Richard A. Caralli, Julia H. Allen, David W. White. CERT Resilience Management Model
Подождите немного. Документ загружается.
VAR:GG2.GP8 MONITOR AND CONTROL THE PROCESS
Monitor and control the vulnerability analysis and resolution process against the plan for
performing the process and take appropriate corrective action.
Elaboration:
Refer to the Monitoring process area for more information about the collection, organization,
and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establish-
ing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process
information to managers, identifying issues, and determining appropriate corrective
actions.
Subpractices
1. Measure actual performance against the plan for performing the process.
2. Review accomplishments and results of the process against the plan for perform-
ing the process.
Elaboration:
These are examples of metrics for the vulnerability analysis and resolution process:
• for high-value information, technology, and facilities assets (including assets
owned and managed by external entities as well as internally):
– number of high-value assets (by type) subject to process activities (This is
determined by the resilience requirements associated with identified assets
and assumes an up-to-date asset inventory [refer to the Asset Definition and
Management process area].)
– percentage of high-value assets that have been monitored for vulnerabilities
within an agreed-upon time interval
– percentage of high-value assets that have been audited or assessed for vulnera-
bilities within an agreed-upon time interval
– number of reported vulnerabilities by asset type or category for which some
form of resolution or remediation is called for (course of action, reduction,
elimination)
– percentage of vulnerabilities that have been satisfactorily remediated (or con-
versely, percentage of open vulnerabilities) by time interval (days, weeks, months)
– number of reported vulnerabilities for which a vulnerability management
strategy exists
– percentage of vulnerabilities with a vulnerability management strategy that is
on track per plan
– number and percentage of vulnerabilities requiring a root-cause analysis
• number of vulnerabilities referred to the risk management process; number of
vulnerabilities where corrective action is still pending (by risk rank)
Vulnerability Analysis and Resolution 937
VAR
3. Review activities, status, and results of the process with the immediate level of
management responsible for the process and identify issues.
Elaboration:
Periodic reviews of the vulnerability analysis and resolution process are needed to
ensure that
• current sources of vulnerability data are in use
• assets subject to the process are identified, documented, and included in the
scope of process activities
• assets that have been retired are removed from the scope of the process
• vulnerability data is identified, collected, and stored in a timely manner
• the vulnerability repository is established and maintained
• access to the vulnerability repository is limited to authorized staff
• vulnerability management status reports are provided to appropriate
stakeholders in a timely manner
• vulnerabilities are referred to the risk management process when necessary
• actions requiring management involvement are elevated in a timely manner
• the performance of process activities is being monitored and regularly reported
• key measures are within acceptable ranges as demonstrated in governance
dashboards or scorecards and financial reports
• administrative, technical, and physical controls are operating as intended
• controls are meeting the stated intent of the resilience requirements
• actions resulting from internal and external audits are being closed in a timely manner
• number of vulnerabilities referred to the incident management and control
process by time interval
• number of vulnerabilities referred to the service continuity process by time interval
• schedule for collecting, recording, and distributing vulnerability data, including
elapsed time from high-value data collection to data distribution to key stakeholders
• percentage of organizational units, lines of business, projects, and activities using
vulnerability data to assess the performance of operational resilience manage-
ment processes
• number of risks resulting from unsatisfied process requirements, designated as
high, medium, or low, or some other organizational risk ranking method
• number of scope changes to process activities by time interval
• number of process risks referred to the risk management process; number of risks
where corrective action is still pending (by risk rank)
• level of adherence to process policies; number of policy violations; number of
policy exceptions requested and number approved
• number of process activities that are on track per plan
• rate of change of resource needs to support the process
• rate of change of costs to support the process
938 PART THREE CERT-RMM PROCESS AREAS
Vulnerability Analysis and Resolution 939
4. Identify and evaluate the effects of significant deviations from the plan for
performing the process.
Elaboration:
Discrepancies in the vulnerability repository may result when assets are acquired,
modified, or retired but not reflected accurately in the asset inventory. To the
extent that Vulnerability Analysis and Resolution process area activities result in
inventory discrepancies, the organization’s overall ability to manage the opera-
tional resilience of high-value assets subject to vulnerability analysis and resolu-
tion is impeded.
5. Identify problems in the plan for performing and executing the process.
6. Take corrective action when requirements and objectives are not being satisfied,
when issues are identified, or when progress differs significantly from the plan
for performing the process.
7. Track cor re ctive ac tion to closure.
VAR:GG2.GP9 OBJECTIVELY EVALUATE ADHERENCE
Objectively evaluate adherence of the vulnerability analysis and resolution process against
its process description, standards, and procedures, and address non-compliance.
Elaboration:
These are examples of work products to be reviewed:
• process plan and policies
• process scope and strategy, as well as strategies for managing specific vulnerabilities
• vulnerabilities that have been referred to the risk management process
• vulnerability data identification, analysis, recording, storage, remediation, monitor-
ing, communication, protection, and distribution methods, techniques, and tools
• metrics for the process (Refer to VAR:GG2.GP8 subpractice 2.)
• contracts with external entities
These are examples of activities to be reviewed:
• the alignment of stakeholder requirements and needs with the process scope,
strategy, plans, and management strategies for specific vulnerabilities
• assignment of responsibility, accountability, and authority for process activities
• determining the adequacy of process reports and reviews in informing decision
makers regarding the performance of operational resilience management activi-
ties and the need to take corrective action, if any
• verification of data confidentiality, integrity, and availability controls
• use of process data for improving strategies for protecting and sustaining assets
and services
VAR
940 PART THREE CERT-RMM PROCESS AREAS
VAR:GG2.GP10 REVIEW STATUS WITH HIGHER-LEVEL MANAGERS
Review the activities, status, and results of the vulnerability analysis and resolution process
with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship
and oversight to the operational resilience management system.
VAR:GG3 INSTITUTIONALIZE A DEFINED PROCESS
Vulnerability analysis and resolution is institutionalized as a defined process.
VAR:GG3.GP1 ESTABLISH A DEFINED PROCESS
Establish and maintain the description of a defined vulnerability analysis and resolution
process.
Establishing and tailoring process assets, including standard processes, are addressed in the
Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process
assets, including standard processes, are addressed in the Organizational Process Focus
process area.
Subpractices
1. Select from the organization’s set of standard processes those processes that cover
the vulnerability analysis and resolution process and best meet the needs of the
organizational unit or line of business.
2. Establish the defined process by tailoring the selected processes according to the
organization’s tailoring guidelines.
3. Ensure that the organization’s process objectives are appropriately addressed in
the defined process, and ensure that process governance extends to the tailored
processes.
4. Document the defined process and the records of the tailoring.
5. Revise the description of the defined process as necessary.
VAR:GG3.GP2 COLLECT IMPROVEMENT INFORMATION
Collect vulnerability analysis and resolution work products, measures, measurement
results, and improvement information derived from planning and performing the
process to support future use and improvement of the organization’s processes and
process assets.
Vulnerability Analysis and Resolution 941
Elaboration:
Establishing the measurement repository and process asset library is addressed in the
Organizational Process Definition process area. Updating the measurement repository and
process asset library as part of process improvement and deployment is addressed in the
Organizational Process Focus process area.
Subpractices
1. Store process and work product measures in the organization’s measurement
repository.
2. Submit documentation for inclusion in the organization’s process asset library.
3. Document lessons learned from the process for inclusion in the organization’s
process asset library.
4. Propose improvements to the organizational process assets.
These are examples of improvement work products and information:
• changes in operating conditions, risk conditions, and the risk environment that
affect process results
• metrics and measurements of the viability of the process (Refer to VAR:GG2.GP8
subpractice 2.)
• lessons learned in post-event review of incidents and disruptions in continuity
• lessons learned that can be applied to improve operational resilience manage-
ment performance
• the currency status of vulnerability data
• the confidentiality, integrity, and availability status of vulnerability data based on
integrity and security tests
• reports on the effectiveness and weaknesses of controls
• process action plans and strategies that are not being satisfied and the risks
associated with them
• resilience requirements that are not being satisfied or are being exceeded
VAR
This page intentionally left blank
PART FOUR
The Appendices
This page intentionally left blank
APPENDIX A
GENERIC GOALS AND PRACTICES
This appendix describes the generic goals and practices that the organization
deploys to attain successively improving degrees of process institutionalization
and capability maturity for operational resilience management. These practices
exhibit the organization’s commitment and ability to perform operational
resilience management processes, as well as its ability to measure performance
and verify implementation.
GG1 ACHIEVE SPECIFIC GOALS
The operational resilience management system supports and enables achievement of the
specific goals of the process area by transforming identifiable input work products to
produce identifiable output work products.
GG1.GP1 PERFORM SPECIFIC PRACTICES
Perform the specific practices of the process area to develop work products and provide
services to achieve the specific goals of the process area.
This practice requires the organization to perform the practices, produce the
work products, and deliver the services that are contained in the process defini-
tion for a process area. The organization may perform these practices in an
improvised or reactive manner, and there may not be any process definition to
support the performance of the practices. The degree to which the performance
of practices is formalized varies from organization to organization and may be
inconsistent within an organization. The success of achieving the work products
and delivering the service of the practices may be directly related to the staff
involved in the process.
GG2 INSTITUTIONALIZE A MANAGED PROCESS
The process is institutionalized as a managed process.
945
946 PART FOUR THE APPENDICES
GG2.GP1 ESTABLISH PROCESS GOVERNANCE
Establish and maintain governance over the planning and performance of the process.
This practice establishes the foundation for higher-level managers’ responsibility
for overseeing, directing, and guiding the operational resilience management
system. Higher-level managers set expectations for managing operational resilience
in this practice and communicate these expectations to those who are responsible
as appropriate. Regular reviews of operational resilience activities are performed
and reported to higher-level managers for interpretation. Higher-level managers
make recommendations where gaps are perceived in process performance.
The behavioral expectations of higher-level managers are instantiated in orga-
nizational policies that address operational resilience management, as well as in
expectations for planning and performing operational resilience processes.
Higher-level managers are also responsible for ensuring appropriate levels of
compliance with legal, regulatory, contractual, and government obligations.
Refer to the Enterprise Focus process area for more information about providing sponsorship
of and oversight to the operational resilience management system.
Subpractices
1. Establish governance over process activities.
The organization’s governance activity is expanded to include oversight over the
activities and processes that the organization uses to manage operational resilience
and to perform the process.
2. Develop and publish organizational policy for the process.
Establish the organizational expectations for planning and performing the process,
and communicate these expectations via policy. The policy should reflect higher-
level managers’ objectives for the process.
GG2.GP2 PLAN THE PROCESS
Establish and maintain the plan for performing the process.
In this practice, the organization determines what is needed to perform the
process and to achieve the established objectives, to prepare a plan for performing
the process, to prepare a process description, and to get agreement on the plan
from relevant stakeholders. In some cases, this generic practice may be applied to
a planning process in a particular process area; in that case, this generic practice
sets an expectation that the planning process itself needs to be planned.
Establishing a plan includes documenting the plan and providing a process
description, as well as assigning ownership of the plan with requisite authority to
carry out the plan. Maintaining the plan includes changing it as necessary to
reflect corrective actions, changes in requirements, or improvements.