2. • The initial steps of a simplified Agile approach to initiate an enterprise
security architecture program are
3. The Capability Maturity Model Integration (CMMI)
The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product, and service development.
4. CMMI Maturity Levels
• Maturity Level 0 – Incomplete: Goals have not been established at this point, and processes are only partly formed or do not meet the organizational needs.
5. CMMI Maturity Levels
• Maturity Level 1 – Initial: Processes are viewed as unpredictable and reactive. At this stage, “work gets completed but it’s often delayed and over budget.”
• Maturity Level 2 – Managed: A basic level of project management has been achieved. Projects are “planned, performed, measured and controlled” at this level, but there are still a lot of issues to address.
6. • Maturity Level 3 – Defined: There is a set of “organization-wide standards” that “provide guidance across projects, programs and portfolios.” Businesses understand their shortcomings, how to address them, and what the goal is for improvement.
• Maturity Level 4 – Quantitatively managed: This stage is more measured and controlled. The organization works from quantitative data to determine predictable processes that align with stakeholder needs. The business is ahead of risks, with more data-driven insight into process deficiencies.
7. • Maturity Level 5 – Optimizing: Here, an organization’s processes are stable and flexible. At this final stage, the organization is in a constant state of improving and responding to changes or other opportunities. The organization is stable, which allows for more “agility and innovation” in a predictable environment.
8. • This maturity can be identified for a range of controls. Depending on the architecture, it might have more or fewer controls.
• Some example controls are:
  • Procedural controls
    • Risk management framework
    • User awareness
    • Security governance
    • Security policies and standards
  • Operational controls
    • Asset management
    • Incident management
    • Vulnerability management
    • Change management
    • Access controls
    • Event management and monitoring
9. • Application controls
    • Application security platform (web application firewall [WAF], SIEM, advanced persistent threat [APT] security)
    • Data security platform (encryption, email, database activity monitoring [DAM], data loss prevention [DLP])
    • Access management (identity management [IDM], single sign-on [SSO])
  • Endpoint controls
    • Host security (AV, host intrusion prevention system [HIPS], patch management, configuration and vulnerability management)
    • Mobile security (bring your own device [BYOD], mobile device management [MDM], network access control [NAC])
    • Authentication (authentication, authorization, and accounting [AAA], two-factor, privileged identity management [PIM])
  • Infrastructure controls
    • Distributed denial of service (DDoS) protection, firewall, intrusion prevention system (IPS), VPN, web, email, wireless, DLP, etc.