Domain: Security Engineering | None | Initial | Repeatable | Defined | Managed | Optimizing
|
---|
-Process areas | | | | | |
|
- Base practices | | | | | |
|
01 - Administer security controls:
|
- Establish responsibilities | | | | | |
|
- Manage configuration | | | | | |
|
- Manage awareness, training, and education programs | | | | | |
|
- Manage services and control mechanisms | | | | | |
|
02 - Assess impact:
|
- Prioritize capabilities | | | | | |
|
- Identify system assets | | | | | |
|
- Select metrics | | | | | |
|
- Identify metric relationship | | | | | |
|
- Identify and characterize consequences | | | | | |
|
- Monitor consequences | | | | | |
|
03 - Assess security risk:
|
- Select risk analysis method | | | | | |
|
- Identify exposures | | | | | |
|
- Assess exposure risks | | | | | |
|
- Assess total uncertainty | | | | | |
|
- Prioritize risks | | | | | |
|
- Monitor risks and characteristics | | | | | |
|
04 - Assess threat:
|
- Identify natural and human threats | | | | | |
|
- Identify unit s of measure for threats | | | | | |
|
- Assess threat capabilities and intents | | | | | |
|
- Assess likelihood | | | | | |
|
- Monitor threats and characteristics | | | | | |
|
05 - Assess vulnerability:
|
- Select vulnerability analysis method | | | | | |
|
- Identify vulnerabilities | | | | | |
|
- Gather vulnerability data | | | | | |
|
- Synthesize system vulnerabilities | | | | | |
|
- Monitor vulnerabilities and characteristics | | | | | |
|
06 - Build assurance argument:
|
- Identify assurance objectives | | | | | |
|
- Define assurance strategy | | | | | |
|
- Control assurance evidence | | | | | |
|
- Analyze evidence | | | | | |
|
- Provide assurance argument | | | | | |
|
07 - Coordinate security:
|
- Define coordination objectives | | | | | |
|
- Identify coordination mechanisms | | | | | |
|
- Facilitate coordination | | | | | |
|
- Coordinate decisions and recommendations | | | | | |
|
08 - Monitor system security posture:
|
- Analyze event records | | | | | |
|
- Monitor changes | | | | | |
|
- Identify incidents | | | | | |
|
- Monitor safeguards | | | | | |
|
- Review security posture | | | | | |
|
- Manage incident response | | | | | |
|
- Protect monitoring artifacts | | | | | |
|
09 - Provide security input:
|
- Understand security input needs | | | | | |
|
- Determine constraints and considerations | | | | | |
|
- Identify alternatives | | | | | |
|
- Analyze engineering alternatives | | | | | |
|
- Provide engineering guidance | | | | | |
|
- Provide operational guidance | | | | | |
|
10 - Specify security needs:
|
- Gain understanding of protection needs | | | | | |
|
- Identify applicable laws and regulations | | | | | |
|
- Identify system security context | | | | | |
|
- Capture view of system operation | | | | | |
|
- Define requirements | | | | | |
|
- Obtain agreement on protection | | | | | |
|
11 - Verify and validate security:
|
- Identify V&V targets | | | | | |
|
- Define V&V approach | | | | | |
|
- Perform Validation | | | | | |
|
- Perform verification | | | | | |
|
- Provide V&V results | | | | | |
|
Organization:
|
institutionalization of process areas | | | | | |
|
implementation of process areas | | | | | |
|
12 - Ensure Quality | | | | | |
|
13 - Manage Configurations | | | | | |
|
14 - Manage Project Risk | | | | | |
|
15 - Monitor and Control Technical Effort | | | | | |
|
16 - Plat Technical Effort | | | | | |
|
17 - Define Systems Engineering Process | | | | | |
|
18 - Improve Systems Engineering Process | | | | | |
|
19 - Manage product line evolution | | | | | |
|
20 - Manage systems engineering support environment | | | | | |
|
21 - Provide ongoing skills and knowledge | | | | | |
|
22 - Coordinate with suppliers | | | | | |
|
Project:
|
- Ensure Quality | | | | | |
|
- Manage configurations | | | | | |
|
- Manage program risk | | | | | |
|
- Monitor and control technical effort | | | | | |
|
- Plan technical effort | | | | | |
|
Capability Level | Item within level | Achieved? | Value | Risk Management | Engineering | Assurance | Coordination
|
---|
0 Initial - none: | | 0 |
|
1 Initial: | few processes are defined, and success depends on individual effort talent and heroic effort | 1.0 |
|
| 1.1 base practices performed | | 1.0 | | | |
|
Total for level per KPA | | | | | | |
|
---|
2 Repeatable: | the necessary process discipline is in place to repeat earlier successes on projects with similar applications | 2.0 |
|
| requirements management | | 0.1 | | | |
|
| project planning | | 0.1 | | | |
|
| project tracking and oversight | | 0.1 | | | |
|
| subcontract management | | 0.1 | | | |
|
| quality assurance | | 0.1 | | | |
|
| configuration management | | 0.1 | | | |
|
| 2.1 - planning performance | | 0.1 | | | |
|
| 2.2 - disciplined performance | | 0.1 | | | |
|
| 2.3 - verifying performance | | 0.1 | | | |
|
| 2.4 - tracking performance | | 0.1 | | | |
|
Total for level per KPA | | | | | | |
|
---|
3 Defined: | the process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects | 3.0 |
|
| process focus | | 0.1 | | | |
|
| process definition | | 0.1 | | | |
|
| training programs | | 0.1 | | | |
|
| integrated management | | 0.1 | | | |
|
| product engineering | | 0.1 | | | |
|
| Intergroup coordination | | 0.1 | | | |
|
| Peer reviews | | 0.1 | | | |
|
| 3.1 - defining a standard process | | 0.1 | | | |
|
| 3.2 - perform the defined process | | 0.1 | | | |
|
| 3.3 - Coordinate practices | | 0.1 | | | |
|
Total for level per KPA | | | | | | |
|
---|
4 Managed: | both the process and end-products are quantitatively understood and controlled using detailed measures | 4.0
|
| quality management | | 0.25 | | | |
|
| quantitative process management | | 0.25 | | | |
|
| 4.1 - establishing measurable performance goals | | 0.25 | | | |
|
| 4.2 - objectively managing performance | | 0.25 | | | |
|
Total for level per KPA | | | | | | |
|
---|
5 Optimizing: | continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies | 5.0
|
| defect prevention | | 0.2 | | | |
|
| technology change management | | 0.2 | | | |
|
| process change management | | 0.2 | | | |
|
| 4.1 - improving organizational capability | | 0.2 | | | |
|
| 4.2 - improving process effectiveness | | 0.2 | | | |
|
Total for level per KPA | | | | | | |
|
---|
Grand totals per KPA | | | | | | |
|
---|