UAF incorporates the Security views of the Canadian DNDAF. That metamodel enables capturing of:
▪ Risk – A statement of the impact of an event on Assets. It represents a constraint on an Asset in terms of adverse effects, with an associated measure. The measure is used to capture the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Software-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems.
▪ SecurityControl – A type of OperationalActivity that specifies a safeguard or countermeasure prescribed for an OperationalPerformer. It is intended to protect the confidentiality, integrity, and availability of its information.
▪ EnhancedSecurityControl – A type of Activity that represents an enhanced SecurityControl. It specifies a safeguard or countermeasure prescribed for a ResourcePerformer. It is intended to protect the confidentiality, integrity, and availability of the Resource’s information and to meet a set of defined security requirements.
▪ SecurityControlFamily – A type that organizes security controls into a family.
▪ ResourceMitigation – A resource that mitigates Risk against an asset. It is a subtype of ResourceArchitecture, which in turn is a subtype of ResourcePerformer.
▪ SecurityEnclave – Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.
▪ SecurityConstraint – A type of rule that captures a formal statement to define access control policy language.
▪ Caveat – A statement of the impact of an event on Assets. It represents a constraint on an Asset in terms of adverse effects, with an associated measure. The measure is used to capture the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Software-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems.