Facets of Trustworthiness

The TSF considers trustworthiness as comprising 5 facets:

All software requires these facets to some degree according to the purpose of the software.
In order to make sure that software is appropriately trustworthy, each item of software should be reviewed for both explicit and implicit requirements for delivery of these 5 abilities.

Trustworthiness Level (TL)

The TSF recognises that software only requires a level of trustworthiness commensurate with the purpose for which it is used, and therefore advocates a risk-based approach to determining the Trustworthiness Level (TL) of the software. The TL is based upon the role of the software in the system/service and the maximum impact that a defect/deviation would have on the system/service.

There are 4 assignable levels of trustworthiness:

  • TL1 Essential Practices: Software trustworthiness delivered in a due diligence manner
  • TL2 Assessed Practices: Software trustworthiness delivered by managed processes
  • TL3 Enhanced Practices: Software trustworthiness delivered by established processes
  • TL4 Specialist Practices: Software trustworthiness delivered by predictable or optimising processes

It is intended that the TL be used to determine the appropriate set of controls to be applied to the software asset (Comprehensive Set or Baseline Set), thereby ensuring that the controls used to ensure trustworthiness are sufficient without being excessive.

Comprehensive Control Set

The TSFr was formalised through the British Standards Institution as PAS754:2014 as a specification for software trustworthiness with the intention that it be used either as a stand-alone document or as a companion/complement to other relevant standards.

PAS754:2014 defines the comprehensive set of controls organised under the 4 concepts of Governance; Risk; Controls (Personnel, Physical, Procedural, Technical); and Compliance, further expanding to cover 30 principles which are then sub-divided into 150 techniques. The Comprehensive set of controls is appropriate for software assets with a Trustworthiness Level (TL) of 3 and above.

Baseline Control Set (TS Essentials)

Trustworthy Software Essentials (TSE) was established as a subset of the comprehensive set of controls listed in the TSFr, providing a baseline set of controls organised under the mnemonic SCUDA (Scope for Use, Coding Practices, Use Tools Effectively, Defect Management and Artefact Management).

The Baseline set of controls is appropriate for software assets with a Trustworthiness Level (TL) of 1 or 2.

Further information on Trustworthy Software Essentials can be found in the video below:
