CERT Resilience Management Model Overview - Usalearning.gov

Transcription

CERT Resilience Management Model Overview

Table of Contents

CERT-RMM ... 2
Operational Lifecycle Context ... 4
CERT-RMM Organizational Context - 1 ... 5
CERT-RMM Organizational Context - 2 ... 6
CERT-RMM at a glance ... 7
Notices ... 8

Page 1 of 8

CERT-RMM

A capability model for managing and improving operational resilience
Guides implementation and management of operational resilience activities
Converges security, BC/DR, and IT operations activities
Defines maturity through capability levels (like CMMI)
Improves confidence in how an organization manages and responds to operational stress
Reaches back to inform security and continuity as development requirements

"... an extensive super-set of the things an organization could do to be more resilient." - CERT-RMM adopter

46

**046 Instructor: So, this is a capability model that helps you maintain resilience in your enterprise. Recall, when we talked about the idea of knowing your uncertainties-- and this is a chicken and egg principle. If I understand risk, I can make myself have a more resilient enterprise. That is, when that cold dark day comes, I can recover and keep my operation going so that way the organization isn't brought to its knees, and hopefully it can withstand any given incident.

RMM helps you do that. It helps guide you through how you would manage these activities related to planning for resilience, how you're going to actually implement it. And following even incidents, there are some business continuity disaster recovery elements to it. And it all circles around an IT operations context. It also helps you measure the maturity that you may have within that process. You can also understand how confident you would be at meeting any given stress that is provided to the enterprise, and it helps you reach back and keep the organization more informed about what you're doing about continuity in the enterprise.

Now, RMM is big. There's a lot to it. So, I'd like to pause here to note that you shouldn't feel compelled to ingest all of the Resilience Management Model, all of RMM, and feel like you have to do it all at once. As a matter of fact, we're going to talk a little bit about this here in the future, but what I would like to know is if you were to go and Google RMM and find it at the SEI website, you can download the textbook. And it is massive.

Operational Lifecycle Context

Operational Lifecycle
[Diagram: DEVELOPMENT and OPERATION phases of the lifecycle, with the SEI models placed along them]
CERT-RMM (secure, continuous operation)
CMMI-DEV (software development)
CMMI-ACQ (software acquisition)
CMMI-SVC (service quality)
TSP (data-driven quality approach for team management, applicable to projects throughout lifecycle)

47

**047 That said, I don't want you to be overwhelmed. Rather, what I want you to do is understand the basis of where it came from and the elements that might help you best. This slide kind of helps you with that idea. It looks at the idea of the existing assets that the SEI has published in the past, especially around the capability and maturity models, and it will actually help you understand, too, that RMM rests upon the principles and ideas that came out of all those great products with the goal of having a more secure enterprise that can maintain operations despite that darkest day taking place. And you're going to go through this process again and again. With any given asset that you have, you're going to plan to have it. You're going to design, develop it. You're going to actually bring it in the enterprise and ingest it and start using it. You're going to deploy it in the enterprise. And then your longest phase right there may be to operate it. And then eventually you're going to retire it. And you're going to have to understand how you're going to do all that within the context of having it in terms of if a risk were to come to fruition.

CERT-RMM Organizational Context - 1

CERT-RMM Organizational Context
[Diagram: Service, Mission, Assets in Production: people, information, technology, facilities]

Four asset types
People – the human capital of the organization
Information – data, records, knowledge in physical or digital form
Technology – software, systems, hardware, network
Facilities – offices, data centers, labs – the physical places

48

**048 RMM does a really good job at categorizing assets in your business. Asset management is key to good risk management. There are four types of assets. There are people, information, technology, and facilities. It's interesting to note here, too, that you could also think about each of those elements in a third party context. So, don't forget just about the assets that you have in your enterprise. You want to also think about the service providers that you may have that serve as critical assets to your organization as well.

CERT-RMM Organizational Context - 2

CERT-RMM Organizational Context
[Diagram: Operational Resilience Management System; Protect and Sustain activities around each asset type (tech, facilities, ...); CERT-RMM focuses here]

49

**049 Furthermore, what you want to do is focus on each of those asset types, understand how they are critical to the enterprise, what critical services they are delivering, understand the risk related to it and what you are going to specifically do to make sure that those assets are protected. So, that way, when that risk comes to light, you could still be resilient and keep your organization operating.

CERT-RMM at a glance

26 Process Areas in 4 categories

Engineering
ADM Asset Definition and Management
CTRL Controls Management
RRD Resilience Requirements Development
RRM Resilience Requirements Management
RTSE Resilient Technical Solution Engineering
SC Service Continuity

Operations
AM Access Management
EC Environmental Control
EXD External Dependencies Management
ID Identity Management
IMC Incident Management and Control
KIM Knowledge and Information Management
PM People Management
TM Technology Management
VAR Vulnerability Analysis and Resolution

Enterprise Management
COMM Communications
COMP Compliance
EF Enterprise Focus
FRM Financial Resource Management
HRM Human Resource Management
OTA Organizational Training and Awareness
RISK Risk Management

Process Management
MA Measurement and Analysis
MON Monitoring
OPD Organizational Process Definition
OPF Organizational Process Focus

50

**050 RMM does this in a very interesting way. It breaks down into 26 process areas under four different categories. Now, here's where you can get slightly overwhelmed. Each of these process areas within the textbook, or within the training, however you ingest RMM, you're going to find out that there's a lot to each given step. You're going to have to actually sit down and reflect upon what your enterprise needs most first. Maybe you need to characterize what your operations are first because that's what you're doing to actually physically get the product out the door. So, categorically, you start there. And maybe only pick several process areas. So, that way, you can make yourself better at maybe identity management or maybe your environmental controls. Maybe access is an issue for you, maybe how you actually manage your assets or your people. So, you focus there first, and then you would branch out and start thinking about the other process areas within those categories that may need some focus so that way you can make your enterprise, over time, far more resilient.

Notices
