Systems Security Engineering Capability Maturity Model

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Sign up with Google
Sign up with Apple
Sign up with Microsoft
View all SSO options

Already have an account? Sign In »

Information Systems Security Engineering Professional (ISSEP)
Course
Difficulty
Intermediate
Video Transcription
00:00
>> Welcome back to Cybaries ISSEP course.
00:00
I'm your Instructor, Brad Rhodes.
00:00
This lesson is the System Security
00:00
Engineering Capability Maturity Model
00:00
or the SSE-CMM.
00:00
In this lesson we're going to
00:00
talk about why do we have this?
00:00
We're going to talk about
00:00
the levels and we're going to talk about
00:00
who does system security engineering work.
00:00
The SSE-CMM construct and the fact that there's
00:00
a maturity model for system security engineering
00:00
should not surprise anyone.
00:00
We, as a community of
00:00
system security engineers as ISSEs
00:00
who hopefully hold the ISO concentration,
00:00
this gives us a framework to work through when we look at
00:00
our organizations and assess them to see if we're
00:00
actually doing the right things.
00:00
Why did we need SSE-CMM?
00:00
Why do we need our own capability maturity model?
00:00
Well, the laundry list of things
00:00
could go on more than
00:00
the five things listed on this line.
00:00
Systems are growing more and more interconnected.
00:00
We can now put crock-pots and refrigerators
00:00
and dishwashers onto the Internet.
00:00
If you don think we need this,
00:00
I say look at all of the devices in your home that
00:00
you may be connected to
00:00
the Internet that might be suspect.
00:00
Unfortunately, today, we're still
00:00
seeing systems and software come into the marketplace,
00:00
products, capabilities, functions, services, etc.
00:00
that don't start out with security built-in.
00:00
Why? We've talked about this previously.
00:00
We don't do a very good job of instructing people,
00:00
especially in the software side of the
00:00
how else do you secure coding?
00:00
We've forgotten about the fact that we
00:00
have the system development life cycle.
00:00
Then we have to work through these processes
00:00
in a deliberative manner so that we
00:00
are building security and as early as
00:00
possible as opposed to bolting it on afterwards.
00:00
Our systems are incredibly complex,
00:00
and they also rely specifically on software.
00:00
That reliance on software.
00:00
Software right now, is changed the way the world works.
00:00
It really started at the beginning of
00:00
the Internet revolution and
00:00
the open-source revolution in the 1990s,
00:00
but it is even more so prevalent today.
00:00
How much of your smartphones
00:00
rely specifically on the way
00:00
the applications are written.
00:00
You're dependent upon software
00:00
every single minute of your day,
00:00
whether you realize it or not.
00:00
That's why we've got to have a capability maturity model.
00:00
Then of course operation and maintenance.
00:00
If we haven't done security integration up front,
00:00
if we didn't start at the beginning
00:00
and built-in security from
00:00
the very beginning of
00:00
our systems design and requirements,
00:00
and then we tried to add security at the end,
00:00
what do we do if you were to draw the chart?
00:00
When you get to operations and maintenance and
00:00
you have to fix something from a security perspective,
00:00
you've tripled quadrupled, five tuple,
00:00
whatever the word is there, your cost
00:00
to fix those systems.
00:00
There's five levels to the SSC capability maturity model.
00:00
We have level 1, which is informal.
00:00
Level 2, planned and tracked.
00:00
Level 3, well-defined.
00:00
Level 4 we have quantitative controls.
00:00
Level 5, we're doing
00:00
continuously improving or continuous monitoring.
00:00
We've talked about this before.
00:00
Hopefully these are all things you're starting to clue
00:00
in on in terms of what we're seeing in the ISSEP content.
00:00
Really, we start at level 1. That's our starting point.
00:00
In level 2, that's where we
00:00
begin to do those basic assessments.
00:00
In level 3, which is where many organizations
00:00
reside and they have standards. That's super important.
00:00
If you don't have standards, you're not going to be
00:00
able to implement things consistently.
00:00
When we get to quantitative controls,
00:00
which is the next step up, we have
00:00
measurable controls in place,
00:00
things that we can actually truly assess to ensure that
00:00
those security controls or whatever the case may
00:00
be is actually mature enough to work.
00:00
Then of course, when we get to continuous improvement,
00:00
now we're looking at how effective are we,
00:00
not just do we have measurable standards?
00:00
Who does a system security engineer?
00:00
The laundry list is right there.
00:00
It's everybody from developers to consultants,
00:00
to you, to me,
00:00
to program managers, project managers.
00:00
Just about anybody can be in this chain.
00:00
As we look at this diagram on the left there,
00:00
and we go through this and remember
00:00
those are tied to our processes,
00:00
we know that in
00:00
the conceptual phases of
00:00
things in the development phase of things,
00:00
there's lots of people with
00:00
their hands in the cookie jar.
00:00
When we get to production, that's
00:00
a totally different set of things,
00:00
utilization, support and retirement.
00:00
Each of these folks on the right
00:00
has a different thing to do in each of those areas.
00:00
Why? Because our systems today are
00:00
so very complex that if we don't
00:00
do system security engineering across
00:00
those phases as defined
00:00
on the left-hand side of the screen there,
00:00
then we never get to a mature point with
00:00
our organizations or our system security engineering,
00:00
hence, the need, and the reason we
00:00
have a capability maturity model.
00:00
You definitely want to read up on that.
00:00
You can find that online and that's actually
00:00
also in our references list for this course.
00:00
In this lesson, what did we look at?
00:00
We looked at why do we need
00:00
a System Security Engineering Capability Maturity Model.
00:00
We talked about the five levels from
00:00
the starting point all the way up to
00:00
the most advanced where we're doing
00:00
continuous improvement.
00:00
Now we've talked about the fact that there's
00:00
lots of people that do system security engineering.
00:00
They may not realize that they do,
00:00
or maybe they've do realize that they do.
00:00
But there's a lot of people that do it,
00:00
and it's important as an SE,
00:00
that we can interact successfully with all of them.
Up Next
ISSE and SLDC Linkages
Preparing for the ISSEP Exam
Module Summary
View All
Instructed By
Brad Rhodes

Brad Rhodes

Head of Cybersecurity, zvelo & Lieutenant Colonel, Cyber Warfare

Instructor
Similar Content
Certified Information Systems Security Professional (CISSP) 2021
Course
Certified Information Systems Security Professional (CISSP) 2021
4.77
CISSP is the basis of advanced information assurance knowledge for information security professionals. Often referred ...
16CEUs
ISC2 CISSP Practice Test: Certified Information Systems Security Professional
Practice Test
ISC2 CISSP Practice Test: Certified Information Systems Security Professional
4.17
There is a growing need for information security leaders who possess the depth of expertise ...
Penetration Testing and Ethical Hacking
Course
Penetration Testing and Ethical Hacking
4.7
To assess the strength of your organization’s cybersecurity posture, you need to gather information, perform ...
7CEUs