TACTICAL is an acronym for remembering the format used to lay out a requirement.

  • Tag: “Security/Transport/SSL”
  • Action: “Improve Security by ensuring all communication between tiers is protected by SSL.”
  • Classification: “Security. Tamperability”
  • Test: “Access to the system via HTTP should not be allowed”
  • Information: (Rationale/Resources/References/Recommendations)
  • Context/Exceptions: “Applicable to server components providing web pages and APIs accessible via HTTP”.
  • Allowances: “Requests via HTTP can be 302 redirected to the same URL, with an HTTPS protocol.”
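
The Test and Allowances fields above can be turned into an automated check. The following is an added example, not part of the original note: `check_http_response` and the sample data are hypothetical, and it assumes a strict reading in which only a refused connection or the 302 allowance passes, with "same URL" meaning same host, path and query (ports are ignored because they differ by scheme).

```python
from urllib.parse import urlsplit, urljoin

def check_http_response(request_url, status, location=None):
    """Judge one response to a plain-HTTP request against the requirement.

    status is the HTTP status code, or None if the connection was refused.
    Returns (compliant, reason).
    """
    req = urlsplit(request_url)
    if req.scheme != "http":
        raise ValueError("the test only applies to plain-HTTP requests")
    if status is None:
        return True, "no HTTP listener"
    if status != 302:
        # Strict reading (assumption): 302 is the only allowance listed.
        return False, f"HTTP answered with status {status}"
    if not location:
        return False, "302 without a Location header"
    # A relative Location resolves against the request, so it stays on HTTP.
    target = urlsplit(urljoin(request_url, location))
    if target.scheme != "https":
        return False, "redirect target is not HTTPS"
    same_url = (target.hostname == req.hostname
                and (target.path or "/") == (req.path or "/")
                and target.query == req.query)
    if not same_url:
        return False, "redirect target is not the same URL"
    return True, "302 to the same URL over HTTPS"

# Constructed observations: (request URL, status, Location header).
SAMPLES = [
    ("http://app.example.test/api/v1?x=1", 302,
     "https://app.example.test/api/v1?x=1"),
    ("http://app.example.test/login", 200, None),
    ("http://app.example.test/login", 302,
     "https://other.example.test/login"),
    ("http://app.example.test/login", 302, "/login"),
    ("http://app.example.test/", None, None),
]

def evaluate(samples=SAMPLES):
    """Return the compliance verdict for each observation, in order."""
    return [check_http_response(*s)[0] for s in samples]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", check_http_response(*sample))
```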

It's good – but note that the acronym has the following issues:

  • Which one should be the Name: Tag, or Action?
  • Classification would be better if it could be before Action