Isacawebinar 20220616 Cmmiforsecurityrepaired 1655305203192
• Use the HELP icon at the bottom for FAQs and system requirements.
CPE CREDIT PROCESS
LIVE EVENT & ON DEMAND RECORDING
• You must view the live or recorded webinar for the required amount of time
(50-minutes). Check the CPE Credit window to view the timer.
• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS
tab on the MyISACA page after completing the required viewing time.
• Please be patient. This process could take up to 48 hours for your CPE Certificate
and the CPE credit to be applied to your account.
• As a reminder, ALL ISACA webinars, the CPE credits and CPE certificates expire
365 DAYS POST LIVE EVENT. Please make sure you save the appropriate
documents to your personal records.
CMMI FOR SECURITY: BEST
PRACTICES FOR PROTECTING
YOUR ECOSYSTEM
AGENDA
WHAT IS CMMI?
CMMI FOR SECURITY
WHAT IS CMMI?
WHY USE THE CMMI?
• The Capability Maturity Model Integration (CMMI)® is a
proven set of global best practices that drives
business performance through building and
benchmarking key capabilities.
• CMMI best practices focus on what needs to be done
to improve performance and align operations to business
goals.
• Standardized performance benchmarking and
measurement to compare capabilities across
organizations
THE CMMI HAS EVOLVED OVER TIME
THE GLOBAL IMPACT OF CMMI
• 10K+ organizations
• 12 national governments
• 106 countries
• 10 languages
• 424 partners
• 4,075 appraisals in 2021
Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
WHO USES CMMI?
Many of the World’s Most Respected Organizations Use CMMI
CMMI V2.0 ADDRESSES KEY BUSINESS DRIVERS
Examples, making CMMI easier to use:
✓ Focused on use of plain language to make adoption easier
✓ Improved Flesch-Kincaid Reading Ease from 18.7 in V1.3 to 22.9 in V2.0
✓ Reduced Flesch-Kincaid Grade Level from 14.9 in V1.3 to 13.2 in V2.0
✓ Decreased use of passive voice from 32.3% in V1.3 to 18% in V2.0
✓ V1.3 Total Number of Specific Practices – 500; V2.0 delivers a 39.2% practice reduction (64.5% including Generic Practices)
✓ Enables quicker translations
✓ Aligns the CMMI content with simpler architectural elements to make it easier to understand and to integrate with other adopted methodologies like ISO, CMMC, COBIT, DTEF, ITIL, NIST
This new version of CMMI is “not your father’s CMMI”!
CMMI PRODUCT SUITE OVERVIEW
CMMI ARCHITECTURE ENABLES SYSTEMATIC IMPROVEMENT
Organizations can select and focus on
their unique business challenges
CMMI SHIFT TO CONTINUAL QUALITY AND PERFORMANCE IMPROVEMENT VS. COMPLIANCE
A compliance-only focus typically assumes that quality and performance is a guaranteed outcome – this is typically NOT true. Compliance must always be coupled with performance.
Innovation, Quality, and Performance Improvement Requires Discipline. Each aspect must be counterbalanced by tougher behavior that’s less fun…rigorous discipline, a high level of individual accountability, and strong leadership.
From: The Hard Truth About Innovative Cultures, Pisano, Gary, Harvard Business Review, Issue 97, Jan/Feb, 2019
Focus of Approach: Compliance
• Tendency to inflexibility puts long-term change, innovation and improvement at risk
• Tendency to become additional level of administrative overhead without clear value to performance or bottom line
Focus of Approach: Performance
• Fosters lasting organizational innovation, agility, and performance improvement
• Objective data related to business performance improvement
• Qualitative as well as quantitative indicators
CMMI INDUSTRIES
Top 4 industries:
1. Information Technology
2. Professional Scientific and Technical Activities
3. Manufacturing
4. Financial Services
Objective status (chart percentages)
• Yes: 81.22%
• Largely Met: 0.62%
• Partially Met: 1.13%
• No: 14.43%
• Not Yet: 1.73%
• Not Applicable: 0.86%
• Uncertain: 0.02%
Definitions
• Yes: Objective fully met
• Largely Met: More than half of the criteria was met
• Partially Met: Less than half of the criteria was met
• No: Objective was not met
• Not Yet: At the time of the appraisal, the objective had not been met, but was on target to be met
• Not Applicable: Objective was not applicable for the appraisal
• Uncertain: Ability to meet the objective was unable to be determined
CMMI PERFORMANCE SUMMARY REPORT IS AVAILABLE
This report shares results based on an analysis of the performance improvement results from 95 organizations, targeting a total of 735 performance objectives, that conducted the first-ever registered CMMI V2.0 appraisals in 2019. There are two formats available: PowerPoint and PDF. 2020-21 performance reporting is coming soon.
Key Takeaways
✓ The data is very clear–adopting CMMI V2.0 yields
tangible and consistent performance results
across multiple types of industries, organizations
and geographies.
CMMI FOR SECURITY
CORE VS. DOMAIN SPECIFIC PRACTICE AREAS
CMMI FOR DEVELOPMENT EXAMPLE VIEW – MATURITY LEVEL 3
CAPABILITY AREA: MANAGING SECURITY AND SAFETY
Capabilities: What an organization needs to execute its business model or fulfill its mission
Capability Area (CA): A group of related Practice Areas that can provide improved performance in the skills and activities of an organization or work effort
MANAGING SECURITY AND SAFETY: This CA describes best practices for holistically defining security and safety strategies, approaches, activities, and functions necessary to protect the organization’s entire ecosystem, including personnel, resources, and information.
Practice Areas in this CA:
• MANAGING SECURITY THREATS AND VULNERABILITIES
• ENABLING SECURITY
• ENABLING SAFETY
CAPABILITY AREA: MANAGING SECURITY AND SAFETY - 2
SECURITY TERMINOLOGY AND CONCEPTS
• Information security refers to the processes and
methodologies which are designed and
implemented to protect print, electronic, or any
other form of confidential, private, and sensitive
information or data from unauthorized access,
use, misuse, disclosure, destruction,
modification, or disruption.
• Cybersecurity and information security are parts
of an overall security approach.
• Cybersecurity incorporates aspects of network,
internet, and application security in an integrated
fashion.
• Defense in Depth - A systematic means of
layering defenses to provide resiliency against
exploited security vulnerabilities that can cover
aspects of physical, personnel, process,
mission, and cybersecurity needs.
• CIA Triad: Confidentiality, Integrity, Availability
ENABLING SECURITY – ADDITIONAL REQ’D PA INFORMATION
ENABLING SECURITY – PRACTICE SUMMARY
ENABLING SAFETY – ADDITIONAL REQ’D PA INFORMATION, PRACTICE SUMMARY
MANAGING SECURITY THREATS AND VULNERABILITIES – ADD’L REQ’D PA INFORMATION
MANAGING SECURITY THREATS AND VULNERABILITIES – PRACTICE SUMMARY
ADDITION OF NEW GLOSSARY TERMS
EXAMPLE UPDATES TO CMMI PRACTICE AREAS
Additional Required Information incorporated within Practice Areas where appropriate.
Example: Configuration Management
If Security is included in the selected view: Identify security-related work products to be placed under
configuration management such as configurations of network devices, systems, applications, and
documentation.
EXAMPLE UPDATES TO CMMI PRACTICE AREAS - 2
Context Specific Information incorporated within Practice Areas where appropriate.
The “Context Specific” section contains information that is relevant to a context and establishes common ground
for a specific industry, methodology, or discipline.
Example: Planning
Context Tag: CMMI-SEC
Determine the necessary security controls, based on the organization’s security criteria. Identify and plan security activities, resources, and process assets (e.g., guidelines, templates, and tools) required to meet the necessary security level. This includes:
• Identify the necessary security posture
• Tailor the security activities and process assets for the work according to the security level
• Identify needed security resources and training to perform the work
Integrate the security activities and process assets within the overall work plan, including consideration of
security resources and knowledge needed to perform the security activities.
RECAP: THE VALUE OF CMMI
Improve Quality, Performance and Business Outcomes: Business goals are tied directly to operations in order to drive measurable improved performance against time, quality, budget, customer satisfaction and other key drivers throughout the supply chain.
Agile Resiliency and Scalability for Any Industry: Direct guidance on how to build and improve other critical capabilities to enable innovation and scalability for supply chain management, product development, service operations, data management and more.
Increase Value of Benchmarking: The performance-oriented appraisal methods improve the reliability and consistency of benchmarks and performance results while reducing preparation time and lifecycle costs.
Accelerate Supply Chain Management Capability and Performance: Online access and adoption guidance make straightforward best practices easily accessible to systematically build critical capabilities, improve their performance and achieve benefits for the entire supply chain.
THANK YOU FOR ATTENDING
This training content (“content”) is provided to you without warranty, “as is” and “with
all faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.
You assume the entire risk for the use of the content and acknowledge that: ISACA
has designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls
that are not included may not be appropriate; ISACA does not claim that use of the
content will assure a successful outcome and you are responsible for applying
professional judgement to the specific circumstances presented to determining the
appropriate procedures, tests, or controls.
Copyright © 2022 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).