Define software scope and boundaries
Identify security-relevant software functions
Identify and prioritize software assets
Identify possible security threats
Approval: Security Threats
Create a security requirement specification document
Define the acceptable risk levels
Approval: Acceptable Risk Levels
Perform a risk assessment
Review regulatory, legal, and compliance requirements
Design security controls based on requirements
Approval: Security Controls Design
Test the effectiveness of security controls
Approval: Security Controls Testing
Review and amend the security requirement specification document
Approval: Final Security Requirement Specification Document
Create a strategy for maintaining and updating security requirements
Approval: Security Maintenance Strategy
Communicate software security requirements to all stakeholders