Rules Information Assets REQ.001 Identified Information Assets. REQ.002 Identify dependencies or components. REQ.004 Asset Owners are Defined. REQ.005 Monetary Value of Assets is Defined. REQ.006 Identify threats to assets. REQ.008 Generate system threat model. SLA REQ.020 Set penalties for SLA infringements. Session REQ.023 Close inactive users sessions. REQ.026 Encrypt client-side session information. REQ.027 Allow session lockout. REQ.028 Allow user logout. REQ.029 Cookies with security attributes. REQ.030 Avoid object reutilization. REQ.031 Discard user session data. REQ.032 Avoid session ID leakages. Business Management REQ.033 Restrict administrative access. Files REQ.037 Parameters without sensitive data. REQ.039 Define maximum file size. REQ.043 Define explicit content type. REQ.044 Define explicit charset. REQ.047 Classify critical files for monitoring. Architecture REQ.050 Control calls to interpreted code. REQ.052 Identify critical components. REQ.055 Document system security cases. REQ.058 Document security events. REQ.061 Document security chapter. REQ.063 Verify security requirements. REQ.066 Define components to be tested. REQ.070 Define automated security testing. Logs REQ.075 Record exceptional events in logs. REQ.079 Record exact occurrence time of events. REQ.080 Prevent log modification. REQ.081 Store logs according to legislation. REQ.083 Avoid sensitive data logging. REQ.084 Allow transaction history queries. REQ.085 Allow session history queries. REQ.086 Generate alarms on security events. Certificates REQ.090 Use valid certificates. REQ.093 Use consistent certificates. Access Control REQ.094 Specify rules in declarative mood. REQ.095 Define users with privileges. REQ.096 Set user required privileges. REQ.097 Define control access model. REQ.098 Safeguard information assets. REQ.099 Vehicles and people access control. REQ.100 Seal windows containing assets. REQ.101 Assign ID cards to workforce members. REQ.103 Manage access cards. REQ.105 Avoid assets leakage. REQ.109 Monitor restricted areas. REQ.110 Prevent theft in facilities. REQ.111 Define suitable physical controls. REQ.113 Manage access points. REQ.114 Deny access with inactive credentials. Emails REQ.115 Filter malicious emails. REQ.117 Do not interpret HTML code. REQ.119 Hide recipients. Credentials REQ.126 Set password restoring mechanism. REQ.127 Store hashed passwords. REQ.128 Define unique data source. REQ.129 Validate previous passwords. REQ.131 Deny multiple password changing attempts. REQ.132 Passphrases with minimum 4 words. REQ.133 Passwords with at least 20 characters REQ.134 Store passwords with salt. REQ.135 Passwords with random salt. REQ.136 Force temporary passwords changing. REQ.138 Define lifespan for temporary passwords. REQ.140 Define OTP lifespan. REQ.141 Force re authentication. REQ.142 Change system default credentials. REQ.143 Unique Access Credentials. REQ.144 Purify accounts periodically. Cryptography REQ.145 Protect system cryptographic keys. REQ.146 Set timeout to cryptographic keys. REQ.147 Use pre-existent mechanisms. REQ.148 Set minimum size of asymmetric encryption. REQ.149 Set minimum size of symmetric encryption. REQ.150 Set minimum size for hash functions. REQ.151 Separate keys for encryption and signatures. Source REQ.156 Source code without sensitive information. REQ.158 Define secure programming language. REQ.159 Obfuscate Code. REQ.160 Encode system outputs. REQ.161 Define secure default options. REQ.167 Close unused resources. REQ.168 Initialize variables explicitly. REQ.169 Use parameterized sentences. REQ.174 Transactions without distinguishable pattern. REQ.173 Discard unsafe inputs. REQ.175 Protect pages from clickjacking. REQ.302 Declare dependencies explicitly Data REQ.177 Store data securely. REQ.179 Define backup frequency. REQ.181 Transmit data using secure protocols. REQ.183 Delete sensitive data securely. REQ.185 Encrypt sensitive information. REQ.186 Use minimum level of privileges. REQ.189 Specify the purpose of data collection. REQ.191 Protect data with maximum level. REQ.300 Mask Sensitive data. REQ.301 Notify configuration changes. REQ.305 Prioritize token usage. Foreign Devices REQ.194 Authorize device access to resources. REQ.198 Authorize foreign device usage. REQ.199 Authorize foreign devices access. REQ.200 Keep record of foreign devices. Physical Devices REQ.201 Detect device tampering. REQ.202 Delete sensitive information. Mobile Devices REQ.214 Allow data destruction. Hypervisor REQ.218 Control access to virtual machines. REQ.219 Manage hypervisors through software. Numbers REQ.223 Uniform distribution in random numbers. REQ.224 Use secure cryptographic mechanisms. Authentication REQ.226 Avoid account lockouts. REQ.229 Request access credentials. REQ.231 Define biometric verification component. REQ.234 Protect authentication credentials. Development Process REQ.240 Check code with automated tools. REQ.241 Define security requirements. REQ.242 Avoid production support in applications. Business Process REQ.243 Manage security events. REQ.244 Manage information backup. Networks REQ.249 Locate access points. REQ.253 Restrict network access. REQ.255 Allow access only to the necessary ports. REQ.256 Restrict server ports access. REQ.257 Access based on user credentials. REQ.258 Filter website content. REQ.259 Segment organization network. Services REQ.262 Verify third-party components. REQ.265 Restrict access to critical processes. System REQ.269 Use principle of least privilege. REQ.273 Define fixed security suite. REQ.274 Define system scope. REQ.284 Define maximum number of connections REQ.287 Generate alerts in resources. REQ.289 Secure system images and media. Control REQ.296 Install physical intrusion alarms. REQ.297 Install sensors on information assets.