REQ.061 Document security chapter

This document contains the details of the security requirements related to the definition and management of logical architecture in the organization. This requirement establishes the importance of documenting all system security events in order to facilitate the response to a security breach.

Requirement

The documentation that supports an information system must contain a security chapter.

Description

The system documentation must support the design and use of the defined security features.

Implementation

  1. Information security is a non-functional feature of the system; its documentation must support the previously established definitions in order to protect the information handled by the system.

  2. The design documentation should include the abuse cases that were designed for, the security requirements needed to protect the information, and the design of the established controls. This documentation helps in validating the security implementation.

  3. The user documentation should detail, step by step, the configuration and use of the controls that each user profile can apply.

Attacks

  1. The design documents did not establish the abuse cases and security requirements that the application needs; therefore, the controls necessary to protect the information were not implemented.

  2. The security configuration parameters were not documented, so users do not use the defined security controls.

Attributes

  • Layer: Business Layer.

  • Asset: Security Architecture.

  • Scope: Maintainability.

  • Phase: Operation.

  • Type of Control: Recommendation.
