Update Security Management process #542
sunildevda wants to merge 4 commits into eclipse-score:main from
The created documentation from the pull request is available at: docu-html
pahmann left a comment
Initial review finding. More findings may come in following review
process/folder_templates/modules/module_name/docs/manual/security_manual.rst
PandaeDo left a comment
Please fix build errors
process/folder_templates/modules/module_name/docs/manual/security_manual.rst
process/folder_templates/platform/security_analysis/platform_security_manual.rst
process/folder_templates/platform/security_analysis/platform_security_manual.rst
process/folder_templates/platform/security_analysis/platform_security_manual.rst
process/folder_templates/platform/security_analysis/platform_security_package_fdr.rst
process/process_areas/security_management/security_management_getstrt.rst
| * Creates and monitors the completeness of the security package | ||
| * Creates and maintains the Security Manual | ||
| * Supports creation and maintaining of the SBOM | ||
| * Creates and maintains following Security artifcats at platform level: Platform Security Plan, Platform Security package, Platform Security Manual, Platform SBOM |
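Review bot: In the last bullet of this hunk, "artifcats" should be "artifacts", and "Platform Security package" is capitalized differently from the other artifact names in the same list ("Platform Security Plan", "Platform Security Manual"). Suggest "Creates and maintains the following security artifacts at platform level: Platform Security Plan, Platform Security Package, Platform Security Manual, Platform SBOM". The bullet above it would also read better as "Supports creation and maintenance of the SBOM".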
Please check against https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workflow.html. You can use the table at the end of the page. Also it might be an idea to link to here. This would be easier to maintain.

But if we do that, we should do it also for Safety Manager to be consistent, or not?

@PandaeDo I checked against https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workflow.html and points are mentioned in the responsibility. Some are mentioned in later sentences like audit, reviews, training, and so on.
Regarding table, I am not sure if it's really needed. It's only a single list.
@masc2023 Doing changes in safety will need one more approval from safety colleagues. In this PR I have tried to do minimal changes in safety. If these points are agreed here, we can collect all such minor points and check with the safety team if they are ok and, if yes, plan it via a separate task. (If this is the only point then I can also do the changes in this PR but would need to check with safety if they are ok with such changes.)
process/process_areas/security_management/security_management_roles.rst
|
|
||
| Security Manual Template | ||
| ========================= | ||
| Module Security Manual |
Please remove Module, otherwise it is not consistent with Safety, which is just called Safety Manual in the folder structure or we need to be consistent for all documents, Safety and Security have same either using Module or not. I see also for Safety, sometimes used, sometimes not.

We can rework this for all the templates. I would propose to remove all "Feature, Module, Component" in the document template names because it is obvious from the folder these are in. I would keep/add for all platform level ones as there will not be a dedicated folder for this. I would suggest to create a separate ticket for this alignment.

Ticket created here, #549, @aschemmel-tech are you able to join Security Team Meeting on Friday, 11-12 to discuss or shall we align a separate meeting for that?

Propose at least for the Module folder, to remove all "Module" in the tree.
Propose to add Platform in the tree, beside Stakeholder Requirements
Propose for the Feature Folder to remove "Feature" in the tree.
Propose for the Component Folder to remove "Component" in the tree.

As discussed, have removed module name. Let me know if anything is still missing.
| * Refusing the approval of work products as defined in the workflows | ||
| * Refusing the approval of his team's role nomination (i.e. requesting that the role will be withdrawn) | ||
|
|
||
| .. role:: Security External Auditor |
Now we have two external Auditors, a general one in Safety Management and one for security, either one generic, covering both otherwise should rename in Safety to Safety External Auditor

The skills needed for auditing are different. For safety it is mentioned that the external auditor needs experience in safety or is a safety manager. We can't reuse the same for security, so I created a similar one. It can happen that one person has both the skills (security and safety know-how) and performs the audit, but felt it's better to describe the expectation clearly.
Also, copied the idea from safety where they clearly define what is the expected qualification and role of an auditor for safety and changed to security here.

Option 1, add skills to other Role and put it to Overall Roles or keep it and change External Auditor in Safety to Safety External Auditor
process/process_areas/security_management/security_management_getstrt.rst
process/process_areas/security_management/security_management_getstrt.rst
process/process_areas/security_management/security_management_getstrt.rst
process/process_areas/security_management/security_management_concept.rst
| - Link to checklist | ||
| * - SecMP_00_01 | ||
| - :need:`gd_chklst__security_plan` | ||
| - :need:`gd_chklst__module_security_plan` |
No, Safety is also only for Module, the naming is misleading, in Safety we have no products on Platform level, see my other comments, platform to be deleted
| # ******************************************************************************* | ||
|
|
||
|
|
||
| Platform Security Plan Formal Review Report |
No platform for safety, remove

- Could not comment for previous point so entering it here. Have replaced gd_chklst__module_security_plan to gd_chklst__security_plan
- Sorry to repeat, but once again even if we reuse the template for platform, how will we get to know that we need to have a review checklist also at platform level?

Compare #574, will introduce same for safety now
process/folder_templates/platform/security_planning/platform_security_plan.rst
| # ******************************************************************************* | ||
|
|
||
|
|
||
| Platform Security Package Checklist |
Nothing on platform for safety, remove

As discussed, corrected safety to include platform.

Check with your team member, #574, otherwise you will get merge issues by changing safety topics in this PR
| # SPDX-License-Identifier: Apache-2.0 | ||
| # ******************************************************************************* | ||
|
|
||
| Platform Security Manual |
Nothing on platform, remove

Where do we write assumption of use at platform level?

Check https://github.com/eclipse-score/score/pull/2600/changes#diff-7f272b7f9c50eb63f3494528ebdc52d9263a37cf52e0e35c21f102f70f6050a4, will introduce Safety Manual, assumptions of use should be here https://eclipse-score.github.io/score/main/requirements/platform_assumptions/index.html
aschemmel-tech left a comment
See inline answers to existing comments
| Security Package Formal Review Checklist | ||
| ======================================== | ||
|
|
||
| .. gd_chklst:: Platform Security Package Formal Review Checklist |
Also in other process areas (architecture, requirements) we did not create separate checklist guidances (gd_chklst_...) for all the different levels as these have the same content. Just the document templates stored for direct usage in the folder template section are "level specific".
process/process_areas/security_management/guidance/checklist_security_plan.rst
@pahmann, @masc2023, @PandaeDo, @aschemmel-tech I have fixed the findings. There are some open points. Could you please check and provide your feedback for the new changes?

Only checked for my findings and they were resolved.
masc2023 left a comment
Fine for now, need to recheck after safety templates update has been done
@sunildevda, please resolve your merge conflicts first
Changes as mentioned in #451