Security-Objectives-and-Requirements
2 Security Objectives and Requirements
The next step is to identify the security objectives and security non-objectives for the product. Items with high risk factors that need mitigation by design are usually considered as security objectives and items with low risk factors for which investment in mitigation is not justified are considered as non-objectives. Each objective must clearly state the asset that needs protection and relevant threats. Any excluded objectives should also be stated and explained, to make clear that they have been considered.
Security requirements are then derived from the security objectives. The main difference between those two is that security objectives specify what needs to be protected and security requirements are the means to achieve the required protection. The Security requirements document is a major milestone in the product development life cycle and should be ready before design is started.