Copyright © 2002 EWA IIT, Inc. (EWA Information & Infrastructure Technologies, Inc.), June 17, 2002. All rights reserved. FOR OFFICIAL USE ONLY.

Presentation transcript:

Slide 1: ISO System Security Engineering Capability Maturity Model

Presented by John W. Lindquist, Founding Member of the HIPAA Alliance, LLC, and President and CEO, EWA Information & Infrastructure Technologies, Inc., Park Center Rd., Ste. 200, Herndon, VA.

[ ]th Annual HIPAA Summit, Session 5.06: On-Going HIPAA Compliance: Securing Tracked Data, March 28, 2003.

Slide 2: Problem

How does management establish and track an information security program when:
- Risks are real
- Risks are nearly infinite
- The information environment is highly dynamic
- Resources are finite

Slide 3: The Need

Protecting information assets against damage and unauthorized disclosure is critical to your organization.

[Chart: share of reported incidents by type. Categories shown: Laptop Theft, Virus, Insider Abuse of Net, Telecomm Fraud, Financial Fraud, System Penetration, Theft of Proprietary Info, Unauthorized Insider, Sabotage, Denial of Service, Telecom Eavesdrop, Active Wiretap. Percentages shown: 29%, 28%, 11%, 6%, 5%, 4%, 3%, 2%.]

Slide 4: Information Assurance

Technology alone won't make you safe.

"Get rid of the techno-babble. This is a management problem." (Steve Katz, CISO, Citibank)

Solutions must address:
- People
- Process
- Technology

Slide 5: Process Maturity and the Risk Management Cost Continuum

[Chart: cost ($) plotted against SSE-CMM process maturity from Level 0 to Level 5, with two curves, "Cost of Not Securing" and "Cost of Securing". Labels on the chart: Security Aversion (Ostrich); Risk Aversion (Paranoia); Risk Management Decisions (Acceptance, Mitigation, Transference, Avoidance); Focused investment in IT Security.]

Slide 6: System Security Engineering Capability Maturity Model

SSE-CMM is both a Model and a Process.

A community-owned model (50 companies / agencies, led by the US National Security Agency (NSA) and the Canadian Communications Security Establishment (CSE)).

The model presents security engineering as a defined, mature and measurable discipline.

The model and appraisal method enable:
- Capability-based assurance, i.e. security/trustworthiness inferred from the maturity of processes
- Focused investment in security engineering tools, training, process definition, management practices and improvements, based on risk assessment and available resources
- Qualifying vendors, suppliers, and organizations connecting to a system

Slide 7: Capability Levels

1 Performed Informally
2 Planned & Tracked
3 Well Defined
4 Quantitatively Controlled
5 Continuously Improving

Slide 8: Baseline, Minimum & Target Profile

[Chart: maturity level (vertical axis) for each process area, PA01, PA02, PA03, PA04a, PA04b, PA05 through PA21 (horizontal axis), with three profiles plotted: baseline, minimum and target.]

Slide 9: System Security Process Areas

PA 01 Specify Security Needs
PA 02 Provide Security Input
PA 03 Verify and Validate Security
PA 04a Threat Assessment
PA 04b Impact Assessment
PA 05 Assess Security Risk
PA 06 Build Assurance Argument
PA 07 Monitor System Security Posture
PA 08 Administer Security Controls
PA 09 Coordinate Security
PA 10 Vulnerability Assessment
PA 11 Ensure Quality
PA 12 Manage Configurations
PA 13 Manage Program Risk
PA 14 Monitor and Control Technical Effort
PA 15 Plan Technical Effort
PA 16 Define Organization's Security Engineering Process
PA 17 Improve Organization's Security Engineering Processes
PA 18 Manage Security Product Line Evolution
PA 19 Manage Security Engineering Support Environment
PA 20 Provide Ongoing Skills and Knowledge
PA 21 Coordinate With Suppliers
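The capability levels, the process areas and the baseline/minimum/target profile chart on the preceding slides fit together as a gap analysis: appraise each process area at one level, compare it with the minimum and target profiles, and put investment where the shortfall is. The Python below is an added example, not code from the deck or from the SSE-CMM (ISO/IEC 21827) publications; the level and process area names are taken from the slides, while the baseline, minimum and target values are constructed for illustration.

```python
# Added example, not from the EWA IIT deck: gap analysis over an SSE-CMM capability
# profile. Level and process area names are the slides'; the numbers are constructed.
CAPABILITY_LEVELS = {  # 0 "Not Performed" is SSE-CMM's name for "below level 1"
    0: "Not Performed", 1: "Performed Informally", 2: "Planned & Tracked",
    3: "Well Defined", 4: "Quantitatively Controlled", 5: "Continuously Improving",
}
PROCESS_AREAS = {
    "PA01": "Specify Security Needs", "PA02": "Provide Security Input",
    "PA03": "Verify and Validate Security", "PA04a": "Threat Assessment",
    "PA04b": "Impact Assessment", "PA05": "Assess Security Risk",
    "PA06": "Build Assurance Argument", "PA07": "Monitor System Security Posture",
    "PA08": "Administer Security Controls", "PA09": "Coordinate Security",
    "PA10": "Vulnerability Assessment", "PA11": "Ensure Quality",
    "PA12": "Manage Configurations", "PA13": "Manage Program Risk",
    "PA14": "Monitor and Control Technical Effort", "PA15": "Plan Technical Effort",
    "PA16": "Define Organization's Security Engineering Process",
    "PA17": "Improve Organization's Security Engineering Processes",
    "PA18": "Manage Security Product Line Evolution",
    "PA19": "Manage Security Engineering Support Environment",
    "PA20": "Provide Ongoing Skills and Knowledge", "PA21": "Coordinate With Suppliers",
}

def validate_profile(profile):
    """A profile maps every process area to exactly one capability level 0..5."""
    missing = set(PROCESS_AREAS) - set(profile)
    if missing:
        raise ValueError(f"profile lacks process areas: {sorted(missing)}")
    bad = {pa: lvl for pa, lvl in profile.items() if lvl not in CAPABILITY_LEVELS}
    if bad:
        raise ValueError(f"levels outside 0..5: {bad}")
    return profile

def gap_analysis(baseline, minimum, target):
    """Rank process areas: those below the minimum profile first (largest shortfall
    first), then by distance to the target. Rows are (pa, shortfall, gap_to_target)."""
    for p in (baseline, minimum, target):
        validate_profile(p)
    rows = [(pa, max(0, minimum[pa] - baseline[pa]), max(0, target[pa] - baseline[pa]))
            for pa in PROCESS_AREAS]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

def investment_focus(baseline, minimum, target):
    """Areas that block a capability-based assurance claim: still below minimum."""
    return [pa for pa, short, _ in gap_analysis(baseline, minimum, target) if short > 0]

# Constructed sample profiles (not appraisal data): minimum is level 2 everywhere,
# target is level 3 for the security PAs (PA01-PA11) and level 2 for the rest.
MINIMUM = {pa: 2 for pa in PROCESS_AREAS}
TARGET = {pa: (3 if pa <= "PA11" else 2) for pa in PROCESS_AREAS}
BASELINE = {**MINIMUM, "PA01": 3, "PA04a": 1, "PA07": 0, "PA10": 1, "PA16": 1}
```

With the constructed baseline, `investment_focus(BASELINE, MINIMUM, TARGET)` returns the four areas below the minimum profile, PA07 first because its shortfall is largest.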

Slide 10: SSE-CMM Usage Scenarios

[Diagram of usage scenarios: Security Assessment; Information Operations; SW Vendor; Services; HW Vendor; Trust Relationships; Business Partners/other units; Qualified Suppliers; Operational Information Assurance; ITS; Business Processes/Military Information Systems.]

Applies to all system types and all classification levels.

Slide 11: Summary

- Can't Protect Everything All The Time
- The Dynamic Environment Requires a Flexible Response
- Effective Information Assurance Must Address People, Process and Technology
- Information Assurance is Risk Management, not Risk Avoidance (There is No Silver Bullet)
- The SSE-CMM is an IA Tool Developed in Consideration of the Above