hosts are assumed to be if no other location is specified or inferred. This control provides a means for SSM users to signal that physical attacks are out of scope for any host with no other location, i.e. that such hosts are assumed to be in an unspecified but secure location.

Indicates that physical threats from this location should not be ignored. This can only be used at the global inferred location (the World) where hosts are assumed to be if no other location is specified or inferred. This control provides a means for SSM users to signal that physical attacks are to be considered on any host with no other location, i.e. that such hosts are assumed to be in an unspecified (inferred) and insecure location.

Authorised users are allowed entry to the space only after checking their physical ID documents. This may be done by a human guard.

The human has been issued with a key giving them access to a locked space or device they are authorised to use.

A physical lock prevents access to a space, preventing access by users who do not possess a physical key to the space.

The space is checked physically at suitable intervals to detect any physical alteration or removal of system assets.

Indicates that a private space is considered to be secure against intrusion, but without specifying the security measures used, i.e. physical security of a specific private space is out of scope.

Applies to IoT assets within a system that have associated control or sensed data, indicating that the control or sensed data asset in question is inferred rather than user-asserted.

Applied to a Data or IoT Thing asset, indicates that the asset is not related to a Human data subject.

The data has an access policy that is dynamically managed based on consent decisions from a data subject.

The process carries out a function that is necessary to protect the vital interests of a natural person.

A policy enforcement point that enforces a dynamic access policy reflecting all previous consent decisions by related users.

The policy associated with the data allows restrictions to be bypassed under specific circumstances in which this is necessary. Typically used with consent based policies for cases when a data subject is not conscious or not contactable.

The user interface for the human incorporates appropriate information explaining the purpose of personal data processing and providing other information as required by regulations, and a means to specify or revoke their consent to this.

Applies to an inferred Service Channel asset representing the privileged path from client to service. Signifies that the service channel may be temporarily disabled, i.e. policy exceptions allowing client-service messages to pass through default firewall rules are switched off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack.

Signifies that access to a service in a specific client role may be temporarily disabled if the client is compromised, i.e. the policy allowing access to a service in that client role may be dynamically switched on or off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. This control governs access rights for a specific client to a specific service, and so applies to the inferred Client-Service Relationship asset representing their mutual trust.

Signifies that access to a service in a specific client role may be temporarily disabled if their means of authentication is compromised, i.e. the policy allowing access to a service in that client role may be dynamically switched on or off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. This control governs access rights for a specific client to a specific service, and so applies to the inferred Client-Service Relationship asset representing their mutual trust.

Signifies that access to a service in a specific client role is disabled, i.e. the policy allowing access to a service in a specific client role has been switched off. This may represent a permanent restriction introduced by design, or a temporary situation created by a run-time response to an increased risk level. Either way, it causes a loss of availability as a side effect.

Artificial control used to specify when a Process acting as a service is immune to a confused deputy attack except by exploitation of a vulnerability.

A filter that scans the content of requests to a service, and refuses to forward any request in which malicious content is detected.

Applies to a client-service relationship, and means the service accepts client connections only from a set of known network addresses.

Signifies that a service channel (i.e. a tunnel through firewall controls) which is assumed to be in place for expected client-service connections is disabled. This is not a contingency plan but a restriction introduced by design, or as a run-time threat response.

The organisation has team leadership capabilities, allowing management of teams of employees that fulfil system roles.

The human has registered their biometric information for identification purposes.

The human has a registered chip and pin card for identification purposes.

Represents a state after manual intervention by a human to address a problem. Used in control strategies for predicting the effects of such intervention prior to alerting the human. Should be deselected once this has been determined.

A human has skills or expertise to prevent a threat, either by intervening in response to the threat, or by implementing a policy or preference that means the threat cannot occur.

The human has obtained documentation to prove their identity from a trusted source (e.g. an employer or a national authority).

The human role is staffed by individuals who have undergone a screening process to ensure they are more trustworthy than the population or community to which they belong.

The legal entity has a process for screening employees before assigning them to specific roles.

The role fulfilled by a Human can be handled by multiple individuals in a team, so if one Human is unable to carry out that role, it can be fulfilled by someone else.