Capability Maturity Model (SSE-CMM), Six Sigma, and ROSI (return on security
investment) as quality assurance ROI.
SQA in the development phase may include a formal software engineering approach (e.g., SEI-CMMI). CMMI models provide many benefits to organizational management of processes, including the following as paraphrased from the SEI CMMI Web site:
• Align business objectives to management activities.
• Better manage products and services to meet customer expectations.
• Capture and leverage lessons learned.
• View organizational functions from an enterprise perspective.
SSE-CMM is similar to SEI-CMMI, but SSE-CMM addresses security issues in general, not software development. Six Sigma provides a statistical quantification approach to QA where the successful application of Six Sigma in software development provides for less than 3.4 defects per million opportunities, or 99.9997 percent error-free—not quite Nirvana, but at least a balcony view.
The ever-elusive quest for hard ROSI figures is partially satisfied through QA quantification from a ROI perspective. Finding and fixing software bugs early in the development process is far less expensive than finding and fixing after delivery or sitting on the shelf as COTS: “Researchers concluded that fixing [one set of] four defects during the testing phase cost $24,000. Fixing the same defects after deployment cost $160,000, nearly seven times as much.” With executive attention on risk management and the bottom line, the example presents a hard ROI for addressing security flaws as software bugs.
Another foundation of IA² is the IA quantification framework (IAQF). Development QA contributes to the IAQF by quantifying security flaws as software bugs and providing the monetary justification to fix those bugs early in the development process. SQA provides direct input to the IA² development view.
9.18 Commentary and Conclusion
The intent of this chapter is to provide insight into the definition and fit of IA mechanisms in context of IA services and IA². All too often, despite good intentions, the focus of security professionals is exclusively on the mechanisms, on the technology. Managers and executives are interested in the business benefits of IA mechanisms, not the technical details. The business benefits are seen in terms of
http://www.sei.cmu.edu/cmmi/ (accessed May 2004).
http://www.sei.cmu.edu/cmmi/general/general.html (accessed April 2004).
Berinato, Scott, “Finally, a Real Return on Security Spending,” CIO Magazine, February 15, 2002.