Fully Utilizing the Threat Model


Security Targets include a threat model which outlines assumptions about how the TOE will be used, threats the TOE defends against and organizational security policies the TOE can enforce. The model goes on to specify security objectives for the TOE and, optionally, for the TOE environment.
This talk will discuss best practices in the construction of this security model and offer a general model of how to use threat analysis to ensure that the scope of the evaluation is as complete as possible.
The approach considers the complete threat landscape for the assets the TOE is helping to protect. This helps developers and evaluators to ensure that they understand the dependencies between the TOE and the environment fully. This gives a framework within which to analyze the adequacy of the TOE's physical and logical boundaries. It also provides a structured approach to determining that the IT security requirements are complete and coherent.