Index

A

abuse/misuse case, 965, 976

access acknowledgement, 965

access control policy, 965

access controls. See also Access Management (AM), 965

establishing identity community, 452–453

for information assets, 525–526

modification management and, 527–528

overview of, 150–151

for technology assets, 882–883

for trusted access. See Identity Management (IM)

Access Management (AM)

achieve specific goals, 161

assign responsibility for, 165–166

collect improvement information, 173–174

correct inconsistencies, 159–160

defined, 965

enable access, 152–155

establish defined process for, 173

establish process governance, 161–162

FISMA compliance, 957

identify and involve relevant stakeholders, 168–169

insider threats and, 964

introductory notes, 149–151

manage and control access, 151–152

manage changes to access privileges, 155–157

manage work product configurations, 168

monitor and control the process, 169–171

monitoring needs of, 586

objectively evaluate adherence, 172

as Operations process area, 57

periodic review of access privileges, 157–159

plan the process, 163

provide resources for, 163–165

purpose, 149

related process areas, 151

review status with higher-level managers, 172

summary of specific goals and practices, 151

train people for, 167

access privileges

assign on basis of identity, 451

correct inconsistencies in, 159–160

defined, 965

deprovisioning identity profiles and, 459–460

granting, 152–155

to human resources documents, 440–441

identify invalid identities, 456–457

identity management linked to, 449

manage and control access with, 151–152

manage changes to access, 155–157

manage changes to employment status, 430–431

manage involuntary termination, 432

overview of, 149–151

periodic review of, 157–159

access requests

defined, 966

enabling, 152

acculturation, 966

achieve specific goals, generic goals and practices, 945

acronyms, used in this book, 989–992

acting phase, process improvement, 82–83

action plans

for conflict mitigation, 755

implementing process action plans, 636

for organizational processes, 634–635

adaptive maintenance

defined, 966

of environmental conditions, 285

adherence, objective evaluation of

Access Management, 172

Asset Definition and Management, 144–145

Communications, 206

Compliance, 238

Controls Management, 267–268

Enterprise Focus, 336–337

Environmental Control, 303

External Dependencies Management, 377–378

Financial Resource Management, 408

generic goals and practices, 953

Human Resource Management, 444

Identity Management, 470–471

Incident Management and Control, 508–509

Knowledge and Information Management, 546

Measurement and Analysis, 574–575

Monitoring, 603

Organizational Process Definition, 626–627

Organizational Process Focus, 651

Organizational Training and Awareness, 682–683

People Management, 713

Resilience Requirements Development, 767

Resilience Requirements Management, 789–790

Resilient Technical Solution Engineering, 826–827

Risk Management, 743–744

Service Continuity, 864–865

Technology Management, 911–912

Vulnerability Analysis and Resolution, 939

ADM. See Asset Definition and Management (ADM)

administrative (management) controls

defined, 966

at enterprise/service/asset level, 248–250

for facility assets, 277–278

for information assets, 519–521

overview of, 246

for technology assets, 876–878

agreements

confidentiality, 429–430

employment, 420–422

with external entities, 360–362, 370

legal, 966

service level agreements (SLAs), 985

Allen, Julia H., 104–105, 115, 999, xxiii–xxiv

AM. See Access Management (AM)

amplifications, process area, 47–48

analysis

of Compliance obligations, 217–218

of controls, 250–253

cost and performance analysis in budgeting, 393–394

measurement and. See Measurement and Analysis (MA)

of monitoring requirements, 585–587

of resilience requirements, 755

risk analysis, 983

root-cause analysis, 494, 984

of vulnerabilities. See Vulnerability Analysis and Resolution (VAR)

analysis, in incident management

analyze and triage events, 482–483

to support response, 485–486

appraisal

CAM (Capability Appraisal Method), CERT-RMM, 92–94

capability appraisal in evaluation of adherence, 953

capability dimension used for, 68

of organizational processes, 632–633

scope, 93–94, 966

architecture

guidelines for resilient software and systems, 801–802

interoperability standards, 898

process architecture, 610, 980

area of impact

business impact analysis, 892

defined, 966

limiting organizational impact of incidents, 488–490

assembly guidelines, for Resilient Technical Solution Engineering, 805–807

assessment

of awareness program, 662–663

of communications, 192–194

of controls, 253–257

of facility asset risks, 280–281

of information asset risks, 522

of performance, 425–426

of risks due to external dependencies, 350–351

of staff risks, 691–692

of technology risks, 879–880

of training program, 670–671

asset custodian. See custodians, asset

Asset Definition and Management (ADM)

achieve specific goals, 134

assign responsibility, 138–139

Cloud Computing and, 961

collect improvement information, 146–147

defined, 135, 966

develop resilient software across life cycle with, 107

as Engineering process area, 56

establish common understanding of assets, 126–128

establish defined process, 145–146

establish organizational assets, 123–124

establish ownership and custodianship, 128–130

establish process governance, 135–136

establish relationship between assets and services, 130–131

FISMA compliance, 958

identify and involve stakeholders, 141–142

introductory notes, 121–122

inventory assets, 124–126

manage assets, 132–134

manage work product configurations, 141

monitor and control process, 142–144

objectively evaluate adherence, 144–145

plan process, 136–137

provide resources, 137–138

purpose of, 121

related process areas, 122–123

summary of specific goals and practices, 123

train people for, 140

asset disposition, 966

asset inventory

creating, 124–126

defined, 967

maintaining changes to assets, 133–134

managing changes to employment status, 430–431

asset life cycle, 37, 794, 967

Asset Management, Engineering, 56

asset owner, 967

asset profile, 967

Asset Resilience Management, Operations, 57

asset-level controls, 248–250

asset-level resilience requirements

analyze, 755

defined, 967

establish, 752–753

overview of, 748–749

validate, 756

asset-level risks

identifying, 723–725

review and adjust strategies for, 732

assets. See also Asset Definition and Management (ADM)

alternate locations for organizational process, 95–96

concept of, 30–33

define required functionality of, 754–755

defined, 966

establishing improvement objective with asset scope, 89–90

facility, establishing resilience-focused, 275

facility, prioritization of, 273–274

identifying vulnerabilities, 917–918

life-cycle, 37, 794, 967

managing changes to employment status, 430

objective views for. See objective views, for assets

operational risk as potential impact on, 25–26

protecting and sustaining, 35–36

relationships among services, business process and, 27–28

resilience requirements, 773–774

resilience requirements for, 33–35

risks of external entities and, 342

stress of managing intangible, 22

traceability of resilience requirements and, 777

assets, technology

access controls, 882–883

assign resilience requirements, 875–876

establish and implement controls, 876–878

establish resilience-focused, 873–874

identify and assess risks, 879–880

maintain, 894–895

manage availability of, 890–891

manage capacity of, 895–897

manage integrity of, 881–882

manage interoperability of, 897–899

manage risks, 878–879

mitigate risks, 880–881

perform change management, 887–888

perform configuration management, 883–887

perform release management, 889–890

protect, 874–875

sustain, 891–894

assign responsibility, generic goals and practices, 948–949

assurance case, 967

Assurance for CMMI PRM (Process Reference Model), 109–110

attack pattern, 967

attack surface, 967

attributes, critical attributes of process elements, 609

audits

for configuration management, 887

discovery of vulnerabilities, 921

manage external dependencies, 362

in objective evaluation of adherence, 953

perform resilience oversight, 324–325

for process-compliance, 639

review enterprise focus plan, 337

of technology assets, 883–884

authority, assigning

Access Management, 165–166

Asset Definition and Management, 138–139

Communications, 199–200

Compliance, 231–232

Controls Management, 261–262

Enterprise Focus, 330–331

Environmental Control, 296–297

External Dependency Management, 370–371

Financial Resource Management, 402–403

generic goals and practices, 949

Human Resource Management, 437–438

Identity Management, 464–465

Incident Management and Control, 501–502

Knowledge and Information Management, 539

Measurement and Analysis, 569

Organizational Process Definition, 621

Organizational Process Focus, 645–646

Organizational Training and Awareness, 675

People Management, 706–707

Resilience Requirements Development, 760–761

Resilience Requirements Management, 782–783

Resilient Technical Solution Engineering, 819

Risk Management, 738

Service Continuity, 858

Technology Management, 904–905

Vulnerability Analysis and Resolution, 933

availability

attributes of information assets, 514

defined, 967

Knowledge and Information Management and, 513

of measurement information, 564

availability, of information assets

document organizational and intellectual knowledge of staff, 532–533

duplication and retention, 531–532

overview of, 530–531

availability, of staff

establish redundancy for vital staff, 694–695

manage, 693–694

perform succession planning, 695–697

plan for return-to-work following disruptive events, 700–701

plan to support staff during disruptive events, 698–700

prepare for redeployment, 697–698

availability, of technology assets

maintain technology assets, 894–895

manage technology capacity, 895–897

manage technology interoperability, 897–899

overview of, 890–891

sustain technology assets, 891–894

awareness activity, 967

awareness materials, 659–660

awareness plan, 657–658

awareness program. See also Organizational Training and Awareness (OTA)

assess effectiveness of, 662–663

defined, 967

establish delivery capability, 658–660

establish needs, 655–657

establish plan, 657–658

overview of, 655

perform activities, 660–661

records of, 661–662

waiver. See waiver

B

back up, of information assets, 531–532

base measures

data collection and, 561–562

defined, 967

specify, 556

baseline competencies

comparing skills inventory to, 416

establishment of, 414–415

baseline verification criteria, acquisition of staff, 419

baselines

baseline configuration item, 968

for change management, 887–888

for configuration management, 887

identifying and assessing risks, 522

resilience requirements, 776

for technology assets, 884

BES (Bulk Electric System), 101–102

BIC-SORT (Best in Class Security and Operations Roundtable), 10–11

BRM (business resilience management), 110–115

budgeting

benefits of CERT-RMM, 6

commit funds for operational resilience management, 383–384

establish financial commitment, 382–383

establish resilience budgets, 388–389

establish structure to support financial management, 384–386

fund resilience activities, 390–391

perform cost and performance analysis, 393–394

resolve funding gaps, 388–389

bugs, availability of technology assets and, 891

builds, release management and, 889–890

Bulk Electric System (BES), 101–102

business case

for adoption of CERT-RMM processes, 81

commit funds for operational resilience management, 383–384

for convergence of operational risk activities, 24–25

fund operational resilience management, 318–319

business continuity plans. See also service continuity plans, 839

business impact analysis, availability of technology assets and, 892

business processes

concept of, 29–30

defined, 968

fueled by assets, 30–33

relationships among services, assets and, 27–28

business requirements. See also resilience requirements, 968

business resilience, downtime tolerance and, xvi

business resilience management (BRM), 110–115

C

CAM (Capability Appraisal Method), CERT-RMM, 92–94

capability appraisal, in objective evaluation of adherence, 953

Capability Appraisal Method (CAM), CERT-RMM, 92–94

capability dimension, CERT-RMM

defined, 68

understanding capability levels, 68–69

capability dimension, CMMI, 19

capability levels

connecting to process institutionalization, 69–73

considerations when establishing targets, 84–85

defined, 968

for generic goals and practices, 73

overlaying ratings on targeted improvement profile, 93–94

targeted improvement profile, 91–92

targets for establishing improvement objectives, 90–91

understanding, 68–69

Capability Maturity Model Integration. See CMMI (Capability Maturity Model Integration)

capacity, of technology assets, 895–897

capacity planning, 896, 968

Caralli, Richard A., 1000, xxiii

catalogs

of external dependencies, 344–347

of items in process asset library, 614

categories

of information assets, 517–518, 975

process areas by, 41–42

of process components, 42–44

of risk, 351, 719–720, 727

CERT Resiliency Engineering Framework: Code of Practices Crosswalk, Preview Version, v0.95R (REF Team 2008b), 13

CERT Resiliency Engineering Framework, v0.95R (REF Team 2008a), 12

certification training, Communications, 201

CERT-RMM (CERT Resilience Management Model)

audience for, xviii

benefits to organizations, 5–6

CMMI models and, 15–18

CMMI vs., 18–19

evolution of, 9–12

influences on, 12–15

introduction to, xvii

need for, 3–4

official release of v1.1, 12

overview of, 7–8

process improvement and CMMI models influencing, 8–9

as process improvement model, 2–3

purpose of, xvii–xviii

CERT-RMM concepts

adapting terminology and, 39

convergence, 23–25

disruption and stress, 21–23

elements of operational resilience management, 27–39

operational resilience management, 25–27

CERT-RMM uses

for business resilience, 110–115

diagnosing with, 92–95

examples, 78–80

measuring operational resilience, 115–118

model-based process improvement with, 80–83

overview of, 77

planning improvements with, 95–97

setting and communicating objectives. See objectives, setting and communicating

for software assurance, 104–110

for utility sector, 99–104

change criteria

for asset management, 132–133

for service continuity tests, 852

change management

for configuration settings, 887

defined, 968

for external dependencies, 362

for identity community, 455–456

for resilience requirements, 775–776

for service continuity tests, 852–853

for technology assets, 887–888

for work product configurations, 950

channels, communications

establish and maintain infrastructure for, 190–191

identify, 188–190

checks, integrity, 562

classes, formal capability appraisal, 92–94

closing incidents, 492–493

Cloud Computing, targeted improvement roadmap for, 961–963

CMMI (Capability Maturity Model Integration)

CERT-RMM generic goals and practices vs., 73

equivalent CERT-RMM process areas, 15–18

evolution of CERT-RMM and, 12–15

process areas influencing CERT-RMM RTSE, 108, 795

using CERT-RMM without familiarity with, 13

why CERT-RMM is not, 18–19

CMMI-ACQ (CMMI for Acquisition) model

defined, 15

equivalent CERT-RMM process areas, 17–18

influencing CERT-RMM, 13

CMMI-DEV (CMMI for Development) model

defined, 15

equivalent CERT-RMM process areas, 17–18

focus of process improvement in, 15

influencing CERT-RMM, 13

CMMI-SVC (CMMI for Services) model

defined, 15

equivalent CERT-RMM process areas, 16–18

influencing CERT-RMM, 13

codes of practice

convergence vs., 25

relationship between CERT-RMM process areas and other, 12–13

coding guidelines, for resilient software and systems, 803

collect improvement information. See improvement information, collecting

co-location, 968

commitment

establish financial commitment, 382–383

of funds to operational resilience management, 383–384

to incident management plan, 477

to resilience requirements, 774–775

to service continuity plans, 834–835

communication

of awareness activities, 660

of changes to resilience requirements, 776

guidelines and standards, 181–183

identify relevant stakeholders, 177–179

identify requirements for, 179–181

in incident management, 490–492

in incident response and recovery, 487–488

measure and assess performance using, 425–426

of measurement results, 564–565

of measures, 557

of objectives. See objectives, setting and communicating

preparing for, 177

process lessons learned and, 639–640

to stakeholders, 951

to stakeholders regarding incidents, 489

of vulnerability analysis and resolution strategy, 919

communication program

assessing effectiveness of, 192–194

assigning staff to, 186–188

establishing, 185–186

improving, 194–195

Communications (COMM)

achieve specific goals, 195

assign responsibility for, 199–200

collect improvement information, 207–208

defined, 968

deliver, 188–191

Enterprise Management, 54–55

establish and maintain plan for, 197–198

establish defined process, 207

establish guidelines and standards, 181–183

establish plan, 183–184

establish process governance, 196–197

establish program, 185–186

identify and assign plan staff, 186–188

identify and involve relevant stakeholders, 202–203

identify relevant stakeholders, 177–179

identify requirements, 179–181

improve, 191–195

introductory notes, 175–176

manage work product configurations, 202

monitor and control the process, 203–205

objectively evaluate adherence, 206

plan the process, 197–198

prepare for, 177

prepare for management of, 183

provide resources for, 198–199

purpose of, 175

related process areas, 176

relationships driving threat/incident management, 58

review status with higher-level managers, 206

summary of specific goals and practices, 176

train people for, 200–201

communications stakeholders, 968

comparison, using CERT-RMM as basis for, 78–79

compensating controls, 247

competitive differentiators, resilience management as, xvi

complexity, operational risk of, 22

compliance

collection and preservation of evidence and, 482

converting compliance activities into improvement activities, 6

defined, 968

developing program for, 212–214

evaluating adherence to. See adherence, objective evaluation of

performing resilience oversight, 324

Compliance (COMP)

achieve specific goals, 227

analyze obligations for, 217–218

assign responsibility for, 231–232

collect and validate compliance data, 219–225

collect improvement information, 239–240

defined, 968

demonstrate extent of satisfaction of obligations, 221–223

establish defined process, 239

establish guidelines and standards, 214

establish obligations for, 215–217

establish ownership for meeting obligations, 218–219

establish plan for, 211–212

establish process governance, 227–228

establish program for, 212–214

identify and involve relevant stakeholders, 234–236

introductory notes, 209–210

manage work product configurations, 234

monitor activities of, 225–226

monitor and control the process, 236–237

objectively evaluate adherence, 238

plan the process, 229

prepare for compliance management, 210–211

provide resources for, 229–231

purpose of, 209

related process areas, 210

remediate areas of non-compliance, 223–225

review status with higher-level managers, 238

summary of specific goals and practices, 210

train people for, 232–233

compliance knowledgebase, 969

compliance obligations, 969

compliance office, defining and installing, 212

components, model

defined, 981

expected components, 43–44, 48, 972

informative component, 43–44, 48, 975

numbering scheme, 47–49

process area component categories, 42–44

process area component descriptions, 44–47

process areas and their categories, 41–42

required components, 43–44, 48, 981

typographical and structural conventions, 49–51

computer security incident response team (CSIRT), 476

conditions, 969

confidentiality

access controls and, 525–526

agreements, 429–430

attributes of information assets, 514

defined, 969

disposal management, 526–527

encrypt high-value information, 524–525

Knowledge and Information Management process area and, 513

of measurement information, 564

overview of, 523–524

configuration items, 969

configuration management

defined, 969

for information assets, 529

for technology assets, 883–887

work product configurations and, 950

conflict resolution

identify and resolve conflicts in service continuity plans, 846

mitigation action plans, 755

consistency vs. flexibility, 611

constellation, 969

containers

defined, 969

managing information asset risk in, 521

contingency plans. See service continuity plans

continuity of operations. See also Service Continuity (SC), 969

continuous representation, of CERT-RMM structure, 68–69

contracts, with external entities, 360–362

control objectives

analysis of controls to ensure, 250–252

assessment process for, 255–257

defining, 244–246

establishing controls to meet, 246–248

identifying and establishing controls, 248–250

overview of, 244

controls. See also monitor and control

access. See access controls

administrative. See administrative (management) controls

defined, 969–970

external dependencies management, 361

for incident management, 506–508

for information assets, 519–521

internal, 975

manage work product configurations and, 950

revision plan, 732

for risk mitigation, 732

for technology assets, 875–878

for validity and reliability of information assets, 529–530

Controls Management (CTRL)

achieve specific goals, 257

analyze controls, 250–253

assess control effectiveness, 253–257

assign responsibility for, 261–262

collect improvement information, 269–270

define controls, 248–250

defined, 970

as Engineering process area, 56

establish control objectives, 244–246

establish controls supporting objectives, 246–248

establish defined process for, 269

establish process governance, 257–259

FISMA compliance, 959

identify and involve relevant stakeholders, 264–265

insider threats and, 964

introductory notes, 241–243

manage work product configurations, 264

managing changes to protecting and sustaining services and assets, 131

managing overall internal control system in, 151

monitor and control process, 265–267

objectively evaluate adherence, 267–268

plan process, 259

provide resources, 259–261

purpose of, 241

related process areas, 243

relationships driving threat/incident management, 58

review status with higher-level managers, 268

summary of specific goals and practices, 244

train people for, 262–263

convergence

defined, 970

of operational risk management activities, 23–25

convergence advantage

of CERT-RMM, 5–6

defined, 7

coordination communications, 187

corrective measures

for access privileges, 159–160

for controls management, 247

defined, 970

for enterprise focus, 325–326, 336–337

for environmental conditions, 285

for inconsistencies in identity community, 457–459

monitoring and controlling and, 952–953

for performance issues, 325–326

cost of resilience, 970

costs. See also Financial Resource Management (FRM)

external dependencies management, 362

of non-compliance, 222–223

used to track and document resilience management, 392–393

credentialing, 970

crisis

defined, 970

governance, xvi

critical success factors, 970

cross-training, 970

The Crosswalk, 13

cryptography. See encryption

CSIRT (computer security incident response team), 476

CTRL. See Controls Management (CTRL)

cultural norms, stress of managing globalization risks, 23

curriculum, for training program, 668

custodians

of access management, 159–160, 168–169

of asset definition and management, 126–130

defining, 33

of environmental control, 296–297

custodians, asset

conformity to resilience requirements, 778

defined, 966

resilience requirements and, 774–775

D

damage control, responding to incidents, 489

dashboard, governance, 324

data analysis. See also Measurement and Analysis (MA)

of measurement data, 562–563

methods and tools, 559–560

data collection

collection standards and guidelines, 589–591

of compliance data, 219–221

of measurement data, 561–562

monitoring and, 577–579, 588–589

of monitoring data, 591–592

techniques for, 557–559

vulnerability data collection, 921–922

Data Collection and Logging, Process Management, 58–59

data storage, 563–564

databases

for change management, 888

for configuration management, 886

identify external dependencies, 344–347

identify vital organizational, 837–839

incident knowledgebase, 922

of service continuity plans, 843

Davis, Noopur, 115

defined process

Access Management, 173

Asset Definition and Management, 145–146

Communications, 207

Compliance, 239

Controls Management, 269

defined, 970

Enterprise Focus, 337–338

Environmental Control, 304

External Dependencies Management, 378–379

Financial Resource Management, 409

generic goals and practices, 954

Human Resource Management, 445

Identity Management, 471

Incident Management and Control, 510

Knowledge and Information Management, 547–548

Measurement and Analysis, 575–576

Monitoring, 604

Organizational Process Definition, 627–628

Organizational Process Focus, 652

Organizational Training and Awareness, 683

overview of, 72

People Management, 714

Resilience Requirements Development, 768–769

Resilience Requirements Management, 791

Resilient Technical Solution Engineering, 827–828

Risk Management, 744–745

Service Continuity, 865–866

Technology Management, 912–913

Vulnerability Analysis and Resolution, 940

deliver communications

establish and maintain infrastructure, 190–191

identify methods and channels, 188–190

overview of, 188

delivery capability

for awareness program, 658–660

for training program, 666–668

Deming, Edward, 80, 82

dependencies

analyze asset-service, 131

identify, 837

manage external. See External Dependencies Management (EXD)

manage on public infrastructure for facilities, 288–289

manage on public services for facilities, 287

deploy practices, using CERT-RMM as organizing structure for, 79–80

deploy process assets

incorporate experiences into process assets, 639–641

monitoring implementation, 639

overview of, 636–637

standard processes, 638

deprovisioning identities

controlling identity management work products, 466–467

correcting inconsistencies in identity community, 458–459

defined, 970

introduction to, 448–449

involving stakeholders in, 468

overview of, 459–460

derived measures

data collection and, 561–562

data sets for, 563

defined, 971

specifying, 556

descriptive statistics, in data analysis, 560

design guidelines, for resilient software and systems, 801–802

detective controls, 247–248

development lifecycle, software and systems, 793

development plans, for resilient technical solutions

creating, 807–808

integrating selected guidelines with, 809–810

monitor execution of, 810–812

release solutions into production, 812–813

select and tailor guidelines for, 808–809

diagnosing phase, process improvement

defined, 82–83

formal diagnosis using Capability Appraisal Method, 92–94

informal diagnosis, 94–95

planning CERT-RMM-based improvements, 95–97

diagnosis of current resilience practices

formal, using Capability Appraisal Method, 92–94

informal, 94–95

digital information, stress of managing intangible assets, 22

disciplinary action, for violation of resilience policies, 426–427

disposition (disposal)

defined, 971

of information assets, 526–527

dispute resolution, external dependencies management, 362

disruptive events

CERT-RMM control of organizational behavior during, 21–23

identifying staff risks, 691

managing staff availability during, 693

plan for return-to-work following, 700–701

plan to support staff during, 698–700

prepare for redeployment of staff during, 697–698

distribution, of monitoring information, 592–594

DNA, identity’s

defined, 450

understanding, 447–448

documentation

in access management, 173–174

in asset definition and management, 146–147

of awareness needs, 657

of changes to process assets, 637

of changes to resilience requirements, 776

of commitments to resilience requirements, 774–775

of commitments to service continuity plans, 834

of communications, 194, 197, 207–208

of compliance, 223, 239–240

of controls management, 245–246, 269–270

of disciplinary action, 426–427

of environmental controls, 277, 286–290, 305

event detection and, 479

of external dependencies management, 361

in financial resource management, 388, 392–394, 400

in human resource management, 419, 422, 435–436

in identity management, 450–451, 458–459, 462–463

of improvement information, 955

of incident analysis, 486

of incident evidence, 481–482

incident management plan and, 476

of inconsistencies in resilience requirements, 778

of maintenance operations, 895

of measurement objectives, 555

post-incident review and, 494

of return-to-work plan, 700

of risk measurement criteria, 723

of scope of vulnerabilities, 917

of service continuity plans, 840–842

of service continuity tests, 848

of succession plan, 696

of support for staff during disruptive events, 699

of training needs, 665

of vulnerability analysis and resolution strategy, 919

downtime

business resilience and, xvi

planned, 890, 979

unplanned, 890, 987

due diligence, performing on candidate external entities, 359

duplication, of information assets, 531–532

E

EC. See Environmental Control (EC)

EF. See Enterprise Focus (EF)

emergency actions, responding to incidents, 489

employment. See Human Resource Management (HRM)

employment agreements, 420–422

employment status, managing changes to

manage access to assets, 430–431

manage impact of position changes, 428–430

manage involuntary terminations, 431–432

overview of, 427–428

encryption

cryptographic controls, 970

of high-value information, 524–525

policies, 971

Engineering process areas

ADM. See Asset Definition and Management (ADM)

CTRL. See Controls Management (CTRL)

defined, 7–8

model view of, 56

overview of, 41–43

RRD. See Resilience Requirements Development (RRD)

RRM. See Resilience Requirements Management (RRM)

RTSE. See Resilient Technical Solution Engineering (RTSE)

SC. See Service Continuity (SC)

Enterprise Focus (EF)

achieve specific goals, 325–326

assign responsibility for, 330–331

collect improvement information, 338–339

commit funding for operational resilience management, 318–319

defined, 971

as Engineering process area, 56

establish corrective actions, 325–326

establish critical success factors, 310–312

establish defined process, 337–338

establish organizational services, 312–314

establish process governance, 327–328

establish resilience as governance focus area, 322–323

establish sponsorship, 317

establish strategic objectives, 309–310

FISMA compliance, 958

identify and involve relevant stakeholders, 332–333

identify communications requirements with, 180

introductory notes, 307–308

manage work product configurations, 332

monitor and control the process, 333–336

objectively evaluate adherence, 336–337

perform resilience oversight, 324–325

plan for operational resilience, 314–317

plan the process, 328–330

promoting resilience-aware culture, 319–320

provide resilience oversight, 321–322

provide resources for, 328–329

purpose of, 307

related process areas, 308

relationships driving threat/incident management, 58

review status with higher-level managers, 337

summary of specific goals and practices, 308

train people for, 331

enterprise level

monitoring at, 579

policies, 971

specifications for external entities, 353–354

enterprise management, aspects of CERT-RMM, 14–15

Enterprise Management process areas

COMM. See Communications (COMM)

COMP. See Compliance (COMP)

defined, 7–8

EF. See Enterprise Focus (EF)

FRM. See Financial Resource Management (FRM)

HRM. See Human Resource Management (HRM)

model view of, 54–55

OTA. See Organizational Training and Awareness (OTA)

overview of, 41–43

RISK. See Risk Management (RISK)

enterprise-level controls

as administrative controls, 246

assessing effectiveness of, 253–254

creating, 248–250

defined, 242

enterprise-level resilience requirements

assigning to services, 753–754

defined, 971

establishing, 751–752

identifying, 750

overview of, 748

entities, creating identities for. See Identity Management (IM)

Environmental Control (EC)

achieve specific goals, 290

assign resilience requirements to facility assets, 276–277

assign responsibility for, 296–297

Cloud Computing and, 963

collect improvement information, 304–305

control operational environments, 282–283

defined, 971

establish and implement controls, 277–280

establish defined process, 304

establish process governance, 290–292

establish resilience-focused facility assets, 275

FISMA compliance, 958

identify and involve relevant stakeholders, 299–300

introductory notes, 271–272

maintain environmental conditions, 285–286

manage dependencies on public infrastructure, 288–289

manage dependencies on public services, 287

manage facility asset risk, 280–282

manage work product configurations, 298–299

monitor and control the process, 300–302

monitor needs of, 586

objectively evaluate adherence, 303

as Operations process area, 57

perform facility sustainability planning, 284–285

plan for facility retirement, 289–290

plan the process, 292–293

prioritize facility assets, 273–274

protect facility assets, 275–276

provide resources for, 293–295

purpose of, 271

related process areas, 272

review status with higher-level managers, 303

summary of specific goals and practices, 272

train people for, 297–298

environments. See operational environments

equipment

as critical dimension of organizations, 8–9

service intervals in maintaining, 894–895

errors, availability of technology assets and, 891

escalation. See incident escalation

escrow provisions, external dependencies management, 362

establish and maintain, defined, 971

establish defined process. See defined process

establish process governance. See governance

Establishing and Managing Resilience, Engineering, 56

establishing phase, process improvement, 82–83

evaluation

of external entities, 358–359

form for assessing training effectiveness, 670

using CERT-RMM as basis for, 78–79

event detection

analyzing and triaging events, 482–483

collecting, documenting, and preserving event evidence, 481–482

establishing process for, 478

logging and tracking events, 480–481

monitoring, identifying, and reporting events, 478–479

transitioning from detection to declaration, 484

event logging, in incident management, 480–481

event triage

defined, 971

overview of, 482

events

defined, 971

disruptive. See disruptive events

evidence collection, responding to incidents, 489

example blocks, process area

defined, 47–48

typographical and structural conventions, 51

EXD. See External Dependencies Management (EXD)

exercises. See also test (exercise) service continuity plans, 971

exit interview process, 429

expected components

defined, 972

overview of, 43–44

summary of, 48

expenditures, optimizing resilience

determine return on investments, 396–397

identify cost recovery opportunities, 397–398

overview of, 394–396

expense requests, funding resilience activities, 391

experience, incorporating into process assets, 639–641

external dependencies, 972

External Dependencies Management (EXD)

achieve specific goals, 365

assign responsibility for, 370–371

Cloud Computing and, 962

collect improvement information, 379–380

defined, 972

develop resilient software across life cycle with, 108

establish defined process, 378–379

establish enterprise specifications for, 353–354

establish formal relationships, 352–353

establish process governance, 366–367

establish resilience specifications for, 355–357

evaluate and select external entities, 358–359

formalize relationships, 360–362

identify and involve relevant stakeholders, 373–374

identify external dependencies, 344–347

identify risks associated with external dependencies, 349–351

introductory notes, 341–343

manage external entity performance, 363–365

manage work product configurations, 373

monitor and control the process, 375–377

objectively evaluate adherence, 377–378

as Operations process area, 57

plan the process, 368

prioritize external dependencies, 348–349

provide resources for, 368–370

purpose of, 341

related process areas, 343

review status with higher-level managers, 378

risk mitigation strategies for external dependencies, 352

summary of specific goals and practices, 344

train people for, 371–372

external entities, 972

external sources, of vulnerabilities, 920

F

facilities. See also Asset Definition and Management (ADM) and Environmental Control (EC)

facility assets. See also Asset Definition and Management (ADM)

access privileges focusing on, 153

achieve specific goals, 290

assign resilience requirements to, 276–277

assign responsibility for, 296–297

in CERT-RMM, 32

collect improvement information, 304–305

controlling operational environment, 282–283

defined, 972

establish and implement controls for, 277–280

establish process governance for, 290–292

establish resilience-focused, 33–35, 275

identify and assess risk for, 280–281

identify and involve relevant stakeholders, 299–300

life-cycle of, 38

manage work product configurations, 298–299

managing dependencies on public infrastructure for, 288–289

managing dependencies on public services for, 287

monitor and control, 300–302

objective views for, 60–61, 63–64

perform sustainability planning, 284–285

plan for retirement of, 289–290

plan process for, 292–293

prioritization of, 273–274

protect, 35–36, 275–276

provide resources for, 293–295

review status with higher-level managers, 304

risk mitigation strategies for, 281–282

train people, 297–298

Federal Energy Regulatory Commission (FERC), 101–102

federations

correcting inconsistencies in identity community, 458

defined, 447, 972

of identities, 468

FERC (Federal Energy Regulatory Commission), 101–102

financial commitment, establishing

establish structure to support, 384–386

for operational resilience management, 383–384

overview of, 382–383

financial exceptions, in cost and performance analysis, 394

Financial Resource Management (FRM)

account for resilience activities, 392–394

achieve specific goals, 398

assign responsibility for, 402–403

collect improvement information, 410

commit funding for operational resilience management, 383–384

defined, 972

Enterprise Management and, 54–55

establish defined process, 409

establish financial commitment, 382–383

establish process governance, 398–400

establish structure to support financial management, 384–386

fund resilience activities, 390–391

identify and involve relevant stakeholders, 404–406

introductory notes, 381–382

manage work product configurations, 404

monitor and control the process, 406–407

objectively evaluate adherence, 408

optimize resilience expenditures and investments, 394–398

perform financial planning, 386–390

plan the process, 400

provide resources for, 400–402

purpose of, 391

related process areas, 382

review status with higher-level managers, 409

summary of specific goals and practices, 382

train people for, 403–404

Financial Services Technology Consortium (FTSC), 11

first responders, 972

FISMA compliance, 957–961

flexibility vs. consistency, 611

formal agreements, with external entities

assigning responsibility, 370

overview of, 360–362

formal relationships, with external entities

establish enterprise specifications, 353–354

establish formal agreements, 360–362

establish resilience specifications, 355–357

evaluate and select external entities, 358–359

overview of, 352–353

FRM. See Financial Resource Management (FRM)

FTSC (Financial Services Technology Consortium), 11

functional monitoring requirements, 972

funding. See also Financial Resource Management (FRM)

establishing baseline competencies to determine, 414

operational resilience management, 316–319

resource provision and, 948

funding, for process areas

Access Management, 164

Asset Definition and Management, 138

Communications, 199

Compliance, 213, 230

Controls Management, 260

Enterprise Focus, 329

Environmental Control, 294

External Dependency Management, 369

Human Resource Management, 437

Identity Management, 463

Incident Management and Control, 500

Knowledge and Information Management, 538

Measurement and Analysis, 568

Monitoring, 597

Organizational Process Definition, 620

Organizational Process Definition and, 618

Organizational Process Focus, 644

Organizational Training and Awareness, 675

People Management, 705

Resilience Requirements Development, 760

Resilience Requirements Management, 782

Resilient Technical Solution Engineering, 817

Risk Management, 737

Service Continuity, 856

Technology Management, 903

Vulnerability Analysis and Resolution, 932

fuzz testing, 972

G

general guidelines, for Resilient Technical Solution Engineering, 798–800

generic goals and practices

applying, 74

assign responsibility, 948–949

capability levels related to, 69–73

collect improvement information, 955

defined, 46–48, 972–973

elaborations, 74

establish defined process, 954

establish process governance, 946

identify and involve relevant stakeholders, 951

manage work product configurations, 950

monitor and control the process, 951–953

objectively evaluate adherence, 953

perform specific practices, 945

plan the process, 946–947

process areas supporting, 74–75

provide resources, 948

review status with higher-level managers, 953

tags and numbering scheme for, 49

train people, 949–950

typographical and structural conventions, 50

understanding, 73

using practice-level scope, 88–89

geographical controls

establishing and managing. See Environmental Control (EC)

for operational environment, 283

geographical dispersion, 973

geopolitical shifts, stress of managing globalization risks, 23

global economy, stress of managing operational risk in, 22–23

globalization, operational resilience management and, 2

goals. See also objectives

establishing resilience through goals and objectives, 423–424

generic. See generic goals and practices

measure performance against goals and objectives, 425–426

governance, process

Access Management, 161–162

Asset Definition and Management, 135–136

Communications, 196–197

Compliance, 212, 227–228

Controls Management, 241, 257–259

defined, 973

Enterprise Focus, 327–328

Environmental Control, 290–292

establish corrective actions, 325–326

establish resilience as focus area of, 322–323

External Dependencies Management, 366–367

Financial Resource Management, 398–400

generic goals and practices, 946

Human Resource Management, 433–435

Identity Management, 460–462

Incident Management and Control, 497–498

Knowledge and Information Management, 534–536

Measurement and Analysis, 566–567

Monitoring, 594–595

Organizational Process Definition, 617–618

Organizational Process Focus, 641–643

Organizational Training and Awareness, 671–673

People Management (PM), 701–703

perform resilience oversight, 323–325

provide resilience oversight, 321–322

Resilience Requirements Development, 757–758

Resilience Requirements Management, 779–780

Resilient Technical Solution Engineering, 814–815

risk and crisis oversight and, xvi

Risk Management, 734–735

Service Continuity, 853–855

Technology Management, 899–901

Vulnerability Analysis and Resolution, 929–930

grid modernization, electric power industry, 103–104

guidance, using CERT-RMM as basis for, 78–79

guidelines. See also standards

for configuration management, 886

establish tailoring criteria and, 610–612

for handling information assets, 517

for integrated teams, 615–616

for monitoring, 589–591

for resilience, 320–321

for service continuity, 835

guidelines, for resilient technical solutions

identify architecture and design guidelines, 801–802

identify assembly and integration guidelines, 805–807

identify general guidelines, 798–800

identify implementation guidelines, 802–805

identify requirements guidelines, 800–801

integrating selected guidelines with software and system development process, 809–810

select and tailor, 808–809

H

hardware, integrity of, 882

hazards, service continuity planning and, 832

higher-level managers, reviewing with

Access Management, 172

Asset Definition and Management, 145

Communications, 206

Compliance, 238

Controls Management, 268–269

Enterprise Focus, 337

Environmental Control, 304

External Dependencies Management, 378

Financial Resource Management, 409

generic goals and practices, 953

Human Resource Management, 445

Identity Management, 471

Incident Management and Control, 509

Knowledge and Information Management, 547

Measurement and Analysis, 575

Monitoring, 603

Organizational Process Definition, 627

Organizational Process Focus, 651

Organizational Training and Awareness, 683

People Management (PM), 714

Resilience Requirements Development, 768

Resilience Requirements Management, 790–791

Resilient Technical Solution Engineering, 827

Risk Management, 744

Service Continuity, 865

Technology Management, 912

Vulnerability Analysis and Resolution, 940

Highfill, Darren, 99–100

high-value assets

defined, 973

metrics for, 893

high-value information, encryption of, 524–525

high-value services

defined, 973

as focus of CERT-RMM, 29

identify and prioritize, 835–836

identify internal and external dependencies and interdependencies, 837

identify vital organizational records and databases, 837–839

prioritization of technology assets related to, 871–872

resilience requirements for, 33–35

Human Resource Management (HRM)

achieve specific goals, 433

address skill deficiencies, 416–418

assign responsibility for, 437–438

collect improvement information, 445–446

defined, 973

Enterprise Management and, 54–55

establish baseline competencies, 414–415

establish defined process, 445

establish disciplinary process, 426–427

establish process governance, 433–435

establish resilience as job responsibility, 423

establish resilience performance goals/objectives, 423–425

establish resource needs, 413

identify and involve relevant stakeholders, 441–442

insider threats and, 963–964

introductory notes, 411–412

inventory skills and identify gaps, 415–416

manage changes to employment status, 412, 427–432

manage staff acquisition, 418–422

manage staff performance. See performance, in staff management

manage work product configurations, 440–441

measure and assess performance, 425–426

monitor and control the process, 442–444

objectively evaluate adherence, 444

plan the process, 435–436

provide resources for, 436–437

purpose of, 411

related process areas, 412

review status with higher-level managers, 445

summary of specific goals and practices, 413

train people for, 439–440

I

icons, process area, 42–43

IDEAL model, 82–83

identify and involve relevant stakeholders. See stakeholders, identify and involve

identities

assign roles to, 453–454

correct inconsistencies in, 457–459

creating, 450–451

defined, 973

deprovision, 459–460

establish identity community, 452–453

manage, 454

monitor and manage changes to, 455–456

overview of, 449–450

periodically review/maintain, 456–457

identity community

assigning roles to identities, 453–454

correcting inconsistencies in, 457–459

defined, 973

establishing, 452–453

monitoring and managing changes in, 455–456

periodic review of, 456–457

Identity Management (IM). See also Access Management (AM); Risk Management (RISK)

achieve specific goals, 460

assign responsibility for, 464–465

assign roles to identities, 453–454

collect improvement information, 471–472

create identities, 450–451

defined, 973

enable access request and approval, 152

establish defined process, 471

establish identities, 449–450

establish identity community, 452–453

establish process governance, 460–462

FISMA compliance, 958

identify and involve relevant stakeholders, 467–468

introductory notes, 447–449

manage work product configurations, 466–467

monitor and control the process, 468–470

monitoring needs of, 586

objectively evaluate adherence, 470–471

as Operations process area, 57

plan the process, 462

provide resources for, 462–464

purpose of, 447

related process areas, 449

review status with higher-level managers, 471

specific goals and practices, 449

train people for, 465–466

identity profiles, 973

identity registration, 974

identity repository, 974

IM. See Identity Management (IM)

IMC. See Incident Management and Control (IMC)

impact valuation, 974

implementation guidelines, for resilient software and systems, 802–805

improvement information, collecting

Access Management, 173–174

Asset Definition and Management, 146–147

Communications, 207–208

Compliance, 239–240

Controls Management, 269–270

Enterprise Focus, 338–339

Environmental Control, 304–305

External Dependencies Management, 379–380

Financial Resource Management, 410

generic goals and practices, 955

Human Resource Management, 445–446

Identity Management, 471–472

Incident Management and Control, 510–511

Knowledge and Information Management, 548–549

Measurement and Analysis, 576

Monitoring, 604–605

Organizational Process Definition, 628

Organizational Process Focus, 652

Organizational Training and Awareness, 684

People Management, 714–715

for process areas, 202

Resilience Requirements Development, 769

Resilience Requirements Management, 791–792

Resilient Technical Solution Engineering, 828–829

Risk Management, 745–746

Service Continuity, 866–867

Technology Management, 913–914

Vulnerability Analysis and Resolution, 940–941

improvement mind-set, benefits of CERT-RMM, 6

inappropriate behavior, identifying staff risks, 691

incident closure, 492–493, 974

incident declaration

analyzing incidents, 485–486

criteria for, 484–485

to support response, 483–484

incident escalation

communications and, 187

defined, 974

Incident Management and Control, 487–488

incident life cycle, 974

Incident Management and Control (IMC)

achieve specific goals, 497

analyze and triage events, 482–483

analyze incidents, 485–486

assign responsibility for, 501–502

assign staff for, 477–478

close incidents, 492–493

collect, document, and preserve event evidence, 481–482

collect improvement information, 510–511

communicate incidents, 490–492

declare events for response planning, 483–484

define criteria for event declaration, 484–485

defined, 974

detect and report events, 478–479

escalate incidents, 487–488

establish defined process, 510

establish process for, 475–476

establish process governance, 497–498

FISMA compliance, 959

identify and involve relevant stakeholders, 504–506

identify communications requirements, 180

integrate incident handling with problem management, 494–495

introductory notes, 473–475

learn from incidents, 493

log and track events, 480–481

manage work product configurations, 504

monitor and control the process, 506–508

monitoring needs of, 586

objectively evaluate adherence, 508–509

plan for, 476–477

plan the process, 498–499

post-incident review, 493–494

provide resources for, 499–500

purpose of, 473

related process areas, 475

relationships driving threat/incident management, 57–58

respond to/recover from incidents, 487–490

review status with higher-level managers, 509

summary of specific goals and practices, 475

train people, 502–503

translate lessons into strategy, 495–496

incident owner, 974

incident response

closing incidents, 492–493

communication in, 490–492

defined, 974

developing and implementing, 488–490

escalation of incidents, 487–488

establishing process for, 487

incident stakeholder, 974

incidents, 974

incomplete process, capability level 0, 70

informal diagnosis, of current resilience practices, 94–95

information. See also Asset Definition and Management (ADM) and Knowledge and Information Management (KIM)

access privileges focusing on, 153

as asset in CERT-RMM, 31–32

establishing compliance knowledgebase or repository, 220–221

identifying external dependencies, 344–347

life-cycle of, 37

objective views for, 59, 61

processing cycle, 529–530

protecting and sustaining, 35–36

resilience requirements for, 33–35

information asset baseline, 974

information asset categorization, 975

information asset container, 975

information asset owner, 975

information assets

defining. See Asset Definition and Management (ADM)

definition of, 974

managing. See Knowledge and Information Management (KIM)

information technology. See IT (information technology)

informative component

defined, 975

overview of, 43–44

summary of, 48

infrastructure

for communications, 190–191

managing dependencies on public, 288–289

for monitoring, 588–589

initialisms, acronyms used in this book, 989–992

initiating phase, process improvement. See also objectives, setting and communicating, 82

insider threats, 963

inspections, product release and, 812–813

institutional knowledge. See organizational and intellectual knowledge

institutionalization

capability levels and, 68–69

CERT-RMM as organizing structure for, 80

CERT-RMM generic goals and practices, 73–74

connecting capability levels to, 69–73

defined, 975

defined process. See defined process

managed process. See managed process

overview of, 67

process areas supporting generic practices, 74–75

instructors

for awareness program, 659–660

for training program, 667

intangible assets, stress of managing, 22

integrated teams, establish rules and guidelines for, 615–616

integration guidelines, for Resilient Technical Solution Engineering, 805–807

integrity

checks, 221, 562

data analysis and, 561–562

defined, 975

Knowledge and Information Management and, 513

of measurement information, 564

integrity, of technology assets

access controls, 882–883

overview of, 881–882

perform change management, 887–888

perform configuration management, 883–887

perform release management, 889–890

integrity of information assets

attributes, 514

configuration management, 529

modification management, 527–528

overview of, 527

validity and reliability, 529–530

intellectual property

contrasted with institutional knowledge, 532

defined, 975

protecting, 513

interdependencies, identify internal and external dependencies, 837

internal communications. See also Communications (COMM), 186–187

internal control system

assessing effectiveness of, 253–254

defined, 975

implementing for facility assets, 277–280

overview of, 241–242

interoperability

defined, 986

of technology assets, 897–899

interviews, to assess effectiveness of awareness program, 662

Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes (Caralli 2007), 12

inventory. See also repositories

of assets, 124–125

of compliance obligations, 216–217

maintaining changes to assets and, 133–134

of service continuity plans, 843

of skills, 415–416, 985

of staff, 688

of stored data, 564

investigation reports, in establishing disciplinary process, 427

investments, resilience

determining return on, 396–397

identify cost recovery opportunities, 397–398

optimize resilience expenditures and, 394–396

involuntary termination of employment

managing, 431–432

overview of, 428

IT (information technology)

evolution of CERT-RMM, 9–12

managing operational risk for, 23

as traditional focus of operational risk management, 8–9

J

job descriptions

creating to reflect base competencies, 415

developing requisitions for unfilled positions, 417–418

establishing terms and conditions of employment, 420–422

incident management plan and, 477

inserting resilience obligations in, 423

updating to incorporate missing skills, 417

job-specific verification criteria, 419–420

K

key control indicators (KCIs)

defined, 975

performing resilience oversight, 325

key indicators

establish corrective actions, 325–326

perform resilience oversight, 325

key performance indicators (KPIs), 325

key risk indicators (KRIs)

defined, 975

performing resilience oversight, 325

Knowledge and Information Management (KIM)

access controls for information assets, 525–526

achieve specific goals, 533

assign responsibility for, 538–539

availability of information assets, 530–531

categorize information assets, 517–518

Cloud Computing and, 963

collect improvement information, 548–549

confidentiality and privacy considerations, 523–524

configuration management, 529

controls for information assets, 519–521

defined, 975

disposal management, 526–527

document organizational and intellectual knowledge of staff, 532–533

duplication and retention of information assets, 531–532

encrypt high-value information, 524–525

establish defined process for, 547–548

establish process governance, 534–536

FISMA compliance, 959

identify and assess risks, 522

identify and involve relevant stakeholders, 542–543

integrity management, 527

introductory notes, 513–514

manage work product configurations, 541

mitigate risks, 523

modification management, 527–528

monitor and control the process, 543–545

objectively evaluate adherence, 546

as Operations process area, 57

plan the process, 536

prioritize information assets, 516–517

protect information assets, 518–519

provide resources for, 536–538

purpose of, 513

related process areas, 514–515

resilience requirements for information assets, 519

review status with higher-level managers, 547

risk management and, 521

summary of specific goals and practices, 515

train people for, 540–541

validity and reliability of information assets, 529–530

knowledgebase

for compliance data, 220

for incident management, 481

L

labor, funding resilience activities, 391

laws

documenting events and, 481–482

external dependencies management, 362

stress of managing operational risk, 23

layering, of controls, 247

learning

from incidents and events, 493

integrating incident handling with problem management, 494–495

lessons learned and communicated, 639–640

overview of, 493

post-incident review, 493–494

translating lessons into strategy, 495–496

learning phase, process improvement, 82–83

legal issues. See laws

libraries, process asset, 613–614

licensing agreements, with external entities, 360–362

life-cycle

addressing resilience for software assurance, 104–110

of assets, 794

integration of resilience requirements in, 797

resilience of, 36–39

line of business, 976

Lockheed Martin Corporation, using CERT-RMM, 110–115

logs

asset modification, 883–884

configuration management, 887

Incident Management and Control, 480–481

M

MA. See Measurement and Analysis (MA)

maintenance

adaptive, 285, 966

of infrastructure, 190–191

perfective, 285, 979

preventive, 285, 979

of service continuity tests, 851

of technology assets, 894–895

manage work product configurations. See work product configurations

managed process

as capability level 2, 70–72

defined, 976

management

developing operational resilience plan for, 314–316

identity. See identity management

of risks due to external dependencies, 349–350

management, preparing for communications

establish plan, 183–185

establish program, 185–186

identify and plan staff, 186–188

overview of, 183

management, preparing for compliance

establish guidelines and standards, 214

establish plan, 211–212

establish program, 212–214

overview of, 210–211

managers

identifying vital, 689

process governance and, 946

review with higher-level. See higher-level managers, reviewing with

Managing for Enterprise Security (Caralli 2004), 11

maturity advantage, of CERT-RMM, 7

maturity models

CERT-RMM objectives vs., 12

CERT-RMM vs., 18–19

characteristics setting CERT-RMM apart from other, 113

raising bar on business resilience, 111–112

measurement. See also improvement information, collecting

for assessing performance, 425–426

benefits of CERT-RMM, 5–7

effectiveness of service continuity plans, 851

establish corrective actions, 325–326

establish risk measurement criteria, 722–723

objectives, 976

of operational resistance, 115–118

perform resilience oversight, 324–325

repository, 612–613

Measurement and Analysis (MA)

Access Management and, 170–171

achieve specific goals, 565

align activities with information needs and objectives, 553

analysis procedures for, 559–561

analyze measurement data, 562–563, 640

assign responsibility for, 569–570

collect improvement information, 576

collect measurement data, 561–562

communicate results, 564–565

data collection and storage procedures for, 557–559

defined, 976

establish defined process for, 575–576

establish objectives, 553–555

establish process governance, 566–567

identify and involve relevant stakeholders, 571–573

introductory notes, 551–552

manage work product configurations, 571

measurement results, 561

measures for, 556–557

measuring operational resistance using CERT-RMM, 115–118

monitor and control the process, 573–574

monitor asset definition and management process, 142–144

objectively evaluate adherence, 574–575

plan the process, 567

as Process Management, 59

provide resources for, 567–569

purpose of, 551

related process areas, 552

review status with higher-level managers, 575

store data and results, 563–564

summary of specific goals and practices, 552

train people for, 570–571

measurement results

analyze data, 562–563

collect data, 561–562

communicate, 564–565

overview of, 561

store data and results, 563–564

measures

base measures, 556, 561–562, 967

classes of commonly used, 612–613

defined, 976

derived measures, 556, 561–562, 563, 971

overview of, 556–557

media, distribution methods and, 593

Mehravari, Dr. Nader, PhD, 109–110

memoranda of agreement, with external entities, 360–362

methods. See also tools, techniques, and methods

controls management, 261

environmental control, 295

establishing infrastructure for communications, 190–191

identify communications, 188–190

metrics. See also improvement information, collecting; monitor and control

capacity planning, 896

for high-value technology assets, 893

measure and assess performance with, 425–426

Measurement and Analysis, 551

for monitoring process, 602

for operational resistance, 117–118

performing resilience oversight, 324–325

misuse/abuse case, 976

mitigation

conflict mitigation plans, 755

for external dependencies, 352

for facility assets, 281–282

implement risk strategies, 731

risk mitigation plans, 729–731

of risks, 729

of staff risks, 692–693

of technology asset risks, 880–881

model components. See components, model

model relationships

model view. See model view

objective views. See objective views, for assets

overview of, 53–54

model scope

asset scope, 89–90

defined, 84, 976

establishing improvement objective with, 87–88

practice-level scope, 88–89

resilience scope, 89–90

targeted improvement roadmaps, 88

model view

defined, 54

Engineering process areas, 56

Enterprise Management process areas, 54–55

Operations process areas, 56–57

Process Management, 57–59

model-based process improvement, using CERT-RMM for, 80–83

modification management, for information assets, 527–528

MON. See Monitoring (MON)

monitor and control

Access Management, 169–171

Asset Definition and Management, 142–144

Communications, 203–205

Compliance, 225–226, 236–237

controls for information assets, 521

Controls Management, 265–266

Enterprise Focus, 333–336

Environmental Control, 300–302

event detection and, 478–479

execution of software and system development plan, 810–812

External Dependencies Management, 375–377

Financial Resource Management, 406–407

generic goals and practices, 951–953

Human Resource Management, 442–444

for identity changes, 455–456

Identity Management, 468–470

Incident Management and Control, 506–508

Knowledge and Information Management, 543–545

Measurement and Analysis, 573–574

Monitoring, 601–603

Organizational Process Definition, 624–626

Organizational Process Focus, 649–650

Organizational Training and Awareness, 680–682

People Management, 711–713

performing resilience oversight, 324–325

process implementation and, 639

Resilience Requirements Development, 765–766

Resilience Requirements Management, 787–789

Resilient Technical Solution Engineering, 823–826

Risk Management, 741–743

risks to information assets, 522

Service Continuity, 862–864

software and systems, 795

Technology Management, 909–911

Vulnerability Analysis and Resolution, 937–939

Monitoring (MON)

achieve specific goals, 594

analyze and prioritize requirements for, 585–587

assign responsibility for, 597–598

collect and record information, 591–592

collect improvement information, 604–605

defined, 976

develop resilient software across life cycle with, 108

distribute information, 592–594

establish collection standards and guidelines, 589–591

establish defined process, 604

establish process governance, 594–595

establish requirements for, 583–585

establishing/maintaining program for, 578–581

establish/maintain infrastructure for, 588–589

FISMA compliance, 959

identify and involve relevant stakeholders, 581–582, 600–601

introductory notes, 577–578

manage work product configurations, 599–600

monitor and control the process, 601–603

objectively evaluate adherence, 603

performance of, 587–588

plan the process, 596

as Process Management, 59

provide resources for, 596–597

purpose of, 577

related process areas, 578

relationships driving resilience at enterprise level, 55

relationships driving threat/incident management, 58

review status with higher-level managers, 603

summary of specific goals and practices, 578

train people for, 598–599

monitoring infrastructure, 976

monitoring requirements, 976

monitoring stakeholder, 976

Moss, Michele, 104–105

N

natural disasters

availability of technology assets and, 890–891

identifying staff risks, 691

NERC (North American Electric Reliability Corporation), 100, 102

non-compliance

demonstrating extent of compliance obligation satisfaction, 221–223

evaluate adherence to compliance process, 238

remediate areas of, 223–225

requirements for identifying and documenting risks of, 214

North American Electric Reliability Corporation (NERC), 100, 102

notes, process area

defined, 47–48

typographical and structural conventions, 51

notification communications, 187

numbering scheme, process areas, 47–49

O

objective views, for assets

facilities, 60–61, 63–64

information, 59, 61

people, 59–60

perspectives addressed by, 59

technology, 60, 62

objectively evaluate adherence. See adherence, objective evaluation of

objectives, measurement and analysis

aligning needs by objectives, 553

establishing, 553–555

updating, 559

objectives, setting and communicating

capability level targets, 90–92

model scope, 87–90

organizational objectives, 84–85

organizational scope, 85–87

overview of, 83–85

relating process needs to, 631

using CERT-RMM for strategic/operational, 78

objects, creating identities for. See Identity Management (IM)

obligations, compliance

analyzing, 217–218

assign responsibility for, 231–232

collect and validate compliance data, 219–221

demonstrate extent of satisfaction with, 221–223

developing plan for managing, 211–212

establish ownership for meeting, 218–219

evaluate adherence to, 238

identify and document, 215–217

monitor activities, 225–226

remediate areas of non-compliance, 223–225

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, CERT, 10

off-budget request for funds, process for, 391

off-cycle request for funds, process for, 391

online references

CERT-RMM, 12

The Crosswalk, 13

developing resilient software across life cycle, 108–109

OPD. See Organizational Process Definition (OPD)

open borders, stress of managing globalization risks, 22–23

operational constraints, 976

operational controls, 242

operational environments

identifying vulnerabilities, 917–918

maintain environmental conditions, 285–286

manage dependencies on public infrastructure, 288–289

manage dependencies on public services, 287

overview of, 282–283

perform facility sustainability planning, 284–285

plan for facility retirement, 289–290

operational objectives

establish scope of improvement, 84

using CERT-RMM to support, 78

operational resilience, 976–977

operational resilience management

applying risk information to, 731–732

assets, 30–33

business processes, 29–30

CERT-RMM v1.1 introducing system of, 12

as competitive differentiator, xvi

concept of, 25–27

defined, 105, 977

developing program for, 316–317

governing. See Enterprise Focus (EF)

identifying resilience requirements. See Resilience Requirements Development (RRD)

incident management and, 473–474

life-cycle coverage, 36–39

managing resilience requirements. See Resilience Requirements Management (RRM)

managing risk, 717

measuring using CERT-RMM, 115–118

monitoring and, 577, 583

resilience requirements, 33–35

services, 27–29

strategies for protecting/sustaining assets, 35–36

training and awareness and, 653

operational resilience process group (ORPG), 617, 672

operational resilience requirements

Access Management and, 155–156

asset disposal and, 526

for assets. See Resilience Requirements Development (RRD)

assign to technology assets, 875–876

change management, 131

Communications and, 179–181, 183–184

defined, 977, 982

driving operational resilience through, 33–35

establishing, 26–27

for facility assets, 276–277

identify inconsistencies in meeting, 778

for information assets, 518–519

maintain traceability of, 776–777

manage changes to, 775–776

Measurement and Analysis and, 554

obtain commitment to, 774–775

for software and system development, 797

for software and systems, 800–801

understanding, 773–774

operational risk

common problems of, 3–4

defined, 25–26, 977

how CERT-RMM solves problems of, 5–6

managing. See Risk Management (RISK)

overview of, 2–3

to technology assets, 878–881

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method, CERT, 10

Operations process areas

AM. See Access Management (AM)

defined, 7–8

EC. See Environmental Control (EC)

EXD. See External Dependencies Management (EXD)

IM. See Identity Management (IM)

IMC. See Incident Management and Control (IMC)

KIM. See Knowledge and Information Management (KIM)

model view of, 56–57

overview of, 42–43

PM. See People Management (PM)

TM. See Technology Management (TM)

VAR. See Vulnerability Analysis and Resolution (VAR)

OPF. See Organizational Process Focus (OPF)

optimization of resilience expenditures/investments

determining return on resilience investments, 396–397

identify cost recovery opportunities, 397–398

optimize resilience expenditures, 394–396

overview of, 394

organizational and intellectual knowledge, of staff, 532–533

organizational assets. See also Asset Definition and Management

creating identities for access to, 449–451

defined, 978

enable access to, 152–155

establish common understanding of, 126–128

establish ownership and custodianship, 128–130

establishing, 123–124

inventory assets, 124–126

manage and control access to, 151–152

returning upon departure from job, 430–431

organizational impact area. See area of impact

organizational objectives, 84–85

organizational process assets

establish measurement repository, 612–613

establish process asset library, 613–614

establish rules and guidelines for integrated teams, 615–616

establish work environment standards, 614–615

establishing, 608

set of standard processes, 608–610

tailoring criteria and guidelines, 610–612

Organizational Process Definition (OPD)

Access Management and, 173–174

achieve specific goals, 617

assign responsibility for, 620–621

collect improvement information, 628

defined, 978

establish defined process, 627–628

establish measurement repository, 612–613

establish process asset library, 613–614

establish process governance, 617–618

establish rules and guidelines for integrated teams, 615–616

establish standard processes, 608–610

establish tailoring criteria and guidelines, 610–612

establish work environment standards, 614–615

identify and involve relevant stakeholders, 623–624

introductory notes, 607

manage work product configurations, 623

monitor and control the process, 624–626

objectively evaluate adherence, 626–627

plan the process, 619

as Process Management, 59

provide resources for, 619–620

purpose of, 607

related process areas, 608

review status with higher-level managers, 627

summary of specific goals and practices, 608

train people for, 621–623

Organizational Process Focus (OPF)

Access Management and, 173–174

achieve specific goals, 641

appraise organizational processes, 632–633

Asset Definition and Management, 145

assign responsibility for, 645–646

collect improvement information, 652

deploy process assets, 636–637

deploy standard processes, 638

determine process improvement opportunities, 630

establish defined process, 652

establish process action plans, 634–635

establish process governance, 641–643

establish process needs, 631–632

identify and involve relevant stakeholders, 648–649

identify improvements to processes, 633–634

implement process action plans, 636

incorporate experiences into process assets, 639–641

introductory notes, 629–630

manage work product configurations, 647–648

monitor and control the process, 649–650

monitor process implementation, 639

objectively evaluate adherence, 651

plan and implement process actions, 634

plan the process, 643

as Process Management, 59

provide resources for, 643–645

purpose of, 629

review status with higher-level managers, 651

summary of specific goals and practices, 630

train people for, 646–647

organizational process maturity, 978

organizational scope

defined, 978

overview of, 84–87

organizational sensitivity. See sensitivity

organizational subunits

defined, 978

in organizational scope, 86

planning practice instantiation, 96

organizational superunits

defined, 979

in organizational scope, 86

planning practice instantiation, 96

Organizational Training and Awareness (OTA)

Access Management and, 164, 167

achieve specific goals, 671

assess effectiveness of awareness program, 662–663

assess effectiveness of training program, 670–671

Asset Definition and Management and, 137, 140

assign responsibility for, 676–677

collect improvement information, 684

conduct training, 668

defined, 979

deliver resilience training, 668–669

Enterprise Management and, 54–55

establish awareness delivery capability, 658–660

establish awareness needs, 655–657

establish awareness plan, 657–658

establish defined process for, 683

establish process governance, 671–673

establish training capability, 666–668

establish training needs, 664–665

establish training plan, 665–666

establish training records, 669–670

FISMA compliance, 960

identify and involve relevant stakeholders, 679–680

Incident Management and Control and, 510–511

introductory notes, 653–654

Knowledge and Information Management and, 548–549

manage work product configurations, 678–679

Measurement and Analysis and, 576

monitor and control the process, 680–682

Monitoring and, 604–605

objectively evaluate adherence, 682–683

Organizational Process Definition and, 628

Organizational Process Focus and, 652

perform awareness activities, 660–661

establish awareness records, 661–662

plan the process, 673–674

provide resources for, 674–675

purpose of, 653

related process areas, 654

review status with higher-level managers, 683

summary of specific goals and practices, 655

train people for, 677–678

organizational units

defined, 979

deploying standard processes to, 638

in organizational scope, 85–87

planning practice instantiation, 96

standard processes tailored by, 607–608

organizationally high-valued services. See high-value services

organizations

defined, 977

process asset library. See process asset library

role in External Dependencies Management, 341–343

standard processes. See standard processes

ORPG (operational resilience process group), 617, 672

OTA. See Organizational Training and Awareness (OTA)

overhead allocation, funding resilience activities, 391

oversight, resilience

establish corrective actions, 325–326

as governance focus area, 322–323

for operational resilience management program, 317

overview of, 321

performing, 323–325

ownership

of access management, 152, 156, 168–169

of asset definition and management, 126–130

of compliance, 231–232

of compliance obligations, 218–219

defining, 32–33

of environmental control, 296–297

planning and, 946

P

partnerships, operational resilience management and, 2

passwords, access control via, 525

patch management, 889

PDCA (Plan, Do, Check, Act) cycle, 80–81, 82–83

peer pressure, 101–103

people

as asset. See Asset Definition and Management (ADM), People Management (PM), and Human Resource Management (HRM)

as asset in CERT-RMM, 31–32

creating identities for. See Identity Management (IM)

as critical dimension of organizations, 8–9

as human resource. See Human Resource Management (HRM)

life-cycle, 37

objective views for, 59–60

protecting and sustaining, 35–36

resilience requirements for, 33–35

People Management (PM)

achieve specific goals, 701

assign responsibility for, 706–707

collect improvement information, 714–715

defined, 412, 979

establish defined process for, 714

establish process governance, 701–703

establish redundancy for vital staff, 694–695

establish vital staff, 687–690

identify and assess staff risks, 691–692

identify and involve relevant stakeholders, 710–711

insider threats and, 964

introductory notes, 685–686

manage staff availability, 693–694

manage work product configurations, 709

mitigate staff risks, 692–693

monitor and control the process, 711–713

objectively evaluate adherence, 713

as Operations process area, 57

perform succession planning, 695–697

plan for return-to-work following disruptive events, 700–701

plan the process, 703–704

plan to support staff during disruptive events, 698–700

prepare for redeployment, 697–698

provide resources for, 704–706

purpose of, 685

related process areas, 686–687

review status with higher-level managers, 714

summary of specific goals and practices, 687

train people for, 707–709

perfective maintenance

defined, 979

of environmental conditions, 285

perform specific practices, generic goals and practices, 945

performance

analysis for funded resilience management activities, 393–394

corrective actions for poor, 325–326

management of staff, 411

managing external entity, 363–365

measuring against plan, 573

measuring and assessing, 425–426

performance, in staff management

establish disciplinary process, 426–427

establish resilience as job responsibility, 423

establish resilience performance goals/objectives, 423–425

measure and assess performance, 425–426

overview of, 411, 422–423

performed processes

defined, 979

managed processes vs., 71–72

overview of, 70

periodic reviews. See reviews

physical controls

access control via, 525

defined, 979

at enterprise/service/asset levels, 248–250

establishing and managing. See Environmental Control (EC)

for facility assets, 277, 279

for information assets, 519–521

overview of, 247

for technology assets, 876–878

Plan, Do, Check, Act (PDCA) cycle, 80–81, 82–83

plan the process

Access Management, 163

Asset Definition and Management, 136–137

Communications, 183–184, 197–198

Compliance, 211–212, 229

Controls Management, 259

Enterprise Focus, 328

Environmental Control, 292–293

External Dependencies Management, 368

for facility retirement, 289–290

Financial Resource Management, 400

generic goals and practices, 946–947

Human Resource Management, 435–436

Identity Management, 462

Incident Management and Control, 498–499

Knowledge and Information Management, 536

Measurement and Analysis, 567

Monitoring, 596

for operational resilience management system, 314–317

Organizational Process Definition, 619

Organizational Process Focus, 643

Organizational Training and Awareness, 673–674

People Management, 703–704

remediating areas of non-compliance, 224

Resilience Requirements Development, 758–759

Resilience Requirements Management, 780–781

Resilient Technical Solution Engineering, 816

Risk Management, 735

Service Continuity, 855

Technology Management, 901–902

Vulnerability Analysis and Resolution, 930–931

planned downtime, 890, 979

planning CERT-RMM-based improvements, 95–97

plans

awareness, 657–658

capacity, 896

control revision, 732

development plans. See development plans, for resilient technical solutions

process actions, 634

risk mitigation, 692–693, 729–731

service continuity, 697–698, 733

succession, 695–697

sustaining technology assets, 891–894

training, 665–666

plans, financial

defining funding needs, 387–388

establishing resilience budgets, 388–389

for funding resilience management activities, 386–387

resolving funding gaps, 389–390

plans, for disruptive events

staff return-to-work, 700–701

staff support, 698–700

PM. See People Management (PM)

policies

change management, 887–888

Compliance, 216

configuration management, 886

Controls Management, 259

developing and publishing for compliance, 228

Enterprise Focus, 328

environmental control, 291–292

External Dependencies Management, 367

Financial Resource Management, 385–386, 391, 399–400

Human Resource Management, 434–435

identify compliance obligations, 215–216

Identity Management, 461–462

Incident Management and Control, 498

information assets, 518

internal control, 241–242

Knowledge and Information Management, 535

Measurement and Analysis, 567

Monitoring, 595

Organizational Process Definition, 618

Organizational Process Focus, 642–643

Organizational Training and Awareness, 673

People Management, 702–703

release management, 889–890

Resilience Requirements Development, 758

Resilience Requirements Management, 780

Resilient Technical Solution Engineering, 815

Risk Management, 735

Service Continuity, 854–855

sponsoring resilience, 320–321

standard processes adhering to, 610

Technology Management, 901

Vulnerability Analysis and Resolution, 930

post-incident review, 493–494, 979

practice-level scope, 88–90

practices

damage of evaluation based on, 9–10

defining CERT-RMM, 14–15

generic. See generic goals and practices

limitations of organizations focused on, 9

organizing structure for deployed, 79–80

planning instantiation of, 95–96

pre-employment verification of staff, 418–419

preventive controls, 247–248

preventive maintenance

defined, 979

of environmental conditions, 285

prioritization

of candidates for process improvement, 634

of control objectives, 246

of data collection/storage, 559

of external dependencies, 348–349

of high-value services, 835–836

of information assets, 516–517

of measures, 557

of monitoring requirements, 585–587

of risk, 727

of risks, 726

of staff, 687

of vulnerabilities, 924–925

prioritization, of technology assets

establish resilience-focused technology assets, 873–874

overview of, 871–873

privacy

access controls and, 526

attributes of information assets, 514

defined, 979

of information assets, 523–524

privileges. See access privileges

problem management

defined, 980

integrating incident handling with, 494–495

procedures

as critical dimension of organizations, 8–9

for handling information assets, 517

process actions

establish action plans, 634–635

implement action plans, 636

planning and implementing, 634

process architecture, 610, 980

process areas

ADM. See Asset Definition and Management (ADM)

AM. See Access Management (AM)

arranging in model view, 54–59

by category, 41–42

in CERT-RMM and CMMI models, 12–15

COMM. See Communications (COMM)

COMP. See Compliance (COMP)

component categories, 42–44

component descriptions, 44–47

CTRL. See Controls Management (CTRL)

defined, 980

EC. See Environmental Control (EC)

EF. See Enterprise Focus (EF)

EXD. See External Dependencies Management (EXD)

FRM. See Financial Resource Management (FRM)

generic goals and practices, 950

HRM. See Human Resource Management (HRM)

icons, 42–43

IM. See Identity Management (IM)

IMC. See Incident Management and Control (IMC)

institutionalization of. See institutionalization

KIM. See Knowledge and Information Management (KIM)

MA. See Measurement and Analysis (MA)

MON. See Monitoring (MON)

numbering scheme, 47–49

OPD. See Organizational Process Definition (OPD)

OPF. See Organizational Process Focus (OPF)

OTA. See Organizational Training and Awareness (OTA)

PM. See People Management (PM)

RISK. See Risk Management (RISK)

RRD. See Resilience Requirements Development (RRD)

RRM. See Resilience Requirements Management (RRM)

RTSE. See Resilient Technical Solution Engineering (RTSE)

SC. See Service Continuity (SC)

selecting for model scope, 87–90

supporting generic practices, 74–75

tags, 47–49

TM. See Technology Management (TM)

typographical and structural conventions, 49–51

VAR. See Vulnerability Analysis and Resolution (VAR)

process asset library

collecting improvement information for communications, 208

defined, 977, 980

establishing, 613–614

process capability, 980

process element, 980

process governance. See governance, process

process improvement

appraisal of organizational processes, 632–633

CERT-RMM for, 77

CERT-RMM for model-based, 80–83

CERT-RMM vs. CMMI focus, 15

determining opportunities for, 630

establish organizational process needs, 631–632

identify improvements, 633–634

proposals, 641

Process Management process areas

defined, 7–8

MA. See Measurement and Analysis (MA)

model view of, 57–59

MON. See Monitoring (MON)

OPD. See Organizational Process Definition (OPD)

OPF. See Organizational Process Focus (OPF)

overview of, 42–43

process maturity, 978

process performance, 980

processes

defined, 980

definition of. See Organizational Process Definition (OPD)

focus of. See Organizational Process Focus (OPF)

production environment, use of CERT-RMM in, 14

profiles, identity

assigning roles to identities, 454

correcting inconsistencies in, 458–459

deprovisioning, 459–460

establishing, 450–451

establishing identity community from, 452–453

plan process for, 462–463

protection, of information assets

controls for, 519–521

overview of, 518–519

resilience requirements, 519

protection, of technology assets

controls for, 876–878

overview of, 874–875

resilience requirements, 875–876

protection strategy

for assets, 35–36

defined, 981

resilience requirements as basis of, 35

protocols, communication, 491

provide resources, generic goals and practices. See resources, providing

provisioning

defined, 981

establishing identities and, 447

proximity, 981

public infrastructure, 981

public services

defined, 981

managing dependencies on, 287

purchase orders, with external entities, 360–362

purchase requests, funding resilience activities, 391

purpose statements

for process areas, 44, 48

typographical and structural conventions, 50
