标准摘要
[中文适用范围]: 本国际标准规定了系统安全工程能力成熟度模型(SSE-CMM)。SSE-CMM 是一个过程参考模型,专注于在信息技术安全(ITS)领域实现系统或一系列相关系统的安全要求。在 ITS 领域内,SSE-CMM 专注于实现 ITS 的过程,特别是这些过程的成熟度。SSE-CMM 无意规定组织必须使用的特定过程,更不用说特定的方法论。相反,其意图是,使用 SSE-CMM 的组织应使用其现有过程,无论这些过程是否基于其他 ITS 指导文件。其范围包括: • 针对安全产品或可信系统的系统安全工程活动,涵盖从概念定义、需求分析、设计、开发、集成、安装、运行、维护到退役的完整生命周期; • 产品开发者、安全系统开发者和集成商、提供计算机安全服务和计算机安全工程组织的有关要求; • 所有类型和规模的工程组织,从商业到政府和学术界。 虽然 SSE-CMM 是一个用于改进和评估安全工程能力的独立模型,但这并不意味着安全工程应与其他工程学科隔离。相反,SSE-CMM 提倡整合,认为安全贯穿于所有工程学科(如系统、软件和硬件)及其定义组件中。通用特性“协调实践”认识到将安全与项目或组织内涉及的所有学科和群体进行整合的需要。同样,过程域“协调安全”定义了用于协调安全工程活动的目标和机制。 [外文原描述]: ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The model is a standard metric for security engineering practices covering the following: the entire life cycle, including development, operation, maintenance and decommissioning activities; the whole organization, including management, organizational and engineering activities; concurrent interactions with other disciplines, such as system, software, hardware, human factors and test engineering; system management, operation and maintenance; interactions with other organizations, including acquisition, system management, certification, accreditation and evaluation. The objective is to facilitate an increase of maturity of the security engineering processes within the organization. The SSE-CMM® is related to other CMMs which focus on different engineering disciplines and topic areas and can be used in combination or conjunction with them.
英文名称Information technology - Security techniques - Systems Security Engineering - Capability Maturity Model® (SSE-CMM®)