Figure 1.1: The Three Critical Dimensions
Figure 1.2: Bodies of Knowledge Related to Security Process Improvement
Figure 1.3: CERT-RMM Influences
Figure 2.1: Convergence of Operational Risk Management Activities
Figure 2.2: Relationships Among Services, Business Processes, and Assets
Figure 2.3: Relationship Between Services and Operational Resilience Management Processes
Figure 2.4: Impact of Disrupted Asset on Service Mission
Figure 2.5: Putting Assets in Context
Figure 2.6: Driving Operational Resilience Through Requirements
Figure 2.7: Optimizing Information Asset Resilience
Figure 2.8: Generic Asset Life Cycle
Figure 2.9: Software/System Asset Life Cycle
Figure 2.10: Services Life Cycle
Figure 3.1: Examples of Process Area Icons
Figure 3.2: A Specific Goal and Specific Goal Statement
Figure 3.3: A Specific Practice and Specific Practice Statement
Figure 3.4: A Generic Goal and Generic Goal Statement
Figure 3.5: A Generic Practice and Generic Practice Statement
Figure 3.6: Summary of Major Model Components
Figure 3.7: Format of Model Components
Figure 4.1: Relationships That Drive Resilience Activities at the Enterprise Level
Figure 4.2: Relationships That Drive Threat and Incident Management
Figure 4.3: Relationships That Drive the Resilience of People
Figure 4.4: Relationships That Drive Information Resilience
Figure 4.5: Relationships That Drive Technology Resilience
Figure 4.6: Relationships That Drive Facility Resilience
Figure 5.1: Structure of the CERT-RMM Continuous Representation
Figure 6.1: The IDEAL Model for Process Improvement
Figure 6.2: Organizational Unit, Subunit, and Superunit on an Organization Chart
Figure 6.3: Alternate Organizational Unit Designation on an Organization Chart
Figure 6.4: Model Scope Options
Figure 6.5: CERT-RMM Targeted Improvement Profile
Figure 6.6: CERT-RMM Targeted Improvement Profile with Scope Caveats
Figure 6.7: Capability Level Ratings Overlaid on Targeted Improvement Profile
Figure 6.8: Alternate Locations for Organizational Process Assets