The "Security Maturity Model" you describe sounds like a reasonable
framework for improving security practices in organizations. You could
view the Orange Book as defining security maturity levels of the
software product, and then your framework would (as you said)
complement the Orange Book within the organization. You could even
develop an SEI-style assessment method to determine the security
maturity level. And I suspect that it would be easier to demonstrate a
correlation between security maturity level and actual organizational
security than it has been for the CMM folks to correlate process
maturity with product quality. For some organizations the security
maturity level would be a useful marketing tool, just as some software
organizations advertise their CMM level. The net effect would be to
increase organizational awareness of security issues.
-- David
--------------------------------------------------------------------
David S. Rosenblum
Department of Information & Computer Science
University of California, Irvine
Irvine, CA 92697-3425
+1 714.824.6534 (voice)
+1 714.824.1715 (fax)
<http://www.ics.uci.edu/~dsr/>