opswright-labs/semm

SEMM

The Security Engineering Maturity Matrix (SEMM) is a maturity model similar to the Department of Energy Cybersecurity Capability Maturity Model (C2M2) in that it uses a three-tiered approach to define the capabilities of an organization's security engineering processes. Unlike the SSE-CMM, which is based more on specific security activities, the SEMM breaks down the security engineering process into the following practice areas and maps to 40 different categories, such as Governance, Requirements Management, Threat Modeling, Acquisition, Maintenance and many other areas:

  • Planning
  • Design
  • Build
  • Test
  • Deploy
  • Operate

SEMM seeks to define the practices that should be considered for a mature security organization, but does not specify the security requirements or frameworks to be used, as these will vary for every organization. This project will be maintained as an open source contribution, but its practices can also be found in the Opswright Impact platform, available at https://opswright.com

Future efforts will focus on WHEN these activities should be applied, as a risk-based approach will help best inform how far left in the engineering process rigor should be applied.

Any questions can be relayed to tony@opswright.com

References

  1. DOE C2M2 - https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
  2. SSE-CMM - https://apps.dtic.mil/sti/pdfs/ADA393329.pdf
