πŸ•΅οΈ SECURITY_ARCHITECTURE.md: Add Threat Detection, Vulnerability Management, Automated Ops, and Resilience SectionsΒ #384

@pethers

📋 Issue Type

Documentation / Security Compliance

🎯 Objective

Add dedicated Threat Detection & Investigation, Vulnerability Management, Automated Security Operations, and Resilience & Operational Readiness sections to SECURITY_ARCHITECTURE.md. These are standalone mandatory sections in both CIA and Black Trigram reference implementations but are either missing or only partially covered as subsections in riksdagsmonitor.

📊 Current State

The riksdagsmonitor SECURITY_ARCHITECTURE.md covers some topics superficially within §2.6 (Monitoring & Logging) and §4 (Security Controls Summary) but lacks the depth and structure of reference implementations:

| Mandatory Section | CIA | BT | Riksdagsmonitor |
| --- | --- | --- | --- |
| 🕵️ Threat Detection & Investigation | ✅ (GuardDuty, Detective, deep analysis) | ✅ (Current status, security implications) | ❌ Missing |
| 🔎 Vulnerability Management | ✅ (Inspector, remediation process, key benefits) | ✅ (Current status, security considerations) | ⚠️ Brief mention in §4.2 |
| 🤖 Automated Security Operations | ✅ (SSM, automation components) | ✅ (Current status, operational benefits) | ❌ Missing |
| ⚡ Resilience & Operational Readiness | ✅ (Resilience Hub, testing strategy, BC features) | ✅ (Current status, resilience benefits) | ❌ Missing |
| 📋 Configuration & Compliance Management | ✅ (AWS Config, compliance framework integration) | ✅ (Current status, configuration approach) | ❌ Missing |
| 📊 Monitoring & Analytics | ✅ (Security Lake, analytics capabilities) | ✅ (Current status, monitoring limitations) | ⚠️ Basic in §2.6 |

🚀 Desired State

Add 6 dedicated sections with riksdagsmonitor-specific content:

1. ## 🕵️ Threat Detection & Investigation

  • GitHub security alert monitoring (Dependabot, CodeQL, Secret scanning)
  • AWS CloudTrail anomaly detection
  • CloudFront access log analysis for suspicious patterns
  • Detection capabilities matrix (what can vs. cannot be detected)
  • Investigation procedures for static site threats
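The "CloudFront access log analysis for suspicious patterns" bullet above is the one item in this section that can be shown concretely. The following is an added example, not code from the riksdagsmonitor project: it parses CloudFront standard access logs (the real format: a `#Fields:` header with space-separated field names, then tab-separated data lines with a URL-encoded `cs-uri-stem`) and flags client IPs by three defender-side rules that fit a static site: a high 4xx ratio, requests for server-side paths the site never serves, and a per-minute request burst. The hostname, IPs, paths and thresholds are constructed for the sample; a full CloudFront log with all of its fields parses the same way because parsing is driven by the header.

```python
"""Flag suspicious clients in CloudFront standard access logs (added example)."""
from __future__ import annotations

from collections import Counter, defaultdict
from urllib.parse import unquote

HOST = "d111111abcdef8.cloudfront.net"  # constructed distribution hostname

# Paths a static site never serves; a client asking for them is probing for
# server-side software rather than reading published content.
PROBE_MARKERS = (".php", ".env", ".git/", "/wp-", "/phpmyadmin")


def _row(date: str, time: str, ip: str, path: str, status: int, agent: str) -> str:
    """Build one tab-separated data line in the order of the #Fields header below."""
    return "\t".join([date, time, "ARN56-C1", "1024", ip, "GET", HOST, path, str(status), "-", agent])


# Constructed sample: a normal visitor (198.51.100.10), a client probing for
# server-side apps (203.0.113.7) and a client hammering one CSV (192.0.2.55).
SAMPLE_LOG = "\n".join(
    [
        "#Version: 1.0",
        "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
        "cs-uri-stem sc-status cs(Referer) cs(User-Agent)",
        _row("2024-05-01", "10:00:01", "198.51.100.10", "/index.html", 200, "Mozilla/5.0"),
        _row("2024-05-01", "10:00:02", "198.51.100.10", "/data/votes.csv", 200, "Mozilla/5.0"),
        _row("2024-05-01", "10:01:15", "198.51.100.10", "/members.html", 200, "Mozilla/5.0"),
        _row("2024-05-01", "10:00:03", "203.0.113.7", "/wp-login.php", 404, "curl/8.0"),
        _row("2024-05-01", "10:00:11", "203.0.113.7", "/.env", 404, "curl/8.0"),
        _row("2024-05-01", "10:00:19", "203.0.113.7", "/admin/config.php", 404, "curl/8.0"),
        _row("2024-05-01", "10:00:27", "203.0.113.7", "/xmlrpc.php", 404, "curl/8.0"),
        _row("2024-05-01", "10:00:35", "203.0.113.7", "/index.html", 200, "curl/8.0"),
        _row("2024-05-01", "10:00:43", "203.0.113.7", "/phpmyadmin/", 404, "curl/8.0"),
    ]
    # nine requests for the same file inside a single minute
    + [_row("2024-05-01", f"10:05:{s:02d}", "192.0.2.55", "/data/votes.csv", 200, "python-requests/2.31")
       for s in range(0, 27, 3)]
)


def parse_cloudfront_log(text: str) -> list[dict]:
    """Parse CloudFront standard log text into dicts keyed by the #Fields names."""
    fields: list[str] | None = None
    records: list[dict] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if raw.startswith("#"):
            continue  # "#Version" or another directive line
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        rec = dict(zip(fields, values))
        rec["cs-uri-stem"] = unquote(rec["cs-uri-stem"])  # CloudFront URL-encodes this field
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def find_suspicious(records: list[dict], *, min_requests: int = 5,
                    error_ratio: float = 0.5, burst_per_minute: int = 8) -> dict:
    """Return {client ip: finding} for clients matching at least one rule.

    Thresholds are tuned for the small sample; tune them to real traffic volume.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec)

    findings: dict[str, dict] = {}
    for ip, rows in by_ip.items():
        reasons = []
        n = len(rows)
        errors = sum(1 for r in rows if 400 <= r["sc-status"] < 500)
        ratio = errors / n
        if n >= min_requests and ratio >= error_ratio:
            reasons.append("high-4xx-ratio")  # path guessing leaves a trail of 404s
        probes = sorted({r["cs-uri-stem"] for r in rows
                         if any(m in r["cs-uri-stem"].lower() for m in PROBE_MARKERS)})
        if probes:
            reasons.append("probe-paths")
        per_minute = Counter(f'{r["date"]} {r["time"][:5]}' for r in rows)
        minute, peak = per_minute.most_common(1)[0]
        if peak > burst_per_minute:
            reasons.append("burst")
        if reasons:
            findings[ip] = {"requests": n, "error_ratio": round(ratio, 2), "probe_paths": probes,
                            "peak_minute": minute, "peak_requests": peak, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, finding in find_suspicious(parse_cloudfront_log(SAMPLE_LOG)).items():
        print(ip, finding["reasons"], finding["probe_paths"] or "")
```

Because CloudFront writes logs per edge location and delivers them with a delay of up to several hours, a rule like the burst check should be run over a merged, time-sorted batch rather than file by file; the parser above accepts the concatenated text of several files as long as each carries its own `#Fields` header.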

2. ## 🔎 Vulnerability Management

  • Dependabot automated scanning (GitHub Actions, npm dependencies)
  • Chart.js/D3.js/Papa Parse version monitoring
  • Vulnerability remediation SLAs (Critical: 24h, High: 7d, Medium: 30d, Low: 90d)
  • Vulnerability tracking and reporting
  • Key benefits of current approach
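The remediation SLAs and the "tracking and reporting" bullet above together describe a small piece of logic: given Dependabot alerts, compute each alert's due date from its severity and report which open alerts have breached the SLA. The following is an added example, not riksdagsmonitor project code. The alert objects are constructed but follow the key names of GitHub's Dependabot alerts REST API (`number`, `state`, `created_at`, `dependency.package.name`, `security_advisory.severity`), so output from `GET /repos/{owner}/{repo}/dependabot/alerts` can be fed in unchanged; the SLA table is the one proposed in this issue, and `EXAMPLE_NOW` is a fixed clock for the sample.

```python
"""Dependabot alert SLA tracker (added example, not project code)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Remediation SLAs proposed in the issue, measured from alert creation.
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed alerts carrying only the keys this tracker reads.
SAMPLE_ALERTS = [
    {"number": 12, "state": "open", "created_at": "2024-05-09T06:00:00Z",
     "dependency": {"package": {"name": "chart.js"}},
     "security_advisory": {"severity": "critical"}},
    {"number": 13, "state": "open", "created_at": "2024-05-05T00:00:00Z",
     "dependency": {"package": {"name": "d3"}},
     "security_advisory": {"severity": "high"}},
    {"number": 14, "state": "open", "created_at": "2024-04-01T00:00:00Z",
     "dependency": {"package": {"name": "papaparse"}},
     "security_advisory": {"severity": "medium"}},
    {"number": 15, "state": "fixed", "created_at": "2024-03-01T00:00:00Z",
     "dependency": {"package": {"name": "linkinator"}},
     "security_advisory": {"severity": "low"}},
    {"number": 16, "state": "dismissed", "created_at": "2024-05-01T00:00:00Z",
     "dependency": {"package": {"name": "htmlhint"}},
     "security_advisory": {"severity": "high"}},
]
EXAMPLE_NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _parse_ts(value: str) -> datetime:
    # GitHub returns RFC 3339 timestamps with a trailing "Z"; older Pythons'
    # fromisoformat() only accepts an explicit numeric offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_alert(alert: dict, now: datetime) -> dict:
    """Classify one alert as closed, on-track or breached against its SLA."""
    sev = alert["security_advisory"]["severity"].lower()
    if sev not in SLA:
        raise ValueError(f"unknown severity {sev!r} on alert #{alert['number']}")
    due = _parse_ts(alert["created_at"]) + SLA[sev]
    result = {
        "number": alert["number"],
        "package": alert["dependency"]["package"]["name"],
        "severity": sev,
        "due": due.isoformat(),
        "overdue_by_hours": None,
    }
    if alert["state"] != "open":
        result["status"] = "closed"  # fixed, dismissed or auto_dismissed
    elif now > due:
        result["status"] = "breached"
        result["overdue_by_hours"] = (now - due).total_seconds() / 3600
    else:
        result["status"] = "on-track"
    return result


def sla_report(alerts: list[dict], now: datetime) -> dict[str, list[int]]:
    """Group alert numbers by SLA status, ordered by severity then alert number."""
    buckets: dict[str, list[int]] = {"breached": [], "on-track": [], "closed": []}
    evaluated = sorted((evaluate_alert(a, now) for a in alerts),
                       key=lambda e: (SEVERITY_RANK[e["severity"]], e["number"]))
    for e in evaluated:
        buckets[e["status"]].append(e["number"])
    return buckets


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        e = evaluate_alert(a, EXAMPLE_NOW)
        print(f"#{e['number']:<3} {e['severity']:<8} {e['package']:<10} {e['status']:<9} due {e['due']}")
    print(sla_report(SAMPLE_ALERTS, EXAMPLE_NOW))
```

The sort key (severity, then alert number) makes a breach on a critical alert the first line of the report regardless of how long a lower-severity alert has been open; a workflow that wants to fail a scheduled run can simply exit non-zero when `sla_report(...)["breached"]` is non-empty.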

3. ## 🤖 Automated Security Operations

  • GitHub Actions automated security workflows
  • Dependabot auto-merge for minor/patch updates
  • Automated HTML validation (HTMLHint) and link checking (linkinator)
  • SLSA attestation generation automation
  • CIA data validation automation

4. ## ⚡ Resilience & Operational Readiness

  • Dual deployment resilience (AWS CloudFront + GitHub Pages DR)
  • Cross-region S3 replication (<15 min RPO)
  • Route 53 health checks and automatic failover
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  • Business continuity features

5. ## 📋 Configuration & Compliance Management

  • Infrastructure as Code (GitHub Actions workflows)
  • Configuration drift detection (GitHub + AWS)
  • Compliance framework integration (ISO 27001, NIST CSF, CIS Controls)
  • Automated compliance checking

6. ## 📊 Monitoring & Analytics

  • GitHub Actions workflow monitoring
  • AWS CloudWatch metrics collection
  • CloudFront access log analytics
  • Security metrics dashboard (if applicable)
  • Key monitoring gaps and remediation plans

🔧 Implementation Approach

  1. Extract relevant content from existing §2.6 and §4 into new dedicated sections
  2. Add riksdagsmonitor-specific details for each section
  3. Include Mermaid diagrams where appropriate
  4. Add ISO 27001/NIST CSF/CIS Controls mapping to each section
  5. Match the subsection pattern used in CIA/BT (### Key Components, ### Security Benefits, etc.)
  6. Maintain consistency with existing document style

🤖 Recommended Agent

security-architect — Deep security operations expertise required

✅ Acceptance Criteria

  • 6 dedicated sections added (Threat Detection, Vulnerability Mgmt, Automated Ops, Resilience, Config/Compliance, Monitoring)
  • Each section has Control Mapping to ISO 27001/NIST CSF/CIS Controls
  • Vulnerability remediation SLAs documented
  • Resilience section includes RTO/RPO targets
  • All content is riksdagsmonitor-specific
  • At least 2 new Mermaid diagrams
  • Existing content preserved (no duplication)

📚 References

🏷️ Labels

type:documentation, priority:high, component:security, agent:security-architect
