Now that we’re equipped with our cybersecurity concept and requirements, we need to beta test our requirements and verify how effective our initial cybersecurity design is. In ISO/SAE 21434, this phase is called Refinement of Requirements and Design.
Iteration of our cybersecurity requirements will begin at this phase. The goal of this phase is to ensure your requirements and design will hold up with your design processes. To help improve the design and requirements, the refinement is a means to improve the design over cycles of verification.
For example, assume our system is a cloud based infrastructure using Amazon Web Services (AWS). A cybersecurity requirement for this infrastructure is to ensure all data at rest is kept private and secure. Under this requirement, a concept of readily detecting all bucket misconfigurations is implemented before deploying into production. This is because a misconfigured bucket with loose permissions can be readable by unauthenticated parties which, in turn, infringe on the Confidentiality of customer data.
During the refinement and verification phase it was discovered that data in transit will need to be private and secure also. So the requirement is amended to ensure all data at rest and in transit is kept private and secure.
A basic example, but this is an exercise to the reader to think about future-proofing their infrastructures through iteration.
The V model provides an encapsulating scope in the shape of a V, the model is used to follow a hardware and software product lifecycle such as RMS & S-SDLC. As stated previously, this model can be thought of a machine with input such as design and it leverages security controls to adhere to requirements. As the machine runs, will iterate over the inputs and produce an improved version of it.