
Overview of the Systems Security Engineering Capability Maturity Model (SSE-CMM)


Academic year: 2021


© 1996 SECAT LLC

Overview of the Systems Security Engineering Capability Maturity Model (SSE-CMM)


What is the Problem the SSE-CMM Solves?

[Figure: capability versus costs for the current process and an improved process. Labels: current cost; current capability; reduced cost; reduced capability for lower cost; improved capability at lower cost; cost of process improvement. Two paths are shown, downsizing and process improvement, as options depending upon business goals. Source: Merle Whatley, Texas Instruments, Inc.]

CMMs are a tool for improving the ability to transition to an improved process effectively


Primary Benefits of Using Any Capability Maturity Model (CMM)

• Include definition and description of the applicable domain (e.g. systems engineering, software, etc.)
• Provide a logical sequence for improvement based on 10+ years of experience
• Lead to better processes & better products
• Provide the data necessary for effective management of process improvement efforts
• Strong return on investment shown for CMMs where historical data exists


Who Developed the SSE-CMM?

Project groups: Steering Group, Workshop Participants, Author Group, Application Group, Key Reviewers

Sponsoring Organizations:
– NSA
– Office of Sec. Defense
– Communications Security Establishment, Canada
– Department of Defense

Project participants include a collaboration of representatives from 42 companies

[Figure legend: core team; primary critique source]


What is the Systems Security Engineering Capability Maturity Model℠ (SSE-CMM℠)?

1. Describes the essential systems security engineering and management tasks that any organization must perform
2. Road map for systems security engineering & management process improvement
3. Systems security engineering and management process measurement tool

CMM and Capability Maturity Model are service marks of Carnegie Mellon University


Why Was the Model Developed?

1. Contractor Selection
– assist the selection of appropriately qualified providers of security engineering

2. Focus Improvement
– enable focused investment in security engineering tools, training, processes and management

3. Assurance
– provide data to justify confidence and trustworthiness in an engineering group’s security practices


SSE-CMM Scope and Application

• Model focuses on practices necessary to safeguard information, from government classified data to financial transactions, company private material, etc.
• Should be integrated with the systems engineering effort, but requires unique talents, tools and process
• Performed throughout the entire product


SSE-CMM Based on the SE-CMM

Engineering PAs
• Administer security controls
• Assess operational security risk
• Build assurance argument
• Coordinate security
• Determine security vulnerabilities
• Monitor system security posture
• Provide security input
• Specify security needs
• Verify & validate security

Project PAs
• Ensure quality
• Manage configurations
• Manage program risk
• Monitor & control technical effort
• Plan technical effort

Organizational PAs
• Coordinate with suppliers
• Define organization’s security engineering process
• Improve organization’s security engineering process
• Manage security engineering support environment
• Provide ongoing skills and knowledge

[Figure legend: Based on SE-CMM adapted for SSE; Unique to SSE]


Process Improvement Roadmap

SSE-CMM Capability Levels are based on the SE-CMM

Capability levels provide logical and structured methodology for improving how work is performed

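Legend: each level has a title and is described by what it is characterized by, when it is achieved, and its primary concept.

Level 0: Not Performed
• Characterized by: SE process area not being done
• Achieved when: N/A
• Primary concept: Organizational starting point

Level I: Performed Informally
• Characterized by: Individual heroics
• Achieved when: Essential elements performed
• Primary concept: Doing systems engineering

Level II: Planned & Tracked
• Characterized by: Work is planned & managed
• Achieved when: Projects using defined process
• Primary concept: Controlling local chaos

Level III: Well Defined
• Characterized by: Development of org. std. process
• Achieved when: Projects use org. std. process
• Primary concept: Sharing organizational learning

Level IV: Quantitatively Controlled
• Characterized by: Definition of quantitative goals
• Achieved when: Process metrics captured
• Primary concept: Managing processes by data

Level V: Continuously Improving
• Characterized by: Quantitative strategic goals
• Achieved when: Processes improved
• Primary concept: Improvement based on data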


How the SSE-CMM Scoring Method Works

[Figure: example rating profile. Horizontal axis: Process Area (1 to 18); vertical axis: Capability Level (0 to 5); some process areas are marked "not assessed". Not a realistic profile; for discussion purposes only.]

• Score each process area that was assessed
  – some process areas may not be applicable
  – goals of assessment may affect process areas selected for assessment
• Score ranges from 0 to 5 for each process area
• Some process areas are more difficult to achieve
  – uniform goal in all process areas is unrealistic


SECAT LLC

• Formed to help companies improve their product development processes using Capability Maturity Models as a primary tool
• SECAT LLC principals are authors of CMMs, including the Systems Engineering CMM and Integrated Product Development CMM
• Offering CMM training, assessments, and process improvement guidance
• SECAT LLC operates internationally, providing services for customers that include Motorola, Eastman Kodak, Defense Logistics Agency, Hughes, TRW, Northrop Grumman,


More Information or Obtaining SSE-CMM Project Products

For more on the benefits of the SSE-CMM contact SECAT LLC at 714-449-0423, [email protected], or http://www.csz.com/secat
