Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Psalm 34:8

Taste and see that the Lord is good; blessed is the one who takes refuge in him.

Hebrews 11:1

Now faith is confidence in what we hope for and assurance about what we do not see.

Business doesn't really like security.  I really don't know why.  If you are a manager in a business, you manage two things: people and risk.  In security, we manage risk; therefore, we do half of what managers do.  You would think they should understand what it is that we do and how necessary it is, but so often we, in security, are considered to be "the knights who say no."  We put up barriers to prevent people from getting hurt, or doing something wrong, or getting into trouble, and people see our barriers as preventing them from actually doing their jobs.

When we want to talk about security requirements, the requirements that we have in the field of security, really what we are talking about is the requirements that the business actually has.

But when we get down to the specifics in terms of security requirements, we break them down into two types.  The first is the functional requirement.  That is what you actually want to have done: the actual tool.  For example, maybe we want to prevent viruses from getting into our computers and wreaking havoc.  We want an antivirus scanner.  That is the functional requirement: scanning for viruses and preventing them from getting into our systems.

But then we have a second type of requirement. The assurance requirement. The assurance requirement is a little bit more abstract, but it's the kind of thing that asks the question: Is the tool working? Is the tool actually doing what you want it to do? Is the tool being effective at what it was originally designed or purchased to do?

In terms of the Christian life, one might see an example like this.  The functional requirement is salvation.  God has provided our salvation.  We are saved.  We are not going to be punished in eternity.  We will be with God in eternity.  That is the functional requirement.

And what is the assurance requirement there?  Well, faith.  God has said that we are saved, and we take him at his word.  We have faith.

Hmmmm.  There might be a few problems with that assurance requirement.  Are we really sure?

In the security world, we might want a requirement with a few more metrics to it. For example, in our virus scanner example, we might want the virus scanner to report how many viruses have been caught and held. As a matter of fact, maybe we will ask the scanner to quarantine the viruses so that we can examine them at some point and ensure that they were, in fact, viruses.

In the Christian world, we rely on the fact that God is always with us.  Now, yes, that's a fact, but it may not necessarily be perceptible.  Yes, there are those fortunate people who feel God's presence at all times, particularly when times are tough.  But that's never been my experience.  And when you are a grieving widower, and a depressive, to boot, it might be nice to get something a little bit more substantial every once in a while.  Faith is good.  Hard to hug, though.

I came up with another example of functional versus assurance requirements during the pandemic period.  When you go to a restaurant, or a fast food place more likely, you will notice the signs saying that hand hygiene, hand washing, was a requirement for all employees.  This, of course, is to prevent infections.  It's to prevent spreading disease.  I suppose that's why this occurred to me during the pandemic.

The functional requirements are that people have clean hands when they're handling food.  In terms of hand washing, though, the assurance requirements really aren't there.  If it's a fast food place, yes, you can see the signs displayed saying that employees must wash their hands, but you don't see them wash their hands.  They probably wash their hands in the washroom.  That's out of sight to you.

But in some of the fast food places, you will actually see the employees, while they are preparing your food, wearing plastic gloves.  You can see the gloves.  You can see that they prevent the employees from touching the food.  So you can tell that there is not going to be any cross-contamination.  You can also see that the employees, when they are finished with your sandwich and move on to the next sandwich, strip off their gloves and get a new pair.

An optional requirement, that of preventing cross-contamination and infection and disease, is the same in both cases.  But in the case of hand washing, we don't have any assurance requirement.  In the case of the gloves, we do.

(It's possible that you could get a similar visibility with regard to the hand washing if the hand washing station was, in fact, out front and visible to the public.  That might possibly be off-putting in other ways.)

In a similar way, if our church has a program of hangout food to the homeless, that is the functional requirement.  However, we could have an assurance requirement, if we also had a kind of drop-in facility for the homeless.  If we staffed it with volunteers from the church, who are willing to actually talk to the homeless people who came in, then we could check to see if, in fact, they hand out to food where it is appreciated and did in fact make some difference in their lives.

Another example of security requirements from the pandemic was the question of masking in schools, and particularly elementary schools.  Now, initially, it was felt that masking was a major requirement in school.  After all, all teachers (and I know because I'm one), feel that children are little infection factories.  They catch everything that's going and then they spread it everywhere.  They are little germ spreaders.  So the functional requirement was, yes!  We should have masking in schools!  All kids in schools should wear masks!  At all times!

And then we started to figure out that kids didn't wear masks in schools all the time.  And particularly they didn't wear masks on the way to and from school, walking and talking in groups with their friends.  There was even a meme that did the rounds noting that kids actually swapped masks!  (Swapping face masks is not an ideal way to prevent airborne infections.)

Now, the insurance requirement, in this particular case, was detailed contact tracing.  Figuring out when new cases arose and where they got the infection from.  And lo and behold, it was determined that, quite contrary to what all of us as teachers thought, there was actually surprisingly little infection spread in the school environment.  Almost none, in fact, in comparison to the transmission vectors for the rest of the pandemic.

So, what are our Christian requirements?  What are the functional requirements, and associated assurance requirements?

Well, we have the requirement to love our neighbor, and we try to fulfill that requirement.  We have, for example, ministries to the homeless.  There are a number of churches in town who go to the homeless population.  They attempt to provide some sustenance and support for the homeless.  Possibly this is in the form of a bag lunch.  In one case, there is another church that makes up sandwiches and distributes them via the Salvation Army's Community Response Unit truck.

But where is the assurance requirement?  Where is any indication that the sustenance is actually going to the homeless?  Well, I suppose you are directly handing the sandwiches or bags to the homeless.  How do we know that this is effective?  How do we know that this is actually addressing a need?  Handing out a sandwich is one thing, but are we stopping and talking to these people?  Do we talk to them long enough to find out, really find out, more than just a quick expression of gratitude so that they will get another sandwich next time, that this addresses a need that they have.  Do they need sandwiches?  Do they need something else?  Do they need clothing?  Do they need to contact a friend or a family member?  Do we even know?

We have other types of service that we do, that have specific functional requirements.  For example, there are those who go on vacationary trips, building schools or other facilities for people in third world countries.  We need to have some kind of follow-up and feedback from those in those countries to ensure that we what we are doing what we are building is in fact of use to them.

Do we want to know?  Is *our* assurance requirement that we remain in ignorance, so that we can assume that we have fulfilled the functional requirement?

On one occasion in our downtown, an acquaintance noticed a discarded piece of clothing.  With much disgust, he asserted that that was ingratitude for you.  He was associated with a program that handed out clothing to the homeless.  Now here was one of their pieces of clothing, lying, discarded, as if it had no value whatsoever.

The thing is, it was wet.  What use is wet clothing to the homeless?  It will not keep them warm.  As a matter of fact, it's a danger.  Wet clothing will leech away heat faster than if you are even stark naked.  And why should they carry wet clothing around with them?  Once again, that's a danger.  Wet clothing is going to wet the dry clothing that you are wearing.  Once again, you risk hypothermia.  And, in any case, where is a homeless person going to be able to dry a piece of wet clothing?

In this case, the security requirement wasn't clothing; it was warmth.  And there was no assurance requirement that assured us that the clothing would remain dry.

As I said, a lot of people in business consider that security is something that can be discarded as unnecessary.  In church we need to present in the same way as security people, constantly reminding people that we, as security, are there to support the business.  Our objectives are their objectives.  We are there to help them.

In the same way, with the church, what is the church there for?  Who is the church there to help?  What are the objectives?  And then, what are the assurance requirements that let us know that the functional requirements are in fact being met.  We need to know that our functional requirements of teaching are getting through to the congregation.  We need to know that our functional requirements of supporting them, in their endeavors, are followed up by assurance requirements in terms of either pastoral care or small groups, where we get to know what their requirements for support are.

If we don't, we could just be wasting everybody's time.

Theological Lessons from Information Security

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

https://fibrecookery.blogspot.com/2026/04/sermon-tlis-02-47-integrityrobert-slade.html

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

https://fibrecookery.blogspot.com/2026/04/sermon-tlis-115-footprints-and-key.html

Sermon - TLIS - 1.1.7 - Security Frameworks

https://fibrecookery.blogspot.com/2026/04/sermon-tlis-117-security-frameworks.html

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

https://fibrecookery.blogspot.com/2024/07/sermon-34-edit-audit-prophet.html

Sermon - TLIS - 1.5.1 - Manage Everything

https://fibrecookery.blogspot.com/2026/04/sermon-tlis-105-manage-everything.html

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts

https://fibrecookery.blogspot.com/2026/04/sermon-tlis-171-organizational-roles.html

Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

https://fibrecookery.blogspot.com/2026/02/sermon-73-muster-station-safe-and.html

Sermon - TLIS - 10.3.1 - Intellectual Property

https://fibrecookery.blogspot.com/2026/04/sermon-tlis-1031-intellectual-property.html

Sermon - TLIS - 10.5.1 - Privacy

https://fibrecookery.blogspot.com/2023/12/sermon-tlis-1051-privacy-theological.html

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence

https://fibrecookery.blogspot.com/2025/01/sermon-54-liability-and-negligence.html

Sermons: https://fibrecookery.blogspot.com/2023/09/sermons.html