Announcing CMMI V2.2 Release – Security and Safety

CMMI V2.2
Author: ISACA
Date Published: 26 May 2021

ISACA’s new CMMI Model content describes best practices for holistically defining security and safety strategies, approaches, activities, and functions necessary to protect an organization’s entire ecosystem, including personnel, resources and information.

The CMMI Model content for Security and Safety was under development for several years. The result is new content and a new Capability Area (CA), Managing Security and Safety (MSS), which was reviewed through community focus groups of certified CMMI subject matter experts with demonstrated experience in security and safety.

The CA involves identifying and evaluating security and safety needs and constraints, prioritizing and planning relevant approaches to address those needs and constraints, responding to and preventing harmful events and incidents, and protecting and defending against safety incidents and security threats and vulnerabilities.

The Managing Security and Safety

The Managing Security and Safety (MSS) Capability Area describes the capabilities organizations need to:

  • Prepare: Define approaches for organizational preparedness and readiness to address safety and security needs and constraints
  • Investigate: Analyze, assess, and learn from safety or security events and incidents
  • Monitor: Identify and respond to events and incidents that are potentially harmful to the organization or solution on a continuous basis
  • Protect and Defend: Take steps and actions against current and future potentially harmful impacts on the organization or solution to either avoid or minimize negative effects on the organization
  • Preempt and Prevent: Conduct advanced analysis to anticipate and avoid harmful internal or external threats, activities or vulnerabilities caused by people, processes or systems
  • Review and Evaluate: Determine the effectiveness of security and safety approaches and make improvements

The following are the new Practice Areas in CMMI:

Enabling Safety (ESAF)

Enabling Safety (ESAF) identifies and addresses safety in all aspects of the organization, environment and solution, including products, processes, services or environments. This encompasses both facilitating and managing safety activities.

Enabling Security (ESEC)

Enabling Security (ESEC) includes performing security activities that produce secure solutions. Identifying security needs and constraints is an ongoing, 24/7, 365 days a year activity. It can never stop and cannot be an afterthought or a tradeoff item like schedule, cost and quality. Enabling security includes systematically identifying, assessing and addressing security needs across a project or organization.

Managing Security Threats and Vulnerabilities (MST)

Managing Security Threats and Vulnerabilities (MST) includes a holistic and systematic approach for addressing security threats and vulnerabilities for an organization, project or work effort, in order to select which threats and vulnerabilities are the most critical to address, given the potential risk and impact to the business, mission or solution.

To learn more about the new content, visit the CMMI Security and CMMI Safety web pages.