welcome back to CyberRays is. Of course, I'm your instructor, Brad Roads.
So this lesson is the system security engineering capability, maturity model or the S S E C M m.
So, in this lesson, we're gonna talk about why do we have this? We're gonna talk about the levels, and we're gonna talk about who does system security engineering work. Um, so the s s e c mm construct. And the fact that there's a maturity model for system security engineering should not surprise anyone. We,
as a community of system security engineers, is he sees right who
hopefully hold the ISS of concentration. Right? This gives us a framework toe work through when we look at our organizations and assess them to see if we're actually doing the right things.
So why do we see Why do we need s sec? Mm. Why do we need our own capability? Maturity model? Well, the laundry list of things could go on mawr than the fourth of the five things listed on this line
systems, air growing mawr and more interconnected.
We can now put crock pots and refrigerators and, um, dishwashers onto the internet. So if you don't think we need this. I say, look at all of the devices in your home that you maybe connect to the internet. That might be suspect.
unfortunately, today we're still seeing systems and software come into the marketplace. Products, capabilities, functions, services, etcetera. Right, that don't start out with security built in. Why? And we've talked about this previously.
We don't do a very good job off instructing people, especially the software side of the house. How did you secure coding?
We forgot about the fact that we have the system development lifecycle on that we have to work through these processes in a deliberative manner so that we are building security and as early as possible, as opposed to bolting it on afterwards. Our systems are incredibly complex.
Um, and and they also rely specifically on, uh, software, right, That reliance on software software right now right is changed the way the world works, right? Um, and it really started at the beginning of the Internet revolution in the open source revolution in the 19 nineties, but it is even more so prevalent today.
How much of your smartphones
rely specifically on the way the applications are written? right. You are dependent upon software every single minute of your day, whether you realize it or not. And that's why we've gotta have a capability maturity model.
And then, of course, right. Operation Maintenance. Right. Um, if we haven't done security integration upfront if we didn't start at the beginning and building security from the very, very beginning of our systems design and requirements, right, and then we try to add security at the end, Right? What do we do if you were to draw the chart, right,
the when you get to operations and maintenance and you have to fix something from a security perspective, you've tripled. Quadrupled, Uh, five temple. Whatever the word. Is there your cost to fix those systems?
So there's five levels to the the SSC capability maturity model. We have level one, which is informal level to plant track level three were well defined before we have quantitative controls and level five were doing continuously improving or continuous monitoring. Right? We've talked about this before.
Hopefully, they're all sort of things you started to clue in on in terms of what we're seeing in the use of content.
Um, so really, we started level one. That's our starting point
in level two. That's where we begin to do those basic assessments in Level three, which is where many organizations reside and they have standards and and that's super important. If you don't have standards, you're not gonna be able to implement things consistently when we get to quantitative controls, which is the next step up. We have measurable controls in place, things that we can actually truly assess
to ensure that those security controls or whatever the case may be.
Eyes actually mature enough toe work. And then, of course, when we get to continuous improvement, now we're looking at How effective are we not just do we have measurable standards?
Who does a system security engineer?
Um, the laundry list is right there. It's everybody from developers to consultants to you, to me, to program managers, project managers. Just about anybody can be in this chain. Azzawi. Look at the nice diagram on the left there, and we go through this and remember those were tied to our processes right? We know that it
in the conceptual phases of things in the development phase of things,
there's lots of people with their hands in the cookie jar. When we get to production, right? That's a totally different set of things. Utilization, support, retirement, right? We each of these folks on the right has a different thing to do in each of those areas. Um And why? Because our systems today are so very complex that if we don't do
system security engineering across those phases as defined on the left hand side of the screen there,
then we never get to a mature point with our organizations or our system security engineering. Hence the need and the reason we have a capability maturity model. You definitely want to read up on that. You can find that online, and that's actually also in our references list for this course.
So in this lesson, what do we look at? We looked at, Why do we need ah system security engineering capability, maturity model? We talked about the five levels from the starting point right all the way up to the most advanced what we're doing. Continuous improvement. Now we talked about the fact that there's lots of people that do system security engineering. They may not realize that they do
or Maybe they do realize that they do, but there's a lot of people that do it.
It's important as an ISI that we can interact successfully with all of them.