process: initial security management process

Resolves: #709, #696

Author: masc2023

docs/platform_management_plan/index.rst

@@ -31,6 +31,7 @@ Platform Management Plan
    project_management
    stakeholder_management
    safety_management
+   security_management
    risk_management
    quality_management
    config_management

docs/platform_management_plan/safety_management.rst

@@ -16,7 +16,7 @@
    :id: doc__platform_safety_plan
    :status: draft
    :safety: ASIL_B
-   :realizes: wp__platform_safety_plan
+   :realizes: wp__platform_safety_plan, wp__tailoring
    :tags: platform_management
 
 Safety management / Platform Safety Plan
@@ -117,13 +117,9 @@ Because in the S-CORE SW platform integration of safety-related systems not deve
 
 Because in the S-CORE SW platform no ASIL decomposition is planned: :need:`std_wp__iso26262__analysis_551`, :need:`std_wp__iso26262__analysis_552`
 
-.. workproduct:: Tailoring Document Platform
-   :id: wp__tailoring_platform
-   :status: valid
-   :complies: std_wp__iso26262__management_751, std_wp__iso26262__system_652, std_wp__iso26262__system_653, std_wp__iso26262__system_654, std_wp__iso26262__system_655, std_wp__iso26262__system_656, std_wp__iso26262__system_657, std_wp__iso26262__system_751, std_wp__iso26262__system_752, std_wp__iso26262__system_851, std_wp__iso26262__system_852, std_wp__iso26262__software_1151, std_wp__iso26262__software_1152, std_wp__iso26262__software_app_c_52, std_wp__iso26262__software_app_c_54, std_wp__iso26262__software_app_c_57, std_wp__iso26262__support_551, std_wp__iso26262__support_552, std_wp__iso26262__support_553, std_wp__iso26262__support_554, std_wp__iso26262__support_555, std_wp__iso26262__support_1351, std_wp__iso26262__support_1352, std_wp__iso26262__support_1353, std_wp__iso26262__support_1451, std_wp__iso26262__support_1452, std_wp__iso26262__support_1551, std_wp__iso26262__support_1651, std_wp__iso26262__analysis_551, std_wp__iso26262__analysis_552
 
-   This work product instantiation links to all the work products which are tailored out in the platform safety plan,
-   to be able to demonstrate completeness in :ref:`external_standards`
+Summary: :need:`wp__tailoring` links to all the work products which are tailored out in the platform security plan,
+to be able to demonstrate completeness in :ref:`external_standards`
 
 Approach
 ++++++++

docs/platform_management_plan/security_management.rst

@@ -20,7 +20,7 @@ Architecture Workproducts
 .. workproduct:: Feature Architecture
    :id: wp__feature_arch
    :status: valid
-   :complies: std_wp__iso26262__software_751
+   :complies: std_wp__iso26262__software_751, std_wp__isosae21434__development_1051
 
    Feature Architecture linked to Feature Requirements, i.e. interaction of components
 
@@ -33,7 +33,7 @@ Architecture Workproducts
 .. workproduct:: Component Architecture
    :id: wp__component_arch
    :status: valid
-   :complies: std_wp__iso26262__software_751, std_wp__isopas8926__4523
+   :complies: std_wp__iso26262__software_751, std_wp__isopas8926__4523, std_wp__isosae21434__development_1051
 
    Component Architecture linked to Component Requirements
 

docs/process/process_areas/architecture_design/architecture_workproducts.rst

@@ -27,7 +27,7 @@ Work Products Change Management
    :id: wp__issue_track_system
    :status: valid
    :tags: change_management
-   :complies: std_wp__iso26262__support_852, std_wp__iso26262__support_853, std_wp__iso26262__support_854, std_req__aspice_40__iic-13-16, std_wp__isopas8926__4527
+   :complies: std_wp__iso26262__support_852, std_wp__iso26262__support_853, std_wp__iso26262__support_854, std_req__aspice_40__iic-13-16, std_wp__isopas8926__4527, std_wp__isosae21434__continual_8631
 
    | - Change request
    | - Change request plan

docs/process/process_areas/change_management/change_management_workproducts.rst

@@ -28,15 +28,15 @@ Workproducts Implementation
    :id: wp__sw_implementation_inspection
    :status: valid
    :tags: safety
-   :complies: std_wp__iso26262__software_952
+   :complies: std_wp__iso26262__software_952, std_wp__isosae21434__development_1054
 
    Github review with integrated inspection checklist, only valid Detailed Design and Code get merged
 
 .. workproduct:: Software Development Plan
    :id: wp__sw_development_plan
    :status: valid
    :tags: safety
-   :complies: std_wp__iso26262__software_551, std_wp__iso26262__software_app_c_58
+   :complies: std_wp__iso26262__software_551, std_wp__iso26262__software_app_c_58, std_wp__isosae21434__development_1053
 
    Process description of SW development including
    - selection of design and programming language

docs/process/process_areas/implementation/implementation_workproducts.rst

@@ -26,4 +26,5 @@ Process Areas
    platform_management/index.rst
    requirements_engineering/index.rst
    safety_management/index.rst
+   security_management/index.rst
    verification/index.rst

docs/process/process_areas/index.rst

@@ -18,7 +18,7 @@ Work Products Platform Management
 .. workproduct:: Platform Management Plan
    :id: wp__platform_mgmt
    :status: valid
-   :complies:
+   :complies: std_wp__isosae21434__org_management_553, std_wp__isosae21434__org_management_554
 
    The Platform Management Plan shall include the plans as defined by the
    :ref:`Platform Management Plan Template <platform_templates>`.

docs/process/process_areas/platform_management/platform_management_workproducts.rst

@@ -18,35 +18,35 @@ Workproducts Requirements Engineering
 .. workproduct:: Stakeholder Requirements
    :id: wp__requirements__stkh
    :status: valid
-   :complies: std_wp__iso26262__system_651, std_wp__iso26262__software_651
+   :complies: std_wp__iso26262__system_651, std_wp__iso26262__software_651, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    Technical requirements from a stakeholder viewpoint and assumptions of use based on the integration as SW platform SEooC in an assumed context.
 
 .. workproduct:: Feature Requirements
    :id: wp__requirements__feat
    :status: valid
-   :complies: std_wp__iso26262__software_651
+   :complies: std_wp__iso26262__software_651, std_wp__isosae21434__development_1051
 
    Feature requirements describe in a more detailed way the functionality which will fulfill a set of stakeholder requirements. A "feature" itself represents a set of requirements. It describes the interaction of the components to form a feature. It shall also be the basis for integration testing on platform level.
 
 .. workproduct:: Component Requirements
    :id: wp__requirements__comp
    :status: valid
-   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521
+   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    SW Requirements for components
 
 .. workproduct:: Feature Assumptions of Use
    :id: wp__requirements__feat_aou
    :status: valid
-   :complies: std_wp__iso26262__software_651
+   :complies: std_wp__iso26262__software_651, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    SW Safety Requirements for the user of the feature, exportable requirements for the user to integrate in their req mgt system.
 
 .. workproduct:: Component Assumptions of Use
    :id: wp__requirements__comp_aou
    :status: valid
-   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521
+   :complies: std_wp__iso26262__software_651, std_wp__isopas8926__4521, std_wp__isosae21434__development_1051, std_wp__isosae21434__development_1052
 
    SW Safety Requirements for the user of the component, exportable requirements for the user to integrate in their req mgt system.
 

docs/process/process_areas/requirements_engineering/requirements_workproducts.rst

@@ -121,17 +121,3 @@ Work products
    * a development processes analysis; and
    * a complexity analysis of the pre-developed SW component; and
    * finally a SW component classification as input for the safety planning (which is to cover the determined gaps, if any, by additional verification measures).
-
-.. workproduct:: Tailoring Documents
-   :id: wp__tailoring
-   :status: valid
-   :complies: std_wp__iso26262__management_653
-
-   This work product argues why some work products are not needed in the project.
-
-   It may have several levels:
-
-   * Project/Platform
-   * Feature/Component
-
-   It belongs to the Safety Plan.

docs/process/process_areas/safety_management/workproducts.rst

@@ -0,0 +1,27 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Guidance
+########
+
+.. toctree::
+   :maxdepth: 1
+
+   security_management_guideline
+   security_management_feature_security_wp_template
+   security_management_module_security_plan_template
+   security_management_security_manual_template
+   security_management_checklist_security_package
+   security_management_checklist_security_plan
+   security_management_process_reqs

docs/process/process_areas/security_management/guidance/index.rst

@@ -0,0 +1,60 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+SecurityPackage Formal Review Checklist
+=======================================
+
+.. gd_chklst:: Security Package Formal Review Checklist
+   :id: gd_chklst__security_package
+   :status: valid
+   :complies:
+
+   **1. Purpose**
+
+   The purpose of this review checklist is to report status of the formal review for the scurity package.
+
+   **2. Checklist**
+
+.. list-table:: SecurityPackage Checklist
+        :header-rows: 1
+
+        * - Id
+          - Security package activity
+          - Compliant to ISO SAE 21434?
+          - Comment
+
+        * - 1
+          - Is a security package provided which matches the security plan (i.e. all planned work products referenced)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 2
+          - Is the argument how security is achieved, provided in the security package, plausible and sufficient?
+          - NO
+          - The argument is intentionally not provided by S-CORE.
+
+        * - 3
+          - Are the referenced work products available?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 4
+          - Are the referenced work products in released state, including the process security audit?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 5
+          - If security related deviations from the process or security concept are documented, are these argued understandably?
+          - [YES | NO ]
+          - <Rationale for result>

docs/process/process_areas/security_management/guidance/security_management_checklist_security_package.rst

@@ -0,0 +1,90 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Security Plan Review Checklist
+==============================
+
+.. gd_chklst:: Security Plan Review Checklist
+   :id: gd_chklst__security_plan
+   :status: valid
+   :complies: std_req__isosae21434__prj_management_6411, std_req__isosae21434__prj_management_6421, std_req__isosae21434__prj_management_6422, std_req__isosae21434__prj_management_6423, std_req__isosae21434__prj_management_6424, std_req__isosae21434__prj_management_6425, std_req__isosae21434__prj_management_6426, std_req__isosae21434__prj_management_6427, std_req__isosae21434__prj_management_6428, std_req__isosae21434__prj_management_6429, std_req__isosae21434__prj_management_64210, std_req__isosae21434__prj_management_64211, std_req__isosae21434__prj_management_6431, std_req__isosae21434__prj_management_6432
+
+   **1. Purpose**
+
+   The purpose of this security plan review checklist is to report status of the review for the security plan.
+
+   **2. Checklist**
+
+.. list-table:: Security Plan Checklist
+        :header-rows: 1
+
+        * - Id
+          - Security plan activity
+          - Compliant to ISO SAE 21434?
+          - Comment
+
+        * - 1
+          - Is the rationale for the security work products tailoring included?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 2
+          - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 3
+          - Does the security plan define all needed activities for security management (incl. Review and Security Audit)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 4
+          - Does the security plan define all needed activities for SW development, integration and verification?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 5
+          - Does the security plan define all needed activities for security analysis?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 6
+          - Does the security plan define all needed activities for supporting processes (incl. tool mgt)?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 7
+          - Does the security plan document a responsible for all activities?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 8
+          - If OSS software components is used, is it planned to be qualified?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 9
+          - Is a security manager and a project manager appointed for the project?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 10
+          - Is security plan sufficiently linked to the project plan?
+          - [YES | NO ]
+          - <Rationale for result>
+
+        * - 11
+          - Is security plan updated iteratively to show the progress?
+          - [YES | NO ]
+          - <Rationale for result>