The checklist for the capture of requirements is as follows:
- Are the requirements for data integrity identified?
- Are the sensitive resources in the application identified?
- Are the sets of principles for accessing the resources identified?
- Is a security policy of an application established, including entities, actions, resources and information integrity needs?
- Has a threat model to identify the security risks been identified?
- Are the stakeholders appraised, through example scenarios, so that they understand the security policy and the security risk?
- Is the security policy kept simple?
- Are security requirements reviewed with security SMEs?
The checklist for architecture definition is:
- Has each identified threat been addressed to the level desired/required?
- Have you leveraged as much third-party security technology as possible?
- Has an integrated end-to-end architecture for security been produced?
- Have all the security principles been thought-out when designing the infrastructure?
- Have you established how the security breaches will be detected and the protocol to recover from breaches?
- Are the results of the security standpoint for all the affected views applied?
- Have SMEs reviewed the security solution?