IT Security Requirements
IT Security Requirements describe functional and non-functional requirements that need to be satisfied in order to achieve the security attributes of an IT system.
Security requirements can be formulated on different abstraction levels. At the highest level they reflect security objectives, such as 'The system must maintain the confidentiality of all data classified as confidential'. More useful for architects and designers are requirements that describe concretely what must be done to assure security.
Requirement Types
- Secure Functional Requirements
  - Security-related descriptions integrated into each functional requirement. They typically also specify what shall not happen. Can be derived from misuse cases.
- Functional Security Requirements
  - Security services that the system needs to provide: authentication, authorization, backup, server-clustering, etc. Derived from best practices, policies, and regulations.
- Non-Functional Security Requirements
  - Security-related architectural requirements such as robustness or minimum performance and scalability. Derived from architectural principles and good practice standards.
- Secure Development Requirements
  - Activities required during system development to assure that the outcome is not subject to vulnerabilities: data classification, coding guidelines, test methodology. Derived from frameworks like CLASP.