Published by Christina Thomas. Modified over 9 years ago.
1
next level solutions
Security: It’s Just Good Systems Engineering
Ronda R. Henning
Harris Corporation
Rhenning@harris.com
2
Introduction
Security engineering is a “black art”
– A high risk item to cost and schedule
– Limited skilled personnel
– Criteria for completion beyond control of customer organization
– Mission requirements & security requirements conflict
3
A potential solution
The Common Criteria for IT Security Evaluation (ISO 15048)
– Provides a standard notation for requirements
– Categorizes system security
    Functional – what the system does
    Assurance – the lifecycle processes that “assure” a system performs correctly
Evolving case law from COTS product use
– National Information Assurance Partnership
– Common Criteria Interpretations
4
Assurance
“Grounds for confidence that an entity meets its security objectives”
Evaluation Assurance Level (EAL)
– Defines specific criteria for each category
– Higher the category, greater the formalism
Assessment done by a third party
5
Assurance Requirements
Categorized in 7 areas:
1. Configuration Management
2. Delivery and Operation
3. Development Correspondence
4. User Guidance
5. Lifecycle Support
6. Testing
7. Vulnerability Assessment
6
In Perspective
The CMMI
– Integrated guidance on product and process development activities
– Integrated content from varied disciplines
– Process framework areas are:
    Project Management
    Support
    Engineering
    Process Management
7
More Perspective
iCMM – FAA variant
CMM Process Categories
– Management
– Life Cycle
– Support
A trend: supporting processes that are designed to improve relative quality of a system in operational use.
8
A Correspondence Exercise

| FAA-iCMM v2.0 Process Area | CMMI-SE/SW/IPPD*/A** Process Area | Common Criteria Assurance Class/Family |
|---|---|---|
| PA 00 Integrated Enterprise Management | *Organizational Environment for Integration; Organizational Process Performance | |
| PA 01 Needs | Requirements Development | Functional Specification (ADV_FSP) |
| PA 02 Requirements | Requirements Development; Requirements Management | Representation Correspondence (ADV_RCR) |
9
A Correspondence Exercise

| FAA-iCMM v2.0 Process Area | CMMI-SE/SW/IPPD*/A** Process Area | Common Criteria Assurance Class/Family |
|---|---|---|
| PA 03 Design | Technical Solution | High-level Design (ADV_HLD); Security Policy Modeling (ADV_SPM) |
| PA 06 Design Implementation | Technical Solution | Implementation Representation (ADV_IMP); TSF Internals (ADV_INT); Low Level Design (ADV_LLD) |
10
Summary of Correspondence
All Common Criteria Assurance Class families have a home in the CMMI/iCMM process areas
Common Criteria emphasizes:
– Correctness in Implementation Correspondence
– Test Coverage
– Configuration Management
11
A Caveat
Risk is “different”
– Normally defined as impediments to achievement from perspective of mission functionality vs. cost or schedule
In Security Parlance
– Risk is the probability of compromise or exploitation of a vulnerability
Compromise could be considered an impediment to achievement of mission
12
Significance
Security DOES map to process improvement activities that are defined and in place without major distortion
Need to integrate the security practices with the Maturity Model Practices
– Example: Configuration Management Processes need to include security configuration information and patch management
13
Significance
Security can be an integrated process
Use of existing process improvement frameworks facilitates that integration
Result: Organizations follow good security practices without knowing it!
14
A Caveat
Do not rush out and say:
– Because we are a CMMI Level X, we routinely work at Common Criteria Evaluation Assurance Level Y
– There are security extensions that have to be incorporated.
– A good organizational process helps, but needs adaptation.
15
Conclusion
Existing Maturity Model Process Areas accommodate all assurance requirements as defined in the Common Criteria
Best practices for security could easily be extended into an organization’s maturity model framework
Mitigate risk, reduce security cost, improve discipline integration
Make security a defined, repeatable activity.