ISO System Security Engineering Capability Maturity Model

Transcription

1 ISO System Security Engineering Capability Maturity Model Presented By John W. Lindquist Founding Member of the HIPAA Alliance, LLC and President and CEO EWA Information & Infrastructure Technologies, Inc Park Center Rd., Ste. 200, Herndon VA th Annual HIPAA Summit Session: 5.06 On-Going HIPAA Compliance: Securing Tracked Data - March 28,

2 Problem How does management establish and track an information security program when: Risks are real Risks are nearly infinite The information environment is highly dynamic Resources are finite 2

3 The Need to Protect 4% 4% 3% 2% 4% 4% 5% 6% 11% 28% 29% Laptop Theft Virus Insider Abuse of Net Telecomm Fraud Financial Fraud System Penetration Theft of Proprietary Info Unauthorized Insider Sabotage Denial of Service Telecom Eavesdrop Active Wiretap Information assets against damage and unauthorized disclosure is critical to your organization. 3

4 Information Assurance Solutions Must Address: People Process Technology Technology alone won t make you safe. Get rid of the techno-babble. This is a management problem. Steve Katz, CISO, Citibank 4

5 Process Maturity and the Risk Management Cost Continuum $ Cost of Not Securing Cost of Securing Security Aversion (Ostrich) Level 0 Risk Management Decisions (Acceptance, Mitigation, Transference, Avoidance) SSE-CMM Process Maturity (Focused investment in IT Security) Risk Aversion (Paranoia) Level 5 5

6 SYSTEM SECURITY ENGINEERING CAPABILITY MATURITY MODEL SSE - CMM is both a Model and a Process A Community-owned Model (50 companies / agencies led by the US National Security Agency (NSA) and Canadian Communications Security Establishment (CSE)) Model Presents Security Engineering as a Defined, Mature and Measurable Discipline Model and Appraisal Method Enable: Capability-based assurance i.e.. Security/trustworthiness inferred from the maturity of processes Focused investment in security engineering tools, training, process definition, management practices and improvements based on risk assessment and available resources Qualifying vendors, suppliers, and organizations connecting to a system 6

7 CAPABILITY LEVELS 1 Performed Informally 2 Planned & Tracked 3 Well Defined 4 Quantitatively Controlled 5 Continuously Improving 7

8 Baseline, Minimum & Target Profile Maturity Level Process Area 8 PA21 PA01 PA02 PA03 PA04a PA04b PA05 PA06 PA07 PA08 PA09 PA10 PA11 PA12 PA13 PA14 PA15 PA16 PA17 PA18 PA19 PA20

9 System Security Process Areas PA 01 Specify Security Needs PA 02 Provide Security Input PA 03 Verify and Validate Security PA 04a Threat Assessment PA 04b Impact Assessment PA 05 Assess Security Risk PA 06 Build Assurance Argument PA 07 Monitor System Security Posture PA 08 Administer Security Controls PA 09 Coordinate Security PA 10 Vulnerability Assessment PA 11 Ensure Quality PA 12 Manage Configurations PA 13 Manage Program Risk PA 14 Monitor and Control Technical Effort PA 15 Plan Technical Effort PA 16 Define Organization's Security Engineering Process PA 17 Improve Organization's Security Engineering Processes PA 18 Manage Security Product Line Evolution PA 19 Manage Security Engineering Support Environment PA 20 Provide Ongoing Skills and Knowledge PA 21 Coordinate With Suppliers 9

10 SSE-CMM Usage Scenarios Applies to all system types and all classifications levels HW Vendor Trust Relationships Qualified Suppliers Security Assessment SW Vendor Services Business Partners/other units Operational Information Assurance ITS Business Processes/Military Information Systems Information Operations 10

11 Summary Can t Protect Everything All The Time The Dynamic Environment Requires a Flexible Response Effective Information Assurance Must Address People, Process and Technology Information Assurance is Risk Management not Risk Avoidance (There is No Silver Bullet) The SSE-CMM is an IA Tool Developed in Consideration the Above 11