Rules

Information Assets
  REQ.001 Identified information assets.
  REQ.002 Identify dependencies or components.
  REQ.004 Asset owners are defined.
  REQ.005 Monetary value of assets is defined.
  REQ.006 Identify threats to assets.
  REQ.008 Generate system threat model.

Session
  REQ.023 Close inactive user sessions.
  REQ.026 Encrypt client-side session information.
  REQ.027 Allow session lockout.
  REQ.028 Allow user logout.
  REQ.029 Cookies with security attributes.
  REQ.030 Avoid object reutilization.
  REQ.031 Discard user session data.
  REQ.032 Avoid session ID leakages.

Business Management
  REQ.033 Restrict administrative access.

Files
  REQ.037 Parameters without sensitive data.
  REQ.043 Define explicit content type.
  REQ.044 Define explicit charset.
  REQ.047 Classify critical files for monitoring.

Architecture
  REQ.052 Identify critical components.
  REQ.055 Document system security cases.
  REQ.058 Document security events.
  REQ.061 Document security chapter.
  REQ.070 Define automated security testing.

Logs
  REQ.075 Record exceptional events in logs.
  REQ.079 Record exact occurrence time of events.
  REQ.080 Prevent log modification.
  REQ.083 Avoid sensitive data logging.
  REQ.084 Allow transaction history queries.
  REQ.085 Allow session history queries.

Access Control
  REQ.094 Specify rules in declarative mood.
  REQ.095 Define users with privileges.
  REQ.096 Set user required privileges.
  REQ.097 Define access control model.
  REQ.098 Safeguard information assets.
  REQ.099 Vehicle and people access control.
  REQ.100 Seal windows containing assets.
  REQ.101 Assign ID cards to workforce members.
  REQ.103 Manage access cards.
  REQ.105 Avoid asset leakage.
  REQ.109 Monitor restricted areas.
  REQ.110 Prevent theft in facilities.
  REQ.111 Define suitable physical controls.
  REQ.113 Manage access points.
  REQ.114 Deny access with inactive credentials.

Credentials
  REQ.126 Set password restoring mechanism.
  REQ.127 Store hashed passwords.
  REQ.128 Define unique data source.
  REQ.131 Deny multiple password changing attempts.
  REQ.132 Passphrases with minimum 4 words.
  REQ.133 Passwords with at least 20 characters.
  REQ.134 Store passwords with salt.
  REQ.136 Force temporary password changing.
  REQ.141 Force re-authentication.
  REQ.142 Change system default credentials.
  REQ.143 Unique access credentials.
  REQ.144 Purify accounts periodically.

Cryptography
  REQ.145 Protect system cryptographic keys.
  REQ.146 Set timeout to cryptographic keys.
  REQ.147 Use pre-existent mechanisms.
  REQ.148 Set minimum size of asymmetric encryption.
  REQ.149 Set minimum size of symmetric encryption.
  REQ.150 Set minimum size for hash functions.
  REQ.151 Separate keys for encryption and signatures.

Source
  REQ.156 Source code without sensitive information.
  REQ.158 Define secure programming language.
  REQ.160 Encode system outputs.
  REQ.161 Define secure default options.
  REQ.169 Use parameterized sentences.
  REQ.173 Discard unsafe inputs.

Data
  REQ.177 Store data securely.
  REQ.179 Define backup frequency.
  REQ.181 Transmit data using secure protocols.
  REQ.183 Delete sensitive data securely.
  REQ.186 Use minimum level of privileges.
  REQ.191 Protect data with maximum level.
  REQ.301 Notify configuration changes.

Foreign Devices
  REQ.194 Authorize device access to resources.
  REQ.198 Authorize foreign device usage.
  REQ.199 Authorize foreign device access.
  REQ.200 Keep record of foreign devices.

Physical Devices
  REQ.201 Detect device tampering.
  REQ.202 Delete sensitive information.

Mobile Devices
  REQ.214 Allow data destruction.

Numbers
  REQ.223 Uniform distribution in random numbers.
  REQ.224 Use secure cryptographic mechanisms.

Authentication
  REQ.226 Avoid account lockouts.
  REQ.229 Request access credentials.
  REQ.231 Define biometric verification component.
  REQ.234 Protect authentication credentials.

Development Process
  REQ.240 Check code with automated tools.
  REQ.241 Define security requirements.
  REQ.242 Avoid production support in applications.

Business Process
  REQ.243 Manage security events.
  REQ.244 Manage information backup.

Services
  REQ.265 Restrict access to critical processes.

Networks
  REQ.255 Allow access only to the necessary ports.
  REQ.256 Restrict server port access.
  REQ.257 Access based on user credentials.
  REQ.259 Segment organization network.

System
  REQ.269 Use principle of least privilege.

Control
  REQ.296 Install physical intrusion alarms.
  REQ.297 Install sensors on information assets.