Richard A. Caralli, Julia H. Allen, David W. White. CERT Resilience Management Model
Подождите немного. Документ загружается.
Chapter 3 Model Components 47
Ty p i c a l p r o c e s s a r t i f a c t s a r e u s e f u l a s m o d e l e l e m e n t s b e c a u s e t h e y p r o v i d e a b a s e -
line from which measurement of the performance of the practice can be gauged.
3.3.8 Subpractices, Notes, Example Blocks, Generic Practice Elaborations,
References, and Amplifications
Subpractices are informative elements associated with each specific practice and
relevant to typical work products. Subpractices are a transition point for process-
area–specific practices because the focus changes at this point from what must be
done to how. While not prescriptive or detailed, subpractices can help organiza-
tions determine how they can satisfy the specific practices and achieve the goals
of the process area. Each organization will have its own subpractices that it has
either organically developed or has acquired from a code of practice.
Subpractices can include notes and example blocks. Notes provide expanded
and explanatory detail for subpractices where necessary. Examples provide rele-
vant and real-world illustrations and depictions that support understanding of
the subpractices.
Generic practice and subpractice elaborations provide guidance about how the
generic practice should be applied uniquely to the process area. For example, in
every process area, subpractice 1 of generic goal 2, generic practice 3 (“Provide
Resources”), is “Staff the process.” In the Incident Management and Control process
area, the subpractice elaboration lists examples of staff required to perform the inci-
dent management and control process, such as staff responsible for triaging events.
References are pointers to related, additional, or more detailed information in
other process areas or other components within the same process area. The CERT
Resiliency Engineering Framework: Code of Practice Crosswalk, Preview Version,
v0.95R [REF Team 2008b] contains subpractice references to common codes of
practice that aid in effectively adopting CERT-RMM regardless of what practices
an organization has already invested in and implemented.
Amplifications explain or describe a unique aspect of a practice. They are
used in Asset Definition and Management to describe the differences between
asset types. Otherwise, they are infrequently used in the current version of the
model. Future versions of the model will use amplifications to describe how a
particular process area is addressed for a specific asset type, such as software, sys-
tems, or facilities.
Figure 3.6 illustrates the structure of the major model components and indi-
cates whether all or part of each component is required, expected, or informative.
3.4 Numbering Scheme
Process areas in CERT-RMM are tagged with a two- to four-letter tag. The tags for
all the process areas are shown in Table 3.3.
48 PART ONE ABOUT THE CERT RESILIENCE MANAGEMENT MODEL
FIGURE 3.6
Summary of Major Model Components
TA BL E 3 . 3 Pro ce ss Ar ea Tag s
Process Area Tag
Asset Definition and Management ADM
Access Management AM
Communications COMM
Compliance COMP
Controls Management CTRL
Environmental Control EC
Enterprise Focus EF
External Dependencies Management EXD
Financial Resource Management FRM
Human Resource Management HRM
Identity Management ID
Incident Management and Control IMC
Knowledge and Information Management KIM
Measurement and Analysis MA
Monitoring MON
Purpose
Statement
Introductory
Notes
Related Process
Areas
Specific
Goals
Generic
Goals
Required
Element
Specific
Practices
Generic
Practices
Expected
Element
Typical Work
Products
Subpractices
Subpractice
Elaborations
Subpractices
Informative
Element
Legend
Process Area
(PA)
Chapter 3 Model Components 49
Process Area Tag
Organizational Process Definition OPD
Organizational Process Focus OPF
Organizational Training and Awareness OTA
People Management PM
Risk Management RISK
Resilience Requirements Development RRD
Resilience Requirements Management RRM
Resilient Technical Solution Engineering RTSE
Service Continuity SC
Te c h n o l o g y M a n ag e m e n t TM
Vulnerability Analysis and Resolution VAR
Specific and generic goals are tagged and numbered as follows: SG refers to a
specific goal; GG refers to a generic goal. These are appended to the CERT-RMM
process area tags and numbered. For example, “ADM:SG1” is specific goal 1 in
the Asset Definition and Management process area, and “ADM:GG3” is generic
goal 3 in the Asset Definition and Management process area.
Specific and generic practices are tagged and numbered as follows: SP refers
to a specific practice; GP refers to a generic practice. These are appended to the
CERT-RMM process area tags and the specific goal and generic goal tags, respec-
tively, and are numbered. For example, “ADM:SG1.SP1” is specific practice 1 in
specific goal 1 in ADM, and “ADM:GG2.GP3” is generic practice 3 in generic
goal 2 in ADM.
Ty p i c a l w o r k p r o d u c t s a r e n u m b e r e d s e q u e n t i a l l y b e g i n n i n g w i t h “ 1 ” w i t h i n
each specific practice. Subpractices are numbered sequentially beginning with
“1” in each specific or generic practice. Subpractices are referenced in text with
their specific or generic practice tag. For example, “ADM:SG2.SP1 subpractice 1”
is subpractice 1 in specific practice 1 in specific goal 2 in ADM, and
“ADM:GG2.GP3 subpractice 2” is subpractice 2 in generic practice 3 in generic
goal 2 in ADM.
3.5 Typographical and Structural Conventions
Ty p o g r a p h i c a l a n d s t r u c t u r a l c o n v e n t i o n s h a v e b e e n u s e d i n t h e m o d e l t o d i s t i n -
guish model components and make them easier to recognize. Also, references to
other process areas or process area components are always styled in italic in
CERT-RMM.
These conventions can be seen in Figure 3.7, which shows extracts of process
area pages with model components identified.
50 PART ONE ABOUT THE CERT RESILIENCE MANAGEMENT MODEL
FIGURE 3.7
Format of Model Components (Continues)
Process area icon
Process area
tag
Process area
category
Purpose statement
Process area
category
Introductory
notes
Process area name
Specific goal
statement
Specific practice
statement
Specific practice
title
Specific goal title
Chapter 3 Model Components 51
Example block
Reference
Typical wor
k
products
Note
Subpractices
References
Generic sub
elaboration
FIGURE 3.7
Format of Model Components (Continued)
This page intentionally left blank
CHAPTER 4
MODEL RELATIONSHIPS
Successful process improvement efforts align with and help to accomplish business
and strategic objectives. Otherwise, there is no reason for the organization to invest
in improving processes. Business and strategic objectives may reflect the organiza-
tion’s critical success factors (to improve sales volume) or compliance regulations
(to meet stricter information privacy rules) or even address a continuing issue or
challenge for the organization (to prevent further data breaches). These objectives
should drive how you use model-based process improvement methods, techniques,
and tools, including CERT-RMM.
CERT-RMM in its entirety looks ominous at first glance. One reason for this is
that operational resilience management encompasses many disciplines and prac-
tices. Another reason is that CERT-RMM provides extensive elaborative material
to help you make practical use of the model. Once you understand the relation-
ships in the model—and you are able to connect these with your own operational
resilience management processes—the CERT-RMM processes that are most rele-
vant to you will be fairly easy to identify and adopt.
There are two types of relationships that are useful to understand as you
become familiar with the model. The model view helps you to understand the
model from an architectural perspective. The way that process areas are grouped
provides perspective on the area of operational resilience management that
those process areas are intended to support. The objective view helps you see the
model through relationships that support a particular objective and what you
want to accomplish. For example, if your objective is to improve the manage-
ment of vulnerabilities to high-value information assets, the objective view links
together the process areas that would satisfy this objective. Because CERT-RMM
allows you to develop an approach to improvement that addresses specific
objectives, understanding each of these types of relationships can also be impor-
tant in helping you develop meaningful targeted improvement roadmaps, as dis-
cussed in Section 6.3.
53
54 PART ONE ABOUT THE CERT RESILIENCE MANAGEMENT MODEL
Understanding the key relationships that exist among CERT-RMM process
areas aids your adoption and application of the model. For this reason, each
process area references other process areas and details the nature of the relation-
ships between them. These references can be found in the “Related Process
Areas” section of each process area in Part Three.
In this section, we describe the model view and provide two visual examples of
how CERT-RMM process areas relate to each other to accomplish a common
objective. As the model continues to be used and adopted, additional objectives
and relationships will be developed and described.
4.1 The Model View
The model view simply arranges the process areas by process category. Process
areas in each category share common characteristics that form the foundational
architecture of the model.
4.1.1 Enterprise Management
The enterprise is an important concept in managing operational resilience. At the
enterprise level, the organization establishes and carries out many activities that
set the tone for operational resilience, such as governance, risk management, and
financial responsibility.
The process areas in the Enterprise Management category represent functions
and activities that are essential to broadly supporting the operational resilience
management system. This does not mean that these processes are or have to be
functionally positioned at an enterprise level. Instead, they represent organization-
wide competencies that affect the operational resilience of organizational units. For
example, the practices in the Risk Management process area may be performed by
an organizational unit, but their effectiveness may be limited by the overall risk
management capability of the organization.
The process areas that represent the Enterprise Management category are
• Communications [COMM]
• Compliance Management [COMP]
• Enterprise Focus [EF]
• Financial Resource Management [FRM]
• Human Resource Management [HRM]
• Organizational Training and Awareness [OTA]
• Risk Management [RISK]
Figure 4.1 depicts the relationships that drive resilience activities at the enter-
prise level.
Chapter 4 Model Relationships 55
FIGURE 4.1
Relationships That Drive Resilience Activities at the Enterprise Level
RRM
Operational resilience
plan and program
Resilience standards
and policies
Governance and
oversight
Strategic
objectives
and CSFs
SC
RRD
EF
CTRL
MON
RISK
VAR
COMP
HRM
FRM
COMM
IMC
OTA
EXD
Requirements
for protection
strategies
Data for governance
and decision making
Risk drivers, appetite,
and tolerances
Governance and
oversight
COMM – Communications
COMP – Compliance
CTRL – Controls Management
EF – Enterprise Focus
EXD – External Dependencies Management
FRM – Financial Resource Management
HRM – Human Resource Management
IMC – Incident Management and Control
MON – Monitoring
OTA – Organizational Training and Awareness
RISK – Risk Management
RRD – Resilience Requirements Development
RRM – Resilience Requirements Management
SC – Service Continuity
VAR – Vulnerability Analysis and Resolution
Funding
needs
Risks due to
non-compliance
Strategies to
mitigate risk
Strategies to mitigate
risk
Vulnerabilities
Communications
requirements and
standards
Communications plan
and program
Communications
requirements
Communications
training requirements
Awareness
requirements
Guidelines for
communicating about
incidents
Resilience goals
and objectives
Skill deficiencies and
training needs
Compliance
requirements and
standards
and program
Compliance plan
RORI
Committed
funds
Cost and
performance
analysis
Guidelines for
communicating with
external entities
Operational Resilience
Management System
Requirements for
sustainment
strategies
Compliance data
56 PART ONE ABOUT THE CERT RESILIENCE MANAGEMENT MODEL
4.1.2 Engineering
Aspects of operational resilience management are requirements-driven. Thus, the
process areas in the Engineering category represent those that are focused on
establishing and implementing resilience for organizational assets, business
processes, and services through a requirements-driven process. These processes
establish the basic building blocks for resilience and create the foundation to pro-
tect and sustain assets and, by reference, the business processes and services that
those assets support.
Engineering process areas fall into three broad categories:
• Requirements Management addresses the development and management of the
security (protect) and resilience (sustain) objectives for assets and services.
• Asset Management establishes the important people, information, technology, and
facilities assets across the enterprise.
• Establishing and Managing Resilience addresses the selection, implementation, and
management of preventive controls and the development and implementation of
service continuity and impact management plans and programs. It also addresses
early life-cycle consideration of resilience quality attributes for software and
systems.
The Engineering process areas include:
Requirements Management
• Resilience Requirements Development [RRD]
• Resilience Requirements Management [RRM]
Asset Management
• Asset Definition and Management [ADM]
Establishing and Managing Resilience
• Controls Management [CTRL]
• Resilient Technical Solution Engineering [RTSE]
• Service Continuity [SC]
4.1.3 Operations
The Operations process areas represent the core activities for managing the oper-
ational resilience of assets and services in the operations life-cycle phase. These
process areas are focused on sustaining an adequate level of operational resilience
as prescribed by the organization’s strategic drivers, critical success factors, and
risk appetite. These process areas represent core security, business continuity, and