55915X Ch13.qxd 3/22/04 5:51 PM Page 602 602 Part II ✦ The Information Systems Security Engineering Professional (ISSEP) Concentration

PA22 Coordinate with Suppliers

The goal of this process area and the related best practices are:

✦ Goal 1 — Effective suppliers are selected and used.
✦ BP.22.01 — Identify systems components or services.
✦ BP.22.02 — Identify competent suppliers or vendors.
✦ BP.22.03 — Choose suppliers or vendors.
✦ BP.22.04 — Provide expectations.
✦ BP.22.05 — Maintain communications.

The IDEAL Model

In addition to the SSE-CMM, the ISSEP candidate should be aware of the Carnegie Mellon Software Engineering Institute’s IDEAL model. (IDEAL stands for Initiating, Diagnosing, Establishing, Acting, and Learning.) Security engineering process improvement is a fundamental component of managing and maintaining the security program.

Process Improvement

The basic premise of process improvement is that the quality of services produced is a direct function of the quality of the associated development and maintenance processes. Knowledge of the basic principles of process change is required to implement a successful security engineering process improvement activity. The principles are:

✦ Major changes must be sponsored by senior management.
✦ Focus on fixing the process, not assigning blame.
✦ Understand the current process first.
✦ Change is continuous.
✦ Improvement requires investment.
✦ Retaining improvement requires periodic reinforcement.

The goal is to establish a continuous cycle of evaluating the current status of your organization, making improvements, and repeating this cycle. The IDEAL model is shown in Table 13-2.
Chapter 13 ✦ Technical Management

Table 13-2 The IDEAL Model

Phase  Description   Activity
I      Initiating    Laying the groundwork for a successful improvement effort
D      Diagnosing    Determining where you are relative to where you want to be
E      Establishing  Planning the specifics of how you will reach your destination
A      Acting        Doing the work according to the plan
L      Learning      Learning from the experience and improving your ability

Each of the five phases of the IDEAL approach is made up of several activities.

The Initiating Phase

Embarking upon a security engineering process improvement effort should be handled in the same manner in which all new projects within an organization are approached. One must become familiar with the project’s objectives and the means for their accomplishment, develop a business case for the implementation, gain the approval and confidence of management, and develop a method for the project’s implementation.

Effective and continuous support of the effort throughout its lifetime is essential for successful process improvement. Sponsorship involves not only making available the financial resources necessary to continue the process but also requires personal attention from management to the project. After the relationship between the proposed effort and business goals has been established and key sponsors have given their commitment, a mechanism for the project’s implementation must be established.

The Diagnosing Phase

In order to perform process development/improvement activities, it is imperative that an understanding of the organization’s current and desired future state of process maturity be established. These parameters form the basis of the organization’s process improvement action plan. Performing a gap analysis emphasizes the differences between the current and desired states of the organization’s processes and reveals additional information or findings about the organization.
Grouped according to area of interest, these findings form the basis of the recommendations for how to improve the organization.

The Establishing Phase

In this phase, a detailed plan of action based on the goals of the effort and the recommendations made during the diagnosing phase is developed. In addition, the plan must take into consideration any possible constraints, such as resource limitations, which might limit the scope of the improvement effort. Priorities, along with specific outputs and responsibilities, are also put forth in the plan.

Time constraints, available resources, organizational priorities, and other factors might not allow for all of the goals to be realized or recommendations implemented during a single instance of the process improvement life cycle. Therefore, the organization must establish priorities for its improvement effort.

As a result of established priorities and the organization characterization defined in the diagnosing phase, the scope of the process improvement effort might be different from that developed in the initiating phase. The develop-approach step requires that the redefined objectives and recommendations be mapped to potential strategies for accomplishing the desired outcomes.

At this point, all of the data, approaches, recommendations, and priorities are brought together in the form of a detailed action plan. Included in the plan are the allocation of responsibilities, resources, and specific tasks; tracking tools to be used; and established deadlines and milestones. The plan should also include contingency plans and coping strategies for any unforeseen problems.

The Acting Phase

This phase is the implementation phase and requires the greatest level of effort of all the phases, both in terms of resources and time.
Achieving the goals of the organization might require multiple parallel cycles within the acting phase in order to address all of the desired improvements and priorities. Solutions, or improvement steps, for each problem area are developed based on available information on the issue and on the resources for implementation. At this stage, the solutions are the best-guess efforts of a technical working group.

The first step in designing processes that will meet the business needs of an enterprise is to understand the business, product, and organizational context that will be present when the process is being implemented. Some questions that need to be answered before process design include the following:

✦ How is security engineering practiced within the organization?
✦ What life cycle will be used as a framework for this process?
✦ How is the organization structured to support projects?
✦ How are support functions handled (for example, by the project or by the organization)?
✦ What are the management and practitioner roles used in this organization?
✦ How critical are these processes to organizational success?

Because first attempts at generating solutions rarely succeed, all solutions must be tested before they are implemented across an organization. How an organization chooses to test its solutions is dependent upon the nature of the area of interest, the proposed solution, and the resources of the organization. Using information collected during testing, potential solutions should be modified to reflect new knowledge about the solution. The importance of the processes under focus as well as the complexity of the proposed improvements will dictate the degree of testing and refinement proposed solutions must undergo before being considered acceptable for implementation throughout the organization.
Once a proposed improved process has been accepted, it must be implemented beyond the test group. Depending upon the nature and degree to which a process is being improved, the implementation stage might require significant time and resources. Implementation can occur in a variety of ways, depending upon the organization’s goals.

The Learning Phase

The learning phase is both the final stage of the initial process improvement cycle and the initial phase of the next process improvement effort. Here the entire process improvement effort is evaluated in terms of goal realization and how future improvements can be instituted more efficiently. This phase is only as constructive as the detail of records kept throughout the process and the ability of participants to make recommendations.

Determining the success of process improvement requires analyzing the final results in light of the established goals and objectives. It also requires evaluating the efficiency of the effort and determining where further enhancements to the process are required. These lessons learned are then collected, summarized, and documented.

Based on the analysis of the improvement effort itself, the lessons learned are translated into recommendations for improving subsequent efforts. These recommendations should be promulgated outside those guiding the improvement effort for incorporation in this and other efforts.

Planning and Managing the Technical Effort

The key to the successful implementation of any security engineering effort is early planning. Planning for security system engineering activities is initiated with the definition of program requirements and the development of a Program Management Plan (PMP). This leads to the identification of system security engineering requirements and the preparation of a detailed Systems Engineering Management Plan (SEMP).
Program Manager Responsibilities

The program manager is the lead for all activities involving cost, schedule, and performance responsibilities. For example, the program manager’s function in the DITSCAP is to ensure security requirements are integrated into the IT architecture in a way that will result in an acceptable level of risk to the operational infrastructure. As we saw in Chapter 12, the DITSCAP PM works directly with the development integration, maintenance, configuration management, quality assurance, test verification, and validation organizations. The PM drafts or supports the drafting of the SSAA and coordinates security requirements with the DAA, the CA, and the user representative. The PM continuously keeps all DITSCAP participants informed of acquisition and development action, security requirements, and user needs. Figure 13-2 shows the PM security management relationship in the DITSCAP.

[Figure 13-2: DITSCAP program manager security management relationships. The figure places the Program Manager among the User Representative, Maintainer, Configuration Management Staff, Quality Control Staff, Government Acceptance / IV&V Support, Acquisition or Maintenance Organization, DAA, CA, and the Developer, Integrator, Test Team, and SETA.]

Program Management Plan (PMP)

Usually there is one overall planning document for every program or project, which covers all requirements at a high level and leads to a variety of lower-level plans that address specific areas of activity. Although the specific nomenclature may vary from one program to the next, the title Program Management Plan (PMP) is most often selected to represent this high-level plan. Two major components of the PMP are the Systems Engineering Management Plan (SEMP) and the Work Breakdown Structure (WBS).
Systems Engineering Management Plan (SEMP)

All of the key participants in the system development process must know not only their own responsibilities but also how to interface with one another. This interaction of responsibilities and authority within the project must be defined and controlled, and it is accomplished through the preparation and dissemination of a System Engineering Management Plan (SEMP). An important function of the SEMP is to ensure that all of the participants know their responsibilities to one another. The SEMP also serves as a reference for the procedures that are to be followed in carrying out the numerous systems security engineering tasks. Often the contractor is required to prepare a SEMP as part of the concept definition effort. The place of the SEMP in the program management plan is shown in Figure 13-3.

[Figure 13-3: Placement of the SEMP in the program management plan. The figure shows the Program Management Plan (PMP) with its Program Management Requirements and Program Technical Requirements, the Program Requirements Specifications A through E, the Related Management Plans, the Individual Program Plans, and the Systems Engineering Management Plan (SEMP), together with the areas Functional Design, Reliability, Maintainability, Producibility, Safety, Logistics, Configuration Management, Manufacturing Management, Test & Evaluation, and Total Quality. (Source: A. Kossiakoff and W. N. Sweet, Systems Engineering: Principles and Practice, Wiley Publishing, Inc., 2003. Used by permission.)]

The SEMP is intended to be a dynamic document. It starts as an outline and is updated as the security system development process goes on. The SEMP covers all management functions associated with the performance of security systems engineering activities for a given program. The responsibility for the SEMP must be clearly defined and supported by the program manager.
SEMP Elements

The SEMP contains detailed statements of how the systems security engineering functions are to be carried out during development. Two major elements of the SEMP are:

✦ Development program planning and control
✦ Security systems engineering process

Development Program Planning and Control

Development program planning and control describes the tasks that must be implemented to manage the development phase of the security program, including:

✦ Statement Of Work (SOW)
✦ Organizational Structure
✦ Scheduling and Cost Estimation
✦ Technical Performance Measurement (TPM)

Security Systems Engineering Process

Security systems engineering process describes the security systems engineering process as it applies to the development of the system, including:

✦ Operational Requirements
✦ Functional Analysis
✦ System Analysis And Trade-Off Strategy
✦ System Test And Evaluation Strategy

Statement of Work (SOW)

The Statement of Work (SOW) is a narrative description of the work required for a given project. It is commonly described in the PMP and should include the following:

✦ Summary statement of the tasks to be accomplished.
✦ Identification of the input requirements from other tasks, including tasks accomplished by the customer and supplier.
✦ References to applicable specifications, standards, procedures, and related documentation.
✦ Description of specific results to be achieved and a proposed schedule of delivery.

Work Breakdown Structure (WBS)

After the generation of the SOW and the identification of the organizational structure, one of the initial steps in program planning is the development of the Work Breakdown Structure (WBS).
The WBS is a tree that leads to the identification of the activities, functions, tasks, and subtasks that must be completed. The WBS is an important technique to ensure that all essential tasks are properly defined, assigned, scheduled, and controlled. It contains a hierarchical structure of the tasks to be accomplished during the project. The WBS may be a contractual requirement in competitive bid system developments.

The WBS structure generally includes three levels of activity:

✦ Level 1 — Identifies the entire program scope of work to be produced and delivered. Level 1 may be used as the basis for the authorization of the program work.
✦ Level 2 — Identifies the various projects, or categories of activity, that must be completed in response to program requirements. Program budgets are usually prepared at this level.
✦ Level 3 — Identifies the activities, functions, major tasks, and/or components of the system that are directly subordinate to the Level 2 items. Program schedules are generally prepared at this level.

The WBS provides many benefits, such as:

✦ Provides for the reporting of system technical performance measures (TPMs)
✦ The entire security system can be easily defined by the breakdown of its elements into discrete work packages
✦ Aids in linking objectives and activities with available resources
✦ Facilitates budgeting and cost reporting
✦ Responsibility assignments can be readily identified through the assignment of tasks
✦ Provides a greater probability that every activity will be accounted for

WBS Components

The use of the WBS as a project-organizing framework generally begins in the concept exploration phase. Later, in the concept definition phase, the WBS is defined in detail as the basis for organizing, costing, and scheduling. The WBS format follows a hierarchical structure designed to ensure a slot for every significant task and activity.
In the example below, the entire security system project is at Level 1 in the hierarchy, and the five components represent the Level 2 categories.

1.1 Security System Product — The effort required to develop, produce, and integrate the security system.
1.2 Security System Support — The equipment, facilities, and services necessary for the development and operation of the system product.
1.3 Security System Testing — Testing begins after the design of the individual components has been validated via component tests. A very significant fraction of the total test effort is usually allocated to system level testing.
1.4 Project Management — All activities associated with project planning and control, including all management of the WBS, costing, scheduling, performance measurement, project reviews, reports, and associated activities.
1.5 Security Systems Engineering — The actions of the security systems engineering staff in guiding the engineering of the system through all its conceptual and engineering phases.

Each of the Level 2 categories will have deeper, associated Level 3, Level 4, and possibly Level 5 categories as each component is further broken down. These lower level categories represent the breakdown of each component into definable products of development, the lowest level defining each step of the component’s design, development, and testing. This is vital for establishing cost allocation and controls. The WBS should be structured so that every task is identified at the appropriate place within the WBS hierarchy.

Cost Control and Estimating

Cost control starts with the initial development of cost estimates for the program and continues with the functions of cost monitoring, the collection of cost data, the analysis of the data, and the immediate initiation of corrective action.
Cost control requires good overall cost management, including:

✦ Cost estimating
✦ Cost accounting
✦ Cost monitoring
✦ Cost analysis and reporting
✦ Control functions

The cost control process is typically performed in this order:

1. Define the elements of work, as extracted from the SOW
2. Integrate the tasks defined in the WBS
3. Develop the estimated costs for each task
4. Develop a functional cost data collection and reporting capability
5. Develop a procedure for evaluation and quick corrective action

For more information about the cost control process, please see Appendix E, “The Cost Analysis Process.”

Critical Path Method (CPM)

Critical path analysis is an essential project management tool that traces each major element of the system back through the engineering of its constituent parts. Estimates are made up not only of the size, but also of the duration of effort required for each step. The particular path that is estimated to require the longest time to complete is called the critical path. The differences between this time and the times required for other paths are called “slack” for those paths.

Outsourcing

Outsourcing refers to the identification of, selection of, and contracting with one or more outside suppliers for the procurement and acquisition of materials and services for a given system. The term suppliers is defined here as a broad class of external organizations that provide products, components, materials, and/or services to a producer or prime contractor. The prime activities of the outsourcing process are:

1. Identification of potential suppliers
2. Development of a request for proposal (RFP)
3. Review and evaluation of supplier proposals
4. Selection of suppliers and contract negotiation
5. Supplier monitoring and control
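As an added worked example (not from the book), the following script rolls estimated costs up a WBS and runs the critical path and slack computation described in the CPM section above over a constructed set of Level 3 work packages under the page's Level 2 categories 1.1 through 1.5. The task names, costs, durations and dependencies are assumptions chosen for illustration.

```python
"""Added example: WBS cost roll-up plus Critical Path Method (CPM) scheduling.

Not from the book. The Level 3 work packages below are constructed to sit
under the page's Level 2 categories 1.1 to 1.5; costs ($K), durations (weeks)
and dependencies are assumptions chosen for illustration.
"""
from collections import defaultdict

# id -> (parent Level 2 id, estimated cost in $K, duration in weeks, predecessors)
TASKS = {
    "1.1.1": ("1.1", 120, 4, []),                  # security requirements baseline
    "1.1.2": ("1.1", 300, 8, ["1.1.1"]),           # design and build the product
    "1.2.1": ("1.2", 80, 3, ["1.1.1"]),            # support facilities and tooling
    "1.3.1": ("1.3", 60, 2, ["1.1.2"]),            # component tests
    "1.3.2": ("1.3", 150, 5, ["1.3.1", "1.2.1"]),  # system-level testing
    "1.4.1": ("1.4", 90, 1, ["1.3.2"]),            # project reviews and reports
    "1.5.1": ("1.5", 70, 2, ["1.1.1"]),            # systems engineering oversight
}


def rollup_costs(tasks):
    """Sum Level 3 estimates into their Level 2 category and into Level 1 ("1")."""
    totals = defaultdict(int)
    for parent, cost, _duration, _preds in tasks.values():
        totals[parent] += cost
        totals["1"] += cost
    return dict(totals)


def critical_path(tasks):
    """Forward and backward pass over the task graph.

    Returns (project duration, slack per task, critical task ids in order).
    Tasks with zero slack form the critical path; slack is how long a task
    can slip without extending the project.
    """
    order, seen = [], set()

    def visit(tid):  # depth-first walk that emits predecessors first
        if tid in seen:
            return
        seen.add(tid)
        for pred in tasks[tid][3]:
            visit(pred)
        order.append(tid)

    for tid in tasks:
        visit(tid)

    # Forward pass: earliest start (es) and earliest finish (ef).
    es, ef = {}, {}
    for tid in order:
        es[tid] = max((ef[p] for p in tasks[tid][3]), default=0)
        ef[tid] = es[tid] + tasks[tid][2]
    duration = max(ef.values())

    # Backward pass: latest finish (lf) and latest start (ls).
    successors = defaultdict(list)
    for tid, (_, _, _, preds) in tasks.items():
        for p in preds:
            successors[p].append(tid)
    ls, lf = {}, {}
    for tid in reversed(order):
        lf[tid] = min((ls[s] for s in successors[tid]), default=duration)
        ls[tid] = lf[tid] - tasks[tid][2]

    slack = {tid: ls[tid] - es[tid] for tid in tasks}
    critical = [tid for tid in order if slack[tid] == 0]
    return duration, slack, critical


if __name__ == "__main__":
    for wbs_id, total in sorted(rollup_costs(TASKS).items()):
        print(f"{wbs_id:<5} ${total}K")
    length, slack, critical = critical_path(TASKS)
    print(f"project duration: {length} weeks; critical path: {' -> '.join(critical)}")
    for tid, s in sorted(slack.items()):
        print(f"{tid} slack {s} weeks")
```

Tasks with non-zero slack (here 1.2.1 and 1.5.1) can absorb delay without moving the delivery date; any slip on a zero-slack task extends the whole program.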
System Design Testing

An important step in the security systems development process is the development of a well-designed test plan for determining whether the security system design is stable. A well-planned test program often requires the following five steps:

1. Planning — The test approach must be planned properly to uncover potential design deficiencies and acquire sufficient test data to identify areas needing correction. This includes the activities:
   • Development of a test plan
   • Development of test procedures
   • Development of a test analysis plan
   [...]

2. Development or acquisition of test equipment and facilities — The process in the creation of test equipment and test facilities includes:
   • Creating the Test Environment — The design and construction of the test environment and the acquisition of equipment for the realistic generation of all of the input functions and the measurement of the resulting outputs
   • Test Software — The acquisition of the software to be used for testing, tailored to the system at hand
   • Test Equipment Validation — The test equipment itself must be validated to ensure that it is sufficiently accurate and reliable

3. Demonstration and validation testing — The actual conduct of the test to demonstrate and validate the security [...] design. This is often the most critical period in the development of a new system.

4. Analysis and evaluation of test results — The outputs from the component under examination and the results of the test must then be analyzed to disclose all significant discrepancies, in order to identify their source and assess whether correction is required.

5. Correction of Design Deficiencies — The final step is a [...]

Chapter 13 ✦ Study Guide

[...] Which choice below best describes the purpose of the Learning phase of the IDEAL model?
a. The Learning phase is the implementation phase and requires the greatest level of effort of all the phases both in terms of resources and time.
b. The Learning phase is both the final stage of the initial process improvement cycle and the initial phase of the next process improvement effort.
c. In the Learning phase, it [...]

[...] suppliers for the procurement and acquisition of materials and services.

13. Which choice below is NOT a benefit of the WBS?
a. The WBS facilitates the initial allocation of budgets.
b. The WBS facilitates the collection and reporting of costs.
c. The system can easily be described through the logical breakout of its elements into work packages.
d. The WBS integrates the efforts of all engineering disciplines and special [...]

[...] and controlled.

27. Which choice is not an activity in the Development Program Planning and Control element of the SEMP?
a. System Test and Evaluation Strategy
b. Scheduling and Cost Estimation
c. Technical Performance Measurement
d. Statement of Work

28. At what point in the project is the Work Breakdown Structure (WBS) usually created?
a. After the generation of the SOW and [...]

[...] emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.” FIPS PUB 199 lists the following areas where the standards [...]

[...] of the ISSEP Candidate

The U.S. Government Information Assurance Regulations domain of the ISSEP concentration is designed to enable the candidate to identify, understand, and apply the practices as defined by the U.S. Government IA regulations and policies.

Common U.S. Government Information Assurance Terminology

A large amount of U.S. government assurance terminology has, necessarily, been defined and [...]

[...] contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
5. Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and controls [...]

[...] guidelines between NIST and the NSA and other agencies with responsibility for national security systems. Standards associated with the national defense establishment remain the responsibility of the DoD and NSA. NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” Second Public Draft, June 2003, summarizes the tasks under FISMA that each [...]