Is the traceability criterion useful?
Answer from a Club EBIOS member: “Two options”
Several proposals are possible to demonstrate that the problems associated with traceability are treated in an EBIOS study without considering traceability as a criterion:
- an elegant but somewhat theoretical solution: we consider the information “traces” (or “proof”, or “log”) as an essential asset, and the traceability becomes the integrity and the availability of this essential asset. This means limiting the study to the traces that induce a feared event and to put the others out of the perimeter of the essential assets, in order to avoid the columns filled with “0”;
- an applied solution: traceability is not a criterion, but a security measure. Being able to trace an action is a measure of both deterrence and recovery, and to consider traceability as such allows us to limit ourselves to the study of (really) feared events: we admit that not being able to trace is not really the feared event, but reduces the associated risk.
Another answer’s response: “Traceability is not a security criterion”
The security criteria are used to assess the impacts in case of reaching each of them, and in particular to study the security needs. In information security, only availability, integrity and confidentiality are considered as security criteria (see in particular ISO/IEC 2700x).They should not be confused with the topics of security measures or regulatory references. Indeed, the (false) need for traceability comes from the fact that we want to know what happened after an incident (detection measure) and/or various obligations (legal, regulatory, sectoral or security policy-related). It is therefore useless and even counterproductive to study the need for traceability.
In addition, a scale of needs and a scale of impacts related to traceability should be available. It is often by trying to build them that one realizes that it is a “desire of someone” that falls under security measures or coverage of a legal “risk”.
Finally, this would involve studying all the threats that lead to the loss of traceability! Actually, this is related to the good implementation of a security measure, which is not necessary to treat as a risk (or otherwise it should be done for encryption, access control, etc.).
However, as the study of the needs is a communication tool with business, it is possible to integrate traceability into the security criteria so that business becomes more involved in the process by seeing its point of view taken into account…