Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
© Cengage Learning 2015

Chapter 9
The Systems Security Engineering Capability Maturity Model (ISO 21827)

Objectives
• Follow a staged enhancement process to increase system security capability
• Ensure capability maturity based on best practices
• Assess supplier fitness based on specified capability requirements
• Assess internal capability based on a best-practice model
• Target critical areas of security need based on a formal profile

Overview of the SSE-CMM
• The Systems Security Engineering Capability Maturity Model (SSE-CMM)
  – Also known as ISO/IEC 21827
  – Specifies a set of behaviors that an organization can adopt to ensure secure system and software engineering practice
  – Built around a staged grouping of security engineering best practices
  – Specifies security engineering practices for the organization as a whole

Overview of the SSE-CMM
• The SSE-CMM ensures that appropriate interactions take place with other disciplines, such as:
  – System software and hardware
  – Human factors security
  – Test engineering
  – System management
  – Operations and maintenance
• The model provides recommendations to ensure acquisition, system management, certification, accreditation, and evaluation

Overview of the SSE-CMM
• Security controls are divided into two areas:
  – Security Base Practices
  – Project and Organizational Base Practices
• Security Base Practices include 11 high-level control areas with a number of underlying controls
• Project and Organizational Base Practices also include 11 high-level control areas and their own control objectives

Overview of the SSE-CMM
• The capability maturity of the 22 control areas can be judged using a five-level scale:
  – Level 1, Performed Informally
  – Level 2, Planned and Tracked
  – Level 3, Managed
  – Level 4, Quantitative Management
  – Level 5, Optimizing

Overview of the SSE-CMM
• The SSE-CMM allows an organization to manage product engineering risk at the organizational, enterprise, or project level
• Activities support managers, suppliers, buyers, developers, participants, and other stakeholders
  – By dictating a single set of key practices that can help manage a broad variety of risks while developing and procuring systems and software
• The model helps improve the management of risks associated with purchasing or developing software or systems

Overview of the SSE-CMM
• An organization can increase its security engineering capability using the SSE-CMM
  – Can use it to help develop, manufacture, test, support, or maintain ICT systems and components
• Best practices of the SSE-CMM help stakeholders develop a shared understanding of the relationships required to coordinate:
  – Schedules
  – Processes
  – Development practices

Background: The SSE-CMM Collaboration
• The SSE-CMM project grew out of a joint effort between government and industry
  – Was aimed at developing a model for security engineering
• The overall goal was to provide a mechanism for selecting qualified security engineering suppliers
  – To underwrite overall capability-based assurance
• Originated at the National Security Agency (NSA) in 1993
• Eventually involved 42 companies and other government agencies

Background: The SSE-CMM Collaboration
• The model was approved by the ISO as an international standard in 2002
  – A second edition was approved by the ISO in 2008
• The model can be used to evaluate best practices for enhanced system and software engineering capability
  – Makes it an excellent tool for determining supplier abilities and for making decisions about threats and risks that might be present in a worldwide ICT supply chain
• The ability to ensure trust is essential for global business

Background: The SSE-CMM Collaboration
• The final product of this effort was the registration of ISO 21827 as a full international standard in 2002
• The International System Security Engineering Association (ISSEA) was named as the assessor and registrar
  – For organizations wanting to accredit their systems and software engineering processes to the standard

Structure of the SSE-CMM/ISO 21827 Standard
• The SSE-CMM is meant to support self-assessment
• Assesses processes based on a defined set of key functional elements and produces a set of ratings
  – Ratings are expressed in the form of a process profile
  – Each process is evaluated on a sliding scale
• An SSE-CMM assessment greatly increases the level of trust in the ISO 12207-2008 acquisition process
  – By reducing uncertainty in supplier selection
• Suppliers can determine the capability maturity of their own system security processes

Structure of the SSE-CMM/ISO 21827 Standard
• Allows customers to identify common security risks associated with a given procurement project
• Also allows customers to balance business needs, requirements, and estimated project costs
  – Against the known capability of competing suppliers
• The SSE-CMM compares the actual security capability of a selected process against a target capability profile
  – The outcomes of that comparison help the organization better identify missing or vulnerable security engineering functions

The Base Practices of the SSE-CMM
• The SSE-CMM embodies a set of standard base practices
  – Formal practices to ensure that work is executed correctly
• Goal of base practices: to disconnect the security engineering process from the practices associated with overall good management
• The model employs two dimensions:
  – Domain dimension
  – Capability dimension

The Base Practices of the SSE-CMM
• The domain dimension consists of all the base practices that collectively define security engineering
  – Requires the organization to have a formalized security process in place
• The capability dimension consists of standard best practices to ensure correct process management
  – These apply across a wide range of domains
  – They represent activities that should normally occur while executing security base practices

The Base Practices of the SSE-CMM
• Related base practices are organized into common process areas for ease of use
• Process area: a distinct collection of related practices with common features
• Each process area embodies a set of organizational actions intended to successfully carry out the purposes of base practice
  – Applies across the lifecycle of the enterprise and does not overlap with other base practices

The Base Practices of the SSE-CMM
• Each process area can be addressed as a distinct entity and can be implemented in multiple contexts throughout an organization and for various products
• Satisfying the purpose of the process is the first step in building process capability
• The model does stipulate that security objectives are achieved by executing the base practices that underlie each process area

Project and Organizational Base Practices
• Project process areas are an important part of the SSE-CMM
  – They characterize actions that must be performed to satisfy the generic security practice goals of the standard
• Each process area itemizes an explicit set of security activities that have to be carried out for the security engineering process to be considered secure
• The next few slides summarize some process areas

Project and Organizational Base Practices
• PA12 - Ensure Quality - addresses system quality and the quality of the process used to create the system
  – Actions specified in this process are used to measure and improve quality
• PA13 - Manage Configurations - maintains the status of all project configurations and analyzes/controls changes to the system and its configurations

Project and Organizational Base Practices
• PA14 - Manage Project Risks - identifies, assesses, monitors, and mitigates risks to ensure the success of systems engineering activities
  – And the overall technical effort
• PA15 - Monitor and Control Technical Effort - contains the activities that control the project’s technical aspects
  – As well as its systems engineering effort
  – Activities include directing, tracking, and reviewing the project’s accomplishments, results, and risks

Project and Organizational Base Practices
• PA16 - Plan Technical Effort - defines the plans that guide the project
  – Plans provide the basis for scheduling, costing, controlling, tracking, and negotiating the technical work involved in system engineering
• PA17 - Define Systems Engineering Process - specifies and manages the organization’s standard systems engineering process
• PA18 - Improve Systems Engineering Process - describes continuing activities to measure and improve systems engineering

Project and Organizational Base Practices
• PA19 - Manage Product Line Evolution - ensures that product development efforts achieve their strategic business purposes
  – Covers the practices associated with managing a product line, but not the product engineering itself
• PA20 - Manage Systems Engineering Support Environment - applies to systems engineering support at both the project and organization level
  – The aim of this area is to maximize support capability

Project and Organizational Base Practices
• PA21 - Provide Ongoing Skills and Knowledge - provides training for the organization’s security engineering to ensure that project personnel have the necessary knowledge and skills to achieve objectives
• PA22 - Coordinate with Suppliers - manages work done by other organizations based on a defined process
  – Other organizations include vendors, subcontractors, and partners

Assuring an Organization’s System Security Engineering Capability
• The SSE-CMM is meant to provide a general set of criteria for security best practice
  – Can be used to assess the security status of software and system engineering processes
• Organizations perform the evaluation by determining the presence or absence of a set of security best practices
  – The comparison is then used to plan, manage, monitor, control, and improve the security of all technical processes in the 12207-2008 standard

Assuring an Organization’s System Security Engineering Capability
• At the management level
  – The SSE-CMM generates practical information that allows decision makers to evaluate the security of software operation against business needs
• The model focuses on process assessment, process improvement, and capability determination
• The SSE-CMM is useful for supply chain risk assessment
  – Assurance that a chain of suppliers is functioning properly

Assuring an Organization’s System Security Engineering Capability
• The SSE-CMM’s documentation and its baseline security practices are linked to the concepts in the process areas of ISO 12207-2008
• Process domains for systems and software engineering in the SSE-CMM are the same as those covered by 12207:
  – Acquisition
  – Supply
  – Technical and implementation processes
  – Project, project-enabling, and supporting processes

Architectural Components of the SSE-CMM
• The SSE-CMM implements two hierarchies:
  – The first consists of the traditional set of process categories, composed of base practices
  – Processes are then rated in terms of a second “assessment” hierarchy based on capability levels
• The base practices represent unique actions taken within the process
  – They have to be performed in order to achieve the purposes of the process
• The model requires an organization to judge whether each practice is being executed correctly

Process Capability Assessment
• Capability level: the assessed level of competency for the execution of a practice
• Capability levels create a way of progressing through the improvement of any given process
• The reference model has six levels:
  – Incomplete
  – Performed
  – Managed
  – Established
  – Predictable
  – Optimizing

Process Capability Assessment
• Process maturity: the level of capability of a process based on practices and common features
• Escalating levels of process maturity are built on a foundation of increasingly capable practices
• Each process maturity level provides a major enhancement in capability over the process provided by its predecessors
• The successful satisfaction of a capability level within one process may require the presence of another process

Process Capability Assessment
• The SSE-CMM capability levels:
  – Incomplete - the process has no easily identifiable work products or outputs
  – Performed - base practices of the process are generally performed
    • Their performance might not be rigorously planned and tracked
  – Managed - performance is planned and tracked, and the organization verifies that practices were performed according to specified procedures

Process Capability Assessment
• The SSE-CMM capability levels (cont’d):
  – Established - base practices are performed according to a well-defined process using approved, tailored versions of standards and documented processes
  – Predictable - execution of the process is fully reliable because detailed measures of performance are collected and analyzed
  – Optimizing - the organization establishes goals for determining the effectiveness of quantitative processes based on those goals

Process Capability Evaluations
• SSE-CMM processes probably exist at different levels of capability in most organizations
• The order of the actions initiated at each capability level is necessary
  – Certain activities must be performed before other actions can be effective
• Common features: correct characteristics of a practice that can be confirmed by observation
• The SSE-CMM has common features that address a specific aspect of process implementation

Process Capability Evaluations
• Common features and their required activities provide a baseline for improving process capability
• The generic base and organizational practices grouped into each common feature provide a basis for understanding the actions required to achieve a given capability level
• If some requirements were not achieved for a common feature at a given capability level:
  – The assessment shows where the organization is operating at the lowest completed capability level

Process Capability Evaluations
• The capability levels of the SSE-CMM are based on a set of defined base and organizational practices
• Organizations can identify an explicit sequence for implementing these practices
  – But the order is not implicit in the model itself
• The capabilities needed for any given process depend on its context
  – Context influences the degree to which an auditor can compare the overall results of a process maturity assessment with required practice

Determining Capability Using the SSE-CMM Assessment Model
• The SSE-CMM assessment model can give an organization an overall rating of capability maturity
  – Or it can provide an assessment of the capability of a specific process instance
• A process instance is a unique occurrence of a process
  – Can be used to ensure repeatability
• Practice adequacy is a rating of the extent to which a practice meets its purpose

Determining Capability Using the SSE-CMM Assessment Model
• The results of a practice adequacy assessment support the organization’s overall business requirements
  – Helps managers decide whether the processes are effective in achieving their goals
  – Helps identify significant causes of poor quality or time and cost overruns
  – Helps set priorities for improving the process

The SSE-CMM Assessment Process
• The overall aim of the assessment process is to make an organization’s base practices:
  – Repeatable
  – Reliable
  – Consistent
• Base practices enable an organization to take objective measurements of SSE-CMM processes
  – By stipulating a comprehensive set of activities that indicate capability

The SSE-CMM Assessment Process
• Considerations when using the model to improve security engineering:
  – How the assessment results are interpreted and applied
  – How the model’s best practices are implemented as a result of that interpretation
  – How the implementation is measured and judged to be effective
  – How the organization can make a business case from the assessment results
  – How an organization can create and sustain a culture of improving capability and security

Using Targeted Assessments to Ensure Supplier Capability
• Organizations can use the SSE-CMM to determine supplier capability
  – By comparing perceived risks against potential return on investment
• A supplier capability assessment can also provide trust for complex situations and future projects
• The SSE-CMM helps the customer rate potential suppliers against target capability levels
  – The customer can see potential gaps in a supplier’s security engineering and other capabilities

Using Targeted Assessments to Ensure Supplier Capability
• A capability assessment can be used to tell:
  – The supplier what risks are associated with a new project
  – The customer whether the supplier’s system security engineering is trustworthy
• The ability of suppliers and customers to know the above provides them with a major competitive advantage for doing business in a global economy

Summary
• Organizations should perform a set of prescribed activities to ensure that they have secure engineering
• Each organization creates a profile to describe the base practices it will assess
• Base practices specify the what but not the how of system engineering
• In addition to base practices, the other common features of the SSE-CMM are the organizational practices

Summary
• The context and situation are important when defining the actual form of a base practice
• An organization can apply a standard process to evaluate its capability maturity in system security engineering
• An organization can use the SSE-CMM to determine supplier capability; these determinations can establish trust in a global outsourced environment
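Added worked example (not from the textbook or the standard) of the staged capability rating and target-profile comparison described in the Process Capability Evaluations and Determining Capability slides: a process area is rated at the lowest completed level, and the resulting process profile is checked against a target capability profile of the kind a customer would set for a supplier. The six-level scale and the PA12/PA13/PA14/PA22 names come from the chapter; the common-feature requirement names, the sample assessment and the target profile are constructed assumptions.

```python
from __future__ import annotations

LEVELS = ["Incomplete", "Performed", "Managed", "Established",
          "Predictable", "Optimizing"]

# Constructed common-feature requirements per capability level (hypothetical
# names that echo the chapter's level descriptions, not the standard's text).
COMMON_FEATURES = {
    1: ["base practices performed"],
    2: ["performance planned", "performance tracked", "procedures verified"],
    3: ["defined process used", "tailored standards approved"],
    4: ["performance measures collected", "performance measures analyzed"],
    5: ["effectiveness goals set", "improvement goals pursued"],
}

def first_unmet(satisfied: set[str]) -> tuple[int, str] | None:
    """Walk the levels in order; return the first (level, requirement) the
    assessment did not observe, or None when every level is fully met."""
    for level in range(1, 6):
        for req in COMMON_FEATURES[level]:
            if req not in satisfied:
                return level, req
    return None

def rate_process_area(satisfied: set[str]) -> int:
    """Staged rule: a level counts only when it and every lower level are fully
    satisfied, so partial higher-level work leaves the area at the lowest
    completed level (0 = Incomplete)."""
    unmet = first_unmet(satisfied)
    return 5 if unmet is None else unmet[0] - 1

def build_profile(assessment: dict[str, set[str]]) -> dict[str, int]:
    """Process profile: one rated capability level per assessed process area."""
    return {pa: rate_process_area(obs) for pa, obs in assessment.items()}

def profile_gaps(assessment: dict[str, set[str]],
                 target: dict[str, int]) -> dict[str, dict[str, str]]:
    """Compare the rated profile against a target capability profile and
    report each shortfall together with the next requirement to satisfy."""
    gaps = {}
    for pa, required in target.items():
        observed = assessment.get(pa, set())   # unassessed area = Incomplete
        rated = rate_process_area(observed)
        if rated < required:
            level, req = first_unmet(observed)  # exists because rated < 5
            gaps[pa] = {"rated": LEVELS[rated], "target": LEVELS[required],
                        "next_step": f"level {level}: {req}"}
    return gaps

def through(level: int, *extra: str) -> set[str]:
    """Constructed helper: every requirement up to `level`, plus `extra`."""
    reqs = {r for lv in range(1, level + 1) for r in COMMON_FEATURES[lv]}
    return reqs | set(extra)

# Constructed sample assessment of four of the chapter's process areas.
ASSESSMENT = {
    "PA12 Ensure Quality": set(),
    "PA13 Manage Configurations": through(3),
    # Level 2 only partly done: the staged rule keeps this at Performed.
    "PA14 Manage Project Risks": through(1, "performance planned",
                                         "performance tracked"),
    "PA22 Coordinate with Suppliers": through(4, "effectiveness goals set"),
}

# Constructed target capability profile a customer might set for a supplier.
TARGET_PROFILE = {"PA12 Ensure Quality": 2, "PA13 Manage Configurations": 3,
                  "PA14 Manage Project Risks": 3,
                  "PA22 Coordinate with Suppliers": 3}
```

Running `profile_gaps(ASSESSMENT, TARGET_PROFILE)` flags PA12 and PA14 only: PA14 shows why the staged rule matters, since two of three level-2 features are in place yet the area still rates as Performed.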