Effective CISSP Questions

Your organization decides to purchase new firewalls to replace the legacy ones. Two brand vendors are competing for the bid. Which of the following is the best evidence of your organizational capability that assures the procurement decision of firewalls renders the best outcome?
A. Common Criteria (CC)
B. Service Organization Controls (SOC) 2 Type 2 Report
C. Capability Maturity Model Integration (CMMI)
D. Evaluation Assurance Level (EAL)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Capability Maturity Model Integration (CMMI).

Organizational Capability

The question focuses on organizational capability. What matters for the procurement of firewalls is the capability of the organization, not the assurance or trustworthiness of the product itself. So, the Common Criteria and its EALs are not critical to answering this question.


A capability maturity model (CMM) is used to evaluate an organization’s capability level. The following CMMs have been combined into a single integrated version, the well-known CMMI (Capability Maturity Model Integration):

  • CMMI for Development (CMMI-DEV) for product and service development
  • CMMI for Services (CMMI-SVC) for service establishment and management
  • CMMI for Acquisition (CMMI-ACQ) for product and service acquisition

The CMMI has been acquired by ISACA.

Service Organization Controls (SOC)

Service Organization Controls (SOC) focus on information security, specifically confidentiality, integrity, availability, and privacy. As a result, SOC may help in developing and maintaining organizational capability, since procurement is a significant information security issue. However, SOC is not designed specifically for acquisitions, so CMMI is a better answer than SOC.





