Fri Apr 8 06:49:41 PDT 2016

Overarching: Maturity level: What maturity level should the information protection program have?


Options:

Option 0: None - no maturity is needed or desired.
Option 1: Initial maturity is adequate to the need.
Option 2: Repeatable maturity is reasonable and prudent.
Option 3: Defined maturity is workable for the business.
Option 4: Managed maturity is necessary for business functioning.
Option 5: Optimizing is vital to business success.


Decision:

IF Information technologies are the fundamental key to enterprise success, THEN Optimizing
OTHERWISE IF Information technologies are vital to the business, or consequences of protection failure are high, THEN at least Managed
OTHERWISE IF Information technologies are important to the business, or consequences of protection failure are medium, THEN at least Defined
OTHERWISE IF Information technologies are regularly undertaken for business purposes, THEN at least Repeatable
OTHERWISE IF The organization is small and information technology is a minor function not vital to enterprise success, THEN Initial
OTHERWISE None.


Maturity levels:

Component | Maturity level
(one row per component, to be completed for the organization being assessed)
The current state of maturity for components

Basis:

The Capability Maturity Model as applied to security affords the following levels of maturity and their characteristics:

  • Level 0: None
  • Level 1: Initial - Few processes are defined, and success depends on individual talent and heroic effort.
  • Level 2: Repeatable - The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
  • Level 3: Defined - The process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects.
  • Level 4: Managed - Both the process and end-products are quantitatively understood and controlled using detailed measures.
  • Level 5: Optimizing - Continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies.

The CyberSecurity Capability Maturity Model (C2M2) is a variation on this, described roughly as follows:

  • Level 0: Practices are not performed.
  • Level 1: Initial practices are performed but may be ad hoc.
  • Level 2: Practices are documented; stakeholders are identified and involved; adequate resources are provided to support the process; standards or guidelines are used to guide practice implementation.
  • Level 3: Activities are guided by policy (or other directives) and governance; policies include compliance requirements for specified standards or guidelines; activities are periodically reviewed for conformance to policy; responsibility and authority for practices are assigned to personnel; personnel performing the practice have adequate skills and knowledge; and practices are more complete or advanced than at Level 2.
  • There is no Level 4 or 5 in C2M2.

By way of comparison, the CMM used in this SoP has essentially identical Levels 0 and 1. CMM Level 2 falls between C2M2 Levels 1 and 2. CMM Level 3 is roughly C2M2 Level 2, CMM Level 4 is roughly equivalent to C2M2 Level 3, and CMM Level 5 exceeds all C2M2 levels. The CMM can be rated according to the following analytical framework:

Domain: Security Engineering (each process area and base practice is rated None, Initial, Repeatable, Defined, Managed, or Optimizing)

Process areas and base practices:
01 - Administer security controls:
  - Establish responsibilities
  - Manage configuration
  - Manage awareness, training, and education programs
  - Manage services and control mechanisms
02 - Assess impact:
  - Prioritize capabilities
  - Identify system assets
  - Select metrics
  - Identify metric relationship
  - Identify and characterize consequences
  - Monitor consequences
03 - Assess security risk:
  - Select risk analysis method
  - Identify exposures
  - Assess exposure risks
  - Assess total uncertainty
  - Prioritize risks
  - Monitor risks and characteristics
04 - Assess threat:
  - Identify natural and human threats
  - Identify units of measure for threats
  - Assess threat capabilities and intents
  - Assess likelihood
  - Monitor threats and characteristics
05 - Assess vulnerability:
  - Select vulnerability analysis method
  - Identify vulnerabilities
  - Gather vulnerability data
  - Synthesize system vulnerabilities
  - Monitor vulnerabilities and characteristics
06 - Build assurance argument:
  - Identify assurance objectives
  - Define assurance strategy
  - Control assurance evidence
  - Analyze evidence
  - Provide assurance argument
07 - Coordinate security:
  - Define coordination objectives
  - Identify coordination mechanisms
  - Facilitate coordination
  - Coordinate decisions and recommendations
08 - Monitor system security posture:
  - Analyze event records
  - Monitor changes
  - Identify incidents
  - Monitor safeguards
  - Review security posture
  - Manage incident response
  - Protect monitoring artifacts
09 - Provide security input:
  - Understand security input needs
  - Determine constraints and considerations
  - Identify alternatives
  - Analyze engineering alternatives
  - Provide engineering guidance
  - Provide operational guidance
10 - Specify security needs:
  - Gain understanding of protection needs
  - Identify applicable laws and regulations
  - Identify system security context
  - Capture view of system operation
  - Define requirements
  - Obtain agreement on protection
11 - Verify and validate security:
  - Identify V&V targets
  - Define V&V approach
  - Perform validation
  - Perform verification
  - Provide V&V results
Organization:
  - Institutionalization of process areas
  - Implementation of process areas
  12 - Ensure quality
  13 - Manage configurations
  14 - Manage project risk
  15 - Monitor and control technical effort
  16 - Plan technical effort
  17 - Define systems engineering process
  18 - Improve systems engineering process
  19 - Manage product line evolution
  20 - Manage systems engineering support environment
  21 - Provide ongoing skills and knowledge
  22 - Coordinate with suppliers
Project:
  - Ensure quality
  - Manage configurations
  - Manage program risk
  - Monitor and control technical effort
  - Plan technical effort
CMM Rating Framework
Capability Level Definitions (columns: Capability Level | Item within level | Value; the Achieved? column and the per-KPA ratings for Risk Management, Engineering, Assurance, and Coordination are filled in during appraisal)

0 - Initial - none: 0
1 - Initial: few processes are defined, and success depends on individual talent and heroic effort (level value 1.0)
  1.1 - base practices performed: 1.0
  Total for level per KPA
2 - Repeatable: the necessary process discipline is in place to repeat earlier successes on projects with similar applications (level value 2.0)
  requirements management: 0.1
  project planning: 0.1
  project tracking and oversight: 0.1
  subcontract management: 0.1
  quality assurance: 0.1
  configuration management: 0.1
  2.1 - planning performance: 0.1
  2.2 - disciplined performance: 0.1
  2.3 - verifying performance: 0.1
  2.4 - tracking performance: 0.1
  Total for level per KPA
3 - Defined: the process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects (level value 3.0)
  process focus: 0.1
  process definition: 0.1
  training programs: 0.1
  integrated management: 0.1
  product engineering: 0.1
  intergroup coordination: 0.1
  peer reviews: 0.1
  3.1 - defining a standard process: 0.1
  3.2 - perform the defined process: 0.1
  3.3 - coordinate practices: 0.1
  Total for level per KPA
4 - Managed: both the process and end-products are quantitatively understood and controlled using detailed measures (level value 4.0)
  quality management: 0.25
  quantitative process management: 0.25
  4.1 - establishing measurable performance goals: 0.25
  4.2 - objectively managing performance: 0.25
  Total for level per KPA
5 - Optimizing: continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies (level value 5.0)
  defect prevention: 0.2
  technology change management: 0.2
  process change management: 0.2
  4.1 - improving organizational capability: 0.2
  4.2 - improving process effectiveness: 0.2
  Total for level per KPA
Grand totals per KPA
CMM Capability Level Definitions
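The framework above is a scoring sheet, and the arithmetic is easiest to check in code. The following is an added example (not part of the SoP or its author's tooling) that tallies the item values per capability level and per KPA; it assumes an item's value counts toward a KPA only when marked Achieved for that KPA, and reads the levels as staged, so a KPA sits at the highest level whose items, and all lower levels' items, are fully achieved.

```python
# Added example, not from the SoP page: a scorer for the capability level
# framework above. Assumption: an item's value counts toward a KPA's total
# only when it is marked Achieved for that KPA; each level's items sum to 1.0.
from collections import defaultdict

KPAS = ("Risk Management", "Engineering", "Assurance", "Coordination")

# (level, item within level, value) as listed in the framework; level 0 has no items
ITEMS = [
    (1, "base practices performed", 1.0),
    (2, "requirements management", 0.1), (2, "project planning", 0.1),
    (2, "project tracking and oversight", 0.1), (2, "subcontract management", 0.1),
    (2, "quality assurance", 0.1), (2, "configuration management", 0.1),
    (2, "planning performance", 0.1), (2, "disciplined performance", 0.1),
    (2, "verifying performance", 0.1), (2, "tracking performance", 0.1),
    (3, "process focus", 0.1), (3, "process definition", 0.1),
    (3, "training programs", 0.1), (3, "integrated management", 0.1),
    (3, "product engineering", 0.1), (3, "intergroup coordination", 0.1),
    (3, "peer reviews", 0.1), (3, "defining a standard process", 0.1),
    (3, "perform the defined process", 0.1), (3, "coordinate practices", 0.1),
    (4, "quality management", 0.25), (4, "quantitative process management", 0.25),
    (4, "establishing measurable performance goals", 0.25),
    (4, "objectively managing performance", 0.25),
    (5, "defect prevention", 0.2), (5, "technology change management", 0.2),
    (5, "process change management", 0.2),
    (5, "improving organizational capability", 0.2),
    (5, "improving process effectiveness", 0.2),
]

def score(achieved):
    """achieved: {kpa: set of item names marked Achieved}. Returns
    (totals per level per KPA, grand totals per KPA), rounded to 2 places."""
    per_level = defaultdict(lambda: {k: 0.0 for k in KPAS})
    for level, item, value in ITEMS:
        for kpa in KPAS:
            if item in achieved.get(kpa, ()):
                per_level[level][kpa] += value
    grand = {k: round(sum(row[k] for row in per_level.values()), 2) for k in KPAS}
    return ({lv: {k: round(v, 2) for k, v in row.items()}
             for lv, row in per_level.items()}, grand)

def capability_level(per_level, kpa):
    """Highest level fully achieved for a KPA. Assumption (staged reading of the
    framework): a level counts only when it and every lower level total 1.0."""
    level = 0
    for lv in range(1, 6):
        if per_level.get(lv, {}).get(kpa, 0.0) < 1.0:
            break
        level = lv
    return level
```

Feeding it the Achieved marks from a completed sheet reproduces the "Total for level per KPA" and "Grand totals per KPA" rows; a KPA that skips a lower-level item stays at the lower level even if higher-level items are marked.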
Key Process Areas (each area is assessed on the common features Commitment to Perform, Ability to Perform, Activities Performed, Measurement and Analysis, and Verifying Implementation):
  1) Security Risk Management - processes dealing with estimating risk at each of the maturity levels
  2) Engineering - processes involved with architecting a system and managing security requirements
  3) Assurance Management - processes dealing with generating, managing, and presenting assurance evidence
  4) Coordination - processes that coordinate security engineering activities with other engineering disciplines
CMM Key Process Areas
Process Maturation Goals
  • controllability: ability to predict, measure, and control cost, schedule, and quality;
  • codification: state-of-the-art knowledge is codified within the practices;
  • trustability: degree of assurance that practices are performing as intended.
Organizational Maturation Goals
  • institutionalization: organization-wide use of defined process;
  • integration: organization-wide process integration;
  • improvement: continuous process improvement.
Doing a CMM appraisal:
Prepare
  - Scope appraisal
  - Plan appraisal
Pre-onsite
  - Prepare appraisal team
  - Administer questionnaire
  - Collect evidence
  - Analyze evidence and answers
Onsite phase
  - Interview executives
  - Interview leads and practitioners
  - Establish findings
  - Develop rating profile
  - Report results
Post-appraisal
  - Report lessons learned
  - Report appraisal outcomes
  - Manage appraisal artifacts
The CMM Appraisal Process
CMM Appraisal Matrix: process areas 01 through 22 (columns) rated against Levels 1 through 5 (rows); the completed matrix is a chart not reproduced in this text.
The CMM Appraisal Matrix
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved