| Domain: Security Engineering | None | Initial | Repeatable | Defined | Managed | Optimizing |
|---|---|---|---|---|---|---|
| Process areas | | | | | | |
| Base practices | | | | | | |
| 01 - Administer security controls: | | | | | | |
| - Establish responsibilities | | | | | | |
| - Manage configuration | | | | | | |
| - Manage awareness, training, and education programs | | | | | | |
| - Manage services and control mechanisms | | | | | | |
| 02 - Assess impact: | | | | | | |
| - Prioritize capabilities | | | | | | |
| - Identify system assets | | | | | | |
| - Select metrics | | | | | | |
| - Identify metric relationship | | | | | | |
| - Identify and characterize consequences | | | | | | |
| - Monitor consequences | | | | | | |
| 03 - Assess security risk: | | | | | | |
| - Select risk analysis method | | | | | | |
| - Identify exposures | | | | | | |
| - Assess exposure risks | | | | | | |
| - Assess total uncertainty | | | | | | |
| - Prioritize risks | | | | | | |
| - Monitor risks and characteristics | | | | | | |
| 04 - Assess threat: | | | | | | |
| - Identify natural and human threats | | | | | | |
| - Identify units of measure for threats | | | | | | |
| - Assess threat capabilities and intents | | | | | | |
| - Assess likelihood | | | | | | |
| - Monitor threats and characteristics | | | | | | |
| 05 - Assess vulnerability: | | | | | | |
| - Select vulnerability analysis method | | | | | | |
| - Identify vulnerabilities | | | | | | |
| - Gather vulnerability data | | | | | | |
| - Synthesize system vulnerabilities | | | | | | |
| - Monitor vulnerabilities and characteristics | | | | | | |
| 06 - Build assurance argument: | | | | | | |
| - Identify assurance objectives | | | | | | |
| - Define assurance strategy | | | | | | |
| - Control assurance evidence | | | | | | |
| - Analyze evidence | | | | | | |
| - Provide assurance argument | | | | | | |
| 07 - Coordinate security: | | | | | | |
| - Define coordination objectives | | | | | | |
| - Identify coordination mechanisms | | | | | | |
| - Facilitate coordination | | | | | | |
| - Coordinate decisions and recommendations | | | | | | |
| 08 - Monitor system security posture: | | | | | | |
| - Analyze event records | | | | | | |
| - Monitor changes | | | | | | |
| - Identify incidents | | | | | | |
| - Monitor safeguards | | | | | | |
| - Review security posture | | | | | | |
| - Manage incident response | | | | | | |
| - Protect monitoring artifacts | | | | | | |
| 09 - Provide security input: | | | | | | |
| - Understand security input needs | | | | | | |
| - Determine constraints and considerations | | | | | | |
| - Identify alternatives | | | | | | |
| - Analyze engineering alternatives | | | | | | |
| - Provide engineering guidance | | | | | | |
| - Provide operational guidance | | | | | | |
| 10 - Specify security needs: | | | | | | |
| - Gain understanding of protection needs | | | | | | |
| - Identify applicable laws and regulations | | | | | | |
| - Identify system security context | | | | | | |
| - Capture view of system operation | | | | | | |
| - Define requirements | | | | | | |
| - Obtain agreement on protection | | | | | | |
| 11 - Verify and validate security: | | | | | | |
| - Identify V&V targets | | | | | | |
| - Define V&V approach | | | | | | |
| - Perform validation | | | | | | |
| - Perform verification | | | | | | |
| - Provide V&V results | | | | | | |
| Organization: | | | | | | |
| Institutionalization of process areas | | | | | | |
| Implementation of process areas | | | | | | |
| 12 - Ensure Quality | | | | | | |
| 13 - Manage Configurations | | | | | | |
| 14 - Manage Project Risk | | | | | | |
| 15 - Monitor and Control Technical Effort | | | | | | |
| 16 - Plan Technical Effort | | | | | | |
| 17 - Define Systems Engineering Process | | | | | | |
| 18 - Improve Systems Engineering Process | | | | | | |
| 19 - Manage product line evolution | | | | | | |
| 20 - Manage systems engineering support environment | | | | | | |
| 21 - Provide ongoing skills and knowledge | | | | | | |
| 22 - Coordinate with suppliers | | | | | | |
| Project: | | | | | | |
| - Ensure Quality | | | | | | |
| - Manage configurations | | | | | | |
| - Manage program risk | | | | | | |
| - Monitor and control technical effort | | | | | | |
| - Plan technical effort | | | | | | |