Prerequisites
- TARA modules exist with risk verdicts assessed
- You understand which TARA records require treatment by Reducing or Avoiding (these require linked goals)
What is a Cybersecurity Goal?
A cybersecurity goal is a high-level security objective derived from the TARA analysis per ISO/SAE 21434 Clause 15. Each goal:
- Describes what must be protected (the asset and CIAx property)
- Specifies the CAL (rigor of assurance activities required)
- Links back to one or more TARA records as the justification for the goal
Steps
1. Create a Cybersecurity Goal Work Item
- In the Polarion tracker, create a new work item of type cybersecurityGoal
- Set the Title to a clear security objective statement (e.g., “Ensure integrity of sensor fusion data inputs”)
2. Set the Goal Custom Fields
Fill in the four custom fields on the cybersecurity goal:
| Field | Type | Description |
|---|---|---|
| cal | enum (cybersecurityGoal-cal) | Cybersecurity Assurance Level: CAL 1, CAL 2, CAL 3, or CAL 4 |
| goalCiaxProperty | enum (taraRecord-ciaxProperty) | The CIAx property this goal protects |
| goalAsset | text | The asset being protected (e.g., “CAN bus communication”) |
| goalRationale | rich text | Explanation of why this goal was established |
3. Assign the Correct CAL
The CAL determines the rigor of downstream cybersecurity assurance activities. Select the CAL based on the highest verdict of TARA records that will link to this goal:
| Verdict | Minimum CAL | Color in Risksheet |
|---|---|---|
| 5 (Critical) | CAL 4 | Dark Red (#b71c1c) |
| 4 (High) | CAL 3 | Red (#f44336) |
| 3 (Medium) | CAL 2 | Orange (#FF9800) |
| 1-2 (Low) | CAL 1 | Green (#4CAF50) |
The calDecorator in the Risksheet validates the assigned CAL against the verdict. If you set a CAL lower than the required minimum, a red warning badge appears in the CAL column showing “min CAL N”. Upgrade the CAL to resolve the mismatch.
4. Link Goals to TARA Records in the Risksheet
You can link goals to TARA records in two ways:
From the Risksheet (recommended):
- Open the TARA module and switch to the 4. Risk Treatment view
- Click the Cybersecurity Goal (cybersecurityGoal) cell on a TARA record
- Select the goal from the picker (filtered by cybersecurityGoalQuery to show only cybersecurityGoal items)
- The hasCybersecurityGoal link is created automatically
Setting CAL from the Risksheet:
The goalCal column uses a cross-item binding (cybersecurityGoal.cal). You can set or update the CAL value directly in the Risksheet without navigating to the goal work item. Changes write back to the goal’s cal field.
Multiple TARA records can link to the same cybersecurity goal. This is common when several threats affect the same asset and CIAx property. The CAL should reflect the highest-verdict record linked to the goal.
5. Verify Goal Configuration
Check your setup:
- Open the Cybersecurity Case dashboard — all goals should appear in the Cybersecurity Goals Summary table with their CAL badges
- In the Risksheet 4. Risk Treatment view, confirm no orange outlines appear on the Cybersecurity Goal column (all Reducing/Avoiding records have goals linked)
- Confirm no red CAL mismatch badges appear in the CAL column
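The CAL and linkage checks from steps 3 and 5 can also be run offline over exported data. The following is an added example, not part of the TARA solution or its calDecorator; the record layout, the integer CAL values and the sample IDs are assumptions constructed for illustration.

```python
# Added example: audit exported TARA records against the page's CAL rules.
# Assumed layout (not the product's export format): each record is a dict with
# id, verdict (1-5), treatment and goal (linked goal id or None); CAL is an int.

MIN_CAL_BY_VERDICT = {5: 4, 4: 3, 3: 2, 2: 1, 1: 1}  # table from step 3
NEEDS_GOAL = {"Reducing", "Avoiding"}                # treatments that require a goal


def audit_goals(records, goals):
    """Return (unlinked, mismatches).

    unlinked:   ids of Reducing/Avoiding records without a resolvable goal link
    mismatches: {goal_id: (assigned_cal, required_min_cal)} where assigned < required
    """
    unlinked = []
    highest = {}  # goal id -> highest verdict among the records linked to it
    for rec in records:
        goal_id = rec.get("goal")
        if goal_id not in goals:  # covers None and links to unknown goals
            if rec["treatment"] in NEEDS_GOAL:
                unlinked.append(rec["id"])
            continue
        highest[goal_id] = max(highest.get(goal_id, 0), rec["verdict"])

    mismatches = {}
    for goal_id, verdict in highest.items():
        required = MIN_CAL_BY_VERDICT[verdict]
        assigned = goals[goal_id]["cal"]
        if assigned < required:
            mismatches[goal_id] = (assigned, required)
    return unlinked, mismatches


# Constructed sample data; ids and the "Retaining" treatment value are illustrative.
SAMPLE_GOALS = {"CG-1": {"cal": 3}, "CG-2": {"cal": 2}}
SAMPLE_RECORDS = [
    {"id": "TR-1", "verdict": 5, "treatment": "Reducing", "goal": "CG-1"},
    {"id": "TR-2", "verdict": 3, "treatment": "Reducing", "goal": "CG-1"},
    {"id": "TR-3", "verdict": 4, "treatment": "Avoiding", "goal": None},
    {"id": "TR-4", "verdict": 2, "treatment": "Retaining", "goal": None},
    {"id": "TR-5", "verdict": 3, "treatment": "Reducing", "goal": "CG-2"},
]

if __name__ == "__main__":
    unlinked, mismatches = audit_goals(SAMPLE_RECORDS, SAMPLE_GOALS)
    for rec_id in unlinked:
        print(f"{rec_id}: Reducing/Avoiding record has no linked goal")
    for goal_id, (assigned, required) in mismatches.items():
        print(f"{goal_id}: CAL {assigned} assigned, min CAL {required}")
```

Here CG-1 is flagged because one of its two linked records has verdict 5, so the goal needs CAL 4 even though the other record alone would only need CAL 2.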