The Systems Security Engineering Capability Maturity Model - NIST

Transcription

The Systems Security Engineering Capability Maturity Model (SSE-CMM)
Karen Ferraiolo
ISSEA Director of Technical Development
karen.ferraiolo@exodus.net
410-309-1780

Topics
- Why define security engineering practices?
- How can they best be defined?
- Who developed and supports the SSE-CMM?
- What is security engineering?
- How does the SSE-CMM* define practices for security engineering?
- What is the relation between the SSE-CMM and other methods of obtaining assurance?

* SSE-CMM: Systems Security Engineering Capability Maturity Model

Where are we now?
- Security needs are changing
  – global interconnection
  – massive complexity
  – release of beta versions of products
  – evolutionary development of systems

Where are we now? (cont.)
- Security products/systems
  – come to market through: lengthy and expensive evaluation, or no evaluation
  – results: technology growth more rapid than its assimilation; unsubstantiated security claims
- Security services
  – viewed as an art
  – relies on individual expertise
- Secure system operation and maintenance
  – everyone has security concerns
  – improved practices are needed today

The Relevance of Competencies

What is needed?
- Continuity
- Repeatability
- Efficiency
- Assurance

What tools are currently available to address the problem?

Tool        Target                      Benefit
ISO-9000    Quality Assurance Process   Defined Processes
CMMs        Software QA Process         Continuously Improved Processes
CISSP                                   Individual Certification
ISO-13335                               Defined Security Management Processes

CMM: Capability Maturity Model
CISSP: Certification of Information Systems Security Professionals

Why use the CMM approach to define practices?
- Accepted way of defining practices and improving capability
- Increasing use in acquisition as an indicator of capability
- Return on Investment for software indicates success
  – productivity gains per year: 9 - 67%
  – yearly reduction in time to market: 15 - 23%
  – yearly reduction in post-release defect reports: 10 - 94%
  – value returned on each dollar invested: 4 - 8.8%

Statistics from: "Benefits of CMM-Based Software Process Improvement: Initial Results," CMU/SEI-94-TR-13, August 1994

Why was the SSE-CMM developed?
- Objective:
  – advance security engineering as a defined, mature, and measurable discipline
- Project Goal:
  – Develop a mechanism to enable:
    - selection of appropriately qualified security engineering providers
    - focused investments in security engineering practices
    - capability-based assurance

Who developed the SSE-CMM?
- SSE-CMM Project
  – Original work and project infrastructure sponsored by NSA
  – Additional support provided by OSD and Communications Security Establishment (Canada)
  – Collaborative effort by industry and government on their own funding

SSE-CMM Project Participants: 44 Pioneers
- Arca Systems, Inc.
- BDM International Inc.
- Booz-Allen and Hamilton, Inc.
- Communications Security Establishment (Canadian)
- Computer Sciences Corporation
- Data Systems Analysts, Inc.
- Defense Information Systems Agency
- E-Systems
- Electronic Warfare Associates - Canada, Ltd.
- Fuentez Systems Concepts
- G-J Consulting
- GRC International, Inc.
- Harris Corp.
- Hughes Aircraft
- Institute for Computer & Information Sciences
- Institute for Defense Analyses
- Internal Revenue Service
- ITT Aerospace
- JOTA System Security Consultants Inc.
- Lockheed Martin
- Merdan Group, Inc.
- MITRE Corporation
- Mitretek Systems
- Motorola
- National Center for Supercomputing Applications
- National Institute for Standards and Technology
- National Security Agency
- Naval Research Laboratory
- Navy Command, Control, Operations Support Center; Research, Development, Testing, and Evaluation Division (NRaD)
- Northrop Grumman
- Office of the Secretary of Defense
- Oracle Corporation
- pragma Systems Corp.
- San Antonio Air Logistics Center
- Science Applications International Corp.
- SPARTA, Inc.
- Stanford Telecom
- Systems Research & Applications Corp.
- Tax Modernization Institute
- The Sachs Group
- tOmega Engineering
- Trusted Information Systems
- TRW
- Unisys Government Systems

What is ISSEA?*
(diagram: ISSEA, Advisory Council, SSE-CMM Support Organization, Board of Sustaining Members)
- Selected by SSE-CMM Project to continue support
- Non-profit professional membership organization
- Oversees SSO in furthering development and use of the SSE-CMM
- Receives advice and guidance from Advisory Council and Board of Sustaining Members

* ISSEA: International Systems Security Engineering Association

Membership Options
- Organizations
  – Sustaining Membership
  – Charter Sustaining Membership
- Individuals
  – Individual membership

ISSEA's Current Activities
- ISO* Standardization
  – ISSEA approved as Publicly Available Standard (PAS) Submitter
- Annual Conference
  – February 28 - March 2, 2001
- Appraiser Certification
  – developing program for appraiser and facilitator certification
- Training
  – 2 and 4 day courses in model and appraisal method
- SSE Textbook

* ISO: International Organization for Standardization

What is Security Engineering?
- Definition: No precise definition exists today!
- Goals:
  – Understand Security Risks
  – Establish Security Needs
  – Develop Security Guidance
  – Determine Acceptable Risks
  – Establish Assurance

Who practices security engineering?
- Developers
- Product vendors
- Integrators
- Buyers
- Security evaluation organizations
- System administrators
- Consulting/service organizations
- Program/project management

When is security engineering practiced?
- Pre-concept
- Concept exploration and definition
- Demonstration and validation
- Engineering, development, and manufacturing
- Production and deployment
- Operations and support
- Disposal

Who needs to know about security?
- Enterprise Engineering
- Systems Engineering
- Software Engineering
- Human Factors Engineering
- Communications Engineering
- Hardware Engineering
- Test Engineering
- Systems Administration

What do security engineering activities encompass?
- Operations Security
- Information Security
- Network Security
- Physical Security
- Personnel Security
- Administrative Security
- Communications Security
- Emanations Security
- Computer Security

How does the SSE-CMM define best practices?
- Domain Aspect
  – process areas
  – base practices
- Organizational Capability Aspect
  – implementation of process areas
  – institutionalization of process areas

SSE-CMM Base Architecture
- Three Domain Process Categories
  – Security Engineering
  – Project
  – Organization
- Five Capability Levels
  – Performed Informally
  – Planned and Tracked
  – Well Defined
  – Quantitatively Controlled
  – Continuously Improving

SSE-CMM Process (title truncated in transcription; diagram, of which only the label "Organizational Processes" is recoverable)

SSE-CMM Organizational Process Areas
- Define Organization's Security Engineering Process
- Improve Organization's Security Engineering Process
- Manage Security Product Line Evolution
- Manage Security Engineering Support Environment
- Provide Ongoing Skills and Knowledge
- Coordinate with Suppliers

SSE-CMM Project Process Areas
- Ensure Quality
- Manage Configurations
- Manage Program Risk
- Monitor and Control Technical Effort
- Plan Technical Effort

SSE-CMM Engineering Process Areas
- Administer Security Controls
- Assess Impact
- Assess Security Risk
- Assess Threat
- Assess Vulnerability
- Build Assurance Argument
- Coordinate Security
- Monitor Security Posture
- Provide Security Input
- Specify Security Needs
- Verify and Validate Security

The Security Engineering Process (diagram: Product, System, or Process; Process; Risk Information)

Security Risk Area
- Purpose:
  – To identify combinations of threat, vulnerability, and impact that deserve further attention
- Goals:
  – Determine Metrics
  – Gather Threat, Vulnerability, and Impact Information
  – Identify and Assess Risks

What is Risk?
- Definition
  – The expected value (likelihood * consequence) associated with an unwanted event
- Approaches
  – All involve notions of consequence, threat, and vulnerability

Risk Definitions
- Events: threat-vulnerability pairs that lead to unwanted outcomes
- Likelihood: the probability that an unwanted event will occur
(diagram: Likelihood derived from Threat and Vulnerability)

Risk Definitions
- Consequence: the impact, either harm or loss, associated with an exploited vulnerability
- Risk: combines the concepts of likelihood and consequence
(diagram: Risk derived from Likelihood and Consequence)

PA 04: Assess Threat
- Goal: Threats to the security of the system are identified and characterized
- BP 04.01 Identify Natural Threats
- BP 04.02 Identify Man-made Threats
- BP 04.03 Identify Threat Units of Measure
- BP 04.04 Assess Threat Agent Capability
- BP 04.05 Assess Threat Likelihood
- BP 04.06 Monitor Threats and Their Characteristics

PA 05: Assess Vulnerability
- Goal: An understanding of system security vulnerabilities within a defined environment is achieved
- Select Vulnerability Analysis Method
- Identify Vulnerabilities
- Gather Vulnerability Data
- Synthesize System Vulnerability
- Monitor Vulnerabilities and Their Characteristics

PA 02: Assess Impact
- Goal: The security impacts of risks to the system are identified and characterized
- BP 02.01 Prioritize Capabilities
- BP 02.02 Identify System Assets
- BP 02.03 Select Impact Metrics
- BP 02.04 Identify Metric Relationship
- BP 02.05 Identify and Characterize Impacts
- BP 02.06 Monitor Impacts

PA 03: Assess Security Risk
- Goals:
  – An understanding of the security risk associated with operating the system within a defined environment is achieved
  – Risks are prioritized according to a defined methodology
- BP 03.01 Select Risk Analysis Method
- BP 03.02 Exposure Identification
- BP 03.03 Assess Exposure Risk
- BP 03.04 Assess Total Uncertainty
- BP 03.05 Prioritize Risks
- BP 03.06 Monitor Risks and Their Characteristics
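The four Assess process areas feed one calculation. As an added example, not from the presentation, the following Python carries the slides' definitions through end to end: events are threat-vulnerability pairs, risk is likelihood times consequence, and PA 03's prioritization is a sort on that expected value. The threats, vulnerabilities, impact values and the rule that combines threat and vulnerability into an event likelihood are constructed assumptions.

```python
"""Risk as defined on the preceding slides: event = threat-vulnerability pair,
likelihood = probability the event occurs, consequence = impact of the exploited
vulnerability, risk = likelihood * consequence. All inputs below are constructed."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Threat:                 # characterized as in PA 04 (likelihood, agent capability)
    name: str
    likelihood: float         # probability the threat acts against the system per year
    capability: float         # 0..1, how capable the threat agent is

@dataclass(frozen=True)
class Vulnerability:          # characterized as in PA 05
    name: str
    asset: str
    exploitability: float     # 0..1, how readily a capable agent can exploit it

# Impact metric chosen as in PA 02: loss per asset in constructed currency units
IMPACT = {"customer-db": 500_000, "web-portal": 80_000}

def event_likelihood(t: Threat, v: Vulnerability) -> float:
    """Constructed rule: the agent must act, be capable, and the flaw be exploitable."""
    return t.likelihood * t.capability * v.exploitability

def assess_risks(threats, vulns, impact=IMPACT):
    """PA 03: identify exposures, assess each exposure's risk, prioritize.
    Returns (event, likelihood, consequence, risk) rows, highest risk first."""
    rows = []
    for t, v in product(threats, vulns):
        lik = event_likelihood(t, v)
        cons = impact[v.asset]
        rows.append((f"{t.name} -> {v.name}", lik, cons, lik * cons))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def needing_attention(rows, threshold):
    """Security Risk Area purpose: the combinations that deserve further attention."""
    return [r[0] for r in rows if r[3] >= threshold]

THREATS = [Threat("internet-borne attacker", 0.9, 0.7),
           Threat("trusted insider", 0.2, 0.9)]
VULNS = [Vulnerability("input handling flaw", "web-portal", 0.8),
         Vulnerability("missing patch on db host", "customer-db", 0.5)]

if __name__ == "__main__":
    for event, lik, cons, risk in assess_risks(THREATS, VULNS):
        print(f"{event:50s} L={lik:.3f} C={cons:>8} R={risk:10.0f}")
```

Note that the most likely event (the capable external agent against the easily exploited portal flaw) ranks only third: the rarer event against the high-value database dominates once consequence is multiplied in.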

What Is Assurance?
- Definition:
  – "the degree of confidence that security needs are satisfied"
- What are security needs?
- What is confidence?
- How can we measure?

Assurance Area
- Purpose:
  – To generate and communicate confidence that the enterprise has satisfied its security needs
- Goals:
  – Appropriate evidence is collected efficiently
  – Clear and convincing argument establishing confidence is created

The (title truncated in transcription; diagram: many other PAs contributing Evidence)

Assurance Arguments (diagram: Top Argument, Technology Argument)

PA 11: Verify and Validate Security
- Goals:
  – Solutions meet security requirements
  – Solutions meet the customer's operational security needs
- Identify Verification and Validation Targets
- Define Verification and Validation Approach
- Perform Verification
- Perform Validation
- Provide Verification and Validation Results

PA 06: Build Assurance Argument
- Goal: The work products and processes clearly provide the evidence that the customer's security needs have been satisfied
- Identify Assurance Objectives
- Define Assurance Strategy
- Control Assurance Evidence
- Analyze Evidence
- Provide Assurance Argument

What is Engineering?
- Solving problems
  – Requirements
  – Identify candidate solutions
  – Tradeoff analyses
  – System configuration
- Part of overall systems processes
  – Not an isolated activity
  – Must balance considerations of performance, safety, human factors, etc.

Security Engineering Area
- Purpose:
  – To solve engineering problems involving security
- Goals:
  – Determine customer security needs
  – Develop solutions and guidance on security issues
  – Coordinate with other engineering groups
  – Monitor security posture

The (title truncated in transcription; diagram labels: Requirements, Policy, Security; Security Solutions, Guidance, Controls)

PA 10: Specify Security Needs
- Goal: A common understanding of security needs is reached between all parties, including the customer
- BP 10.01 Gain Understanding of Customer's Security Needs
- BP 10.02 Identify Applicable Laws, Policies, and Constraints
- BP 10.03 Identify System Security Context
- BP 10.04 Capture Security View of System Operation
- BP 10.05 Capture Security High-Level Goals
- BP 10.06 Define Security Related Requirements
- BP 10.07 Obtain Agreement

PA 09: Provide Security Input
- Goals:
  – All system issues are reviewed for security implications and are resolved in accordance with security goals
  – All members of the project team have an understanding of security so they can perform their functions
  – The solution reflects the security input
- BP 09.01 Understand Security Input Needs
- BP 09.02 Determine Security Constraints and Considerations
- BP 09.03 Identify Security Alternatives
- BP 09.04 Analyze Security of Engineering Alternatives
- BP 09.05 Provide Security Related Guidance
- BP 09.06 Provide Operational Security Guidance

PA 07: Coordinate Security
- Goals:
  – All members of the project team are aware of and involved with security engineering activities to the extent necessary to perform their functions
  – Decisions and recommendations related to security are communicated and coordinated
- BP 07.01 Define Coordination Objectives
- BP 07.02 Identify Coordination Mechanisms
- BP 07.03 Facilitate Coordination
- BP 07.04 Coordinate Security Decisions and Recommendations

PA 01: Administer Security Controls
- Goal: Security controls are properly configured and used
- BP 01.01 Establish Security Responsibilities
- BP 01.02 Manage Security Configuration
- BP 01.03 Manage Security Awareness, Training, and Education Programs
- BP 01.04 Manage Security Services and Control Mechanisms

PA 08: Monitor Security Posture
- Goals:
  – Both internal and external security related events are detected and tracked
  – Incident responses are in accordance with policy
  – Changes to the operational security posture are identified and handled in accordance with the security objectives
- BP 08.01 Analyze Event Records
- BP 08.02 Monitor Changes
- BP 08.03 Identify Security Incidents
- BP 08.04 Monitor Security Safeguards
- BP 08.05 Review Security Posture
- BP 08.06 Manage Security Incident Response
- BP 08.07 Protect Security Monitoring Artifacts

Organizational Capability Measures (incremental improvement)
- 5 Continuously Improving
  – Improve organizational capability
  – Improve process effectiveness
- 4 Quantitatively Controlled
  – Establish measurable quality goals
  – Objectively manage performance
- 3 Well-Defined
  – Define a standard process
  – Perform the defined process
  – Coordinate practices
- 2 Planned and Tracked
  – Plan Performance
  – Disciplined Performance
  – Verify Performance
  – Track Performance
- 1 Performed Informally
  – Base Practices Performed

SSE-CMM Model (diagram: Process Areas plotted against Process Features, with a Capability Level axis)

Applying Capability Measures to Base Practices: the Rating Profile (chart: Capability Level 0 to 5 on the vertical axis, Process Areas PA01 to PA05 on the horizontal axis)
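How a rating profile is derived from the capability measures on the previous slide, as an added example that is not part of the presentation. It assumes the cumulative rule that a process area reaches level N only when every common feature of level N and of every lower level is implemented; the appraisal evidence for the five PAs is constructed.

```python
"""Rating profile: rate each process area (PA) by the common features it
exhibits. Assumption (not stated on the slides): a PA reaches level N only when
all common features of level N and of all lower levels are implemented."""

# Common features per capability level, from the
# "Organizational Capability Measures" slide.
COMMON_FEATURES = {
    1: {"Base Practices Performed"},
    2: {"Plan Performance", "Disciplined Performance",
        "Verify Performance", "Track Performance"},
    3: {"Define a standard process", "Perform the defined process",
        "Coordinate practices"},
    4: {"Establish measurable quality goals", "Objectively manage performance"},
    5: {"Improve organizational capability", "Improve process effectiveness"},
}

def capability_level(implemented: set) -> int:
    """Highest level whose features, and all lower levels' features, are all
    implemented. A PA whose base practices are not even performed is level 0."""
    level = 0
    for n in sorted(COMMON_FEATURES):
        if COMMON_FEATURES[n] <= implemented:
            level = n
        else:
            break          # a gap at level n caps the rating, whatever is above it
    return level

def rating_profile(evidence: dict) -> dict:
    """Map each PA to its capability level; evidence is PA -> implemented features."""
    return {pa: capability_level(feats) for pa, feats in evidence.items()}

# Constructed appraisal evidence for the five PAs shown on the slide
EVIDENCE = {
    "PA01": COMMON_FEATURES[1] | COMMON_FEATURES[2] | COMMON_FEATURES[3],
    "PA02": COMMON_FEATURES[1] | COMMON_FEATURES[2],
    # A standard process is defined and followed, but performance is never
    # verified: the level-2 gap caps the rating at 1 despite the level-3 features.
    "PA03": COMMON_FEATURES[1] | (COMMON_FEATURES[2] - {"Verify Performance"})
            | COMMON_FEATURES[3],
    "PA04": set(),
    "PA05": COMMON_FEATURES[1],
}

if __name__ == "__main__":
    for pa, level in rating_profile(EVIDENCE).items():
        print(f"{pa}: level {level}")
```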

The SSE-CMM Appraisal Process
- Planning Phase
  – Scope Appraisal
  – Collect Preliminary Evidence
  – Plan Appraisal
- Preparation Phase and On-Site Phase (activities as listed on the slide)
  – Prepare Appraisal Team
  – Executive Brief/Opening
  – Interview Leads/Practitioners
  – Analyze Data
  – Establish Findings
  – Develop Rating Profile
  – Conduct Wrap Up
  – Develop Final Report
  – Report Appraisal Outcomes to Sponsor
  – Manage Records
  – Manage Appraisal Artifacts
  – Report Lessons Learned

Using the SSE-CMM (diagram: SSE-CMM linked to Acquisition Decisions, Product Vendors, System Development, Service Providers, Compliance, Critical Business Operations)

Where is it taking hold?
- US National Security Agency (NSA)
  – evaluating INFOSEC assessors' capability
  – trusted product evaluation support
  – applying within to improve
- Canadian Communications Security Establishment (CSE)
  – evaluating contractors' capability
  – trusted product evaluation support
  – best practices for Canadian CERTs
- United States Agency for International Development
  – framework for model security program
  – component of best practices framework
- Internal Revenue Service Information Systems
  – pilot program for improving security practices
- SSE-CMM Project Pilot Program
  – organizations used results to improve practices

Contributors to Product/Project (title truncated in transcription; diagram labels: Process, People, Technology)

Determining the right combination (diagram: Top Argument, Technology Argument)

Reference: Williams, Jeffrey; Jelen, George, "A Framework for Reasoning about Assurance," April 23, 1998

Summary
- Why define best practices?
  – Focus investments in security engineering practices
- How can they best be defined?
  – Use an accepted and proven mechanism
- What is security engineering?
  – No precise definition, but can discuss goals
- How does the SSE-CMM define best practices?
  – Domain base practices
  – Capability measures
- What is the relation between the SSE-CMM and other methods of obtaining assurance?
  – SSE-CMM guides effectiveness of process
  – all contribute to assurance

For More Information
- International Systems Security Engineering Association: www.issea.org
- Systems Security Engineering Capability Maturity Model: www.sse-cmm.org