Part One: About the CERT Resilience Management Model

Organizations in every sector—industry, government, and academia—face increasingly complex business and operational environments. They are constantly bombarded with conditions and events that can introduce stress and uncertainty that may disrupt the effective operation of the organization.

Stress related to managing operational resilience—the ability of the organization to achieve its mission even under degraded circumstances—can come from many sources. For example:

  • Technological advances are helping organizations to automate business processes and make them more effective at achieving their missions. But the cost to organizations is that the technology often introduces complexities, takes specialized support and resources, and creates an environment that is rife with vulnerabilities and risks.

  • Organizations increasingly depend on partnerships to achieve their mission. External partners provide essential skills and functions, with the aim of increasing productivity and reducing costs. As a result, the organization must expose itself to new risk environments. By employing a chain of partners to execute a business process, the organization cedes control of mission assurance in exchange for cost savings.

  • The increasing globalization of organizations and their supply chains poses a problem for management in that governance and oversight must cross organizational and geographical lines like never before. And it must be acknowledged that the emerging worldwide sociopolitical environment is forcing organizations to consider threats and risks that have previously not been on their radar screens. Recent well-publicized events have changed the view of what is feasible and have expanded the range of outcomes that an organization must attempt to prevent and from which it must be prepared to recover.

All of these new demands conspire to force organizations to rethink how they perform operational risk management and how they address the resilience of high-value business services and processes. The traditional, and typically compartmentalized, disciplines of security, business continuity, and information technology (IT) operations must be expanded to provide protection and continuity strategies for high-value services and supporting assets that are commensurate with these new operating complexities.

In addition, organizations lack a reliable means to answer the question, “How resilient am I?” They also lack the ability to assess and measure their capability for managing operational resilience (“Am I resilient enough?”) as they have no credible yardstick against which to measure. Typically, capability is measured by the way that an organization has performed during an event or is described in vague terms that cannot be measured. For example, when organizations are asked to describe how well they are managing resilience, they typically characterize success in terms of what hasn’t happened: “We haven’t been attacked, so we must be doing everything right.” Because there will always be new and emerging threats, knowing how well the organization performs today is necessary but not sufficient; it is more important to be able to predict how it will perform in the future when the risk environment changes.

CERT recognizes that organizations face challenges in managing operational resilience in complex environments. The solution to addressing these challenges must have several dimensions. First and foremost, it must consider that the management activities for security, business continuity, and IT operations—typical operational risk management activities—are converging toward a continuum of practices that are focused on managing operational resilience. Second, the solution must address the issues of measurement and metrics, providing a reliable and objective means for assessing capability and a basis for improving processes. And finally, the solution must help organizations improve deficient processes—to reliably close gaps that ultimately translate into weaknesses that diminish operational resilience and impact an organization’s ability to achieve its strategic objectives.

As a process improvement model, the CERT Resilience Management Model seeks to allow organizations to use a process definition as a benchmark for identifying the current level of organizational capability, setting an appropriate and attainable desired target for performance, measuring the gap between current performance and targeted performance, and developing action plans to close the gap. By using the model’s process definition as a foundation, the organization can obtain an objective characterization of performance not only against a base set of functional practices but also against practices that indicate successively increasing levels of capability.

Do You Need CERT-RMM?

The use of models for process improvement is common throughout the world. Models for improving manufacturing processes are typically the most recognizable, but models such as CMMI are widely adopted across a range of industries.

All organizations have some type of operational element—they may produce software or cars or deliver consulting services, but they all share the need to carry out functions that directly and indirectly support their mission on a daily basis. Regardless of what is being produced or what service is being delivered, managing operations that are critical for day-to-day and long-term success is what many people in organizations are charged to do. What makes this so challenging?

Do You Have These Common Problems?

Many organizations accept that with operations comes operational risk. They see it as an unpleasant by-product of doing business, and perhaps as something they can’t do anything about. But according to Towers Perrin, operational risk has been identified as the most important category of risk facing executives today [van Opstal 2007].

For security and continuity professionals, operational risk is our playing field. Much of what we do on a daily basis is directly focused on avoiding or mitigating operational risk even though the tasks we perform might not appear at first glance to be risk management activities.

How Does CERT-RMM Help You Solve These Problems and Benefit Your Organization?

While the intention of developing CERT-RMM was initially to produce a model in the likeness of CMMI that could be used for model-based process improvement, there is a broad range of uses for the model that address many of the challenges listed above.

CERT-RMM helps you manage your way through changing risk conditions by focusing on stabilizing operational resilience processes and meeting resilience objectives. It uses a process orientation as a way to “glue together” people, procedures and methods, and tools, equipment, and technology—all important elements in managing operational resilience. And CERT-RMM’s focus on continuous process improvement supports an organizational reality: operational resilience is never achieved—it must be continually managed.
