R061. Document security chapter


The documentation that supports an information system must contain a security chapter.


The system documentation must support the design and usage of the defined security features.


  1. Information security is a non-functional feature of a system; its documentation must support the previously established definitions in order to protect the information the system handles.

  2. The design documentation should include the abuse cases considered, the security requirements needed to protect the information, and the design of the controls established. This documentation supports validation of the security implementation.

  3. The user documentation should detail, step by step, the configuration and use of the controls that each user profile can apply.


  1. The design documents did not establish the abuse cases and security requirements the application needs; as a result, the controls necessary to protect the information were not implemented.

  2. The security configuration parameters were not documented, so users do not use the defined security controls.


  • Layer: Business layer

  • Asset: Security architecture

  • Scope: Maintainability

  • Phase: Operation

  • Type of control: Recommendation


  1. BSIMM9 SM2.1: Publish data about software security internally.

  2. HIPAA Security Rules 164.312(a)(2)(ii): Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.


Copyright © 2021 Fluid Attacks, We hack your software. All rights reserved.