Overarching: Maturity level: What maturity level does the information protection program have?
Options:
Option 0: None - no maturity is needed or desired.
Option 1: Initial maturity is adequate to the need.
Option 2: Repeatable maturity is reasonable and prudent.
Option 3: Defined maturity is workable for the business.
Option 4: Managed maturity is necessary for business functioning.
Option 5: Optimizing is vital to business success.
Basis:
The Capability Maturity Model as applied to security affords the following levels of maturity and their characteristics:
- Level 0: None.
- Level 1: Initial. Few processes are defined, and success depends on individual talent and heroic effort.
- Level 2: Repeatable. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
- Level 3: Defined. The process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects.
- Level 4: Managed. Both the process and end-products are quantitatively understood and controlled using detailed measures.
- Level 5: Optimizing. Continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies.
The Cybersecurity Capability Maturity Model (C2M2) is a variation on this, with levels described roughly as follows:
- Level 0: Practices are not performed.
- Level 1: Initial practices are performed but may be ad hoc.
- Level 2: Practices are documented; stakeholders are identified and involved; adequate resources are provided to support the process; standards or guidelines are used to guide practice implementation.
- Level 3: Activities are guided by policy (or other directives) and governance; policies include compliance requirements for specified standards or guidelines; activities are periodically reviewed for conformance to policy; responsibility and authority for practices are assigned to personnel; personnel performing the practice have adequate skills and knowledge; and practices are more complete or advanced than at Level 2.
- There is no Level 4 or 5.
By way of comparison, the CMM used in this SoP has essentially identical Levels 0 and 1. CMM Level 2 falls between C2M2 Levels 1 and 2; CMM Level 3 is roughly C2M2 Level 2; CMM Level 4 is roughly equivalent to C2M2 Level 3; and CMM Level 5 exceeds all C2M2 levels. The CMM can be rated according to the following analytical framework:
Domain: Security Engineering | None | Initial | Repeatable | Defined | Managed | Optimizing |
---|---|---|---|---|---|---|
-Process areas | ||||||
- Base practices | ||||||
01 - Administer security controls: | ||||||
- Establish responsibilities | ||||||
- Manage configuration | ||||||
- Manage awareness, training, and education programs | ||||||
- Manage services and control mechanisms | ||||||
02 - Assess impact: | ||||||
- Prioritize capabilities | ||||||
- Identify system assets | ||||||
- Select metrics | ||||||
- Identify metric relationship | ||||||
- Identify and characterize consequences | ||||||
- Monitor consequences | ||||||
03 - Assess security risk: | ||||||
- Select risk analysis method | ||||||
- Identify exposures | ||||||
- Assess exposure risks | ||||||
- Assess total uncertainty | ||||||
- Prioritize risks | ||||||
- Monitor risks and characteristics | ||||||
04 - Assess threat: | ||||||
- Identify natural and human threats | ||||||
- Identify units of measure for threats | ||||||
- Assess threat capabilities and intents | ||||||
- Assess likelihood | ||||||
- Monitor threats and characteristics | ||||||
05 - Assess vulnerability: | ||||||
- Select vulnerability analysis method | ||||||
- Identify vulnerabilities | ||||||
- Gather vulnerability data | ||||||
- Synthesize system vulnerabilities | ||||||
- Monitor vulnerabilities and characteristics | ||||||
06 - Build assurance argument: | ||||||
- Identify assurance objectives | ||||||
- Define assurance strategy | ||||||
- Control assurance evidence | ||||||
- Analyze evidence | ||||||
- Provide assurance argument | ||||||
07 - Coordinate security: | ||||||
- Define coordination objectives | ||||||
- Identify coordination mechanisms | ||||||
- Facilitate coordination | ||||||
- Coordinate decisions and recommendations | ||||||
08 - Monitor system security posture: | ||||||
- Analyze event records | ||||||
- Monitor changes | ||||||
- Identify incidents | ||||||
- Monitor safeguards | ||||||
- Review security posture | ||||||
- Manage incident response | ||||||
- Protect monitoring artifacts | ||||||
09 - Provide security input: | ||||||
- Understand security input needs | ||||||
- Determine constraints and considerations | ||||||
- Identify alternatives | ||||||
- Analyze engineering alternatives | ||||||
- Provide engineering guidance | ||||||
- Provide operational guidance | ||||||
10 - Specify security needs: | ||||||
- Gain understanding of protection needs | ||||||
- Identify applicable laws and regulations | ||||||
- Identify system security context | ||||||
- Capture view of system operation | ||||||
- Define requirements | ||||||
- Obtain agreement on protection | ||||||
11 - Verify and validate security: | ||||||
- Identify V&V targets | ||||||
- Define V&V approach | ||||||
- Perform validation | ||||||
- Perform verification | ||||||
- Provide V&V results | ||||||
Organization: | ||||||
- institutionalization of process areas | ||||||
- implementation of process areas | ||||||
12 - Ensure Quality | ||||||
13 - Manage Configurations | ||||||
14 - Manage Project Risk | ||||||
15 - Monitor and Control Technical Effort | ||||||
16 - Plan Technical Effort | ||||||
17 - Define Systems Engineering Process | ||||||
18 - Improve Systems Engineering Process | ||||||
19 - Manage product line evolution | ||||||
20 - Manage systems engineering support environment | ||||||
21 - Provide ongoing skills and knowledge | ||||||
22 - Coordinate with suppliers | ||||||
Project: | ||||||
- Ensure Quality | ||||||
- Manage configurations | ||||||
- Manage program risk | ||||||
- Monitor and control technical effort | ||||||
- Plan technical effort | ||||||
Capability Level | Item within level | Achieved? | Value | Risk Management | Engineering | Assurance | Coordination |
---|---|---|---|---|---|---|---|
0 None: | | | 0 | | | | |
1 Initial: | few processes are defined, and success depends on individual talent and heroic effort | | 1.0 | | | | |
1 | 1.1 base practices performed | | 1.0 | | | | |
1 | Total for level per KPA | | | | | | |
2 Repeatable: | the necessary process discipline is in place to repeat earlier successes on projects with similar applications | | 2.0 | | | | |
2 | requirements management | | 0.1 | | | | |
2 | project planning | | 0.1 | | | | |
2 | project tracking and oversight | | 0.1 | | | | |
2 | subcontract management | | 0.1 | | | | |
2 | quality assurance | | 0.1 | | | | |
2 | configuration management | | 0.1 | | | | |
2 | 2.1 - planning performance | | 0.1 | | | | |
2 | 2.2 - disciplined performance | | 0.1 | | | | |
2 | 2.3 - verifying performance | | 0.1 | | | | |
2 | 2.4 - tracking performance | | 0.1 | | | | |
2 | Total for level per KPA | | | | | | |
3 Defined: | the process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects | | 3.0 | | | | |
3 | process focus | | 0.1 | | | | |
3 | process definition | | 0.1 | | | | |
3 | training programs | | 0.1 | | | | |
3 | integrated management | | 0.1 | | | | |
3 | product engineering | | 0.1 | | | | |
3 | intergroup coordination | | 0.1 | | | | |
3 | peer reviews | | 0.1 | | | | |
3 | 3.1 - defining a standard process | | 0.1 | | | | |
3 | 3.2 - perform the defined process | | 0.1 | | | | |
3 | 3.3 - coordinate practices | | 0.1 | | | | |
3 | Total for level per KPA | | | | | | |
4 Managed: | both the process and end-products are quantitatively understood and controlled using detailed measures | | 4.0 | | | | |
4 | quality management | | 0.25 | | | | |
4 | quantitative process management | | 0.25 | | | | |
4 | 4.1 - establishing measurable performance goals | | 0.25 | | | | |
4 | 4.2 - objectively managing performance | | 0.25 | | | | |
4 | Total for level per KPA | | | | | | |
5 Optimizing: | continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies | | 5.0 | | | | |
5 | defect prevention | | 0.2 | | | | |
5 | technology change management | | 0.2 | | | | |
5 | process change management | | 0.2 | | | | |
5 | 5.1 - improving organizational capability | | 0.2 | | | | |
5 | 5.2 - improving process effectiveness | | 0.2 | | | | |
5 | Total for level per KPA | | | | | | |
All levels | Grand totals per KPA | | | | | | |
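A scorer for the capability-level table above, added here as an example and not part of the SoP: the item weights are transcribed from the table's Value column, the sample input is constructed, and the staged reading in staged_level (a level counts only when it and every lower level are complete) is an assumption the SoP does not state.

```python
# Added example, not part of the SoP: a scorer for the capability-level table above.
# Item weights are transcribed from the table's Value column; each level sums to 1.0.
LEVEL_ITEMS = {
    1: {"base practices performed": 1.0},
    2: {item: 0.1 for item in (
        "requirements management", "project planning",
        "project tracking and oversight", "subcontract management",
        "quality assurance", "configuration management", "planning performance",
        "disciplined performance", "verifying performance", "tracking performance")},
    3: {item: 0.1 for item in (
        "process focus", "process definition", "training programs",
        "integrated management", "product engineering", "intergroup coordination",
        "peer reviews", "defining a standard process", "perform the defined process",
        "coordinate practices")},
    4: {item: 0.25 for item in (
        "quality management", "quantitative process management",
        "establishing measurable performance goals", "objectively managing performance")},
    5: {item: 0.2 for item in (
        "defect prevention", "technology change management", "process change management",
        "improving organizational capability", "improving process effectiveness")},
}
# Constructed sample for one KPA: levels 1 and 2 complete, level 3 partly done.
SAMPLE = {1: ["base practices performed"], 2: list(LEVEL_ITEMS[2]),
          3: ["process focus", "process definition", "peer reviews"]}

def level_total(achieved, level):
    """'Total for level per KPA': weights of the achieved items at one level."""
    weights = LEVEL_ITEMS[level]
    unknown = set(achieved) - set(weights)
    if unknown:  # an item that does not belong to this level is a data-entry error
        raise ValueError(f"not a level-{level} item: {sorted(unknown)}")
    return round(sum(weights[item] for item in set(achieved)), 2)

def score_kpa(achieved_by_level):
    """Per-level totals plus the 'Grand total' for one KPA (maps level -> achieved items)."""
    totals = {lvl: level_total(achieved_by_level.get(lvl, ()), lvl)
              for lvl in LEVEL_ITEMS}
    totals["grand"] = round(sum(totals.values()), 2)
    return totals

def staged_level(totals):
    """Assumption (not stated in the SoP): a level is reached only when it and every
    lower level are complete (total 1.0), as in a staged CMM rating."""
    reached = 0
    for lvl in sorted(LEVEL_ITEMS):
        if totals[lvl] < 1.0:
            break
        reached = lvl
    return reached
```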
Area | Commitment to Perform | Ability to Perform | Activities Performed | Measurement and Analysis | Verifying Implementation |
---|---|---|---|---|---|
1) Security Risk Management - processes dealing with estimating risk at each of the maturity levels; | . | . | . | . | . |
2) Engineering - processes involved with architecting a system and managing security requirements; | . | . | . | . | . |
3) Assurance Management - processes dealing with generating, managing, presenting assurance evidence; | . | . | . | . | . |
4) Coordination - processes that coordinate security engineering activities with other engineering disciplines. | . | . | . | . | . |
- controllability: ability to predict, measure, and control cost, schedule, and quality;
- codification: state-of-the-art knowledge is codified within the practices;
- trustability: degree of assurance that practices are performing as intended;
- institutionalization: organization-wide use of defined process;
- integration: organization-wide process integration;
- improvement: continuous process improvement.
Appraisal phases and activities:
- Prepare:
  - scope appraisal
  - plan appraisal
- Pre-onsite:
  - prepare appraisal team
  - administer questionnaire
  - collect evidence
  - analyze evidence and answers
- Onsite phase:
  - interview executives
  - interview leads and practitioners
  - establish findings
  - develop rating profile
  - report results
- Post-appraisal:
  - report lessons learned
  - report appraisal outcomes
  - manage appraisal artifacts
Level | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Level 5 | ||||||||||||||||||||||
Level 4 | ||||||||||||||||||||||
Level 3 | ||||||||||||||||||||||
Level 2 | ||||||||||||||||||||||
Level 1 | ||||||||||||||||||||||