Acknowledgments

This book is the culmination of many years of hard work by many talented people dedicated to the belief that security, continuity, and IT operations management processes can be improved, and operational resilience can be actively directed, controlled, and measured. These people have spent countless hours poring over codes of practice, interviewing senior personnel in organizations with high-performance resilience programs, applying and field testing the concepts in this book, and codifying the 26 most common process areas that compose a convergent view of operational resilience.

CERT-RMM is a major component of this book. Early models were created by Richard Caralli, working with members of the Financial Services Technology Consortium over a four-year period from 2004 through 2008. The model was significantly enhanced as additional model team members joined our efforts. The resulting model included in this book (CERT-RMM v1.1) is the work of the CERT-RMM Model Team, which includes Richard Caralli, David White, Julia Allen, Lisa Young, and Pamela Curtis.

CERT-RMM v1.1 was refined and recalibrated through benchmarking activities performed over a period of two years by security and continuity professionals at prominent financial institutions. The model team is forever indebted to the following people who participated in that effort (listed here with the companies at which they worked during the benchmarking effort):

• Ameriprise Financial: Barry Gorelick

• Capital Group: Michael Gifford and Bo Trowbridge

• Citi: Andrew McCruden, Patrick Keenan, Victor Zhu, and Joan Land

• Discover Financial Services: Rick Webb, Kent Anderson, Kevin Novak, and Ric Robinson

• JPMorgan Chase & Co.: Judith Zosh, Greg Pinchbeck, and Kathryn Wakeman

• Marshall & Ilsley Corporation: Gary Daniels and Matthew Meyer

• MasterCard Worldwide: Randall Till

• PNC Financial Services: Jeffery Gerlach and Louise Hritz

• U.S. Bank: Jeff Pinckard, Mike Rattigan, Michael Stickney, and Nancy Hofer

• Wachovia: Brian Clodfelter

In addition, we are grateful for the contributions of people from organizations that bravely performed early appraisal pilots using the model, including Johnny E. Davis, Kimberly A. Farmer, William Gill, Mark Hubbard, Walter Dove, Leonard Chertoff, Deb Singer, Deborah Williams, Bill Sabbagh, Jody Zeugner, Tim Thorpe, and the many other participants from the Environmental Protection Agency; and Nader Mehravari, Joan Weszka, Michael Freeman, Doug Stopper, Eric Jones, and many other talented people from Lockheed Martin Corporation.

Last, but certainly not least, we owe much of the momentum that created this model to Charles Wallen from American Express. In 2005, as the Executive Director of the Business Continuity Standing Committee for the Financial Services Technology Consortium, Charles came to the CERT Program at the Software Engineering Institute with a desire to create a resiliency maturity model based on work being performed at CERT. Five years later (which is only four years and 46 weeks longer than we hoped it would take!), we have a functional model.

We would also like to thank those who supported this effort at the Software Engineering Institute and CERT.

We thank Rich Pethia, Director–CERT Program, for his support, patience, encouragement, and direction during the development and piloting of the model. We have special thanks for William Wilson, Deputy Director–CERT Program, and especially Barbara Laswell, Director–CERT Enterprise Workforce Development Directorate, for their day-to-day direction and assistance in helping us build a community of believers and helping us navigate through all of the challenges inherent in a long, arduous effort. In particular, Barbara has been an internal champion from the beginning and an ardent source of encouragement in the most trying times of the development of this model.

A special thanks goes to all of those who contributed essays in Chapter 7. Your insight has been invaluable in helping us understand how the community can make use of this important work.

Finally, special thanks to our Addison-Wesley partners, especially Peter Gordon, for their guidance and assistance with the design, editing, and final production of this book.

From Richard Caralli

I owe the completion of this book to so many SEI and CERT people. Lisa Young worked tirelessly to do much of the basic research for this work and to create many interim deliverables. Her knowledge of security and continuity codes of practice is astonishing. No matter what request we made of her, she was always willing to jump in and help. David White single-handedly led the charge to make organizations aware of CERT-RMM. He devoted countless hours to getting the message out, no matter where that journey took him. It turned out in the process that he also had significant knowledge of the subject matter and taught us a few things! This book would not be possible without him. Julia Allen saved the day. When Lisa, David, and I were struggling with too many commitments, Julia seamlessly swooped in and single-handedly completed a significant portion of the model. I can never thank her enough for her contributions and her willingness to put her own important research aside and become a part of our team. And if you ever have the fortune to work with Julia, you also get the side benefits of knowing a genuinely kind, collaborative, and intelligent person who gives everything unconditionally. This also reminds me of my friend Pamela Curtis. Pamela has contributed tirelessly to the development effort of CERT-RMM and in making us all look good with her constant polishing and refinement of the model. To call her a technical editor does not adequately characterize the impact she has had on this book. Her quick comprehension of the subject matter redefined forever what we will expect technical editors to do. She has truly raised the bar.

From Julia Allen

I thank my two coauthors, Rich and David; Rich for his vision and leadership of CERT’s operational resilience work over many years, particularly when there were many doubters of its value, and David for his commitment, insight, and fieldwork to validate the model. They have both been my mentors and teachers. I thank Lisa Young for leading our efforts in appraisal and assessment and for valuable lessons learned in applying CERT-RMM to meet customer needs. I benefited significantly from Pamela Curtis’s steady hand, challenging comments, and unique ability to connect the dots across all CERT-RMM process areas. I greatly appreciate Barbara Laswell’s recognition of the power in integrating CERT’s enterprise security governance guidance with CERT-RMM, which was the catalyzing event for my joining the CERT-RMM development team. I will be forever grateful for the opportunity she offered me to contribute to this body of work, and for Rich’s and the team’s warm welcome. I would be remiss if I did not recognize and thank two SEI colleagues who helped form, shape, and influence my thinking regarding how to adapt process maturity concepts and practices for application to the operational and software security domains. Eileen Forrester and I worked on this over many years; she is one of the most capable thinkers in this space with whom I’ve had the good fortune to work. And Suzie Garcia, the queen of CMMI, codified process maturity and capability modeling concepts. I would like to thank Gene Kim, CTO of Tripwire, for articulating and advocating the numerous connections between information security, IT operations, audit, and risk management, and for introducing the SEI to some of the most experienced and competent leaders in this field, including all of the participants in our joint Best in Class Security and Operations Round Table, held in October 2003. I am incredibly blessed and fortunate to be able to contribute every day to a profession I love, in collaboration with smart, talented, passionate, and committed colleagues.

From David White

My contributions to this work and this book would not have been possible without the support, encouragement, and leadership of Rich Caralli and Bill Wilson. They were both champions for changes in my career trajectory that led to my involvement and success in this work; I am forever grateful. Rich’s knowledge of the subject matter and vision for the model were ever present and provided the necessary guidance for me and the team to reach this point. Julia Allen, my friend and coauthor, was a very welcome addition to the team. I thank her for sharing her knowledge and for being a source of inspiration, a sounding board, and a really hard worker. I am thankful to Lisa Young for always being available when I needed to talk through an issue with the model, for sharing her encyclopedic knowledge of practice bodies, for partnering with me on the first appraisal, and for her constant friendship and support. Pamela Curtis has been exacting and thorough in helping us with language consistency, in finding and resolving loose ends, and in working hard to drive this model to completion; thank you, Pamela. Charles Wallen’s vision and tireless advocacy for this work and its importance to the financial sector were critically important to our early outreach activities and to engaging the first users of the model. At the U.S. Environmental Protection Agency, Johnny Davis provided the leadership and vision that enabled our successful first RMM appraisal. The appraisal team was tireless and tenacious in producing sound and beneficial results; I thank my fellow appraisal team members Kimberly Farmer, Steve Masters, and Lisa Young. Lockheed Martin Corporation supported an RMM pilot to evaluate the model for its use. The pilot and its success were made possible by the leadership and vision of Nader Mehravari, the tenacity and support of Joan Weszka, the appraisal process knowledge and skills of Michael Freeman, the site knowledge and hard work of Eric Jones, and the exacting and thorough preparation by Doug Stopper. I also thank Nader and his team for sharing their brilliant insights about the model and its use in a large organization. There are many other people who could be named here; I am fortunate to have worked with many great people in pursuit of this work.
