The IT Law Wiki


Security capabilities are

typically defined by bringing together a specific set of safeguards and countermeasures (i.e., security controls) that together produce the capability. Acquisition personnel develop security specifications for contracting purposes that address security requirements from a different perspective. And finally, another group individuals working at the design, development, and implementation level (i.e., system developers, systems integrators, and systems/security engineers) will allocate the security controls to various components within the information system, develop a set of derived security requirements from the controls (at a much lower level of detail), and subsequently implement specific security functions at the mechanism level in the hardware, software, and firmware components.[1]