All.Net

Fri Apr 8 06:51:39 PDT 2016

Overarching: Maturity level: What maturity level does the information protection program have?

Options:

Option 0: None - no maturity is needed or desired.
Option 1: Initial maturity is adequate to the need.
Option 2: Repeatable maturity is reasonable and prudent.
Option 3: Defined maturity is workable for the business.
Option 4: Managed maturity is necessary for business functioning.
Option 5: Optimizing is vital to business success.

Decision:

IF Information technologies are the fundamental key to enterprise success, THEN Optimizing
OTHERWISE IF Information technologies are vital to the business, or consequences of protection failure are high, THEN at least Managed
OTHERWISE IF Information technologies are important to the business, or consequences of protection failure are medium, THEN at least Defined
OTHERWISE IF Information technologies are regularly undertaken for business purposes, THEN at least Repeatable
OTHERWISE IF The organization is small and information technology is a minor function not vital to enterprise success, THEN Initial
OTHERWISE None.

Maturity levels:

Component	Maturity level
.	.
.	.
.	.
.	.
.	.

The current state of maturity for components

Basis:

The Capability Maturity Model as applied to security afford the following levels of maturity and their characteristics:

Level 0: None
Level 1: Initial Few processes are defined, and success depends on individual talent and heroic effort.
Level 2: Repeatable The necessary process discipline is in place to repeat earlier successes on projects with similar applications
Level 3: Defined The process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects
Level 4: Managed Both the process and end-products are quantitatively understood and controlled using detailed measures
Level 5: Optimizing Continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies

The CyberSecurity Capability Maturity Model (C2M2) is a variation on this these described roughly as follows:

Level 0: Practices are not performed
Level 1: Initial practices are performed but may be ad hoc
Level 2: Practices are documented, Stakeholders are identified and involved, Adequate resources are provided to support the process, Standards or guidelines are used to guide practice implementation.
Level 3: Activities are guided by policy (or other directives) and governance, Policies include compliance requirements for specified standards or guidelines, Activities are periodically reviewed for conformance to policy, Responsibility and authority for practices are assigned to personnel, Personnel performing the practice have adequate skills and knowledge, and Practices are more complete or advanced than at Level 2.
NO LEVEL 4 or 5

By way of comparison, The CMM used in this SoP has essentially identical Levels 0 and 1. CMM level 2 is between C2M2 Levels 1 and 2. CMM Level 3 is roughly C2M2 level 2, CMM Level 4 is roughly equivalent to C2M2 level 3, and CMM level 5 exceeds all C2M2 levels. The CMM can be rated according to the following analytical framework:

Domain: Security Engineering	None	Initial	Repeatable	Defined	Managed	Optimizing
-Process areas
- Base practices
01 - Administer security controls:
- Establish responsibilities
- Manage configuration
- Manage awareness, training, and education programs
- Manage services and control mechanisms
02 - Assess impact:
- Prioritize capabilities
- Identify system assets
- Select metrics
- Identify metric relationship
- Identify and characterize consequences
- Monitor consequences
03 - Assess security risk:
- Select risk analysis method
- Identify exposures
- Assess exposure risks
- Assess total uncertainty
- Prioritize risks
- Monitor risks and characteristics
04 - Assess threat:
- Identify natural and human threats
- Identify units of measure for threats
- Assess threat capabilities and intents
- Assess likelihood
- Monitor threats and characteristics
05 - Assess vulnerability:
- Select vulnerability analysis method
- Identify vulnerabilities
- Gather vulnerability data
- Synthesize system vulnerabilities
- Monitor vulnerabilities and characteristics
06 - Build assurance argument:
- Identify assurance objectives
- Define assurance strategy
- Control assurance evidence
- Analyze evidence
- Provide assurance argument
07 - Coordinate security:
- Define coordination objectives
- Identify coordination mechanisms
- Facilitate coordination
- Coordinate decisions and recommendations
08 - Monitor system security posture:
- Analyze event records
- Monitor changes
- Identify incidents
- Monitor safeguards
- Review security posture
- Manage incident response
- Protect monitoring artifacts
09 - Provide security input:
- Understand security input needs
- Determine constraints and considerations
- Identify alternatives
- Analyze engineering alternatives
- Provide engineering guidance
- Provide operational guidance
10 - Specify security needs:
- Gain understanding of protection needs
- Identify applicable laws and regulations
- Identify system security context
- Capture view of system operation
- Define requirements
- Obtain agreement on protection
11 - Verify and validate security:
- Identify V&V targets
- Define V&V approach
- Perform Validation
- Perform verification
- Provide V&V results
Organization:
institutionalization of process areas
implementation of process areas
12 - Ensure Quality
13 - Manage Configurations
14 - Manage Project Risk
15 - Monitor and Control Technical Effort
16 - Plan Technical Effort
17 - Define Systems Engineering Process
18 - Improve Systems Engineering Process
19 - Manage product line evolution
20 - Manage systems engineering support environment
21 - Provide ongoing skills and knowledge
22 - Coordinate with suppliers
Project:
- Ensure Quality
- Manage configurations
- Manage program risk
- Monitor and control technical effort
- Plan technical effort

CMM Rating Framework Capability Level Definitions

Capability Level	Item within level	Achieved?	Value
0 Initial - none:		0
1 Initial:	few processes are defined, and success depends on individual talent and heroic effort	1.0
	1.1 base practices performed		1.0
Total for level per KPA
2 Repeatable:	the necessary process discipline is in place to repeat earlier successes on projects with similar applications	2.0
	requirements management		0.1
	project planning		0.1
	project tracking and oversight		0.1
	subcontract management		0.1
	quality assurance		0.1
	configuration management		0.1
	2.1 - planning performance		0.1
	2.2 - disciplined performance		0.1
	2.3 - verifying performance		0.1
	2.4 - tracking performance		0.1
Total for level per KPA
3 Defined:	the process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects	3.0
	process focus		0.1
	process definition		0.1
	training programs		0.1
	integrated management		0.1
	product engineering		0.1
	Intergroup coordination		0.1
	Peer reviews		0.1
	3.1 - defining a standard process		0.1
	3.2 - perform the defined process		0.1
	3.3 - Coordinate practices		0.1
Total for level per KPA
4 Managed:	both the process and end-products are quantitatively understood and controlled using detailed measures	4.0
	quality management		0.25
	quantitative process management		0.25
	4.1 - establishing measurable performance goals		0.25
	4.2 - objectively managing performance		0.25
Total for level per KPA
5 Optimizing:	continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies	5.0
	defect prevention		0.2
	technology change management		0.2
	process change management		0.2
	4.1 - improving organizational capability		0.2
	4.2 - improving process effectiveness		0.2
Total for level per KPA
Grand totals per KPA

CMM Capability Level Definitions Key Process Areas

Area	Commitment to Perform	Ability to Perform	Activities Performed	Measurement and Analysis	Verifying Implementation
1) Security Risk Management - processes dealing with estimating risk at each of the maturity levels;	.	.	.	.	.
2) Engineering - processes involved with architecting a system and managing security requirements;	.	.	.	.	.
3) Assurance Management - processes dealing with generating, managing, presenting assurance evidence;	.	.	.	.	.
4) Coordination - processes that coordinate security engineering activities with other engineering disciplines.	.	.	.	.	.

CMM Key Process Areas Process Maturation Goals

- controllability: ability to predict, measure, and control cost, schedule, and quality;
- codification: state-of-the-art knowledge is codified within the practices;
- trustability: degree of assurance that practices are performing as intended.

Organizational Maturational Goals

- institutionalization: organization-wide use of defined process;
- integration: organization-wide process integration;
- improvement: continuous process improvement.

Doing a CMM appraisal:

Prepare
	scope appraisal
	plan appraisal
Pre-onsite
	Prepare appraisal team
	Administer questionnaire
	Collect evidence
	Analyze evidence and answers
Onsite phase
	Interview executives
	interview leads and practitioners
	establish findings
	develop rating profile
	report results
Post-appraisal
	Report lessons learned
	Report appraisal outcomes
	Manage appraisal artifacts

The CMM Appraisal Process CMM Appraisal Matrix

Level 5
Level 4
Level 3
Level 2
Level 1
	01	02	03	04	05	06	07	08	09	10	11	12	13	14	15	16	17	18	19	20	21	22