Each guideline has an assigned priority. Priorities are assigned using a metric based on failure mode, effects, and criticality analysis (FMECA) [IEC 60812]. Three values are assigned for each guideline on a scale of 1 to 3 for
- severity: How
| Wiki Markup |
|---|
Each rule and recommendation has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) \[[IEC 60812|AA. C References#IEC 60812 2006]\]. Three values are assigned for each rule on a scale of 1 to 3 for |
- severity - how serious are the consequences of the rule guideline being ignored?
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code, privilege escalation, significant harm by untrusted code)
- likelihood - how : How likely is it that a flaw introduced by ignoring the rule guideline could lead to an exploitable vulnerability?
1 = unlikely
2 = probable
3 = likely
- remediation cost - how : How expensive is it to comply with the ruleguideline?
1 = high (manual detection and correction)
2 = medium (automatic detection and manual correction)
3 = low (automatic detection and correction)
The three values are then multiplied together for each ruleguideline. This product provides a measure that can be used in prioritizing the application of the rulesguidelines. These The products range from 1 to 27. Rules and recommendations Guidelines with a priority in the range of 1 -to 4 are level 3 rulesguidelines, 6 -to 9 are level 2, and 12 -to 27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules guidelines in a level, as shown in the following illustration:
Recommendations are not compulsory and are provided for information purposes only.
The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.