Security Management Workflows#
For a detailed explanation of workflows and their role within the process model, please refer to the Introduction.
Create/Maintain Security Plan
status: valid

The Security Manager is responsible for planning and coordinating the security activities for the platform/module, and creates and maintains the security plan. A template exists to guide the author of the security plan.
Create/Maintain Security Package
status: valid

The Security Manager is NOT responsible for providing the argument that security has been achieved. The Security Manager does, however, create and maintain the security package as a collection of security-related work products. Generation and maintenance of this draft security package shall be automated as far as possible. The package does not contain the final argumentation for the security of the product. Because the security package is only a collection of work products, the security plan (template) can be used for its documentation.
Perform Security Audit
status: valid

The external auditor is responsible for performing a security audit. The Security Manager and the process community shall support the external auditor during the audit. The Project Manager and the Security Manager shall approve the audit report.
This workflow is currently tailored out (needs discussion).
Perform Formal Security Reviews
status: valid

The external auditor is responsible for performing the formal reviews of the Security Plan and the Security Analysis. The Security Manager shall support the external auditor during the reviews. The Project Lead and the Security Manager shall approve the formal reviews. Checklists exist to guide the authors of the relevant security documents.
This workflow is currently tailored out (needs discussion).
Create/Maintain Security Manual
status: valid

The Security Engineer collects the necessary input for the security manuals at platform and module level and documents it. The Security Engineer makes sure all items are in a valid state before a release of the security manual. A template also exists as guidance for the security manual.
Create/Maintain SBOM
status: valid

The Committer is responsible for creating and maintaining the SBOM for the platform/module. The Committer makes sure all components and dependencies are identified and made available.
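As an added example (not part of this process documentation or of any project tooling), the following script shows the kind of consistency check a Committer can run over an SBOM before publishing it: every component must carry a name, version and package URL, every dependency reference must resolve to a declared component, and every declared component must be reachable from the root through the dependency graph. The SBOM content, component names and bom-refs are constructed for illustration and follow the CycloneDX JSON shape; no real product data is used.

```python
"""Consistency checks for a CycloneDX-style SBOM (JSON).

Added example, not part of the process documentation. The SBOM below is
constructed for illustration; the component names and bom-refs are made up.
"""
import json

# Constructed sample SBOM in CycloneDX 1.5 JSON shape. It deliberately
# contains three defects: one component lacks a version, one dependency
# points at a bom-ref that is never declared, and one declared component
# is never reached from the root.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:example/module@1.0.0",
                               "name": "module", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:cargo/liba@2.3.1", "name": "liba", "version": "2.3.1",
         "purl": "pkg:cargo/liba@2.3.1"},
        {"bom-ref": "pkg:cargo/libb", "name": "libb",
         "purl": "pkg:cargo/libb"},                        # no version
        {"bom-ref": "pkg:cargo/orphan@0.1.0", "name": "orphan", "version": "0.1.0",
         "purl": "pkg:cargo/orphan@0.1.0"},                # never referenced
    ],
    "dependencies": [
        {"ref": "pkg:example/module@1.0.0",
         "dependsOn": ["pkg:cargo/liba@2.3.1", "pkg:cargo/libb"]},
        {"ref": "pkg:cargo/liba@2.3.1", "dependsOn": ["pkg:cargo/missing@9.9.9"]},
    ],
})


def check_sbom(sbom_json: str) -> list[str]:
    """Return a list of findings; an empty list means the SBOM is consistent.

    Checks: every component has name, version and purl; every dependency
    reference resolves to a declared bom-ref; every declared component is
    reachable from the root component through the dependency graph.
    """
    bom = json.loads(sbom_json)
    findings = []
    root = bom.get("metadata", {}).get("component", {})
    root_ref = root.get("bom-ref")
    if not root_ref:
        findings.append("metadata.component has no bom-ref")

    # Collect declared bom-refs and check mandatory identification fields.
    declared = {root_ref} if root_ref else set()
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        declared.add(ref)
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"component {ref} has no {field}")

    # Build the dependency graph and flag references to undeclared refs.
    graph = {}
    for dep in bom.get("dependencies", []):
        src = dep.get("ref")
        if src not in declared:
            findings.append(f"dependency entry references undeclared ref {src}")
        graph[src] = dep.get("dependsOn", [])
        for target in graph[src]:
            if target not in declared:
                findings.append(f"{src} depends on undeclared ref {target}")

    # Walk the graph from the root; a declared component that is not reached
    # usually means the dependency list is incomplete.
    reached, stack = set(), [root_ref] if root_ref else []
    while stack:
        node = stack.pop()
        if node in reached:
            continue
        reached.add(node)
        stack.extend(graph.get(node, []))
    for ref in sorted(declared - reached):
        findings.append(f"component {ref} is not reachable from the root component")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed SBOM, the check reports the missing version on libb, the dangling reference to pkg:cargo/missing@9.9.9 and the unreachable orphan component; an SBOM that passes these checks still has to be reviewed for whether the listed components are actually the ones shipped, which no structural check can establish.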
Monitor/Verify Security
status: valid

The Security Manager is responsible for monitoring the security activities against the security plan, and for verifying that the preconditions for the "release for production", which are part of the release notes, are fulfilled. The Security Manager is responsible for verifying the correctness, completeness and consistency of the release notes, and for monitoring security information as defined in the security plan. The Security Manager is responsible for identifying weaknesses and vulnerabilities based on received information, and for analysing and managing the vulnerabilities until closure. Besides reporting vulnerabilities in the issue tracking system (wp__issue_track_system), the general Eclipse vulnerability tracker may also be used.
Consult and Execute Security Trainings
status: valid

The Security Manager (rl__security_manager) consults all project/platform stakeholders on security topics, as defined in the Concept Description (doc_concept__security_management_process), and regularly executes security trainings.
RAS(IC) for Security Management:#
| Activity | Responsible | Approver | Supporter |
|---|---|---|---|
rl__security_manager; rl__security_engineer; rl__project_lead |
rl__infrastructure_tooling_community; rl__process_community; rl__security_team; rl__contributor |
||
rl__security_engineer; rl__safety_manager; rl__quality_manager |