CC and CMMI. An Approach to Integrate CC with Development

Similar documents
Software Process Assessment

A Global Overview of The Structure

Update Observations of the Relationships between CMMI and ISO 9001:2000

Strategies for Transitioning to CMMI-SVC

Patricia A Eglin David Consulting Group

Highlights of CMMI and SCAMPI 1.2 Changes

SOFTWARE ENGINEERING SOFTWARE PROCESS. Saulius Ragaišis.

Software technology 3. Process improvement models. BSc Course Dr. Katalin Balla

What s New in V1.3. Judah Mogilensky Process Enhancement Partners, Inc.

Relationship between CMMI Maturity Levels and ISO/IEC Processes Capability Profiles

CMMI for Acquisition Quick Reference

MTAT Software Engineering Management

USAF Software Technology Support Center (STSC) STSC SPI Help Desk COM , DSN

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide

CMMI for Services Quick Reference

Bill Smith, CEO Leading Edge Process Consultants LLC

SCAMPI V1.1 Method Overview

8. CMMI Standards and Certifications

DORNERWORKS QUALITY SYSTEM

High Maturity Practices in Quality Assurance Mechanisms for Quantitative Management (QM) and Continuous Process Improvement (CPI)

SCRUM and the CMMI. The Wolf and the Lamb shall Feed Together

Lesson Learned from Cross Constellations and Multi Models Process Improvement Initiatives

CMMI for Services (CMMI -SVC) Process Areas

Generating Supportive Hypotheses

CMMI Capability Maturity Model Integration [CMU SEI]

How to Assure your Subcontractors Quality with Cross Constellations and Multi Models Inspiration Continues Process Improvement Initiatives

9/24/2011 Sof o tw t a w re e P roc o e c s e s s s Mo M d o e d l e s l 1 Wh W a h t t i s i s a Pr P oc o ess s 2 1

CMMI Version 1.2. Model Changes

System Engineering Process Improvement using the CMMI in Large Space Programs

What is important in CMMI and what are the interrelations among its elements?

CMMI SM Mini- Assessments

Chapter 26 Process improvement

CMMI for Technical Staff

Dependency Analysis between CMMI Process Areas

A Real-Life Example of Appraising and Interpreting CMMI Services Maturity Level 2

Managing a Project and Keeping Sane While Wrestling Elegantly With PMBOK, Scrum and CMMI (Together or Any Combination)

Process Maturity Profile

Organizational Synthesis - CMMI, The Glue That Binds

Leveraging Your Service Quality Using ITIL V3, ISO and CMMI-SVC. Monday Half-Day Tutorial

CMM,,mproving and,ntegrating

Teuvo Suntio. Quality Development Tools. Professor of Power Electronics at University of Oulu. Electronic System Design A TS Rev. 1.

CMMI-SVC V1.3 CMMI for Services Version 1.3 Quick Reference Guide

Using the Equity in AS9100C to Implement CMMI-DEV Maturity Level 3

Why Should you Care about CMMI?

Q.A. Осигуряване на качество на софтуера (2016/2017, редовно/задочно)

Engineering. CMMI for Development V.1.2 Module 3. M03/Engineering/v1.2

Practical Application of the CMMI for Building a Strong Project Management Infrastructure

The Quality Paradigm. Quality Paradigm Elements

Using CMMI. Type of Work. IT solution development Software development IT solution integration IT solution deployment

Integrated Class C Process Appraisals (ICPA)

Process Improvement: CMMI

Marilyn Ginsberg-Finner Northrop Grumman Corporation

CMMI-SVC: A Cost-Effective Approach to Early Use

Use of Competency Guidelines to Address CMMI GP 2.5

CMMI High Maturity An Initial Draft Interpretation for V1.3

Implementing Systems Engineering Processes to Balance Cost and Technical Performance

Ogden Air Logistics Center

Process Improvement: CMMI

Proposed Approach to Heterogeneous CMMI. Appraisals. Joseph V. Vandeville. 14 November 2007

Q.A. Осигуряване на качество на софтуера (2016/2017, редовно/задочно)

How to Develop Highly Useable CMMI Documentation

M. Lynn Penn Lockheed Martin Integrated Systems and Solutions November 2004

CMMI v1.1 for a Service-Oriented Organization. By Steve Hall, Jeff Ricketts, Diane Simpson 16 November 2005

Interpretive Guidance: What We ve Learned

Do s and Don ts of Appraisal Preparation

CMMI for Services: Re-introducing the CMMI for Services Constellation

Measuring the Maturity Level of Core System Development Project in a Financial Company Using CMMI-DEV

Understanding and Leveraging a Supplier s CMMI Efforts: A Guidebook for Acquirers (Revised for V1.3)

Systems and Software Technology Conference

One if by Land, Two if by Sea

Staged Representation Considered Harmful?

Quest 2015 Webinar Series:

What the SEI Won t Teach You* A brief history of the SEI and CMMI. How you need to qualify and prepare

Analyzing Resonance of Motivation in Software Development Process Training by Using FRAM (Work-in-progress)

CMMI. Crash Course. What the SEI Won t t Teach You* *Nothing to hide, just not their style Entinex, Inc. ALL RIGHTS RESERVED ***PROPRIETARY***

Requirements Development of Energy Management System for a Unit in Smart Campus

Who needs that process stuff anyway? A practical example of process discipline to improve deployment

Visualizing Betweenness Centrality of Process Area Networks Organization, CMMI-SVC

The Issue of Performance Why Do you need a Maturity Level 5. Achieving the Organizational Business Objectives Through Optimized Operational Processes

AF Systems Engineering Assessment Model (AF SEAM) George Richard Freeman

Software Engineering. Lecture 7: CMMI

Understanding Model Representations and Levels: What Do They Mean?

Comparing Scrum And CMMI

CMMI. Crash Course. Legal Yadda Yadda. What the SEI Won t t Teach You*

CMMI Version 1.2 and Beyond

Capability Maturity Model Integration (CMMI) V1.3 and Architecture-Centric Engineering

Beyond Service Management: The Next Performance Advantage for All Disciplines

CC532 Collaborative System Design

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study

CMMI Level 2 for Practitioners: A Focused Course for Your Level 2 Efforts

CMMI-DEV v1.3: What you need to know!

Maturity Models - CMMI

PM Architecture Design as a Critical Success Factor in CMMI Model Implementation

Do s Don ts and Pitfalls: Planning your first CMMI appraisal

Software Quality Assurance Framework (SQA) Yujuan Dou 窦玉娟 2008/11/28

CMMI Re-Appraisal Moving Barriers & Making Strides

Buy:

CMMI and Agile Development: A Binary Choice?

Transcription:

CC and CMMI An Approach to Integrate CC with Development Wolfgang Peter TÜV Informationstechnik GmbH -TÜViT -

Contents 1. Status Quo 2. CMMI for Development 3. Striking Analogies 4. Combining Standards 5. Conclusion 1

What CC does accomplish... assesses and rates security capabilities of IT products establishes various levels of confidence in those products offers flexibility for new type of products and configurations, and development models provides mutual recognition, i.e. dozens of countries and many commercial users buy into working with CC... 2

... but... uses a complex and somehow artificial language developers are not familiar with usually starts fairly late in the development process requires documents just for CC focuses on product features, not on development processes... 3

Bottom line CC is normally not integrated with development CC causes disruption from regular development processes CC often results in established coexistences of normal and CC development within organizations CC is typically not institutionalized within an organization 4

Associated risks CC is normally not integrated with development Decisions on a case by case basis CC causes disruption from regular development processes Unnecessary overhead Waste of time and money CC often results in established coexistences of normal and CC development within organizations No efficient re-usage of development results (specifications, test results, development documents etc.) CC is typically not institutionalized within an organization Heavy dependent on individuals No guarantees that historical results can be repeated 5

In general... The quality of a product is highly influenced by the quality of the processes used to acquire, develop, and maintain it Source: SEI, Mastering Process Improvement Every organization involved in the development of security products would basically benefit from experiences and best-practices of welldefined and structured engineering standards 6

Contents 1. Status Quo 2. CMMI for Development 3. Striking Analogies 4. Combining Standards 5. Conclusion 7

Background CMMI (Capability Maturity Model Integration) is a process improvement approach that provides organizations with the essential elements of effective processes Successor of CMM or Software CMM; CMM developed from 1987 through 1997; release of CMMI, V1.1 in 2002 Created by members of industry, government and the SEI (Software Engineering Institute, Pittsburgh, PA, USA) Three models CMMI for Development (CMMI-DEV), Version 1.2 (08/2006) CMMI for Acquisition (CMMI-ACQ), Version 1.2 (11/2007) CMMI for Services (CMMI-SVC), (2009) Primary focus: process improvement Organizations cannot be CMMI certified, but are appraised and awarded a 1-5 level rating (e.g., using SCAMPI - Standard CMMI Appraisal Method for Process Improvement) Web Site: http://www.sei.cmu.edu/cmmi/ 8

Key concept Process sequence of steps performed for a given purpose Maturity Level Process Areas (PA) characteristics of effective processes Process Area 1... Process Area i... Process Area n Specific/Generic Goals (SG/GG) requirements Specific/Generic Practices (SP/GP) expected activities 2 types of representations continuous staged Capability Level (CL) CL 0, CL 1,..., CL5 (cumulative) PA specific CL i = achievement of GG i in a PA Maturity Level (ML) ML 1, ML 2,..., ML 5 (cumulative) pre-defined set of PAs, each reaching a pre-defined CL implementation level Specific Goals Specific Practices institutionalization level Generic Goals Generic Practices Capability Level 9

Continuous representation: Process Areas by categories - 1 Process Management Project Management Engineering Support 10

Continuous representation: Process Areas by categories - 2 Process Management OPF OPF OPD OPD OT OT OPP OPP OID OID CM CM Configuration Configuration Management Management PPQA PPQA Process Process and and Product Product Quality Quality Assurance Assurance MA MA Measurement Measurement and and Analysis Analysis DAR DAR Decision Decision Analysis Analysis and and Resolution Resolution Project Project Planning CAR Planning CAR Causal Causal Analysis Analysis and and Resolution Resolution Project Project Monitoring Monitoring and and Control Control Supplier Supplier Agreement Agreement Management Management Engineering Integrated Integrated Project Project Management Management REQM REQM Requirements Requirements Management Management Risk Risk Management Management RD RD Requirements Requirements Development Development Quantitative Quantitative Project Project Management Management TS TS Technical Technical Solution Solution PI PI Product Product Integration Integration VER VER Verification Verification Organizational Organizational Process Process Focus Focus VAL VAL Validation Validation Organizational Organizational Process Process Definition Definition Organizational Organizational Training Training Organizational Organizational Process Process Performance Performance Organizational Organizational Innovation Innovation and and Deployment Deployment Project Management PP PP PMC PMC SAM SAM IPM IPM RSKM RSKM QPM QPM Support 11

Generic Goals 1-3 Process Area GG 1 Achieve Specific Goals GP 1.1 Perform Specific Practices Generic Goals Generic Practices GG 2 Institutionalize a Managed Process GP 2.1 Establish an Organizational Policy GP 2.2 Plan the Process GP 2.3 Provide Resources GP 2.4 Assign Responsibility GP 2.5 Train People GP 2.6 Manage Configurations GP 2.7 Identify and Involve Relevant Stakeholders GP 2.8 Monitor and Control the Process GP 2.9 Objectively Evaluate Adherence GP 2.10 Review Status with Higher Level Management GG 3 Institutionalize a Defined Process GP 3.1 Establish a Defined Process GP 3.2 Collect Improvement Information 12

Staged representation: Process Areas by Maturity Level Organizational Innovation and Deployment Causal Analysis and Resolution Organizational Process Performance Quantitative Project Management Requirements Development Technical Solution Product Integration Verification Validation Organizational Process Focus Organizational Process Definition +IPPD Organizational Training Integrated Project Management +IPPD Risk Management Decision Analysis and Resolution Requirements Management Project Planning Project Monitoring and Control Supplier Agreement Management Measurement and Analysis Process and Product Quality Assurance Configuration Management ML 5 Optimizing ML 4 Quantitatively Managed ML 3 Defined ML 2 Managed Generic Goal / Capability Level 1 2 3 4 5 13 P l u s C r i t i c a l S u b p r o c e s s e s P l u s C r i t i c a l S u b p r o c e s s e s Source: method park, 2008

Contents 1. Status Quo 2. CMMI for Development 3. Striking Analogies 4. Combining Standards 5. Conclusion 14

Look and see! Organizational Innovation and Deployment Causal Analysis and Resolution Organizational Process Performance Quantitative Project Management Requirements Development Technical Solution Product Integration Verification Validation Organizational Process Focus Organizational Process Definition +IPPD Organizational Training Integrated Project Management +IPPD Risk Management Decision Analysis and Resolution Requirements Management Project Planning Project Monitoring and Control Supplier Agreement Management Measurement and Analysis Process and Product Quality Assurance Configuration Management ML 5 Optimizing ML 4 Quantitatively Managed ML 3 Defined ML 2 Managed P l u s C r i t i c a l S u b p r o c e s s e s P l u s C r i t i c a l S u b p r o c e s s e s Generic Goal / Capability Level 1 2 3 4 5 15

Analogy of key terms Process Area PA Category Capability Level Maturity Level Addition Assurance Family Assurance Class Assurance Component Leveling EAL Extension Both, CMMI and CC, represent state of the art concepts and culmination of decades of experiences 16

Contents 1. Status Quo 2. CMMI for Development 3. Striking Analogies 4. Combining Standards 5. Conclusion 17

General idea CC covers additional security related requirements, for the product and the product s development environment... (e.g. IEC 61508) Process Areas of CMMI-DEV cover demands on planned and controllable product development An organization develops products with different requirements on functionality, security, and... (e.g. safety) 18

Example: ALC_CMS (CM Scope) Institutionalization of this PA within the organization Achievement of process related requirements Configuration Management Generic Goals & Practices GG 1 Achieve Specific Goal GP 1.1 Perform Specific Practices GG 2 Institutionalize a Managed Process GP 2.1 Establish an Organizational Policy GP 2.2 Plan the Process GP 2.3 Provide Resources GP 2.4 Assign Responsibility GP 2.5 Train People GP 2.6 Manage Configurations GP 2.7 Identify and Involve Relevant Stakeholders GP 2.8 Monitor and Control the Process GP 2.9 Objectively Evaluate Adherence GP 2.10 Review Status with Higher Level Management GG 3 Institutionalize a Defined Process GP 3.1 Establish a Defined Process GP 3.2 Collect Improvement Information Configuration Management Specific Goals & Practices SG 1 Establish Baselines SP 1.1 Identify Configuration Items SP 1.2 Establish a Configuration Management System SP 1.3 Create or Release Baselines SG 2 Track and Control Changes SP 2.1 Track Change Requests SP 2.2 Control Configuration Items SG 3 Establish Integrity SP 3.1 Establish Configuration Management Records SP 3.2 Perform Configuration Audits CC EAL4 specific requirements ALC_CMS.4: Problem tracking CM coverage ALC_CMS.4.1C The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; the parts that comprise the TOE; the implementation representation; and security flaw reports and resolution status. ALC_CMS.4.2C The configuration list shall uniquely identify the configuration items. ALC_CMS.4.3C For each TSF relevant configuration item, the configuration list shall indicate the developer of the item. 19

Activities and (first) results Focused on EAL4 Bi-directional mapping and parts of the integration CC/CMMI-DEV done EAL4 does not require any addition of new CMMI-DEV process areas CMMI-DEV specific goal needs to be added ( ALC_DVS) Lots of additions to specific practices in engineering, project management, and support will be needed Lots of additions to the CMMI-DEV informative material necessary 20

Contents 1. Status Quo 2. CMMI for Development 3. Striking Analogies 4. Combining Standards 5. Conclusion 21

Conclusion and next steps Experience shows that efficiently developing high quality/security products requires managing the engineering processes In this respect CC needs to evolve or be combined with engineering standards Combining CMMI-DEV and CC is feasible e.g. EAL4 would require Capability Level 3 of quite a few CMMI Process Areas Piloting with customers will follow Models will be implemented in a web based tool, supporting reference models process definition management 22

23

TÜV INFORMATIONSTECHNIK GMBH Member of TÜV NORD Group Wolfgang Peter Director Evaluation Body for IT Security Langemarckstr. 20 D-45141 Essen Phone: +49 201 8999 624 Fax: +49 201 8999 666 E-Mail: w.peter@tuvit.de URL: www.tuvit.net 24

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback