Package Physical

The physical boundary and means of access control to a private space has been compromised.

Untrusted, potentially malicious agents have or could have physical access to the space.

Access to physical space Space is controlled, and authorised users verified using biometrics registered by a trusted authority.

Users in the role Human have a biometric ID such as a fingerprint registered with the system, enabling them to pass a biometric ID check to access space Space.

Access to physical space Space is controlled, and authorised users verified using a chip and pin (2 factor) key card issued by a trusted authority.

Users in the role Human are issued with a 2-factor authentication key they can use to verify their identity and access space Space.

Access to physical space Space is controlled by means of physical locks to which only authorised users have a key, and is also continuously occupied at times when physical intrusion is feasible (e.g. at night).

Indicates that private space Space is secured physically by measures not included in the system model. The threat of intrusion into Space by malicious outsiders into Space will be ignored, though insider attacks by those authorised to be in Space will not. Note that this represents an expectation, and so is a prior mitigation only which is ignored in current (run-time) risk calculations.

Indicates that threats from as well as to the space Space can be ignored, i.e. that the risk model intentionally does not consider physical attacks from Space. This is only permitted if Space is the inferred global public space (the World) used when no locations are asserted in the model. This control strategy is a way to specify that physical security is out of scope for devices with no explicitly specified location(s), i.e. that they are considered physically secure.

Indicates that threats to Host from space Space should be considered, even though Host has no explicit location and is inferred to be in the global public space (the World). This control strategy is a way to specify that despite Host having no explicitly defined location, physical security is in scope, and the device is considered to be physically insecure. It addresses modelling error threats but not security threats to Host from Space.

Inconsistent controls to resolve treatment of hosts with no explicit location. Used only as a trigger for modelling error threats.

Users in the role Human have physical ID such as an ID card or passport, registered with the system.

Access to physical space Space is controlled, and authorised users verified using physical ID such as a passport or ID card issued by a trusted authority.

Users in the role Human are issued with a physical key enabling them to access space Space.

Access to physical space Space is controlled by means of physical locks, to which authorised users have a key.

The physical space Space is patrolled at frequent intervals to ensure it is free of intruders. Note this does not prevent intrusion, e.g. to steal a device, but it does prevent some types of attacks where the intruder would need uninterrupted access, e.g. use of a device in the space for a significant period.

A physical lock prevents access to a space, which incorporates a means to identity authorised users of the space using biometrics.

A physical lock prevents access to a space, which incorporates a means to identity authorised users of the space using a chip and pin card.

Used at a private space to indicate that the space is secure due to it being continuously occupied at times when undetected physical intrusion is feasible, e.g. a user residence occupied at night when intrusion is most likely, or a business premises that operates 24x7.

Indicates that physical threats from this location can be ignored. This can only be used at the global inferred location (the World) where hosts are assumed to be if no other location is specified or inferred. This control provides a means for SSM users to signal that physical attacks are out of scope for any host with no other location, i.e. that such hosts are assumed to be in an unspecified but secure location.

Indicates that physical threats from this location should not be ignored. This can only be used at the global inferred location (the World) where hosts are assumed to be if no other location is specified or inferred. This control provides a means for SSM users to signal that physical attacks are to be considered on any host with no other location, i.e. that such hosts are assumed to be in an unspecified (inferred) and insecure location.

Authorised users are allowed entry to the space only after checking their physical ID documents. This may be done by a human guard.

The human has been issued with a key giving them access to a locked space or device they are authorised to use.

A physical lock prevents access to a space, preventing access by users who do not possess a physical key to the space.

The space is checked physically at suitable intervals to detect any physical alteration or removal of system assets.

Indicates that a private space is considered to be secure against intrusion, but without specifying the security measures used, i.e. physical security of a specific private space is out of scope.

A space from which another space can be entered.

A nearby space.

A second or subsequent space in a pattern.

A far away space.

A space.

The (inferred) global public space.

A public space with a boundary, so it can feasibly be checked or inspected despite being a public space. The boundary may be a physical perimeter (e.g. as in a public building), or non-physical (e.g. a region within an open space whose boundary is specified on a map). Note that access to the space cannot be restricted. A separate PrivateSpace type is used for bounded spaces with a secure perimeter and access restrictions.

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

Represents a bounded physical space that can be secured to restrict access.

Represents an open physical space that anyone can access, lacking even a defined boundary so it cannot even be patrolled or inspected. Use the Bounded Space type for more localised regions or public buildings, etc.

Represents a physical space in which devices may be located or from which networks may be accessed.

A singleton subclass of Public Space representing all unsecured physical locations that are not in any other Space.

Trustworthiness of users with physical access to a space.

Control over the means of access to a space.