Phase 1: Requirements Analysis

The Requirements Analysis phase is the foundation of the Secure Development Lifecycle (SDLC) within the Osborn project. During this phase, high-level ideas are translated into detailed, actionable tasks in Jira, with a strong focus on security and privacy from the very beginning.

A project control point must be passed before the work is promoted to the next phase.

Key Activities

1. Define High-Level Requirements

  • Jira Tasks: In Osborn, requirements are defined as tasks in Jira, which can be "stories," "tasks," or "bugs." These serve as the single source of truth for a given unit of work.
  • User Interface and Design: This phase includes the creation of an initial high-level user interface and visual design, which are attached to the relevant Jira task.

2. Detailed Requirement Documentation

  • Once a task is approved and refined, the requirements must be documented in greater detail within the Jira ticket's description and acceptance criteria.
  • Data Classification: A critical part of this documentation is specifying the classification of the data that the solution will process and/or store. The classification determines which security controls are required, so it must be recorded before the risk review, not inferred afterwards.

3. Initial Risk Review

  • An initial risk review, conducted in partnership with the aligned Business Information Security Officer (BISO), is mandatory for new features or significant changes.
  • This review examines the type and classification of data involved, the potential threats to it, and the weaknesses that could expose it, in order to determine the most appropriate and cost-effective security controls for the Osborn platform's AWS-first architecture.

Security and Privacy Requirements

The initial risk review should consider the following security requirements in the context of Osborn:

  • Compliance: Security measures must comply with all applicable laws, regulations, and Omnicom/Agency policies.
  • Functional Needs: Initial security requirements must support the functional needs of the system, whether it's a Django backend service or a React frontend component.
  • Environment Support: The selected computing environment (primarily AWS services) must support all security requirements.
  • Administration and Logging:
    • The system design must include security administration functions.
    • It must enforce a separation between ordinary user access and administrator access, consistent with Osborn's multi-tenant architecture, so that tenant users cannot reach administrative functions or other tenants' data.
    • The system must log security administration activities, support review of those logs, and protect them against deletion or alteration (for example, by writing them to a store that application administrators cannot modify).
  • Third-Party Contracts: Any contract for technical support of purchased hardware or software must include provisions to prohibit unauthorized disclosure of Confidential data.

Control Point

  • A formal Control Point, which includes approvals for finance and business justification, must be successfully passed before the project can be promoted to the Architecture and Design phase.
  • In the Osborn workflow, this approval is typically recorded on the Jira task itself before the task moves to the "In Progress" state for development.
  • Additional reviews and assessments may be required based on the initial findings, coordinated with the BISO.