Tuesday, February 24, 2009

Systems Security Engineering [SSE]: The Most Important Process Area of the Capability Maturity Model [CMM]

Figure 1- The security risk process (activity) involves threats, vulnerabilities, and impact (SSE–CMM, p. 48, fig. 3.2).

Systems Security Engineering [SSE]: The Most Important Process Area of the Capability Maturity Model [CMM]

by John M. Kennedy T., MS, ISS


The top management of The Plow of the Sea Inc., has recently made the decision to expand its retail business into the cyberspace by creating an online web-store. As the Security Manager of this corporation, I have the responsibility to develop, implement and monitor a security management program for The Plow of the Sea Inc.'s new e-commerce initiative. As a first step, I wanted to involve all my security engineers in the planning and implementation process. I asked them to review the concepts behind of the SSE – CMM so we can go over it and discussed it on our weekly meeting. I challenged each of them to identify the most appropriate Process Area [PA] for The Plow of the Sea Inc. , and to discuss the rationale behind their individual decisions. As turned out, I was prompted to answer the same mere question by my executive security team. This paper documents my response to this question; as the analysis of the research that I have conducted about this topic and, my reasons that support my PA choice.

1 Introduction

The security engineers identified their PAs and, discussed their views and reasons about their choices during the meeting, they fired me back, not surprisingly though, with the same question. I responded, “I would have picked the PA03 – Assess the Security Risk”, instantaneously they replied to me, uttering: “Why? “How come do you?” “Explain it, can you?” So I answered the following: “In the first place, I have this impression that all of you are right, no matter what your answers were. I sense that, at the end of the day, all PAs must be contemplated, considered and, included in a comprehensive information security management plan; especially, if we want to reach a decent level of assurance for The Plow of the Sea Inc., and its customers. Also, as you have done it, I have put sometime aside for reviewing and reading the SSE-CMM site, as I really was not too familiar at all with this process reference model (SSE–CMM, 2003, p. 1) that is very well recommended by many experts in the industry and utilize by the military institutions for the development and implementation of their web presence. Primarily, we want to use the SSE-CMM for planning the e-commerce and security management program for The Plow of the Sea Inc.”

2 The Process of Choosing a Process Area [PA]

In reality, it took me sometime to figure out which PA from the eleven process areas presented by this model I should choose. More importantly, I was so enticed with the question: Why would I have been so decisive into pick one anyway? So, I stated to my fellows security engineers, that I was not so sure, but based on my research, I was almost completely convinced in that management risks is the main goal of every single security management program (Volonino & Robison, 2003) and, being as such, this only thought is one of the main reasons why I chose at the end the PA03 over the others ten PAs. However, this reason was based, as well, on other apparently more compelling business facts and security requirements.

3 Management Risks Methodology

Why would we want to manage risks in the first place? Volonino & Robison (2003) explained that, “information security is a business problem …” (chap. 5, p. 63) and as stated as a business problem, we are interested in creating ways to increase the chance to make money by keeping the best services for our customers; besides, we are very interested in precluding loss or harm from happening to us and our stakeholders. We are placing emphasis in information security because now The Plow of the Sea Inc.'s business model is facing an entirely new and wild environment based almost entirely on our capacity to protect the sensitivity of the information, its confidentiality, integrity and, availability. We are entering the unknown space of the e-commerce transactions, a space in where Close Circuit Television Cameras [CCTV] and well trained security guards or warriors have not place in it whatsoever, as they would if we were talking or writing about one of The Plow of the Sea Inc.'s physical locations. Computer and Information Systems Security are beyond the tangible and static worldly realms of our past industrial revolution. It is a very dynamic field, almost volatile in nature, as the information is saved nowadays in different types of storage; as for instance, over thumb-drives, SDs, DVDs, memory cache or SRAM.

4 Results

Information Security over the Web is a very complex endeavor and as the statistics show, the numerous threats and exploits, are not getting any better and; each time, are far more dangerous than before. As soon we are worry about which one would be the next blended and compounded attack or, how to effectively patch our operating systems [OS] against them, as soon we find out, (I mean no offense) that lawyers can represent sometimes a far more greater menace than hackers are, for our own business security. As Security Officers, we need to understand that corporations now are not only accountable to enforce security policies, also we are liable and could face fines and evenly prison, for negligence or for the lack of legal observance and compliance (Volonino & Robison, 2003 chap. 1-5). The aforementioned is in part why managing risks have become so crucial for developing appropriate security programs and policies for any Chief Information Officer. Managing risks is the ability to understand a full range of requirements that involve legal as ethical issues, people, policies and technology (Volonino & Robison, 2003 Chap 1, Part 1, p. 4).

As I have interpreted the SSE – CMM, a PA is as set of related security activities that can be executed, concurrently, iteratively or recursively. However at the end of the day, when these processes are systematized and organized in function of a well-defined security objective, the likelihood to achieve this objective or goal approaches, from a subjective probability vantage point, and very close indeed, one; i.e., the uncertainty or entropic level of failure is greatly reduced as approaching or becoming zero, over a given period of time in which the Information Security System has been monitored and appraised as to measuring the level of its compliance and assurance according to the documented security policies institutionalized and approved by the corporation officers and; under the scrutiny of the ad-hoc official supervisory boards for industry standards and; other regulatory governmental agencies. (SSE–CMM, 2003, p. 39).

5 Conclusion

In closing, figure 1 (see above) depicts clearly the interdependence of PA03 with the other important PAs. This diagram is presented as a sort of substantiating and bringing more evidence that supports the rationale behind the selection of the PA03 - Assess Security Risk analysis over the other PAs. The key concept, at this point, has become, for me, about: How to determine an appropriate security policy, people, technology, business and processes security requirements throughout a thorough risk analysis which, in turn, involves, assessing the opportunity of costs, expected value and, marginal analysis over the Return of security Investments, [ROSI] rather than just focusing in the traditional [ROI] Return of Investment (Volonino & Robinson, 2003, Chap. 1-5). Lastly, I think the SSE–CMM is a process reference model that could serve as a guide or road map for security managers and engineers, especially, to integrate the multidisciplinary aspects, which are overlapping, interrelated and, involved when providing the highest level of assurance for the protection and security of Information Systems.


  • SSE-CMM System Security Engineering Capability Maturity Model. Model Description, Version 3.0. (2003, June 15). Pittsburgh, Pennsylvania: Carnegie Mellon University. Retrieved November 24, 2007, from http://www.sse-cmm.org/docs/secmmv3final.pdf

  • Volonino, L. & Robison, S. R. (2003). Principles and Practice of Information Security Protecting Computers from Hackers and Lawyers. Upper Saddle River, NJ: Pearson Prentice Hall.

Biographical note about the author:

John M. Kennedy T. has two Masters Degrees, and many professional certifications in technology. He has founded many organizations in both, non-profit and for-profit sectors. He has taught in many higher educational organizations and universities in United States and other countries. For the last 15 years, he has been dedicated much of his efforts to research historical inter-cultural communication technology, This investigation is focused on the effects of the utilization of cultural dominant technologies in the field of Human Services, as in teaching and, learning. Incidentally, in the year 1998, he wrote his master thesis titled, “The Application of the World Wide Web in the Human Services”. He combines, his research with teaching, learning and art. In addition, Mr. Kennedy is a professional artists, designer and; digital illustrator, who exhibits, an sales his art rather reluctantly. He writes in both languages, Spanish and English, and has been published by many newspapers and; magazines. He is, currently, developing an interdisciplinary and hypertaxonomic description of knowledge architecture; with the end to compress the volume of space-storage, reduce the information entropy, while increasing the speed of delivery for improving the assimilation, interpretation, or compilation of information between different interfaces, e.g., [human-machine-human] HMH, [Machine Human Machine] MHM, an expedite the development life-cycle of invention as in the [Design-Implementation-Evaluation-Design] DIED life-cycle in which the development of the whole design is view as process of mashing-up and evaluating, meaning,in two step. [it is his own conception of Project with licenses management life-cycle], et al. He often writes on different topics. His research and writings includes [but not only]: Meta-taxonomy, Information System Security, Management of Information Systems, Operating Systems, Web design and Development, MetaCommunities and their behaviors, Anthropology, Politics, “nanoblogging”, philosophy, Metasemantics, memetic, math, botany, biotechnology, computer hardware and software, digital occultism, esoteric symbols and lives, literature, history, sociology, psychology, painting, music, humor, Opera and Rock, and Peruvian music and cooking. For him the mind is not only in the brain as education is not a person, and so the mind is not a country, therefore it has not borders for learning, let along walls, obstacles or fences. Mr. Kennedy thinks that a human being is more than just a money making machine, or just a piece in the long and specialized chain of consumerism. He practices what he preaches by writing about and instilling in others, the idea and motivation, to live a life full of possibilities, and devoted to learning to become a well rounded educated individuals.
Nota Bene: If you want a copy of this paper, for further research, be my guest and click in ►here◄ for downloading it.

Plowed Results | Resultados Arados