Chapter 4. Model Relationships

Successful process improvement efforts align with and help to accomplish business and strategic objectives. Otherwise, there is no reason for the organization to invest in improving processes. Business and strategic objectives may reflect the organization’s critical success factors (to improve sales volume) or compliance regulations (to meet stricter information privacy rules) or even address a continuing issue or challenge for the organization (to prevent further data breaches). These objectives should drive how you use model-based process improvement methods, techniques, and tools, including CERT-RMM.

CERT-RMM in its entirety looks ominous at first glance. One reason for this is that operational resilience management encompasses many disciplines and practices. Another reason is that CERT-RMM provides extensive elaborative material to help you make practical use of the model. Once you understand the relationships in the model—and you are able to connect these with your own operational resilience management processes—the CERT-RMM processes that are most relevant to you will be fairly easy to identify and adopt.

There are two types of relationships that are useful to understand as you become familiar with the model. The model view helps you to understand the model from an architectural perspective. The way that process areas are grouped provides perspective on the area of operational resilience management that those process areas are intended to support. The objective view helps you see the model through relationships that support a particular objective and what you want to accomplish. For example, if your objective is to improve the management of vulnerabilities to high-value information assets, the objective view links together the process areas that would satisfy this objective. Because CERT-RMM allows you to develop an approach to improvement that addresses specific objectives, understanding each of these types of relationships can also be important in helping you develop meaningful targeted improvement roadmaps, as discussed in Section 6.3.

Understanding the key relationships that exist among CERT-RMM process areas aids your adoption and application of the model. For this reason, each process area references other process areas and details the nature of the relationships between them. These references can be found in the “Related Process Areas” section of each process area in Part Three.

In this section, we describe the model view and provide two visual examples of how CERT-RMM process areas relate to each other to accomplish a common objective. As the model continues to be used and adopted, additional objectives and relationships will be developed and described.

4.1 The Model View

The model view simply arranges the process areas by process category. Process areas in each category share common characteristics that form the foundational architecture of the model.

4.1.1 Enterprise Management

The enterprise is an important concept in managing operational resilience. At the enterprise level, the organization establishes and carries out many activities that set the tone for operational resilience, such as governance, risk management, and financial responsibility.

The process areas in the Enterprise Management category represent functions and activities that are essential to broadly supporting the operational resilience management system. This does not mean that these processes are or have to be functionally positioned at an enterprise level. Instead, they represent organization-wide competencies that affect the operational resilience of organizational units. For example, the practices in the Risk Management process area may be performed by an organizational unit, but their effectiveness may be limited by the overall risk management capability of the organization.

The process areas that represent the Enterprise Management category are

• Communications [COMM]

• Compliance Management [COMP]

• Enterprise Focus [EF]

• Financial Resource Management [FRM]

• Human Resource Management [HRM]

• Organizational Training and Awareness [OTA]

• Risk Management [RISK]

Figure 4.1 depicts the relationships that drive resilience activities at the enterprise level.

Figure 4.1. Relationships That Drive Resilience Activities at the Enterprise Level


4.1.2 Engineering

Aspects of operational resilience management are requirements-driven. Thus, the process areas in the Engineering category represent those that are focused on establishing and implementing resilience for organizational assets, business processes, and services through a requirements-driven process. These processes establish the basic building blocks for resilience and create the foundation to protect and sustain assets and, by reference, the business processes and services that those assets support.

Engineering process areas fall into three broad categories:

Requirements Management addresses the development and management of the security (protect) and resilience (sustain) objectives for assets and services.

Asset Management establishes the important people, information, technology, and facilities assets across the enterprise.

Establishing and Managing Resilience addresses the selection, implementation, and management of preventive controls and the development and implementation of service continuity and impact management plans and programs. It also addresses early life-cycle consideration of resilience quality attributes for software and systems.

The Engineering process areas include:

Requirements Management

• Resilience Requirements Development [RRD]

• Resilience Requirements Management [RRM]

Asset Management

• Asset Definition and Management [ADM]

Establishing and Managing Resilience

• Controls Management [CTRL]

• Resilient Technical Solution Engineering [RTSE]

• Service Continuity [SC]

4.1.3 Operations

The Operations process areas represent the core activities for managing the operational resilience of assets and services in the operations life-cycle phase. These process areas are focused on sustaining an adequate level of operational resilience as prescribed by the organization’s strategic drivers, critical success factors, and risk appetite. These process areas represent core security, business continuity, and IT operations and service delivery management activities and focus specifically on the resilience of people, information, technology, and facilities assets.

Operations process areas fall into three broad categories:

Supplier Management addresses the management of external dependencies and the potential impact on the organization’s operational resilience.

Threat, Vulnerability, and Incident Management addresses the organization’s continuous cycle of identifying and managing threats, vulnerabilities, and incidents to minimize organizational disruption.

Asset Resilience Management addresses the asset-level activities that the organization performs to manage operational resilience of people, information, technology, and facilities to ensure that business processes and services are sustained.

The Operations process areas are:

Supplier Management

• External Dependency Management [EXD]

Threat, Vulnerability, and Incident Management

• Access Management [AM]

• Identity Management [ID]

• Incident Management and Control [IMC]

• Vulnerability Analysis and Resolution [VAR]

Asset Resilience Management

• Environmental Control [EC]

• Knowledge and Information Management [KIM]

• People Management [PM]

• Technology Management [TM]

Figure 4.2 depicts the relationships that drive threat and incident management.

Figure 4.2. Relationships That Drive Threat and Incident Management


4.1.4 Process Management

Process Management processes represent those that are focused on measuring, managing, and improving operational resilience management processes. These process areas represent the extension of process improvement concepts to operational resilience management and, in turn, to the disciplines of security and business continuity. Process areas in this category are intended to catalyze the organization’s view of resilience as a repeatable, predictable, manageable, and improvable process over which it has a significant level of active and direct control.

Process Management process areas can be divided into two broad categories:

Data Collection and Logging addresses the organization’s competencies for identifying, collecting, logging, and distributing information needed to ensure that operational resilience management processes are performed consistently and within acceptable tolerances.

Process Management addresses the activities the organization performs to improve and optimize operational resilience management processes and to make these processes consistent throughout the organization.

Process Management process areas are:

Data Collection and Logging

• Monitoring [MON]

Process Management

• Organizational Process Definition [OPD]

• Organizational Process Focus [OPF]

• Measurement and Analysis [MA]

4.2 Objective Views for Assets

Objective views in CERT-RMM can address a number of useful perspectives, such as

• how operational resilience management is planned and executed

• the specific processes that drive asset-based resilience, such as relationships that drive information resilience

• how people are addressed in operational resilience management

• the development and deployment of protection strategies and controls

• the service continuity planning process

With a large model, the number of possible objective views could be significant and would be beyond the scope of this book. A basic set of objective views can address the operational resilience management of the assets that are the focus of the model. The following describes these views and provides four figures that graphically depict model objectives.

4.2.1 People

Figure 4.3 shows the CERT-RMM process areas that participate in managing the operational resilience of people. They establish people as an important asset in service delivery and ensure that people meet job requirements and standards, have appropriate skills, are appropriately trained, and have access to other assets as needed to do their jobs.

Figure 4.3. Relationships That Drive the Resilience of People


4.2.2 Information

Figure 4.4 shows the CERT-RMM process areas that drive the operational resilience management of information. Information is established as a key element in service delivery. Requirements for protecting and sustaining information are established and used by processes such as risk management, controls management, and service continuity planning.

Figure 4.4. Relationships That Drive Information Resilience


4.2.3 Technology

Figure 4.5 shows the CERT-RMM process areas that drive the operational resilience management of technology. These relationships address the specific complexities of software and system resilience, as well as the resilience of architectures where the technology assets reside, development and acquisition processes, and processes such as configuration management and capacity planning and management.

Figure 4.5. Relationships That Drive Technology Resilience


4.2.4 Facilities

Figure 4.6 shows the CERT-RMM process areas that drive the operational resilience management of facilities. As with information and technology assets, relationships that drive the resilience of facilities have special considerations such as protecting facilities from disruption, ensuring that facilities are sustained, managing the environmental conditions of facilities, determining the dependencies of facilities on their geographical region, and planning for the retirement of a facility. Because facilities are often owned and managed by an external entity, consideration must also be given to how external entities implement and manage the resilience of facilities under the organization’s direction.

Figure 4.6. Relationships That Drive Facility Resilience
