Transcription
The Systems Security Engineering Capability Maturity Model (SSE-CMM)
Karen Ferraiolo
ISSEA Director of Technical Development
karen.ferraiolo@exodus.net
410-309-1780

Topics
- Why define security engineering practices?
- How can they best be defined?
- Who developed and supports the SSE-CMM?
- What is security engineering?
- How does the SSE-CMM* define practices for security engineering?
- What is the relation between the SSE-CMM and other methods of obtaining assurance?
* SSE-CMM: Systems Security Engineering Capability Maturity Model
Where are we now?
- Security needs are changing
  - global interconnection
  - massive complexity
  - release of beta versions of products
  - evolutionary development of systems

Where are we now? (cont.)
- Security products/systems
  - come to market through: lengthy and expensive evaluation, or no evaluation
  - results: technology growth more rapid than its assimilation; unsubstantiated security claims
- Security services
  - viewed as an art
  - rely on individual expertise
- Secure system operation and maintenance
  - everyone has security concerns
  - improved practices are needed today
The Relevance of Competencies
(figure)

What is needed?
- Continuity
- Repeatability
- Efficiency
- Assurance
What tools are currently available to address the problem?

Tool        Target                    Benefit
ISO-9000    Quality Assurance         Defined Processes
CMMs        Software QA Process       Continuously Improved Processes
CISSP       Individual Certification
ISO-13335                             Defined Security Management Processes

CMM: Capability Maturity Model
CISSP: Certification of Information Systems Security Professionals
Why use the CMM approach to define practices?
- Accepted way of defining practices and improving capability
- Increasing use in acquisition as an indicator of capability
- Return on Investment for software indicates success
  - productivity gains per year: 9 - 67%
  - yearly reduction in time to market: 15 - 23%
  - yearly reduction in post-release defect reports: 10 - 94%
  - value returned on each dollar invested: 4 - 8.8%
Statistics from: "Benefits of CMM-Based Software Process Improvement: Initial Results," CMU/SEI-94-TR-13, August 1994
Why was the SSE-CMM developed?
- Objective:
  - advance security engineering as a defined, mature, and measurable discipline
- Project Goal:
  - Develop a mechanism to enable:
    - selection of appropriately qualified security engineering providers
    - focused investments in security engineering practices
    - capability-based assurance

Who developed the SSE-CMM?
- SSE-CMM Project
  - Original work and project infrastructure sponsored by NSA
  - Additional support provided by OSD and Communications Security Establishment (Canada)
  - Collaborative effort by industry and government on their own funding
SSE-CMM Project Participants: 44 Pioneers
- Arca Systems, Inc.
- BDM International Inc.
- Booz-Allen and Hamilton, Inc.
- Communications Security Establishment (Canadian)
- Computer Sciences Corporation
- Data Systems Analysts, Inc.
- Defense Information Systems Agency
- E-Systems
- Electronic Warfare Associates - Canada, Ltd.
- Fuentez Systems Concepts
- G-J Consulting
- GRC International, Inc.
- Harris Corp.
- Hughes Aircraft
- Institute for Computer & Information Sciences
- Institute for Defense Analyses
- Internal Revenue Service
- ITT Aerospace
- JOTA System Security Consultants Inc.
- Lockheed Martin
- Merdan Group, Inc.
- MITRE Corporation
- Mitretek Systems
- Motorola
- National Center for Supercomputing Applications
- National Institute for Standards and Technology
- National Security Agency
- Naval Research Laboratory
- Navy Command, Control, Operations Support Center; Research, Development, Testing, and Evaluation Division (NRaD)
- Northrop Grumman
- Office of the Secretary of Defense
- Oracle Corporation
- pragma Systems Corp.
- San Antonio Air Logistics Center
- Science Applications International Corp.
- SPARTA, Inc.
- Stanford Telecom
- Systems Research & Applications Corp.
- Tax Modernization Institute
- The Sachs Group
- stOmega Engineering
- Trusted Information Systems
- TRW
- Unisys Government Systems
What is ISSEA?*
(diagram: ISSEA with an Advisory Council, an SSE-CMM Support Organization (SSO), and a Board of Sustaining Members)
- Selected by SSE-CMM Project to continue support
- Non-profit professional membership organization
- Oversees SSO in furthering development and use of the SSE-CMM
- Receives advice and guidance from Advisory Council and Board of Sustaining Members
* ISSEA: International Systems Security Engineering Association

Membership Options
- Organizations
  - Sustaining Membership
  - Charter Sustaining Membership
- Individuals
  - Individual membership

ISSEA's Current Activities
- ISO* Standardization
  - ISSEA approved as Publicly Available Standard (PAS) Submitter
- Annual Conference
  - February 28 - March 2, 2001
- Appraiser Certification
  - developing program for appraiser and facilitator certification
- Training
  - 2 and 4 day courses in model and appraisal method
- SSE Textbook
* ISO: International Organization for Standardization
What is Security Engineering?
- Definition: No precise definition exists today!
- Goals:
  - Understand Security Risks
  - Establish Security Needs
  - Develop Security Guidance
  - Determine Acceptable Risks
  - Establish Assurance

Who practices security engineering?
- Developers
- Product vendors
- Integrators
- Buyers
- Security evaluation organizations
- System administrators
- Consulting/service organizations
- Program/project management

When is security engineering practiced?
- Pre-concept
- Concept exploration and definition
- Demonstration and validation
- Engineering, development, and manufacturing
- Production and deployment
- Operations and support
- Disposal

Who needs to know about security?
- Enterprise Engineering
- Systems Engineering
- Software Engineering
- Human Factors Engineering
- Communications Engineering
- Hardware Engineering
- Test Engineering
- Systems Administration

What do security engineering activities encompass?
- Operations Security
- Information Security
- Network Security
- Physical Security
- Personnel Security
- Administrative Security
- Communications Security
- Emanations Security
- Computer Security
How does the SSE-CMM define best practices?
- Domain Aspect
  - process areas
  - base practices
- Organizational Capability Aspect
  - implementation of process areas
  - institutionalization of process areas

SSE-CMM Base Architecture
- Three Domain Process Categories
  - Security Engineering
  - Project
  - Organization
- Five Capability Levels
  - Performed Informally
  - Planned and Tracked
  - Well Defined
  - Quantitatively Controlled
  - Continuously Improving

SSE-CMM Process Areas
(diagram; legible label: Organizational Processes)

SSE-CMM Organizational Process Areas
- Define Organization's Security Engineering Process
- Improve Organization's Security Engineering Process
- Manage Security Product Line Evolution
- Manage Security Engineering Support Environment
- Provide Ongoing Skills and Knowledge
- Coordinate with Suppliers

SSE-CMM Project Process Areas
- Ensure Quality
- Manage Configurations
- Manage Program Risk
- Monitor and Control Technical Effort
- Plan Technical Effort

SSE-CMM Engineering Process Areas
- Administer Security Controls
- Assess Impact
- Assess Security Risk
- Assess Threat
- Assess Vulnerability
- Build Assurance Argument
- Coordinate Security
- Monitor Security Posture
- Provide Security Input
- Specify Security Needs
- Verify and Validate Security
The Security Engineering Process
(diagram: Product, System, or Process; Process; Risk Information)
Security Risk Area
- Purpose:
  - To identify combinations of threat, vulnerability, and impact that deserve further attention
- Goals:
  - Determine Metrics
  - Gather Threat, Vulnerability, and Impact Information
  - Identify and Assess Risks

What is Risk?
- Definition
  - The expected value (likelihood * consequence) associated with an unwanted event
- Approaches
  - All involve notions of consequence, threat, and vulnerability

Risk Definitions
- Events: threat-vulnerability pairs that lead to unwanted outcomes
- Likelihood: the probability that an unwanted event will occur
(diagram: Likelihood derived from Threat and Vulnerability)

Risk Definitions
- Consequence: the impact, either harm or loss, associated with an exploited vulnerability
- Risk: combines the concepts of likelihood and consequence
(diagram: Risk derived from Likelihood and Consequence)
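The following is an added example, not part of the original slides, that carries the risk definitions above through in code: events are threat-vulnerability pairs, likelihood is derived from threat and vulnerability, consequence is the impact on the exposed asset, and risk is the expected value likelihood * consequence. It also ranks the events by expected loss, which is what the "Identify and Assess Risks" goal of the Security Risk Area asks for. The threats, vulnerabilities, impact values, the applicable pairs, and the rule that event likelihood is the product of the threat's probability of acting and the vulnerability's exploitability are all assumptions of this example; the SSE-CMM does not prescribe a particular formula.

```python
"""Expected-value risk assessment over threat-vulnerability pairs.

Constructed example: threats, vulnerabilities, impact values, the
applicable pairs and the likelihood composition rule are all assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability (per year) that this threat agent acts


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str             # the asset the weakness exposes
    exploitability: float  # probability that an attempt on this weakness succeeds


@dataclass(frozen=True)
class RiskEvent:
    """A threat-vulnerability pair that leads to an unwanted outcome."""
    threat: Threat
    vulnerability: Vulnerability
    consequence: float  # impact (loss, here in dollars) if the event occurs

    @property
    def likelihood(self) -> float:
        # Assumption: event likelihood is the threat's probability of acting
        # times the probability that the vulnerability can be exploited.
        return self.threat.likelihood * self.vulnerability.exploitability

    @property
    def risk(self) -> float:
        # Risk as expected value: likelihood * consequence.
        return self.likelihood * self.consequence


def identify_events(threats, vulnerabilities, impacts, pairs):
    """Form RiskEvents for the (threat, vulnerability) pairs judged applicable.

    impacts maps asset name -> consequence; pairs lists (threat name, vuln name).
    """
    by_threat = {t.name: t for t in threats}
    by_vuln = {v.name: v for v in vulnerabilities}
    events = []
    for t_name, v_name in pairs:
        vuln = by_vuln[v_name]
        events.append(RiskEvent(by_threat[t_name], vuln, impacts[vuln.asset]))
    return events


def prioritize(events):
    """Rank events by expected loss, highest first."""
    return sorted(events, key=lambda e: e.risk, reverse=True)


def risk_register(events):
    """Rows of (threat, vulnerability, likelihood, consequence, risk), ranked."""
    return [
        (e.threat.name, e.vulnerability.name, round(e.likelihood, 4),
         e.consequence, round(e.risk, 2))
        for e in prioritize(events)
    ]


def total_expected_loss(events):
    """Sum of expected losses over all identified events."""
    return round(sum(e.risk for e in events), 2)


# Constructed sample input (illustrative values only).
THREATS = [
    Threat("external attacker", 0.8),
    Threat("malicious insider", 0.2),
    Threat("flood", 0.05),
]
VULNERABILITIES = [
    Vulnerability("unpatched web server", "customer database", 0.5),
    Vulnerability("shared admin password", "customer database", 0.6),
    Vulnerability("server room below flood line", "data center", 0.9),
]
IMPACTS = {"customer database": 500_000.0, "data center": 2_000_000.0}
PAIRS = [
    ("external attacker", "unpatched web server"),
    ("external attacker", "shared admin password"),
    ("malicious insider", "shared admin password"),
    ("flood", "server room below flood line"),
]


def sample_events():
    return identify_events(THREATS, VULNERABILITIES, IMPACTS, PAIRS)


def sample_register():
    return risk_register(sample_events())


if __name__ == "__main__":
    for row in sample_register():
        print(row)
    print("total expected loss:", total_expected_loss(sample_events()))
```

Note that the same vulnerability appears in two events with different threats and therefore different risk values; ranking is done per event, not per vulnerability, which is why the register keeps the threat column.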
The ... (figure; remainder of slide title not recovered)

PA 04: Assess Threat
Goal: Threats to the security of the system are identified and characterized
- BP.04.01 Identify Natural Threats
- BP.04.02 Identify Man-made Threats
- BP.04.03 Identify Threat Units of Measure
- BP.04.04 Assess Threat Agent Capability
- BP.04.05 Assess Threat Likelihood
- BP.04.06 Monitor Threats and Their Characteristics

PA 05: Assess Vulnerability
Goal: An understanding of system security vulnerabilities within a defined environment is achieved
- Select Vulnerability Analysis Method
- Identify Vulnerabilities
- Gather Vulnerability Data
- Synthesize System Vulnerability
- Monitor Vulnerabilities and Their Characteristics

PA 02: Assess Impact
Goal: The security impacts of risks to the system are identified and characterized
- BP.02.01 Prioritize Capabilities
- BP.02.02 Identify System Assets
- BP.02.03 Select Impact Metrics
- BP.02.04 Identify Metric Relationship
- BP.02.05 Identify and Characterize Impacts
- BP.02.06 Monitor Impacts

PA 03: Assess Security Risk
Goals:
- An understanding of the security risk associated with operating the system within a defined environment is achieved
- Risks are prioritized according to a defined methodology
Base practices:
- BP.03.01 Select Risk Analysis Method
- BP.03.02 Exposure Identification
- BP.03.03 Assess Exposure Risk
- BP.03.04 Assess Total Uncertainty
- BP.03.05 Prioritize Risks
- BP.03.06 Monitor Risks and Their Characteristics
The Security Engineering Process
(diagram repeated as section divider: Product, System, or Process; Process; Risk Information)

What Is Assurance?
- Definition: "the degree of confidence that security needs are satisfied"
- What are security needs?
- What is confidence?
- How can we measure?

Assurance Area
- Purpose:
  - To generate and communicate confidence that the enterprise has satisfied its security needs
- Goals:
  - Appropriate evidence is collected efficiently
  - Clear and convincing argument establishing confidence is created
The ... (figure; remainder of slide title not recovered)
(figure labels: Many other PAs; Evidence)

Assurance Arguments
(figure: Top Argument; Technology Argument)

PA 11: Verify and Validate Security
Goals:
- Solutions meet security requirements
- Solutions meet the customer's operational security needs
Base practices:
- Identify Verification and Validation Targets
- Define Verification and Validation Approach
- Perform Verification
- Perform Validation
- Provide Verification and Validation Results

PA 06: Build Assurance Argument
Goal: The work products and processes clearly provide the evidence that the customer's security needs have been met
- Identify Assurance Objectives
- Define Assurance Strategy
- Control Assurance Evidence
- Analyze Evidence
- Provide Assurance Argument
The Security Engineering Process
(diagram repeated as section divider: Product, System, or Process; Process; Risk Information)

What is Engineering?
- Solving problems
  - Requirements
  - Identify candidate solutions
  - Tradeoff analyses
  - System configuration
- Part of overall systems processes
  - Not an isolated activity
  - Must balance considerations of performance, safety, human factors, etc.

Security Engineering Area
- Purpose:
  - To solve engineering problems involving security
- Goals:
  - Determine customer security needs
  - Develop solutions and guidance on security issues
  - Coordinate with other engineering groups
  - Monitor security posture

The ... (figure; slide title not recovered)
(legible figure labels: Requirements, Policy; Security Solutions, Guidance; Controls)
PA 10: Specify Security Needs
Goal: A common understanding of security needs is reached between all parties, including the customer
- BP.10.01 Gain Understanding of Customer's Security Needs
- BP.10.02 Identify Applicable Laws, Policies, and Constraints
- BP.10.03 Identify System Security Context
- BP.10.04 Capture Security View of System Operation
- BP.10.05 Capture Security High-Level Goals
- BP.10.06 Define Security Related Requirements
- BP.10.07 Obtain Agreement

PA 09: Provide Security Input
Goals:
- All system issues are reviewed for security implications and are resolved in accordance with security goals
- All members of the project team have an understanding of security so they can perform their functions
- The solution reflects the security input provided
Base practices:
- BP.09.01 Understand Security Input Needs
- BP.09.02 Determine Security Constraints and Considerations
- BP.09.03 Identify Security Alternatives
- BP.09.04 Analyze Security of Engineering Alternatives
- BP.09.05 Provide Security Related Guidance
- BP.09.06 Provide Operational Security Guidance

PA 07: Coordinate Security
Goals:
- All members of the project team are aware of and involved with security engineering activities to the extent necessary to perform their functions
- Decisions and recommendations related to security are communicated and coordinated
Base practices:
- BP.07.01 Define Coordination Objectives
- BP.07.02 Identify Coordination Mechanisms
- BP.07.03 Facilitate Coordination
- BP.07.04 Coordinate Security Decisions and Recommendations

PA 01: Administer Security Controls
Goal: Security controls are properly configured and used
- BP.01.01 Establish Security Responsibilities
- BP.01.02 Manage Security Configuration
- BP.01.03 Manage Security Awareness, Training, and Education Programs
- BP.01.04 Manage Security Services and Control Mechanisms

PA 08: Monitor Security Posture
Goals:
- Both internal and external security related events are detected and tracked
- Incident responses are in accordance with policy
- Changes to the operational security posture are identified and handled in accordance with the security objectives
Base practices:
- BP.08.01 Analyze Event Records
- BP.08.02 Monitor Changes
- BP.08.03 Identify Security Incidents
- BP.08.04 Monitor Security Safeguards
- BP.08.05 Review Security Posture
- BP.08.06 Manage Security Incident Response
- BP.08.07 Protect Security Monitoring Artifacts
Organizational Capability Measures (incremental improvement)
- 5 Continuously Improving
  - Improve organizational capability
  - Improve process effectiveness
- 4 Quantitatively Controlled
  - Establish measurable quality goals
  - Objectively manage performance
- 3 Well-Defined
  - Define a standard process
  - Perform the defined process
  - Coordinate practices
- 2 Planned and Tracked
  - Plan Performance
  - Disciplined Performance
  - Verify Performance
  - Track Performance
- 1 Performed Informally
  - Base Practices Performed

SSE-CMM Model ... (figure; slide title partially lost)
(figure labels: Process Areas; Process Features; Capability Level 0-3)

Applying Capability Measures to Base Practices: the Rating Profile
(bar chart: Capability Level 0-5 on the vertical axis, Process Areas PA01-PA05 on the horizontal axis)
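As an added example (not part of the original slides), the following code turns the capability measures and the rating profile into something an appraisal team could compute: each process area is credited with the process features it has evidence for, its capability level is the highest level whose features, and all lower levels' features, are satisfied, and the resulting profile is rendered as a text version of the bar chart. The feature names per level are the ones on the "Organizational Capability Measures" slide; the evidence for PA01 through PA05 is constructed, and the "all features of this and every lower level" rating rule is an assumption of this example rather than a rule quoted from the SSE-CMM appraisal method.

```python
"""Rating profile: capability level per process area.

Added example. Feature names per level come from the capability-measures
slide; the evidence sets and the rating rule are assumptions of this example.
"""

CAPABILITY_FEATURES = {
    1: ("Base Practices Performed",),
    2: ("Plan Performance", "Disciplined Performance",
        "Verify Performance", "Track Performance"),
    3: ("Define a standard process", "Perform the defined process",
        "Coordinate practices"),
    4: ("Establish measurable quality goals", "Objectively manage performance"),
    5: ("Improve organizational capability", "Improve process effectiveness"),
}


def capability_level(satisfied):
    """Highest level whose features, and all lower levels' features, are satisfied.

    Returns 0 when even the base practices are not performed.
    """
    level = 0
    for n in sorted(CAPABILITY_FEATURES):
        if all(f in satisfied for f in CAPABILITY_FEATURES[n]):
            level = n
        else:
            break  # a gap at this level caps the rating, whatever is satisfied above it
    return level


def next_level_gap(satisfied):
    """Features still missing for the next capability level ([] when already at 5)."""
    nxt = capability_level(satisfied) + 1
    if nxt not in CAPABILITY_FEATURES:
        return []
    return [f for f in CAPABILITY_FEATURES[nxt] if f not in satisfied]


def rating_profile(evidence):
    """Map each process area name to its rated capability level."""
    return {pa: capability_level(feats) for pa, feats in evidence.items()}


def render_profile(profile, max_level=5):
    """Text form of the slide's bar chart: one row per level, highest on top."""
    pas = list(profile)
    rows = []
    for lvl in range(max_level, 0, -1):
        cells = " ".join("##" if profile[pa] >= lvl else "  " for pa in pas)
        rows.append(f"{lvl} | {cells}")
    rows.append("  +-" + "-" * (3 * len(pas)))
    rows.append("    " + " ".join(pa[-2:] for pa in pas))
    return "\n".join(rows)


def features_through(n):
    """All features of levels 1..n (helper for building evidence sets)."""
    return {f for lvl in range(1, n + 1) for f in CAPABILITY_FEATURES[lvl]}


# Constructed appraisal evidence: which process features each PA satisfies.
EVIDENCE = {
    "PA01": features_through(3),
    # PA02 performs its base practices and has started level-2 and level-3
    # features, but two level-2 features are missing, so it rates at level 1.
    "PA02": {"Base Practices Performed", "Plan Performance",
             "Disciplined Performance", "Define a standard process"},
    "PA03": features_through(2),
    "PA04": set(),
    "PA05": features_through(4) | {"Improve organizational capability"},
}


def sample_profile():
    return rating_profile(EVIDENCE)


if __name__ == "__main__":
    profile = sample_profile()
    print(render_profile(profile))
    for pa, feats in EVIDENCE.items():
        print(pa, "level", profile[pa], "missing for next level:", next_level_gap(feats))
```

The point the PA02 case makes is that a rating profile is not a count of satisfied features: a process area that has adopted some level-3 practices but still does not verify and track performance rates at level 1, and the gap list tells the organization where the next investment belongs.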
The SSE-CMM Appraisal Process
(flow diagram with three phases: Planning Phase, Preparation Phase, On-Site Phase)
Planning Phase:
- Scope Appraisal
- Collect Preliminary Evidence
- Plan Appraisal
Preparation Phase:
- Prepare Appraisal Team
On-Site Phase and reporting:
- Executive Brief/Opening
- Interview Leads/Practitioners
- Analyze Data
- Establish Findings
- Develop Rating Profile
- Conduct Wrap Up
- Develop Final Report
- Report Appraisal Outcomes to Sponsor
- Manage Records
- Manage Appraisal Artifacts
- Report Lessons Learned

Using the SSE-CMM
(diagram: SSE-CMM at the center, linked to Acquisition Decisions, Product Vendors, System Development, Service Providers, Compliance, and Critical Business Operations)
Where is it taking hold?
- US National Security Agency (NSA)
  - evaluating INFOSEC assessors' capability
  - trusted product evaluation support
  - applying within to improve
- Canadian Communications Security Establishment (CSE)
  - evaluating contractors' capability
  - trusted product evaluation support
  - best practices for Canadian CERTs
- United States Agency for International Development
  - framework for model security program
  - component of best practices framework
- Internal Revenue Service Information Systems
  - pilot program for improving security practices
- SSE-CMM Project Pilot Program
  - organizations used results to improve practices

Contributors to Product/Project ... (figure; slide title partially lost)
(figure labels: Process, People, Technology)

Determining the right combination
(figure: Top Argument; Technology Argument)
Reference: Williams, Jeffrey; Jelen, George, "A Framework for Reasoning about Assurance," April 23, 1998
Summary
- Why define best practices?
  - Focus investments in security engineering practices
- How can they best be defined?
  - Use an accepted and proven mechanism
- What is security engineering?
  - No precise definition, but can discuss goals
- How does the SSE-CMM define best practices?
  - Domain base practices
  - Capability measures
- What is the relation between the SSE-CMM and other methods of obtaining assurance?
  - SSE-CMM guides effectiveness of process
  - all contribute to assurance

For More Information
International Systems Security Engineering Association: www.issea.org
Systems Security Engineering Capability Maturity Model: www.sse-cmm.org