breakpilot-compliance/ai-compliance-sdk/migrations/015_it_security_modules.sql
Benjamin Boenisch 9b8b7ca073
feat(training): add Media Pipeline — TTS Audio, Presentation Video, Bulk Generation
Phase A: 8 new IT-Security training modules (SEC-PWD, SEC-DESK, SEC-KIAI,
SEC-BYOD, SEC-VIDEO, SEC-USB, SEC-INC, SEC-HOME) with CTM entries.
Bulk content and quiz generation endpoints for all 28 modules.

Phase B: Piper TTS service (Python/FastAPI) for local German speech synthesis.
training_media table, TTSClient in Go backend, audio generation endpoints,
AudioPlayer component in frontend. MinIO storage integration.

Phase C: FFmpeg presentation video pipeline — LLM generates slide scripts,
ImageMagick renders 1920x1080 slides, FFmpeg combines with audio to MP4.
VideoPlayer and ScriptPreview components in frontend.

New files: 15 created, 9 modified
- compliance-tts-service/ (Dockerfile, main.py, tts_engine.py, storage.py,
  slide_renderer.py, video_generator.py)
- migrations 014-016 (training engine, IT-security modules, media table)
- training package (models, store, content_generator, media, handlers)
- frontend (AudioPlayer, VideoPlayer, ScriptPreview, api, types, page)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 21:42:33 +01:00


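-- =========================================================
-- Migration 015: IT-Security Training Modules
-- =========================================================
-- Seeds 8 new IT-security micro/annual training modules and
-- their role assignments (training_matrix, "CTM") for the
-- template tenant and the Breakpilot tenant.
--
-- Seed-once semantics: for each tenant, the module insert is
-- skipped when that tenant already has a 'SEC-PWD' module, and
-- the matrix insert is skipped when that tenant already has a
-- matrix row for its 'SEC-PWD' module. Rows a tenant removed
-- after the first run are therefore NOT re-created on re-run.
--
-- NOTE(review): gen_random_uuid() is built in from PostgreSQL 13;
-- older servers need the pgcrypto extension — confirm the target.
-- =========================================================
DO $$
DECLARE
    -- Tenant IDs (hard-coded; both tenants are written with an explicit
    -- tenant_id on every row so no row can land in another tenant).
    tmpl_id UUID := '00000000-0000-0000-0000-000000000000';
    bp_id   UUID := '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e';

    -- Loop state: the tenant being seeded and its name for log messages.
    cur_tenant   UUID;
    tenant_label TEXT;

    -- Module IDs of the current tenant, looked up for the CTM insert.
    m_sec_pwd   UUID;
    m_sec_desk  UUID;
    m_sec_kiai  UUID;
    m_sec_byod  UUID;
    m_sec_video UUID;
    m_sec_usb   UUID;
    m_sec_inc   UUID;
    m_sec_home  UUID;

    -- True once any INSERT ran, so the final notice does not claim an
    -- insert that was skipped.
    inserted_any BOOLEAN := false;
BEGIN
    -- Both tenants receive the identical module list and matrix, so the
    -- seed is written once and applied per tenant (template first).
    FOREACH cur_tenant IN ARRAY ARRAY[tmpl_id, bp_id]
    LOOP
        tenant_label := CASE WHEN cur_tenant = tmpl_id THEN 'template' ELSE 'Breakpilot' END;

        -- ===================================================
        -- 1) Modules for the current tenant
        -- ===================================================
        -- 'SEC-PWD' is the sentinel: its presence means this tenant was
        -- already seeded (or seeded by hand) and the whole list is skipped.
        IF EXISTS (
            SELECT 1
            FROM training_modules
            WHERE tenant_id = cur_tenant
              AND module_code = 'SEC-PWD'
        ) THEN
            RAISE NOTICE 'IT-Security modules already exist for % tenant, skipping % insert', tenant_label, tenant_label;
        ELSE
            -- SEC-INC is the only module flagged nis2_relevant = true.
            INSERT INTO training_modules (id, tenant_id, module_code, title, description, regulation_area, nis2_relevant, frequency_type, validity_days, risk_weight, duration_minutes, pass_threshold, sort_order)
            VALUES
                (gen_random_uuid(), cur_tenant, 'SEC-PWD',   'Passwortsicherheit & MFA',            'Sichere Passwoerter, Multi-Faktor-Authentifizierung, Passwort-Manager',            'iso27001', false, 'micro',  180, 1.5, 10, 70, 21),
                (gen_random_uuid(), cur_tenant, 'SEC-DESK',  'Sichere Datenablage & Clean Desk',    'Clean-Desk-Policy, sichere Ablage, Bildschirmsperre, Dokumentenvernichtung',        'iso27001', false, 'micro',  180, 1.5, 10, 70, 22),
                (gen_random_uuid(), cur_tenant, 'SEC-KIAI',  'Personenbezogene Daten in KI-Tools',  'DSGVO-konforme Nutzung von KI, ChatGPT & Co., Datenweitergabe-Risiken',             'dsgvo',    false, 'annual', 365, 2.5, 30, 70, 23),
                (gen_random_uuid(), cur_tenant, 'SEC-BYOD',  'BYOD & Mobile Security',              'Bring Your Own Device, Mobile Device Management, Geraetetrennung',                  'iso27001', false, 'annual', 365, 2.0, 15, 70, 24),
                (gen_random_uuid(), cur_tenant, 'SEC-VIDEO', 'Sichere Videokonferenzen',            'Datenschutz in Videokonferenzen, Screensharing-Risiken, Aufzeichnungsregeln',       'iso27001', false, 'micro',  180, 1.5, 10, 70, 25),
                (gen_random_uuid(), cur_tenant, 'SEC-USB',   'USB & Externe Medien',                'Risiken externer Datentraeger, USB-Richtlinien, Verschluesselung',                  'iso27001', false, 'micro',  180, 1.5, 10, 70, 26),
                (gen_random_uuid(), cur_tenant, 'SEC-INC',   'Sicherheitsvorfall melden',           'Erkennung von Sicherheitsvorfaellen, Meldewege, Sofortmassnahmen, Dokumentation',   'iso27001', true,  'micro',  180, 1.5, 10, 70, 27),
                (gen_random_uuid(), cur_tenant, 'SEC-HOME',  'Homeoffice-Sicherheit',               'Sicheres Arbeiten von zuhause, VPN, WLAN-Sicherheit, physische Sicherheit',         'iso27001', false, 'annual', 365, 2.0, 15, 70, 28);
            inserted_any := true;
        END IF;

        -- Look up the current tenant's module IDs for the CTM insert.
        -- A lookup that finds no row leaves the variable NULL.
        -- NOTE(review): SELECT INTO without STRICT takes the first row if
        -- several match; no unique constraint on (tenant_id, module_code)
        -- is visible in this file — confirm one exists.
        SELECT id INTO m_sec_pwd   FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-PWD';
        SELECT id INTO m_sec_desk  FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-DESK';
        SELECT id INTO m_sec_kiai  FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-KIAI';
        SELECT id INTO m_sec_byod  FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-BYOD';
        SELECT id INTO m_sec_video FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-VIDEO';
        SELECT id INTO m_sec_usb   FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-USB';
        SELECT id INTO m_sec_inc   FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-INC';
        SELECT id INTO m_sec_home  FROM training_modules WHERE tenant_id = cur_tenant AND module_code = 'SEC-HOME';

        -- ===================================================
        -- 2) CTM entries for the current tenant (skip if present)
        -- ===================================================
        IF NOT EXISTS (
            SELECT 1
            FROM training_matrix
            WHERE tenant_id = cur_tenant
              AND module_id = m_sec_pwd
        ) THEN
            -- The module guard above keys on SEC-PWD alone. A tenant that
            -- had SEC-PWD but not the other seven modules would reach this
            -- point with NULL IDs, and the insert below would either write
            -- role assignments that point at no module or fail with an
            -- unrelated-looking constraint error. Stop with a clear message
            -- instead; the DO block rolls back as a whole.
            IF m_sec_pwd IS NULL OR m_sec_desk IS NULL OR m_sec_kiai IS NULL
               OR m_sec_byod IS NULL OR m_sec_video IS NULL OR m_sec_usb IS NULL
               OR m_sec_inc IS NULL OR m_sec_home IS NULL THEN
                RAISE EXCEPTION 'Migration 015: % tenant (%) has SEC-PWD but is missing other SEC-* modules; refusing to insert training_matrix rows with NULL module_id', tenant_label, cur_tenant;
            END IF;

            INSERT INTO training_matrix (tenant_id, role_code, module_id, is_mandatory, priority) VALUES
                -- SEC-PWD: R7, R8, R9
                (cur_tenant, 'R7', m_sec_pwd, true, 4),
                (cur_tenant, 'R8', m_sec_pwd, true, 4),
                (cur_tenant, 'R9', m_sec_pwd, true, 3),
                -- SEC-DESK: R9
                (cur_tenant, 'R9', m_sec_desk, true, 3),
                -- SEC-KIAI: R3, R7, R9
                (cur_tenant, 'R3', m_sec_kiai, true, 3),
                (cur_tenant, 'R7', m_sec_kiai, true, 4),
                (cur_tenant, 'R9', m_sec_kiai, true, 3),
                -- SEC-BYOD: R2, R8, R9
                (cur_tenant, 'R2', m_sec_byod, true, 4),
                (cur_tenant, 'R8', m_sec_byod, true, 4),
                (cur_tenant, 'R9', m_sec_byod, true, 3),
                -- SEC-VIDEO: R9 (optional)
                (cur_tenant, 'R9', m_sec_video, false, 5),
                -- SEC-USB: R2, R8, R9
                (cur_tenant, 'R2', m_sec_usb, true, 4),
                (cur_tenant, 'R8', m_sec_usb, true, 4),
                (cur_tenant, 'R9', m_sec_usb, true, 3),
                -- SEC-INC: R2, R7, R8, R9
                (cur_tenant, 'R2', m_sec_inc, true, 2),
                (cur_tenant, 'R7', m_sec_inc, true, 4),
                (cur_tenant, 'R8', m_sec_inc, true, 2),
                (cur_tenant, 'R9', m_sec_inc, true, 2),
                -- SEC-HOME: R8, R9
                (cur_tenant, 'R8', m_sec_home, true, 4),
                (cur_tenant, 'R9', m_sec_home, true, 3);
            inserted_any := true;
        END IF;
    END LOOP;

    -- Report what actually happened: a re-run that skipped every insert
    -- must not log a successful insert.
    IF inserted_any THEN
        RAISE NOTICE 'Migration 015: IT-Security modules inserted successfully';
    ELSE
        RAISE NOTICE 'Migration 015: IT-Security modules already present, nothing inserted';
    END IF;
END $$;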