1

Document the Security Objective

• Add a description of the security objective in the description field of the quality of service requirement work item. Be sure that the security objective refers to a specific asset and is testable. Leave design to the architects and developers.
• If the brief description is not sufficient for complete understanding, write a more detailed form, providing goals and rationale. Clarify an vague or ambiguous areas of the objective.

2

Attach Supporting Information

• Attach any references to regulatory information where applicable. Attach any scenarios that relate to the security objective. If the security objective affects all of the scenarios or a majority of them, simply note this rather than attaching very large numbers.

Security requirements have been placed in the quality of service requirement list.