Capability Maturity Model - PowerPoint PPT Presentation

Slides: 17
Provided by: sbc78
1
Capability Maturity Model
  • Systems Engineering and Security
  • Sources
  • CMU SEI CMM website: http://www.sei.cmu.edu/cmm/cmms/cmms.html
  • The CISSP Prep Guide: Mastering the Ten Domains
    of Computer Security by Ronald L. Krutz, Russell
    Dean Vines (August 24, 2001), John Wiley & Sons.
    ISBN 0471413569. Appendix D
  • Information Technology Project Management, 2nd
    Ed. by Kathy Schwalbe (2002), Course Technology.
    ISBN 0619035285. Pp. 218-219.

2
Capability Maturity Model
  • In 1986, in collaboration with Mitre Corporation,
    the SEI of CMU developed a methodology for
    measuring the maturity of software development
    processes
  • Process capability is defined as the quantifiable
    range of expected results that can be achieved by
    following a process.

3
CMM Principles
  • Major changes must be sponsored by senior
    management
  • Focus on fixing the process, not assigning blame
  • Understand the current process first
  • Change is continuous
  • Improvement requires investment
  • Retaining improvement requires periodic
    reinforcement

4
Capability Maturity Model
  • I - Initiating
  • Laying the groundwork for a successful
    improvement effort
  • D - Diagnosing
  • Determining where you are relative to where you
    want to be
  • E - Establishing
  • Planning the specifics of how you will reach your
    destination
  • A - Acting
  • Doing the work according to the plan
  • L - Learning
  • Learning from the experience and improving your
    ability

5
System
  • Is defined as follows
  • An integrated composite of people, products, and
    processes that provide a capability to satisfy a
    need or objective
  • An assembly of things or parts forming a complex
    or unitary whole; a collection of components
    organized to accomplish a specific function or
    set of functions
  • An interacting combination of elements that are
    viewed in relation to function.

6
Systems Engineering SE-CMM
  • Systems Engineering is defined as the selective
    application of scientific and engineering efforts
    to:
  • Transform an operational need into a description
    of the system configuration that best satisfies
    the operational need according to the measures of
    effectiveness
  • Integrate related technical parameters and ensure
    compatibility of all physical, functional, and
    technical program interfaces in a manner that
    optimizes the total system definition and design
  • Integrate the efforts of all engineering
    disciplines and specialties into the total
    engineering effort

7
CMM Systems Engineering
  • The model provides a guide for selecting process
    improvement strategies by determining the current
    capabilities of specific processes and
    identifying the issues most critical to quality
    and process improvement within a particular
    domain.
  • A CMM may take the form of a reference model to
    be used as a guide for developing and improving a
    mature and defined process

8
SSE-CMM
  • Takes a process-based approach to information
    systems security
  • Based on the SE-CMM
  • The methodology and metrics of the SE-CMM are
    duplicated in the SSE-CMM in that they provide a
    reference for comparing the existing best systems
    security engineering practices against the
    essential systems security engineering elements
    described in the model
  • SSE-CMM is the primary element of the proposed
    HIPAA-CMM
  • HIPAA - Health Insurance Portability and
    Accountability Act

9
SSE-CMM
  • Two dimensions to measure the capability of an
    organization to perform specific activities
  • Domain
  • Capability

10
Domain and Capability
  • Domain dimension consists of all the practices
    that collectively define security engineering.
  • Base Practices (BPs)
  • Capability dimension represents practices that
    indicate process management and
    institutionalization of capability.
  • Generic Practices (GPs)

11
SSE-CMM Process Areas - BP
  • Technical
  • PA01 Administer Security Controls
  • PA02 Assess Impact
  • PA03 Assess Security Risk
  • PA04 Assess Threat
  • PA05 Assess Vulnerability
  • PA06 Build Assurance Argument
  • PA07 Coordinate Security
  • PA08 Monitor Security Input
  • PA09 Provide Security Input
  • PA10 Specify Security Needs
  • PA11 Verify and Validate Security

12
SSE-CMM Process Areas - BP
  • Project and Organizational Practices
  • PA12 Ensure Quality
  • PA13 Manage Configuration
  • PA14 Manage Project Risk
  • PA15 Monitor and Control Technical Effort
  • PA16 Plan Technical Effort
  • PA17 Define Organization's Systems Engineering
    Process
  • PA18 Improve Organization's Systems Engineering
    Process
  • PA19 Manage Product Line Evolution
  • PA20 Manage Systems Engineering Support
    Environment
  • PA21 Provide Ongoing Skills and Knowledge
  • PA22 Coordinate with Suppliers

13
SSE-CMM Process Areas - GP
  • Level 1 Performed Informally
  • Level 2 Planned and Tracked
  • Level 3 Well Defined
  • Level 4 Quantitatively Controlled
  • Level 5 Continuously Improving

14
SSE-CMM Process Areas - GP
  • Level 1 Performed Informally
  • BPs are Performed
  • Level 2 Planned and Tracked
  • 2.1. Planning Performance
  • 2.2. Disciplined Performance
  • 2.3. Verifying Performance
  • 2.4. Tracking Performance

15
SSE-CMM Process Areas - GP
  • Level 3 Well Defined
  • 3.1. Defining a Standard Process
  • 3.2. Perform the Defined Process
  • 3.3. Coordinate the Process

16
SSE-CMM Process Areas - GP
  • Level 4 Quantitatively Controlled
  • 4.1. Establishing Measurable Quality Goals
  • 4.2. Objectively Managing Performance
  • Level 5 Continuously Improving
  • 5.1. Improving Organizational Capability
  • 5.2. Improving Process Effectiveness