Jim Cebula, Technical Manager - Cyber Risk Management, CERT

Transcription

Overview of the CERT Resilience Management Model (CERT-RMM)
Jim Cebula, Technical Manager - Cyber Risk Management, CERT Division

Jim Cebula is the Technical Manager of the Cyber Risk Management team in the Cyber Security Solutions Directorate of the CERT Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. Cebula’s current activities include risk management methods along with assessment and management of operational resilience among Federal departments and agencies as well as critical infrastructure and key resource (CIKR) providers. He is the co-author of the Taxonomy of Operational Cyber Security Risks, and has instructed courses in the OCTAVE method. He is also currently a co-PI on a research initiative studying perceptions of risk. He joined CERT in 2009 after spending nearly fifteen years in project management, IT and security roles supporting government agencies, most recently as a cyber security manager.

CERT Operational Resilience: Manage, Protect, and Sustain
Twitter #CERTopRES
2013 Carnegie Mellon University

Report Documentation Page (Standard Form 298, Rev. 8-98)
Report date: 23 JAN 2014. Dates covered: 00-00-2014 to 00-00-2014.
Title: Overview of the CERT Resilience Management Model (CERT-RMM)
Performing organization: Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA, 15213
Distribution/availability statement: Approved for public release; distribution unlimited
Security classification (report, abstract, this page): unclassified. Limitation of abstract: Same as Report (SAR). Number of pages: 55.

Contents
- Background and History
- Foundational Elements of the Model
- Organization of the Model
- Using the Model
- Summary

Background & History

CERT Resilience Management Model
http://www.cert.org/resilience/
“an extensive super-set of the things an organization could do to be more resilient.” — CERT-RMM adopter

What is CERT-RMM?
- Guides implementation and management of operational resilience activities
- Enables and promotes the convergence of:
  - Business Continuity, COOP, IT disaster recovery
  - Information security, cybersecurity
  - IT operations
- Applicable to a variety of organizations: small or large, simple or complex, public or private

How was CERT-RMM developed?
Inputs to CERT-RMM (diagram):
- Collaboration with high maturity organizations
- 20 years of security mgmt knowledge at CERT
- DR and BC knowledge of financial industry
- 800 practices for security, BC, DR, & IT ops
- Process improvement architecture & experience
- Piloting in private and government organizations
CERT-RMM codifies best practices for info. sec., IT DR, and BC from world leading organizations and numerous standards and codes of practice.

What drove development of CERT-RMM?
- Increasingly complex operational environments
- Siloed nature of operational risk activities
- Lack of common language or taxonomy
- Overreliance on technical approaches
- Lack of means to measure organizational capability
- Inability to confidently predict outcomes, behaviors, and performance under times of stress

CERT-RMM – The Model
Guidelines and practices for:
- converging security, business continuity, disaster recovery, and IT ops
- implementing, managing, and sustaining operational resilience activities
- managing operational risk through process
- measuring and institutionalizing the resilience process
Common vernacular and basis for planning, communicating, and evaluating improvements
Focuses on “what,” not “how”
Organized into 26 process areas

CERT-RMM Process Areas
- Access Management
- Asset Definition and Management
- Communications
- Compliance
- Controls Management
- Enterprise Focus
- Environmental Control
- External Dependencies
- Financial Resource Management
- Human Resource Management
- Identity Management
- Incident Management & Control
- Knowledge & Information Mgmt.
- Measurement and Analysis
- Monitoring
- Organizational Process Focus
- Organizational Process Definition
- Organizational Training & Awareness
- People Management
- Resiliency Requirements Development
- Resiliency Requirements Management
- Resilient Technical Solution Engr.
- Risk Management
- Service Continuity
- Technology Management
- Vulnerability Analysis & Resolution

Foundational Elements of CERT-RMM

Foundational Elements of CERT-RMM
- Operational Resilience
- Risk Management / Operational Risk Management
- Convergence
- Organizational Construct for Resilience Activities
- Capability Dimension / Process Institutionalization
- Code of Practice Crosswalk

Risk (diagram)
RISK
1. An event or condition
2. A consequence or impact from the condition
3. An uncertainty
Definitions of risk: the possibility of suffering a harmful event; exposure to the chance of injury or loss; the possibility of suffering harm or loss; a source of danger.
RISK Management
- Identify
- Characterize
- Assess
- Prioritize
- Mitigate (Reduce, Avoid, Accept, Share)
- Monitor
- Etc.

Operational Risk Management
- A form of risk affecting day-to-day business operations
- A very broad risk category, from high-frequency, low-impact to low-frequency, high-impact
- Diagram: Operational Risk Management shown within Enterprise Risk Management (ERM)
Types of Operational Risks:
- actions of people
- systems and technology failures
- failed internal processes
- external events
Operational resilience emerges from effective management of operational risk.

Hurdles to Effective Operational Risk & Resilience Mgmt.
- Vague and abstract nature
- Compartmentalization
- Technology focus
- Practice proliferation
- Insufficient funding
- Insufficient success metrics
- Discrete nature of activity
- (Over)reliance on people
- Regulatory climate
- Head-in-the-sand

Cornerstones & Foundational Elements of CERT-RMM
- Operational Resilience
- Operational Risk Management
- Convergence
- Organizational Construct for Resilience Activities
- Protection and Sustainment Activities
- Institutionalization
- Lifecycle View
- Code of Practice Crosswalk

Convergence
- A fundamental concept in managing operational resilience
- Refers to the harmonization of operational risk management activities that have similar objectives and outcomes
- Operational risk management activities include (but are not limited to):
  - security planning and management
  - business continuity and disaster recovery
  - IT operations and service delivery management
- Other support activities may also be involved: communications, financial management, etc.

Convergence (diagram)
Organization’s Mission, supported by layers of Enterprise Risk Management, Operational Risk Management, and Operational Resilience.
Convergence directly affects the level of operational resilience.

Benefits of Convergence and Integration
- Similar activities are bound by the same risk drivers
- Allows for better alignment between risk-based activities and organizational risk tolerances and appetite
- Eliminates redundant activities (and associated costs)
- Forces collaboration between activities that have similar objectives
- Enforces a mission focus
- Facilitates a process that is owned across the organization
- Influences how operational risk and resilience management work is planned, executed, and managed

Desired Integrated Approach (diagram)
Activities shown: Continuity of Operation (COOP), Crisis Management, Contingency Planning, Business Continuity, IT Operations, Information Security, IT Disaster Recovery, Preparedness Planning, Cyber Protection, Supply Chain Continuity, Risk Management, Operational Continuity, Crisis Communications, Enterprise Risk Management.

Desired Integrated Approach (diagram)
Separate CM, DR, BC, and InfoSec activities brought together through Convergence.

Enemies of Convergence
- Organizational structures
- Traditional funding models
- Overuse and misuse of codes of practice
- Unclear or poorly defined and communicated risk drivers
- Unclear or poorly defined enterprise objectives, strategic objectives, and critical success factors
- Lack of supporting process orientation and definition
- Lack of sponsorship and governance for the process
- Lack of a risk-aware culture


Organizational Context for Resilience Activities (diagram)
Diagram labels: Service or Product; Productive Activity; Management Systems; Realized operational risk resulting in asset disruption; CERT-RMM applies here.
Examples: Disaster Recovery Planning, Business Continuity Planning, COOP, Risk Management, Information Security, Crisis Management, Emergency Management, Pandemic Planning, Supply Chain Continuity, etc.


Operational Resilience Starts at the Asset Level (diagram)
Asset
- Protect: Manage Conditions of Risk. Keep assets from exposure to disruption (e.g., fault-tolerant & high-availability designs; preparedness; information security).
- Sustain: Manage Consequences of Risk. Keep assets productive during adversity (e.g., disaster recovery, business continuity, pandemic planning, crisis management, COOP).
- Event / Detect


What do these organizations have in common? (diagram)
Chain of Command, Unit Cohesion, Regulations, Customer Happiness, Strong Culture, Customer Service, Tradition, Protection

CERT-RMM Combines Two Approaches
- Process Dimension: Operational Resilience Management System. What to do. Comprehensive non-prescriptive guidance on what to do to manage operational resilience.
- Capability Dimension: Process Institutionalization and Improvement. Making it stick. Proven guidance for institutionalizing processes so that they persist over time.

Institutionalizing a Culture of Resilience
Organizations must provide explicit guidance for institutionalizing resilience activities so that they persist over time.
Ask not “how well am I performing today?”
Ask “do I have what it takes to sustain high performance beyond today?”


Lifecycle View (diagram)
Phases: Plan; Design / Develop / Acquire; Deploy; Operate; Retire. Resilience Engineering and Protection and Sustainment Activities are shown across these phases.
To improve and sustain an entity’s operational resilience, it is not sufficient to improve only protection and sustainment activities.
Resilience should not be an afterthought bolt-on. Resilience should be engineered and built in.
Resilience Management is a Total Lifecycle Concept.


Code of Practice Crosswalk
Links CERT-RMM practices to commonly used codes of practice and standards, including:
- ANSI/ASIS SPC.1-2009
- BS25999
- COBIT 4.1
- COSO ERM Framework
- CMMI
- FFIEC BCP Handbook
- ISO 20000-2
- ISO/IEC 24762
- ISO/IEC 27005
- ISO/IEC 31000
- NFPA 1600
- PCI DSS
- etc.

CERT-RMM Code of Practice Crosswalk
Extensive tabular crosswalk between CERT-RMM’s 26 process areas and 251 specific practices and key industry standards.


Organization of the Model

Process Area Structure & Components (diagram)
Each Process Area (PA) contains: process area icon and name; Specific Goals (SG); Generic Goals (GG); Introductory Notes; Related Process Areas; Summary of Goals & Practices; Specific Practices; Sub-practices; Typical Work Products; Amplifications; Elaborations; Examples; References; Notes. A color key distinguishes Expected Components from Informative Components.

Annotations on the diagram:
- Specific Goal (SG): describes “what” to do to achieve the capability.
- Generic Goal (GG): describes the characteristics that must be present to institutionalize the processes that implement a PA.
- Practices support goal achievement.
- Sub-practices: a suggested way to ...
- Activities that ensure the processes associated with the PA will be effective, ...

Example: Service Continuity Process Area
(Service Continuity highlighted within the list of 26 process areas given above)


Example: Service Continuity Process Area
SC:SG1 Prepare for Service Continuity
- SC:SG1.SP1 Plan for Service Continuity
- SC:SG1.SP2 Establish Standards and Guidelines for Service Continuity
SC:SG2 Identify and Prioritize High-Value Services
- SC:SG2.SP1 Identify the Organization’s High-Value Services
- SC:SG2.SP2 Identify Internal and External Dependencies and Interdependencies
- SC:SG2.SP3 Identify Vital Organizational Records and Databases
SC:SG3 Develop Service Continuity Plans
- SC:SG3.SP1 Identify Plans to Be Developed
- SC:SG3.SP2 Develop and Document Service Continuity Plans
- SC:SG3.SP3 Assign Staff to Service Continuity Plans
- SC:SG3.SP4 Store and Secure Service Continuity Plans
- SC:SG3.SP5 Develop Service Continuity Plan Training
SC:SG4 Validate Service Continuity Plans
- SC:SG4.SP1 Validate Plans to Requirements and Standards
- SC:SG4.SP2 Identify and Resolve Plan Conflicts

Example: Service Continuity Process Area
SC:SG2.SP1 Identify the Organization’s High-Value Services
The high-value services of the organization and their associated assets are identified.

Using the Model

Using CERT-RMM for ...


The following slides each show the list of 26 process areas (given above) for the use case named:
- For FISMA Compliance
- For Managing Cloud Computing
- For Managing the Insider Threat Challenge
- For Managing Disaster Recovery, COOP, and Business Continuity Policies

Summary

Distinguishing Features of CERT-RMM
- Converges key operational risk management activities: security, BC/DR, and IT operations
- Guides implementation and management of operational resilience activities
- Descriptive rather than prescriptive: focuses on the “what,” not the “how”
- Provides an organizing convention for effective selection and deployment of codes of practice and standards
- Guides improvement in areas where an organization’s capability does not equal its desired state

Distinguishing Features of CERT-RMM (Cont.)
- Improves confidence in how an organization responds in times of operational stress
- Provides a baseline from which to perform an appraisal
- Enables measurements of effectiveness
- Is a process improvement model
- Enables institutionalization
- Is not a proprietary model

Variety of Ways to Use CERT-RMM
- Starting point for socializing important harmonization and convergence principles across security, business continuity, and IT operations activities
- Reference model for understanding the scope of managing operational resilience
- Process improvement model to catalyze a process improvement effort
- Baseline from which to perform an appraisal of an organization’s capability
- Guide for improvement in areas where an organization’s capability does not equal its desired state
- Organizing construct for codes of practice
- Taxonomy

Notices
Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

CERT is a registered mark of Carnegie Mellon University.
DM-0000904

Introduction to the CERT Resilience Management Model (course)
February 18 - 20, 2014 (SEI, Arlington, VA)
June 17 - 19, 2014 (SEI, Pittsburgh, PA)
