The documentation that supports an information system must contain a security chapter.
The system documentation must cover the design and usage of the security features that were defined for the system.
Information security is a non-functional requirement of a system; its documentation must therefore reflect the previously established security definitions so that the information handled by the system is protected as intended.
The design documentation should include the abuse cases that were considered, the security requirements needed to protect the information, and the design of the controls established to meet those requirements. This documentation supports validation of the security implementation against what was designed.
The user documentation should describe, step by step, the configuration and use of the controls that each user profile can apply.
Because the design documents did not establish the abuse cases and security requirements the application needs, the controls required to protect the information were not implemented.
Because the security configuration parameters were not documented, users do not apply the defined security controls.
Layer: Business layer
Asset: Security architecture
Type of control: Recommendation