Information Security Frameworks: CMMI

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
The last of our frameworks is going to be the CMMI. Now, the CMMI stands for Capability Maturity Model Integrated. We're going to talk about what it is and its purpose, and ultimately how we can use the CMMI for gap analysis to close the gap of where we are versus where we want to be. Essentially, that's done through CMMI's use of five maturity levels.

If we talk about the CMMI, again, Capability Maturity Model, this comes to us from the Software Engineering Institute, from the good folks at Carnegie Mellon. They have set out a standard that essentially says, if you have a mature process, you will yield a quality product. The results can often be indicated by the steps in the process. The more mature your processes are, the better your product will be. That's what it is, and it has served as a guideline for software development throughout the years.

Now, it also can be used to determine an organization's security posture and their approach to security. For instance, many organizations may operate at being compliant with level one, which is initial. A customer may say, "No, we're only going to do business with you if you're a level 3 or higher." The idea once again is that customers or some form of external driver usually dictates what our end result is, where we want to be in the scheme of things. Like for government entities, a lot of government agencies can only do business with organizations that are defined as 3.0 or higher, or if you learn to work with a financial institution.

Ultimately, what we would do is, just like we've seen with gap analysis, get an assessment of where we currently are. What are our assets? How are they protected? Do we have the capabilities to not just protect, but to respond to breaches? Where do we stand in relation to our security posture? That's the current state. Then we look at where the customer wants us to be; like I said, that may be defined at 3.0, or optimized at 5.0, whatever that is, and how do we close the gaps? Here's where we are, here's where we need to be. What do we do to bring current state in alignment with desired state?

Now, you can see layer or level one is very low in security posture. We don't have a lot of well-defined processes, we're not staffed appropriately, we don't really have anything formalized, all the way up to level five, which is optimized. When we look at optimized, this is focused on continual improvement. We can always make the process better, and how? By having an in-depth understanding of how the process impacts the product, how to be more efficient and more quality driven.

Now, 3.0 is in the middle. Even though this may not sound very good, like "some roles established," "minimal verification," there seem to be some drawbacks in the description. It's actually a pretty rigorous process to go from a level one to a level three. There's a lot of documentation, a lot of change in the structure of the organization. A customer may require that we be adherent to CMMI level three or five or whatever they desire. It's not an easy process; it's time-consuming and it costs money. Ultimately, I'm going to look at what level the customer requires, and I'm actually not going to exceed that. For instance, if a customer wants me at level three, I'm usually not going to overshoot and go to level five just because of the cost and expense. I look at where I am, I look at where the customer wants me to be, I look at the details and figure out how to close that gap.

That's the CMMI. It's again based on process. Get a mature process in place and you'll provide a secure environment. Use those levels to figure out what your desired state is. We already should know what we currently have as far as security posture goes. Figure out how to close the gap. As we're going to see in our next section, again, the answer to "how do I close the gap?" is through my security program.