
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition


Presentation Transcript


  1. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
     Chapter 9: The Systems Security Engineering Capability Maturity Model (ISO 21827)

  2. Objectives
     • Follow a staged enhancement process to increase system security capability
     • Ensure capability maturity based on best practices
     • Assess supplier fitness based on specified capability requirements
     • Assess internal capability based on a best-practice model
     • Target critical areas of security need based on a formal profile

  3. Overview of the SSE-CMM
     • The Systems Security Engineering Capability Maturity Model (SSE-CMM)
       • Also known as ISO/IEC 21827
     • Specifies a set of behaviors that an organization can adopt to ensure secure system and software engineering practice
     • Built around a staged grouping of security engineering best practices
     • Specifies security engineering practices for the organization as a whole

  4. Overview of the SSE-CMM
     • The SSE-CMM ensures that appropriate interactions take place with other disciplines, such as:
       • System software and hardware
       • Human factors security
       • Test engineering
       • System management
       • Operations and maintenance
     • The model provides recommendations covering acquisition, system management, certification, accreditation, and evaluation

  5. Overview of the SSE-CMM
     • Security controls are divided into two areas:
       • Security Base Practices
       • Project and Organizational Base Practices
     • Security Base Practices include 11 high-level control areas with a number of underlying controls
     • Project and Organizational Base Practices also include 11 high-level control areas and their own control objectives

  6. [Figure slide; no transcript text]

  7. Overview of the SSE-CMM
     • The capability maturity of the 22 control areas can be judged using a five-level scale:
       • Level 1, Performed Informally
       • Level 2, Planned and Tracked
       • Level 3, Managed
       • Level 4, Quantitative Management
       • Level 5, Optimizing

  8. Overview of the SSE-CMM
     • SSE-CMM allows an organization to manage product engineering risk at the organizational, enterprise, or project level
     • Its activities support managers, suppliers, buyers, developers, participants, and other stakeholders
       • By dictating a single set of key practices that can help manage a broad variety of risks while developing and procuring systems and software
     • The model helps improve the management of risks associated with purchasing or developing software or systems

  9. Overview of the SSE-CMM
     • An organization can increase its security engineering capability using the SSE-CMM
       • Can use it to help develop, manufacture, test, support, or maintain ICT systems and components
     • Best practices of the SSE-CMM help stakeholders develop a shared understanding of the relationships required to coordinate:
       • Schedules
       • Processes
       • Development practices

  10. Background: The SSE-CMM Collaboration
     • The SSE-CMM project grew out of a joint effort between government and industry
       • Was aimed at developing a model for security engineering
     • The overall goal was to provide a mechanism for selecting qualified security engineering suppliers
       • To underwrite overall capability-based assurance
     • Originated at the National Security Agency (NSA) in 1993
     • Eventually involved 42 companies and other government agencies

  11. Background: The SSE-CMM Collaboration
     • The model was approved by the ISO as an international standard in 2002
     • A second edition was approved by the ISO in 2008
     • The model can be used to evaluate best practices for enhanced system and software engineering capability
       • This makes it an excellent tool for determining supplier abilities and for making decisions about threats and risks that might be present in a worldwide ICT supply chain
     • The ability to ensure trust is essential for global business

  12. Background: The SSE-CMM Collaboration
     • The final product of this effort was the registration of ISO 21827 as a full international standard in 2002
     • The International System Security Engineering Association (ISSEA) was named as the assessor and registrar
       • For organizations that want to accredit their systems and software engineering processes to the standard

  13. Structure of the SSE-CMM/ISO 21827 Standard
     • SSE-CMM is meant to support self-assessment
     • Assesses processes based on a defined set of key functional elements and produces a set of ratings
       • Ratings are expressed in the form of a process profile
       • Each process is evaluated on a sliding scale
     • SSE-CMM assessment greatly increases the level of trust in the ISO 12207-2008 acquisition process
       • By reducing uncertainty in supplier selection
     • Suppliers can determine the capability maturity of their own system security processes

  14. Structure of the SSE-CMM/ISO 21827 Standard
     • Allows customers to identify common security risks associated with a given procurement project
     • Also allows customers to balance business needs, requirements, and estimated project costs
       • Against the known capability of competing suppliers
     • SSE-CMM compares the actual security capability of a selected process against a target capability profile
     • The outcomes of that comparison help the organization better identify missing or vulnerable security engineering functions

  15. The Base Practices of the SSE-CMM
     • The SSE-CMM embodies a set of standard base practices
       • Formal practices to ensure that work is executed correctly
     • Goal of base practices: to disconnect the security engineering process from the practices associated with overall good management
     • The model employs two dimensions:
       • Domain dimension
       • Capability dimension

  16. The Base Practices of the SSE-CMM
     • The domain dimension consists of all the base practices that collectively define security engineering
       • Requires the organization to have a formalized security process in place
     • The capability dimension consists of standard best practices to ensure correct process management
       • These apply across a wide range of domains
       • They represent activities that should normally occur while executing security base practices

  17. The Base Practices of the SSE-CMM
     • Related base practices are organized into common process areas for ease of use
     • Process area: a distinct collection of related practices with common features
     • Each process area embodies a set of organizational actions intended to successfully carry out the purposes of its base practices
       • Applies across the lifecycle of the enterprise and does not overlap with other base practices

  18. The Base Practices of the SSE-CMM
     • Each process area can be addressed as a distinct entity and can be implemented in multiple contexts throughout an organization and for various products
     • Satisfying the purpose of the process is the first step in building process capability
     • The model stipulates that security objectives are achieved by executing the base practices that underlie each process area

  19. Project and Organizational Base Practices
     • Project process areas are an important part of the SSE-CMM
       • They characterize actions that must be performed to satisfy the generic security practice goals of the standard
     • Each process area itemizes an explicit set of security activities that have to be carried out for the security engineering process to be considered secure
     • The next few slides summarize some process areas

  20. Project and Organizational Base Practices
     • PA12 - Ensure Quality - addresses system quality and the quality of the process used to create the system
       • Actions specified in this process area are used to measure and improve quality
     • PA13 - Manage Configurations - maintains the status of all project configurations and analyzes and controls changes to the system and its configurations

  21. Project and Organizational Base Practices
     • PA14 - Manage Project Risks - identifies, assesses, monitors, and mitigates risks to ensure the success of systems engineering activities
       • And of the overall technical effort
     • PA15 - Monitor and Control Technical Effort - contains the activities that control the project’s technical aspects
       • As well as its systems engineering effort
       • Activities include directing, tracking, and reviewing the project’s accomplishments, results, and risks

  22. Project and Organizational Base Practices
     • PA16 - Plan Technical Effort - defines the plans that guide the project
       • Plans provide the basis for scheduling, costing, controlling, tracking, and negotiating the technical work involved in systems engineering
     • PA17 - Define Systems Engineering Process - specifies and manages the organization’s standard systems engineering process
     • PA18 - Improve Systems Engineering Process - describes continuing activities to measure and improve the systems engineering process

  23. Project and Organizational Base Practices
     • PA19 - Manage Product Line Evolution - ensures that product development efforts achieve their strategic business purposes
       • Covers the practices associated with managing a product line, but not the product engineering itself
     • PA20 - Manage Systems Engineering Support Environment - applies to systems engineering support at both the project and organization level
       • The aim of this area is to maximize support capability

  24. Project and Organizational Base Practices
     • PA21 - Provide Ongoing Skills and Knowledge - provides security engineering training to ensure that project personnel have the necessary knowledge and skills to achieve objectives
     • PA22 - Coordinate with Suppliers - manages work done by other organizations based on a defined process
       • Other organizations include vendors, subcontractors, and partners

  25. Assuring an Organization’s System Security Engineering Capability
     • The SSE-CMM is meant to provide a general set of criteria for security best practice
       • Can be used to assess the security status of software and system engineering processes
     • Organizations perform the evaluation by determining the presence or absence of a set of security best practices
     • The comparison is then used to plan, manage, monitor, control, and improve the security of all technical processes in the 12207-2008 standard

  26. Assuring an Organization’s System Security Engineering Capability
     • At the management level:
       • The SSE-CMM generates practical information that allows decision makers to evaluate the security of software operation against business needs
     • The model focuses on process assessment, process improvement, and capability determination
     • SSE-CMM is useful for supply chain risk assessment
       • Assurance that a chain of suppliers is functioning properly

  27. Assuring an Organization’s System Security Engineering Capability
     • The SSE-CMM’s documentation and its baseline security practices are linked to the concepts in the process areas of ISO 12207-2008
     • Process domains for systems and software engineering in the SSE-CMM are the same as those covered by 12207:
       • Acquisition
       • Supply
       • Technical and implementation processes
       • Project, project-enabling, and supporting processes

  28. Architectural Components of the SSE-CMM
     • SSE-CMM implements two hierarchies:
       • The first consists of the traditional set of process categories, composed of base practices
       • Processes are then rated in terms of a second “assessment” hierarchy based on capability levels
     • The base practices represent unique actions taken within the process
       • They have to be performed in order to achieve the purposes of the process
     • The model requires an organization to judge whether each practice is being executed correctly

  29. [Figure slide; no transcript text]

  30. Process Capability Assessment
     • Capability level: the assessed level of competency for the execution of a practice
     • Capability levels create a way of progressing through the improvement of any given process
     • The reference model has six levels:
       • Incomplete
       • Performed
       • Managed
       • Established
       • Predictable
       • Optimizing

  31. Process Capability Assessment
     • Process maturity: the level of capability of a process based on practices and common features
     • Escalating levels of process maturity are built on a foundation of increasingly capable practices
     • Each process maturity level provides a major enhancement in capability over the process provided by its predecessors
     • Successfully satisfying a capability level within one process may require the presence of another process

  32. Process Capability Assessment
     • The SSE-CMM capability levels:
       • Incomplete - the process has no easily identifiable work products or outputs
       • Performed - base practices of the process are generally performed
         • Their performance might not be rigorously planned and tracked
       • Managed - performance is planned and tracked, and the organization verifies that practices were performed according to specified procedures

  33. Process Capability Assessment
     • The SSE-CMM capability levels (cont’d):
       • Established - base practices are performed according to a well-defined process using approved, tailored versions of standards and documented processes
       • Predictable - execution of the process is fully reliable because detailed measures of performance are collected and analyzed
       • Optimizing - the organization establishes goals for determining the effectiveness of quantitative processes based on goals

  34. Process Capability Evaluations
     • SSE-CMM processes probably exist at different levels of capability in most organizations
     • The order in which actions are initiated at each capability level matters
       • Certain activities must be performed before other actions can be effective
     • Common features: correct characteristics of a practice that can be confirmed by observation
       • Each common feature of the SSE-CMM addresses a specific aspect of process implementation

  35. Process Capability Evaluations
     • Common features and their required activities provide a baseline for improving process capability
     • The generic base and organizational practices grouped into each common feature provide a basis for understanding the actions required to achieve a given capability level
     • If some requirements were not achieved for a common feature at a given capability level:
       • The assessment shows the organization operating at the lowest completed capability level
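As an added worked example (not from the slides or from ISO 21827 itself), the Python below builds a process profile from per-level assessor ratings using the lowest-completed-level rule on this slide and compares it with a target capability profile as described on slide 14. The 0..5 numbering of the six level names, the rating format, and all process-area ratings and target levels are assumptions constructed for the example.

```python
"""Constructed SSE-CMM style profile comparison (example, not the standard's text)."""

from typing import Dict, Tuple

# Level names from slide 30; numbering them 0..5 is an assumption of this example.
LEVEL_NAMES = ["Incomplete", "Performed", "Managed", "Established",
               "Predictable", "Optimizing"]

# Constructed assessor ratings: for each process area, per level, whether every
# common feature required at that level was satisfied. PA names are from the slides.
ASSESSOR_RATINGS: Dict[str, Dict[int, bool]] = {
    "PA12 Ensure Quality":            {1: True, 2: True, 3: True, 4: True, 5: True},
    "PA13 Manage Configurations":     {1: True, 2: True, 3: True, 4: False, 5: False},
    "PA14 Manage Project Risks":      {1: True, 2: False, 3: True, 4: True, 5: False},
    "PA22 Coordinate with Suppliers": {1: False, 2: False, 3: False, 4: False, 5: False},
}

# Constructed target capability profile a customer might require of a supplier.
TARGET_PROFILE: Dict[str, int] = {
    "PA12 Ensure Quality": 3,
    "PA13 Manage Configurations": 3,
    "PA14 Manage Project Risks": 3,
    "PA22 Coordinate with Suppliers": 2,
}


def capability_level(satisfied: Dict[int, bool]) -> int:
    """Highest level L such that levels 1..L are all fully satisfied.

    Levels build on their predecessors (slide 31), so a miss at level k caps the
    rating at k-1 even when higher levels happen to be satisfied: the assessment
    reports the lowest completed level (slide 35).
    """
    level = 0
    for k in range(1, len(LEVEL_NAMES)):
        if not satisfied.get(k, False):
            break
        level = k
    return level


def process_profile(ratings: Dict[str, Dict[int, bool]]) -> Dict[str, int]:
    """The process profile (slide 13): one capability level per process area."""
    return {pa: capability_level(r) for pa, r in ratings.items()}


def capability_gaps(actual: Dict[str, int],
                    target: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Process areas rated below the target profile, as (actual, target) pairs.

    A process area missing from the assessment counts as level 0 (Incomplete).
    """
    return {pa: (actual.get(pa, 0), want)
            for pa, want in target.items() if actual.get(pa, 0) < want}


def meets_target(ratings: Dict[str, Dict[int, bool]], target: Dict[str, int]) -> bool:
    """Supplier fitness check (slide 41): true only when no gaps remain."""
    return not capability_gaps(process_profile(ratings), target)


if __name__ == "__main__":
    profile = process_profile(ASSESSOR_RATINGS)
    for pa, lvl in profile.items():
        print(f"{pa}: level {lvl} ({LEVEL_NAMES[lvl]})")
    for pa, (have, want) in capability_gaps(profile, TARGET_PROFILE).items():
        print(f"GAP {pa}: assessed {LEVEL_NAMES[have]}, target {LEVEL_NAMES[want]}")
    print("meets target profile:", meets_target(ASSESSOR_RATINGS, TARGET_PROFILE))
```

With the sample ratings, PA14 is rated Performed rather than Predictable because its level 2 common features were not met, which is exactly the case the slide describes.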

  36. Process Capability Evaluations
     • The capability levels of the SSE-CMM are based on a set of defined base and organizational practices
     • Organizations can identify an explicit sequence for implementing these practices
       • But the order is not implicit in the model itself
     • The capabilities needed for any given process depend on its context
       • Context influences the degree to which an auditor can compare the overall results of a process maturity assessment with required practice

  37. Determining Capability Using the SSE-CMM Assessment Model
     • The SSE-CMM assessment model can give an organization an overall rating of capability maturity
       • Or it can provide an assessment of the capability of a specific process instance
     • A process instance is a unique occurrence of a process
       • Can be used to ensure repeatability
     • Practice adequacy is a rating of the extent to which a practice meets its purpose

  38. Determining Capability Using the SSE-CMM Assessment Model
     • The results of practice adequacy assessment support the organization’s overall business requirements
       • Helps managers decide whether the processes are effective in achieving their goals
       • Helps identify significant causes of poor quality or time and cost overruns
       • Helps set priorities for improving the process

  39. The SSE-CMM Assessment Process
     • The overall aim of the assessment process is to make an organization’s base practices:
       • Repeatable
       • Reliable
       • Consistent
     • Base practices enable an organization to take objective measurements of SSE-CMM processes
       • By stipulating a comprehensive set of activities that indicate capability

  40. The SSE-CMM Assessment Process
     • Considerations when using the model to improve security engineering:
       • How the assessment results are interpreted and applied
       • How the model’s best practices are implemented as a result of that interpretation
       • How the implementation is measured and judged to be effective
       • How the organization can make a business case from the assessment results
       • How an organization can create and sustain a culture of improving capability and security

  41. Using Targeted Assessments to Ensure Supplier Capability
     • Organizations can use the SSE-CMM to determine supplier capability
       • By comparing perceived risks against potential return on investment
     • A supplier capability assessment can also provide trust for complex situations and future projects
     • SSE-CMM helps the customer rate potential suppliers against target capability levels
       • The customer can see potential gaps in a supplier’s security engineering and other capabilities

  42. Using Targeted Assessments to Ensure Supplier Capability
     • A capability assessment can be used to tell:
       • The supplier what risks are associated with a new project
       • The customer whether the supplier’s system security engineering is trustworthy
     • The ability of suppliers and customers to know the above provides them with a major competitive advantage for doing business in a global economy

  43. Summary
     • Organizations should perform a set of prescribed activities to ensure that they have secure engineering
     • Each organization creates a profile to describe the base practices it will assess
     • Base practices specify the what but not the how of system engineering
     • In addition to base practices, the other common features of the SSE-CMM are the organizational practices

  44. Summary
     • The context and situation are important when defining the actual form of a base practice
     • An organization can apply a standard process to evaluate its capability maturity in system security engineering
     • An organization can use the SSE-CMM to determine supplier capability; these determinations can establish trust in a global outsourced environment
