Richard A. Caralli, Julia H. Allen, David W. White. CERT Resilience Management Model

Подождите немного. Документ загружается.

threat actor A situation, entity, individual, group, or action that has the poten-

tial to exploit a threat. [RISK] [VAR]

threat environment The set of all types of threats that could affect the current

operations of the organization. (See the related term threat.)

threat motive The reason that a threat actor would exploit a vulnerability or

otherwise cause harm. [RISK] [VAR]

unplanned downtime Interruption in the availability of an information or tech-

nology asset (and, in some cases, a facility asset) due to an unplanned event

or incident, often resulting from diminished operational resilience. [TM]

user Any entity or object to which the organization has granted some form

of access to an organizational asset. Typically referred to as an “identity.”

(See the related term identity.)

vital records Records that must be preserved and available for retrieval if

needed. This refers to records or documents that, for legal, regulatory, or

operational reasons, cannot be irretrievably lost or damaged without materi-

ally impairing the organization’s ability to conduct business. [KIM]

vital staff A select group of individuals who are absolutely essential to the

sustained operation of the organization, particularly under stressful

conditions. [PM]

vulnerability An exposure, flaw, or weakness that could be exploited. The

susceptibility of an organizational service or asset to disruption. [VAR]

vulnerability analysis and resolution (VAR) An operations process area in

CERT-RMM. The purpose of Vulnerability Analysis and Resolution is to

identify, analyze, and manage vulnerabilities in an organization’s operating

environment.

vulnerability management strategy A strategy for identifying and reducing

exposure to known vulnerabilities. [VAR]

vulnerability repository An organizational inventory of known vulnerabilities.

[VAR]

vulnerability resolution The action that the organization takes to reduce or

eliminate exposure to vulnerability. [VAR]

waiver Documentation for staff members who have been exempted from aware-

ness training or other activities for any reason. Such documentation

includes the rationale for the waiver and approval by the individual’s man-

ager (or similarly appropriate person). Each required course should include

criteria for granting training waivers. [OTA]

Appendix C Glossary of Terms 987

This page intentionally left blank

989

APPENDIX D

ACRONYMS AND INITIALISMS

ADM Asset Deﬁnition and Management (process area)

AM Access Management (process area)

BSIMM Building Security In Maturity Model

CBCP Certiﬁed Business Continuity Professional

CIO chief information ofﬁcer

CISA Certiﬁed Information Systems Auditor

CISSP Certiﬁed Information Systems Security Professional

CMF CMMI Model Foundation

CMMI Capability Maturity Model Integration

CMMI-ACQ CMMI for Acquisition

CMMI-DEV CMMI for Development

CMMI-SVC CMMI for Services

COBIT Control Objectives for Information and Related Technology

COMM Communications (process area)

COMP Compliance (process area)

COPPA Children’s Online Privacy Protection Act

COR cost of resilience

COSO Committee of Sponsoring Organizations of the Treadway Commission

frameworks

COTS commercial off-the-shelf

CPA Certiﬁed Public Accountant

CSIRT computer security incident response team

990 PART FOUR THE APPENDICES

CTRL Controls Management (process area)

CVE Common Vulnerabilities and Exposures project

CXO higher-level managers (CEO, CSO, etc.)

DBA database administrator

DRII Disaster Recovery Institute International

EC Environmental Control (process area)

EF Enterprise Focus (process area)

EUDPA European Union Data Protection Directive

EXD External Dependencies Management (process area)

FBI U.S. Federal Bureau of Investigation

FCRA Fair Credit Reporting Act

FERC Federal Energy Regulatory Commission

FERPA Family Educational Rights and Privacy Act

FRM Financial Resource Management (process area)

FSTC Financial Services Technology Consortium

GG generic goal

GLBA Gramm-Leach-Bliley Act

GP generic practice

HIPAA Health Insurance Portability and Accountability Act

HRM Human Resource Management (process area)

HVAC heating, ventilation, and air conditioning

ID Identity Management (process area)

IIA Institute of Internal Auditors

IMC Incident Management and Control (process area)

ISACA Information Systems Audit and Control Association

ISO International Organization for Standardization

ISSA Information Systems Security Association

IT information technology

ITIL Information Technology Infrastructure Library

KCI key control indicator

KIM Knowledge and Information Management (process area)

KPI key performance indicator

Appendix D Acronyms and Initialisms 991

KRI key risk indicator

MA Measurement and Analysis (process area)

MCSE Microsoft Certiﬁed Systems Engineer

MON Monitoring (process area)

OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation

OPD Organizational Process Deﬁnition (process area)

OPF Organizational Process Focus (process area)

ORPG operational resilience process group

OTA Organizational Training and Awareness (process area)

OWASP Open Web Applications Security Project

PA process area

PCI DSS Payment Card Industry Data Security Standard

PDA personal digital assistant

PM People Management (process area)

RFID radio frequency identiﬁcation

RFP request for proposals

RISK Risk Management (process area)

RMA Risk Management Association

RMM Resilience Management Model

RORI return on resilience investment

RPO recovery point objective

RRD Resilience Requirements Development (process area)

RRM Resilience Requirements Management (process area)

RTO recovery time objective

RTSE Resilient Technical Solution Engineering (process area)

SAMM Software Assurance Maturity Model

SC Service Continuity (process area)

SCADA supervisory control and data acquisition

SCAMPI Standard CMMI Appraisal Method for Process Improvement

SEI Software Engineering Institute

SG speciﬁc goal

SLA service level agreement

992 PART FOUR THE APPENDICES

SOX Sarbanes-Oxley Act

SP speciﬁc practice

TM Tec hn ol og y M an a ge me nt ( pr oc es s are a)

US-CERT United States Computer Emergency Readiness Team

VAR Vulnerability Analysis and Resolution (process area)

993

APPENDIX E

REFERENCES

URLs are valid as of the publication date of this book.

Alberts 1999 C. J. Alberts, S. G. Behrens, R. D. Pethia, and W. Wilson,

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Framework, Version 1.0, Carnegie Mellon University, Software Engineering

Institute, Technical Report CMU/SEI-99-TR-017, 1999. [Online].

www.sei.cmu.edu/library/abstracts/reports/99tr017.cfm.

Allen 2004 J. H. Allen et al., Best in Class Security and Operations Roundtable

Report, Carnegie Mellon University, Software Engineering Institute, Special

Report CMU/SEI-2004-SR-002, 2004. Available upon request from

info@sei.cmu.edu.

Caralli 2004 R. A. Caralli, Managing for Enterprise Security, Carnegie Mellon

University, Software Engineering Institute, Technical Note CMU/SEI-2004-

TN-046, 2004. [Online].

www.sei.cmu.edu/library/abstracts/reports/04tn046.cfm.

Caralli 2006 R. A. Caralli, Sustaining Operational Resiliency: A Process Improve-

ment Approach to Security Management, Carnegie Mellon University, Software

Engineering Institute, Technical Note CMU/SEI-2006-TN-009, 2006.

[Online]. www.sei.cmu.edu/library/abstracts/reports/06tn009.cfm.

Caralli 2007 R. A. Caralli et al., Introducing the CERT Resiliency Engineering

Framework: Improving the Security and Sustainability Processes, Carnegie

Mellon University, Software Engineering Institute, Technical Report

CMU/SEI-2007-TR-009, 2007. [Online].

www.sei.cmu.edu/library/abstracts/reports/07tr009.cfm.

Caralli 2010 R. A. Caralli et al., CERT Resilience Management Model, Version 1.0,

Carnegie Mellon University, Software Engineering Institute, Technical

Report CMU/SEI-2010-TR-012, 2010. [Online].

www.sei.cmu.edu/library/abstracts/reports/10tr012.cfm.

994 PART FOUR THE APPENDICES

CMMI Product Team 2006 CMMI Product Team, CMMI for Development,

Ve r si o n 1 .2 , Carnegie Mellon University, Software Engineering Institute,

Te ch ni ca l Re po rt C MU /S E I- 20 06 -T R- 00 8, 20 06 . [O nl in e] .

www.sei.cmu.edu/library/abstracts/reports/06tr008.cfm.

CMMI Product Team 2009 CMMI Product Team, CMMI for Services, Version

1.2, Carnegie Mellon University, Software Engineering Institute, Technical

Report CMU/SEI-2009-TR-001, 2009. [Online].

www.sei.cmu.edu/library/abstracts/reports/09tr001.cfm.

CNSS 2009 Committee on National Security Systems, Instruction No. 4009,

National Information Assurance Glossary, Revised June 2009.

Deming 2000 W. E . D e m i n g , Out of the Crisis, MIT Press, 2000. [Online].

http://mitpress.mit.edu/shared/contact/default.asp.

Dougherty 2009 C. Dougherty, K. Sayre, R. C. Seacord, D. Svoboda, and

K. Togashi, Secure Design Patterns, Carnegie Mellon University, Software

Engineering Institute, Technical Report CMU/SEI-2009-TR-010, 2009.

[Online]. www.sei.cmu.edu/library/abstracts/reports/09tr010.cfm.

Economist 2007 Economist Intelligence Unit, “Business Resilience: Ensuring

Continuity in a Volatile Environment,” The Economist Intelligence Unit,

2007.

FFIEC 2004 Federal Financial Institutions Examination Council, Outsourcing

Te c h n o l o g y S e r v i c e s (IT Examination Handbook), 2004. [Online].

www.fﬁec.gov/fﬁecinfobase/booklets/outsourcing/Outsourcing_Booklet.pdf.

Imai 1986 M. Imai, Kaizen: The Key to Japan’s Competitive Success, McGraw-

Hill/Irwin, 1986.

Manadhata 2010 P. K . M a n a d h a t a a n d J . M . W i n g , Attack Surface Measurement,

2010. [Online]. www.cs.cmu.edu/~pratyus/as.html.

McFeeley 1996 R. McFeeley, IDEAL: A Users Guide for Software Process

Improvement, Carnegie Mellon University, Software Engineering Institute,

Handbook CMU/SEI-96-HB-001, 1996. [Online].

www.sei.cmu.edu/library/abstracts/reports/96hb001.cfm. See also

www.sei.cmu.edu/library/abstracts/presentations/idealmodelported.cfm.

Mead 2010 Nancy Mead et al. Master of Software Assurance Reference Curricu-

lum, Carnegie Mellon University, Software Engineering Institute, Technical

Report CMU/SEI-2010-TR-005, 2010.

Microsoft 2009 Microsoft Corporation, Microsoft Security Development Life

Cycle, Version 4.1, Microsoft Corporation, 2009. [Online].

www.microsoft.com/security/sdl/.

Appendix E References 995

REF Team 2008a Resiliency Engineering Framework Team, CERT Resiliency

Engineering Framework v0.95R, Carnegie Mellon University, Software

Engineering Institute, 2008. [Online].

www.cert.org/resilience/rmm_materials.html.

REF Team 2008b Resiliency Engineering Framework Team, CERT Resiliency

Engineering Framework: Code of Practice Crosswalk, Preview Version, v0.95R,

Carnegie Mellon University, Software Engineering Institute, 2008. [Online].

www.cert.org/resilience/rmm_materials.html.

SCAMPI Upgrade Team 2006 SCAMPI Upgrade Team, Appraisal Requirements

for CMMI, Version 1.2 (ARC, V1.2), Carnegie Mellon University, Software

Engineering Institute, Technical Report CMU/SEI-2006-TR-011, 2006.

[Online] www.sei.cmu.edu/library/abstracts/reports/06tr011.cfm. See also

www.sei.cmu.edu/cmmi/tools/appraisals/materials.cfm.

van Opstal 2007 D. van Opstal, The Resilient Economy: Integrating Competitive-

ness and Security, Council on Competitiveness, Washington, DC, 2007.

[Online]. http://compete.org.

Westby 2008 J. R. Westby and R. Power, Governance of Enterprise Security:

CyLab 2008 Report, Carnegie Mellon CyLab, 2008. [Online]

www.cylab.cmu.edu/outreach/governance.html.

This page intentionally left blank