0

The safety requirement confuses me when I look at security risk assessment methodologies. Looking at safety alone, it is usually related to the physical aspect and the physical interactions between a system and the user. But it also looks like physical security objectives can address some of the safety requirements?

  • Are security (especially security) and safety interconnected?
  • If you're trying to assess the security and safety level of a given system/environment, how can you study the two separately? Or is it even possible?

My confusion arose from reading some of the risk assessment methodologies and then they talk about the safety and security requirements for an organization for example, but the safety was not addressed explicitly.

NoRel
  • For safety, are you referring to the SSIL (Software Safety Integrity Level)? There are various industry standards for that, varying by jurisdiction. – Chenmunka Oct 27 '21 at 14:18

1 Answer

-1

They certainly can be interconnected, which means that they usually need to be considered together. Sometimes they will have the same requirements, and sometimes they will have conflicting requirements.

For example, consider a server room that has a door with electronic access control on the door. Normal staff should not be allowed into a server room, because:

  • Server rooms are dangerous places and untrained people shouldn't be left alone in them.
  • Server rooms hold sensitive information, and only trusted individuals should be allowed in.

So having swipe-card controlled access meets both safety and security requirements.

However, what happens if the power to the door control goes out?

  • From a safety perspective, it should be possible to open the door if the power is out (so you can escape the building) - it should fail into a "safe" state.
  • From a security perspective, the door should remain locked if the power goes out (so unauthorised people can't get in) - it should fail into a "secure" state.

If you only consider one side (safety or security), then you'll probably end up with a system that only has one of them. You need to consider both sides, and then find an appropriate balance between them based on the organisation's requirements (or implement additional controls that allow you to meet both requirements, such as a door that fails closed with no power, but has a mechanical override).

Gh0stFish
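An added example, not part of the answer above: the server-room door assessed against a safety requirement (anyone inside can always get out) and a security requirement (nobody unauthorised gets in) across every combination of power state, side and authorisation. The `DoorDesign` model, the assumption that exit is always granted electronically while power is on, and the assumption that the mechanical override works from the inside only are illustrative choices, not taken from the answer.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class DoorDesign:
    name: str
    locked_without_power: bool  # True = fail-secure, False = fail-safe
    mechanical_egress: bool     # inside handle releases the latch without power

DESIGNS = [
    DoorDesign("fail-safe (unlocks on power loss)", False, False),
    DoorDesign("fail-secure (stays locked on power loss)", True, False),
    DoorDesign("fail-secure + mechanical override", True, True),
]

def can_pass(design, power, side, authorised):
    """True if a person standing on `side` can get through the door."""
    if side == "inside":
        # Assumption: with power on, exit is always granted electronically.
        return design.mechanical_egress or power or not design.locked_without_power
    if power:
        return authorised  # swipe card decides entry while the controller runs
    return not design.locked_without_power  # no power: the lock's failure mode decides

def assess(design):
    """Return the states in which each requirement is violated."""
    violations = {"safety": [], "security": []}
    states = product([True, False], ["inside", "outside"], [True, False])
    for power, side, authorised in states:
        passes = can_pass(design, power, side, authorised)
        if side == "inside" and not passes:
            violations["safety"].append((power, side, authorised))    # trapped
        if side == "outside" and not authorised and passes:
            violations["security"].append((power, side, authorised))  # intrusion
    return violations

if __name__ == "__main__":
    for d in DESIGNS:
        v = assess(d)
        print(f"{d.name}: safety violations={len(v['safety'])}, "
              f"security violations={len(v['security'])}")
```

Only the third design passes both checks; each single-objective design fails the other requirement exactly in the power-loss states.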