CERT Resilience Management Model (CERT-RMM): A Maturity Model for Managing Operational Resilience, 1st edition

Published by Addison-Wesley Professional (January 24, 2016) © 2011

  • Richard A. Caralli
  • Julia H. Allen
  • David W. White
Products list
$67.99

Price Reduced From: $84.99

Details

  • A print text
  • Free shipping
  • Also available for purchase as an ebook from all major ebook resellers, including InformIT.com

This product is expected to ship within 3-6 business days for US and 5-10 business days for Canadian customers.

CERT® Resilience Management Model (CERT-RMM) is an innovative and transformative way to manage operational resilience in complex, risk-evolving environments. CERT-RMM distills years of research into best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these best practices into a unified, capability-focused maturity model that encompasses security, business continuity, and IT operations. By using CERT-RMM, organizations can escape silo-driven approaches to managing operational risk and align to achieve strategic resilience management goals.

This book both introduces CERT-RMM and presents the model in its entirety. It begins with essential background for all professionals, whether they have previously used process improvement models or not. Next, it explains CERT-RMM’s Generic Goals and Practices and discusses various approaches for using the model. Short essays by a number of contributors illustrate how CERT-RMM can be applied for different purposes or can be used to improve an existing program. Finally, the book provides a complete baseline understanding of all 26 process areas included in CERT-RMM.

List of Figures xi

List of Tables xiii

Preface xv

Acknowledgments xxi

 

Part One: About the Cert Resilience Management Model 1

 

Chapter 1: Introduction 7

1.1 The Influence of Process Improvement and Capability Maturity Models 8

1.2 The Evolution of CERT-RMM 10

1.3 CERT-RMM and CMMI Models 15

1.4 Why CERT-RMM Is Not a Capability Maturity Model 18

 

Chapter 2: Understanding Key Concepts in CERT-RMM 21

2.1 Foundational Concepts 21

2.2 Elements of Operational Resilience Management 27

2.3 Adapting CERT-RMM Terminology and Concepts 39

 

Chapter 3: Model Components 41

3.1 The Process Areas and Their Categories 41

3.2 Process Area Component Categories 42

3.3 Process Area Component Descriptions 44

3.4 Numbering Scheme 47

3.5 Typographical and Structural Conventions 49

 

Chapter 4: Model Relationships 53

4.1 The Model View 54

4.2 Objective Views for Assets 59

 

Part Two: Process Institutionalization and Improvement 65

 

Chapter 5: Institutionalizing Operational Resilience Management Processes 67

5.1 Overview 67

5.2 Understanding Capability Levels 68

5.3 Connecting Capability Levels to Process Institutionalization 69

5.4 CERT-RMM Generic Goals and Practices 73

5.5 Applying Generic Practices 74

5.6 Process Areas That Support Generic Practices 74

 

Chapter 6: Using CERT-RMM 77

6.1 Examples of CERT-RMM Uses 78

6.2 Focusing CERT-RMM on Model-Based Process Improvement 80

6.3 Setting and Communicating Objectives Using CERT-RMM 83

6.4 Diagnosing Based on CERT-RMM 92

6.5 Planning CERT-RMM—Based Improvements 95

 

Chapter 7: CERT-RMM Perspectives 99

Using CERT-RMM in the Utility Sector, by Darren Highfill and James Stevens 99

Addressing Resilience as a Key Aspect of Software Assurance Throughout the Software Life Cycle, by Julia Allen and Michele Moss 104

Raising the Bar on Business Resilience, by Nader Mehravari, PhD 110

Measuring Operational Resilience Using CERT-RMM, by Julia Allen and Noopur Davis 115

 

Part Three: CERT-RMM Process Areas 119

 

Asset Definition and Management 121

Access Management 149

Communications 175

Compliance 209

Controls Management 241

Environmental Control 271

Enterprise Focus 307

External Dependencies Management 341

Financial Resource Management 381

Human Resource Management 411

Identity Management 447

Incident Management and Control 473

Knowledge and Information Management 513

Measurement and Analysis 551

Monitoring 577

Organizational Process Definition 607

Organizational Process Focus 629

Organizational Training and Awareness 653

People Management 685

Risk Management 717

Resilience Requirements Development 747

Resilience Requirements Management 771

Resilient Technical Solution Engineering 793

Service Continuity 831

Technology Management 869

Vulnerability Analysis and Resolution 915

 

Part Four: The Appendices 943

 

Appendix A: Generic Goals and Practices 945

Appendix B: Targeted Improvement Roadmaps 957

Appendix C: Glossary of Terms 965

Appendix D: Acronyms and Initialisms 989

Appendix E: References 993

 

Book Contributors 997

 

Index 1001



Need help? Get in touch