Initially, requirements are specified for the product, frequently embedded in a variety of specification types:

• System-level requirements are described in a System Requirements Specification (SyRS)
• A Software Requirements Specification (SRS) describes use cases for software, and associated functional and non-functional requirements
• Interface requirements are specified in an Interface Requirements Specification (IRS)
• Hardware requirements may be specified in a hardware functional or hardware requirements specification.

A process of requirements derivation is used to derive requirements from the system level to individual components.

Security engineers in a waterfall development program progress through the life cycle phases as time progresses. One of the first activities to complete is a security requirements analysis. Just as products have functional requirements allocated to them, those products must also have security requirements allocated.

Engineers use many sources to identify security requirements. These can include Security Technical Implementation Guides (STIGs), compliance requirements, and system threat models.

A useful tool for creating and tracking security requirements is the Security Requirements Traceability Matrix (SRTM). An SRTM maps security requirements to their implementation within components of the product, discusses the method for their verification, and tracks that verification status.

As the name suggests, the matrix can be used to track security requirements for closure as an input to a security test plan and procedures document.