F7_SECT Security Context Viewpoint
Domain | Aspect | Maturity |
---|---|---|
Functional | Safety & Security | proposed |
Purpose
The Security Context viewpoint defines the Security Context, which describes the environment and all security-relevant aspects of a System. This is the first step of the risk management process according to DIN EN ISO/IEC 27005:2024-05.
The Security Context describes all internal and external elements, boundaries, interconnections and assumptions that refer to the security of a system or an asset. DIN ISO 31000:2018-10 defines: “The context of the risk management process should be derived from an understanding of the external and internal environment in which the organisation operates and should reflect the specific environment of the activity to which the risk management process is applied.”
Applicability
The Security Context Definition Viewpoint supports the activity “Identifying and describing information security risks” [§7.2.1] within the “Information security risk assessment process” according to DIN EN ISO/IEC 27005:2024-05. It contributes the context to the asset-based approach, which identifies threat scenarios regarding assets and their vulnerabilities.
This viewpoint also supports the approach of the “Risk management process” according to ISO 15288 [§6.3.4] by enabling the definition of the context of the Risk Management process.
Supported Processes
Supported Information Items
Presentation
Stakeholder
Concern
- What are the Assumptions regarding the context Elements?
- What are the Attack Vectors?
- Who are the potential adversaries?
Exposed Concepts
The Diagram shows the concepts exposed by the viewpoint, and related concepts if necessary.
The Table shows the concepts exposed by the viewpoint, and related concepts if necessary.
Concept | Documentation |
---|---|
Security Context | The Security Context describes all internal and external elements, boundaries, interconnections and assumptions that refer to the security of a system or an asset. DIN ISO 31000:2018-10 defines: "The context of the risk management process should be derived from an understanding of the external and internal environment in which the organisation operates and should reflect the specific environment of the activity to which the risk management process is applied." |
Security Context Element | An abstract element representing a Security Context Element. Base class for specific kinds of Security Context Elements. |
Security Enviromental Element | An abstract element representing a Security Context Element occurring in the environment of an asset. |
Assumption | |
Adversary | Adversary definition from NIST Special Publication 800-30, Glossary [APPENDIX B]: “Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.” |
Attack Vector (old) | |
ADV use Attack Path to attack SO | The Adversary uses an Attack Vector to attack a Security Objective of an Asset. |
Realization of exposed Concepts
The Diagram shows the realization of exposed concepts.
The Table shows the realization of exposed concepts.