process: initial security management process

Resolves: #709, #696

Author: masc2023

docs/platform_management_plan/index.rst

@@ -31,6 +31,7 @@ Platform Management Plan
    project_management
    stakeholder_management
    safety_management
+   security_management
    risk_management
    quality_management
    config_management

docs/platform_management_plan/safety_management.rst

@@ -16,7 +16,7 @@
    :id: doc__platform_safety_plan
    :status: draft
    :safety: ASIL_B
-   :realizes: wp__platform_safety_plan
+   :realizes: wp__platform_safety_plan, wp__tailoring
    :tags: platform_management
 
 Safety management / Platform Safety Plan
@@ -117,13 +117,9 @@ Because in the S-CORE SW platform integration of safety-related systems not deve
 
 Because in the S-CORE SW platform no ASIL decomposition is planned: :need:`std_wp__iso26262__analysis_551`, :need:`std_wp__iso26262__analysis_552`
 
-.. workproduct:: Tailoring Document Platform
-   :id: wp__tailoring_platform
-   :status: valid
-   :complies: std_wp__iso26262__management_751, std_wp__iso26262__system_652, std_wp__iso26262__system_653, std_wp__iso26262__system_654, std_wp__iso26262__system_655, std_wp__iso26262__system_656, std_wp__iso26262__system_657, std_wp__iso26262__system_751, std_wp__iso26262__system_752, std_wp__iso26262__system_851, std_wp__iso26262__system_852, std_wp__iso26262__software_1151, std_wp__iso26262__software_1152, std_wp__iso26262__software_app_c_52, std_wp__iso26262__software_app_c_54, std_wp__iso26262__software_app_c_57, std_wp__iso26262__support_551, std_wp__iso26262__support_552, std_wp__iso26262__support_553, std_wp__iso26262__support_554, std_wp__iso26262__support_555, std_wp__iso26262__support_1351, std_wp__iso26262__support_1352, std_wp__iso26262__support_1353, std_wp__iso26262__support_1451, std_wp__iso26262__support_1452, std_wp__iso26262__support_1551, std_wp__iso26262__support_1651, std_wp__iso26262__analysis_551, std_wp__iso26262__analysis_552
 
-   This work product instantiation links to all the work products which are tailored out in the platform safety plan,
-   to be able to demonstrate completeness in :ref:`external_standards`
+Summary: :need:`wp__tailoring` links to all the work products which are tailored out in the platform safety plan,
+to be able to demonstrate completeness in :ref:`external_standards`
 
 Approach
 ++++++++

docs/platform_management_plan/security_management.rst

@@ -12,8 +12,10 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
+.. _tool_management:
+
 Tool Management
-------------------------
+---------------
 
 Purpose
 +++++++

docs/platform_management_plan/tool_management.rst

@@ -20,7 +20,7 @@ Architecture Workproducts
 .. workproduct:: Feature Architecture
    :id: wp__feature_arch
    :status: valid
-   :complies: std_wp__iso26262__software_751
+   :complies: std_wp__iso26262__software_751, std_wp__isosae21434__development_1051
 
    Feature Architecture linked to Feature Requirements, i.e. interaction of components
 
@@ -33,7 +33,7 @@ Architecture Workproducts
 .. workproduct:: Component Architecture
    :id: wp__component_arch
    :status: valid
-   :complies: std_wp__iso26262__software_751, std_wp__isopas8926__4523
+   :complies: std_wp__iso26262__software_751, std_wp__isopas8926__4523, std_wp__isosae21434__development_1051
 
    Component Architecture linked to Component Requirements
 

docs/process/_assets/score_process_area_overview.drawio.svg

@@ -27,7 +27,7 @@ Work Products Change Management
    :id: wp__issue_track_system
    :status: valid
    :tags: change_management
-   :complies: std_wp__iso26262__support_852, std_wp__iso26262__support_853, std_wp__iso26262__support_854, std_wp__isopas8926__4527, std_req__aspice_40__iic-13-16, std_req__aspice_40__iic-13-07, std_req__aspice_40__iic-15-55, std_req__aspice_40__iic-15-12
+   :complies: std_wp__iso26262__support_852, std_wp__iso26262__support_853, std_wp__iso26262__support_854, std_wp__isopas8926__4527, std_req__aspice_40__iic-13-16, std_req__aspice_40__iic-13-07, std_req__aspice_40__iic-15-55, std_req__aspice_40__iic-15-12, std_wp__isosae21434__continual_8333, std_wp__isosae21434__continual_8431, std_wp__isosae21434__continual_8531, std_wp__isosae21434__continual_8631
 
    | - Change request
    | - Change request plan

docs/process/process_areas/architecture_design/architecture_workproducts.rst

@@ -18,7 +18,7 @@ Guideline
 .. gd_guidl:: Change Request Guideline
    :id: gd_guidl__change__change_request
    :status: valid
-   :complies: std_req__iso26262__support_8414, std_req__iso26262__support_8432, std_req__iso26262__support_8442, std_req__iso26262__support_8451
+   :complies: std_req__iso26262__support_8414, std_req__iso26262__support_8432, std_req__iso26262__support_8442, std_req__iso26262__support_8451, std_req__isosae21434__org_management_5441, std_req__isosae21434__continual_8321, std_req__isosae21434__continual_8322, std_req__isosae21434__continual_8323
 
 This document describes the general guidances for Change Management based on the concept which is defined :need:`[[title]]<doc_concept__change__process>`.
 

docs/process/process_areas/change_management/change_management_workproducts.rst

@@ -20,7 +20,7 @@ Impact Analysis Template
 .. gd_temp:: Impact Analysis Template
    :id: gd_temp__change__impact_analysis
    :status: valid
-   :complies: std_req__aspice_40__SUP-10-BP2, std_req__aspice_40__iic-18-57, std_req__iso26262__support_8431, std_req__iso26262__support_8432, std_req__isopas8926__4462
+   :complies: std_req__aspice_40__SUP-10-BP2, std_req__aspice_40__iic-18-57, std_req__iso26262__support_8431, std_req__iso26262__support_8432, std_req__isopas8926__4462, std_req__isosae21434__continual_8322, std_req__isosae21434__continual_8421, std_req__isosae21434__continual_8521, std_req__isosae21434__continual_8522, , std_req__isosae21434__continual_8621, std_req__isosae21434__continual_8622
 
 Type of Change Request
 ----------------------

docs/process/process_areas/change_management/guidance/change_management_guideline.rst

@@ -18,7 +18,7 @@ Guideline
 .. gd_guidl:: Documentation
    :id: gd_guidl__documentation
    :status: valid
-   :complies: std_req__iso26262__support_1041, std_req__iso26262__support_1042, std_req__iso26262__support_1043, std_req__iso26262__support_1044, std_req__iso26262__support_1045, std_req__iso26262__support_1046
+   :complies: std_req__iso26262__support_1041, std_req__iso26262__support_1042, std_req__iso26262__support_1043, std_req__iso26262__support_1044, std_req__iso26262__support_1045, std_req__iso26262__support_1046, std_req__isosae21434__org_management_5441
 
 The planning for the documents is part of the Platform Management Plan.
 

docs/process/process_areas/change_management/guidance/change_management_impact_analysis_template.rst

@@ -28,15 +28,15 @@ Workproducts Implementation
    :id: wp__sw_implementation_inspection
    :status: valid
    :tags: safety
-   :complies: std_wp__iso26262__software_952
+   :complies: std_wp__iso26262__software_952, std_wp__isosae21434__development_1054
 
    Github review with integrated inspection checklist, only valid Detailed Design and Code get merged
 
 .. workproduct:: Software Development Plan
    :id: wp__sw_development_plan
    :status: valid
    :tags: safety
-   :complies: std_wp__iso26262__software_551, std_wp__iso26262__software_app_c_58
+   :complies: std_wp__iso26262__software_551, std_wp__iso26262__software_app_c_58, std_wp__isosae21434__development_1053
 
    Process description of SW development including
    - selection of design and programming language

docs/process/process_areas/documentation_management/guidance/documentation_guideline.rst

@@ -27,4 +27,5 @@ Process Areas
    problem_resolution/index.rst
    requirements_engineering/index.rst
    safety_management/index.rst
+   security_management/index.rst
    verification/index.rst

docs/process/process_areas/implementation/implementation_workproducts.rst

@@ -18,7 +18,7 @@ Work Products Platform Management
 .. workproduct:: Platform Management Plan
    :id: wp__platform_mgmt
    :status: valid
-   :complies:
+   :complies: std_wp__isosae21434__org_management_553, std_wp__isosae21434__org_management_554
 
    The Platform Management Plan shall include the plans as defined by the
    :ref:`Platform Management Plan Template <platform_templates>`.

docs/process/process_areas/index.rst

@@ -20,7 +20,7 @@ Problem Report Template
 .. gd_temp:: Problem Template
    :id: gd_temp__problem__template
    :status: valid
-   :complies: std_req__aspice_40__SUP-9-BP1, std_req__aspice_40__SUP-9-BP2, std_req__aspice_40__SUP-9-BP3, std_req__aspice_40__SUP-9-BP4,
+   :complies: std_req__aspice_40__SUP-9-BP1, std_req__aspice_40__SUP-9-BP2, std_req__aspice_40__SUP-9-BP3, std_req__aspice_40__SUP-9-BP4, std_req__isosae21434__continual_8322, std_req__isosae21434__continual_8421, std_req__isosae21434__continual_8521, std_req__isosae21434__continual_8522, std_req__isosae21434__continual_8621, std_req__isosae21434__continual_8622
 
 
 Parts of the Problem Template shall be created automatically by the defined Issue Tracking System,

docs/process/process_areas/platform_management/platform_management_workproducts.rst

@@ -18,7 +18,7 @@ Guideline
 .. gd_guidl:: Requirements Guideline
    :id: gd_guidl__req__engineering
    :status: valid
-   :complies: std_req__isopas8926__44421, std_req__isopas8926__44422, std_req__isopas8926__44423
+   :complies: std_req__isopas8926__44421, std_req__isopas8926__44422, std_req__isopas8926__44423, std_req__isosae21434__org_management_5441
 
 This document describes the general guidances for requirements based on the concept which is defined :need:`[[title]]<doc_concept__req__process>`.
 

docs/process/process_areas/problem_resolution/guidance/problem_resolution_template.rst

@@ -18,35 +18,35 @@ Workproducts Requirements Engineering
 .. workproduct:: Stakeholder Requirements
    :id: wp__requirements__stkh
    :status: valid
-   :complies: std_wp__iso26262__system_651, std_wp__iso26262__software_651
+   :complies: std_wp__iso26262__system_651, std_wp__iso26262__software_651, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    Technical requirements from a stakeholder viewpoint and assumptions of use based on the integration as SW platform SEooC in an assumed context.
 
 .. workproduct:: Feature Requirements
    :id: wp__requirements__feat
    :status: valid
-   :complies: std_wp__iso26262__software_651
+   :complies: std_wp__iso26262__software_651, std_wp__isosae21434__development_1051
 
    Feature requirements describe in a more detailed way the functionality which will fulfill a set of stakeholder requirements. A "feature" itself represents a set of requirements. It describes the interaction of the components to form a feature. It shall also be the basis for integration testing on platform level.
 
 .. workproduct:: Component Requirements
    :id: wp__requirements__comp
    :status: valid
-   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521
+   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    SW Requirements for components
 
 .. workproduct:: Feature Assumptions of Use
    :id: wp__requirements__feat_aou
    :status: valid
-   :complies: std_wp__iso26262__software_651
+   :complies: std_wp__iso26262__software_651, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    SW Safety Requirements for the user of the feature, exportable requirements for the user to integrate in their req mgt system.
 
 .. workproduct:: Component Assumptions of Use
    :id: wp__requirements__comp_aou
    :status: valid
-   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521
+   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    SW Safety Requirements for the user of the component, exportable requirements for the user to integrate in their req mgt system.
 

docs/process/process_areas/requirements_engineering/guidance/requirements_guideline.rst

@@ -121,17 +121,3 @@ Work products
    * a development processes analysis; and
    * a complexity analysis of the pre-developed SW component; and
    * finally a SW component classification as input for the safety planning (which is to cover the determined gaps, if any, by additional verification measures).
-
-.. workproduct:: Tailoring Documents
-   :id: wp__tailoring
-   :status: valid
-   :complies: std_wp__iso26262__management_653
-
-   This work product argues why some work products are not needed in the project.
-
-   It may have several levels:
-
-   * Project/Platform
-   * Feature/Component
-
-   It belongs to the Safety Plan.

docs/process/process_areas/requirements_engineering/requirements_workproducts.rst

@@ -0,0 +1,27 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Guidance
+########
+
+.. toctree::
+   :maxdepth: 1
+
+   security_management_guideline
+   security_management_feature_security_wp_template
+   security_management_module_security_plan_template
+   security_management_security_manual_template
+   security_management_checklist_security_package
+   security_management_checklist_security_plan
+   security_management_process_reqs

docs/process/process_areas/safety_management/workproducts.rst

@@ -0,0 +1,65 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Security Package Formal Review Checklist
+========================================
+
+.. gd_chklst:: Security Package Formal Review Checklist
+   :id: gd_chklst__security_package
+   :status: valid
+   :complies: std_req__isosae21434__prj_management_6471, std_req__isosae21434__prj_management_6491, std_req__isosae21434__prj_management_6492
+
+   **1. Purpose**
+
+   The purpose of this review checklist is to report status of the formal review for the security package.
+
+   **2. Checklist**
+
+.. list-table:: Security Package Checklist
+        :header-rows: 1
+
+        * - Id
+          - Security package activity
+          - Compliant to ISO SAE 21434?
+          - Comment
+
+        * - 1
+          - Is a security package provided which matches the security plan (i.e. all planned work products referenced)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 2
+          - Is the argument how security is achieved, provided in the security package, plausible and sufficient?
+          - NO
+          - The argument is intentionally not provided by S-CORE.
+
+        * - 3
+          - Are the referenced work products available?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 4
+          - Are the referenced work products in released state, including the process security audit?
+          - NO
+          - Security audit is currently not planned, tailored out.
+
+        * - 5
+          - If security related deviations from the process or security concept are documented, are these argued understandably?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 6
+          - Are the requirements for post-development available?
+          - [YES | NO ]
+          - <Rationale for result>