Preface

Resilience (noun): the physical property of a material by which it can return to its original shape or position after deformation that does not exceed its elastic limit.

We hear the word resilience everywhere these days. People are described as resilient when they bounce back from adversity. Things are described as resilient when they can withstand unusual wear and tear and still perform adequately. Organizations are described as resilient when they can meet their mission in the face of adversity and an ever-changing risk environment.

For something or somebody to be described as resilient, a few basic conditions must be met. First, a physical or logical impact must be able to be tolerated for some period of time. Second, the object or person must be able to continue its purpose or mission while impacted. And third, the object or person must be able, in some reasonable time, to return to a “normal” state.

The authors of this book have often struggled with finding the right metaphor for describing resilience. But we always seem to come back to something that everyone understands: a childhood toy called a “Slinky.”

Nearly everyone growing up either had a Slinky or knew someone who did. There wasn’t much to it—a coiled piece of wire that could do some basic tricks—but for the most part, it just kept us amused until we found something else to which to direct our attention. That is, until we tested the limits of the Slinky. Slinkys were mostly forgiving of our attempts to make them do things that weren’t intended by the designers, but there was always that one thing we did that pushed the Slinky to its limits. And the result? The spring became a mere wire, unable to bounce back to its original shape and never again to magically crawl down the stairs on its own.

People, things, and especially organizations can be very much like Slinkys. Most organizations can manage to expand and contract as necessary to absorb the “punch” of disruption. But when the expansion is beyond sustainable limits, in either impact or duration, the organization transforms from a Slinky to a mere wire—unable to spring back to a normal operating condition. Organizations that do not operate with a conscious eye to what their Slinky looks like do so to their own peril. Consider:

• In 2007 the Economist Intelligence Unit surveyed 181 executives from around the world about business resilience. Not surprisingly, 47% of respondents said that they could endure less than one day of downtime from IT systems before the disruption would seriously jeopardize the survival of the entire company [Economist 2007].

• A National Archives and Records Administration survey cites that 25% of companies that experienced an IT outage of two to six days went bankrupt immediately [Economist 2007]. This same study found that 93% of companies that lost their data center for ten days or more filed for bankruptcy within a year.

And it isn’t as though organizations don’t understand the necessity of improving their operational resilience capabilities. In a 2008 Carnegie Mellon CyLab report on Enterprise Security Governance, nearly 50% of survey respondents indicated that risk and crisis oversight is important, but only 37% responded that it was a critical governance issue. Thus, members of boards of directors recognize the importance of operational resilience but don’t feel it’s important enough to do anything about (or don’t know what to do to address it) [Westby 2008].

In its 2007 report The Resilient Economy: Integrating Competitiveness and Security, the Council on Competitiveness makes a compelling argument that the ability of an organization to actively manage resilience will become a key competitive differentiator in the twenty-first century [van Opstal 2007]. The Council’s conclusions frame a business- and economics-centric argument that supports the theories we posed in 2003 about the transformation of the security discipline into one that supports a larger business-driven purpose. Clearly, today that purpose is to ensure the organization is operationally resilient and able to carry out operational risk management activities in a coordinated way, liberated from traditional silos and organizational structures.

The CERT Resilience Management Model was developed to help organizations do this and, in the end, to help them be better Slinkys.

Introducing the CERT Resilience Management Model

The CERT Resilience Management Model (CERT-RMM) is an innovative and transformative way to approach the challenge of managing operational resilience in complex, risk-evolving environments. It is the result of years of research into the ways that organizations manage the security and survivability of the assets that ensure mission success: people, information, technology, and facilities. It incorporates concepts from an established process improvement community to create a model that transcends mere practice implementation and compliance—one that can be used to mature an organization’s capabilities and improve predictability and success in sustaining operations whenever disruption occurs.

The ability to manage operational resilience at a level that supports mission success is the focus of CERT-RMM. By improving its operational resilience management system—the plan, program, processes, procedures, practices, and people that are necessary to manage operational resilience—the organization in turn improves the mission assurance of high-value services. The success of high-value services in meeting their missions consistently over time and in particular under stressful conditions is vital to meeting organizational goals and objectives.

Purpose

CERT-RMM v1.1 is a capability-focused maturity model for process improvement that comprehensively reflects best practices from industry and government for managing operational resilience across the disciplines of security management, business continuity management, and IT operations management. Through CERT-RMM these best practices are integrated into a single model that provides an organization with a transformative path from a silo-driven approach for managing operational risk to one that is focused on achieving resilience management goals and supporting the organization’s strategic direction.

CERT-RMM incorporates many proven concepts and approaches from the Software Engineering Institute’s process improvement experience in software and systems engineering and acquisition. Foundational concepts from CMMI (Capability Maturity Model Integration) are integrated into CERT-RMM to elevate operational resilience management to a process approach and to provide an evolutionary path for improving capability. Practices in the model focus on improving the organization’s management of key operational resilience processes. The effect of this improvement is realized through improving the ability of high-value services to meet their mission consistently and with high quality, particularly during times of stress.

It should be noted that CERT-RMM is not based on the CMMI Model Foundation (CMF), which is a set of model components that are common to all CMMI models and constellations. In addition, CERT-RMM does not form an additional CMMI constellation or directly intersect with existing constellations. However, CERT-RMM makes use of several CMMI components, including core process areas and process areas from CMMI-DEV. It incorporates the Generic Goals and Practices of CMMI models, and it expands the resilience concept for services found in CMMI-SVC. Section 1.4 of this book provides a detailed explanation of the connections between CERT-RMM and the CMMI models.

Audience

The audience for CERT-RMM is anyone interested in improving the mission assurance of high-value services through improving operational resilience processes. Simply stated, CERT-RMM can help improve the ability of an organization to meet its commitments and objectives with consistency and predictability in the face of changing risk environments and potential disruptions. CERT-RMM will be useful to you if you manage a large enterprise or organizational unit, are responsible for security or business continuity activities, manage large-scale IT operations, or help others to improve their operational resilience. CERT-RMM is also useful for anyone who wants to add a process improvement dimension or who wants to make more efficient and effective use of an installed base of codes of practice, such as ISO 27000, COBIT, or ITIL.

If you are a member of an established process improvement community, particularly one centered on CMMI models, CERT-RMM can provide an opportunity to extend your process improvement knowledge to the operations phase of the asset life cycle. Thus, process improvement need not end when an asset is put into production—it can instead continue until the asset is retired.

Organization of This Book

This book is organized into three main parts:

Part One: About the CERT Resilience Management Model

Part Two: Process Institutionalization and Improvement

Part Three: CERT-RMM Process Areas

Part One, About the CERT Resilience Management Model, consists of four chapters:

Chapter 1, Introduction, provides a summary view of the advantages and influences of a process improvement approach and capability maturity models on CERT-RMM.

Chapter 2, Understanding Key Concepts in CERT-RMM, describes all the model conventions used in CERT-RMM process areas and how they are assembled into the model.

Chapter 3, Model Components, addresses the core operational risk and resilience management principles on which the model is constructed.

Chapter 4, Model Relationships, describes the model in two virtual views to ease adoption and usability.

Part Two, Process Institutionalization and Improvement, focuses on the capability dimension of the model and its importance in establishing a foundation on which an operational resilience management system can be sustained in complex environments and evolving risk landscapes. The effect of increased levels of capability in managing operational resilience on the mission success of high-value services is discussed. Part Two addresses the use of the model’s Generic Goals and Practices, which are sourced from CMMI and tailored for institutionalizing operational resilience management processes. Part Two also describes various approaches for using CERT-RMM, as well as considerations when applying a Plan, Do, Check, Act model for process improvement. In the last chapter of Part Two, CERT-RMM Perspectives, several invited contributing authors share their thoughts about how CERT-RMM can be applied for different purposes. One contributor describes how his company evaluated CERT-RMM and found it to be “a comprehensive and flexible framework” for helping to meet business resilience objectives.

Part Three, CERT-RMM Process Areas, is a detailed view of the 26 CERT-RMM process areas. They are organized alphabetically by process area acronym. Each process area contains descriptions of goals, practices, and examples.

The appendices of the book provide a detailed treatment of the model’s Generic Goals and Practices, book references, a list of commonly used acronyms, and a reference glossary.

How to Use This Book

Part One of this book provides a foundational understanding of CERT-RMM, whether or not you have previous experience with process improvement models.

If you have process improvement experience, particularly using models in the CMMI family, you should start with Section 1.4 in the Introduction, which describes the relationship between CERT-RMM and CMMI models. Reviewing Part Three will provide you with a baseline understanding of the process areas covered in CERT-RMM and how they may be similar to or different from those in CMMI. Next, you should examine Part Two to understand how generic goals and practices are used in CERT-RMM. Pay particular attention to the example blocks in the generic goals and practices; they provide an illustration of how the capability dimension can be implemented in the CERT-RMM model.

If you have no process improvement experience, you should begin with the Introduction in Part One and continue sequentially through the book. The chapters are arranged to build understanding before you reach Part Three, the process areas.

Additional Information and Reader Feedback

CERT-RMM continues to evolve as more organizations use it to improve their operational resilience management processes. You can always find up-to-date information about the CERT-RMM model, including new process areas as they are developed and added, at www.cert.org/resilience. There, you can also learn how CERT-RMM is being used for critical infrastructure protection and how it forms the basis for exciting research in the area of resilience measurement and analysis.

Your suggestions for improving CERT-RMM are welcome. For information on how to provide feedback, see the CERT website at www.cert.org/resilience/request-comment. If you have comments or questions about CERT-RMM, send email to [email protected].
