Template for Category/Risk org for Security Requirements

[mmccool]

• set of basic categories
• initial template for risks
• links to all system risks (but not scripting risks; to discuss, maybe do in a later pass)

---

Preview | Diff

[mmccool]

Thoughts:

• Use respec links for sections as in discovery
• Use separate security and privacy requirements sections or have a joint section? W3C generally treats them separately, but there are many requirements that overlap. Privacy is about information flow and access to information (especially PII), security is more general and concerned with confidentiality but also integrity, authentication, etc.
• Will attempt to do two sections and see if I can work out labelling, etc.
• In general - S&P G docs does not separately list "privacy threats". E.g. we don't have a "tracking" threat in the S&P G doc.

[mmccool]

Security call Nov 20: decided to merge, let Mahda work on the above additional work.