Introduction to Security Engineering
and SSE-CMM
(A Three Day Workshop)
Workshop
Overview
Creating a CMM for security, in the form of the SSE-CMM, began as an NSA-sponsored
effort in 1993. The initial work surveyed existing capability maturity models
and investigated whether a specialized CMM was needed to address security
engineering. Over the last 12 years the model has been developed through the
contributions of over 50 organizations, by a consensus process, and has been
published as an ISO standard (ISO/IEC 21827).
The objective of this exercise was to create a distinct model that advances
security engineering as a defined, mature and measurable discipline.
The prevailing approach used by most organizations today is to build new
solutions based on functional requirements; security invariably comes afterwards.
Unfortunately, security cannot be separated from the design process if customers
want to minimize potentially painful trade-offs among functionality, cost,
schedule, and security. This flawed "build then evaluate" approach has led to a
perception that a secure solution is not a functional solution, and many believe
that security and functionality inevitably result in an "either-or" situation.
Systems security engineering has demonstrated that security does not have to
compromise functionality. When the inevitable conflict arises between a
functional requirement and a security requirement, more efficient decisions can
be made while the solution is being designed rather than after it is already built.
Security is a serious customer concern and, if present trends continue, it
will become much worse in the future and may eventually drive companies that do
not address it now out of the market. There are obviously no silver bullets that
solve the problem of software security. It is a long-term, multifaceted problem
that requires multiple solutions and the application of resources throughout the
development lifecycle. Improving software security and safeguarding the IT
infrastructure is an education issue, which needs to be addressed by training in
secure software development. It is a skill and process issue, which requires
trained and skilled security engineers, security analysts and security architects
on software projects. It is also a requirements issue for customers, whose
security requirements need to be addressed alongside their functional requirements.
Using the SSE-CMM model will help organizations build security-engineering
processes into their SDLC. Ensuring security is an ongoing process that requires
continuous threat analysis, security improvement and security evaluation. In order
to have a meaningful long-term impact, security must be at the heart of the
software specification, design, implementation and testing process.
What is SSE-CMM?
The Systems Security Engineering Capability Maturity Model (SSE-CMM)
describes the essential characteristics of an organization's security
engineering processes.
The model and its appraisal methodology provide a standard metric for security
engineering practices covering the following:
- The entire life cycle, including development, maintenance and
decommissioning activities
- The whole organization, including management, organizational, and
engineering activities
- Concurrent interactions with other disciplines such as system, software,
hardware, human factors, and test engineering; system management, operation,
and maintenance
- Interaction with other organizations, including acquisition, system
management, certification, accreditation, and evaluation
The SSE-CMM model addresses security-engineering activities that span the
entire trusted product or secure system life cycle, including concept
definition, requirements analysis, design, development, integration,
installation, operation, maintenance, and decommissioning.
It applies to secure product developers, secure system developers and
integrators, and organizations that provide security services and security
engineering solutions. It also applies to all types and sizes of security
engineering organizations, whether commercial, government, or academic.
The objective of the SSE-CMM Project is to advance security engineering as a
defined, mature and measurable discipline. The model and its appraisal methods enable:
- Focused investments in security engineering tools, training, process
definition, management practices, and improvement by engineering groups
- Capability-based assurance, that is, trustworthiness based on confidence in
the maturity of an engineering group's security practices and processes
- Selection of appropriately qualified providers of security engineering, by
differentiating bidders by capability level and the associated programmatic risks
The need for SSE-CMM
Both customers and suppliers are interested in improving the development of
security products, systems, and services. The field of security engineering has
several generally accepted principles, but it currently lacks a comprehensive
framework for evaluating security-engineering practices. The SSE-CMM, by
defining such a framework, provides a way to measure and improve performance in
the application of security engineering principles. Security engineering is a
distinct discipline that requires its own knowledge, skills, and processes, which
warrants a distinct CMM for security engineering.
The SSE-CMM applies to a wide variety of organizations that practice security
engineering in the development of computer programs, operating system software,
security management and enforcement functions, and the middleware of application
programs. Product developers, service providers, system integrators, system
administrators, and security specialists therefore all require appropriate methods
and practices. Some of these organizations deal with high-level issues (e.g.,
operational use or system architecture), others focus on low-level issues (e.g.,
mechanism selection or design), and some do both. Organizations may also
specialize in a particular type of technology or in a specialized context.
Benefits of SSE-CMM
The benefits of the SSE-CMM are varied and apply across different types of
organizations. They are summarized as follows:
- Engineering Organizations
Engineering organizations include system integrators, application developers,
product vendors, and service providers. Benefits of the SSE-CMM to these
organizations include:
- Savings from less rework, through repeatable, predictable processes and practices
- Credit for true capability to perform, particularly in source selections
- Focus on measured organizational competency (maturity) and improvements
- Acquiring Organizations
Acquirers include organizations acquiring systems, products, and services from
external or internal sources, and end users. Benefits of the SSE-CMM to these
organizations include:
- Reusable standard Request for Proposal language and evaluation means
- Reduced risks (performance, cost, schedule) of choosing an unqualified bidder
- Fewer protests, due to uniform assessments based on an industry standard
- Predictable, repeatable level of confidence in a product or service
- Evaluation Organizations
Evaluation organizations include system certifiers, system accreditors, product
evaluators, and product assessors. Benefits of the SSE-CMM to these
organizations include:
- Reusable process appraisal results, independent of system or product changes
- Confidence in security engineering and its integration with other disciplines
- Capability-based confidence in evidence, reducing the security evaluation workload
Workshop Objectives
After completion of this 3-day workshop, the participants should be able to:
- Understand the basic concepts, principles, practices, processes and
terminology that form part of the discipline of security engineering, and how it
interacts with other engineering disciplines in resolving security problems
- Communicate the benefits of process improvement as they relate to security
engineering and system security
- Describe how capability maturity models support process improvement
initiatives and security engineering
- Demonstrate knowledge of the architecture of the SSE-CMM by effectively
utilizing the model
- Apply and implement security engineering process areas in organizations and projects
- Use the SSE-CMM on systems security engineering projects to achieve
measurable improvements based on specific goals and objectives
Course Provider
The course will be run by a Certified Instructor from MBT.
MBT is a leading India-based global IT solutions provider. As a proven leader in
application outsourcing and offshoring of business-critical applications, MBT
enables its clients to protect their investment in legacy systems, enhance
capital budgets, reduce operating expenses and build solutions for the
multi-services future.
MBT is a corporate member of the International Systems Security Engineering
Association (ISSEA) and an ISSEA-authorized training provider for the SSE-CMM.
MBT is a BS 7799 (ISO 17799) (Information Security Management Framework)
compliant organization.
Workshop Andragogy
Courseware Coverage
The workshop is designed and developed by senior consultants acclaimed within
the industry, who have been mentors and change leaders in reputed organizations
and have experience of teaching and mentoring several hundred security
professionals. The courseware is up to date and linked to the latest industry
trends and practices in the security engineering domain.
Workshop Delivery
The workshop is a mix of presentations of concepts, examples and exercises
designed to enable participants to learn by doing. The courseware consists of
textual material, examples, and class exercises.
Pace
While this accelerated approach imparts sufficient knowledge of the concepts, it
also provides hands-on exposure and ample opportunity to interact with the class
and with peers from industry.
Workshop Contents
Introduction to Security Engineering and the SSE-CMM
The three-day course provides a fundamental understanding of security
engineering and the Systems Security Engineering Capability Maturity Model. The
class is a combination of lecture, case studies, and in-class exercises.
Participants learn how to use the model to evaluate and improve system security
practices, evaluate a security provider's capability, and establish a level of
assurance based on organizational capability-based confidence.
Topics covered
- Basic understanding of security engineering as a discipline
- Process improvement and the Capability Maturity Model
- Benefits of mature security engineering practices
- SSE-CMM model architecture
- Methods of applying the model to organizations and projects
- Relationship to other CMMs and quality frameworks
What to bring to class?
A laptop computer with:
- Microsoft® Office tools such as Excel®, PowerPoint® and Word®
- CD-ROM drive
What do you get?
- A brief overview of the SSE-CMM and of how it goes hand in hand with the SDLC
- The opportunity to learn from and interact with peers in industry
- A hard copy of the courseware, examples, mini-cases, class exercises and solutions
Who should attend?
The target audience for this course is project and program managers in software
design and development, quality professionals, testing professionals and
security professionals who may not have any previous background in the SSE-CMM,
and people who have responsibilities and/or an interest in the following areas:
- Information Security
- System Integration
- Secure System/Product
Design
- Product Evaluation
- Application Development
- Acquisition
- System Certification/Accreditation
"QAI and MBT partnership is a joint initiative to enhance the competitiveness
of the Indian Industry in the field of Systems Security Engineering.
As the first providers of SSE CMM training in India, QAI-MBT Team
offers Indian Industry a unique blend of Knowledge base and hands-on
Experience."