Update Security Management process

process/folder_templates/modules/module_name/docs/index.rst

@@ -21,5 +21,6 @@ Module Documents
 
    manual/index.rst
    safety_mgt/index.rst
+   security_mgt/index.rst
    verification/module_verification_report.rst
    release/release_note.rst

process/folder_templates/modules/module_name/docs/manual/index.rst

@@ -19,3 +19,4 @@ Manuals
    :titlesonly:
 
    safety_manual
+   security_manual

process/process_areas/security_management/guidance/security_management_security_manual_template.rst → process/folder_templates/modules/module_name/docs/manual/security_manual.rst

@@ -12,18 +12,26 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Security Manual Template
-=========================
-
-.. gd_temp:: Security Manual Template
-   :id: gd_temp__security_manual
-   :status: valid
-   :complies:
-
-   Will be moved to Folder Templates (tbd https://github.com/eclipse-score/process_description/issues/109)
-   For the content see here: need:`doc__module_name_security_manual`
-   Will also adapted to the latest Safety ManualTemplate
-
+Module Security Manual
+======================
+
+.. note:: Document header
+
+.. document:: [Your Module Name] Security Manual
+   :id: doc__module_name_security_manual
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__module_security_manual
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc__`` and succeeded by ``security_manual``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``security`` and ``tags`` according to your needs
 
 Introduction/Scope
 ------------------

process/folder_templates/modules/module_name/docs/security_mgt/index.rst

@@ -0,0 +1,23 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Security Management
+###################
+
+.. toctree::
+   :titlesonly:
+
+   module_security_plan
+   module_security_plan_fdr
+   module_security_package_fdr

process/process_areas/security_management/guidance/security_management_checklist_security_package.rst → process/folder_templates/modules/module_name/docs/security_mgt/module_security_package_fdr.rst

@@ -12,13 +12,27 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Security Package Formal Review Checklist
-========================================
+Security Package Formal Review Report
+=====================================
+
+.. note:: Document header
+
+.. document:: [Your Module Name] Security Package Formal Review
+   :id: doc__module_name_security_package_fdr
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__fdr_reports
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``safety_package_fdr``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety`` and ``tags`` according to your needs
 
-.. gd_chklst:: Security Package Formal Review Checklist
-   :id: gd_chklst__security_package
-   :status: valid
-   :complies: std_req__isosae21434__prj_management_6471, std_req__isosae21434__prj_management_6491, std_req__isosae21434__prj_management_6492
 
 **1. Purpose**
 

process/process_areas/security_management/guidance/security_management_module_security_plan_template.rst → process/folder_templates/modules/module_name/docs/security_mgt/module_security_plan.rst

@@ -12,18 +12,26 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Module Security Plan Template
-=============================
+Module Security Plan
+====================
 
-.. gd_temp:: Module Security Plan Template
-   :id: gd_temp__module_security_plan
-   :status: valid
-   :complies:
+.. note:: Document header
 
-   Will be moved to Folder Templates (tbd https://github.com/eclipse-score/process_description/issues/109)
-   For the content see here: need:`doc__module_name_security_plan`
-   Will also adapted to the latest Safety Plan Template
+.. document:: [Your Module Name] Security Plan
+   :id: doc__module_name_security_plan
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__module_security_plan
+   :tags: template
 
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``security_plan``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety`` and ``tags`` according to your needs
 
 
    | **1. Security Management Context**
@@ -75,14 +83,14 @@ Module Security Plan Template
           - <automated>
 
         * - :need:`wp__fdr_reports` (module Security Plan)
-          - :need:`gd_chklst__security_plan`
+          - :need:`gd_chklst__module_security_plan`
           - <automated>
           - <Link to issue>
           - <Link to WP>
           - <automated>
 
         * - :need:`wp__fdr_reports` (module Security Package)
-          - :need:`Security Package Formal Review Checklist <gd_chklst__security_package>`
+          - :need:`Security Package Formal Review Checklist <gd_chklst__module_security_package>`
           - <automated>
           - <Link to issue>
           - <Link to WP>
@@ -110,7 +118,7 @@ Module Security Plan Template
           - <automated>
 
         * - :need:`wp__module_security_manual`
-          - :need:`gd_temp__security_manual`
+          - :need:`gd_temp__module_security_manual`
           - <automated>
           - <Link to issue>
           - <Link to WP>

process/process_areas/security_management/guidance/security_management_checklist_security_plan.rst → process/folder_templates/modules/module_name/docs/security_mgt/module_security_plan_fdr.rst

@@ -12,17 +12,31 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Security Plan Review Checklist
-==============================
+Module Security Plan Formal Review Report
+=========================================
 
-.. gd_chklst:: Security Plan Review Checklist
-   :id: gd_chklst__security_plan
-   :status: valid
-   :complies: std_req__isosae21434__prj_management_6411, std_req__isosae21434__prj_management_6421, std_req__isosae21434__prj_management_6422, std_req__isosae21434__prj_management_6423, std_req__isosae21434__prj_management_6424, std_req__isosae21434__prj_management_6425, std_req__isosae21434__prj_management_6426, std_req__isosae21434__prj_management_6427, std_req__isosae21434__prj_management_6428, std_req__isosae21434__prj_management_6429, std_req__isosae21434__prj_management_64210, std_req__isosae21434__prj_management_64211, std_req__isosae21434__prj_management_6431, std_req__isosae21434__prj_management_6432, std_req__isosae21434__prj_management_6441, std_req__isosae21434__prj_management_6442, std_req__isosae21434__prj_management_6443, std_req__isosae21434__prj_management_6451, std_req__isosae21434__prj_management_6452, std_req__isosae21434__prj_management_6453, std_req__isosae21434__prj_management_6461, std_req__isosae21434__prj_management_6462
+.. note:: Document header
+
+.. document:: [Your Module Name] Security Plan Formal Review
+   :id: doc__module_name_security_plan_fdr
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__fdr_reports
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Module.
+
+    - Modify ``Your Module Name`` to be your Module Name
+    - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``_security_plan_fdr``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety`` and ``tags`` according to your needs
 
 **1. Purpose**
 
-The purpose of this security plan review checklist is to report status of the review for the security plan.
+The purpose of this review checklist is to provide a guidence for reviewing the security plans for each module.
+Each module security plan shall one checklist filled.
 
 **2. Checklist**
 

process/folder_templates/platform/index.rst

@@ -22,5 +22,10 @@ Platform
 
    safety_analysis/platform_dfa.rst
    requirements/stakeholder/chklst_req_inspection.rst
-   safety_planning/index.rst
+   safety_planning/platform_safety_plan.rst
    safety_planning/platform_safety_analysis_fdr.rst
+   security_analysis/platform_security_manual.rst
+   security_analysis/platform_security_analysis_fdr.rst
+   security_analysis/platform_security_package_fdr.rst
+   security_planning/platform_security_plan.rst
+   security_planning/platform_security_plan_fdr.rst

process/folder_templates/platform/security_analysis/platform_security_analysis_fdr.rst

@@ -0,0 +1,41 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+
+Security Analysis Checklist
+===========================
+
+.. document:: [Your Platform Name] Security Analysis Checklist
+   :id: doc__platform_name_security_analysis_fdr
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__fdr_reports
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Platform.
+
+    - Modify ``Your Platform Name`` to be your Platform Name
+    - Modify ``id`` to be your Platform Name in lower snake case preceded by ``doc__`` and followed by ``_security_analysis_fdr``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety``, ``security`` and ``tags`` according to your needs
+
+
+**Purpose**
+The purpose of this Security Analysis checklist template is to collect the topics to be checked during verification of the Security Analysis.
+
+**Checklist**
+
+To be filled as part of https://github.com/eclipse-score/process_description/issues/452.

process/folder_templates/platform/security_analysis/platform_security_manual.rst

@@ -0,0 +1,92 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Platform Security Manual
+========================
+
+.. note:: Document header
+
+.. document:: Platform Security Manual
+   :id: doc__platform_security_manual
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__platform_security_manual
+   :tags: template
+
+Introduction/Scope
+------------------
+.. note:: The platform Security Manual is only performed once at platform level to analyse the dependencies between the features of the platform.
+          The results shall be used as an input for the safety analysis so that general safety mechanisms are only defined once and not in every single safety analysis.
+
+Assumed Platform Security Requirements
+--------------------------------------
+| For the <Project platform> the following security related stakeholder requirements are assumed to define the top level functionality (purpose) of the <Project platform / module name>. i.e. from these all the feature and component requirements implemented are derived.
+| <List here all the stakeholder requirements, with security relevance, the module's components requirements are derived from.>
+
+Assumptions of Use
+------------------
+
+Assumptions on the Environment
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+| Generally the assumption of the Project platform OoC is that it is integrated in a secure system, i.e. the POSIX OS it runs on is qualified and also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module's security concept.
+| <List here all the OS calls the Project platform expects to be secure.>
+
+List of AoUs expected from the environment the platform / module runs on:
+
+.. needtable::
+   :style: table
+   :columns: title;id;status
+   :colwidths: 25,25,25
+   :sort: title
+
+   results = []
+
+   for need in needs.filter_types(["aou_req"]):
+      if need and "environment" in need["tags"]:
+                results.append(need)
+
+Assumptions on the User
+^^^^^^^^^^^^^^^^^^^^^^^
+| As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform EooC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform EooC security package.
+| Additionally the components of the platform may have additional specific assumptions how they are used. These are part of every module documentation: <link to add>. Assumptions from components to their users can be fulfilled in two ways:
+| 1. There are assumption which need to be fulfilled by all SW components, e.g. "every user of an IPC mechanism needs to make sure that he provides correct data (e.g. including appropriate security (access) control)" - in this case the AoU is marked as "platform".
+| 2. There are assumption which can be fulfilled by a security control realized by some other Project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module EooC stand-alone - in this case the AoU is marked as "module". An example would be the "JSON read" which requires "The user shall provide a string as input which is not corrupted due to HW or QM SW errors." - which is covered when using together with safe <Project> platform persistency feature.
+
+List of AoUs on the user of the platform features or the module of this security manual:
+
+.. needtable::
+   :style: table
+   :columns: title;id;status
+   :colwidths: 25,25,25
+   :sort: title
+
+   results = []
+
+   for need in needs.filter_types(["aou_req"]):
+      if need and "environment" not in need["tags"]:
+                results.append(need)
+
+Security concept of the OoC
+----------------------------
+| <Describe here the security concept incl. which attack paths are taken care of, reactions of the implemented functions under threatened operating conditions ... if this is not already documented sufficiently in the feature documentation "security impact" section of all the features the module is used in.>
+
+Security Weaknesses, Vulnerabilities
+------------------------------------
+| Weaknesses, Vulnerabilities (bugs in security relevant SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>.
+
+References
+----------
+| <link to the user manual>
+| <other links>

process/folder_templates/platform/security_analysis/platform_security_package_fdr.rst

@@ -0,0 +1,42 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+
+Platform Security Package Checklist
+===================================
+
+.. document:: [Your Platform Name] Security Package Checklist
+   :id: doc__platform_name_security_package_fdr
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__fdr_reports
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Platform.
+
+    - Modify ``Your Platform Name`` to be your Platform Name
+    - Modify ``id`` to be your Platform Name in lower snake case preceded by ``doc__`` and followed by ``_security_package_fdr``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety``, ``security`` and ``tags`` according to your needs
+
+
+**Purpose**
+The purpose of this Platform Security package checklist template is to collect the topics to be checked during verification of the Platform Security package.
+
+**Checklist**
+.. Question: Create a task for this.
+
+To be filled.