Non-functional requirements: Security

One of the most important non-functional requirements is security. Security requirements can come in many different forms:

  1. Privacy - Requirements can dictate protection for sensitive information. Some types of privacy requirements include data encryption for database tables, policies regarding the transmission of data to 3rd parties (e.g., scrambling user account numbers), etc. Sources for privacy requirements could be legislative or corporate.
  2. Physical - These requirements relate to the physical protection of the system. Examples of physical requirements include items such as elevated floors (for server cooling), fire prevention systems, etc.
  3. Access - Access requirements define account types / groups and their access rights. An example of an access requirement would be to limit each account to one login at a time, or to restrict where an application can be deployed or used.

While most clients can tell you what availability or capacity they expect to need, they are less likely to know everything about the security aspects. As such, I suggest you ask security specialists for their advice and opinions. The Journal of Object Technology has a great article on Engineering Security Requirements by Donald G. Firesmith. I suggest you look there for a more complete look at security.

1 comment:

Marcus Ting-A-Kee said...

I receive daily emails from TechRepublic on general IT issues. One of the recent emails spoke about the potential implications to a company of a data breach.

A new bill (the Cyber-Security Enhancement and Consumer Data Protection Act of 2006) sponsored by the House Judiciary Committee Chairman James Sensenbrenner requires private companies to report significant data breaches to the federal government within two weeks. If the bill passes, the punishment for failure to divulge security leaks could be jail time (Toni Bowers).

If this bill becomes law, this will impact the governance surrounding many systems. Mind you, I would not say that this does anything to the non-functional requirements for the system.