quality attributes, in software and system development, 793–794
questionnaires, for assessing effectiveness of awareness program, 662
reassignment, of roles and responsibilities, 429
records
of awareness activities, 661–662
identify vital organizational, 837–839
of maintenance operations, 895
of monitoring information, 591–592
of training activities, 669–670
recovery plans, service continuity and, 839
recovery point objectives (RPOs)
availability of technology assets and, 892–893
defined, 981
recovery time objectives (RTOs)
availability of technology assets and, 892–893
defined, 981
redundancy
availability of technology assets and, 891
establish for vital staff, 694–695
succession planning and, 695–697
reference resources, for information in this book, 993–995
references, process area
defined, 47–48
typographical and structural conventions, 51
registration, of identities, 450–451
regulations
defined, 981
documenting events and, 481–482
electric power industry and, 101–103
establish scope of improvement, 84
managing. See Compliance (COMP)
stress of managing operational risk, 23
related process areas section, 45, 48
relationships
establish enterprise specifications, 353–354
establish formal agreements, 360–362
establish resilience specifications, 355–357
evaluate/select external entities, 358–359
identify internal and external dependencies and interdependencies, 837
model view. See model view
objective view. See objective views, for assets
between process elements, 610
release builds, 981
release management
defined, 981
technical solutions released into production, 812–813
for technology assets, 889–890
reliability
of information assets, 529–530
resilience and, 100–101
remediation
of areas of non-compliance, 223–225
identifying areas needing compliance, 223
repeatability, of measures, 557
reports
on communications effectiveness, 194
on compliance obligation satisfaction, 222–223
on corrective actions, 326
on event status, 483
external dependencies management, 362
in incident management, 478–479, 486
on incident status, 491
logged events and, 481
post-incident review, 494
on resilience oversight, 325
repositories
for compliance data, 220–221
for processes and work products, 955
for skills, 985
for vulnerability information, 922–923, 925, 987
required components
defined, 981
overview of, 43–44
summary of, 48
requirements
guidelines for Resilient Technical Solution Engineering, 800–801
validate service continuity plans against, 845–846
requirements, for Monitoring
analyze and prioritize, 585–587
establishing, 583–585
requirements, resilience
developing. See Resilience Requirements Development (RRD)
managing. See Resilience Requirements Management (RRM)
operational. See operational resilience requirements
Requirements Development, CMMI process area, 795
residual risk, 981
resilience
configuration management and, 884–885
defined, 981, xv
establish resilience-focused technology assets, 873–874
identifying vital resilience functions of staff, 689
inserting obligations in job descriptions, 423
management. See operational resilience management
reliability and resilience in, 100–101
requirements. See operational resilience requirements
resilience-aware culture, 319–320
resilience-focused assets, 275
scope, 89–90
of service, 14
staff and training, 982
using goals and objectives to support, 423–424
resilience budgets
defined, 982
establishing, 388–389
funding resilience activities, 391
resolving funding gaps, 388–389
Resilience Requirements Development (RRD)
achieve specific goals, 756
analyze resilience requirements, 755
assign enterprise resilience requirements to services, 753–754
assign responsibility for, 760–761
Cloud Computing and, 962
collect improvement information, 769
define required functionality, 754–755
defined, 982
develop service requirements, 752
developing resilient software across life cycle with, 107
as Engineering process area, 56
establish asset resilience requirements, 752–753
establish defined process for, 768–769
establish process governance, 757–758
for facility asset resilience requirements, 276–277
FISMA compliance, 960
identify and involve relevant stakeholders, 763–764
identify enterprise requirements, 750–752
introductory notes, 747–750
manage work product configurations, 763
monitor and control process of, 765–766
objectively evaluate adherence, 767
plan the process, 758–759
provide resources for, 759–760
purpose of, 747
related process areas, 750
review status with higher-level managers, 768
summary of specific goals and practices, 750
train people for, 761–763
validate resilience requirements, 756
Resilience Requirements Management (RRM)
achieve specific goals, 778
assign responsibility for, 782–783
Cloud Computing and, 962
collect improvement information, 791–792
defined, 982
developing resilient software across life cycle, 107
as Engineering process area, 56
establish defined process for, 791
establish process governance, 779–780
identify and involve relevant stakeholders, 786–787
identify inconsistencies in meeting resilience requirements, 778
introductory notes, 771–772
maintain traceability of resilience requirements, 776–777
manage changes to resilience requirements, 775–776
manage work product configurations, 785–786
managing change to resilience requirements, 131
monitor and control the process, 787–789
objectively evaluate adherence, 789–790
obtain commitment to resilience requirements, 774–775
plan the process, 780–781
provide resources for, 781–782
purpose of, 771
related process areas, 772
review status with higher-level managers, 790–791
summary of specific goals and practices, 772
train people for, 783–785
understanding resilience requirements, 773–774
resilience specifications
defined, 982
evaluating/selecting external entities based on, 358–359
for external dependencies, 355–357
external dependencies management, 361
resilience training
delivery of, 668–669
establish training needs, 664–665
establish training plan, 665
materials, 666–667
Resilient Technical Solution Engineering (RTSE)
achieve specific goals, 813
assign responsibility for, 818–819
collect improvement information, 828–829
create development plans for resilient technical solutions, 807–808
defined, 982
developing resilient software across life cycle, 106–107
as Engineering process area, 56
establish defined process for, 827–828
establish process governance, 814–815
identify and involve relevant stakeholders, 822–823
identify architecture and design guidelines, 801–802
identify assembly and integration guidelines, 805–807
identify general guidelines, 798–800
identify implementation guidelines, 802–805
identify requirements guidelines, 800–801
influenced by CMMI process areas, 108
integrating selected guidelines with software and system development process, 809–810
introductory notes, 793–796
manage work product configurations, 821–822
monitor and control the process, 823–826
monitoring execution of development plan, 810–812
objectively evaluate adherence, 826–827
plan the process, 816
provide resources for, 816–818
purpose of, 793
related process areas, 796
release solutions into production, 812–813
review status with higher-level managers, 827
select and tailor guidelines, 808–809
summary of specific goals and practices, 796
train people for, 820–821
resource needs, establishing
address skill deficiencies, 416–418
establish baseline competencies, 414–415
inventory skills and identify gaps, 415–416
overview of, 413
resources, providing. See also Financial Resource Management (FRM)
Access Management, 163–165
Asset Definition and Management, 137–138
Communications, 197
Controls Management, 259–260
Enterprise Focus, 328–330
Environmental Control, 293–295
External Dependencies Management, 368–370
Financial Resource Management, 400–402
generic goals and practices, 948
Human Resource Management, 436–437
Identity Management, 462–464
Incident Management and Control, 499–500
Knowledge and Information Management, 536–538
Measurement and Analysis, 567–569
Monitoring, 596–597
Organizational Process Definition, 619–620
Organizational Process Focus, 643–645
Organizational Training and Awareness, 674–675
People Management, 704–706
Resilience Requirements Development, 759–760
Resilience Requirements Management, 781–782
Resilient Technical Solution Engineering, 816–818
Risk Management, 736–737
Service Continuity, 856–857
Technology Management, 902–904
Vulnerability Analysis and Resolution, 931–932
responding to incidents
declare events for response planning, 483–484
limiting organizational impact of incidents, 488–490
recovery and, 487
response and recovery, responding to incidents, 487
responsibilities. See also roles
incident management plan and, 477–478
linking to identity. See Identity Management (IM)
in organizational identity, 448
periodic review to identify invalid identities, 457
roles vs., 453
responsibilities, assigning
Access Management, 165–166
Asset Definition and Management, 138–139
Communications, 199–200
Compliance, 231–232
Controls Management, 261–262
Enterprise Focus, 330–331
Environmental Control, 296–297
External Dependencies Management, 370–371
Financial Resource Management, 402–403
generic goals and practices, 948–949
Human Resource Management, 437–438
Identity Management, 464–465
Incident Management and Control, 501–502
Knowledge and Information Management, 538–539
managing changes to employment status, 429
Measurement and Analysis, 569–570
Monitoring, 597–598
Organizational Process Definition, 620–621
Organizational Process Focus, 645–646
Organizational Training and Awareness, 676–677
People Management (PM), 706–707
Resilience Requirements Development, 760–761
Resilience Requirements Management, 782–783
Resilient Technical Solution Engineering, 818–819
Risk Management, 737–738
Service Continuity, 857–858
Technology Management, 904–905
Vulnerability Analysis and Resolution, 933
restoration plans
incident response and, 489
service continuity and, 839
restrictions. See access privileges
retention, of information assets, 531–532
retirement, develop plan for facility, 289–290
retrieval, of compliance data, 220
return on resilience investment (RORI)
calculation, 396–397
defined, 983
review status with higher-level managers, generic goals and practices, 953
reviews
with high-level managers. See higher-level managers, reviewing with
monitoring and controlling and, 952
of monitoring processes, 602–603
in objective evaluation of adherence, 953
periodic, of environmental control process, 302
periodic, of identities, 456–457
post-execution review of service continuity plans, 851
sources of vulnerability, 921
revision history, in change management, 888
RISK. See Risk Management (RISK)
risk
assessing controls for, 253, 257
assessment of facility asset, 280–281
availability of technology assets and, 892
controlling operational environment, 282–283
defined, 983
defining controls for, 248–250
due to external dependencies, 349–350
governance, xvi
identifying and assessing external, 350–351
identifying related to involuntary terminations, 432
mitigation strategies for external dependencies, 352
mitigation strategies for facility assets, 281–282
of non-compliance, 222
protecting information assets and, 518–519
service continuity planning and, 832
risk analysis, 983
risk appetite, 983
risk category, 983
risk disposition
assigning, 727–729
defined, 983
risk management
focus on high-value services, 836
incident management and, 475
interoperability and, 898–899
risk management, for information assets
identify and assess risks, 522
mitigate risks, 523
overview of, 521
prioritization and, 515–517
risk management, for technology assets
identify and assess risks, 879–880
mitigate risks, 880–881
overview of, 878–879
prioritization of technology assets, 871
risk management, of staff risk
identify and assess staff risks, 691–692
mitigate staff risks, 692–693
overview of, 691
Risk Management (RISK)
achieve specific goals, 733
apply risk information to operational resilience management, 731–732
assign responsibility for, 737–738
assign risk disposition, 727–729
categorize and prioritize risks, 727
Cloud Computing and, 962
collect improvement information, 745–746
define risk parameters, 721–722
defined, 983
determine sources and categories of risk, 719–720
develop risk mitigation plans, 729–731
Enterprise Management, 54–55
establish defined process for, 744–745
establish operational risk management strategy, 720–721
establish process governance, 734–735
establish relationship between assets and services, 130
establish risk measurement criteria, 722–723
evaluate risks, 726–727
FISMA compliance, 960
identify and involve relevant stakeholders, 740–741
identify asset-level risks, 723–725
identify service-level risks, 725–726
implement risk strategies, 731
insider threats and, 964
introductory notes, 717–718
manage work product configurations, 740
mitigate risks, 729
monitor and control the process, 741–743
objectively evaluate adherence, 743–744
plan the process, 735
preparing for, 719
provide resources for, 736–737
purpose of, 717
related process areas, 718
relationships driving threat/incident management, 58
review and adjust risk-related strategies, 732–733
review status with higher-level managers, 744
summary of specific goals and practices, 718
train people for, 738–739
risk measurement criteria, 983
risk mitigation
defined, 983
for external dependencies, 352
for facility assets, 281–282
of general risks, 729
implementing process action plans, 731
risk mitigation plans, 729–731, 983
of staff risks, 692–693
of technology asset risks, 880–881
risk parameters, 984
risk statements
defined, 984
developing, 725
staff risks and, 692
risk taxonomy, 984
risk threshold, 984
risk tolerance
defined, 984
overview of, 721–722
vulnerability analysis and resolution strategy and, 918–919
roles. See also responsibilities
access privileges and, 155–156
assign for knowledge and information management, 539
assign to identities, 453–454
identifying vital staff and, 688
incident management plan and, 477–478
linking to organizational identity. See Identity Management (IM)
managing changes to employment status, 429
organizational process definition process, 621
periodic review to identify invalid identities, 457
root-cause analysis
applying to vulnerabilities, 927–928
defined, 984
in post-incident review, 494
RORI (return on resilience investment)
calculation, 396–397
defined, 983
RPOs (recovery point objectives)
availability of technology assets and, 892–893
defined, 981
RRD. See Resilience Requirements Development (RRD)
RRM. See Resilience Requirements Management (RRM)
RTOs (recovery time objectives)
availability of technology assets and, 892–893
defined, 981
RTSE. See Resilient Technical Solution Engineering (RTSE)
rules, establish for integrated teams, 615–616
safety, work environment standards, 615
SC. See Service Continuity (SC)
scalability, of CERT-RMM, 15
SCAMPI (Standard CMMI Appraisal Method for Process Improvement), 92
scope
of assets and environments, 917–918
basing improvement objectives on, 84–85
capability appraisal and, 93–94
CERT-RMM, 14
of control assessment, 255–256
defined, 984
organizational scope, 84–87, 978
of risk assessment, 281
RORI calculation, 396–397
scorecard, governance, 324
screening, pre-employment, 418–419
secure design pattern, 984
security
benefits of CERT-RMM, 5
evolution of CERT-RMM, 10–11
protection of information assets, 518–519
protection of technology assets, 874–875
protection strategy, 35–36
service continuity plans, 843–844
work environment standards, 615
SEI (Software Engineering Institute), 8, 9–12
sensitivity
asset disposal and, 526
attributes of information assets, 514
categorize information assets by, 517–518
defined, 984
identifying staff responsible for sensitive assets, 690
organizational sensitivity, 978
service continuity plans
assign staff to, 842–843
availability of technology assets and, 891–893
defined, 985
develop and document, 840–842
develop testing program and standards for, 847–848
develop training for, 844
establish change criteria for, 852
evaluate test results, 849–850
execute, 850–851
exercise tests of, 849
identify and resolve conflicts in, 846
identify required plans, 840
identify vital staff, 688
maintain, 851–853
measure effectiveness of, 851
prepare for staff redeployment, 697–698
return-to-work plan, 700
risk mitigation and, 733
store and secure, 843–844
support of staff during disruptive events, 699
technology assets in, 873
validation of, 845–846
Service Continuity (SC)
achieve specific goals, 853
assign responsibility for, 857–858
assign staff to plans, 842–843
Cloud Computing and, 963
collect improvement information, 866–867
controls management using, 243
defined, 984
develop and document plans, 840–842
develop and document test plans, 848
develop operational resilience management plan, 315–316
develop resilient software across life cycle with, 108
develop testing program and standards, 847–848
develop training, 844
as Engineering process area, 56
establish change criteria, 852
establish defined process for, 865–866
establish process governance, 853–855
establish resilience-focused facility assets, 275
establish standards and guidelines for, 835
evaluate test results, 849–850
execute plans, 850–851
FISMA compliance, 960
identify and involve relevant stakeholders, 860–862
identify and resolve conflicts in plans, 846
identify communications requirements with, 180–181
identify high-value services, 835–836
identify internal and external dependencies and interdependencies, 837
identify required plans, 840
identify vital organizational records and databases, 837–839
incident response and, 489
introductory notes, 831–832
maintain changes to plans, 852–853
maintain plans, 851
manage work product configurations, 860
measure effectiveness of plans, 851
monitor and control the process, 862–864
objectively evaluate adherence, 864–865
plan the process, 855
prepare and plan for, 833–835
protect and sustain services and assets, 131
provide resources for, 856–857
purpose of, 831
related process areas, 832–833
relationships driving threat/incident management, 58
review status with higher-level managers, 865
store and secure plans, 843–844
summary of specific goals and practices, 833
test (exercise) plans, 849
train people for, 858–859
validate plans, 845–846
service disruption, 915
service level agreements (SLAs), 985
service profiles, 985
service-level controls
assessing effectiveness of, 253–254
defining, 248–250
service-level resilience requirements
analyze and validate, 754
assigning enterprise resilience requirements to services, 753–754
defined, 985
developing, 752
overview of, 748
service-level risks
identifying, 725–726
review and adjust strategies for, 732–733
services
in CERT-RMM, 14
CERT-RMM not establishing, delivering or managing, 14
concept of, 27–29
defined, 984
establish relationship between assets and, 130–131
focus on high-value, 29
fueled by assets, 30–33
life-cycle of, 38–39
operational risk objectives, 25–27
prioritize external dependencies relative to, 348–349
prioritize information assets relative to, 516
services map, 753
service-support staff, 689
shared resilience requirements, 985
Shewhart cycle, 80
silos, 5
skills
addressing gaps and deficiencies, 416–417
identifying gaps and deficiencies, 416
incident management plan and, 477–478
inventory or repository, 415–416, 985
service continuity plans and, 844
training needs and, 665
skills, training
Access Management, 167
Asset Definition and Management, 138, 140
Communications, 200–201
Compliance, 232–233
Controls Management, 262–263
Enterprise Focus, 331
Environmental Control, 297–298
External Dependencies Management, 371–372
Financial Resource Management, 403–404
generic goals and practices, 949–950
Human Resource Management, 439–440
Identity Management, 465–466
Incident Management and Control, 502–503
Knowledge and Information Management, 537, 540–541
Measurement and Analysis, 570–571
Monitoring, 599
Organizational Process Definition, 622
Organizational Process Focus, 646–647
Organizational Training and Awareness, 677–678
People Management, 708–709
Resilience Requirements Development, 762–763
Resilience Requirements Management, 784–785
Resilient Technical Solution Engineering, 820–821
Risk Management, 739
Service Continuity, 859
Technology Management, 906
Vulnerability Analysis and Resolution, 934
SLAs (service level agreements), 985
sociopolitical events, controlling operational environment, 283
software
architecture and design guidelines, 801–802
assembly and integration guidelines, 805–807
errors, 891
execution of development plan, 810–812
implementation guidelines, 802–805
integrating selected resilience guidelines with development process for, 809–810
integrity of, 882
monitoring, 795
releasing resilient solutions into production, 812–813
resilience guidelines, 800–801
resilience requirements, 793–794
stress of managing as intangible asset, 22
tailoring resilience guidelines using selection criteria, 808–809
software assurance, using CERT-RMM
about the authors, 104–105
defined, 105
overview of, 105–110
Software Engineering Institute (SEI), 8, 9–12
specific goals and practices
tags and numbering scheme for, 49
typographical and structural conventions, 50
using practice-level scope, 88–89
sponsorship. See also managers, review with higher-level
commit funding for operational resilience management, 383–384
for compliance program, 214, 231
establish scope of improvement, 84–85
of identity, 451
sponsorship, for operational resilience management
commit funding, 318–319
overview of, 317–318
promote resilience-aware culture, 319–320
standards and policies, 320–321
staff
access controls for, 883–884
acquisition of, 418
assigning to service continuity plans, 842–843
defined, 985
document organizational and intellectual knowledge of, 532–533
establish vital, 687–690
incident response and, 490
for maintenance operations, 894–895
managing. See People Management (PM)
for operational resilience management program, 316–317
personnel services. See Human Resource Management (HRM)
post-incident review, 494
providing for incident closure, 492
resource provision and, 948
training. See training people
training in discovery of vulnerabilities, 923
verifying suitability of candidates, 418–419
staff, providing
Access Management, 163–164
Asset Definition and Management, 137
Communications, 186–188, 198–200
Compliance, 229–230
Controls Management, 260
Enterprise Focus, 329
Environmental Control, 293–294, 296–297
External Dependencies Management, 368–370
Financial Resource Management, 400–401
Human Resource Management, 436
Identity Management, 462–464
Incident Management and Control, 477–478, 499–500
Knowledge and Information Management, 537
Measurement and Analysis, 568
Monitoring, 596–597
Organizational Process Definition, 619–620
Organizational Process Focus, 644
Organizational Training and Awareness, 674
People Management, 704–705
Resilience Requirements Development, 759–760
Resilience Requirements Management, 781
Resilient Technical Solution Engineering, 817
Risk Management, 736–737
Service Continuity, 856
Technology Management, 902–903
Vulnerability Analysis and Resolution, 931–932
staff availability
establish redundancy for vital staff, 694–695
managing, 693–694
perform succession planning, 695–697
plan for return-to-work following disruptive events, 700–701
plan to support staff during disruptive events, 698–700
prepare for redeployment, 697–698
staff risks
identify and assess, 691–692
mitigate, 692–693
overview of, 691
stakeholders
communicating measurement results to, 564–565
communicating to regarding incidents, 489
defined, 985
distributing collected information to, 592–593
escalation of incidents for input from, 487–488
in monitoring processes, 581–582
for performing resilience oversight, 324–325
stakeholders, identify and involve
Access Management, 168–169
Asset Definition and Management, 141–142
Communications, 177–181, 202–203
Compliance, 234–236
Controls Management, 264–265
Enterprise Focus, 332–333
Environmental Control, 299–300
External Dependencies Management, 373–374
Financial Resource Management, 404–406
generic goals and practices, 951
Human Resource Management, 441–442
Identity Management, 467–468
Incident Management and Control, 504–506
Knowledge and Information Management, 542–543
Measurement and Analysis, 571–573
Monitoring, 600–601
Organizational Process Definition, 623–624
Organizational Process Focus, 648–649
Organizational Training and Awareness, 679–680
People Management, 710–711
Resilience Requirements Development, 763–764
Resilience Requirements Management, 786–787
Resilient Technical Solution Engineering, 822–823
Risk Management, 740–741
Service Continuity, 860–862
Technology Management, 907–908
Vulnerability Analysis and Resolution, 935–936
Standard CMMI Appraisal Method for Process Improvement (SCAMPI), 92
standard processes
composition of, 607
defined processes compared with, 954
deploying, 638
establishing, 608–610
measurement repository for, 612
monitoring implementation of, 639
tailoring and, 611–612
standards. See also guidelines
for communications, 181–184
Compliance, 214
for configuration management, 886
establishing standard processes, 608–610
interoperability, 898
managing. See Compliance (COMP)
for monitoring, 589–591
for service continuity, 835
sponsoring resilience, 320–321
test service continuity plans against, 847–848
validate service continuity plans against, 845–846
for work environments, 614–615
statistics, descriptive statistics in data analysis, 560
Stevens, James, 99–100
storage
of compliance data, 220
of data, 563–564
data collection and, 557–559
of service continuity plans, 843–844
strategic planning
defined, 986
developing operational resilience management plan, 314–316
establish critical success factors, 310–312
establish organizational services, 312–314
establish scope of improvement, 84
establishing, 309–310
funding operational resilience management, 383–384
performing resilience oversight for, 323–324
using CERT-RMM to support, 78
strategies
establish operational risk management strategy, 720–721
establish vulnerability analysis and resolution strategy, 918–920
implement risk strategies, 731
for protecting/sustaining assets, 35–36
review and adjust asset-level risk strategies, 732
review and adjust service-level risk strategies, 732–733
for staff redundancy, 695
translating lessons into, 495–496
strengths and weaknesses, appraisal of organization, 632–633
stress
causes of in operational resilience management, 2
CERT-RMM control of organizational behavior during, 21–23
managing operational resilience, 25–27
structural conventions, process areas, 49–51
subpractices, process area
defined, 47–48
typographical and structural conventions, 51
subprocesses, 986
succession planning
defined, 986
perform, 695–697
summary of specific goals and practices, process areas, 45
Supplier Management, Operations, 57
suppliers, 986
surveys
assess effectiveness of awareness program, 662
assess effectiveness of training program, 670
sustain
defined, 986
facility assets, 284–285
information, 35–36
services and assets, 131
technology assets, 891–894
sustainability planning, 285–286
Sustaining Operational Resiliency: A Process Improvement Approach to Security Management (Caralli 2006), 12
systems
architecture and design guidelines, 801–802
assembly and integration guidelines, 805–807
execution of development plan, 810–812
implementation guidelines, 802–805
integrating selected resilience guidelines with development process for, 809–810
monitoring, 795
releasing resilient solutions into production, 812–813
resilience guidelines, 800–801
resilience requirements, 793–794
tailoring resilience guidelines using selection criteria, 808–809
targeted improvement profile (TIP)
capability level ratings overlaid on, 93–94
overview of, 91–92
targeted improvement roadmaps (TIRs)
for achieving FISMA compliance, 957–961
for Cloud Computing, 961–963
establishing improvement objective with, 88
for managing insider threats, 963
teams, establish rules and guidelines for integration of, 615–616
technical controls
defined, 986
at enterprise/service/asset levels, 248–250
for facility assets, 277–279
for information assets, 519–521
overview of, 246–247
for technology assets, 876–878
technical solutions. See Resilient Technical Solution Engineering (RTSE)
Technical Solutions, CMMI process area, 795
techniques. See tools, techniques, and methods
technology. See also Asset Definition and Management (ADM) and Technology Management (TM)
access privileges focusing on, 153
as asset in CERT-RMM, 31–32
assets, 986
identity management and, 448–449
interoperability. See interoperability
life-cycle of, 37
managing operational risk of, 23
operational resilience management and, 2
protecting and sustaining, 35–36
resilience requirements for, 33–35
stress of managing operational risk of, 22
as traditional focus of operational risk management, 8–9
Technology Management (TM)
access controls for, 882–883
achieve specific goals, 899
assign resilience requirements, 875–876
assign responsibility for, 904–905
Cloud Computing and, 962–963
collect improvement information, 913–914
defined, 986
developing resilient software across life cycle with, 108
establish and implement controls, 876–878
establish defined process, 912–913
establish process governance, 899–901
establish resilience-focused technology assets, 873–874
FISMA compliance, 961
identify and assess risks, 879–880
identify and involve relevant stakeholders, 907–908
introductory notes, 869–870
maintain technology assets, 894–895
manage availability of technology assets, 890–891
manage integrity of technology assets, 881–882
manage risks, 878–879
manage technology capacity, 895–897
manage technology interoperability, 897–899
manage work product configurations, 906–907
mitigate risks, 880–881
monitor and control, 909–911
objectively evaluate adherence, 911–912
as Operations process area, 57
perform change management, 887–888
perform configuration management, 883–887
perform release management, 889–890
plan the process for, 901–902
prioritize technology assets, 871–873
protect technology assets, 874–875
provide resources for, 902–904
purpose of, 869
related process areas, 870
review status with higher-level managers, 912
summary of specific goals and practices, 870–871
sustain technology assets, 891–894
train people for, 905–906
termination, external dependencies management, 362
termination of employment
involuntary, 428
managing impact of position changes, 428–429
managing involuntary, 431–432
voluntary, 427
terms and conditions of employment, establishing, 420–422
test (exercise) service continuity plans
develop and document tests, 848
develop testing program and standards, 847–848
evaluate test results, 849–850
exercise tests, 849
tests
guidelines for resilient software and systems, 803–805
release management and, 889–890
Threat, Vulnerability and Incident Management, Operations, 57
threat actor, 987
threat motive, 987
threats. See also vulnerabilities
defined, 986
manage insider threats, 963
monitoring software and systems for, 795
protecting information assets, 518–519
TIP (targeted improvement profile)
capability level ratings overlaid on, 93–94
overview of, 91–92
TIRs. See targeted improvement roadmaps (TIRs)
TM. See Technology Management (TM)
tools, techniques, and methods
Access Management, 164
Asset Definition and Management, 138
Communications, 199
Compliance, 230
Controls Management, 260–261
Enterprise Focus, 329–330
Environmental Control, 294–295
External Dependencies Management, 370
Financial Resource Management, 401–402
Human Resource Management, 437
Identity Management, 463–464
Incident Management and Control, 500
Knowledge and Information Management, 538
Measurement and Analysis, 568–569
for monitoring process, 597
Organizational Process Definition, 620
Organizational Process Focus, 644
Organizational Training and Awareness, 675
People Management, 705–706
Resilience Requirements Development, 760
Resilience Requirements Management, 782
Resilient Technical Solution Engineering, 817–818
Risk Management, 737
Service Continuity, 857
Technology Management, 903
Vulnerability Analysis and Resolution, 932
traceability, of resilience requirements, 776–777
tracking
events in incident management, 480–481
resilience requirements, 777
training people
Access Management, 167
Asset Definition and Management, 138, 140
Communications, 200–201
Compliance, 232–233
Controls Management, 262–263
Enterprise Focus, 331
Environmental Control, 297–298
External Dependencies Management, 371–372
Financial Resource Management, 403–404
generic goals and practices, 949–950
Human Resource Management, 439–440
Identity Management, 465–466
Incident Management and Control, 502–503
Knowledge and Information Management, 540–541
Measurement and Analysis, 570–571
Monitoring, 598–599
Organizational Process Definition, 621–623
Organizational Process Focus, 646–647
Organizational Training and Awareness, 677–678
People Management, 707–709
Resilience Requirements Development, 761–763
Resilience Requirements Management, 783–785
Resilient Technical Solution Engineering, 820–821
Risk Management, 738–739
Service Continuity, 844, 858–859
Technology Management, 905–906
Vulnerability Analysis and Resolution, 934
training programs. See also Organizational Training and Awareness (OTA)
assess effectiveness of, 670–671
conduct, 668
deliver resilience training, 668–669
establish capability for, 666–668
establish needs, 664–665
establish plan, 665–666
record, 669–670
triaging events, in incident management, 482–483
trusted access. See Identity Management (IM)
typical work products, process areas
defined, 46–48
typographical and structural conventions, 51
typographical conventions, 49–51
updating
measurement and analysis objectives, 559
process definitions and development plans, 810
service continuity plans, 846
vulnerability repository, 925
user IDs, access control via, 525
users, 987
utility sector, CERT-RMM in
about the authors, 99–100
grid modernization and transformation, 103–104
regulation and peer pressure, 101–103
reliability and resilience in, 100–101
validation
of compliance data, 221
of resilience requirements, 756
of service continuity plans, 845–846
validity and reliability, of information assets, 529–530
VAR. See Vulnerability Analysis and Resolution (VAR)
verification
evaluating suitability of candidate staff, 418–420
managing access to assets during position changes, 430–431
version control, manage work product configurations and, 950
vital records
defined, 987
protecting, 513
vital resilience functions, 689
vital staff. See also staff, 987
voluntary termination, of employment, 427
vulnerabilities
analysis and resolution strategy for, 918–920
analyze, 923–925
defined, 987
discover, 921–923
establish scope of, 917–918
identify root causes, 927–928
identify sources of, 920–921
manage exposure to, 925–927
monitoring software and systems for, 795
overview of, 915–916
protecting information assets, 518–519
service continuity planning and, 832
Vulnerability Analysis and Resolution (VAR)
achieve specific goals, 928
analyze vulnerabilities, 923–925
assign responsibility for, 933
collect improvement information, 940–941
defined, 987
discover vulnerabilities, 921–923
establish analysis and resolution strategy, 918–920
establish defined process, 940
establish process governance, 929–930
establish scope of assets and environments to be analyzed, 917–918
FISMA compliance, 961
identify and involve relevant stakeholders, 935–936
identify root causes, 927–928
identify sources of vulnerabilities, 920–921
insider threats and, 964
introductory notes, 915–916
manage exposure to vulnerabilities, 925–927
manage work product configurations, 935
monitor and control the process, 937–939
monitoring needs of, 586
objectively evaluate adherence, 939
plan the process, 930–931
prepare for vulnerability analysis and resolution, 917
provide resources for, 931–932
purpose of, 915
related process areas, 916
relationships driving threat/incident management, 57–58
review status with higher-level managers, 940
summary of specific goals and practices, 916
train people for, 934
vulnerability catalogs, 921
vulnerability data collection, 921
vulnerability management strategy, 987
vulnerability notification services, 921
vulnerability repository, 987
vulnerability resolution, 987
waivers, 987
White, David W., 999, xxiv
work environment standards, 614–615
work product configurations
Access Management, 168
Asset Definition and Management, 141
Communications, 202
Compliance, 234
Controls Management, 264
Enterprise Focus, 332
Environmental Control, 298–299
External Dependencies Management, 373
generic goals and practices, 950
Human Resource Management, 440–441
Identity Management, 466–467
Incident Management and Control, 504
Knowledge and Information Management, 541
Measurement and Analysis, 571
Monitoring, 599–600
Organizational Process Definition, 623
Organizational Process Focus, 647–648
Organizational Training and Awareness, 678–679
People Management, 709
Resilience Requirements Development, 763
Resilience Requirements Management, 785–786
Resilient Technical Solution Engineering, 821–822
Risk Management, 740
Service Continuity, 860
Technology Management, 906–907
Vulnerability Analysis and Resolution, 935
work products, typical
defined, 46–48
typographical and structural conventions, 51