Systems Security Engineering Capability Maturity Model


Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary's ISSEP course. I'm your instructor, Brad Rhodes. This lesson is the System Security Engineering Capability Maturity Model, or the SSE-CMM. In this lesson we're going to talk about why we have this, we're going to talk about the levels, and we're going to talk about who does system security engineering work. The SSE-CMM construct, and the fact that there's a maturity model for system security engineering, should not surprise anyone. For us, as a community of system security engineers, as ISSEs who hopefully hold the ISO concentration, this gives us a framework to work through when we look at our organizations and assess them to see if we're actually doing the right things.
00:00
Why did we need the SSE-CMM? Why do we need our own capability maturity model? Well, the laundry list of things could go on for more than the five things listed on this line.
00:00
Systems are growing more and more interconnected. We can now put crock-pots and refrigerators and dishwashers onto the Internet. If you don't think we need this, I say look at all of the devices in your home that may be connected to the Internet that might be suspect. Unfortunately, today, we're still seeing systems and software come into the marketplace, products, capabilities, functions, services, etc., that don't start out with security built in. Why? We've talked about this previously. We don't do a very good job of instructing people, especially on the software side, in how to do secure coding. We've forgotten about the fact that we have the system development life cycle. We have to work through these processes in a deliberative manner so that we are building security in as early as possible, as opposed to bolting it on afterwards.
00:00
Our systems are incredibly complex, and they also rely specifically on software. That reliance on software: software right now has changed the way the world works. It really started at the beginning of the Internet revolution and the open-source revolution in the 1990s, but it is even more prevalent today. How much of your smartphone relies specifically on the way the applications are written? You're dependent upon software every single minute of your day, whether you realize it or not. That's why we've got to have a capability maturity model.
00:00
Then of course there's operation and maintenance. If we haven't done security integration up front, if we didn't start at the beginning and build security in from the very beginning of our systems design and requirements, and then we tried to add security at the end, what do we do? If you were to draw the chart, when you get to operations and maintenance and you have to fix something from a security perspective, you've tripled, quadrupled, five-tupled, whatever the word is there, your cost to fix those systems.
00:00
There are five levels to the SSE capability maturity model. We have level 1, which is informal. Level 2, planned and tracked. Level 3, well-defined. Level 4, we have quantitative controls. Level 5, we're doing continuous improvement, or continuous monitoring. We've talked about this before. Hopefully these are all things you're starting to clue in on in terms of what we're seeing in the ISSEP content. Really, we start at level 1. That's our starting point. In level 2, that's where we begin to do those basic assessments. Level 3 is where many organizations reside, and they have standards. That's super important. If you don't have standards, you're not going to be able to implement things consistently. When we get to quantitative controls, which is the next step up, we have measurable controls in place, things that we can actually, truly assess to ensure that those security controls, or whatever the case may be, are actually mature enough to work. Then of course, when we get to continuous improvement, now we're looking at how effective we are, not just whether we have measurable standards.
00:00
Who does system security engineering? The laundry list is right there. It's everybody from developers to consultants, to you, to me, to program managers, project managers. Just about anybody can be in this chain. As we look at this diagram on the left there, and we go through this and remember those are tied to our processes, we know that in the conceptual phases of things, in the development phase of things, there are lots of people with their hands in the cookie jar. When we get to production, that's a totally different set of things: utilization, support, and retirement. Each of these folks on the right has a different thing to do in each of those areas. Why? Because our systems today are so very complex that if we don't do system security engineering across those phases as defined on the left-hand side of the screen there, then we never get to a mature point with our organizations or our system security engineering; hence the need, and the reason we have a capability maturity model. You definitely want to read up on that. You can find that online, and it's actually also in our references list for this course.
00:00
In this lesson, what did we look at? We looked at why we need a System Security Engineering Capability Maturity Model. We talked about the five levels, from the starting point all the way up to the most advanced, where we're doing continuous improvement. Now we've talked about the fact that there are lots of people that do system security engineering. They may not realize that they do, or maybe they do realize that they do. But there are a lot of people that do it, and it's important, as an SE, that we can interact successfully with all of them.