Footnotes

Preface

1 See http://wordnet.princeton.edu.

Chapter 1

1 FSTC has since been incorporated into the Financial Services Roundtable (www.fsround.org).

Chapter 2

1 CMMI-SVC achieves its objectives by focusing on the improvement of the service management and delivery process, with services as the object of improvement. CERT-RMM achieves its objectives by focusing on the improvement of the operational resilience management process, with services as the beneficiary of improvement.

2 These activities are bound by their operational risk focus. However, collectively they do not represent the full range of activities that define operational risk management.

3 In the CMMI for Services model, a service is defined as a product that is intangible and non-storable [CMMI Product Team 2009]. CMMI for Services focuses on the high-quality delivery of services. CERT-RMM extends this concept by focusing on resilience as an attribute of high-quality service delivery, which ultimately impacts organizational health and resilience. In CERT-RMM, services are used as an organizing principle; the resilience of these services is the focus of improving operational resilience management processes and the operational resilience management system.

4 In CERT-RMM, we take a “cyber” approach to resilience. That is, we specifically exclude considerations of other tangible, raw materials that are important to the delivery of some services and most manufacturing processes. This is not to say that physical materials cannot be considered in CERT-RMM, but explicit processes and practices for this are not included in the core model.

5 The early life-cycle activities for services (design, development, and implementation) are covered in the CMMI for Services model. CERT-RMM addresses services in operation as they support the achievement of organizational goals and objectives.

Chapter 3

1 Much of the nomenclature used in CERT-RMM is derived from CMMI. Thus, if you are already familiar with CMMI models, you should notice no differences in the way that these components are defined or used.

Chapter 5

1 In CERT-RMM, there is no staged representation as in CMMI models. The staged representation uses maturity levels, which define levels of organizational maturity. In addition, the levels in a staged representation correlate to a collection of process areas that are prescribed or “staged” at each level. This concept does not exist in CERT-RMM because all improvement activities are undertaken in an individual process area or a collection of process areas that are chosen by the organization to satisfy its unique process improvement objectives.

2 In CERT-RMM, as in CMMI models, all of the specific goals of a process area must be satisfied to state that the process is being performed or that the organization is performing the process at capability level 1.

Chapter 6

1 For more on appraisal classes, see www.sei.cmu.edu/cmmi/tools/appraisals/classes.cfm.

Chapter 7

1 The UCA International Users Group is a not-for-profit corporation consisting of utility user and supplier companies that is dedicated to promoting the integration and interoperability of electric/gas/water utility systems through the use of international standards-based technology.

2 NERC is an international, independent, self-regulatory, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America.

3 Adapted from a WordNet definition of resilience at http://wordnetweb.princeton.edu/perl/webwn?s=resilience.

4 The Bulk Electric System is generally considered to comprise the generation of electricity and its transmission over high-voltage transmission lines.

5 “SANS Founder Slams ‘Terribly Damaging’ US Cyber Security Law,” www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm.

6 In business continuity parlance, this is referred to as the “recovery point objective.”

7 And this is referred to as the “recovery time objective.”

8 RTSE assumes that the organization has one or more existing, defined processes for software and system development into which resilience controls and activities can be integrated. If this is not the case, the organization should not attempt to implement the goals and practices identified in RTSE or in other CERT-RMM process areas that are involved in developing software and system technical solutions.

Chapter 14

1 Roles may include the chief risk officer, chief compliance officer, chief security and/or chief information security officer, chief privacy officer, chief information officer, chief financial officer, general counsel, business unit executives and leaders, vice president of human resources/relations, vice president of public relations, etc.

Appendix B

1 See page 88 for more information about using CERT-RMM targeted improvement roadmaps.
