ISO/IEC 21827

More documents

Recommendations

Info

ISO/IEC 21827:2002(E) 6.4 Summary Chart This chart represents the model at a high level of abstraction. The practitioner is cautioned that each process area consists of a number of base practices, which are described in detail in Clause 7 and Annex B. Also, each common feature consists of a number of generic practices, which are described in detail in Annex A. 5.2 Improving Proc. Effectiveness 5.1 Improving Org. Capability 4.2 Objectively Managing Perf. 4.1 Establish Meas. Quality Goals 3.3 Coordinate Practices 3.2 Perform the Defined Process 3.1 Defining a Standard Process 2.4 Tracking Performance 2.3 Verifying Performance 2.2 Disciplined Performance 2.1 Planned Performance 1.1 Base Practices Are Performed Common Features Process Areas PA01 – Administer Security Controls PA02 – Assess Impact PA03 – Assess Security Risk PA04 – Assess Threat PA05 – Assess Vulnerability PA06 – Build Assurance Argument PA07 – Coordinate Security PA08 – Monitor Security Posture PA09 – Provide Security Input PA10 – Specify Security Needs PA11 – Verify and Validate Security PA12 – Ensure Quality PA13 – Manage Configuration PA14 – Manage Project Risk PA15 – Monitor and Control Technical Ef PA16 – Plan Technical Effort PA17 – Define Org. Systems Eng. Proce PA18 – Improve Org. Systems Eng. Proc PA19 – Manage Product Line Evolution PA20 – Manage Systems Eng. Support E PA21 – Provide Ongoing Skills and Knldg PA22 – Coordinate with Suppliers Security Engineering Process Areas Project and Organizational Process Areas Figure 7 - Summary of Process Areas and Common Features relationships 7 Security Base Practices This clause contains the base practices, that is, the practices considered essential to the conduct of basic security engineering. Note that the process areas are numbered in no particular order since the SSE-CMM® does not prescribe a specific process or sequence. An organization can be assessed against any one single process area or combination of process areas. The process areas together, however, are intended to cover all base practices for security engineering and there are many inter-relationships between the process areas. At present, the SSE-CMM® comprises 11 security process areas, each 20 © ISO/IEC 2002 – All rights reserved
ISO/IEC 21827:2002(E) of which contains a number of base practices. Each process area is identified in the following subsections. The general format of the process areas is shown in Figure 8. The summary description contains a brief overview of the purpose of the process area. Each process area is decomposed into a set of base practices. The base practices are considered mandatory items (i.e., they must be successfully implemented to accomplish the purpose of the process area they support). Each base practice is described in detail following the process area summary. Goals identify the desired end result of implementing the process area. PA01 – Process Area Title (in verb-noun form) Summary Description – An overview of the process area Goals – A list indicating the desired results of implementing this process area Base Practices List – A list showing the number and name of each base practice Process Area Notes – Any other notes about this process area BP.01.01 – Base Practice Title (in verb-noun form) Descriptive Name – A sentence describing the base practice Description – An overview of this base practice Example Work Products – A list of examples illustrating some possible output Notes – Any other notes about this base practice BP.01.02... Figure 9 - Process Area Format 7.1 PA01 - Administer Security Controls 7.1.1 Process Area 7.1.1.1 Summary Description The purpose of Administer Security Controls is to ensure that the intended security for the system that was integrated into the system design, is in fact achieved by the resultant system in its operational state. 7.1.1.2 Goals • Security controls are properly configured and used. 7.1.1.3 Base Practice List BP.01.01 BP.01.02 BP.01.03 BP.01.04 Establish responsibilities and accountability for security controls and communicate them to everyone in the organization. Manage the configuration of system security controls. Manage security awareness, training, and education programs for all users and administrators. Manage periodic maintenance and administration of security services and control mechanisms. 7.1.1.4 Process Area Notes This process area addresses those activities required to administer and maintain the security control mechanisms for a development environment and an operational system. Further this process area helps to ensure that, over time, the level of security does not deteriorate. The management of controls for a new facility should integrate with existing facility controls. 7.1.2 BP.01.01 - Establish Security Responsibilities Establish responsibilities and accountability for security controls and communicate them to everyone in the organization. © ISO/IEC 2002 – All rights reserved 21
Page 1 and 2: INTERNATIONAL STANDARD ISO/IEC 2182
Page 3 and 4: ISO/IEC 21827:2002(E) Contents Fore
Page 5 and 6: © ISO/IEC 2002 - All rights reserv
Page 7 and 8: ISO/IEC 21827:2002(E) Specific Indu
Page 9 and 10: INTERNATIONAL STANDARD ISO/IEC 2182
Page 11 and 12: ISO/IEC 21827:2002(E) 3.11 Baseline
Page 13 and 14: ISO/IEC 21827:2002(E) 3.36 Validati
Page 15 and 16: ISO/IEC 21827:2002(E) 5 Structure o
Page 17 and 18: ISO/IEC 21827:2002(E) • Communica
Page 19 and 20: ISO/IEC 21827:2002(E) Figure 3 - Se
Page 21 and 22: ISO/IEC 21827:2002(E) Figure 5 - Th
Page 23 and 24: ISO/IEC 21827:2002(E) Subsequent co
Page 25 and 26: ISO/IEC 21827:2002(E) • Level 1,
Page 27: ISO/IEC 21827:2002(E) Table 3 - 218
Page 31 and 32: ISO/IEC 21827:2002(E) • security
Page 33 and 34: ISO/IEC 21827:2002(E) 7.2.1.2 Goals
Page 35 and 36: ISO/IEC 21827:2002(E) 7.2.5.1 Descr
Page 37 and 38: ISO/IEC 21827:2002(E) information f
Page 39 and 40: ISO/IEC 21827:2002(E) 7.3.7 BP.03.0
Page 41 and 42: ISO/IEC 21827:2002(E) 7.4.4.3 Notes
Page 43 and 44: ISO/IEC 21827:2002(E) of existing s
Page 45 and 46: ISO/IEC 21827:2002(E) 7.5.5.1 Descr
Page 47 and 48: ISO/IEC 21827:2002(E) acceptable le
Page 49 and 50: ISO/IEC 21827:2002(E) 7.7.2 BP.07.0
Page 51 and 52: ISO/IEC 21827:2002(E) 7.8.1.3 Base
Page 53 and 54: ISO/IEC 21827:2002(E) response shou
Page 55 and 56: ISO/IEC 21827:2002(E) 7.9 PA09 - Pr
Page 57 and 58: ISO/IEC 21827:2002(E) rules and pra
Page 59 and 60: ISO/IEC 21827:2002(E) 7.10.1.3 Base
Page 61 and 62: ISO/IEC 21827:2002(E) information f
Page 63 and 64: ISO/IEC 21827:2002(E) In the intere
Page 65 and 66: ISO/IEC 21827:2002(E) Annex A (norm
Page 67 and 68: ISO/IEC 21827:2002(E) A.3.2.1 Commo
Page 69 and 70: ISO/IEC 21827:2002(E) A.3.2.7.2 Not
Page 71 and 72: ISO/IEC 21827:2002(E) A.3.5 Common
Page 73 and 74: ISO/IEC 21827:2002(E) A.4.2.2.3 Rel
Page 75 and 76: ISO/IEC 21827:2002(E) A.4.4.2.1 Des
Page 77 and 78: ISO/IEC 21827:2002(E) A.5.2.2.2 Not
Page 79 and 80:
ISO/IEC 21827:2002(E) A.6.2.2.2 Not
Page 81 and 82:
ISO/IEC 21827:2002(E) Annex B (norm
Page 83 and 84:
ISO/IEC 21827:2002(E) B.3.2.1 Descr
Page 85 and 86:
ISO/IEC 21827:2002(E) parameters;
Page 87 and 88:
ISO/IEC 21827:2002(E) B.4.1.5 Proce
Page 89 and 90:
ISO/IEC 21827:2002(E) B.4.5.1 Descr
Page 91 and 92:
ISO/IEC 21827:2002(E) B.5.2.3 Notes
Page 93 and 94:
ISO/IEC 21827:2002(E) B.5.7 BP.14.0
Page 95 and 96:
ISO/IEC 21827:2002(E) B.6.4.2 Examp
Page 97 and 98:
ISO/IEC 21827:2002(E) BP.16.08 BP.1
Page 99 and 100:
ISO/IEC 21827:2002(E) B.7.6.1 Descr
Page 101 and 102:
ISO/IEC 21827:2002(E) B.7.10.2 Exam
Page 103 and 104:
ISO/IEC 21827:2002(E) • process a
Page 105 and 106:
ISO/IEC 21827:2002(E) B.9.1.2 Summa
Page 107 and 108:
ISO/IEC 21827:2002(E) B.9.5.2 Examp
Page 109 and 110:
ISO/IEC 21827:2002(E) B.10.4.2 Exam
Page 111 and 112:
ISO/IEC 21827:2002(E) B.11.2.1 Desc
Page 113 and 114:
ISO/IEC 21827:2002(E) performance.
Page 115 and 116:
ISO/IEC 21827:2002(E) B.12.3 BP.21.
Page 117 and 118:
ISO/IEC 21827:2002(E) B.12.7 BP.21.
Page 119 and 120:
ISO/IEC 21827:2002(E) B.13.2.1 Desc
Page 121 and 122:
ISO/IEC 21827:2002(E) • communica
Page 123 and 124:
ISO/IEC 21827:2002(E) produce the d
Page 125 and 126:
ISO/IEC 21827:2002(E) C.5.2 Organiz
Page 127 and 128:
ISO/IEC 21827:2002(E) C.5.12 Instit
Page 129 and 130:
ISO/IEC 21827:2002(E) Security Engi
Page 131 and 132:
ISO/IEC 21827:2002(E) GOODENOUGH93B
show all

ISO/IEC 21827

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?