Unveiling Safety and Security in the CMMI 2.0 Model
Source: Dr. Cong Bin (丛斌), Lao Cong Jiangzhuo (老丛讲桌) | Published: 2021/3/21

On March 10, the CMMI Institute released CMMI V2.2, a significant upgrade to CMMI 2.0. Its main changes: SAM is no longer a core practice area but only a specific practice area within supplier management, which means the many CMMI organizations that do no procurement no longer have to rack their brains to explain why. CMMI 2.2 formally brings Enabling Virtual Solution Delivery (EVSD) into the Managing the Workforce capability area; this PA is very much a product of the pandemic, and it has effectively supported the virtual appraisals and virtual training conducted since March 2020. In other words, the CMMI Institute too must face the new normal in which part of its work is done remotely. Version 2.2 also refines some existing content based on user feedback.

If this upgrade contained only these changes, a quick shout-out on my WeChat Moments would have sufficed; there would be no need to spend time writing this article. The importance of this upgrade lies in the fact that it finally unveils safety and security in the CMMI 2.0 model. I have not used the Chinese terms for safety and security because, to date, there is no official Chinese translation of these two words. Professor Zhang Fuyan of Nanjing University told me that years ago he took part in a discussion on how to translate them, but the participants could not reach a consensus. Huawei translates both as 安全性, and readers tell them apart from context. I am also looking forward to seeing how the Chinese edition of CMMI 2.2 translates these two terms.

Consideration of safety and security in the software development process is a problem I have followed for many years, and its importance is self-evident. In 2019, while leading a 2.0 appraisal of one of Huawei's sub-product lines, I had the opportunity to get a rough look at Huawei's IPD 2.0 planning, in which "trustworthy" systems are an important component; this delighted me. Safety and security are part of a trustworthy system. I wrote a dedicated article, "A First Look at Huawei IPD 2.0", briefly introducing the trustworthy-system framework and the British standard that Huawei references for it, BS 10754-1:2018 (Information technology – System trustworthiness). I believe that by carrying trustworthy-system considerations through the entire product development process, Huawei has truly grasped the lifeline of the new generation of software development, and I hoped that when the CMMI Institute drafted the safety and security content of the 2.0 model, it would reference this British standard.

With this in mind, around May 2020 I took part in the review of the safety and security content of the CMMI 2.0 model. I spent a great deal of time carefully reading every word of the three new practice areas and of the new safety and security content added to the related existing PAs, attended many discussion meetings, and offered a number of carefully considered suggestions.

I hoped the safety and security content of the CMMI model would have its own character rather than merely mirror existing industry standards. In particular, I hoped it could be combined with CMMI's most successful development model, so that organizations that need it can effectively integrate safety and security into their development process.

When I found that the draft did not reference the British trustworthy-systems standard BS 10754-1:2018 (Information technology – System trustworthiness), I felt this was a major omission and recommended that it be made one of the primary references. I am glad that CMMI 2.2 ultimately adopted this suggestion.

The most important safety and security content in the CMMI 2.0 model consists of three practice areas: Enabling Safety (ESAF), Enabling Security (ESEC), and Managing Security Threats and Vulnerabilities (MST), all belonging to the Managing Security and Safety capability area.
Without violating the Institute's non-disclosure agreement, I will briefly introduce the core content of the three practice areas, including each PA's value, intent, and practices. So that readers see the original material, I will not translate it into Chinese here.

Enabling Safety (ESAF)
Intent
Minimizes and mitigates safety risks within the tolerance parameters and constraints of operational effectiveness, time, and cost.
Value
Reduces the residual safety hazard risk to an acceptable level.
Practice Summary
Level 1
ESAF 1.1: Identify and record safety needs and hazards.
ESAF 1.2: Address prioritized safety needs and hazards.

Level 2
ESAF 2.1: Identify critical safety needs and constraints, keep them updated, and use them to develop and keep safety objectives current.
ESAF 2.2: Develop, keep updated, and follow an approach to address workplace environment safety.
ESAF 2.3: Develop, keep updated, and follow an approach to address functional safety for the solution.

Level 3
ESAF 3.1: Establish and deploy an organizational safety capability.
ESAF 3.2: Perform safety evaluations periodically and take action on results.
ESAF 3.3: Develop,keep updated, and follow organizational safety control strategies.

The main purpose of ESAF is to keep safety hazards and risks within an acceptable range. The level 1 practices require identifying, recording, and addressing important safety needs and hazards. Level 2 requires continuously identifying and updating critical safety needs, constraints, and safety objectives, and establishing an effective approach for addressing workplace-environment safety hazards as well as functional-safety hazards in the solution. The level 3 practices require establishing and deploying an organizational capability for managing safety, and periodically performing safety evaluations and taking corrective action when necessary; organizational safety control strategies are, of course, also indispensable.

Enabling Security (ESEC)
Intent
Develops and keeps updated the security approach that includes anticipating, identifying, and taking actions to avoid or minimize the impacts of security issues on an organization or solution.
Value
Reduces the impact of security threats and vulnerabilities on business performance.
Practice Summary
Level 1
ESEC 1.1: Identify and record security needs and issues.
ESEC 1.2: Address prioritized security needs and issues.

Level 2
ESEC 2.1: Identify security needs, keep them updated, and use to develop a security approach and objectives.
ESEC 2.2: Develop, keep updated, and follow an approach to address physical security needs.
ESEC 2.3: Develop, keep updated, and follow an approach to address mission, personnel, and process-related security needs.
ESEC 2.4: Develop, keep updated, and follow an approach to address mission, personnel, and process-related security needs.
 
Level 3
ESEC 3.1: Establish and deploy an organizational security operations capability.
ESEC 3.2: Develop, follow, and implement an organizational security strategy, approach, and architecture; and keep them updated.
ESEC 3.3: Periodically perform security reviews and evaluations throughout the organization and take action on results.
 
Managing Security Threats and Vulnerabilities (MST)
Intent
Identifies the security threats and vulnerabilities that could compromise the organization or solution, analyzes the potential impacts, and defines and takes actions to address and mitigate them.
Value
Increases an organization's capability and resilience to identify, mitigate, and recover from threats and vulnerabilities.
Practice Summary
Level 1
MST 1.1: Identify and record security threats and vulnerabilities.
MST 1.2: Take actions to address security threats and vulnerabilities.

Level 2
MST 2.1: Develop, keep updated, and follow an approach for handling security threats and vulnerabilities.
MST 2.2: Develop and keep updated criteria to evaluate security threats and vulnerabilities.
MST 2.3: Use recorded criteria to prioritize, monitor, and address the most critical security threats and vulnerabilities that arise during operations.
MST 2.4: Evaluate the effectiveness of the approach and actions taken to address critical security threats and vulnerabilities to the solution.

Level 3
MST 3.1: Develop, keep updated, and follow an organizational security strategy, approach, and architecture to evaluate, manage, and verify threats and vulnerabilities.
MST 3.2: Analyze security verification and validation results to ensure accuracy, comparability, consistency, and validity across the organization.
MST 3.3: Evaluate effectiveness of the organizational security strategy, approach, and architecture for addressing security threats and vulnerabilities.
 
Level 4
MST 4.1: Employ threat intelligence analysis to develop and improve the solution security approach and architecture, and to select security solutions to address threats and vulnerabilities, using statistical and other quantitative techniques.

The structure of ESEC and MST is similar to that of ESAF, except that the focus shifts from safety to security and to the management of security threats and vulnerabilities.

How should enterprises be enabled to use the safety and security best practices in the CMMI 2.0 model? This is indeed a challenge. The Institute originally planned to set up a separate benchmark for safety and security. I felt that would be too costly and would also hinder combining them with the development model, so I suggested running a survey and letting users choose between the following two modes:
 
Mode 1: Optional Addition:
The new Security and Safety practice areas are added as options to the existing Benchmark Model Views: Development (DEV), Services (SVC), and Supplier Management (SPM).
Published appraisal results might look like: DEV+SEC ML3 (Development and Security Maturity Level 3), DEV+SAF ML2 (Development and Safety Maturity Level 2), DEV+SEC+SAF ML3 (Development, Security, and Safety Maturity Level 3).
 
Mode 2: Individual Benchmark (Individual Maturity Levels for Security and Safety):
In this mode (the one presented in earlier official CMMI 2.0 training), Security and Safety become two new Benchmark Model Views, with independent appraisals and independent maturity levels. The 18 core PAs (17 once SAM is removed), such as PLAN, CM, and so on, must support achieving a given Security or Safety maturity level.

Published appraisal results might look like Security Maturity Level 2 (SEC ML2) or Safety Maturity Level 3 (SAF ML3), i.e., a separate Security or Safety certificate.
Most of those who voted chose the first mode, and I am gratified that this is also the Institute's choice.

Last year the Institute asked me to summarize CMMI 2.0 in a few sentences. After careful thought, I wrote: CMMI V2.0 is a dynamic model that can be rapidly extended to incorporate new methodologies and practices. V2.0 focuses on more meaningful results and aligns improvement methods with the organization's business objectives; the value it brings to an organization goes far beyond the appraisal and the maturity level themselves.

Although the newly released safety and security content still has some shortcomings, it provides a good framework for many Chinese IT organizations to address safety and security problems in their development process. Through real and continued practice, we can keep improving CMMI as a dynamic model, and I look forward to having the opportunity to do my part.