
Copyright © EWA IIT, Inc. June 17, 2002 © 2002  IIT, Inc. EWA Information & Infrastructure Technologies, Inc. 3 FOR OFFICIAL USE ONLY June 17, 2002 ©


1 ISO 21827 System Security Engineering Capability Maturity Model
Presented By John W. Lindquist, Founding Member of the HIPAA Alliance, LLC and President and CEO, EWA Information & Infrastructure Technologies, Inc., 13873 Park Center Rd., Ste. 200, Herndon VA 20171, 703 478 7600
6th Annual HIPAA Summit, Session 5.06: On-Going HIPAA Compliance: Securing Tracked Data - March 28, 2003

2 Problem
How does management establish and track an information security program when:
– Risks are real
– Risks are nearly infinite
– The information environment is highly dynamic
– Resources are finite

3 The Need to Protect
Information assets against damage and unauthorized disclosure is critical to your organization.
[Chart: percentage breakdown by incident type. Categories shown: Laptop Theft, Virus, Insider Abuse of Net, Telecomm Fraud, Financial Fraud, System Penetration, Theft of Proprietary Info, Unauthorized Insider, Sabotage, Denial of Service, Telecom Eavesdrop, Active Wiretap]

4 Information Assurance
Technology alone won’t make you safe.
“Get rid of the techno-babble. This is a management problem.” Steve Katz, CISO, Citibank
Solutions Must Address:
– People
– Process
– Technology

5 Process Maturity and the Risk Management Cost Continuum
[Chart: cost ($) against SSE-CMM Process Maturity Level, Level 0 to Level 5. Two curves: Cost of Not Securing and Cost of Securing. Labelled regions: Security Aversion (Ostrich), Risk Aversion (Paranoia), and between them Risk Management Decisions (Acceptance, Mitigation, Transference, Avoidance), i.e. focused investment in IT Security]

6 SYSTEM SECURITY ENGINEERING CAPABILITY MATURITY MODEL
SSE-CMM is both a Model and a Process
A Community-owned Model (50 companies / agencies led by the US National Security Agency (NSA) and Canadian Communications Security Establishment (CSE))
Model Presents Security Engineering as a Defined, Mature and Measurable Discipline
Model and Appraisal Method Enable:
– Capability-based assurance, i.e. security/trustworthiness inferred from the maturity of processes
– Focused investment in security engineering tools, training, process definition, management practices and improvements based on risk assessment and available resources
– Qualifying vendors, suppliers, and organizations connecting to a system

7 CAPABILITY LEVELS
1 Performed Informally
2 Planned & Tracked
3 Well Defined
4 Quantitatively Controlled
5 Continuously Improving

8 Baseline, Minimum & Target Profile
[Chart: Maturity Level (0 to 5) plotted for each Process Area, PA01 through PA21 (PA04 split into PA04a and PA04b), showing the baseline, minimum and target profiles]

9 System Security Process Areas
PA 01 Specify Security Needs
PA 02 Provide Security Input
PA 03 Verify and Validate Security
PA 04a Threat Assessment
PA 04b Impact Assessment
PA 05 Assess Security Risk
PA 06 Build Assurance Argument
PA 07 Monitor System Security Posture
PA 08 Administer Security Controls
PA 09 Coordinate Security
PA 10 Vulnerability Assessment
PA 11 Ensure Quality
PA 12 Manage Configurations
PA 13 Manage Program Risk
PA 14 Monitor and Control Technical Effort
PA 15 Plan Technical Effort
PA 16 Define Organization's Security Engineering Process
PA 17 Improve Organization's Security Engineering Processes
PA 18 Manage Security Product Line Evolution
PA 19 Manage Security Engineering Support Environment
PA 20 Provide Ongoing Skills and Knowledge
PA 21 Coordinate With Suppliers

10 SSE-CMM Usage Scenarios
– Security Assessment: Information Operations
– SW Vendor Services / HW Vendor
– Trust Relationships: Business Partners / other units
– Qualified Suppliers
– Operational Information Assurance: ITS Business Processes / Military Information Systems
Applies to all system types and all classification levels

11 Summary
– Can’t Protect Everything All The Time
– The Dynamic Environment Requires a Flexible Response
– Effective Information Assurance Must Address People, Process and Technology
– Information Assurance is Risk Management, not Risk Avoidance (There is No Silver Bullet)
– The SSE-CMM is an IA Tool Developed in Consideration of the Above

