Infer CIA ratings of tech assets #19
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Default confidentiality, integrity and availability (CIA) values of technical assets to the highest value of all data assets processed and stored by the technical asset. - Set `Confidentiality` of technical assets to `HighestConfidentiality()` iff `confidentiality` is not set. - Set `Integrity` of technical assets to `HighestIntegrity()` iff `integrity` is not set. - Set `Availability` of technical assets to `HighestAvailability()` iff `availability` is not set. - Otherwise keep the set value. - Do not require `confidentiality`, `integrity` or `availability` on `technical_assets` in JSON schema.
If no data asset is processed or stored by a technical asset and no CIA value is explicitly set, falling back to the lowest CIA value. This should happen very rarely in practice.
aceg1k
changed the title
klahnen
reviewed
May 25, 2022
| @@ -4296,6 +4296,9 @@ func parseModel(inputFilename string) { | |||
| confidentiality = model.Confidential | |||
| case model.StrictlyConfidential.String(): | |||
| confidentiality = model.StrictlyConfidential | |||
| case "": | |||
| // Temporary placeholder, will later be set to `HighestConfidentiality()` | |||
| confidentiality = -1 | |||
There was a problem hiding this comment.
suggestion: Probably it is better to use something like model.UnsetConfidentialityValue instead of a raw int.
There was a problem hiding this comment.
Thank you @klahnen, I think this is a good idea, but unfortunately I won't invest more time for now, as the present PR is working reliably for me since almost a year. Furthermore any feedback from @cschneider4711 would be great, to see if there is any intention at all to consider merging this PR.
|
@joreiche this PR joreiche#5 is for merging this PR into your fork which later may be used in #57 |
joreiche
added a commit
to joreiche/threagile
that referenced
this pull request
Feb 2, 2024
|
this pr has been resolved with #57 |
z00mi
pushed a commit
to z00mi/threagile
that referenced
this pull request
Apr 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
just another pull request from my side.
Rationale
Confidentiality, Integrity and Availability (CIA) of a tech asset may be inferred from the data that tech asset processes.
Proposal
Infer CIA based on the data assets processed. If CIA can not be inferred, i.e. if no data asset is processed (probably this rarely happens in practice), fall back to the lowest possible level. If a value for CIA is set, it takes precedence.