Description

Book Synopsis
The authors are senior technical staff members within the CERT Program of the Software Engineering Institute (SEI). Richard A. Caralli, Resilient Enterprise Management technical manager, develops and delivers methods, tools, and techniques for enterprise security and resilience management. He has led the development of CERT-RMM. Julia H. Allen conducts research in operational resilience, software security and assurance, and measurement and analysis. She served as the SEI's Acting Director and Deputy Director/COO and authored The CERT Guide to System and Network Security Practices (Addison-Wesley, 2001). David W. White, a core member of the CERT-RMM development team, develops CERT-RMM and related products and helps organizations apply them.

Table of Contents

List of Figures xi

List of Tables xiii

Preface xv

Acknowledgments xxi

Part One: About the CERT Resilience Management Model 1

Chapter 1: Introduction 7

1.1 The Influence of Process Improvement and Capability Maturity Models 8

1.2 The Evolution of CERT-RMM 10

1.3 CERT-RMM and CMMI Models 15

1.4 Why CERT-RMM Is Not a Capability Maturity Model 18

Chapter 2: Understanding Key Concepts in CERT-RMM 21

2.1 Foundational Concepts 21

2.2 Elements of Operational Resilience Management 27

2.3 Adapting CERT-RMM Terminology and Concepts 39

Chapter 3: Model Components 41

3.1 The Process Areas and Their Categories 41

3.2 Process Area Component Categories 42

3.3 Process Area Component Descriptions 44

3.4 Numbering Scheme 47

3.5 Typographical and Structural Conventions 49

Chapter 4: Model Relationships 53

4.1 The Model View 54

4.2 Objective Views for Assets 59

Part Two: Process Institutionalization and Improvement 65

Chapter 5: Institutionalizing Operational Resilience Management Processes 67

5.1 Overview 67

5.2 Understanding Capability Levels 68

5.3 Connecting Capability Levels to Process Institutionalization 69

5.4 CERT-RMM Generic Goals and Practices 73

5.5 Applying Generic Practices 74

5.6 Process Areas That Support Generic Practices 74

Chapter 6: Using CERT-RMM 77

6.1 Examples of CERT-RMM Uses 78

6.2 Focusing CERT-RMM on Model-Based Process Improvement 80

6.3 Setting and Communicating Objectives Using CERT-RMM 83

6.4 Diagnosing Based on CERT-RMM 92

6.5 Planning CERT-RMM-Based Improvements 95

Chapter 7: CERT-RMM Perspectives 99

Using CERT-RMM in the Utility Sector, by Darren Highfill and James Stevens 99

Addressing Resilience as a Key Aspect of Software Assurance Throughout the Software Life Cycle, by Julia Allen and Michele Moss 104

Raising the Bar on Business Resilience, by Nader Mehravari, PhD 110

Measuring Operational Resilience Using CERT-RMM, by Julia Allen and Noopur Davis 115

Part Three: CERT-RMM Process Areas 119

Asset Definition and Management 121

Access Management 149

Communications 175

Compliance 209

Controls Management 241

Environmental Control 271

Enterprise Focus 307

External Dependencies Management 341

Financial Resource Management 381

Human Resource Management 411

Identity Management 447

Incident Management and Control 473

Knowledge and Information Management 513

Measurement and Analysis 551

Monitoring 577

Organizational Process Definition 607

Organizational Process Focus 629

Organizational Training and Awareness 653

People Management 685

Risk Management 717

Resilience Requirements Development 747

Resilience Requirements Management 771

Resilient Technical Solution Engineering 793

Service Continuity 831

Technology Management 869

Vulnerability Analysis and Resolution 915

Part Four: The Appendices 943

Appendix A: Generic Goals and Practices 945

Appendix B: Targeted Improvement Roadmaps 957

Appendix C: Glossary of Terms 965

Appendix D: Acronyms and Initialisms 989

Appendix E: References 993

Book Contributors 997

Index 1001



CERT Resilience Management Model CERTRMM


    A Paperback / softback by Richard Caralli, Julia Allen, David White



      Publisher: Pearson Education (US)
      Publication Date: 19/02/2016
      ISBN13: 9780134545066, 978-0134545066
      ISBN10: 0134545060
