Merge pull request #92 from eclipse-score/masc2023_add_initial_security_management

initial security management

Author: masc2023

process/_assets/score_process_area_overview.drawio.svg

@@ -31,6 +31,7 @@ Process Areas
    requirements_engineering/index.rst
    safety_analysis/index.rst
    safety_management/index.rst
+   security_management/index.rst
    tool_management/index.rst
    verification/index.rst
    process_management/index.rst

process/process_areas/index.rst

@@ -0,0 +1,27 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Guidance
+########
+
+.. toctree::
+   :maxdepth: 1
+
+   security_management_guideline
+   security_management_feature_security_wp_template
+   security_management_module_security_plan_template
+   security_management_security_manual_template
+   security_management_checklist_security_package
+   security_management_checklist_security_plan
+   security_management_process_reqs

process/process_areas/security_management/guidance/index.rst

@@ -0,0 +1,65 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Security Package Formal Review Checklist
+========================================
+
+.. gd_chklst:: Security Package Formal Review Checklist
+   :id: gd_chklst__security_package
+   :status: valid
+   :complies: std_req__isosae21434__prj_management_6471, std_req__isosae21434__prj_management_6491, std_req__isosae21434__prj_management_6492
+
+**1. Purpose**
+
+The purpose of this review checklist is to report status of the formal review for the security package.
+
+**2. Checklist**
+
+.. list-table:: Security Package Checklist
+        :header-rows: 1
+
+        * - Id
+          - Security package activity
+          - Compliant to ISO SAE 21434?
+          - Comment
+
+        * - 1
+          - Is a security package provided which matches the security plan (i.e. all planned work products referenced)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 2
+          - Is the argument how security is achieved, provided in the security package, plausible and sufficient?
+          - NO
+          - The argument is intentionally not provided by the Project.
+
+        * - 3
+          - Are the referenced work products available?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 4
+          - Are the referenced work products in released state, including the process security audit?
+          - NO
+          - Security audit is currently not planned, tailored out.
+
+        * - 5
+          - If security related deviations from the process or security concept are documented, are these argued understandably?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 6
+          - Are the requirements for post-development available?
+          - [YES | NO ]
+          - <Rationale for result>

process/process_areas/security_management/guidance/security_management_checklist_security_package.rst

@@ -0,0 +1,108 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Security Plan Review Checklist
+==============================
+
+.. gd_chklst:: Security Plan Review Checklist
+   :id: gd_chklst__security_plan
+   :status: valid
+   :complies: std_req__isosae21434__prj_management_6411, std_req__isosae21434__prj_management_6421, std_req__isosae21434__prj_management_6422, std_req__isosae21434__prj_management_6423, std_req__isosae21434__prj_management_6424, std_req__isosae21434__prj_management_6425, std_req__isosae21434__prj_management_6426, std_req__isosae21434__prj_management_6427, std_req__isosae21434__prj_management_6428, std_req__isosae21434__prj_management_6429, std_req__isosae21434__prj_management_64210, std_req__isosae21434__prj_management_64211, std_req__isosae21434__prj_management_6431, std_req__isosae21434__prj_management_6432, std_req__isosae21434__prj_management_6441, std_req__isosae21434__prj_management_6442, std_req__isosae21434__prj_management_6443, std_req__isosae21434__prj_management_6451, std_req__isosae21434__prj_management_6452, std_req__isosae21434__prj_management_6453, std_req__isosae21434__prj_management_6461, std_req__isosae21434__prj_management_6462
+
+**1. Purpose**
+
+The purpose of this security plan review checklist is to report status of the review for the security plan.
+
+**2. Checklist**
+
+.. list-table:: Security Plan Checklist
+        :header-rows: 1
+
+        * - Id
+          - Security plan activity
+          - Compliant to ISO SAE 21434?
+          - Comment
+
+        * - 1
+          - Is the rationale for the security work products tailoring included?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 2
+          - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 3
+          - Does the security plan define all needed activities for security management (incl. Review and Security Audit)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 4
+          - Does the security plan define all needed activities for SW development, integration and verification?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 5
+          - Does the security plan define all needed activities for security analysis?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 6
+          - Does the security plan define all needed activities for supporting processes (incl. tool mgt)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 7
+          - Does the security plan document a responsible for all activities?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 8
+          - If Off-the-shelf (e.g. existing OSS) software components is used, is it planned to be analysed?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 9
+          - Is a security manager and a technical/module lead appointed for the project?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 10
+          - Is security plan sufficiently linked to the project plan?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 11
+          - Is security plan updated iteratively to show the progress?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 12
+          - If Out-of-context software components is used, are the assumptions documented?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 13
+          - Does the security plan define all needed activities for SBOM generation?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 14
+          - Does the security plan define regular vulnerability scans for the generated SBOM?
+          - [YES | NO ]
+          - <Rationale for result>
+
+.. note::
+    Off-the-shelf means existing software which may used w/o modification, e.g. existing OSS

process/process_areas/security_management/guidance/security_management_checklist_security_plan.rst

@@ -0,0 +1,24 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Feature Security Work Products Template
+=======================================
+
+.. gd_temp:: Feature Security Work Products Template
+   :id: gd_temp__feature_security_wp
+   :status: valid
+   :complies:
+
+   For the content see here: (tbd https://github.com/eclipse-score/process_description/issues/109)
+   ref:`feature_security_wp_template`