Overview of the SSE-CMM

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 9: The Systems Security Engineering Capability Maturity Model (ISO 21827)
Cengage Learning 2015

Objectives
• Follow a staged enhancement process to increase system security capability
• Ensure capability maturity based on best practices
• Assess supplier fitness based on specified capability requirements
• Assess internal capability based on a best-practice model
• Target critical areas of security need based on a formal profile

Overview of the SSE-CMM
• The Systems Security Engineering Capability Maturity Model (SSE-CMM), also known as ISO/IEC 21827, specifies a set of behaviors that an organization can adopt to ensure secure system and software engineering practice
• Built around a staged grouping of security engineering best practices
• Specifies security engineering practices for the organization as a whole
• The SSE-CMM ensures that appropriate interactions take place with other disciplines, such as:
  • System software and hardware
  • Human factors security
  • Test engineering
  • System management
  • Operations and maintenance
• The model provides recommendations to ensure acquisition, system management, certification, accreditation, and evaluation
• Security controls are divided into two areas:
  • Security Base Practice
  • Project and Organizational Base Practice
• Security Base Practice includes 11 high-level control areas with a number of underlying controls
• Project and Organizational Base Practice also includes 11 high-level control areas and their own control objectives
• The capability maturity of the 22 control areas can be judged using a five-level scale:
  • Level 1, Performed Informally
  • Level 2, Planned and Tracked
  • Level 3, Managed
  • Level 4, Quantitative Management
  • Level 5, Optimizing

Overview of the SSE-CMM
• SSE-CMM allows an organization to manage product engineering risk at the organizational, enterprise, or project level
• Activities support managers, suppliers, buyers, developers, participants, and other stakeholders by dictating a single set of key practices that can help manage a broad variety of risks while developing and procuring systems and software
• The model helps improve the management of risks associated with purchasing or developing software or systems
• An organization can increase its security engineering capability using the SSE-CMM, and can use it to help develop, manufacture, test, support, or maintain ICT systems and components
• Best practices of the SSE-CMM help stakeholders develop a shared understanding of the relationships required to coordinate:
  • Schedules
  • Processes
  • Development practices

Background: The SSE-CMM Collaboration
• The SSE-CMM project grew out of a joint effort between government and industry aimed at developing a model for security engineering
• The overall goal was to provide a mechanism for selecting qualified security engineering suppliers, to underwrite overall capability-based assurance
• Originated at the National Security Agency (NSA) in 1993; eventually involved 42 companies and other government agencies
• The model was approved by the ISO as an international standard in 2002; a second edition was approved by the ISO in 2008
• The model can be used to evaluate best practices for enhanced system and software engineering capability, which makes it an excellent tool for determining supplier abilities and for making decisions about threats and risks that might be present in a worldwide ICT supply chain
• The ability to ensure trust is essential for global business
• The final product of this effort was the registration of ISO 21827 as a full international standard in 2002
• The International System Security Engineering Association (ISSEA) was named as the assessor and registrar for organizations wanting to accredit their systems and software engineering processes to the standard

Structure of the SSE-CMM/ISO 21827 Standard
• SSE-CMM is meant to support self-assessment
• Assesses processes based on a defined set of key functional elements and produces a set of ratings
• Ratings are expressed in the form of a process profile; each process is evaluated on a sliding scale
• SSE-CMM assessment greatly increases the level of trust in the ISO 12207-2008 acquisition process by reducing uncertainty in supplier selection
• Suppliers can determine the capability maturity of their own system security processes
• Allows customers to identify common security risks associated with a given procurement project
• Also allows customers to balance business needs, requirements, and estimated project costs against the known capability of competing suppliers
• SSE-CMM compares the actual security capability of a selected process against a target capability profile; the outcomes of that comparison help the organization better identify missing or vulnerable security engineering functions

The Base Practices of the SSE-CMM
• The SSE-CMM embodies a set of standard base practices: formal practices to ensure that work is executed correctly
• Goal of base practices: to disconnect the security engineering process from the practices associated with overall good management
• The model employs two dimensions:
  • Domain dimension
  • Capability dimension
• The domain dimension consists of all the base practices that collectively define security engineering; it requires the organization to have a formalized security process in place
• The capability dimension consists of standard best practices to ensure correct process management; these apply across a wide range of domains and represent activities that should normally occur while executing security base practices
• Related base practices are organized into common process areas for ease of use
• Process area: a distinct collection of related practices with common features
• Each process area embodies a set of organizational actions intended to successfully carry out the purposes of base practice; it applies across the lifecycle of the enterprise and does not overlap with other base practices
• Each process area can be addressed as a distinct entity and can be implemented in multiple contexts throughout an organization and for various products
• Satisfying the purpose of the process is the first step in building process capability
• The model does stipulate that security objectives are achieved by executing the base practices that underlie each process area

Project and Organizational Base Practices
• Project process areas are an important part of the SSE-CMM; they characterize actions that must be performed to satisfy the generic security practice goals of the standard
• Each process area itemizes an explicit set of security activities that have to be carried out for the security engineering process to be considered secure
• The following process areas are summarized:
• PA12 - Ensure Quality: addresses system quality and the quality of the process used to create the system; actions specified in this process are used to measure and improve quality
• PA13 - Manage Configurations: maintains the status of all project configurations and analyzes/controls changes to the system and its configurations
• PA14 - Manage Project Risks: identifies, assesses, monitors, and mitigates risks to ensure the success of systems engineering activities and the overall technical effort
• PA15 - Monitor and Control Technical Effort: contains the activities that control the project's technical aspects as well as its systems engineering effort; activities include directing, tracking, and reviewing the project's accomplishments, results, and risks
• PA16 - Plan Technical Effort: defines the plans that guide the project; plans provide the basis for scheduling, costing, controlling, tracking, and negotiating the technical work involved in system engineering
• PA17 - Define Systems Engineering Process: specifies and manages the organization's standard system engineering process
• PA18 - Improve Systems Engineering Process: describes continuing activities to measure and improve systems engineering
• PA19 - Manage Product Line Evolution: ensures that product development efforts achieve their strategic business purposes; covers the practices associated with managing a product line, but not the product engineering itself
• PA20 - Manage Systems Engineering Support Environment: applies to systems engineering support at both the project and organization level; the aim of this area is to maximize support capability
• PA21 - Provide Ongoing Skills and Knowledge: provides training for the organization's security engineering to ensure that project personnel have the necessary knowledge and skills to achieve objectives
• PA22 - Coordinate with Suppliers: manages work done by other organizations based on a defined process; other organizations include vendors, subcontractors, and partners

Assuring an Organization's System Security Engineering Capability
• The SSE-CMM is meant to provide a general set of criteria for security best practice; it can be used to assess the security status of software and system engineering processes
• Organizations perform the evaluation by determining the presence or absence of a set of security best practices
• The comparison is then used to plan, manage, monitor, control, and improve the security of all technical processes in the 12207-2008 standard
• At the management level, the SSE-CMM generates practical information that allows decision makers to evaluate the security of software operation against business needs
• The model focuses on process assessment, process improvement, and capability determination
• SSE-CMM is useful for supply chain risk assessment: assurance that a chain of suppliers is functioning properly
• The SSE-CMM's documentation and its baseline security practices are linked to the concepts in the process areas of ISO 12207-2008
• Process domains for systems and software engineering in the SSE-CMM are the same as those covered by 12207:
  • Acquisition
  • Supply
  • Technical and implementation processes
  • Project, project-enabling, and supporting processes

Architectural Components of the SSE-CMM
• SSE-CMM implements two hierarchies: the first consists of the traditional set of process categories, composed of base practices; processes are then rated in terms of a second assessment hierarchy based on capability levels
• The base practices represent unique actions taken within the process that have to be performed in order to achieve the purposes of the process
• The model requires an organization to judge whether each practice is being executed correctly

Process Capability Assessment
• Capability level: the assessed level of competency for the execution of a practice
• Capability levels create a way of progressing through the improvement of any given process
• The reference model has six levels:
  • Incomplete
  • Performed
  • Managed
  • Established
  • Predictable
  • Optimizing
• Process maturity: the level of capability of a process based on practices and common features
• Escalating levels of process maturity are built on a foundation of increasingly capable practices
• Each process maturity level provides a major enhancement in capability over the process provided by its predecessors
• The successful satisfaction of a capability level within one process may require the presence of another process
• The SSE-CMM capability levels:
  • Incomplete: the process has no easily identifiable work products or outputs
  • Performed: base practices of the process are generally performed, though their performance might not be rigorously planned and tracked
  • Managed: performance is planned and tracked, and the organization verifies that practices were performed according to specified procedures
  • Established: base practices are performed according to a well-defined process using approved, tailored versions of standards and documented processes
  • Predictable: execution of the process is fully reliable because detailed measures of performance are collected and analyzed
  • Optimizing: the organization establishes goals for determining the effectiveness of its quantitative processes, and improves against those goals

Process Capability Evaluations
• SSE-CMM processes probably exist at different levels of capability in most organizations
• The order of the actions initiated at each capability level is necessary: certain activities must be performed before other actions can be effective
• Common features: correct characteristics of a practice that can be confirmed by observation
• The SSE-CMM has common features that each address a specific aspect of process implementation
• Common features and their required activities provide a baseline for improving process capability
• The generic base and organizational practices grouped into each common feature provide a basis for understanding the actions required to achieve a given capability level
• If some requirements were not achieved for a common feature at a given capability level, the assessment shows the organization operating at the lowest completed capability level
• The capability levels of the SSE-CMM are based on a set of defined base and organizational practices
• Organizations can identify an explicit sequence for implementing these practices, but the order is not implicit in the model itself
• The capabilities needed for any given process depend on its context; context influences the degree to which an auditor can compare the overall results of a process maturity assessment with required practice

Determining Capability Using the SSE-CMM Assessment Model
• The SSE-CMM assessment model can give an organization an overall rating of capability maturity, or it can provide an assessment of the capability of a specific process instance
• A process instance is a unique occurrence of a process; it can be used to ensure repeatability
• Practice adequacy is a rating of the extent to which a practice meets its purpose
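The rating rule above (a common feature missed at one level leaves the process area at the lowest completed level) and the comparison of a rated process profile against a target capability profile, as an added example; this is not code from the page or from ISO 21827, and the common-feature names, assessment results and target levels are constructed sample input, with only the six level names taken from the page.

```python
# Added example: rate SSE-CMM process areas and run a target-profile gap analysis.
# Feature names, assessment results and targets below are constructed sample data.

# Capability levels as listed on the page: index 0 is Incomplete, 5 is Optimizing.
LEVELS = ["Incomplete", "Performed", "Managed", "Established", "Predictable", "Optimizing"]


def rate_process_area(results):
    """Return the capability level (0-5) for one process area.

    results maps level (1..5) -> {common_feature_name: satisfied (bool)}.
    A level is completed only if every common feature at that level is
    satisfied and every lower level is completed, so a miss at level k
    yields k-1 (the lowest completed level) even if higher levels look good.
    """
    rated = 0
    for level in range(1, len(LEVELS)):
        features = results.get(level)
        if not features or not all(features.values()):
            break  # first incomplete level ends the climb
        rated = level
    return rated


def process_profile(assessment):
    """Map each process area to its rated level name (the process profile)."""
    return {pa: LEVELS[rate_process_area(r)] for pa, r in assessment.items()}


def gap_analysis(assessment, target_profile):
    """Compare rated levels with a target capability profile.

    Returns {process_area: (actual, target, shortfall)} for every process
    area below its target; areas at or above target are omitted, and areas
    in the target but absent from the assessment rate as 0 (Incomplete).
    """
    gaps = {}
    for pa, target in target_profile.items():
        actual = rate_process_area(assessment.get(pa, {}))
        if actual < target:
            gaps[pa] = (actual, target, target - actual)
    return gaps


# Constructed sample assessment of three of the page's process areas.
SAMPLE_ASSESSMENT = {
    "PA13 Manage Configurations": {
        1: {"base practices performed": True},
        2: {"planned": True, "tracked": True, "verified": True},
        3: {"standard process defined": True, "defined process used": True},
        4: {"quality goals set": False, "performance managed": True},
    },
    # Level 3 features are met, but one level 2 feature is not, so this
    # area rates as Performed (level 1), the lowest completed level.
    "PA14 Manage Project Risks": {
        1: {"base practices performed": True},
        2: {"planned": True, "tracked": False, "verified": True},
        3: {"standard process defined": True, "defined process used": True},
    },
    "PA22 Coordinate with Suppliers": {
        1: {"base practices performed": False},
    },
}

# Constructed target capability profile (levels the organization wants).
TARGET_PROFILE = {
    "PA13 Manage Configurations": 3,
    "PA14 Manage Project Risks": 3,
    "PA22 Coordinate with Suppliers": 2,
}

if __name__ == "__main__":
    for pa, name in process_profile(SAMPLE_ASSESSMENT).items():
        print(f"{pa}: {name}")
    for pa, (actual, target, short) in gap_analysis(SAMPLE_ASSESSMENT, TARGET_PROFILE).items():
        print(f"GAP {pa}: at {LEVELS[actual]} ({actual}), target {LEVELS[target]} ({target}), short by {short}")
```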

Determining Capability Using the SSE-CMM Assessment Model (cont'd)
• The results of practice adequacy assessment support the organization's overall business requirements:
  • Help managers decide whether the processes are effective in achieving their goals
  • Help identify significant causes of poor quality or time and cost overruns
  • Help set priorities for improving the process

The SSE-CMM Assessment Process
• The overall aim of the assessment process is to make an organization's base practices:
  • Repeatable
  • Reliable
  • Consistent
• Base practices enable an organization to take objective measurements of SSE-CMM processes by stipulating a comprehensive set of activities that indicate capability
• Considerations when using the model to improve security engineering:
  • How the assessment results are interpreted and applied
  • How the model's best practices are implemented as a result of that interpretation
  • How the implementation is measured and judged to be effective
  • How the organization can make a business case from the assessment results
  • How an organization can create and sustain a culture of improving capability and security

Using Targeted Assessments to Ensure Supplier Capability
• Organizations can use the SSE-CMM to determine supplier capability by comparing perceived risks against potential return on investment
• A supplier capability assessment can also provide trust for complex situations and future projects
• SSE-CMM helps the customer rate potential suppliers against target capability levels; the customer can see potential gaps in a supplier's security engineering and other capabilities
• A capability assessment can be used to tell:
  • The supplier what risks are associated with a new project
  • The customer whether the supplier's system security engineering is trustworthy
• The ability of suppliers and customers to know the above provides them with a major competitive advantage for doing business in a global economy

Summary
• Organizations should perform a set of prescribed activities to ensure that they have secure engineering
• Each organization creates a profile to describe the base practices it will assess
• Base practices specify the "what" but not the "how" of system engineering
• In addition to base practices, the other common features of the SSE-CMM are the organizational practices
• The context and situation are important when defining the actual form of a base practice
• An organization can apply a standard process to evaluate its capability maturity in system security engineering
• An organization can use the SSE-CMM to determine supplier capability; these determinations can establish trust in a global outsourced environment
