ISACA Webinar, 2022-06-16: CMMI for Security


PLATFORM INFORMATION & QUICK TIPS

• Download the presentation deck from the MATERIALS window.

• Platform Windows can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Use the HELP icon at the bottom for FAQs and system requirements.

• Experiencing technical difficulties? Try REFRESHING your browser!

CPE CREDIT PROCESS
LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time
(50-minutes). Check the CPE Credit window to view the timer.

• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS
tab on the MyISACA page after completing the required viewing time.

• Please be patient. This process could take up to 48 hours for your CPE Certificate
and the CPE credit to be applied to your account.

• As a reminder, ALL ISACA webinars, the CPE credits and CPE certificates expire
365 DAYS POST LIVE EVENT. Please make sure you save the appropriate
documents to your personal records.

CMMI FOR SECURITY: BEST
PRACTICES FOR PROTECTING
YOUR ECOSYSTEM

Ron Lear, Vice President, Frameworks and Models


Kileen Harrison, Senior Manager, CMMI Professional Practice

AGENDA

WHAT IS CMMI?
CMMI FOR SECURITY

WHAT IS CMMI?

WHY USE THE CMMI?
• The Capability Maturity Model Integration (CMMI)® is a
proven set of global best practices that drives
business performance through building and
benchmarking key capabilities.
• CMMI best practices focus on what needs to be done
to improve performance and align operations to business
goals.
• Provides standardized performance benchmarking and
measurement to compare capabilities across
organizations.

THE CMMI HAS EVOLVED OVER TIME

THE GLOBAL IMPACT OF CMMI

• 10K+ organizations
• 12 national governments
• 106 countries
• 10 languages
• 424 partners
• 4,075 appraisals in 2021

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
WHO USES CMMI?
Many of the World’s Most Respected Organizations Use CMMI

CMMI V2.0 ADDRESSES KEY BUSINESS DRIVERS
Examples of how CMMI has been made easier to use:
✓ Focused on use of plain language to
make adoption easier
✓ Improved Flesch-Kincaid Reading Ease
from 18.7 in V1.3 to 22.9 in V2.0
✓ Reduced Flesch-Kincaid Grade Level
from 14.9 in V1.3 to 13.2 in V2.0
✓ Decreased use of passive voice from
32.3% in V1.3 to 18% in V2.0
✓ V1.3 had 500 Specific Practices in total; V2.0
reduces the number of practices by 39.2%
(64.5% including Generic Practices)
✓ Enables quicker translations
✓ Aligns the CMMI content with simpler
architectural elements to make it easier
to understand, integrate with other
adopted methodologies like ISO,
CMMC, COBIT, DTEF, ITIL, NIST
This new version of CMMI is “not your father’s CMMI”!

CMMI PRODUCT SUITE OVERVIEW

CMMI ARCHITECTURE ENABLES SYSTEMATIC IMPROVEMENT
Organizations can select and focus on
their unique business challenges

Categories are logical groups or views of related Capability Areas that address common problems
encountered by businesses when producing or delivering solutions.

Practice Group Levels provide a clear capability path to performance outcomes.

CMMI CAPABILITY AREAS
CMMI is a broad, but integrated framework,
covering many key capabilities across multiple
industries and domains.
• The CMMI Model covers 11 major Capability
Areas with 29 Practice Areas and enables
integration with other standards and frameworks,
such as ISO, COBIT, ITIL, NIST, etc.

• CMMI-Development is by far the most widely
adopted domain, followed by CMMI-Services

• CMMI-Security/Safety is the latest in new
domain/capability areas

• Releasing in 2022: CMMI-Data Management
and DevSecOps, CMMI-People and
Organizational Behavior

CMMI SHIFT TO CONTINUAL QUALITY AND
PERFORMANCE IMPROVEMENT VS. COMPLIANCE
A compliance-only focus typically assumes that quality and performance is a guaranteed
outcome – this is typically NOT true. Compliance must always be coupled with performance.

Innovation, Quality, and Performance Improvement Requires Discipline. Each aspect must be
counterbalanced by tougher behavior that’s less fun…rigorous discipline, a high level of
individual accountability, and strong leadership.
From: The Hard Truth About Innovative Cultures, Pisano, Gary, Harvard Business Review,
Issue 97, Jan/Feb, 2019

Focus of Approach – Compliance:
• Tendency to inflexibility puts long-term change, innovation and improvement at risk
• Tendency to become additional level of administrative overhead without clear value to
performance or bottom line

Focus of Approach – Performance:
• Fosters lasting organizational innovation, agility, and performance improvement
• Objective data related to business performance improvement
• Qualitative as well as quantitative indicators

CMMI INDUSTRIES

Top 4 industries:
1. Information Technology
2. Professional Scientific and Technical Activities
3. Manufacturing
4. Financial Services

Based on appraisal data from January 2019 through December 2021


CMMI PERFORMANCE OBJECTIVES
Measurement and Performance Objective or QPPO Achieved
Based on appraisal data from January 2019 through December 2021

Results:
• Yes: 81.22%
• Largely Met: 0.62%
• Partially Met: 1.13%
• No: 14.43%
• Not Yet: 1.73%
• Not Applicable: 0.86%
• Uncertain: 0.02%

Definitions:
• Yes: Objective fully met
• Largely Met: More than half of the criteria was met
• Partially Met: Less than half of the criteria was met
• No: Objective was not met
• Not Yet: At the time of the appraisal, the objective had not been met, but was on
target to be met
• Not Applicable: Objective was not applicable for the appraisal
• Uncertain: Ability to meet the objective was unable to be determined

CMMI PERFORMANCE SUMMARY REPORT IS AVAILABLE
This report shares results based on an analysis of the performance improvement results from 95 organizations, targeting a
total of 735 performance objectives, that conducted the first-ever registered CMMI V2.0 appraisals conducted in 2019. There are
two formats available: PowerPoint and PDF. 2020-21 performance reporting is coming soon.

Key Takeaways
✓ The data is very clear–adopting CMMI V2.0 yields
tangible and consistent performance results
across multiple types of industries, organizations
and geographies.

✓ CMMI V2.0 enables a proven and effective approach
for performance-based improvement and enables
innovation, digital transformation and other
complementary methods such as agile and DevOps.

✓ CMMI V2.0’s focus on persistent and habitual
performance improvement sets it apart from any
other standard or model; this helps to ensure that the
performance improvement is lasting.

Report: https://cmmiinstitute.com/resource-files/public/cmmi-v2-0-performance-report-summary-2019
https://cmmiinstitute.com/resource-files/partner/general/cmmi-v2-0-performance-report-summary-how-organizat
Case Studies: https://cmmiinstitute.com/resources?searchtext=ResourceType:%22case%20study%22

CMMI FOR SECURITY

CORE VS. DOMAIN SPECIFIC PRACTICE AREAS

CMMI FOR DEVELOPMENT EXAMPLE VIEW: MATURITY LEVEL 3

CAPABILITY AREA: MANAGING SECURITY AND SAFETY
Capabilities: What an organization needs to execute its business model or fulfill its
mission
Capability Area (CA): A group of related Practice Areas that can provide improved
performance in the skills and activities of an organization or work effort
MANAGING SECURITY AND SAFETY: This CA describes best practices for holistically defining
security and safety strategies, approaches, activities, and functions necessary to protect the
organization’s entire ecosystem, including personnel, resources, and information.

Practice Areas in this Capability Area:
• MANAGING SECURITY THREATS AND VULNERABILITIES
• ENABLING SECURITY
• ENABLING SAFETY

CAPABILITY AREA: MANAGING SECURITY AND SAFETY - 2

ENABLING SECURITY includes performing security activities that produce secure solutions.
Identifying security needs and constraints is an ongoing, 24/7, 365 days a year activity.

MANAGING SECURITY THREATS AND VULNERABILITIES includes a holistic and systematic approach for
addressing security threats and vulnerabilities for an organization, project, or work effort to
select which threats and vulnerabilities are the most critical to address, given the potential
risk and impact to the business, mission, or solution.

ENABLING SAFETY identifies and addresses safety in all aspects of the organization environment and
solution, including products, processes, services, or environments. This encompasses both
facilitating and managing safety activities.

SECURITY TERMINOLOGY AND CONCEPTS
• Information security refers to the processes and
methodologies which are designed and
implemented to protect print, electronic, or any
other form of confidential, private, and sensitive
information or data from unauthorized access,
use, misuse, disclosure, destruction,
modification, or disruption.
• Cybersecurity and information security are parts
of an overall security approach.
• Cybersecurity incorporates aspects of network,
internet, and application security in an integrated
fashion.
• Defense in Depth - A systematic means of
layering defenses to provide resiliency against
exploited security vulnerabilities that can cover
aspects of physical, personnel, process,
mission, and cybersecurity needs.
• CIA Triad: Confidentiality, Integrity, Availability

ENABLING SECURITY – ADDITIONAL REQ’D PA INFORMATION

ENABLING SECURITY – PRACTICE SUMMARY

ENABLING SAFETY – ADDITIONAL REQ’D PA INFORMATION,
PRACTICE SUMMARY

MANAGING SECURITY THREATS AND VULNERABILITIES – ADD’L REQ’D PA INFORMATION

MANAGING SECURITY THREATS AND VULNERABILITIES–
PRACTICE SUMMARY

ADDITION OF NEW GLOSSARY TERMS

EXAMPLE UPDATES TO CMMI PRACTICE AREAS
Additional Required Information incorporated within Practice Areas where appropriate.
Example: Configuration Management

CM 2.1: Identify items to be placed under configuration management.

Additional Required Information

If Safety is included in the selected view: Identify hazard and safety-related work products to be
placed under configuration management such as hazard analysis, safety improvement plans, safety
training materials, and safety related software and hardware.

If Security is included in the selected view: Identify security-related work products to be placed under
configuration management such as configurations of network devices, systems, applications, and
documentation.

Additionally, External Reference Tables were incorporated to identify related industry
standards.

EXAMPLE UPDATES TO CMMI PRACTICE AREAS - 2
Context Specific Information incorporated within Practice Areas where appropriate.
The “Context Specific” section contains information that is relevant to a context and establishes common ground
for a specific industry, methodology, or discipline.

Example: Planning
Context Tag: CMMI-SEC

Context: Use processes to incorporate security considerations as an integral part of the
solution, work, project, and organization.

Determine the necessary security controls, based on the organization’s security criteria. Identify and plan
the security activities, resources, and process assets (e.g., guidelines, templates, and tools) required to meet the
necessary security level. This includes:
• Identify the necessary security posture
• Tailor the security activities and process assets for the work according to the security level
• Identify needed security resources and training to perform the work
Integrate the security activities and process assets within the overall work plan, including consideration of
security resources and knowledge needed to perform the security activities.

RECAP: THE VALUE OF CMMI

Improve Quality, Performance and Business Outcomes
Business goals are tied directly to operations in order to drive measurable improved performance
against time, quality, budget, customer satisfaction and other key drivers throughout the supply chain.

Agile Resiliency and Scalability for Any Industry
Direct guidance on how to build and improve other critical capabilities to enable innovation and
scalability for supply chain management, product development, service operations, data
management and more.

Increase Value of Benchmarking and Performance
The performance-oriented appraisal method improves the reliability and consistency of benchmarks
and performance results while reducing preparation time and lifecycle costs.

Accelerate Supply Chain Management Capability
Online access and adoption guidance makes straightforward best practices easily accessible to
systematically build critical capabilities, improve their performance and achieve benefits for the
entire supply chain.

THANK YOU FOR ATTENDING
This training content (“content”) is provided to you without warranty, “as is” and “with
all faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA
has designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls
that are not included may not be appropriate; ISACA does not claim that use of the
content will assure a successful outcome and you are responsible for applying
professional judgement to the specific circumstances presented to determine the
appropriate procedures, tests, or controls.
Copyright © 2022 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
