System Maintenance Security Requirements
A
system maintenance security requirement is any
security
requirement that specifies a required amount of system
maintenance security, which is a
quality factor that is defined as follows:
- System Maintenance Security
- adj.[quality factor] the extent to which something
prevents
authorized modifications during
maintenance from accidentally defeating its
security mechanisms.
The typical objectives of a system maintenance security
requirement are to:
- Ensure that authorized modifications (e.g., defect fixes,
enhancements, updates) do not accidentally defeat its
security mechanisms.
- Thereby maintain the levels of security specified in the
security requirements during the usage phase.
The following are typical examples of system maintenance
security requirements:
- “The application shall not violate its security
requirements during the replacement of a hardware
component.”
- “The application shall not violate its security
requirements during the replacement of a software
component.”
The following guidelines have been found to be useful when
producing system maintenance security requirements:
- The scope of a system maintenance security requirement
can be:
- System maintenance security requirements may conflict
with
operational availability requirements, in that the
operational availability requirements may not allow one to
take the application or component off-line during maintenance
and the repetition of security testing.
- System maintenance security requirements should
not be confused with (nor specified in terms
of) the types of security mechanisms that are typically used
to implement them:
- Maintenance and enhancement procedures.
- Associated training.
- Security regression testing.