
System Security Engineering - Capability Maturity Model SSE-CMM


Presentation Transcript


    1. Page 1 System Security Engineering - Capability Maturity Model (SSE-CMM) Project Status Report
        Ron Knode, Computer Sciences Corporation
        SSE-CMM Project Steering Group Chair
        4 June 1998

    2. Page 2 Overview
        - Project Status - Ron Knode
        - NSA - Mary Schanken
        - CSE - Steve Booth
        - FAA - Ron Knode
        - CSIS - Ron Thompson
        - E&Y Canada - Chris Pick
        - EWA Canada - Jim Robbins
        - CSC - Ron Knode
        - Others

    3. Page 3 Topics
        - SSE-CMM Project
        - Goals
        - Accomplishments
        - Current Activities
        - Reflections of the SSE-CMM
        - Future Plans
        - Project Schedule

    4. Page 4 Why was the SSE-CMM developed? (History)
        - Objective: advance security engineering as a defined, mature, and measurable discipline
        - Project Goal: develop a mechanism to enable:
            - selection of appropriately qualified security engineering providers
            - focused investments in security engineering practices
            - capability-based assurance
        - Why the CMM approach?
            - accepted way of improving process capability
            - increasing use in acquisition as an indicator of process capability

    5. Page 5 Envisioned Uses
        - Engineering Organizations
            - Define processes / practices
            - Use for competitive edge (in source selections)
            - Focus improvement efforts
        - Acquirers
            - Standard RFP language and bidder evaluation
            - Understanding programmatic risks
            - Avoid protests (uniform assessments)
            - Greater level of confidence in end results
        - Security Evaluation Organizations
            - Alternative to extensive evaluation/re-evaluation
            - Confidence in integration of security engineering with other disciplines
            - Confidence in end results

    6. Page 6 Project Structure 2nd Phase

    7. Page 7 Points of Contact
        - Project Sponsor: Mary Schanken, NSA, V243, 410-859-6094, schanken@romulus.ncsc.mil
        - Steering Group: Ron Knode, Computer Sciences Corporation, 410-691-6580, rknode@csc.com
        - Model Maintenance: Jeff Williams, Arca Systems, Inc., 703-734-5611, williams@arca.com
        - Appraisal Method: Mal Fordham, IIT Research Institute, 301-918-1022, mfordham@atg.iitri.com

    8. Page 8 Project Participants: 45 pioneers

    9. Page 9 Project History/Accomplishments
        - April 93 - December 94: Initial R&D
        - January 95: 1st Public Workshop; Working Groups Formed
        - Summer/Fall 96: SSE-CMM Pilot Program
        - October 96: SSE-CMM v1.0; Early SSE-CMM Pilot Results
        - Spring 97: Appraisal Method v1.0
        - Summer 97: SSE-CMM v1.1; Appraisal Method v1.1; Pilot Results
        - 14-17 July 97: 2nd Public Workshop

    10. Page 10 Pilot Sites
        - TRW: System Integrator
        - CSC: Service Provider - Risk Assessment
        - Hughes: System Integrator
        - GTIS (Canada): Service Provider - Certification Authority
        - Data General: Product Vendor

    11. Page 11 Current Activities
        - The Project
            - pursuing ISO standard
            - planning for transition to new support organization (July 1999)
            - seeking more commitments of intended use by acquisition organizations
        - The Model
            - updating risk-related process areas
            - reviewing SEI CMM Integration Project results

    12. Page 12 Current Activities (cont.)
        - The Appraisal Method
            - updating to accommodate 3rd party capability evaluations (available May 1999)
        - Assurance
            - researching security metrics
        - Support Activities
            - developing plan for qualification of SSE-CMM appraisers
            - researching approaches for uniformity of appraisals
            - designing SSE-CMM data repository

    13. Page 13 Reflections of the SSE-CMM: Where is it taking hold?
        - US National Security Agency (NSA)
        - Canadian Communications Security Establishment (CSE)
        - US Federal Aviation Administration (FAA): (Draft) FAA Order 1600.69 (FAA Information Systems Security Program)

    14. Page 14 Reflections of the SSE-CMM: More applications and opportunities
        - Canadian Security Intelligence Service (CSIS)
        - Ernst & Young
        - Electronic Warfare Associates (EWA)
        - Computer Sciences Corporation (CSC)
        - Others ...

    15. Page 15 Working Group Schedule: This is your chance!! Join now! Meetings are held the 2nd week of each month:
        - Monday: Profiles, Assurance, and Metrics; Life Cycle Support
        - Tuesday: Model Maintenance
        - Wednesday: Sponsorship, Planning, and Adoption
        - Thursday: Steering Group
        - Friday: Appraisal Method

    16. Page 16 Future Plans
        - Oct 98: Model v2.0; Appraisal Method v2.0 (Draft)
        - Oct 98: ISO submission - Project transition phase
        - Oct 98 - Feb 99: Conduct Appraisal Method beta testing (?)
        - May 99: Appraisal Method v2.0 published
        - July 99: SSE-CMM "Project" phase ends - new support organization begins operations

    17. SSE-CMM Overview

    18. Page 18 SSE-CMM Model Architecture (based on SE-CMM Architecture)

    19. Page 19 Security Engineering Process Areas
        - Administer System Security Controls
        - Assess Impacts
        - Assess Risk
        - Assess Threats
        - Assess Vulnerabilities
        - Build Assurance Argument
        - Coordinate Security
        - Monitor System Security Posture
        - Provide Security Input
        - Specify Security Needs
        - Verify and Validate Security
        Speaker note: Reference the SSE-CMM - review goals of the PAs.

    20. Page 20 Basis for Engineering Process Areas (Security Engineering Providers)
        Speaker note: The Security Engineering PAs were developed from the perspective of what providers provide and what people want to "buy" with respect to security engineering services.

    21. Page 21 Project/Organization PAs (based on SE-CMM with Security Considerations)
        - Project
            - Ensure Quality
            - Manage Configurations
            - Manage Program Risk
            - Monitor and Control Technical Effort
            - Plan Technical Effort
        - Organization
            - Define Organization's Security Engineering Process
            - Improve Organization's Security Engineering Process
            - Manage Security Product Line Evolution
            - Manage Security Engineering Support Environment
            - Provide Ongoing Skills and Knowledge
            - Coordinate with Suppliers
        Speaker note: The Project and Organization PAs were adopted from the SE-CMM and interpreted for the security engineering domain, where needed.

    22. Using the SSE-CMM

    23. Page 23 Appraisal Results: a Rating Profile

    24. Page 24 The Appraisal Process (based on the SE-CMM Appraisal Method)

    25. Page 25 Using the SSE-CMM
