CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience

List of Figures xi List of Tables xiii Preface xv Acknowledgments xxi Part One: About the Cert Resilience Management Model 1 Chapter 1: Introduction 7 1.1 The Influence of Process Improvement and Capability Maturity Models 8 1.2 The Evolution of CERT-RMM 10 1.3 CERT-RMM and CMMI Models 15 1.4 Why CERT-RMM Is Not a Capability Maturity Model 18 Chapter 2: Understanding Key Concepts in CERT-RMM 21 2.1 Foundational Concepts 21 2.2 Elements of Operational Resilience Management 27 2.3 Adapting CERT-RMM Terminology and Concepts 39 Chapter 3: Model Components 41 3.1 The Process Areas and Their Categories 41 3.2 Process Area Component Categories 42 3.3 Process Area Component Descriptions 44 3.4 Numbering Scheme 47 3.5 Typographical and Structural Conventions 49 Chapter 4: Model Relationships 53 4.1 The Model View 54 4.2 Objective Views for Assets 59 Part Two: Process Institutionalization and Improvement 65 Chapter 5: Institutionalizing Operational Resilience Management Processes 67 5.1 Overview 67 5.2 Understanding Capability Levels 68 5.3 Connecting Capability Levels to Process Institutionalization 69 5.4 CERT-RMM Generic Goals and Practices 73 5.5 Applying Generic Practices 74 5.6 Process Areas That Support Generic Practices 74 Chapter 6: Using CERT-RMM 77 6.1 Examples of CERT-RMM Uses 78 6.2 Focusing CERT-RMM on Model-Based Process Improvement 80 6.3 Setting and Communicating Objectives Using CERT-RMM 83 6.4 Diagnosing Based on CERT-RMM 92 6.5 Planning CERT-RMM-Based Improvements 95 Chapter 7: CERT-RMM Perspectives 99 Using CERT-RMM in the Utility Sector, by Darren Highfill and James Stevens 99 Addressing Resilience as a Key Aspect of Software Assurance Throughout the Software Life Cycle, by Julia Allen and Michele Moss 104 Raising the Bar on Business Resilience, by Nader Mehravari, PhD 110 Measuring Operational Resilience Using CERT-RMM, by Julia Allen and Noopur Davis 115 Part Three: CERT-RMM Process Areas 119 Asset Definition and Management 121 Access Management 149

The authors are senior technical staff members within the CERT Program of the Software Engineering Institute (SEI). Richard A. Caralli, Resilient Enterprise Management technical manager, develops and delivers methods, tools, and techniques for enterprise security and resilience management. He has led the development of CERT-RMM. Julia H. Allen conducts research in operational resilience, software security and assurance, and measurement and analysis. She served as the SEI's Acting Director and Deputy Director/COO and authored The CERT(R) Guide to System and Network Security Practices (Addison-Wesley, 2001). David W. White, a core member of the CERT-RMM development team, develops CERT-RMM and related products and helps organizations apply them.