cybersecurity: engineering a secure information technology organization, 1st edition

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition Chapter 9 The Systems Security Engineering Capability Maturity Model (ISO 21827)

Upload: venice

Post on 07-Jan-2016


DESCRIPTION

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 9 The Systems Security Engineering Capability Maturity Model (ISO 21827). Objectives. Follow a staged enhancement process to increase system security capability - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Chapter 9
The Systems Security Engineering Capability Maturity Model (ISO 21827)

Page 2: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

© Cengage Learning 2015

Objectives

• Follow a staged enhancement process to increase system security capability
• Ensure capability maturity based on best practices
• Assess supplier fitness based on specified capability requirements
• Assess internal capability based on a best-practice model
• Target critical areas of security need based on a formal profile

Page 3: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Overview of the SSE-CMM

• The Systems Security Engineering Capability Maturity Model (SSE-CMM)
  – Also known as ISO/IEC 21827
  – Specifies a set of behaviors that an organization can adopt to ensure secure system and software engineering practice
  – Built around a staged grouping of security engineering best practices
  – Specifies security engineering practices for the organization as a whole

Page 4: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Overview of the SSE-CMM

• SSE-CMM ensures that appropriate interactions take place with other disciplines, such as:
  – System software and hardware
  – Human factors security
  – Test engineering
  – System management
  – Operations and maintenance
• The model provides recommendations to ensure acquisition, system management, certification, accreditation, and evaluation

Page 5: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Overview of the SSE-CMM

• Security controls are divided into two areas:
  – Security Base Practice
  – Project and Organizational Base Practice
• Security Base Practice includes 11 high-level control areas with a number of underlying controls
• Project and Operational Base Practice also includes 11 high-level control areas and their own control objectives

Page 6: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition


Page 7: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Overview of the SSE-CMM

• The capability maturity of the 22 control areas can be judged using a five-level scale:
  – Level 1, Performed Informally
  – Level 2, Planned and Tracked
  – Level 3, Managed
  – Level 4, Quantitative Management
  – Level 5, Optimizing

Page 8: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Overview of the SSE-CMM

• SSE-CMM allows an organization to manage product engineering risk at the organizational, enterprise, or project level
• Activities support managers, suppliers, buyers, developers, participants, and other stakeholders
  – By dictating a single set of key practices that can help manage a broad variety of risks while developing and procuring systems and software
• The model helps improve the management of risks associated with purchasing or developing software or systems

Page 9: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Overview of the SSE-CMM

• An organization can increase its security engineering capability using the SSE-CMM
  – Can use it to help develop, manufacture, test, support, or maintain ICT systems and components
• Best practices of the SSE-CMM help stakeholders develop a shared understanding of the relationships required to coordinate:
  – Schedules
  – Processes
  – Development practices

Page 10: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Background: The SSE-CMM Collaboration

• SSE-CMM project grew out of a joint effort between government and industry
  – Was aimed at developing a model for security engineering
• Overall goal was to provide a mechanism for selecting qualified security engineering suppliers
  – To underwrite overall capability-based assurance
• Originated at the National Security Agency (NSA) in 1993
• Eventually involved 42 companies and other government agencies

Page 11: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Background: The SSE-CMM Collaboration

• The model was approved by the ISO as an international standard in 2002
  – A second edition was approved by the ISO in 2008
• The model can be used to evaluate best practices for enhanced system and software engineering capability
  – Makes it an excellent tool for determining supplier abilities and to make decisions about threats and risks that might be present in a worldwide ICT supply chain
• Ability to ensure trust is essential for global business

Page 12: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Background: The SSE-CMM Collaboration

• The final product of this effort was the registration of ISO 21827 as a full international standard in 2002
• The International System Security Engineering Association (ISSEA) was named as the assessor and registrar
  – For organizations that wanted to accredit their systems and software engineering processes to the standard

Page 13: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Structure of the SSE-CMM/ISO 21827 Standard

• SSE-CMM is meant to support self-assessment
• Assesses processes based on a defined set of key functional elements and produces a set of ratings
  – Ratings are expressed in the form of a process profile
  – Evaluate each process on a sliding scale
• SSE-CMM assessment greatly increases the level of trust in the ISO 12207-2008 acquisition process
  – By reducing uncertainty in supplier selection
• Suppliers can determine the capability maturity of their own system security processes

Page 14: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Structure of the SSE-CMM/ISO 21827 Standard

• Allows customers to identify common security risks associated with a given procurement project
• Also allows customers to balance business needs, requirements, and estimated project costs
  – Against the known capability of competing suppliers
• SSE-CMM compares the actual security capability of a selected process against a target capability profile
  – The outcomes of that comparison help the organization better identify missing or vulnerable security engineering functions

Page 15: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

The Base Practices of the SSE-CMM

• The SSE-CMM embodies a set of standard base practices
  – Formal practices to ensure that work is executed correctly
• Goal of base practices: to disconnect the security engineering process from the practices associated with overall good management
• The model employs two dimensions called:
  – Domain dimension
  – Capability dimension

Page 16: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

The Base Practices of the SSE-CMM

• The domain dimension consists of all the base practices that collectively define security engineering
  – Requires the organization to have a formalized security process in place
• The capability dimension consists of standard best practices to ensure correct process management
  – Apply across a wide range of domains
  – Represents activities that should normally occur while executing security base practices

Page 17: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

The Base Practices of the SSE-CMM

• Related base practices are organized into common process areas for ease of use
• Process area: distinct collection of related practices with common features
• Each process area embodies a set of organizational actions intended to successfully carry out the purposes of base practice
  – Applies across the lifecycle of the enterprise and does not overlap with other base practices

Page 18: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

The Base Practices of the SSE-CMM

• Each process area can be addressed as a distinct entity and can be implemented in multiple contexts throughout an organization and for various products
• Satisfying the purpose of the process is the first step in building process capability
• The model does stipulate that security objectives are achieved by executing the base practices that underlie each process area

Page 19: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Project and Organizational Base Practices

• Project process areas are an important part of the SSE-CMM
  – They characterize actions that must be performed to satisfy the generic security practice goals of the standard
• Each process area itemizes an explicit set of security activities that have to be carried out for the security engineering process to be considered secure
• The next few slides summarize some process areas

Page 20: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Project and Organizational Base Practices

• PA12 - Ensure Quality - to address system quality and the quality of the process used to create the system
  – Actions specified in this process are used to measure and improve quality
• PA13 - Manage Configurations - to maintain the status of all project configurations and to analyze/control changes to the system and its configurations

Page 21: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Project and Organizational Base Practices

• PA14 - Manage Project Risks - to identify, assess, monitor, and mitigate risks to ensure the success of systems engineering activities
  – And the overall technical effort
• PA15 - Monitor and Control Technical Effort - contains the activities that control the project’s technical aspects
  – As well as its systems engineering effort
  – Activities include directing, tracking, and reviewing the project’s accomplishments, results and risks

Page 22: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Project and Organizational Base Practices

• PA16 - Plan Technical Effort - defines the plans that guide the project
  – Plans provide the basis for scheduling, costing, controlling, tracking, and negotiating the technical work involved in system engineering
• PA17 - Define Systems Engineering Process - specifies and manages the organization’s standard system engineering
• PA18 - Improve Systems Engineering Process - describes continuing activities to measure and improve systems engineering

Page 23: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Project and Organizational Base Practices

• PA19 - Manage Product Line Evolution - ensures that product development efforts achieve their strategic business purposes
  – Covers the practices associated with managing a product line, but not the product engineering itself
• PA20 - Manage Systems Engineering Support Environment - applies to systems engineering support at both the project and organization level
  – The aim of this area is to maximize support capability

Page 24: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Project and Organizational Base Practices

• PA21 - Provide Ongoing Skills and Knowledge - provides training for the organization’s security engineering to ensure that project personnel have the necessary knowledge and skills to achieve objectives
• PA22 - Coordinate with Suppliers - to manage work done by other organizations based on a defined process
  – Other organizations include vendors, subcontractors, and partners

Page 25: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Assuring an Organization’s System Security Engineering Capability

• The SSE-CMM is meant to provide a general set of criteria for security best practice
  – Can be used to assess the security status of software and system engineering processes
• Organizations perform the evaluation by determining the presence or absence of a set of security best practices
  – The comparison is then used to plan, manage, monitor, control, and improve the security of all technical processes in the 12207-2008 standard

Page 26: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Assuring an Organization’s System Security Engineering Capability

• At the management level
  – The SSE-CMM generates practical information that allows decision makers to evaluate security of software operation against business needs
• The model focuses on process assessment, process improvement, and capability determination
• SSE-CMM is useful for supply chain risk assessment
  – Assurance that a chain of suppliers is functioning properly

Page 27: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Assuring an Organization’s System Security Engineering Capability

• The SSE-CMM’s documentation and its baseline security practices are linked to the concepts in process areas of ISO 12207-2008
• Process domains for systems and software engineering in the SSE-CMM are the same as those covered by 12207:
  – Acquisition
  – Supply
  – Technical and implementation processes
  – Project, project-enabling, and supporting processes

Page 28: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Architectural Components of the SSE-CMM

• SSE-CMM implements two hierarchies:
  – The first consists of the traditional set of process categories, composed of base practices
  – Processes are then rated in terms of a second “assessment” hierarchy based on capability levels
• The base practices represent unique actions taken within the process
  – Have to be performed in order to achieve the purposes of the process
• The model requires an organization to judge whether each practice is being executed correctly

Page 29: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition


Page 30: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Assessment

• Capability level: the assessed level of competency for the execution of a practice
• Capability levels create a way of progressing through the improvement of any given process
• The reference model has six levels:
  – Incomplete
  – Performed
  – Managed
  – Established
  – Predictable
  – Optimizing

Page 31: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Assessment

• Process maturity: the level of capability of a process based on practices and common features
• Escalating levels of process maturity are built on a foundation of increasingly capable practices
• Each process maturity level provides a major enhancement in capability from the process provided by its predecessors
• The successful satisfaction of a capability level within one process may require the presence of another process

Page 32: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Assessment

• The SSE-CMM capability levels:
  – Incomplete - the process has no easily identifiable work products or outputs
  – Performed - base practices of the process are generally performed
    • Their performance might not be rigorously planned and tracked
  – Managed - performance is planned and tracked, and the organization verifies that practices were performed according to specified procedures

Page 33: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Assessment

• The SSE-CMM capability levels (cont’d):
  – Established - base practices are performed according to a well-defined process using approved, tailored versions of standards and documented processes
  – Predictable - execution of the process is fully reliable because detailed measures of performance are collected and analyzed
  – Optimizing - organization establishes goals for determining the effectiveness of quantitative processes based on goals

Page 34: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Evaluations

• SSE-CMM processes probably exist at different levels of capability in most organizations
• The order of the actions initiated at each capability level is necessary
  – Certain activities must be performed before other actions can be effective
• Common features: correct characteristics of a practice that can be confirmed by observation
• The SSE-CMM has common features that address a specific aspect of process implementation

Page 35: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Evaluations

• Common features and their required activities provide a baseline for improving process capability
• The generic base and organizational practices grouped into each common feature provide a basis for understanding the actions required to achieve a given capability level
• If some requirements were not achieved for a common feature at a given capability level:
  – The assessment shows where the organization is operating at the lowest completed capability level

Page 36: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Process Capability Evaluations

• The capability levels of the SSE-CMM are based on a set of defined base and organizational practices
• Organizations can identify an explicit sequence for implementing these practices
  – But the order is not implicit in the model itself
• The capabilities needed for any given process depend on its context
  – Context influences the degree to which an auditor can compare the overall results of a process maturity assessment with required practice

Page 37: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Determining Capability Using the SSE-CMM Assessment Model

• The SSE-CMM assessment model can give an organization an overall rating of capability maturity
  – Or it can provide an assessment of the capability of a specific process instance
• A process instance is a unique occurrence of a process
  – Can be used to ensure repeatability
• Practice adequacy is a rating of the extent to which a practice meets its purpose

Page 38: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Determining Capability Using the SSE-CMM Assessment Model

• The results of practice adequacy assessment support the organization’s overall business requirements
  – Helps managers decide whether the processes are effective in achieving their goals
  – Helps identify significant causes of poor quality or time and cost overruns
  – Helps set priorities for improving the process

Page 39: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

The SSE-CMM Assessment Process

• Overall aim of the assessment process is to make an organization’s base practices:
  – Repeatable
  – Reliable
  – Consistent
• Base practices enable an organization to take objective measurements of SSE-CMM processes
  – By stipulating a comprehensive set of activities that indicate capability

Page 40: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

The SSE-CMM Assessment Process

• Considerations when using the model to improve security engineering:
  – How the assessment results are interpreted and applied
  – How the model’s best practices are implemented as a result of that interpretation
  – How the implementation is measured and judged to be effective
  – How the organization can make a business case from the assessment results
  – How an organization can create and sustain a culture of improving capability and security

Page 41: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Using Targeted Assessments to Ensure Supplier Capability

• Organizations can use the SSE-CMM to determine supplier capability
  – By comparing perceived risks against potential return on investment
• A supplier capability assessment can also provide trust for complex situations and future projects
• SSE-CMM helps the customer rate potential suppliers against target capability levels
  – Customer can see potential gaps in a supplier’s security engineering and other capabilities

Page 42: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Using Targeted Assessments to Ensure Supplier Capability

• A capability assessment can be used to tell:
  – The supplier what risks are associated with a new project
  – The customer whether the supplier’s system security engineering is trustworthy
• The ability of suppliers and customers to know the above provides them with a major competitive advantage for doing business in a global economy

Page 43: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Summary

• Organizations should perform a set of prescribed activities to ensure that they have secure engineering
• Each organization creates a protection to describe the base practices it will assess
• Base practices specify the what but not the how of system engineering
• In addition to base practices, the other common features of the SSE-CMM are the organizational practices

Page 44: Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Summary

• The context and situation are important when defining the actual form of a base practice
• An organization can apply a standard process to evaluate its capability maturity in system security engineering
• An organization can use the SSE-CMM to determine supplier capability; these determinations can establish trust in a global outsourced environment