security_framework_template:
  # Document-level metadata for a filled-in security framework.
  # NOTE(review): values written as "{{a|b|c}}" look like pick-one choice
  # lists and "{{name}}" like free-form fields. The engine that fills this
  # template is not shown here; confirm the placeholder syntax against it.
  metadata:
    template_type: "security-framework-documentation"
    # Quoted, so parsers keep the string "1.0" instead of a float.
    version: "1.0"
    framework_date: "{{framework_date}}"
    architect: "{{architect_name}}"
    security_level: "{{enterprise|standard|basic}}"
    # NOTE(review): the choices are single regimes or "all"; a system subject
    # to several regimes but not all of them has no matching option. Confirm
    # whether the consumer accepts a list here.
    compliance_requirements: "{{gdpr|ccpa|hipaa|sox|all}}"
    # Handling label for the completed document. A filled-in framework
    # describes controls and their gaps, so store and share it per this label.
    classification: "{{internal|confidential|restricted}}"

  # High-level strategy: guiding philosophy, main threats, and CIA objectives.
  security_strategy:
    # NOTE(review): zero trust, defense in depth and risk-based prioritisation
    # are commonly combined rather than mutually exclusive; confirm whether a
    # single choice is really intended.
    security_philosophy: "{{zero_trust|defense_in_depth|risk_based}}"
    # Each list item carries a differently named key (threat_1, threat_2), so
    # consumers cannot read every item through one fixed key name.
    # NOTE(review): impact/likelihood use three levels here, while
    # risk_assessment.risk_evaluation_criteria defines four-level scales with
    # different likelihood labels. Align the scales before scoring threats.
    primary_threats:
      - threat_1: "{{threat_description}}"
        impact: "{{high|medium|low}}"
        likelihood: "{{high|medium|low}}"
      - threat_2: "{{threat_description}}"
        impact: "{{high|medium|low}}"
        likelihood: "{{high|medium|low}}"
    # One objective per property of the confidentiality/integrity/availability
    # triad; state each as something measurable so it can be audited later.
    security_objectives:
      - objective_1: "{{confidentiality_requirements}}"
      - objective_2: "{{integrity_requirements}}"
      - objective_3: "{{availability_requirements}}"

  # How users prove identity: primary method, MFA policy, session handling.
  authentication_framework:
    # NOTE(review): the choices mix different layers. JWT is a token format
    # and OAuth an authorization framework; neither is an authentication
    # protocol on its own. Record the actual identity protocol in use
    # (for example OpenID Connect on top of OAuth) when filling this in.
    primary_method: "{{jwt|oauth|saml|ldap}}"
    multi_factor_authentication:
      # The value is quoted, so a filled-in "true"/"false" is presumably a
      # string, not a YAML boolean - verify how the consumer interprets it.
      enabled: "{{true|false}}"
      # NOTE(review): the listed factors are not equivalent in strength.
      # SMS and email codes are the weakest of the four (NIST SP 800-63B
      # restricts OTP delivery over the telephone network); document why
      # they are acceptable if chosen.
      methods: "{{totp|sms|email|biometric}}"
      # "optional" and "conditional" leave accounts without MFA in some
      # cases; if selected, list which accounts (e.g. administrators) must
      # still be covered.
      enforcement_level: "{{required|optional|conditional}}"
    session_management:
      # NOTE(review): a single timeout value is recorded; idle timeout and
      # absolute session lifetime are usually specified separately - confirm
      # which one is meant.
      session_timeout: "{{timeout_duration}}"
      concurrent_sessions: "{{max_sessions}}"
      # NOTE(review): HttpOnly, Secure and SameSite are complementary cookie
      # attributes, not alternatives. If the pipe-separated form means
      # "pick one", this field cannot express the usual all-three setting.
      security_controls: "{{httponly|secure|samesite}}"

  # What authenticated principals may do: access model, roles, protections.
  authorization_model:
    access_control_type: "{{rbac|abac|dac|mac}}"
    # Roles are keyed role_1, role_2, ...; add further role_N entries as
    # needed. Fill permissions as an explicit, minimal list per role
    # (least privilege) rather than relying on access_level alone.
    user_roles:
      role_1:
        name: "{{role_name}}"
        permissions: "{{permission_list}}"
        # NOTE(review): "admin" and "full" are both offered and the template
        # does not define how they differ - define both before use.
        access_level: "{{read|write|admin|full}}"
      role_2:
        name: "{{role_name}}"
        permissions: "{{permission_list}}"
        access_level: "{{read|write|admin|full}}"
    resource_protection:
      # NOTE(review): encryption, access logging and approval workflows are
      # layered controls; confirm the field can record more than one.
      sensitive_data_access: "{{encryption_required|access_logging|approval_workflow}}"
      # NOTE(review): same concern - authentication, rate limiting and input
      # validation are normally all applied to an endpoint, not one of three.
      api_endpoint_protection: "{{authentication_required|rate_limiting|input_validation}}"

  # Cryptographic standards, data classification tiers and retention periods.
  data_protection:
    encryption_standards:
      # NOTE(review): "rsa" is an asymmetric algorithm normally used to wrap
      # keys, not to encrypt stored data in bulk. The AES choices also name
      # no mode of operation; record it when filling this in (an
      # authenticated mode such as GCM is the usual expectation).
      data_at_rest: "{{aes_256|aes_128|rsa}}"
      # NOTE(review): "ssl" is offered as a valid choice. All SSL versions
      # are deprecated (RFC 6176, RFC 7568), as are TLS 1.0 and 1.1
      # (RFC 8996). Treat a filled-in "ssl" as a finding and consider
      # removing the option from the template.
      data_in_transit: "{{tls_1_3|tls_1_2|ssl}}"
      # If "custom" is chosen, document key generation, storage, rotation
      # and access control explicitly; the managed options provide these.
      key_management: "{{aws_kms|azure_key_vault|hashicorp_vault|custom}}"
    # Four tiers, most to least restricted; list the data types in each.
    # The handling rules per tier are not defined in this template.
    data_classification:
      highly_sensitive: "{{data_types}}"
      sensitive: "{{data_types}}"
      internal: "{{data_types}}"
      public: "{{data_types}}"
    # Retention period per data category. Logs and backups can contain the
    # same personal data as user_data, so their periods should be consistent
    # with any deletion obligations recorded under compliance_framework.
    retention_policies:
      user_data: "{{retention_period}}"
      activity_logs: "{{retention_period}}"
      audit_logs: "{{retention_period}}"
      backup_data: "{{retention_period}}"

  # API-facing controls: caller authentication, throttling, validation,
  # and version lifecycle.
  api_security:
    # An api_key is a long-lived static credential; if chosen, document how
    # keys are issued, stored, rotated and revoked.
    authentication_method: "{{bearer_token|api_key|oauth}}"
    rate_limiting:
      requests_per_minute: "{{rate_limit_number}}"
      burst_allowance: "{{burst_percentage}}"
      blocked_duration: "{{block_duration}}"
    input_validation:
      # NOTE(review): schema validation and allowlisting ("whitelist") reject
      # bad input, while sanitization rewrites it; these are usually combined
      # rather than chosen between.
      validation_methods: "{{schema_validation|sanitization|whitelist}}"
      # NOTE(review): these are HTTP response headers, placed here under
      # input_validation. CORS relaxes the same-origin policy rather than
      # hardening it, so record the allowed origins instead of a yes/no.
      # CSP frame-ancestors supersedes X-Frame-Options in current browsers.
      security_headers: "{{csp|hsts|cors|x_frame_options}}"
    api_versioning:
      versioning_strategy: "{{url_path|header|query_param}}"
      # Notice period before a version is retired; deprecated versions
      # should keep receiving security fixes until then.
      deprecation_policy: "{{notice_period}}"

  # Platform-level controls for hosting, the database and the application
  # runtime.
  infrastructure_security:
    hosting_security:
      cloud_provider: "{{aws|azure|gcp|vercel|custom}}"
      # NOTE(review): network isolation, firewalls and security groups are
      # layers that are normally used together; confirm the field can hold
      # more than one value.
      network_security: "{{vpc|firewall|security_groups}}"
      access_controls: "{{iam|rbac|policies}}"
    database_security:
      database_type: "{{postgresql|mysql|mongodb|custom}}"
      # "tde" presumably means transparent data encryption - TODO confirm.
      encryption: "{{tde|column_encryption|full_encryption}}"
      # "rls" presumably means row-level security, which not every engine
      # listed in database_type offers - check the chosen engine.
      access_controls: "{{rls|database_roles|connection_limits}}"
    application_security:
      container_security: "{{image_scanning|runtime_protection|secrets_management}}"
      # Scanning finds known-vulnerable dependencies; it needs a patching
      # process (owner and deadline) behind it to reduce exposure.
      dependency_management: "{{vulnerability_scanning|automated_updates|security_monitoring}}"

  # Detection tooling and the incident response organisation.
  monitoring_and_response:
    security_monitoring:
      monitoring_tools: "{{siem|ids|log_analysis|custom}}"
      # NOTE(review): the placeholder names event categories, not threshold
      # values. Record a concrete threshold per category when filling it in
      # (count and time window), otherwise alerts cannot be tuned or tested.
      alert_thresholds: "{{failed_auth|suspicious_activity|data_access}}"
      # NOTE(review): these read as three separate targets (detect, respond,
      # recover) rather than alternatives; each needs its own value.
      response_times: "{{detection_time|response_time|recovery_time}}"
    incident_response:
      classification_levels: "{{critical|high|medium|low}}"
      # Roles, not names; map each role to a reachable on-call contact.
      response_team: "{{incident_commander|security_analyst|engineering_lead}}"
      # Regulatory reporting carries legal deadlines. Where GDPR applies,
      # Art. 33 requires notifying the supervisory authority within 72 hours
      # where feasible, so the procedure needs an owner and a clock.
      escalation_procedures: "{{internal_escalation|external_notification|regulatory_reporting}}"

  # Regulatory obligations and how compliance is audited.
  compliance_framework:
    regulatory_requirements:
      gdpr_compliance:
        # Quoted value: a filled-in "true"/"false" is presumably a string,
        # not a YAML boolean - verify how the consumer reads it.
        enabled: "{{true|false}}"
        # NOTE(review): these rights apply together, not as alternatives,
        # and GDPR defines further ones (e.g. restriction of processing,
        # objection) that are not listed here.
        data_subject_rights: "{{access|rectification|erasure|portability}}"
        # NOTE(review): three of the six Art. 6 lawful bases are offered;
        # legal obligation, vital interests and public task are missing.
        # The basis is chosen per processing purpose, not once per system.
        legal_basis: "{{consent|contract|legitimate_interest}}"
      additional_compliance: "{{ccpa|hipaa|sox|pci_dss}}"
    audit_requirements:
      audit_frequency: "{{quarterly|annually|continuous}}"
      audit_scope: "{{full_system|critical_components|compliance_specific}}"
      # Auditors generally expect all three: the policy, the procedure that
      # implements it, and evidence that the procedure was followed.
      documentation_requirements: "{{policies|procedures|evidence}}"

  # Automated and manual security testing activities.
  security_testing:
    # Tool choices per technique: static analysis (SAST), dynamic analysis
    # (DAST) and dependency scanning.
    automated_testing:
      sast_tools: "{{sonarqube|codeql|semgrep}}"
      dast_tools: "{{owasp_zap|burp_suite|netsparker}}"
      # npm_audit covers only npm dependency trees; choose a scanner that
      # matches every package ecosystem the project actually uses.
      dependency_scanning: "{{snyk|github_security|npm_audit}}"
    manual_testing:
      # NOTE(review): unlike the tool lists above, these placeholders name
      # attributes to document (how often, what is covered, how), not
      # alternatives to pick from. The same "{{a|b|c}}" form is used for
      # both, so a consumer cannot tell them apart - confirm handling.
      penetration_testing: "{{frequency|scope|methodology}}"
      code_review: "{{security_checklist|peer_review|automated_review}}"
      red_team_exercises: "{{frequency|scope|objectives}}"

  # Three-phase rollout plan; each phase has a duration, deliverables and
  # success criteria.
  # NOTE(review): the duration placeholders (weeks_1_2, weeks_3_4, weeks_5_6)
  # suggest consecutive two-week phases - confirm, the template does not
  # state it. Success criteria should be verifiable (a passing scan, a
  # completed audit item), since the phases gate on them.
  implementation_roadmap:
    phase_1:
      duration: "{{weeks_1_2}}"
      deliverables: "{{foundation_security}}"
      success_criteria: "{{basic_protection|compliance_ready}}"
    phase_2:
      duration: "{{weeks_3_4}}"
      deliverables: "{{advanced_security}}"
      success_criteria: "{{comprehensive_protection|monitoring_active}}"
    phase_3:
      # Monitoring and compliance validation arrive only in the last phase,
      # so detection coverage during phases 1-2 should be stated explicitly.
      duration: "{{weeks_5_6}}"
      deliverables: "{{monitoring_compliance}}"
      success_criteria: "{{full_visibility|compliance_validated}}"

  # Metrics used to track the programme; every entry has a name, a target
  # and a measurement method.
  # NOTE(review): metric_name values are wrapped in "{{...}}" although they
  # look like fixed names rather than fields to fill - confirm whether the
  # consumer substitutes them or keeps them literally.
  security_metrics:
    technical_metrics:
      # Time from the start of an incident to its detection.
      - metric_name: "{{mean_time_to_detection}}"
        target_value: "{{target_time}}"
        measurement_method: "{{automated_monitoring|manual_analysis}}"
      # Time from detection to response.
      - metric_name: "{{mean_time_to_response}}"
        target_value: "{{target_time}}"
        measurement_method: "{{incident_tracking|response_logging}}"
    business_metrics:
      # A low incident count can also mean weak detection; read it together
      # with the detection-time metric above.
      - metric_name: "{{security_incidents}}"
        target_value: "{{incidents_per_quarter}}"
        measurement_method: "{{incident_reporting|trend_analysis}}"
      # self_assessment is weaker evidence than audit_results; record which
      # one produced the score.
      - metric_name: "{{compliance_score}}"
        target_value: "{{percentage_compliance}}"
        measurement_method: "{{audit_results|self_assessment}}"

  # Documents the programme must produce, with description and audience.
  documentation_requirements:
    technical_documentation:
      # Architecture diagrams reveal trust boundaries and data flows; give
      # them a handling label consistent with metadata.classification.
      - document_type: "{{security_architecture}}"
        description: "{{architecture_diagrams}}"
        audience: "{{technical_team|auditors|management}}"
      # The playbook must stay reachable during an incident, including when
      # the primary systems that normally host it are unavailable.
      - document_type: "{{incident_response_playbook}}"
        description: "{{response_procedures}}"
        audience: "{{incident_response_team|all_staff}}"
    compliance_documentation:
      - document_type: "{{privacy_policy}}"
        description: "{{user_facing_privacy_policy}}"
        audience: "{{end_users|regulators}}"
      - document_type: "{{data_processing_agreements}}"
        description: "{{legal_compliance_documents}}"
        audience: "{{legal_team|partners|auditors}}"

  # Security training for developers and for general users.
  training_requirements:
    developer_training:
      # NOTE(review): the topics read as a curriculum (all apply), not as a
      # single choice - confirm the field can hold several values.
      topics: "{{secure_coding|owasp_top_10|security_testing}}"
      frequency: "{{quarterly|annually|as_needed}}"
      assessment: "{{required|optional|certification_based}}"
    user_training:
      topics: "{{password_security|phishing_awareness|data_privacy}}"
      delivery_method: "{{online_training|workshops|documentation}}"
      # Completion records double as audit evidence for the training
      # control, so note where they are kept.
      compliance_tracking: "{{completion_required|progress_monitoring}}"

  # Scales used to score risk and the rules for treating it.
  risk_assessment:
    risk_evaluation_criteria:
      # NOTE(review): these placeholders appear to define the full scale
      # (every level is used), not a single choice. The impact scale has
      # four levels, whereas security_strategy.primary_threats offers three
      # (high|medium|low) and uses different likelihood labels - align them.
      impact_levels: "{{critical|high|medium|low}}"
      likelihood_levels: "{{very_likely|likely|possible|unlikely}}"
      risk_tolerance: "{{zero_tolerance|low_tolerance|moderate_tolerance}}"
    risk_mitigation:
      # The four standard treatment options; the choice is made per risk,
      # not once for the whole system.
      mitigation_strategies: "{{accept|mitigate|transfer|avoid}}"
      # Accepted residual risk should name the approver and a review date so
      # the acceptance can be audited and does not become permanent.
      residual_risk_acceptance: "{{management_approval_required}}"
      review_frequency: "{{quarterly|annually|after_incidents}}"