SID-OPS-09 — Platform Security Documentation
| Property | Value |
|---|---|
| Owner | platform |
| Category | process |
| CSF Function | identify |
| Group | Operational Controls |
Description
Platform-provided documentation and evidence for certification:
1. Architecture documentation: a complete description of the wallet instance architecture, including component interactions, trust boundaries, and data flows.
2. Sensitive data inventory: all sensitive data types identified, classified, and documented with their storage locations and protection measures.
3. Threat model: a documented and maintained threat model (STRIDE or equivalent) covering all wallet components and their interactions.
4. SBOM: a complete Software Bill of Materials, maintained and monitored for known vulnerabilities.
5. Security controls validation evidence: test reports, code review records, and third-party audit results.
Status: partially covered. Architecture documentation lives in the security/ and compliance/ repos, the STRIDE threat model in compliance/architecture/, and SBOM generation runs in CI. No location is recorded here for the sensitive data inventory (2) or the security controls validation evidence (5).
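Items (1) and (3) of the description require the threat model to cover every component and interaction in the architecture. The following added example (not code from this control catalog or from the wallet project) shows one way to check that mechanically: it applies the standard STRIDE-per-element mapping to an architecture description, treats a data flow as a separate modelling subject only where it crosses a trust boundary, and reports every (subject, threat category) pair that has no entry in the threat register. The component, zone and flow names and the register excerpt are constructed for illustration and are not the wallet's real data flow diagram.

```python
"""STRIDE-per-element coverage check for a wallet architecture description.

Added example; not code from the control catalog or the wallet project.
Component, zone and flow names below are constructed for illustration.
"""
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each element kind.
# S spoofing, T tampering, R repudiation, I information disclosure,
# D denial of service, E elevation of privilege.
APPLICABLE = {
    "external": "SR",      # external entity (holder, issuer, verifier)
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",         # data flow that crosses a trust boundary
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


def flow_name(flow):
    return f"{flow.src}->{flow.dst}"


def boundary_crossing_flows(elements, flows):
    """Flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.src] != zone[f.dst]]


def required_threats(elements, flows):
    """Every (subject, category) pair the mapping demands. Flows inside a single
    zone are not listed separately; their risks fall under the endpoint threats."""
    required = {(e.name, c) for e in elements for c in APPLICABLE[e.kind]}
    for f in boundary_crossing_flows(elements, flows):
        required |= {(flow_name(f), c) for c in APPLICABLE["flow"]}
    return required


def coverage_gaps(elements, flows, documented):
    """Required pairs with no entry in the threat register (surplus entries are ignored)."""
    return sorted(required_threats(elements, flows) - set(documented))


# Constructed wallet-instance architecture (illustrative, not the real DFD).
ELEMENTS = [
    Element("Holder", "external", "user"),
    Element("Wallet App", "process", "device"),
    Element("Credential Store", "store", "device"),
    Element("Secure Element", "store", "wscd"),
    Element("Issuer", "external", "issuer"),
]
FLOWS = [
    Flow("Holder", "Wallet App", "PIN / consent"),
    Flow("Wallet App", "Secure Element", "key operations"),
    Flow("Wallet App", "Credential Store", "credentials"),
    Flow("Issuer", "Wallet App", "issued credential"),
]
# Constructed excerpt of a threat register: (subject, STRIDE letter).
DOCUMENTED = [
    ("Holder", "S"),
    ("Wallet App", "S"), ("Wallet App", "T"), ("Wallet App", "E"),
    ("Secure Element", "T"), ("Secure Element", "I"),
    ("Issuer->Wallet App", "T"), ("Issuer->Wallet App", "I"),
    ("Wallet App->Secure Element", "I"),
    ("Wallet App->Credential Store", "I"),   # same-zone flow; not required
]

if __name__ == "__main__":
    for subject, category in coverage_gaps(ELEMENTS, FLOWS, DOCUMENTED):
        print(f"missing: {subject} / {category}")
```

Run against the constructed register, the check lists 18 uncovered pairs; a real register would be exported from compliance/architecture/ and the architecture description from the documentation in item (1), so that the two are checked against each other in CI rather than by inspection.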
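Item (4) asks for the SBOM to be monitored for known vulnerabilities, not just generated. The following added example (not the project's CI code) shows the matching step that turns a CycloneDX SBOM into a gate: it reads component package URLs from the SBOM, compares each version against affected ranges in an advisory feed, lists components that carry no purl and therefore cannot be matched at all, and returns whether the build should be blocked at a chosen severity. The SBOM document, the advisory identifiers (ADV-EXAMPLE-*) and the affected ranges are all constructed for the example and do not describe real vulnerabilities.

```python
"""Match a CycloneDX SBOM against a vulnerability feed and gate on severity.

Added example, not the project's CI code. The SBOM and the advisory feed are
constructed inline so the check runs offline; ADV-EXAMPLE-* are placeholders,
not real advisory identifiers.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment; a real one comes from the CI generator.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "jwt-lib", "version": "2.4.1",
     "purl": "pkg:npm/jwt-lib@2.4.1"},
    {"type": "library", "name": "cbor", "version": "9.0.2",
     "purl": "pkg:npm/cbor@9.0.2"},
    {"type": "library", "name": "okhttp", "version": "4.9.3",
     "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.9.3"},
    {"type": "library", "name": "vendor-blob", "version": "1.0"}
  ]
}"""

# Constructed advisory feed. "affected" is a comma-separated list of comparators.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl": "pkg:npm/jwt-lib",
     "affected": ">=2.0.0,<2.5.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "purl": "pkg:npm/cbor",
     "affected": ">=8.0.0,<9.0.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-3", "purl": "pkg:maven/com.squareup.okhttp3/okhttp",
     "affected": ">=4.0.0,<4.10.0", "severity": "low"},
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_version(v):
    """Numeric dotted prefix as a tuple, so '4.10.0' sorts above '4.9.3'.
    Pre-release suffixes such as '-rc1' are ignored (simplifying assumption)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def split_purl(purl):
    """Split a package URL into (name part without version, version or None).
    Qualifiers (?...) and subpath (#...) are dropped before splitting."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


_CMP = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def in_range(version, spec):
    """True when version satisfies every comparator in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(>=|<=|==|>|<)\s*(\S+)", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _CMP[op](v, parse_version(bound)):
            return False
    return True


def unidentified(sbom_json):
    """Components without a purl: they silently escape matching and need manual review."""
    sbom = json.loads(sbom_json)
    return [c["name"] for c in sbom.get("components", []) if not c.get("purl")]


def scan(sbom_json, advisories):
    """Findings for every SBOM component whose version falls in an affected range."""
    sbom = json.loads(sbom_json)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        name, version = split_purl(comp.get("purl") or "")
        if not version:
            continue
        for adv in by_name.get(name, []):
            if in_range(version, adv["affected"]):
                findings.append({"component": name, "version": version,
                                 "id": adv["id"], "severity": adv["severity"]})
    return findings


def should_block(findings, fail_on="high"):
    """Gate decision: any finding at or above the fail_on severity blocks the build."""
    threshold = SEVERITY_ORDER[fail_on]
    return any(SEVERITY_ORDER[f["severity"]] >= threshold for f in findings)


if __name__ == "__main__":
    found = scan(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['id']}  {f['component']}@{f['version']}")
    for name in unidentified(SBOM_JSON):
        print(f"unmatched component (no purl): {name}")
    raise SystemExit(1 if should_block(found, "high") else 0)
```

"Monitored" in the control means this matching runs again whenever the advisory feed changes, not only when the SBOM is regenerated at build time; the unidentified-component list matters because a component with no purl produces no finding no matter how vulnerable it is.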
Source References
Framework Requirements
EUDI Security Requirements: CS-I.2-ICT, CS-I.3-WI
FitCEM Wallet Instance: FIT-NF-01, FIT-NF-02, FIT-NF-03, FIT-NF-05, FIT-NF-07, FIT-NF-09
ISO 27001 Annex A: A.8.25