Customer/User Interface Requirements
The questions below help determine how users will connect to the system and, depending on the data needs, which technical and security requirements follow from that.
How will customers/users connect to the system? Will they use web browsers or software on their local computers?
What connection media will customers/users use (radio, dial-up, LAN, VPN)?
What functions will customers/users need to perform?
Will different roles be available to customers/users so different groups will have different privileges?
How will the roles be defined, who will set them, and will the system prevent escalation of privileges?
What data will the customers/users need to enter into the system?
What information will the customers/users need to see?
How will the customer or user be identified? Do they need a login account? If there is an account for the customer/user:
How will customer/user accounts be created? Do they create the account themselves or do administrators create the account?
How will the customer/user accounts be removed? Are they removed after a period of inactivity? Are they removed by an administrator?
How are passwords reset? Is a customer/user adequately identified when they request a password reset?
Is there an account management plan defining how accounts are created, deleted, suspended, or how passwords are reset?
When the customer/user logs in, is the account information sent to the server adequately encrypted or hashed?
How is customer/user account information stored? Is it encrypted adequately?
What protocol is used to authenticate the customer/user (for example, Windows Domain or Novell)?
How are privileges controlled: by settings in a database or by some other method?
Should account activities (logins, logoff, execution of privileges) be logged or monitored?
If user activities are logged, can accounts be deleted? Where user activities are logged, accounts should only be suspended, not deleted, so that logged activity remains attributable to an account.
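As an added illustration of the account-management questions above (example code written for this page, not part of the original checklist), the following Python sketch assumes a two-role model ("user" and "admin"): it stores only salted PBKDF2 password hashes, lets only an active admin grant an elevated role, logs account activity, and suspends rather than deletes any account that has logged activity.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    role: str       # "user" or "admin" (assumed role set)
    salt: bytes
    pw_hash: bytes  # salted PBKDF2-SHA256, never the plaintext password
    active: bool = True

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self, admin_name, admin_password):
        self.audit_log = []  # (actor, action, target) tuples
        salt = os.urandom(16)
        self.accounts = {admin_name: Account(admin_name, "admin", salt, _hash(admin_password, salt))}

    def _is_admin(self, actor):
        acct = self.accounts.get(actor)
        return acct is not None and acct.active and acct.role == "admin"

    def create(self, actor, name, password, role="user"):
        # An elevated role requires an active admin actor, so self-registration cannot escalate.
        if role != "user" and not self._is_admin(actor):
            raise PermissionError("only an admin may assign elevated roles")
        salt = os.urandom(16)
        self.accounts[name] = Account(name, role, salt, _hash(password, salt))
        self.audit_log.append((actor, "create", name))

    def login(self, name, password):
        acct = self.accounts.get(name)
        ok = (acct is not None and acct.active
              and hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash))
        self.audit_log.append((name, "login" if ok else "login_failed", name))
        return ok

    def remove(self, actor, name):
        # Accounts with logged activity are suspended, not deleted, to keep the audit trail attributable.
        if not self._is_admin(actor):
            raise PermissionError("only an admin may remove accounts")
        if any(a == name for a, _, _ in self.audit_log):
            self.accounts[name].active = False
            return "suspended"
        del self.accounts[name]
        return "deleted"
```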