Transcript of the 中華民國資訊軟體品質協會 (Information Software Quality Association, ROC) member assembly keynote: Integrates CMMI & ISMS
Integrates CMMI & ISMS
Jessie Lee (李哲祥), General Manager, 景華管理顧問公司
[email protected]
CMM and CMM Integration and PCMM are Service Marks of Carnegie Mellon University. Capability Maturity Model, Capability Maturity Modeling are Registered in the U.S. Patent and Trade Marks Office. Personal Software Process and Team Software Process are Service Marks of Carnegie Mellon University.
Research topic
How to integrate the objectives and requirements of ISMS information security management into the design of an organization's management processes based on CMMI, so as to serve the dual purpose of process management and information security management, raise the level of internal information security management, and improve external customers' satisfaction with quality.
Topics
Explain the information security requirements in CMMI
Explain the parts of ISO27001 that relate to software engineering
Explain the information security management items and requirements in the ISO12207 software engineering process
Security verification of source code
Considerations for process planning
Security requirements in CMMI 1/16
CM - SP 2.2 Control Configuration Items. Subpractices
4. Perform reviews to ensure that changes have not caused unintended effects on the baselines (e.g., ensure that the changes have not compromised the safety and/or security of the system).
Security requirements in CMMI 2/16
IPM - SP 1.3 Establish the Project's Work Environment. Subpractices
1. Plan, design, and install a work environment for the project.
◦ The critical aspects of the project work environment are, like any other product, requirements driven. Work environment functionality and operations are explored with the same rigor as is done for any other product development.
◦ It may be necessary to make tradeoffs among performance, costs, and risks. The following are examples of each:
◦ Performance considerations may include timely interoperable communications, safety, security, and maintainability.
◦ Costs may include capital outlays, training, support structure, disassembly and disposal of existing environments, and operation and maintenance of the environment.
◦ Risks may include workflow and project disruptions.
Security requirements in CMMI 3/16
MA - SP 1.3 Specify Data Collection and Storage Procedures. Subpractices
3. Specify how to collect and store the data for each required measure.
◦ Explicit specifications are made of how, where, and when the data will be collected. Procedures for collecting valid data are specified. The data are stored in an accessible manner for analysis, and it is determined whether they will be saved for possible reanalysis or documentation purposes.
◦ Questions to be considered typically include the following:
Have the frequency of collection and the points in the process where measurements will be made been determined?
Has the timeline that is required to move measurement results from the points of collection to repositories, other databases, or end users been established?
Who is responsible for obtaining the data?
Who is responsible for data storage, retrieval, and security?
Have necessary supporting tools been developed or acquired?
Security requirements in CMMI 4/16
OPD - SP 1.6 Establish Work Environment Standards
Examples of work environment standards include:
◦ Procedures for operation, safety, and security of the work environment
◦ Standard workstation hardware and software
◦ Standard application software and tailoring guidelines for it
◦ Standard production and calibration equipment
◦ Process for requesting and approving tailoring or waivers
Security requirements in CMMI 5/16
PI - SP 3.4 Package and Deliver the Product or Product Component. Subpractices
3. Satisfy the applicable requirements and standards for packaging and delivering the product.
◦ Examples of requirements and standards include those for safety, the environment, security, transportability, and disposal.
For Software Engineering: examples of requirements and standards for packaging and delivering software include the following:
◦ Type of storage and delivery media
◦ Custodians of the master and backup copies
◦ Required documentation
◦ Copyrights
◦ License provisions
◦ Security of the software
Security requirements in CMMI 6/16
PMC - SP 1.1 Monitor Project Planning Parameters. Subpractices
4. Monitor resources provided and used.
◦ Examples of resources include the following:
◦ Physical facilities
◦ Computers, peripherals, and software used in design, manufacturing, testing, and operation
◦ Networks
◦ Security environment
◦ Project staff
◦ Processes
Security requirements in CMMI 7/16
PMC - SP 2.1 Analyze Issues. Subpractices
1. Gather issues for analysis.
Issues are collected from reviews and the execution of other processes.
◦ Examples of issues to be gathered include the following:
◦ Issues discovered through performing verification and validation activities
◦ Significant deviations in the project planning parameters from the estimates in the project plan
◦ Commitments (either internal or external) that have not been satisfied
◦ Significant changes in risk status
◦ Data access, collection, privacy, or security issues
◦ Stakeholder representation or involvement issues
Security requirements in CMMI 8/16
PP - SP 1.2 Establish Estimates of Work Product and Task Attributes. Subpractices
1. Determine the technical approach for the project.
◦ The technical approach defines a top-level strategy for development of the product. It includes decisions on architectural features, such as distributed or client/server; state-of-the-art or established technologies to be applied, such as robotics, composite materials, or artificial intelligence; and breadth of the functionality expected in the final products, such as safety, security, and ergonomics.
Security requirements in CMMI 9/16
PP - SP 1.4 Determine Estimates of Effort and Cost. Subpractices
3. Estimate effort and cost using models and/or historical data.
◦ Effort and cost inputs used for estimating typically include the following:
◦ Judgmental estimates provided by an expert or group of experts (e.g., Delphi Method)
◦ Risks, including the extent to which the effort is unprecedented
◦ Critical competencies and roles needed to perform the work
◦ Product and product component requirements
◦ Technical approach
◦ WBS
◦ Size estimates of work products and anticipated changes
◦ Cost of externally acquired products
◦ Selected project lifecycle model and processes
◦ Lifecycle cost estimates
◦ Capability of tools provided in engineering environment
◦ Skill levels of managers and staff needed to perform the work
◦ Knowledge, skill, and training needs
◦ Facilities needed (e.g., office and meeting space and workstations)
◦ Engineering facilities needed
◦ Capability of manufacturing process(es)
◦ Travel
◦ Level of security required for tasks, work products, hardware, software, personnel, and work environment
◦ Service level agreements for call centers and warranty work
◦ Direct labor and overhead
Security requirements in CMMI 10/16
PP - SP 2.3 Plan for Data Management. Typical Work Products
1. Data management plan
2. Master list of managed data
3. Data content and format description
4. Data requirements lists for acquirers and for suppliers
5. Privacy requirements
6. Security requirements
7. Security procedures
8. Mechanism for data retrieval, reproduction, and distribution
9. Schedule for collection of project data
10. Listing of project data to be collected
Security requirements in CMMI 11/16
RD - Introductory Notes
Analyses are used to understand, define, and select the requirements at all levels from competing alternatives. These analyses include the following:
◦ Analysis of needs and requirements for each product lifecycle phase, including needs of relevant stakeholders, the operational environment, and factors that reflect overall customer and end-user expectations and satisfaction, such as safety, security, and affordability
◦ Development of an operational concept
◦ Definition of the required functionality
Security requirements in CMMI 12/16
RSKM - SP 2.1 Identify Risks. Subpractices
Performance maintenance attributes are those characteristics that enable an in-use product or service to provide originally required performance, such as maintaining safety and security performance.
Security requirements in CMMI 13/16
SAM - SP 1.2 Select Suppliers. Subpractices
When COTS products are being evaluated, consider the following:
◦ Cost of the COTS products
◦ Cost and effort to incorporate the COTS products into the project
◦ Security requirements
◦ Benefits and impacts that may result from future product releases
Security requirements in CMMI 14/16
TS - SP 2.2 Establish a Technical Data Package
Because design descriptions can involve a very large amount of data and can be crucial to successful product component development, it is advisable to establish criteria for organizing the data and for selecting the data content. It is particularly useful to use the product architecture as a means of organizing this data and abstracting views that are clear and relevant to an issue or feature of interest. These views include the following:
◦ Customers
◦ Requirements
◦ The environment
◦ Functional
◦ Logical
◦ Security
◦ Data
◦ States/modes
◦ Construction
◦ Management
These views are documented in the technical data package.
Security requirements in CMMI 15/16
TS - SP 2.3 Design Interfaces Using Criteria
Interface designs include the following:
◦ Origination
◦ Destination
◦ Stimulus and data characteristics for software
◦ Electrical, mechanical, and functional characteristics for hardware
◦ Service lines of communication
The criteria for interfaces frequently reflect critical parameters that must be defined, or at least investigated, to ascertain their applicability. These parameters are often peculiar to a given type of product (e.g., software, mechanical, electrical, and service) and are often associated with safety, security, durability, and mission-critical characteristics.
Security requirements in CMMI 16/16
TS - SP 3.2 Develop Product Support Documentation. Subpractices
3. Adhere to the applicable documentation standards.
◦ Examples of documentation standards include the following:
◦ Compatibility with designated word processors
◦ Acceptable fonts
◦ Numbering of pages, sections, and paragraphs
◦ Consistency with a designated style manual
◦ Use of abbreviations
◦ Security classification markings
◦ Internationalization requirements
Conclusion
The information security requirements in CMMI fall under:
Environment management:
OPD – SP 1.6 security management mechanism for the overall environment
CM – SP 2.2 security management mechanism for configuration items
MA – SP 1.3 security management mechanism for data storage
Project management:
PP – SP1.2 & 1.4 & 2.3 security management mechanism for project data
PMC – SP1.2 & 2.1 management mechanism for the project execution process
RSKM – SP 2.1 identification of security risks
SAM – SP1.2 security requirements for suppliers and their products
Technical management:
RD – security needs and requirements
TS – SP 2.2 & 2.3 & 3.2 security-related technical requirements
PI – SP 3.4 security specifications for product delivery
ISO27001:2005 standard and structure
0. Introduction
0.1 General
0.2 Process approach
0.3 Compatibility with other management systems
1. Scope
1.1 General
1.2 Application
2. Normative references
3. Terms and definitions
4. Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5. Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6. Internal ISMS audits
7. Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8. ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annex A (normative) Control objectives and controls
Annex B (informative) OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard
ISO27001:2005 (BS7799-2:2005) controls: Annex A (normative) Control objectives and controls
(Series of slides walking through the Annex A control tables; the table contents were not captured. The CMMI process areas annotated against the controls, slide by slide, were:)
GP2.1
SAM
CM
OT: Security Training
OPD SP1.6
OPD SP1.6
SAM
Developer's perspective: has the delivered code been through a security check?
User's perspective: how do we ensure the application system carries no vulnerability risk?
OPD SP1.6
CM
CM
From the developer's perspective:
TS SP3.2
VER SP1.1
CM SP1.2
CM SG2
CM
VAL
TS SP1.1 / DAR
TS SP1.1 / DAR
CM SG3
RD SP1.1/1.2
CM
SAM/CM
F.3.2 Infrastructure Process
Purpose: The purpose of the Infrastructure process is to maintain a stable and reliable infrastructure that is needed to support the performance of any other process. The infrastructure may include hardware, software, methods, tools, techniques, standards, and facilities for development, operation, or maintenance.
Outcomes: As a result of successful implementation of the Infrastructure process:
1) an infrastructure is established that is consistent with and supportive of the applicable process procedures, standards, tools and techniques;
2) the infrastructure will meet all requirements for functionality, performance, safety, security, availability, space, equipment, cost, time and data integrity.
H.1.4 Technical Requirements
Purpose: The purpose of the Technical Requirements process is to establish the technical requirements of the acquisition. This involves the elicitation of functional and non-functional requirements that consider the deployment lifecycle of the products so as to establish a technical requirement baseline.
Outcomes: As a result of successful implementation of the process:
1) the technical requirements, including environment effect evaluation, safety and security requirements where appropriate, will be defined and developed to match the needs and expectations of the users;
6) the requirements will include compliance with relevant standards, including environment effect evaluation, safety and security standards where appropriate.
ISO12207 vs Security issues
Does the infrastructure meet the information security requirements? CM: permission settings in configuration management
Are user and system requirements complete? Requirements development, requirements management, analysis, design, development, testing
Do they satisfy the objectives and requirements of the information security management system?
Manual review vs. automated tool detection: VER SG2 Conduct Peer Review
Concerns about the stage at which checks are performed; concerns about the scope of checks and the sampling ratio; concerns about the depth of checks
How far can automated tools go? Requirements checking; source code checking
Make good use of tools: 阿瑪科技, Parasoft, Fortify
Industry-specific engineering practice (software engineering as the example)
(Lifecycle diagram; labels recovered from the slide:)
Lifecycles: project lifecycle, product lifecycle, product development lifecycle
Project lifecycle: project definition, project planning, project execution, project closure; maintenance and warranty
Project support activities: quality management, risk management, configuration management, requirements work, verification and validation work, outsourcing management
Product development lifecycle: requirements analysis, system design, software/hardware requirements analysis, preliminary design, detailed design, test plan development, unit test, unit integration, integration test, system integration, system test, software installation, acceptance support
Integration scope
Management objectives integration – OPF, OPD, MA, DAR
Project management integration – PP, PMC, IPM, RSKM
Engineering process integration – RD, TS, PI, REQM
Quality management integration – PPQA, VER, VAL
Personnel management integration – OT
Document control process integration – CM
Knowledge management integration – OPD
Information security integration – OPD SP1.6
Procurement management integration – SAM
Integration of the various tools
Ways for Integration
Where a management process or procedure already exists: compare it with the model/PA definition. Is it enough? Modify the current process/procedure for more effectiveness.
Where no appropriate management procedure exists: build a new one by following the model as defined, but design it to meet your business needs and enterprise standards.
Questions & Workshop - Project management integration – PP
When planning a software system project:
How does your company assign the project manager or project owner?
Does your company have an SOP for discussing how requirements are turned into a project? (refer to the Requirements Development process area, RD)
While discussing a project, does your company cover the following information-security-related issues?
Has outsourced development or procurement been discussed? If yes, security requirements?
Has reuse of modules or programs already in use been discussed? If yes, security checked?
Have information-security-related risks been discussed, or further possible risk mitigation measures?
Questions & Workshop - Engineering process integration – RD
When users raise an application need:
Does your company have an SOP for discussing how operating needs are translated into user operating requirements? (Operating Needs and Operating Requirements)
When eliciting and confirming user requirements, does your company cover information security requirements and specifications?
Does your company use a checklist, record sheet, or any other means to confirm user needs?
Does your company keep meeting minutes of the discussion process?
Has your company discussed outsourced development or procurement?
Process Life-cycle after CMMI implemented
(Process diagram; labels recovered from the slide:)
Develop project plan -> Execute project (per plan) -> Measure & assess processes & products
Customer: Customer Requirements; Customer Feedback; Deliverables (products & services)
OSSP/PAL: Policies; Org. Lead Mgmt Procedures; Project Lead Mgmt Procedures; Training, Forms; Tailor from OSSP/PAL; Improve OSSP/PAL
Security confirmation points: requirements management; configuration management; deployment management; project management; test management; data and records; knowledge management
Thank you