
Prerequisites

  • The TARA module is in Draft status with all records analyzed (verdicts computed)
  • At least one user in the project has the project_approver role assigned
  • You have edit permissions on the riskSpecification document

Steps

1. Complete the TARA Analysis

Before sending for review, verify that the TARA module is complete:
  • All TARA records have taraImpact and five attack feasibility factors scored
  • The taraVerdict formula has computed a verdict for every record
  • Treatment decisions (treatmentChoice) are recorded for all records
  • Cybersecurity goals are linked where treatmentChoice is Reducing or Avoiding
  • Claims are documented where treatmentChoice is Retaining or Sharing
Switch to the Overview Risksheet view to quickly scan all records for completeness. Missing verdicts or empty treatment fields are easy to spot in this consolidated view.
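
The completeness rules listed above can also be checked mechanically before sending for review. The following is an added example, not Polarion or project code: it assumes the TARA records have been exported as Python dicts. The field names taraImpact, taraVerdict and treatmentChoice come from this page; id, feasibility, goals, claims and all sample values are assumptions made for illustration.

```python
# Added example, not Polarion code. "id", "feasibility", "goals", "claims"
# and the exported-dict layout are assumed names, not Polarion field ids.
NEEDS_GOAL = {"Reducing", "Avoiding"}
NEEDS_CLAIM = {"Retaining", "Sharing"}

def _empty(value):
    """True for None, blank strings and empty collections (0 is a valid score)."""
    if isinstance(value, str):
        return not value.strip()
    return value is None or (isinstance(value, (list, tuple, set, dict)) and not value)

def check_record(rec):
    """Return the completeness findings for one exported TARA record."""
    findings = []
    if _empty(rec.get("taraImpact")):
        findings.append("taraImpact not scored")
    scored = [f for f in rec.get("feasibility") or [] if not _empty(f)]
    if len(scored) != 5:
        findings.append(f"{len(scored)}/5 attack feasibility factors scored")
    if _empty(rec.get("taraVerdict")):
        findings.append("taraVerdict not computed")
    choice = rec.get("treatmentChoice")
    if _empty(choice):
        findings.append("treatmentChoice not recorded")
    elif choice in NEEDS_GOAL and _empty(rec.get("goals")):
        findings.append(f"{choice} without a linked cybersecurity goal")
    elif choice in NEEDS_CLAIM and _empty(rec.get("claims")):
        findings.append(f"{choice} without a documented claim")
    return findings

def check_module(records):
    """Map record id -> findings, listing only records that block review."""
    return {r["id"]: f for r in records if (f := check_record(r))}

# Constructed sample records (not real project data).
SAMPLE = [
    {"id": "TARA-1", "taraImpact": "Major", "feasibility": [1, 0, 3, 1, 4],
     "taraVerdict": "3", "treatmentChoice": "Reducing", "goals": ["CG-1"]},
    {"id": "TARA-2", "taraImpact": "Severe", "feasibility": [1, 0, 3, 1, 4],
     "taraVerdict": "4", "treatmentChoice": "Avoiding", "goals": []},
    {"id": "TARA-3", "taraImpact": "Moderate", "feasibility": [1, None, 3],
     "taraVerdict": "", "treatmentChoice": "Retaining", "claims": " "},
]

if __name__ == "__main__":
    for rid, findings in check_module(SAMPLE).items():
        print(rid, "->", "; ".join(findings))
```

An empty result from check_module means every record satisfies the five checks in this step; any listed record should be fixed while the module is still in Draft.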

2. Send for Review

  1. Open the TARA module in Polarion (document view, not Risksheet)
  2. Click the workflow action Send for Review
  3. Polarion automatically transitions the document from Draft to In Review
The AddDefaultSigners workflow function runs automatically, populating the signature request with all users holding the project_approver role. These signers are assigned the “Approver” signer role targeting the “approved” status.
You do not need to manually select reviewers. All project_approver role holders are added as required signers automatically. To change who reviews documents, adjust the role membership in Polarion project administration.

3. Review the TARA Content

As a reviewer with the project_approver role:
  1. Open the TARA module in Risksheet view
  2. Walk through each view in the 5-step workflow order:
    • 1. Identify Threats — verify stakeholder, CIAx, damage, threat, and path entries
    • 2. Assess Feasibility — confirm attack factor scores are justified
    • 3. Risk Assessment — check that impact ratings align with damage scenarios
    • 4. Risk Treatment — validate treatment choices and linked goals/controls
    • 5. Req & Verification — confirm downstream requirements and test cases exist
  3. Use CommentBased reviews (configured in the Risksheet) to leave inline feedback

4. Approve the Document

  1. Return to the document view (not Risksheet)
  2. Click the workflow action Approve
  3. Provide your electronic signature when prompted
The atLeastOne signature policy means a single project_approver signature is sufficient. Once the minimum signatures are collected, the document transitions from In Review to Approved.
Your electronic signature certifies that you have reviewed the TARA analysis and found it acceptable. This signature is recorded in Polarion’s audit trail and is visible in baseline comparisons.

5. Publish the Document

After approval, a project lead can finalize the document:
  1. Open the approved document
  2. Click the workflow action Publish
  3. The document transitions to Published status
Publishing creates a read-only baseline. No further edits are possible without initiating a rework cycle.

Verification

After publishing, confirm: