Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The project team is evaluating secure information system development processes to follow. Which of the following is least applicable to the system engineering for this project?
A. System Security Engineering Capability Maturity Model (SSE-CMM).
B. INCOSE Systems Engineering Handbook
C. NIST SP 800-160 (Systems Security Engineering)
D. ISO/IEC/IEEE 15288 (Systems and software engineering — System life cycle processes)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. System Security Engineering Capability Maturity Model (SSE-CMM).
Systems Security Engineering Capability Maturity Model (SSE-CMM)
Capability Maturity Model
The Capability Maturity Model (CMM) is a development model created after a study of data collected from organizations that contracted with the U.S. Department of Defense, who funded the research. The term “maturity” relates to the degree of formality and optimization of processes, from ad hoc practices, to formally defined steps, to managed result metrics, to active optimization of the processes.
The Capability Maturity Model was originally developed as a tool for objectively assessing the ability of government contractors’ processes to implement a contracted software project. The model is based on the process maturity framework first described in IEEE Software and, later, in the 1989 book Managing the Software Process by Watts Humphrey. It was later published in a report in 1993 and as a book by the same authors in 1995.
Though the model comes from the field of software development, it is also used as a model to aid in business processes generally, and has also been used extensively worldwide in government offices, commerce, and industry.
Source: Wikipedia
ISO/IEC 21827 (SSE-CMM)
ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) developed by the International Systems Security Engineering Association (ISSEA).
ISO/IEC 21827 specifies the Systems Security Engineering – Capability Maturity Model, which describes the characteristics essential to the success of an organization’s security engineering process, and is applicable to all security engineering organizations including government, commercial, and academic. ISO/IEC 21827 does not prescribe a particular process or sequence, but captures practices generally observed in industry.
Source: Wikipedia
ISO/IEC/IEEE 15288:2015
Systems and software engineering — System life cycle processes
ISO/IEC/IEEE 15288:2015 establishes a common framework of process descriptions for describing the life cycle of systems created by humans. It defines a set of processes and associated terminology from an engineering viewpoint. These processes can be applied at any level in the hierarchy of a system’s structure. Selected sets of these processes can be applied throughout the life cycle for managing and performing the stages of a system’s life cycle. This is accomplished through the involvement of all stakeholders, with the ultimate goal of achieving customer satisfaction.
ISO/IEC/IEEE 15288:2015 also provides processes that support the definition, control and improvement of the system life cycle processes used within an organization or a project. Organizations and projects can use these processes when acquiring and supplying systems.
ISO/IEC/IEEE 15288:2015 concerns those systems that are man-made and may be configured with one or more of the following system elements: hardware, software, data, humans, processes (e.g., processes for providing service to users), procedures (e.g., operator instructions), facilities, materials and naturally occurring entities.
Source: ISO
INCOSE Systems Engineering Handbook
A Guide for System Life Cycle Processes and Activities
- For the new systems engineer
- For the engineer in another discipline who needs to perform systems engineering
- For the experienced systems engineer who needs a convenient reference
The INCOSE Systems Engineering Handbook shows what each systems engineering process activity entails in the context of designing for affordability and performance. On some projects, a given activity may be performed very informally (e.g., on the back of an envelope, or in an engineer’s notebook); or, on other projects, a more formal response is required with interim products under formal configuration control. This book provides tools that lead to project success in various circumstances.
Source: INCOSE
NIST SP 800-160 (Systems Security Engineering)
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States.
Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things.
This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities.
The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.
Source: NIST
Summary
- SSE-CMM (ISO/IEC 21827) does not prescribe a particular process or sequence; it’s used to “evaluate” the maturity of system security engineering. It’s not a guideline, approach, or methodology.
- INCOSE Systems Engineering Handbook and NIST SP 800-160 (Systems Security Engineering) are largely compatible with ISO/IEC/IEEE 15288 (Systems and software engineering — System life cycle processes).
- In fact, NIST SP 800-160 is based on ISO/IEC/IEEE 15288, IMO.