.. # ******************************************************************************* # Copyright (c) 2025 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. # # This program and the accompanying materials are made available under the # terms of the Apache License Version 2.0 which is available at # https://www.apache.org/licenses/LICENSE-2.0 # # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************* Security Plan Formal Review Report ================================== .. note:: Document header .. document:: [Your Module Name] Security Plan Formal Review :id: doc__mod_temp_module_name_security_plan_fdr :status: draft :safety: ASIL_B :security: YES :realizes: wp__fdr_reports :tags: template .. attention:: The above directive must be updated according to your Module. - Modify ``Your Module Name`` to be your Module Name - Modify ``id`` to be your Module Name in upper snake case preceded by ``doc_`` and succeeded by ``_security_plan_fdr`` - Adjust ``status`` to be ``valid`` - Adjust ``safety`` and ``tags`` according to your needs **1. Purpose** The purpose of this review checklist is to provide a guidence for reviewing the Security Plans for each module. Each Module Security Plan shall have one checklist filled. **2. Checklist** See also the review concept for further information about reviews in general and inspection in particular. .. list-table:: Security Plan Checklist :header-rows: 1 * - Id - Security Plan activity - Compliant to ISO SAE 21434? - Comment * - 1 - Is the rationale for the Security Work Products tailoring included? - [YES | NO ] - * - 2 - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)? - [YES | NO ] - * - 3 - Does the Security Plan define all needed activities for security management (including review and security audit)? - [YES | NO ] - * - 4 - Does the Security Plan define all needed activities for SW development, integration and verification? - [YES | NO ] - * - 5 - Does the Security Plan define all needed activities for security analysis? - [YES | NO ] - * - 6 - Does the Security Plan define all needed activities for supporting processes (incl. tool mgt)? - [YES | NO ] - * - 7 - Does the Security Plan document a responsible for all activities? - [YES | NO ] - * - 8 - If OSS software components is used, is it planned to be qualified? - [YES | NO ] - * - 9 - Is a Security Manager and a Project Lead appointed for the project? - [YES | NO ] - * - 10 - Is Security Plan sufficiently linked to the Project Plan? - [YES | NO ] - * - 11 - Is Security Plan updated iteratively to show the progress? - [YES | NO ] - * - 12 - If Out-of-context software components is used, are the assumptions documented? - [YES | NO ] - * - 13 - Does the Security Plan define all needed activities for SBOM generation? - [YES | NO ] - * - 14 - Does the Security Plan define regular vulnerability scans for the generated SBOM? - [YES | NO ] - .. note:: Off-the-shelf means existing software which may used without modification, e.g. existing OSS