ABSTRACT
System requirements are not rigid and set. The important element is that the system requirements address all functions the system is expected to perform so that risks can be avoided. A good requirements document can be the critical element that provides the integrity of the system and the customer a product that has the right functionality to meet the mission and business needs. Defining system security requirements is equivalent to the Systems Engineering (SE) activity, Define System Requirements. In the SE process, the system is defined in terms of functional characteristics and operational concepts. The inputs include the customer's defined Information Management Plan, which are derived from the Information Management Model (IMM) and the Information Protection Policy (IPP). The IMM is the source document describing the customer's needs based on identifying users, processes, and information. The IPP contains the threats to the information management and the security services and controls needed to counter those threats.
