1、 Reference number ISO/IEC 21827:2008(E) ISO/IEC 2008INTERNATIONAL STANDARD ISO/IEC 21827 Second edition 2008-10-15 Information technology Security techniques Systems Security Engineering Capability Maturity Model (SSE-CMM) Technologies de linformation Techniques de scurit Ingnierie de scurit systme
2、Modle de maturit de capacit (SSE-CMM) ISO/IEC 21827:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the
3、 computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to
4、 create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please infor
5、m the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, with
6、out permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2008 All
7、 rights reservedISO/IEC 21827:2008(E) ISO/IEC 2008 All rights reserved iii Contents Page Foreword. v 0 Introduction vi 1 Scope . 1 2 Normative references . 1 3 Terms and definitions. 2 4 Background . 6 4.1 Reason for Development . 7 4.2 The Importance of Security Engineering 7 4.3 Consensus. 7 5 Str
8、ucture of the Document 8 6 Model Architecture . 8 6.1 Security Engineering 8 6.2 Security Engineering Process Overview 11 6.3 SSE-CMM Architecture Description .14 6.4 Summary Chart . 22 7 Security Base Practices . 23 7.1 PA01 Administer Security Controls 24 7.2 PA02 - Assess Impact. 28 7.3 PA03 - As
9、sess Security Risk . 32 7.4 PA04 - Assess Threat . 36 7.5 PA05 - Assess Vulnerability 39 7.6 PA06 - Build Assurance Argument . 43 7.7 PA07 - Coordinate Security . 46 7.8 PA08 - Monitor Security Posture. 49 7.9 PA09 - Provide Security Input . 54 7.10 PA10 - Specify Security Needs 59 7.11 PA11 - Verif
10、y and Validate Security 63 Annex A (normative) Generic Practices. 67 Annex B (normative) Project and Organizational Base Practices. 68 B.1 General. 68 B.2 General Security Considerations 68 B.3 PA12 - Ensure Quality 69 B.4 PA13 - Manage Configurations 74 B.5 PA14 - Manage Project Risks 78 B.6 PA15 -
11、 Monitor and Control Technical Effort. 82 B.7 PA16 - Plan Technical Effort 86 B.8 PA17 - Define Organizations Systems Engineering Process 92 B.9 PA18 - Improve Organizations Systems Engineering Processes. 96 B.10 PA19 - Manage Product Line Evolution99 B.11 PA20 - Manage Systems Engineering Support E
12、nvironment. 102 B.12 PA21 - Provide Ongoing Skills and Knowledge 106 B.13 PA22 - Coordinate with Suppliers . 112 Annex C (informative) Capability Maturity Model Concepts 117 C.1 General. 117 C.2 Process Improvement 117 C.3 Expected Results 118 ISO/IEC 21827:2008(E) iv ISO/IEC 2008 All rights reserve
13、dC.4 Common Misunderstandings. 118 C.5 Key Concepts 120 Annex D (informative) Generic Practices . 124 D.1 General . 124 D.2 Capability Level 1 - Performed Informally 125 D.3 Capability Level 2 - Planned and Tracked 126 D.4 Capability Level 3 - Well Defined. 132 D.5 Capability Level 4 - Quantitativel
14、y Controlled 137 D.6 Capability Level 5 - Continuously Improving. 139 Bibliography . 142 ISO/IEC 21827:2008(E) ISO/IEC 2008 All rights reserved v Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for
15、worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collabora
16、te in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are
17、 drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an
18、International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent righ
19、ts. ISO/IEC 21827 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. In addition, alignment is being maintained with the publicly available System Security Engineering - Capability Maturity Model 1)(SSE-CMM) Version 3, publish
20、ed by the International Systems Security Engineering Association (ISSEA) as a Publicly Available Specification. This second edition cancels and replaces the first edition (ISO/IEC 21827:2002), which has been technically revised. SSE-CMM includes excerpts from “A Systems Engineering Capability Maturi
21、ty Model (SE-CMM), Version 1.1”, CMU/SEI95-MM-003, Copyright 1995 by Carnegie Mellon University. SE-CMM is a collaborative effort of Hughes Space and Communications, Hughes Telecommunications and Space, Lockheed Martin, Software Engineering Institute, Software Productivity Consortium, and Texas Inst
22、ruments Incorporated. Neither Carnegie Mellon University nor the Software Engineering Institute directly or indirectly endorse SSE-CMM or ISO/IEC 21827. 1) CMM and Capability Maturity Model are Service Marks of Carnegie Mellon University NOT-FOR-PROFIT CORPORATION PENNSYLVANIA, 5000 Forbes Avenue, P
23、ittsburgh, PA 15213, USA. ISO/IEC 21827:2008(E) vi ISO/IEC 2008 All rights reserved0 Introduction 0.1 General A wide variety of organizations practice security engineering in the development of computer programs, whether as operating systems software, security managing and enforcing functions, softw
24、are, middleware or applications programs. Appropriate methods and practices are therefore required by product developers, service providers, system integrators, system administrators, and even security specialists. Some of these organizations deal with high-level issues (e.g., ones dealing with oper
25、ational use or system architecture), others focus on low-level issues (e.g., mechanism selection or design), and some do both. Organizations may specialize in a particular type of technology or a specialized context (e.g., at sea). The SSE-CMM is designed for all these organizations. Use of the SSE-
26、CMM should not imply that one focus is better than another or that any of these uses are required. An organizations business focus need not be biased by use of the SSE-CMM. Based on the focus of the organization, some, but not all, of the security engineering practices defined will apply. In additio
27、n, the organization may need to look at relationships between different practices within the model to determine their applicability. The examples below illustrate ways in which the SSE-CMM may be applied to software, systems, facilities development and operation by a variety of different organizatio
28、ns. This International Standard has a relationship to ISO/IEC 15504, particularly ISO/IEC 15504-2, as both are concerned with process improvement and capability maturity assessment. However, ISO/IEC 15504 is specifically focused on software processes, whereas the SSE-CMM is focused on security. This
29、 International Standard has a closer relationship with the new versions of ISO/IEC 15504, particularly ISO/IEC 15504-2, and is compatible with its approaches and requirements. Security service providers To measure the process capability of an organization that performs risk assessments, several grou
30、ps of practices come into play. During system development or integration, one would need to assess the organization with regard to its ability to determine and analyze security vulnerabilities and assess the operational impacts. In the operational case, one would need to assess the organization with
31、 regard to its ability to monitor the security posture of the system, identify and analyze security vulnerabilities and threats, and assess the operational impacts. Countermeasure developers In the case of a group that focuses on the development of countermeasures, the process capability of an organ
32、ization would be characterized by a combination of SSE-CMM practices. The model contains practices to address determining and analyzing security vulnerabilities, assessing operational impacts, and providing input and guidance to other groups involved (such as a software group). The group that provid
33、es the service of developing countermeasures needs to understand the relationships between these practices. Product developers The SSE-CMM includes practices that focus on gaining an understanding of the customers security needs. Interaction with the customer is required to ascertain them. In the ca
34、se of a product, the customer is generic as the product is developed a priori independent of a specific customer. When this is the case, the product marketing group or another group can be used as the hypothetical customer, if one is required. ISO/IEC 21827:2008(E) ISO/IEC 2008 All rights reserved v
35、ii Practitioners in security engineering recognize that the product contexts and the methods used to accomplish product development are as varied as the products themselves. However, there are some issues related to product and project context that are known to have an impact on the way products are
36、 conceived, produced, delivered and maintained. The following issues in particular have significance for the SSE-CMM: type of customer base (products, systems, or services); assurance requirements (high vs. low); and support for both development and operational organizations. The differences between
37、 two diverse customer bases, differing degrees of assurance requirements, and the impacts of each of these differences in the SSE-CMM are discussed below. These are provided as an example of how an organization or industry segment might determine appropriate use of the SSE-CMM in their environment.
38、Specific industry segments Every industry reflects its own particular culture, terminology and communication style. By minimizing the role dependencies and organization structure implications, it is anticipated that the SSE-CMM concepts can be easily translated by all industry segments into their ow
39、n language and culture. 0.2 How should the SSE-CMM be used? The SSE-CMM and the method for applying the model (i.e., appraisal method) are intended to be used as a: tool for engineering organizations to evaluate their security engineering practices and define improvements; method by which security e
40、ngineering evaluation organizations such as certifiers and evaluators can establish confidence in the organizational capability as one input to system or product security assurance; and standard mechanism for customers to evaluate a providers security engineering capability. The scope of the assessm
41、ent should be defined by the assessment organization and discussed with the assessor, if applicable. The appraisal techniques can be used in applying the model for self improvement and in selecting suppliers, if the users of the model and appraisal methods thoroughly understand the proper applicatio
42、n of the model and its inherent limitations. Additional information on using process assessment can be found in ISO/IEC 15504-4, Information technology Process assessment Part 4: Guidance on use for process improvement and process capability determination. 0.3 Benefits of using the SSE-CMM The trend
43、 for security is a shift from protecting classified government data to a broader spectrum of concerns including financial transactions, contractual agreements, personal information and the Internet. A corresponding proliferation of products, systems and services that maintain and protect information
44、 has emerged. These security products and systems typically come to market in one of two ways: through lengthy and expensive evaluation or without evaluation. In the former case, trusted products often reach the market long after their features are needed and secure systems are being deployed that n
45、o longer address current threats. In the latter case, acquirers and users must rely solely on the security claims of the product or system developer or operator. Further, security engineering services traditionally were often marketed on this caveat emptor basis. ISO/IEC 21827:2008(E) viii ISO/IEC 2
46、008 All rights reservedThis situation calls for organizations to practice security engineering in a more mature manner. Specifically, the following qualities are needed in the production and operation of secure systems and trusted products: continuity - knowledge acquired in previous efforts is used
47、 in future efforts; repeatability - a way to ensure that projects can repeat a successful effort; efficiency - a way to help both developers and evaluators work more efficiently; and assurance - confidence that security needs are being addressed. To provide for these requirements, a mechanism is nee
48、ded to guide organizations in understanding and improving their security engineering practices. To address these needs, the SSE-CMM is being developed to advance the state of the practice of security engineering with the goal of improving the quality and availability of and reducing the cost of deli
49、vering secure systems, trusted products and security engineering services. In particular, the following benefits are envisioned. To engineering organizations: Engineering organizations include System Integrators, Application Developers, Product Vendors and Service Providers. Benefits of the SSE-CMM to these organizations include: savings with less rework from repeatable, predictable processes and practices; credit for true capability to perform, particularly in source selections;
