The Systems Security Engineering Capability Maturity Model (SSE-CMM)

Similar documents
Security Engineering Best Practices. Arca Systems, Inc Boone Blvd., Suite 750 Vienna, VA

Overview of the Systems Security Engineering Capability Maturity Model (SSE-CMM)

IA Metrics Why And How To Measure Goodness Of Information Assurance

Software and Systems Engineering. Software and Systems Engineering Process Improvement at Oerlikon Aerospace

Why Would You Want to Use a Capability Maturity Model?

Software Process Improvement CMM

Concept of Operations for the Capability Maturity Model Integration (CMMI SM )

Risk Management Guide for Information Technology Systems. NIST SP Overview

MKS Integrity & CMMI. July, 2007

Capability Maturity Model Integration (CMMI ) Version 1.2 Overview

HKITPC Competency Definition

The Software Development Life Cycle: An Overview. Last Time. Session 8: Security and Evaluation. Information Systems Security Engineering

SW Process Improvement and CMMI. Dr. Kanchit Malaivongs Authorized SCAMPI Lead Appraisor Authorized CMMI Instructor

EASPI EASPI. The Integrated CMMI-based Improvement Framework for Test and Evaluation. Jeffrey L. Dutton Principal Consultant

Computer Security. Evaluation Methodology CIS Value of Independent Analysis. Evaluating Systems Chapter 21

The Role of Internal Audit In Business Continuity Planning

Army Regulation Product Assurance. Army Quality Program. Headquarters Department of the Army Washington, DC 25 February 2014 UNCLASSIFIED

Space project management

Taking Information Security Risk Management Beyond Smoke & Mirrors

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

State of Oregon. State of Oregon 1

CMS Policy for Configuration Management

Life Cycle Models, CMMI, Lean, Six Sigma Why use them?

Using CMMI Effectively for Small Business Panel

Department of Administration Portfolio Management System 1.3 June 30, 2010

Capability Maturity Model Integration (CMMI ) Overview

Costar Software Estimating Tool

Why Make the Switch? Evidence about the Benefits of CMMI

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

System/Data Requirements Definition Analysis and Design

Fundamentals of Information Systems, Fifth Edition. Chapter 8 Systems Development

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

SECURITY RISK MANAGEMENT

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering

Key Success Factors for Delivering Application Services

The Capability Maturity Model for Software, Version 1.1

Enterprise Security Tactical Plan

CMS Information Security Risk Assessment (RA) Methodology

Fundamentals of Measurements

Flexible, Life-Cycle Support for Unique Mission Requirements

Treasury Board of Canada Secretariat (TBS) IT Project Manager s Handbook. Version 1.1

Security Software Engineering: Do it the right way

Software Process Improvement Software Business. Casper Lassenius

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON WASHINGTON, DC

Overview of SAE s AS6500 Manufacturing Management Program. David Karr Technical Advisor for Mfg/QA AFLCMC/EZSM david.karr@us.af.

Department of Homeland Security Federal Government Offerings, Products, and Services

Governance, Risk, and Compliance (GRC) White Paper

Leveraging CMMI framework for Engineering Services

PROCESS IMPROVEMENT CAPABILITY MATURITY MODEL

Implementing Program Protection and Cybersecurity

Department of Defense INSTRUCTION

PRIORITIZING CYBERSECURITY

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

The Role of Internal Audit in Risk Governance

Evaluation and Integration of Risk Management in CMMI and ISO/IEC 15504

Manag. Roles. Novemb. ber 20122

Reaching CMM Levels 2 and 3 with the Rational Unified Process

CMMI Version 1.2. SCAMPI SM A Appraisal Method Changes

Engineering Standards in Support of

Process In Execution Review (PIER) and the SCAMPI B Method

PSM. Using CMMI To Improve Contract Management Within DCMA. Guy Mercurio, DCMA Boston, MA

MEASURES FOR EXCELLENCE. Software Process Improvement: Management. Commitment, Measures. And Motivation

What CMMI Cannot Give You: Good Software

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Program Lifecycle Methodology Version 1.7

Design Specification for IEEE Std 1471 Recommended Practice for Architectural Description IEEE Architecture Working Group 0 Motivation

Certified Information Security Manager (CISM)

IT and Cybersecurity. Workforce Development with CompTIA Certification

Five Core Principles of Successful Business Architecture

Case Study of CMMI implementation at Bank of Montreal (BMO) Financial Group

A Guide to Open Source Transformation Services. How and Why Organizations are Making the Move to Open Source

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Assessing Your Information Technology Organization

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Develop Project Charter. Develop Project Management Plan

Cisco Advanced Services for Network Security

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

Software Engineering of NLP-based Computer-assisted Coding Applications

A Report on The Capability Maturity Model

Performing Effective Risk Assessments Dos and Don ts

<name of project> Software Project Management Plan

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Office of the Chief Information Officer

Security Testing. Claire L. Lohr, CSQE, CSDP, CTAL F. Scot Anderson, CISSP April 7, 2009 V 1.

Software Development Best Practices

PROJECT MANAGEMENT PLAN CHECKLIST

Quality Systems Frameworks. SE 350 Software Process & Product Quality 1

Information Technology Security Certification and Accreditation Guidelines

ReMilNet Service Experience Overview

Transcription:

The Systems Security Engineering Capability Maturity Model (SSE-CMM) Karen Ferraiolo ISSEA Director of Technical Development karen.ferraiolo@exodus.net 410-309-1780

Topics Why define security engineering practices? How can they best be defined? Who developed and supports the SSE-CMM? What is security engineering? How does the SSE-CMM* define practices for security engineering? What is the relation between the SSE-CMM and other methods of obtaining assurance? * SSE-CMM = Systems Security Engineering Capability Maturity Model 2

Where are we now? Security needs are changing global interconnection massive complexity release of beta versions of products evolutionary development of systems 3

Where are we now? (cont.) Security products/systems come to market through: lengthy and expensive evaluation no evaluation results: technology growth more rapid than its assimilation unsubstantiated security claims Security services viewed as an art relies on individual expertise Secure system operation and maintenance everyone has security concerns improved practices are needed today 4

The Relevance of Competencies 5

What is needed? Continuity Repeatability Efficiency Assurance 6

What tools are currently available to address the problem? Tool Target Benefit ISO-9000 CMMs CISSP ISO-13335 Quality Assurance Process for Software Engineering/ Organizational Processes Security Engineering Professionals Security Management Processes Defined Software QA Process Continuously Improved Processes Individual Certification Defined Security Management Processes CMM = Capability Maturity Model CISSP = Certification of Information Systems Security Professionals 7

Why use the CMM approach to define practices? Accepted way of defining practices and improving capability Increasing use in acquisition as an indicator of capability Return on Investment for software indicates success productivity gains per year: 9-67% yearly reduction in time to market: 15-23% yearly reduction in post-release defect reports: 10-94% value returned on each dollar invested: 4-8.8% Statistics from: Benefits of CMM-Based Software Process Improvement: Initial Results, CMU/SEI-94-TR-13, August 1994 8

Why was the SSE-CMM developed? Objective: advance security engineering as a defined, mature, and measurable discipline Project Goal: Develop a mechanism to enable: selection of appropriately qualified security engineering providers focused investments in security engineering practices capability-based assurance 9

Who developed the SSE-CMM? SSE-CMM Project Original work and project infrastructure sponsored by NSA Additional support provided by OSD and Communications Security Establishment (Canada) Collaborative effort by industry and government on their own funding 10

SSE-CMM Project Participants 44 Pioneers Arca Systems, Inc. BDM International Inc. Booz-Allen and Hamilton, Inc. Communications Security Establishment (Canadian) Computer Sciences Corporation Data Systems Analysts, Inc. Defense Information Systems Agency E-Systems Electronic Warfare Associates - Canada, Ltd. Fuentez Systems Concepts G-J Consulting GRC International, Inc. Harris Corp. Hughes Aircraft Institute for Computer & Information Sciences Institute for Defense Analyses Internal Revenue Service ITT Aerospace JOTA System Security Consultants Inc. Lockheed Martin Merdan Group, Inc. MITRE Corporation Mitretek Systems Motorola National Center for Supercomputing Applications National Institute for Standards and Technology National Security Agency Naval Research Laboratory Navy Command, Control, Operations Support Center; Research, Development, Testing, and Evaluation Division (NRaD) Northrop Grumman Office of the Secretary of Defense Oracle Corporation pragma Systems Corp. San Antonio Air Logistics Center Science Applications International Corp. SPARTA, Inc. Stanford Telecom Systems Research & Applications Corp. Tax Modernization Institute The Sachs Groups tomega Engineering Trusted Information Systems TRW Unisys Government Systems 11

What is ISSEA? ISSEA Advisory Council SSE-CMM Support Organization Board of Sustaining Members Selected by SSE-CMM Project to continue support Non-profit professional membership organization Oversees SSO in furthering development and use of the SSE-CMM receives advice and guidance from Advisory Council and Board of Sustaining Members * ISSEA = International Systems Security Engineering Association 12

Membership Options Organizations Sustaining Membership Charter Sustaining Membership Individuals Individual membership 13

ISSEA s Current Activities ISO* Standardization ISSEA approved as Publicly Available Standard (PAS) Submitter Annual Conference February 28 - March 2, 2001 Appraiser Certification developing program for appraiser and facilitator certification Training 2 and 4 day courses in model and appraisal method SSE Textbook * ISO = International Organization for Standardization 14

What is Security Engineering? Definition: No precise definition exists today! Goals: Understand Security Risks Establish Security Needs Develop Security Guidance Determine Acceptable Risks Establish Assurance 15

Who practices security engineering? Developers Product vendors Integrators Buyers Security evaluation organizations System administrators Consulting/service organizations Program/project management 16

When is security engineering practiced? Pre-concept Concept exploration and definition Demonstration and validation Engineering, development, and manufacturing Production and deployment Operations and support Disposal 17

Who needs to know about security? Enterprise Engineering Systems Engineering Software Engineering Human Factors Engineering Communications Engineering Hardware Engineering Test Engineering Systems Administration 18

What do security engineering activities encompass? Operations Security Information Security Network Security Physical Security Personnel Security Administrative Security Communications Security Emanations Security Computer Security 19

How does the SSE-CMM define best practices? Domain Aspect process areas base practices Organizational Capability Aspect implementation of process areas institutionalization of process areas 20

SSE-CMM Base Architecture Three Domain Process Categories Security Engineering Project Organization Five Capability Levels Performed Informally Planned and Tracked Well Defined Quantitatively Controlled Continuously Improving 21

SSE-CMM Process Categories Engineering Processes Project Processes Organizational Processes 22

SSE-CMM Organizational Process Areas Define Organization s Security Engineering Process Improve Organization s Security Engineering Process Manage Security Product Line Evolution Manage Security Engineering Support Environment Provide Ongoing Skills and Knowledge Coordinate with Suppliers 23

SSE-CMM Project Process Areas Ensure Quality Manage Configurations Manage Program Risk Monitor and Control Technical Effort Plan Technical Effort 24

SSE-CMM Engineering Process Areas Administer Security Controls Assess Impact Assess Security Risk Assess Threat Assess Vulnerability Build Assurance Argument Coordinate Security Monitor Security Posture Provide Security Input Specify Security Needs Verify and Validate Security 25

The Security Engineering Product, System, or Service Process Engineering Process Process Assurance Process Process Risk Risk Process Process Assurance Argument Risk Information 26

The Security Engineering Process Product, System, or Service Engineering Process Process Assurance Process Process Risk Risk Process Process Assurance Argument Risk Information 27

Security Risk Area Purpose: To identify combinations of threat, vulnerability, and impact that deserve further attention Goals: Determine Metrics Gather Threat, Vulnerability, and Impact Information Identify and Assess Risks 28

What is Risk? Definition The expected value (likelihood * consequence) associated with an unwanted event Approaches All involve notions of consequence, threat, and vulnerability 29

Risk Definitions Events: threat-vulnerability pairs that lead to unwanted outcomes Likelihood: the probability that an unwanted event will occur Likelihood = Threat Vulnerability 30

Risk Definitions Consequence: the impact, either harm or loss, associated with an exploited vulnerability Risk: combines the concepts of likelihood and consequence Risk = Likelihood Consequence 31

The Model Assess Threat Assess Vulnerability Assess Impact Assess Security Risk Risk Threat Information Vulnerability Information Impact Information Risk Information 32

PA 04: Assess Threat Goal Threats to the security of the system are identified and characterized BP 04.01 BP 04.02 BP 04.03 BP 04.04 BP 04.05 BP 04.06 Identify Natural Threats Identify Man-made Threats Identify Threat Units of Measure Assess Threat Agent Capability Assess Threat Likelihood Monitor Threats and Their Characteristics 33

PA 05: Assess Vulnerability Goal An understanding of system security vulnerabilities within a defined environment is achieved BP.05.01 BP.05.02 BP.05.03 BP.05.04 BP.05.05 Select Vulnerability Analysis Method Identify Vulnerabilities Gather Vulnerability Data Synthesize System Vulnerability Monitor Vulnerabilities and Their Characteristics 34

PA 02: Assess Impact Goal The security impacts of risks to the system are identified and characterized BP.02.01 BP.02.02 BP 02.03 BP 02.04 BP 02.05 BP 02.06 Prioritize Capabilities Identify System Assets Select Impact Metrics Identify Metric Relationship Identify and Characterize Impacts Monitor Impacts 35

PA 03: Assess Security Risk Goals An understanding of the security risk associated with operating the system within a defined environment is achieved Risks are prioritized according to a defined methodology BP.03.01 BP 03.02 BP 03.03 BP 03.04 BP 03.05 BP 03.06 Select Risk Analysis Method Exposure Identification Assess Exposure Risk Assess Total Uncertainty Prioritize Risks Monitor Risks and Their Characteristics 36

The Security Engineering Product, System, or Service Process Engineering Process Process Assurance Process Process Risk Risk Process Process Assurance Argument Risk Information 37

What Is Assurance? Definition: the degree of confidence that security needs are satisfied What are security needs? What is confidence? How can we measure? 38

Assurance Area Purpose: To generate and communicate confidence that the enterprise has satisfied its security needs Goals: Appropriate evidence is collected efficiently Clear and convincing argument establishing confidence is created 39

The Model Verify and and Validate Security Verification and Validation Evidence Build Assurance Argument Assurance Argument Many Many other other PAs Many PAs Many other other PAs PAs Many other other PAs PAs Evidence 40

Assurance Arguments Top Level Claim People Argument Process Argument Environment Argument Technology Argument 41

PA 11: Verify and Validate BP.11.01 BP.11.02 BP.11.03 BP.11.04 BP.11.05 Security Goals Solutions meet security requirements Solutions meet the customer's operational security needs Identify Verification and Validation Targets Define Verification and Validation Approach Perform Verification Perform Validation Provide Verification and Validation Results 42

PA 06: Build Assurance Argument Goal The work products and processes clearly provide the evidence that the customer s security needs have been met BP.06.01 BP.06.02 BP.06.03 BP.06.04 BP.06.05 Identify Assurance Objectives Define Assurance Strategy Control Assurance Evidence Analyze Evidence Provide Assurance Argument 43

The Security Engineering Product, System, or Service Process Engineering Process Process Assurance Process Process Risk Risk Process Process Assurance Argument Risk Information 44

What is Engineering? Solving problems Requirements Identify candidate solutions Tradeoff analyses System configuration Part of overall systems processes Not an isolated activity Must balance considerations of performance, safety, human factors, etc 45

Security Engineering Area Purpose: To solve engineering problems involving security Goals: Determine customer security needs Develop solutions and guidance on security issues Coordinate with other engineering groups Monitor security posture 46

The Model Specify Security Needs Risk Information Monitor Security Posture Requirements, Policy, etc... Coordinate Security Configuration Information Provide Security Input Solutions, Guidance, etc... Administer Security Controls 47

PA 10: Specify Security Needs Goal A common understanding of security needs is reached between all parties, including the customer BP.10.01 Gain Understanding of Customer s Security Needs BP.10.02 Identify Applicable Laws, Policies, and Constraints BP.10.03 Identify System Security Context BP.10.04 Capture Security View of System Operation BP.10.05 Capture Security High-Level Goals BP.10.06 Define Security Related Requirements BP.10.07 Obtain Agreement 48

PA 09: Provide Security Input Goals All system issues are reviewed for security implications and are resolved in accordance with security goals All members of the project team have an understanding of security so they can perform their functions The solution reflects the security input provided BP.09.01 BP.09.02 BP.09.03 BP.09.04 BP.09.05 BP.09.06 Understand Security Input Needs Determine Security Constraints and Considerations Identify Security Alternatives Analyze Security of Engineering Alternatives Provide Security Related Guidance Provide Operational Security Guidance 49

PA 07: Coordinate Security Goals All members of the project team are aware of and involved with security engineering activities to the extent necessary to perform their functions Decisions and recommendations related to security are communicated and coordinated BP.07.01 BP.07.02 BP.07.03 BP.07.04 Define Coordination Objectives Identify Coordination Mechanisms Facilitate coordination Coordinate Security Decisions and Recommendations 50

PA 01: Administer Security Controls Goal Security controls are properly configured and used BP.01.01 BP.01.02 BP.01.03 BP.01.04 Establish Security Responsibilities Manage Security Configuration Manage Security Awareness, Training, and Education Programs Manage Security Services and Control Mechanisms 51

PA 08: Monitor Security Posture Goals Both internal and external security related events are detected and tracked Incident responses are in accordance with policy Changes to the operational security posture are identified and handled in accordance with the security objectives BP 08.01 BP 08.02 BP 08.03 BP 08.04 BP 08.05 BP.08.06 BP.08.07 Analyze Event Records Monitor Changes Identify Security Incidents Monitor Security Safeguards Review Security Posture Manage Security Incident Response Protect Security Monitoring Artifacts 52

How does the SSE-CMM define best practices? Domain Aspect process areas base practices Organizational Capability Aspect implementation of process areas institutionalization of process areas 53

SSE-CMM Base Architecture Three Domain Process Categories Security Engineering Project Organization Five Capability Levels Performed Informally Planned and Tracked Well Defined Quantitatively Controlled Continuously Improving 54

Organizational Capability Measures Incremental Improvement 3 Well-Defined Define a standard process Perform the defined process Coordinate practices 2 Planned and Tracked Plan Performance Disciplined Performance Verify Performance Track Performance 5 Continuously Improving Improve organizational capability Improve process effectiveness 4 Quantitatively Controlled Establish measurable quality goals Objectively manage performance 1 Performed Informally Base Practices Performed 55

SSE-CMM Model Architecture Domain Base Base Base Base Base Base Practices Areas Process Areas Areas Process Category Capability 5 Generic Practices Common Features Capability Level 4 3 2 1 0 56

Applying Capability Measures to Base Practices: the Rating Profile 5 4 Capability Level 3 2 1 0 PA01 PA02 PA03 PA04 PA05 Process Area 57

The SSE-CMM Appraisal Process Planning Phase Scope Appraisal Collect Preliminary Evidence Preparation Phase Prepare Appraisal Team Administer Questionnaire On-Site Phase Executive Brief/ Opening Meeting Interview Leads/ Practitioners Reporting Phase Develop Final Report Plan Appraisal Consolidate Evidence Analyze Evidence/ Questionnaire Analyze Data Establish Findings Develop Rating Profile Manage Records Conduct Wrap Up Report Appraisal Outcomes to Sponsor Manage Appraisal Artifacts Report Lessons 58 Learned

Using the SSE-CMM Acquisition Decisions System Development Product Vendors Compliance Service Providers Critical Business Operations SSE-CMM 59

Where is it taking hold? US National Security Agency (NSA) evaluating INFOSEC assessors capability trusted product evaluation support applying within to improve Canadian Communications Security Establishment (CSE) evaluating contractors capability trusted product evaluation support best practices for Canadian CERTs United States Agency for International Development framework for model security program component of best practices framework Internal Revenue Service Information Systems pilot program for improving security practices SSE-CMM Project Pilot Program organizations used results to improve practices 60

Contributors to Product/Project Success Product/Project Cost/Quality/Timeliness Process People Technology 61

Determining the right combination Top Level Claim People Argument Process Argument Environment Argument Technology Argument 62 Reference: Williams, Jeffrey; Jelen, George, A Framework for Reasoning about Assurance, April 23, 1998

Summary Why define best practices? Focus investments in security engineering practices How can they best be defined? Use an accepted and proven mechanism What is security engineering? No precise definition, but can discuss goals How does the SSE-CMM define best practices? Domain base practices Capability measures What is the relation between the SSE-CMM and other methods of obtaining assurance? SSE-CMM guides effectiveness of process all contribute to assurance 63

For More Information International Systems Security Engineering Association: www.issea.org Systems Security Engineering Capability Maturity Model www.sse-cmm.org 64

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information