Using Security Requirements with Conditions

Published: August 18, 2023. Last updated: April 4, 2024

Security goals – information classification

You can use multiple conditions to distribute your requirements. In the example below, we have used information classification, but other options (for example tags) are also available.

Open the security requirement you created, click the **“Specifications”** tab, and then click the “Add Specification” button:

After finishing the text, click “add condition” and choose “Security goals”:

In the example above, the 2-factor requirement will be added to all applications where data with confidentiality classification 2 is handled. Since “Supplier” is selected, the requirement is directed towards suppliers to support 2-factor or Azure AD integration.

In this example it makes sense to also add a requirement to your own organization to ensure the application is configured correctly. To do so, add another requirement with slightly different wording and select “Our organization” as responsible for fulfilment.

Using tags to distribute Security Requirements

Create another requirement, click “add condition”, and select “With tags” from the selection.

Add the tag you want to use.

In the example above, the requirement will be added to all applications managed by a supplier that you have added the tag “critical systems” to.

Please note that if an application is managed in-house, you can ensure that both “Supplier” and “Our organization” requirements are distributed to your organization. Please see section “distribution of security requirements” below for more details.