Security Analysis Checklist#

Security Analysis Checklist Template
status: valid
tags: security_analysis
contained by: wf__vy_sec_analyses

Purpose The purpose of this Security Analysis checklist template is to collect the topics to be checked during verification of the Security Analysis.

Checklist

Table 54 Security Analysis Checklist#

Review ID

Acceptance Criteria

Guidance

Passed

Remarks

Issue link

REQ_01_01

Is / are the attribute sufficient set correctly?

The mitigations shall have a direct influence on the threat by (accept, avoid, reduce, share) to mitigate the risk.

The mitigations are sufficient.

<yes|no>

REQ_01_02

Are the templates defined used?

See Security Analysis Threat Scenario Templates / Security Analysis Threat Templates and also Security Analysis Process Requirements

Templates are used to generate the security analysis.

<yes|no>

REQ_01_03

Were the threat scenarios / threat models applied?

See Security Analysis threat sc... (gd_guidl__sec_ana_threat_scenarios) / STRIDE Threat Model (gd_guidl__threat_models_stride)

The applicable items of the threat scenarios / threat models are used to ensure a structured analysis. For all not applicable items an argument shall be given in the content of the document.

<yes|no>

REQ_01_04

Are the threat effects clearly and completely described?

Use the generic threat effect descriptions and enlarge the description if it’s applicable to the considered element.

The effects of the threat are described completely. The effect can be recognized easily.

<yes|no>

REQ_01_06

Is the attribute “mitigated by” linked correctly?

Check if the correct threat effect is linked via “mitigated by”.

The “mitigated by” link is correct.

<yes|no>

REQ_01_07

Is the sufficiency of the “mitigated by” (accept, avoid, reduce, share) described or can it be recognized easily?

The sufficiency of the “mitigated by” is described in the content of the document. It can be recognized easily.

The “mitigated by” shows clearly that a threat can be mitigated by the linked requirement by (accept, avoid, reduce, share). It shall be described in the content.

<yes|no>

REQ_01_08

Is the overall result of the Security Analysis described in the report?

It shall be shown in the report if the Security Analysis is finished and if all artifacts are “valid” and “sufficient”.

The results of the Security Analysis are described in the report. The report is available Platform Verification Report (wp__verification_platform_ver_report).

<yes|no>
gd_chklst__security_analysis
Process Checklist