
Research And Development Of An Acquisition System For Public Security Informative Product And Service

Posted on: 2009-04-15
Degree: Master
Type: Thesis
Country: China
Candidate: Z Wang
GTID: 2178360272973997
Subject: Software engineering

Abstract/Summary:
The development of Internet technology has brought information technology (IT) products and services into many domains, including politics, the economy, culture and education. In China, the purchase of IT products and services has become a requirement for many ministries and commissions. Many process models, process management standards and technologies support quality management of the development and service processes for IT products. Unfortunately, the widespread delivery of services and resources over the Internet has introduced potential security issues. Some information security assurance, audit and assessment technologies have been developed for IT products and their production processes. However, research and practice on information security management in the IT product and service acquisition process are still lacking. In particular, differing political and financial policies make government purchasing very different from country to country, and many security problems have arisen from insecure acquisition processes. How to manage information security in the IT product and service acquisition process is a challenging and urgent problem.

CMMI is a widely applied process reference model in the information industry. Since 2006, the new version, CMMI V1.2, has provided a framework that supports the development of new constellation models under this one framework. To date, two constellation models have been released, CMMI-DEV V1.2 (CMMI for Development) and CMMI-ACQ V1.2 (CMMI for Acquisition), and one more, CMMI-SVC (CMMI for Service), is being developed. CMMI-ACQ is specific to the purchase of IT products and services. It includes 22 process areas and covers 4 primary phases of IT product and service purchase: planning and preparation, agreement establishment, purchase project monitoring and control, and verification and validation of the purchased product.

As a constellation model of the CMMI framework, CMMI-ACQ is compatible with the CMMI-based development process of the supplier organization. However, CMMI-ACQ is a general reference model for any IT product and service acquisition. For ministries with high security requirements, such as the police and the army, CMMI-ACQ does not provide specific guidance on, among other things, security management of the buyer's information, buyer-provided products, and security assessment of the acquired product. This paper focuses on information security management in IT product and service acquisition and presents the Security Acquisition Model Extend CMMI-ACQ (SAMEC), which extends 6 purchase process areas of CMMI-ACQ with information security management practices or goals derived from the requirements of ISO/IEC 27002.

Based on CMMI-ACQ, SAMEC adds specific practices and goals to enhance its information security management capability. SAMEC can be adopted for secure IT product and service purchasing and is ISO/IEC 27000 compliant. It will help IT product and service acquisition organizations establish their secure IT product and service acquisition process systems effectively and completely. SAMEC has been applied in practice to IT product and service purchasing in the police ministry. We updated and enhanced the original acquisition process based on SAMEC. The new acquisition process was used to manage the purchase activities of an IT purchase project with higher security requirements. The application showed that SAMEC is effective and appropriate.
Keywords/Search Tags:Information security management, Informative technology acquisition, Software process improvement, Software process model, SAMEC