CARS project

Application framework for security recommendations: A Maturity Model for Security

Context

To encourage and assist in the use of the ITSEC recommendations, the SCSSI, which is the French certification body for security, has begun several studies aimed at producing methodological guides concerned with the various aspects of the life cycle of a security system or product. Like the ITSEC recommendations, these guides are not very explicit for the software quality community. The emergence of models such as the CMM from the Software Engineering Institute (SEI) provides an opportunity for SCSSI to develop these guides to get the standards and the certification system for software quality and security more closely aligned.

The CARS project started a global process to review the SCSSI technical guides and to define a Maturity Model, which would include security requirements. For the SCSSI, the CARS project has been run by the following companies: PSTI-Evaluation, Dassault Electronique and Syseca.

Objectives

The objectives, marked by the definition of a Maturity Model for security, are:

Approach and Results

The following approach was taken:

KPA = Key Process Area
KP = Key Practice
CF = Common Feature

The advantages are to define a Maturity Model, which is completely compatible with the concepts and the properties of SEI/CMM, and to take into account security at all of the CMM levels. This approach led the project to the elaboration of a Maturity Model for Security on the basis of the SEI/CMM and some technical guides in security:

The various activities performed are shown in the following figure:

Conclusion

The resulting Maturity Model for Security has demonstrated the soundness of the CARS approach. The project has highlighted that:

  • the security guides analysed add to the existing Maturity Model and can be expressed in the KP form;
  • the KP of CMM are either directly applicable or easily interpreted in a security context.

Together these results demonstrate that the CMM can and needs to include Security requirements and that this evolution can be made at the KP level. Just as in the case of the CMM, it is necessary to validate and stabilise this model for the KP proposed relating to security.

The development of such a model is needed:

  • to make the software quality community aware of security;
  • to acquire the views and the experience from people in this community;
  • to make it easier to take into account security requirements during the development process.

This definition of a Maturity Model for Security raises the question of the ITSEC evaluation and the certification of a system or product. How can this evaluation/certification be related to SEI-CMM evaluation/certification?