中華民國資訊軟體品質協會 member assembly keynote: Integrates CMMI & ISMS (transcript of a 56-slide deck)

Page 1: 中華民國資訊軟體品質協會 (ROC Information Software Quality Association) member assembly keynote: Integrates CMMI & ISMS. Speaker: Jessie Lee (李哲祥), General Manager, 景華管理顧問公司 (a management consulting company). Jessie.lee@pvbtconsulting.com, leejehsiang@hotmail.com

CMM and CMM Integration and PCMM are Service Marks of Carnegie Mellon University. Capability Maturity Model and Capability Maturity Modeling are registered in the U.S. Patent and Trademark Office. Personal Software Process and Team Software Process are Service Marks of Carnegie Mellon University.

Page 2: Research topic

How, while using CMMI to help an organization design its management processes, to integrate the objectives and requirements of ISMS (information security management) at the same time, so that one set of processes serves both process management and information security management, raises the organization's internal information security requirements, and improves external customers' satisfaction with quality.

Page 3: Topics

◦ Security requirements in CMMI
◦ The parts of ISO 27001 that relate to software engineering
◦ Information security management items and requirements in the ISO 12207 software engineering process
◦ Security verification of source code
◦ Points to note in process planning

Page 4: Topics (agenda, repeated)

◦ Security requirements in CMMI
◦ The parts of ISO 27001 that relate to software engineering
◦ Information security management items and requirements in the ISO 12207 software engineering process
◦ Security verification of source code
◦ Points to note in process planning

Page 5: Security requirements in CMMI (1/16)

CM SP 2.2 Control Configuration Items, subpractices

4. Perform reviews to ensure that changes have not caused unintended effects on the baselines (e.g., ensure that the changes have not compromised the safety and/or security of the system).
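As an added illustration of subpractice 4 (example code written for this page, not from the slides and not from the CMMI model), the check below records a baseline manifest of configuration items (content hash plus permission bits) and compares it with the tree after a change. A difference is acceptable only when an approved change request covers it; independently of approval, any change that touches a security-sensitive item, or that newly grants world-writable, setuid or setgid permission, is routed to security review, because an approved change can still weaken security. The file tree, modes, sensitive-path list and change request inside `run_example()` are constructed for the example, and the names `Item`, `ReviewResult`, `build_manifest` and `review_baseline` are this example's own.

```python
"""Baseline change review for configuration items (added example)."""
from __future__ import annotations

import hashlib
import stat
from dataclasses import dataclass, field

# Constructed policy: permission bits whose appearance on a configuration
# item is a security regression whether or not the change was approved.
RISKY_MODE_BITS = stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID


@dataclass(frozen=True)
class Item:
    content: bytes
    mode: int  # POSIX permission bits, e.g. 0o644


@dataclass
class ReviewResult:
    unapproved: list[str] = field(default_factory=list)  # changed, but no approved CR
    missing: list[str] = field(default_factory=list)     # approved, but nothing changed
    security: list[str] = field(default_factory=list)    # needs security review


def build_manifest(tree: dict[str, Item]) -> dict[str, tuple[str, int]]:
    """Record (sha256, mode) per configuration item; this is the baseline record."""
    return {
        path: (hashlib.sha256(item.content).hexdigest(), item.mode)
        for path, item in tree.items()
    }


def review_baseline(
    before: dict[str, tuple[str, int]],
    after: dict[str, tuple[str, int]],
    approved: set[str],
    sensitive: set[str],
) -> ReviewResult:
    """Compare two manifests and classify every difference between them."""
    result = ReviewResult()
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old == new:
            continue  # unchanged item (same hash and same mode)
        if path not in approved:
            result.unapproved.append(path)
        needs_security_review = path in sensitive
        if new is not None:
            old_mode = old[1] if old is not None else 0
            gained_bits = new[1] & ~old_mode  # bits set now that were not set before
            if gained_bits & RISKY_MODE_BITS:
                needs_security_review = True
        if needs_security_review:
            result.security.append(path)
    # An approved change that never landed is also a baseline inconsistency.
    for path in sorted(approved):
        if before.get(path) == after.get(path):
            result.missing.append(path)
    return result


def run_example() -> ReviewResult:
    """Constructed baseline, constructed post-change tree, constructed CR."""
    baseline = {
        "src/app.py": Item(b"print('v1')\n", 0o644),
        "config/auth.conf": Item(b"require_mfa=true\n", 0o600),
        "bin/deploy.sh": Item(b"#!/bin/sh\necho deploy\n", 0o755),
    }
    current = {
        "src/app.py": Item(b"print('v2')\n", 0o644),                   # approved edit
        "src/helper.py": Item(b"def helper():\n    pass\n", 0o644),     # approved addition
        "config/auth.conf": Item(b"require_mfa=false\n", 0o600),       # unapproved, sensitive
        "bin/deploy.sh": Item(b"#!/bin/sh\necho deploy\n", 0o777),     # unapproved, now world-writable
    }
    approved = {"src/app.py", "src/helper.py", "docs/README.md"}  # README never changed
    sensitive = {"config/auth.conf"}
    return review_baseline(build_manifest(baseline), build_manifest(current), approved, sensitive)


if __name__ == "__main__":
    r = run_example()
    print("changed without approval:", r.unapproved)
    print("needs security review:", r.security)
    print("approved but not found in baseline:", r.missing)
```

Hashing content rather than trusting timestamps or version labels is what makes the review evidence rather than opinion; keeping the security check separate from the approval check is what lets it catch the approved-but-harmful case.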

Page 6: Security requirements in CMMI (2/16)

IPM SP 1.3 Establish the Project's Work Environment, subpractices

1. Plan, design, and install a work environment for the project.
◦ The critical aspects of the project work environment are, like any other product, requirements driven. Work environment functionality and operations are explored with the same rigor as is done for any other product development.
◦ It may be necessary to make tradeoffs among performance, costs, and risks. The following are examples of each:
  ◦ Performance considerations may include timely interoperable communications, safety, security, and maintainability.
  ◦ Costs may include capital outlays, training, support structure, disassembly and disposal of existing environments, and operation and maintenance of the environment.
  ◦ Risks may include workflow and project disruptions.

Page 7: Security requirements in CMMI (3/16)

MA SP 1.3 Specify Data Collection and Storage Procedures, subpractices

3. Specify how to collect and store the data for each required measure.
◦ Explicit specifications are made of how, where, and when the data will be collected. Procedures for collecting valid data are specified. The data are stored in an accessible manner for analysis, and it is determined whether they will be saved for possible reanalysis or documentation purposes.
◦ Questions to be considered typically include the following:
  ◦ Have the frequency of collection and the points in the process where measurements will be made been determined?
  ◦ Has the timeline that is required to move measurement results from the points of collection to repositories, other databases, or end users been established?
  ◦ Who is responsible for obtaining the data?
  ◦ Who is responsible for data storage, retrieval, and security?
  ◦ Have necessary supporting tools been developed or acquired?

Page 8: Security requirements in CMMI (4/16)

OPD SP 1.6 Establish Work Environment Standards

Examples of work environment standards include:
◦ Procedures for operation, safety, and security of the work environment
◦ Standard workstation hardware and software
◦ Standard application software and tailoring guidelines for it
◦ Standard production and calibration equipment
◦ Process for requesting and approving tailoring or waivers

Page 9: Security requirements in CMMI (5/16)

PI SP 3.4 Package and Deliver the Product or Product Component, subpractices

3. Satisfy the applicable requirements and standards for packaging and delivering the product.
◦ Examples of requirements and standards include those for safety, the environment, security, transportability, and disposal.
◦ For Software Engineering: examples of requirements and standards for packaging and delivering software include the following:
  ◦ Type of storage and delivery media
  ◦ Custodians of the master and backup copies
  ◦ Required documentation
  ◦ Copyrights
  ◦ License provisions
  ◦ Security of the software

Page 10: Security requirements in CMMI (6/16)

PMC SP 1.1 Monitor Project Planning Parameters, subpractices

4. Monitor resources provided and used.
◦ Examples of resources include the following:
  ◦ Physical facilities
  ◦ Computers, peripherals, and software used in design, manufacturing, testing, and operation
  ◦ Networks
  ◦ Security environment
  ◦ Project staff
  ◦ Processes

Page 11: Security requirements in CMMI (7/16)

PMC SP 2.1 Analyze Issues, subpractices

1. Gather issues for analysis. Issues are collected from reviews and the execution of other processes.
◦ Examples of issues to be gathered include the following:
  ◦ Issues discovered through performing verification and validation activities
  ◦ Significant deviations in the project planning parameters from the estimates in the project plan
  ◦ Commitments (either internal or external) that have not been satisfied
  ◦ Significant changes in risk status
  ◦ Data access, collection, privacy, or security issues
  ◦ Stakeholder representation or involvement issues

Page 12: Security requirements in CMMI (8/16)

PP SP 1.2 Establish Estimates of Work Product and Task Attributes, subpractices

1. Determine the technical approach for the project.
◦ The technical approach defines a top-level strategy for development of the product. It includes decisions on architectural features, such as distributed or client/server; state-of-the-art or established technologies to be applied, such as robotics, composite materials, or artificial intelligence; and breadth of the functionality expected in the final products, such as safety, security, and ergonomics.

Page 13: Security requirements in CMMI (9/16)

PP SP 1.4 Determine Estimates of Effort and Cost, subpractices

3. Estimate effort and cost using models and/or historical data.
◦ Effort and cost inputs used for estimating typically include the following:
  ◦ Judgmental estimates provided by an expert or group of experts (e.g., Delphi Method)
  ◦ Risks, including the extent to which the effort is unprecedented
  ◦ Critical competencies and roles needed to perform the work
  ◦ Product and product component requirements
  ◦ Technical approach
  ◦ WBS
  ◦ Size estimates of work products and anticipated changes
  ◦ Cost of externally acquired products
  ◦ Selected project lifecycle model and processes
  ◦ Lifecycle cost estimates
  ◦ Capability of tools provided in engineering environment
  ◦ Skill levels of managers and staff needed to perform the work
  ◦ Knowledge, skill, and training needs
  ◦ Facilities needed (e.g., office and meeting space and workstations)
  ◦ Engineering facilities needed
  ◦ Capability of manufacturing process(es)
  ◦ Travel
  ◦ Level of security required for tasks, work products, hardware, software, personnel, and work environment
  ◦ Service level agreements for call centers and warranty work
  ◦ Direct labor and overhead

Page 14: Security requirements in CMMI (10/16)

PP SP 2.3 Plan for Data Management, typical work products

1. Data management plan
2. Master list of managed data
3. Data content and format description
4. Data requirements lists for acquirers and for suppliers
5. Privacy requirements
6. Security requirements
7. Security procedures
8. Mechanism for data retrieval, reproduction, and distribution
9. Schedule for collection of project data
10. Listing of project data to be collected

Page 15: Security requirements in CMMI (11/16)

RD, Introductory Notes

Analyses are used to understand, define, and select the requirements at all levels from competing alternatives. These analyses include the following:
◦ Analysis of needs and requirements for each product lifecycle phase, including needs of relevant stakeholders, the operational environment, and factors that reflect overall customer and end-user expectations and satisfaction, such as safety, security, and affordability
◦ Development of an operational concept
◦ Definition of the required functionality

Page 16: Security requirements in CMMI (12/16)

RSKM SP 2.1 Identify Risks, subpractices

Performance maintenance attributes are those characteristics that enable an in-use product or service to provide originally required performance, such as maintaining safety and security performance.

Page 17: Security requirements in CMMI (13/16)

SAM SP 1.2 Select Suppliers, subpractices

When COTS products are being evaluated, consider the following:
◦ Cost of the COTS products
◦ Cost and effort to incorporate the COTS products into the project
◦ Security requirements
◦ Benefits and impacts that may result from future product releases

Page 18: Security requirements in CMMI (14/16)

TS SP 2.2 Establish a Technical Data Package

Because design descriptions can involve a very large amount of data and can be crucial to successful product component development, it is advisable to establish criteria for organizing the data and for selecting the data content. It is particularly useful to use the product architecture as a means of organizing this data and abstracting views that are clear and relevant to an issue or feature of interest. These views include the following:
◦ Customers
◦ Requirements
◦ The environment
◦ Functional
◦ Logical
◦ Security
◦ Data
◦ States/modes
◦ Construction
◦ Management

These views are documented in the technical data package.

Page 19: Security requirements in CMMI (15/16)

TS SP 2.3 Design Interfaces Using Criteria

Interface designs include the following:
◦ Origination
◦ Destination
◦ Stimulus and data characteristics for software
◦ Electrical, mechanical, and functional characteristics for hardware
◦ Service lines of communication

The criteria for interfaces frequently reflect critical parameters that must be defined, or at least investigated, to ascertain their applicability. These parameters are often peculiar to a given type of product (e.g., software, mechanical, electrical, and service) and are often associated with safety, security, durability, and mission-critical characteristics.

Page 20: Security requirements in CMMI (16/16)

TS SP 3.2 Develop Product Support Documentation, subpractices

3. Adhere to the applicable documentation standards.
◦ Examples of documentation standards include the following:
  ◦ Compatibility with designated word processors
  ◦ Acceptable fonts
  ◦ Numbering of pages, sections, and paragraphs
  ◦ Consistency with a designated style manual
  ◦ Use of abbreviations
  ◦ Security classification markings
  ◦ Internationalization requirements

Page 21: Conclusion

The security requirements in CMMI fall into three groups:

Environment management:
◦ OPD SP 1.6: security management mechanism for the overall work environment
◦ CM SP 2.2: security management mechanism for configuration items
◦ MA SP 1.3: security management mechanism for data storage

Project management:
◦ PP SP 1.2, 1.4 and 2.3: security management mechanism for project data
◦ PMC SP 1.1 and 2.1: management mechanism for project execution (SP 1.1 is the practice quoted on page 10)
◦ RSKM SP 2.1: identification of security risks
◦ SAM SP 1.2: security requirements on suppliers and their products

Technical management:
◦ RD: security needs and requirements
◦ TS SP 2.2, 2.3 and 3.2: security-related technical requirements
◦ PI SP 3.4: security provisions for product delivery

Page 22: Topics (agenda, repeated)

◦ Security requirements in CMMI
◦ The parts of ISO 27001 that relate to software engineering
◦ Information security management items and requirements in the ISO 12207 software engineering process
◦ Security verification of source code
◦ Points to note in process planning

Page 23: ISO 27001:2005, standard and structure

0. Introduction
   0.1 General
   0.2 Process approach
   0.3 Compatibility with other management systems
1. Scope
   1.1 General
   1.2 Application
2. Normative references
3. Terms and definitions
4. Information security management system
   4.1 General requirements
   4.2 Establishing and managing the ISMS
       4.2.1 Establish the ISMS
       4.2.2 Implement and operate the ISMS
       4.2.3 Monitor and review the ISMS
       4.2.4 Maintain and improve the ISMS
   4.3 Documentation requirements
       4.3.1 General
       4.3.2 Control of documents
       4.3.3 Control of records
5. Management responsibility
   5.1 Management commitment
   5.2 Resource management
       5.2.1 Provision of resources
       5.2.2 Training, awareness and competence
6. Internal ISMS audits
7. Management review of the ISMS
   7.1 General
   7.2 Review input
   7.3 Review output
8. ISMS improvement
   8.1 Continual improvement
   8.2 Corrective action
   8.3 Preventive action
Annex A (normative) Control objectives and controls
Annex B (informative) OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard

Page 24: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: GP 2.1]

Page 25: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: SAM]

Page 26: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: CM]

Page 27: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: OT (security training)]

Page 28: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: OPD SP 1.6]

Page 29: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: OPD SP 1.6]

Page 30: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: SAM]

Page 31: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

◦ The developer's perspective: has the delivered code been through a security check?
◦ The user's perspective: how do we make sure the application system carries no vulnerability risk?

Page 32: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: OPD SP 1.6]

Page 33: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: CM]

Page 34: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table]

Page 35: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table; mapped CMMI element: CM]

Page 36: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

From the developer's perspective, the CMMI elements mapped against the Annex A controls on this slide (one entry per control row, in slide order):
◦ TS SP 3.2
◦ VER SP 1.1
◦ CM SP 1.2
◦ CM SG 2
◦ CM
◦ VAL
◦ TS SP 1.1 / DAR
◦ TS SP 1.1 / DAR
◦ CM SG 3
◦ RD SP 1.1 / 1.2
◦ CM
◦ SAM / CM

Page 37: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table]

Page 38: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table]

Page 39: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

[Annex A control table]

Page 40: Topics (agenda, repeated)

◦ Security requirements in CMMI
◦ The parts of ISO 27001 that relate to software engineering
◦ Information security management items and requirements in the ISO 12207 software engineering process
◦ Security verification of source code
◦ Points to note in process planning

Page 41: ISO 12207, F.3.2 Infrastructure Process

Purpose: The purpose of the Infrastructure process is to maintain a stable and reliable infrastructure that is needed to support the performance of any other process. The infrastructure may include hardware, software, methods, tools, techniques, standards, and facilities for development, operation, or maintenance.

Outcomes: As a result of successful implementation of the Infrastructure process:
1) an infrastructure is established that is consistent with and supportive of the applicable process procedures, standards, tools and techniques;
2) the infrastructure will meet all requirements for functionality, performance, safety, security, availability, space, equipment, cost, time and data integrity.

Page 42: ISO 12207, H.1.4 Technical Requirements

Purpose: The purpose of the Technical Requirements process is to establish the technical requirements of the acquisition. This involves the elicitation of functional and non-functional requirements that consider the deployment lifecycle of the products so as to establish a technical requirement baseline.

Outcomes: As a result of successful implementation of the process (outcomes 2 to 5 are not shown on the slide):
1) the technical requirements, including environment effect evaluation, safety and security requirements where appropriate, will be defined and developed to match the needs and expectations of the users;
6) the requirements will include compliance with relevant standards, including environment effect evaluation, safety and security standards where appropriate.

Page 43: ISO 12207 vs. security issues

◦ Does the infrastructure meet the information security requirements? CM: access permission settings in configuration management.
◦ Are the user and system requirements complete? Requirements development, requirements management, analysis, design, development, testing.
◦ Are the objectives and requirements of the information security management system satisfied?

Page 44: Topics (agenda, repeated)

◦ Security requirements in CMMI
◦ The parts of ISO 27001 that relate to software engineering
◦ Information security management items and requirements in the ISO 12207 software engineering process
◦ Security verification of source code
◦ Points to note in process planning

Page 45: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

◦ The developer's perspective: has the delivered code been through a security check?
◦ The user's perspective: how do we make sure the application system carries no vulnerability risk?

Page 46: ISO 27001:2005 (BS 7799-2:2005) controls: Annex A (normative) Control objectives and controls

From the developer's perspective, the CMMI elements mapped against the Annex A controls on this slide (one entry per control row, in slide order):
◦ TS SP 3.2
◦ VER SP 1.1
◦ CM SP 1.2
◦ CM SG 2
◦ CM
◦ VAL
◦ TS SP 1.1 / DAR
◦ TS SP 1.1 / DAR
◦ CM SG 3
◦ RD SP 1.1 / 1.2
◦ CM
◦ SAM / CM

Page 47: Manual review vs. automated tool detection (VER SG 2 Conduct Peer Reviews)

Concerns about checking:
◦ the stage of the lifecycle at which checks are done
◦ the scope of the checks and the sampling ratio
◦ the depth of the checks

How far can automated tools go?
◦ requirements checking
◦ code checking
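The scope, sampling and depth concerns on this slide come down to one fact: an automated scanner checks every line, but only for patterns it knows, while a peer review can find design flaws but only in the code it actually reads. As an added worked example written for this page (it is not from the slides and not the code of 阿瑪科技, Parasoft, Fortify or any other tool), the block below runs a small pattern scanner over constructed source files and then builds a VER SG 2 peer-review worklist: files with findings get a targeted review of the flagged lines, and a deterministic sample of the files with no findings still gets a full manual read, which is the only way the fail-open access check in `access.py` would be caught. `RULES`, `SAMPLE_FILES`, `scan`, `review_worklist` and `coverage` are this example's own names; the rules are illustrative, not any product's rule set.

```python
"""Automated pattern scan vs. peer-review sampling (added example)."""
from __future__ import annotations

import hashlib
import math
import re
from dataclasses import dataclass

# Constructed rules: fixed, syntactic checks of the kind an automated scanner
# applies to every line. Rule names are illustrative, not a real tool's IDs.
RULES = {
    "os.system": re.compile(r"\bos\.system\s*\("),
    "shell=True": re.compile(r"\bshell\s*=\s*True\b"),
    "eval": re.compile(r"(?<![\w.])eval\s*\("),
    "sql-fstring": re.compile(r"\.execute\s*\(\s*f['\"]"),
    "hardcoded-secret": re.compile(
        r"(?i)\b(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]"
    ),
}

# Constructed sample sources; nothing here comes from a real code base.
SAMPLE_FILES = {
    # true positive: caller-controlled path concatenated into a shell command
    "upload.py": "import os\n\ndef compress(path):\n    os.system('gzip ' + path)\n",
    # line 5 is safe (argv list, no shell); line 8 builds SQL with an f-string
    "report.py": (
        "import subprocess\n"
        "\n"
        "def run(user):\n"
        "    argv = ['report', '--user', user]\n"
        "    subprocess.run(argv, check=True)\n"
        "\n"
        "def lookup(db, name):\n"
        "    db.execute(f\"SELECT * FROM t WHERE name = '{name}'\")\n"
    ),
    # hard-coded credential (constructed value)
    "settings.py": "API_KEY = 'constructed-example-key'\nDEBUG = False\n",
    # design flaw no pattern rule sees: documents default to public when the
    # flag is absent, so the access check fails open
    "access.py": (
        "def can_read(user_id, doc):\n"
        "    if doc['owner'] == user_id:\n"
        "        return True\n"
        "    return doc.get('public', True)\n"
    ),
    "util.py": "def clamp(x, lo, hi):\n    return max(lo, min(x, hi))\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


def scan(files: dict[str, str]) -> list[Finding]:
    """Line-by-line pattern scan: cheap, full coverage, syntax only."""
    findings: list[Finding] = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def review_worklist(files: dict[str, str], findings: list[Finding],
                    sample_ratio: float = 0.5) -> dict[str, list[str]]:
    """Peer-review worklist: flagged files get a targeted review of the flagged
    lines; a reproducible sample of the clean files gets a full manual review,
    because a scan with no findings only proves the absence of its own patterns."""
    worklist: dict[str, list[str]] = {}
    for f in findings:
        worklist.setdefault(f.path, []).append(f"{f.rule} at line {f.line}: {f.text}")
    clean = [p for p in files if p not in worklist]
    # Order by a hash of the path: reproducible, but not biased toward
    # whichever files happen to sort first alphabetically.
    clean.sort(key=lambda p: hashlib.sha256(p.encode()).hexdigest())
    for p in clean[: math.ceil(len(clean) * sample_ratio)]:
        worklist[p] = ["sampled: no automated findings, full manual review"]
    return worklist


def coverage(worklist: dict[str, list[str]], files: dict[str, str]) -> float:
    """Share of files that receive some human review."""
    return len(worklist) / len(files) if files else 0.0


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
    work = review_worklist(SAMPLE_FILES, found, sample_ratio=0.5)
    for path, reasons in work.items():
        print(path, "->", reasons)
    print("review coverage:", coverage(work, SAMPLE_FILES))
```

Raising `sample_ratio` is the sampling-ratio decision on the slide: at 1.0 every file is read and `access.py` is always caught, at 0.5 half the clean files are read and whether it is caught depends on the draw. Whatever the ratio, the scanner output should be treated as the minimum review list, not the whole of it.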

Page 48: Make good use of tools

◦ 阿瑪科技
◦ Parasoft
◦ Fortify

Page 49: Topics (agenda, repeated)

◦ Security requirements in CMMI
◦ The parts of ISO 27001 that relate to software engineering
◦ Information security management items and requirements in the ISO 12207 software engineering process
◦ Security verification of source code
◦ Points to note in process planning

Page 50: Industry-specific technical work (software engineering as the example)

[Diagram: lifecycles. Labels recoverable from the slide:
◦ Project lifecycle: project definition, project planning, project execution, project closure
◦ Product lifecycle and product development lifecycle: requirements analysis, system design, hardware/software requirements analysis, preliminary design, detailed design, test plan development, unit test, unit integration, integration test, system integration, system test, software installation, acceptance support, maintenance and warranty
◦ Project support activities: quality management, risk management, configuration management, requirements work, verification and validation, acquisition management]

Page 51: Integration scope

◦ Management objectives integration: OPF, OPD, MA, DAR
◦ Project management integration: PP, PMC, IPM, RSKM
◦ Engineering process integration: RD, TS, PI, REQM
◦ Quality management integration: PPQA, VER, VAL
◦ Personnel management integration: OT
◦ Document control process integration: CM
◦ Knowledge management integration: OPD
◦ Information security integration: OPD SP 1.6
◦ Acquisition management integration: SAM
◦ Integration of the various tools

Page 52: Ways for Integration

◦ A management process or procedure already exists: compare it with the model / process area definition. Is it enough? Modify the current process or procedure for more effectiveness.
◦ No suitable management procedure exists: build a new one by following the model definition, but design it to meet your business needs and enterprise standards.

Page 53: Questions & Workshop: project management integration (PP)

When planning a software system project:
◦ How does your company assign the project manager or project owner?
◦ Does your company have an SOP for the discussion that turns requirements into a project? (Refer to the Requirements Development process area, RD.)
◦ During the project discussions, does your company cover the following information-security-related topics?
  ◦ Has outsourced development or purchasing been discussed? If yes, were security requirements set?
  ◦ Has reuse of modules or programs already in use been discussed? If yes, were they security checked?
  ◦ Have information-security-related risks been discussed, and, further, possible risk mitigation measures?

Page 54: Questions & Workshop: engineering process integration (RD)

When users raise application needs:
◦ Does your company have an SOP for the discussion that converts operating needs into user operating requirements? (Operating Needs and Operating Requirements)
◦ While eliciting and confirming user requirements, does your company cover information security requirements and rules?
◦ Does your company use checklists, record forms, or any other means to confirm the users' needs?
◦ Does your company keep meeting minutes of these discussions?
◦ Has your company discussed outsourced development or purchasing?

Page 55: Process life-cycle after CMMI is implemented

[Diagram. Labels recoverable from the slide:
◦ Main loop: Develop project plan; Execute project (per plan); Measure & assess processes & products
◦ Customer side: Customer; Customer requirements; Customer feedback; Deliverables (products & services)
◦ Organizational assets: OSSP/PAL; Policies; Org. lead management procedures; Project lead management procedures; Training, forms
◦ Arrows: Tailor from OSSP/PAL; Improve OSSP/PAL
◦ Security confirmation points overlaid on the loop: requirements management, configuration management, build/deployment management, project management, test management, data, knowledge management]

Page 56: Thank you

Q & A