Information Security Assessment Methodology (ISAM) ... 7
Information Security Red Team Methodology (ISRM) ... 9
Information Security Assurance – Capability Maturity Model (ISA-CMM) ... 11
Acknowledgments ... 13
Points of Contact ... 14
2. ISA-CMM Overview ... 15
Expected Results ... 17
Key Concepts ... 18
ISA-CMM Architecture Description ... 22
The Basic Model ... 23
The Base Practices and Process Areas ... 25
The Generic Practices ... 27
The Capability Levels ... 28
3. Process Area Format ... 31
ISA-PA01: Provide Training ... 32
ISA-BP01.01 – Identify Training Needs ... 34
ISA-BP01.02 – Select Method of Information Security Training ... 35
ISA-BP01.03 – Ensure Availability of Information Security Training ... 36
ISA-BP01.04 – Train Personnel ... 37
ISA-BP01.05 – Assess Training Effectiveness ... 38
ISA-PA02: Coordinate with Customer Organization ... 39
ISA-BP02.01 – Identify Coordination Mechanisms ... 40
ISA-BP02.02 – Facilitate Coordination ... 41
ISA-BP02.03 – Coordinate Decisions and Recommendations ... 42
ISA-PA03: Specify Initial Information Security Needs ... 43
ISA-BP03.01 – Understand Criticality of the Customer's Assets ... 44
ISA-BP03.02 – Identify Applicable Constraints ... 45
ISA-BP03.03 – Identify Customer's Concerns ... 46
ISA-BP03.04 – Capture High-Level Objectives ... 47
ISA-BP03.05 – Identify Initial Information Security Needs ... 48
ISA-PA04: Assess Threat ... 49
ISA-BP04.01 – Identify Applicable Threats ... 50
ISA-BP04.02 – Identify Threat Impact Potential ... 51
ISA-BP04.03 – Assess Threat Agent Capability ... 52
ISA-BP04.04 – Assess Threat Likelihood ... 53
ISA-BP04.05 – Monitor Threats ... 54
ISA-PA05: Assess Vulnerability ... 55
ISA-BP05.01 – Identify Applicable Vulnerabilities ... 56
ISA-BP05.02 – Define Exploitation Potential ... 57
ISA-BP05.03 – Determine Overall Vulnerability ... 58
ISA-BP05.04 – Monitor Exploitation Potential ... 59
ISA-PA06: Assess Impact ... 60
ISA-BP06.01 – Analyze Capabilities ... 61
ISA-BP06.02 – Identify Potential Impacts ... 62
ISA-BP06.03 – Monitor Impacts ... 63
ISA-PA07: Assess Information Security Risk ... 64
ISA-BP07.01 – Determine Threat / Vulnerability / Impact Triples ... 65
ISA-BP07.02 – Assess Risk Associated with Exploitations ... 66
ISA-BP07.03 – Identify Potential Countermeasures ... 67
ISA-BP07.04 – Monitor Risks ... 68
ISA-PA08: Provide Analysis and Results ... 69
ISA-BP08.01 – Address Customer's Concerns and Constraints ... 70
ISA-BP08.02 – Provide Findings and Recommendations ... 71
ISA-PA09: Manage Information Security Assurance Processes ... 72
ISA-BP09.01 – Identify Information Security Assurance Process Management Structure ... 73
ISA-BP09.02 – Define Information Security Assurance Process ... 74
ISA-BP09.03 – Maintain Work Product Baselines ... 75
ISA-BP09.04 – Manage Information Security Assurance Program ... 76
4. Generic Practices ... 77
Capability Level 0 – Not Performed ... 78
Capability Level 1 – Performed Informally ... 79
Common Feature 1.1 – Base Practices Are Performed ... 80
Capability Level 2 – Planned and Tracked ... 82
Common Feature 2.1 – Planning Performance ... 83
Common Feature 2.2 – Disciplined Performance ... 90
Common Feature 2.3 – Verifying Performance ... 93
Common Feature 2.4 – Tracking Performance ... 96
Capability Level 3 – Well-Defined ... 99
Common Feature 3.1 – Defining a Standard Process ... 100
Common Feature 3.2 – Perform the Defined Process ... 103
Common Feature 3.3 – Coordinate Practices ... 107
Capability Level 4 – Quantitatively Controlled ... 111
Common Feature 4.1 – Establishing Measurable Quality Goals ... 112
Common Feature 4.2 – Objectively Managing Performance ... 114
Capability Level 5 – Continuously Improving ... 117
Common Feature 5.1 – Improving Organizational Capability ... 118
Common Feature 5.2 – Improving Process Effectiveness ... 121
Appendix A: Glossary ... 125
Appendix B: GP Interdependencies ... 132
Appendix C: ISAM Compliance Guidelines ... 133
Appendix D: ISAM Evidence Matrix ... 141
Appendix E: ISRM Compliance Guidelines ... 145
Appendix F: ISRM Evidence Matrix ... 161

LIST OF FIGURES
Figure 2-1: Rating Profile ... 24
Figure 2-2: Capability Levels ... 29
Figure 3-1: Process Area Format ... 32

LIST OF TABLES
Table 2-1: Capability Principles ... 27

INTRODUCTION
The last twenty years have seen a proliferation of automated
information systems, reliance on the Internet to enable most of
the nation’s essential services and infrastructures, and the
growing threat of organized cyber attacks capable of causing
debilitating disruption to our critical infrastructures. There are
many regulations, policies, and guidelines encouraging
organizations to assess the security posture of their information
systems to determine fundamental, cost-effective security
improvements in order to contribute to the protection of these
critical information infrastructures. As a result of events
leading up to and that have occurred since September 11, 2001,
there has been an even greater need to be aware of and address
cyber threats and vulnerabilities. On November 25, 2002, the
Department of Homeland Security was established as the federal
center of excellence for cyber-security and the focal point for
federal outreach to state, local, and nongovernmental
organizations including the private sector, academia, and the
public in providing ongoing protection from threats against our
national assets. The National Strategy to Secure Cyberspace is
an implementing component of the National Strategy for
Homeland Security, with the purpose of engaging and
empowering Americans to secure the portions of cyberspace that
they own, operate, control, or with which they interact.
The National Strategy to Secure Cyberspace includes five
national priorities, one of which is a National Cyberspace
Security Threat and Vulnerability Reduction Program, aimed at
reducing threats from and our vulnerabilities to cyber attacks.
Vulnerabilities must be identified and corrected in critical
networks and systems before threats surface. Recognizing that
vulnerabilities result from weaknesses in technology as well as
from improper implementation and oversight of technological
products, the strategy identifies eight major actions and
initiatives, one of which is to create a process for national
vulnerability assessments to better understand the potential
consequences of threats and vulnerabilities.
The number of government organizations and private companies
who profess to offer security assessment services has also
grown significantly. However, without any standardization,
these organizations have implemented varying interpretations of
the Information Security assurance services. Today the
terminology, scope and cost of Information Security assurance
services offered by industry differ greatly with no standardized
way for customers to determine which provider is the most
capable to address their specific needs for the most reasonable
cost. The National Security Agency (NSA) offered a solution to
this problem through the INFOSEC Assurance Training and
Rating Program (IATRP). In mid-2010, the NSA transferred the
entire IATRP to Security Horizon, Inc. which has renamed the
program Information Security Assurance Training and Rating
Program.

Information Security Assurance
One of the most significant changes to version 3.2 of the ISA-
CMM is the incorporation of the updated Methodologies. This
change reflects the expanded scope of the document. Whereas
the previous versions of the ISA-CMM focused only on
Information Security Assessment, in particular the Information
Security Assessment Methodology (IAM) and the Information
Security Evaluation Methodology (IEM), the current version has
been updated to encompass the merger of the IAM and IEM
Methodologies into the Information Security Assessment
Methodology (ISAM), the creation of the Information Security
Red Team Methodology, and other current, and possibly future,
Information Security Assurance services.
What is meant by Information Security Assurance? It is best
explained by expanding the acronym and taking the words in
reverse order. Information Security Assurance is the assurance
level that can be associated with the security that the system
(e.g., technical, procedural, etc.) uses to protect the information.
Since it is impractical for security to guarantee that information
is totally protected from exploitation, there is a level of
assurance that is associated with the ability of the system to
protect the information. Information Security Assurance
services analyze this level of Information Security Assurance
through analysis of information criticality, vulnerability, threat,
impact, risk, and countermeasures. Although Information
Security Assurance services can be performed on developmental
as well as operational systems, the focus of this current version
of the ISA-CMM is the analysis of operational
systems.

Information Security Assurance Training and Rating Program (ISATRP)
Security Horizon, Inc. operates the ISATRP on the assumption
that there are a significant number of Commercial and National
Information Infrastructure (NII) organizations (Customers) who
own and operate systems that store, process, and transmit
information with national security implications that need
assistance in vulnerability discovery and risk management
decisions. These Customers face a myriad of Information
Security Assurance service providers (Providers) that offer an
array of services. Customers are often confused about what
needs to be done during an Information Security Assurance
Activity and how to compare both individual assessors and
evaluators and service provider organizations. The ISATRP
provides standardized methodologies that set the baseline of
activities that are required for an Information Security
Assurance Activity, trains and certifies assessors and evaluators
in the standard, rates provider organizations against a
standardized metric to determine the provider's organizational
capability to perform Information Security Assurance
Activities, and identifies if the rating was met by compliance
with one (or more) of the ISATRP methodologies. The ISATRP
standardized rating system provides consumers with the
appropriate information required to be better informed when
selecting Information Security Assurance providers.
The first part of the ISATRP is the ISATRP methodology
courses; these courses transfer the standards by which the
Information Security Assurance service should be performed.
Through the ISATRP, Security Horizon, Inc. certifies that
individuals have demonstrated an understanding in these
specific methodologies.
The second part of the program involves an organization
undergoing an Information Security Assurance Capability
Maturity Model (ISA-CMM) appraisal and receiving a rating
that indicates the organization’s capability to provide ongoing
support and confidence that its technical work force is
performing according to an established and mature Information
Security Assurance process. The goal is to gain relative
assurance that the Information Security Assurance process is
consistent and repeatable over time.
The application of an ISA-CMM appraisal is defined in the
Continuous Appraisal Method (CAM). The purpose of the CAM
is to ensure the consistent application and execution of the ISA-
CMM appraisal process. This provides a level “playing field”
with the ultimate objective of providing the assurance that the
ratings applied to the sites are equivalent regardless of the team
composition from one appraisal to the next.

Information Security Assessment Methodology (ISAM)
The Information Security Assessment Methodology (ISAM) is
the foundation for Information Security Assessment services.
Information Security Assessments provide a detailed and
systematic way of examining cyber vulnerabilities; the
methodology was developed by experienced assessors from
government and industry. In addition to assisting the governmental and private
sectors, an important result of supplying baseline standards for
information security assessments is fostering a commitment to
improve the organization's security posture. The ISAM is a
hands-on methodology for conducting comprehensive
assessments of customer organizations and networks utilizing
common techniques and technical evaluation tools. Students
successfully completing the certification class can expect to
learn a repeatable methodology that provides each customer an
individualized roadmap for addressing their security concerns
and improving their security posture. The ISAM focuses on the
appropriate procedures for three primary phases:
Pre Assessment:
· Focuses on identifying critical information and systems and
addressing the impact to the organization should the loss of
confidentiality, integrity, and/or availability occur.
· This phase also addresses the full scoping of the assessment
process.
On-Site Assessment:
· Focuses on gathering the information needed to validate the
actual security posture of the organization through interviews,
documentation review, and system evaluation.
Post Assessment:
· Focuses on detailed analysis and reporting of the findings.
· This process also includes a reporting tool that assists in the
management view of the security posture.
The ISAM consists of a standardized set of activities required to
perform an Information Security Assessment. In other words,
the methodology explains the depth and breadth of the
assessment activities that must be performed to be compliant
within the ISATRP. The ISAM “sets the bar” for what needs to
be done for an activity to be considered a complete Information
Security Assessment. The methodology does not teach
Information Security analysis skills. It merely provides a
framework by which Information Security analysts can use their
skills to perform a repeatable and comparable process.
Providers who advertise an Information Security Assurance
capability and consumers seeking assistance in performing
Information Security Assessments can use the ISAM as their
baseline for their discussions. Because the ISAM is a baseline,
providers can expand upon it to further meet the needs of the
customers. However, it is recommended that any "expansion"
should not reduce or interfere with the original intent of any
ISAM activity.
The ISAM is taught in a three-day training class. Although the
class material is the same, the ISAM is taught in two formats:
Certification and Non-Certification.
The certification is open to anyone meeting the requirements
(government, contractor, or private individual). To qualify for
certification, individuals must have five years of demonstrated
experience in the field of Information Security,
Communications Security, or Computer Security, with two of
the five years of experience directly involved in analyzing /
evaluating / assessing computer system / network vulnerabilities
and security risks. To further qualify for certification, students
must demonstrate an understanding of the ISAM through
participating in all of the three-day training, group
presentations to the class, and a passing grade on the ISAM
final exam. Each student who meets all these requirements will
receive an ISAM certificate of Completion stating that they
have been trained and demonstrated an understanding of the
ISAM. The ISAM certification provides no assurance as to the
Information Security analysis ability of the individuals beyond
that of the qualifications. Organizations can bring together a
cadre of ISAM certified individuals to provide an Information
Security Assessment capability to market for public and private
organizations. Individuals with Information Security
responsibilities for U.S. Government systems can earn the
ISAM certification to meet CNSS 4012 requirements for
Security Managers.
More information about the ISAM and ISATRP can be found at
www.isatrp.com.

Information Security Red Team Methodology (ISRM)
The second of the ISATRP methodologies is the Information
Security Red Team Methodology (ISRM). The ISRM is a
detailed hands-on methodology for performing evaluations of
the current security readiness of an organization against
identified threats. Individuals can expect to learn a repeatable
methodology that can be used to prepare for and conduct a Red
Team engagement. It is recommended that a security
professional obtain both the ISRM and the Information Security
Assessment Methodology (ISAM) to assure a broad
understanding of the information security analysis processes.
The ISRM covers the processes involved in an evaluation of a
customer's overall security posture, based on both technical and
physical threats. The ISRM can start with a review of the ISAM
and select inputs to the ISRM, and proceeds to walk through the
process of planning, executing, monitoring, and reporting Red
Team activities with the customer. The students will learn
techniques that can be used for intelligence gathering and
reconnaissance of selected targets, and how to use this
information. Once the intelligence gathering and
reconnaissance is completed, the students will learn how to plan
and execute various exploitation techniques in a coordinated
attack against the selected targets. Both technical and mental
exercises are used throughout the course to reinforce the
concepts.
The ISRM is a four-day course for experienced Information
Systems Security analysts, those interested in performing Red
Team engagements, or those planning on having a Red Team
engagement performed against their organization. The students
will benefit most if they have a solid background in information
security systems and have an understanding of networking
concepts. A strong ability to analyze disparate information is
also highly valuable.
The ISRM is taught in a four-day training class. Although the
class material is the same, the ISRM is taught in two formats:
Certification and Non-Certification.
The certification is open to anyone meeting the requirements
(government, contractor, or private individual). To qualify for
certification, individuals must have five years of demonstrated
experience in the field of Information Security, communications
security, or computer security, with two of the five years of
experience directly involved in analyzing / evaluating /
assessing computer system / network vulnerabilities and
security risks. To further qualify for certification, students
must demonstrate an understanding of the ISRM through
participating in all of the four-day training, group presentations
to the class, and a passing grade on the ISRM final exam. Each
student who meets all these requirements will receive an ISRM
certificate of Completion stating that they have been trained and
demonstrated an understanding of the ISRM. The ISRM
certification provides no assurance as to the Information
Security analysis ability of the individuals beyond that of the
qualifications. Organizations can bring together a cadre of
ISRM certified individuals to provide an Information Security
Red Team Assessment capability to market for public and
private organizations.
More information about the ISRM and ISATRP can be found at
www.isatrp.com.

Information Security Assurance – Capability Maturity Model (ISA-CMM)
The Information Security Assurance – Capability Maturity
Model (ISA-CMM) is based on the System Security Engineering
Capability Maturity Model (SSE-CMM) which became an
International Organization for Standardization (ISO) standard
on 18 March 2002 (reference: Document ISO/IEC 21827
“Information Technology - Systems Security Engineering -
Capability Maturity Model”). The ISA-CMM addresses the
Information Security Assurance analysis processes. The ISA-
CMM is a non-tailorable continuous model (i.e. all the Process
Areas will be appraised for a given organization and cannot be
“tailored out”). The ISA-CMM focuses on the processes
(specific functions) that produce Information Security
Assurance analysis work products (e.g., results that identify
vulnerabilities, countermeasures, and threats).
The ISA-CMM identifies nine process areas related to
performing Information Security Assurance Activities. For each
of the nine process areas, the ISA-CMM defines six levels of
capability maturity from Level 0 to Level 5. The higher the
capability maturity level, the greater the confidence that a
process is well established throughout the organization and the
more likely it is that the process will be performed consistently
from one assessment to the next. From consistency comes
greater confidence in the quality of an activity, but quality
cannot necessarily be guaranteed (i.e. there is an outside chance
that a process can run perfectly and consistently produce bad
results). As such, it is important that the knowledge and skills
of individual assessors be taken into consideration as well (e.g.
ISAM / ISRM certification, CISSP, other certifications, past
performance). The combination of skilled assessors and a
capable organization greatly increases the potential for
consistent high-quality results.
The Process Areas in the ISA-CMM were initially developed to
gauge the maturity of Information Security Assurance
capability. However, they have relevance when performing
many other Information Assurance assessment related activities
(e.g. Health Insurance Portability and Accountability Act of
1996 (HIPAA) for healthcare organizations and Gramm-Leach-
Bliley for financial service organizations). In addition,
organizations can use the ISA-CMM to measure their own
capability for assessing Information Security strength within
their infrastructure (e.g. do we know how to assess our own
threats, vulnerabilities and impacts to determine the risk to our
mission, systems and assets?).
In traditional CMM activities, it is conceivable that a well-
defined process that consistently produces a poor product can
receive a fairly high maturity rating. The ISATRP approach
reduces this possibility by providing detailed linkages between
each process area and ISATRP methodology certifications.
Standardized methodology products add further assurance of
quality in a resulting Information Security Assurance activity
(i.e., the right products are being produced to meet compliance
with the standard methodology).
As a result of an ISA-CMM appraisal, the organization will be
assigned an ISA-CMM Rating Profile. This is a list of nine
numbers from 0 to 5 (one for each process area). As mentioned
above, the organization must be appraised against all Process
Areas of the ISA-CMM, that is, none of the Process Areas may
be tailored out of the model for the appraisal.
When a customer is deciding on a provider organization, they
should use the ISA-CMM rating profile along with the
experience of the organization’s Information Security assessors
to determine what is required to meet their needs. For example,
in the case of a low rating in the Assess Vulnerability Process
Area, the customer may want to pay particular attention when
reviewing the qualifications of the individual analysts to
determine their specific vulnerability assessment experience. A
high rating would provide assurance that the process area is
institutionalized and allow for less scrutiny of analysts (i.e., the
maturity of the process provides the assurance).
If a customer is seeking a provider capable of providing a
specific ISATRP methodology (e.g., ISAM, ISRM), they should
verify that the appropriate compliance checkbox beneath each
Process Area on the rating profile is marked. While an
organization may be performing the activities within the
parameters allowed by the ISA-CMM, they may lack the
specific requirements needed to be compliant with a specific
Information Security Assurance environment (i.e. an ISATRP
methodology) as outlined in the various appendices of the ISA-
CMM. In other words, an organization may have a mature
process for identifying vulnerabilities and receive a rating in
accordance with that maturity. But if the organization is not
performing the process in compliance with the ISATRP
methodology, they will not be given credit for meeting the
methodology standards.
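The rating profile and compliance-checkbox rule described above can be written down as a small decision aid. The following is an added example, not code from the ISA-CMM document or from Security Horizon, Inc.: the nine process area names and the 0 to 5 capability levels are taken from the document, while the sample profile, the numeric "low rating" threshold used to flag areas for analyst scrutiny, and the requirement format are constructed assumptions for illustration.

```python
"""Decision aid for reading an ISA-CMM Rating Profile.

Added example, not part of the ISA-CMM document. Process area names and the
0-5 capability levels follow the document; the sample profile, the 'low
rating' threshold and the requirement format are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# The nine ISA-CMM process areas (ISA-PA01 .. ISA-PA09). Appraisals are
# non-tailorable, so a valid profile must carry a rating for every one.
PROCESS_AREAS = (
    "ISA-PA01 Provide Training",
    "ISA-PA02 Coordinate with Customer Organization",
    "ISA-PA03 Specify Initial Information Security Needs",
    "ISA-PA04 Assess Threat",
    "ISA-PA05 Assess Vulnerability",
    "ISA-PA06 Assess Impact",
    "ISA-PA07 Assess Information Security Risk",
    "ISA-PA08 Provide Analysis and Results",
    "ISA-PA09 Manage Information Security Assurance Processes",
)
METHODOLOGIES = ("ISAM", "ISRM")
MIN_LEVEL, MAX_LEVEL = 0, 5


@dataclass(frozen=True)
class RatingProfile:
    """Nine capability levels plus, per methodology, the set of process
    areas whose compliance checkbox is marked on the profile."""
    ratings: Dict[str, int]
    compliance: Dict[str, FrozenSet[str]]

    def __post_init__(self) -> None:
        # Non-tailorable model: no process area may be missing or extra.
        if set(self.ratings) != set(PROCESS_AREAS):
            raise ValueError("profile must rate exactly the nine process areas")
        for pa, level in self.ratings.items():
            if not MIN_LEVEL <= level <= MAX_LEVEL:
                raise ValueError(f"{pa}: capability level {level} out of range 0-5")
        for meth, areas in self.compliance.items():
            if meth not in METHODOLOGIES or not areas <= set(PROCESS_AREAS):
                raise ValueError(f"bad compliance entry for {meth}")

    def compliance_level(self, methodology: str, pa: str) -> Optional[int]:
        """Credit toward a methodology equals the maturity rating when the
        compliance box for that process area is marked; otherwise there is
        no credit (None), however mature the process itself is."""
        if pa in self.compliance.get(methodology, frozenset()):
            return self.ratings[pa]
        return None


def scrutiny_list(profile: RatingProfile, low_threshold: int = 2) -> List[str]:
    """Process areas rated low enough that the customer should examine the
    individual analysts' qualifications rather than rely on process
    maturity. The threshold is an assumption; the document only says 'low'."""
    return [pa for pa in PROCESS_AREAS if profile.ratings[pa] < low_threshold]


def meets_requirements(profile: RatingProfile, methodology: str,
                       required: Dict[str, int]) -> Dict[str, bool]:
    """Per required process area: does the provider hold methodology credit
    at or above the requested level? A mature but non-compliant area fails."""
    result: Dict[str, bool] = {}
    for pa, needed in required.items():
        credited = profile.compliance_level(methodology, pa)
        result[pa] = credited is not None and credited >= needed
    return result


# Constructed sample profile: level 3 at Assess Vulnerability with the ISAM
# box marked, level 3 at Assess Risk without ISAM compliance, weak training.
SAMPLE_PROFILE = RatingProfile(
    ratings={
        "ISA-PA01 Provide Training": 1,
        "ISA-PA02 Coordinate with Customer Organization": 2,
        "ISA-PA03 Specify Initial Information Security Needs": 2,
        "ISA-PA04 Assess Threat": 2,
        "ISA-PA05 Assess Vulnerability": 3,
        "ISA-PA06 Assess Impact": 2,
        "ISA-PA07 Assess Information Security Risk": 3,
        "ISA-PA08 Provide Analysis and Results": 2,
        "ISA-PA09 Manage Information Security Assurance Processes": 0,
    },
    compliance={
        "ISAM": frozenset({"ISA-PA05 Assess Vulnerability",
                           "ISA-PA08 Provide Analysis and Results"}),
        "ISRM": frozenset(),
    },
)

if __name__ == "__main__":
    print("ISAM credit for Assess Vulnerability:",
          SAMPLE_PROFILE.compliance_level("ISAM", "ISA-PA05 Assess Vulnerability"))
    print("Scrutinize analysts for:", scrutiny_list(SAMPLE_PROFILE))
    print(meets_requirements(SAMPLE_PROFILE, "ISAM", {
        "ISA-PA05 Assess Vulnerability": 2,
        "ISA-PA07 Assess Information Security Risk": 2,
    }))
```

The point the sample profile makes is the one the text makes: Assess Information Security Risk is rated as mature as Assess Vulnerability, but because its ISAM box is not marked it earns no ISAM credit, so a customer requiring ISAM-compliant risk assessment is not served by that rating alone.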
If the methodology compliance box is checked for the
organization, it can be assumed that the organization’s
compliance for that Process Area is the maturity level assigned.
This means if an organization has a maturity rating for Assess
Vulnerabilities of level 3 and the ISAM compliance box is
checked, the organization is considered level 3 for ISAM
compliance.

Acknowledgments

Sponsoring Organizations
The Information Security Assurance – Capability Maturity
Model (ISA-CMM) is sponsored by Security Horizon,
Inc.

Developers
The following individuals are responsible for the ongoing
updates and maintenance of the ISA-CMM and its related
documents:
Fuller, Ed – Security Horizon, Inc.

Previous Authors and Reviewer Group Members
We wish to thank the following individuals for providing
reviews, comments, and feedback to this version and / or
previous versions of the ISA-CMM:
Becker, Doron – Electronic Data Systems
Camponeschi, Christopher – InterAct Solutions Group, Inc.
Canfield, Rebecca – National Security Agency
Crossman, Tom – Electronic Data Systems
DiRienzo, Victor – Engineering