Applying the ISA-CMM: A Cloud E-Store Case Study

Company A (CA) is a major supplier of satellite imagery to commercial, federal and defense vertical markets. The organization launched an e-commerce website (estore) on the Internet that enables customers to navigate, review and purchase satellite imagery. This applied case study performs an Information Security Assurance Capability Maturity Model (ISA-CMM) assessment, with the estore at CA as its focus, in order to improve the predictability, control and effectiveness of the process. The ISA-CMM process, as described by Security Horizon (2012), is a sequence of steps that is performed or followed to achieve a specific outcome. The Capability Maturity Model (CMM) is a guide that assists the company in achieving statistical process control. Process maturity indicates the extent to which a detailed process is defined, managed, measured, controlled and effective, as described by Security Horizon (2012).

Background

CA’s Navigator estore provides an online marketplace in which customers can find, showcase and cross-sell imagery products. Features include production inventory by area of interest (AOI), related collateral, use case and vertical context. The key feature is that it allows a customer to order imagery directly from the Navigator estore. Each sales channel has direct access to the site. The Navigator site supports guided selling and cross-selling, and it captures business analytics by monitoring customer behavior on the estore. The purpose of the Navigator product is to enhance the customer experience and to showcase the available inventory of non-core imagery products. The site enables the sales and service team to convert traditional repeat buyers to a subscription revenue sales model and improves customer stickiness relative to the current competitor. The site also serves the long-tail business more efficiently and in a more streamlined way.

Application Architecture Overview

This section gives an overview of the application architecture. The estore application is built on, and runs on, Amazon Web Services cloud infrastructure.

Security Architecture Overview

The security architecture overview outlines the information assurance and security considerations for the estore application running on Amazon Web Services cloud infrastructure.

Overview of the ISA-CMM Assessment

ISA-CMM identifies nine process areas related to performing Information Assurance tasks or activities, as described by Security Horizon (2012). For each of the nine process areas, a capability maturity level from zero to five is assigned. A high capability level indicates that the area is in compliance with the ISA-CMM; a level at the lower end indicates that the area needs attention to come into compliance. This ISA-CMM assessment is broken into three areas: the organization’s support activities; on-site coordination with the customer, gathering information and performing analysis of the site’s security; and the findings from the ISA-CMM, which include the analysis and results.

Support Assessment

The support assessment area covers CA’s support activities, which ensure that the assessment organization is prepared and capable of performing Information Security Assurance activities. The support assessment section includes the ISA-CMM process areas of providing training (ISA-PA01), coordinating with the customer organization (ISA-PA02) and managing the information security assurance processes (ISA-PA09), as Security Horizon (2012) points out.

System Assessment

The system assessment section covers the on-site information gathering processes used to gather information and perform an analysis of the site’s security, as described by Security Horizon (2012). The system assessment section of the case study includes the ISA-CMM process areas of assessing the threat (ISA-PA04), assessing vulnerability (ISA-PA05), assessing the impact (ISA-PA06) and assessing information security risk (ISA-PA07). On-site customer coordination, which as Security Horizon (2012) points out is where information criticality and customer concerns are identified, is also covered in the system assessment area under specifying initial information security needs (ISA-PA03).

Analysis, Findings, and Results

This section analyzes the information collected, presents any findings and discusses the results of the assessment, as discussed by Security Horizon (2012). This includes documenting the information security assurance plan and the final report of findings and recommendations, and is identified in the ISA-CMM as providing analysis and results (ISA-PA08).

Conclusion

The conclusion of the case study summarizes the application, its architecture and the high-level ISA-CMM findings.

References

Security Horizon. (2012). Information security assurance capability maturity model (ISA-CMM), draft version 3.2. Security Horizon, Inc.