The purpose of Resilience Requirements Management is to manage the resilience requirements of high-value services and associated assets and to identify inconsistencies between these requirements and the activities that the organization performs to meet the requirements.
In conjunction with the Resilience Requirements Development process area, the Resilience Requirements Management process area seeks to define the life cycle of resilience requirements—from inception, development, or acquisition to application, monitoring and measurement, and change management. In reality, resilience requirements constantly evolve as the organization encounters changes in strategic direction, operational complexity, and new or evolving risk environments. Unfortunately, requirements often are not revisited to ensure alignment with strategies for protecting and sustaining services and assets, potentially affecting the resilience of these services and ultimately the organization’s mission. Thus, the organization must implement and make a commitment to dedicated processes that aim to constantly monitor and adjust requirements as these triggers for change are encountered.
The Resilience Requirements Management process area aims to ensure that the requirements that are established in the Resilience Requirements Development process area (or are otherwise acquired) remain viable for each high-value asset associated with a high-value service until it is retired (either because the asset is retired or its relative value is reduced) or until it is changed due to one or more organizational triggers. In addition, Resilience Requirements Management defines the organization’s responsibility for monitoring the effectiveness of requirements (for protecting service-related assets and ensuring their continuity) and for recognizing when changes to requirements are necessary. Finally, the evolution of requirements often necessitates that an organization revisit the goals and practices in the Resilience Requirements Development process area because organizational drivers must be reestablished, new or revised enterprise-level or asset-level requirements must be developed, or changes to requirements must be analyzed and revalidated. The iterative nature of the Resilience Requirements Development and Resilience Requirements Management process areas is necessary to ensure that asset-level resilience requirements satisfactorily reflect and support strategic drivers, and this in turn supports the level of operational resilience that the organization desires.
The Resilience Requirements Management process area has one specific goal—to manage resilience requirements. In practice, this requires that the organization obtain and promote an understanding of the requirements, ensure commitment to satisfying the requirements, manage changes to the requirements, establish traceability of the requirements, and identify inconsistencies between the requirements and the activities that the organization performs to satisfy them.
The identification, development, documentation, and analysis of resilience requirements are performed in the Resilience Requirements Development process area.
The responsibility for managing requirements at the asset level is established in the Asset Definition and Management process area.
Ensuring that requirements reflect the protection and continuity needs of the owners of the assets is performed in the Resilience Requirements Development process area.
Identifying and establishing the ownership of the assets and the corresponding responsibilities for establishing and validating resilience requirements are performed in the Asset Definition and Management process area.
The monitoring and control of the satisfaction of resilience requirements for high-value business processes, services, and associated assets are performed in the Monitoring process area.
Resilience requirements are actively managed and inconsistencies between requirements and the activities necessary to satisfy them are identified.
The requirements defined and established in Resilience Requirements Development are managed over the life of the associated assets by
• identifying and managing changes to requirements (by establishing change triggers and criteria)
• establishing a shared view and understanding of requirements between owners and custodians
• maintaining the relationship between requirements and associated assets and services
• identifying inconsistencies between requirements and associated assets and services, and the activities performed to satisfy the requirements
• taking corrective action when requirements are not being satisfied
An understanding of resilience requirements is obtained from providers to ensure consistency and accuracy.
The identification and implementation of asset resilience requirements require cooperation between service owners, asset owners, and asset custodians. This cooperation must be based on a mutual and shared understanding of requirements.
Resilience requirements can come from many different sources, but asset owners have the ultimate responsibility for identifying, collecting, and establishing these requirements and for communicating these requirements to all those with a need to know (e.g., owners of an information asset such as medical records would be responsible for setting the confidentiality, integrity, and availability requirements for these records relative to the services they support). The requirements that asset owners develop are based on their implicit understanding of the relative value of the assets (as defined by the services to which they are associated) as well as the needs of the organization (as established in work products such as strategic drivers). They are also influenced by enterprise-level requirements and the results of risk assessments and business impact analyses.
Establishing ownership of the assets and the corresponding responsibilities for establishing and validating resilience requirements is performed in the Asset Definition and Management process area.
Asset custodians must ensure that they clearly and completely understand the requirements so that there is a shared vision of the need for protecting and sustaining assets. Custodians must ensure that they act only on the requirements from authorized providers (generally asset owners or their approved designees). Custodians must agree to the requirements and must identify any organizational constraints they may know of in satisfying the requirements so that the constraints can be communicated to owners for their consideration and approval. The agreement between owners and custodians on how assets are to be protected and sustained is crucial in managing operational resilience.
Typical work products
Subpractices
Commitments to resilience requirements are obtained from those who are responsible for satisfying the requirements.
The resilience requirements set by asset owners require two actions to ensure implementation: (1) they must be communicated to all custodians who need to know them, and (2) custodians must make a commitment to implement and manage the requirements. Because requirements represent a wide range of needs for protecting assets, custodians in turn may represent a wide range of organizational entities and activities, so this practice may be extensive.
Owners must commit to developing and monitoring the requirements, and custodians must commit to performing activities that are commensurate with protecting and sustaining assets. Owners must ensure that commitments have been obtained from custodians both internal and external to the organization to implement the requirements as provided and to manage to the requirements as they change and evolve.
Typical work products
Changes to resilience requirements are managed as conditions dictate.
The conditions under which organizations operate are continually changing. As a result, the risk environment for services and associated assets continues to evolve as well. An organization must become very adept at recognizing changes in conditions that precipitate considerations for changes in asset resilience requirements.
Managing changes to requirements involves consideration of several distinct activities:
• identifying change triggers and criteria
• identifying associated assets that may be affected by these triggers
• assessing the impact of changes on asset requirements
• identifying and documenting changes to existing requirements (or identifying new requirements, if necessary)
• communicating changes to requirements to those who are responsible for their implementation (custodians)
Change management for resilience requirements is a continuous process and therefore requires that the organization effectively assign responsibility and accountability for it. The organization must independently monitor that the change management process is operational and that asset-level resilience requirements have been updated on a regular basis so that they remain in direct alignment with organizational drivers. In most cases, these responsibilities will fall to asset owners as part of their management of the assets over their life cycles.
Typical work products
Subpractices
Ensure that these criteria are commensurate with the organization’s risk tolerances.
Update service level agreements with custodians if necessary to reflect commitment to changes.
Traceability between resilience requirements and the activities performed to satisfy the requirements is established.
The development, implementation, and monitoring of resilience requirements necessitate that they be traceable from originating source to assets, and vice versa. Often, there is not a simple one-to-one relationship between requirement and asset because, in practical application, requirements are usually translated and decomposed into lower-level and discipline-specific (i.e., security and business continuity) activities. This is further complicated by two additional realities:
• A single resilience requirement may be associated with one asset or, more realistically, with more than one asset. For example, a service that must be available 24 hours per day, 7 days per week will generate availability requirements for the associated people, the supporting application systems and technology components, the information and data, and the facilities in which these assets are accessible and productive.
• An asset may have more than one set of resilience requirements, originating from different sources (organizational constraints, different owners, and the enterprise), and these sets of requirements are often in direct conflict.
This specific practice ensures that the source of the requirements can be traced to all of the assets that are the subject of the requirements, which is particularly important when requirements or assets undergo changes. In addition, this specific practice requires that the organization be able to trace requirements from assets back to their sources so that responsibility and accountability for the requirements can be ascertained and that changes can be more effectively accomplished and conflicts effectively resolved.
Resolving requirements conflicts is addressed in the Resilience Requirements Development process area.
Typical work products
Subpractices
Revise the profile as requirements change to ensure it reflects current asset needs.
The maintenance of asset profiles is addressed in the Asset Definition and Management process area.
Ensure that traceability is maintained along the whole chain: from the strategies to protect and sustain services and assets, to the resilience requirements intended to implement those strategies, to the activities performed to satisfy the requirements.
Inconsistencies between resilience requirements and the activities performed to satisfy the requirements are identified and managed.
The monitoring and control of the satisfaction of resilience requirements for high-value services and associated assets are performed in the Monitoring process area.
Custodians make commitments to perform activities and implement controls that are consistent with resilience requirements and that ensure the satisfaction of those requirements. This specific practice aims to ensure that custodians are capable and prepared to meet the requirements to which they have made commitments (whether or not they are under the direct control of the organization).
Because assets may derive requirements from more than one source, it is possible that custodians in good faith commit to the requirements but in reality are constrained in satisfying them. Identifying these inconsistencies proactively can help the organization to resolve conflicts, to reroute work as necessary, or to negotiate with owners to make changes to requirements as needed.
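The two-way traceability and the inconsistency checks described above (assets without requirements, requirements whose assets have been retired, requirements with no custodian commitment, commitments that cannot be backed by activities, and conflicting requirements on one asset), as an added example in Python that is not part of the CERT-RMM text. The asset inventory, requirement ids, custodians and the patient-scheduling service are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    aid: str
    custodian: str  # entity that has agreed to protect and sustain the asset

@dataclass(frozen=True)
class Requirement:
    rid: str
    source: str        # owner or enterprise driver the requirement traces back to
    kind: str          # confidentiality | integrity | availability
    target: str        # level demanded, e.g. "24x7"
    assets: frozenset  # ids of the assets the requirement applies to

@dataclass(frozen=True)
class Commitment:
    rid: str
    custodian: str
    activities: tuple  # activities/controls the custodian actually performs

def trace_forward(reqs, assets, rid):
    """Source -> requirement -> assets, with the custodian answerable for each."""
    custodian = {a.aid: a.custodian for a in assets}
    return {aid: custodian[aid] for r in reqs if r.rid == rid for aid in r.assets if aid in custodian}

def trace_backward(reqs, aid):
    """Asset -> requirements -> originating source, so accountability can be ascertained."""
    return {r.rid: r.source for r in reqs if aid in r.assets}

def find_inconsistencies(assets, reqs, commitments):
    """Flag the gaps and conflicts that RRM asks owners and custodians to identify and manage."""
    known = {a.aid for a in assets}
    covered = {aid for r in reqs for aid in r.assets}
    committed = {c.rid for c in commitments}
    out = {
        "assets_without_requirements": sorted(known - covered),
        "requirements_without_assets": sorted(r.rid for r in reqs if not (r.assets & known)),
        "requirements_without_commitment": sorted(r.rid for r in reqs if r.rid not in committed),
        "commitments_without_activities": sorted(c.rid for c in commitments if not c.activities),
        "conflicting_requirements": [],
    }
    # Conflict: one asset, one requirement type, different targets from different sources.
    per_asset = defaultdict(lambda: defaultdict(set))
    for r in reqs:
        for aid in r.assets & known:
            per_asset[aid][r.kind].add((r.rid, r.target))
    for aid, kinds in sorted(per_asset.items()):
        for kind, pairs in sorted(kinds.items()):
            if len({target for _, target in pairs}) > 1:
                out["conflicting_requirements"].append((aid, kind, sorted(rid for rid, _ in pairs)))
    return out

# Constructed sample inventory for a hypothetical patient-scheduling service.
ASSETS = [
    Asset("people.oncall", "clinical ops"),
    Asset("tech.sched-app", "IT operations"),
    Asset("info.medical-records", "IT operations"),
    Asset("fac.datacenter", "facilities mgmt"),
    Asset("tech.tape-library", "IT operations"),  # nobody has set requirements for it
]
REQS = [
    Requirement("R1", "service owner: patient scheduling", "availability", "24x7",
                frozenset({"people.oncall", "tech.sched-app", "info.medical-records", "fac.datacenter"})),
    Requirement("R3", "enterprise: facilities policy", "availability", "weekly maintenance window",
                frozenset({"fac.datacenter"})),
    Requirement("R4", "asset owner: legacy billing", "integrity", "signed records",
                frozenset({"tech.billing-v1"})),  # that asset has already been retired
]
COMMITMENTS = [
    Commitment("R1", "IT operations", ("clustered app servers", "nightly replication")),
    Commitment("R1", "facilities mgmt", ()),  # committed in good faith but constrained by R3
]
```

Run `find_inconsistencies(ASSETS, REQS, COMMITMENTS)` to get the report an owner would escalate under the periodic review described later in this process area.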
Typical work products
Subpractices
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Resilience Requirements Management process area.
The operational resilience management system supports and enables achievement of the goals of the Resilience Requirements Management process area by transforming identifiable input work products to produce identifiable work products.
Perform the specific practices of the Resilience Requirements Management process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices RRM:SG1.SP1 through RRM:SG1.SP5 are performed to achieve the goals of the resilience requirements management process.
Resilience requirements management is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the resilience requirements management process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the resilience requirements management process.
Subpractices
Elaboration:
Elaboration:
Establish and maintain the plan for performing the resilience requirements management process.
Elaboration:
The plan for the process of resilience requirements management should enable large-scale (at the enterprise or organizational unit level, whichever is appropriate) management of resilience requirements by owners of organizational assets (particularly information, technology, and facilities assets). The plan should also allow for the distribution of these requirements to custodians who are responsible for implementing strategies to meet the requirements for protecting and sustaining assets in their care or possession. The plan must support both internal staff involved in the process (typically asset owners) and external entities (which may include custodians). The plan must support managing requirements that are developed as part of the resilience requirements development process, as well as requirements acquired from other internal and external sources.
Subpractices
Elaboration:
Special consideration may be given to the means of collecting and organizing requirements from all identified sources so that they can be managed by this process.
Provide adequate resources for performing the resilience requirements management process, developing the work products, and providing the services of the process.
Subpractices
Elaboration:
The diversity of asset types (people, information, technology, and facilities) requires that staff assigned to the resilience requirements management process have appropriate knowledge of all assets that need to fulfill resilience requirements and the services with which they are associated.
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for resilience requirements management.
Elaboration:
Assign responsibility and authority for performing the resilience requirements management process, developing the work products, and providing the services of the process.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
The primary staff involved in the resilience requirements management process are service owners and asset owners and custodians.
Refer to the Enterprise Focus process area for information about identifying organizational services and associating them with organizational assets.
Refer to the Asset Definition and Management process area for information about establishing asset ownership and custodianship.
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the resilience requirements management process as needed.
Elaboration:
Expertise in managing resilience requirements requires a strong understanding of each type of resilience requirement (confidentiality, integrity, and availability) as well as the ability to understand strategies (including the internal control system) for protecting and sustaining the various types of assets. Knowledge across multiple functional domains of physical and logical security, business continuity, logistics, and crisis response may also be required.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Subpractices
Elaboration:
Effective management of resilience requirements (including changes to requirements) must be informed by working knowledge of how an asset is deployed and how it contributes to assuring the mission of organizational services. Asset owners and custodians must be skilled in preserving the dependencies among assets, services, and organizational mission and goals that have been translated into resilience requirements. Functional working knowledge of the types of resilience requirements and their impact on assets is essential.
Information security risk assessment training can provide fundamental knowledge about resilience requirements such as confidentiality and integrity. An active knowledge of business impact analysis techniques can provide foundational knowledge about availability requirements.
Training may also be needed for staff to use requirements management tools, techniques, and methods, particularly for requirements tracking and change control, which may be performed through the use of specialized application systems and databases.
Place designated work products of the resilience requirements management process under appropriate levels of control.
Elaboration:
Changes in strategic objectives or assets (and the services with which they are associated) will necessitate changes in resilience requirements. Because resilience requirements are the basis for strategies to protect and sustain assets and services, changes to these requirements may in turn translate to changes in strategies, including the type and extent of controls, changes to service continuity plans, etc.
RRM:SG1.SP3 specifically addresses the change control process over resilience requirements. RRM:GG2.GP6 generically covers all work products of the resilience requirements management process.
Identify and involve the relevant stakeholders of the resilience requirements management process as planned.
Subpractices
Elaboration:
Monitor and control the resilience requirements management process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Elaboration:
The results of periodic reviews should be elevated to higher-level managers to ensure that the strategies for protecting and sustaining assets continue to be in alignment with (1) their resilience requirements (that is, able to satisfy the requirements) as requirements change and (2) the organization’s enterprise resilience requirements and strategic objectives.
Objectively evaluate adherence of the resilience requirements management process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Objective evaluation of the resilience requirements management process is intended to ensure that requirements are up-to-date and available as the basis for the organization’s development, implementation, and management of strategies to protect and sustain assets and services. Therefore, objective evaluation should be focused on determining whether there is alignment between requirements and the activities being performed to meet the requirements, as well as ensuring that requirements changes are managed and controlled.
Review the activities, status, and results of the resilience requirements management process with higher-level managers and resolve issues.
Elaboration:
Assets that do not have resilience requirements, have poorly defined requirements, or have outdated requirements should be brought to the attention of higher-level managers as a symptom of potential process inadequacies. In addition, inconsistencies between requirements and strategies for protecting and sustaining assets and services should also be reported. Audits of the process should be conducted regularly to ensure that the process is functioning properly across organizational units and the enterprise.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Resilience requirements management is institutionalized as a defined process.
Establish and maintain the description of a defined resilience requirements management process.
Elaboration:
The identification, tracking, and management of resilience requirements may be best performed at a level commensurate with direct ownership of the asset. Thus, this process may often be carried out at the organizational unit level. However, to ensure consistency of requirements across organizational units, the process must be tailored from the organization’s enterprise process definition.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect resilience requirements management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices