
Prerequisites

  • TARA records exist with treatmentChoice set to Reducing
  • You understand which countermeasures (controls) apply to each threat

What is a Risk Control?

A riskControl work item represents a cybersecurity countermeasure that mitigates a TARA record. Risk controls are the HOW in the TARA treatment — they define the specific mechanism that reduces or eliminates a threat. Each risk control:
  • Links to one or more TARA records via the mitigates link role
  • Is classified by riskControlType (multi-select)
  • Serves as the bridge to downstream requirements and verification

Steps

1. Open the Risk Treatment View

In your TARA Risksheet module, switch to the 4. Risk Treatment view. Focus on records where treatmentChoice is Reducing.

2. Create a Risk Control from the Risksheet

Use the Control ID (task) column to create risk controls directly within the Risksheet:
  1. Click the task cell on a TARA record row
  2. Select Create to add a new risk control
  3. The Risksheet creates a riskControl work item and automatically establishes the mitigates link between the control and the TARA record
  4. The Control (taskTitle) column displays the new control’s title
The Risksheet uses the dataTypes.task configuration where type = riskControl and role = mitigates. Every task created through the Risksheet is automatically a riskControl linked with the correct role.

3. Name and Describe the Risk Control

Click through to the newly created risk control work item and set:
Field | Content
Title | Clear name for the countermeasure (e.g., “Implement TLS 1.3 on V2X communication channel”)
Description | Detailed specification of the control mechanism

4. Classify the Control Type

Set the riskControlType field on the risk control. This is a multi-select enumeration:
Type | Description | Example
Inherent Safety Design | Eliminate vulnerability by design | Remove unnecessary debug interfaces
Protective Measure | Add security mechanism | Implement authentication, encryption
Information for Safety | Provide warnings or guidance | Document secure configuration procedures

A single risk control can be assigned multiple types if it spans categories.

A single risk control can mitigate multiple TARA records. To link an existing control to additional records:
  1. In the 4. Risk Treatment view, click the task cell on another TARA record
  2. Select the existing risk control from the picker
  3. The mitigates link is created, and the control appears in the Control ID and Control columns

After creating risk controls, establish the downstream traceability:
  1. Create or identify sysReq (requirement) work items that specify the control’s implementation
  2. Link requirements to the risk control using the implements link role
  3. These requirements will appear in the Risksheet’s Requirements column in the 5. Req & Verification view

7. Verify Controls in the Risksheet

Switch to the 5. Req & Verification view to verify:
  • The Control ID (task) column shows the linked risk control IDs
  • The Control (taskTitle) column displays the control titles
  • The Requirements column shows requirements linked to each control
  • The Verification column shows test cases linked to those requirements
If the Requirements or Verification columns appear empty even after linking, reload the Risksheet. These columns use Velocity serverRender, which traverses back-links at render time.
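
The chain checked by eye in this step can also be checked over exported work items and links. The following is an added example, not code from the product or its documentation. The data layout, the taraRecord and testCase type IDs, the verifies role and all item IDs are assumptions, and the sample data is constructed.

```python
# Constructed sample data. The layout, the taraRecord/testCase type IDs and the
# "verifies" role are assumptions; the other field and role names are from the page.
ITEMS = {
    "TARA-1": {"type": "taraRecord", "treatmentChoice": "Reducing"},
    "TARA-2": {"type": "taraRecord", "treatmentChoice": "Reducing"},
    "TARA-3": {"type": "taraRecord", "treatmentChoice": "Retaining"},
    "TARA-4": {"type": "taraRecord", "treatmentChoice": "Reducing"},
    "RC-1": {"type": "riskControl", "riskControlType": ["Protective Measure"]},
    "RC-2": {"type": "riskControl", "riskControlType": []},
    "REQ-1": {"type": "sysReq"},
    "REQ-2": {"type": "sysReq"},
    "TC-1": {"type": "testCase"},
}
# (source, role, target): the source item links to the target it supports.
LINKS = [
    ("RC-1", "mitigates", "TARA-1"),
    ("RC-1", "mitigates", "TARA-2"),  # one control mitigating two records
    ("RC-2", "mitigates", "TARA-2"),
    ("REQ-1", "implements", "RC-1"),
    ("REQ-2", "implements", "RC-1"),
    ("TC-1", "verifies", "REQ-1"),
]

def back_links(item_id, role, links=LINKS):
    """IDs of the items that link to item_id with the given role."""
    return [src for src, r, dst in links if r == role and dst == item_id]

def trace_gaps(items=ITEMS, links=LINKS):
    """Sorted (item_id, problem) pairs for each break in the traceability chain."""
    gaps = set()
    for tid, item in items.items():
        if item["type"] != "taraRecord" or item.get("treatmentChoice") != "Reducing":
            continue  # only records treated by Reducing need a control
        controls = [c for c in back_links(tid, "mitigates", links)
                    if items.get(c, {}).get("type") == "riskControl"]
        if not controls:
            gaps.add((tid, "no risk control"))
        for cid in controls:
            if not items[cid].get("riskControlType"):
                gaps.add((cid, "riskControlType not set"))
            reqs = back_links(cid, "implements", links)
            if not reqs:
                gaps.add((cid, "no implementing requirement"))
            gaps.update((r, "no test case") for r in reqs
                        if not back_links(r, "verifies", links))
    return sorted(gaps)

if __name__ == "__main__":
    for item_id, problem in trace_gaps():
        print(f"{item_id}: {problem}")
```

An empty result means every record with treatmentChoice set to Reducing has a typed control, an implementing requirement and a linked test case.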
