CERT(R) Resilience Management Model (CERT-RMM) is an innovative and transformative way to manage operational resilience in complex, risk-evolving environments. CERT-RMM distills years of research into best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these best practices into a unified, capability-focused maturity model that encompasses security, business continuity, and IT operations. By using CERT-RMM, organizations can escape silo-driven approaches to managing operational risk and align to achieve strategic…mehr
CERT(R) Resilience Management Model (CERT-RMM) is an innovative and transformative way to manage operational resilience in complex, risk-evolving environments. CERT-RMM distills years of research into best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these best practices into a unified, capability-focused maturity model that encompasses security, business continuity, and IT operations. By using CERT-RMM, organizations can escape silo-driven approaches to managing operational risk and align to achieve strategic resilience management goals. This book both introduces CERT-RMM and presents the model in its entirety. It begins with essential background for all professionals, whether they have previously used process improvement models or not. Next, it explains CERT-RMM's Generic Goals and Practices and discusses various approaches for using the model. Short essays by a number of contributors illustrate how CERT-RMM can be applied for different purposes or can be used to improve an existing program. Finally, the book provides a complete baseline understanding of all 26 process areas included in CERT-RMM. The book is divided into four parts: * Part One summarizes the value of a process improvement approach to managing resilience, explains CERT-RMM's conventions and core principles, describes the model architecturally, and shows how it supports relationships tightly linked to your objectives. * Part Two focuses on using CERT-RMM to establish a foundation for sustaining operational resilience management processes in complex environments where risks rapidly emerge and change. * Part Three details all 26 CERT-RMM process areas, from asset definition through vulnerability resolution. For each, complete descriptions of goals and practices are presented, with realistic examples. * Part Four contains appendices, including Targeted Improvement Roadmaps, a glossary, and other reference materials. This book will be valuable to anyone seeking to improve the mission assurance of high-value services, including leaders of large enterprise or organizational units, security or business continuity specialists, managers of large IT operations, and those using methodologies such as ISO 27000, COBIT, ITIL, or CMMI.
The authors are senior technical staff members within the CERT Program of the Software Engineering Institute (SEI). Richard A. Caralli, Resilient Enterprise Management technical manager, develops and delivers methods, tools, and techniques for enterprise security and resilience management. He has led the development of CERT-RMM. Julia H. Allen conducts research in operational resilience, software security and assurance, and measurement and analysis. She served as the SEI’s Acting Director and Deputy Director/COO and authored The CERT® Guide to System and Network Security Practices (Addison-Wesley, 2001). David W. White, a core member of the CERT-RMM development team, develops CERT-RMM and related products and helps organizations apply them.
Inhaltsangabe
List of Figures xi List of Tables xiii Preface xv Acknowledgments xxi
Part One: About the Cert Resilience Management Model 1
Chapter 1: Introduction 7 1.1 The Influence of Process Improvement and Capability Maturity Models 8 1.2 The Evolution of CERT-RMM 10 1.3 CERT-RMM and CMMI Models 15 1.4 Why CERT-RMM Is Not a Capability Maturity Model 18
Chapter 2: Understanding Key Concepts in CERT-RMM 21 2.1 Foundational Concepts 21 2.2 Elements of Operational Resilience Management 27 2.3 Adapting CERT-RMM Terminology and Concepts 39
Chapter 3: Model Components 41 3.1 The Process Areas and Their Categories 41 3.2 Process Area Component Categories 42 3.3 Process Area Component Descriptions 44 3.4 Numbering Scheme 47 3.5 Typographical and Structural Conventions 49
Chapter 4: Model Relationships 53 4.1 The Model View 54 4.2 Objective Views for Assets 59
Part Two: Process Institutionalization and Improvement 65
Chapter 5: Institutionalizing Operational Resilience Management Processes 67 5.1 Overview 67 5.2 Understanding Capability Levels 68 5.3 Connecting Capability Levels to Process Institutionalization 69 5.4 CERT-RMM Generic Goals and Practices 73 5.5 Applying Generic Practices 74 5.6 Process Areas That Support Generic Practices 74
Chapter 6: Using CERT-RMM 77 6.1 Examples of CERT-RMM Uses 78 6.2 Focusing CERT-RMM on Model-Based Process Improvement 80 6.3 Setting and Communicating Objectives Using CERT-RMM 83 6.4 Diagnosing Based on CERT-RMM 92 6.5 Planning CERT-RMM—Based Improvements 95
Chapter 7: CERT-RMM Perspectives 99 Using CERT-RMM in the Utility Sector, by Darren Highfill and James Stevens 99 Addressing Resilience as a Key Aspect of Software Assurance Throughout the Software Life Cycle, by Julia Allen and Michele Moss 104 Raising the Bar on Business Resilience, by Nader Mehravari, PhD 110 Measuring Operational Resilience Using CERT-RMM, by Julia Allen and Noopur Davis 115
Part Three: CERT-RMM Process Areas 119
Asset Definition and Management 121 Access Management 149 Communications 175 Compliance 209 Controls Management 241 Environmental Control 271 Enterprise Focus 307 External Dependencies Management 341 Financial Resource Management 381 Human Resource Management 411 Identity Management 447 Incident Management and Control 473 Knowledge and Information Management 513 Measurement and Analysis 551 Monitoring 577 Organizational Process Definition 607 Organizational Process Focus 629 Organizational Training and Awareness 653 People Management 685 Risk Management 717 Resilience Requirements Development 747 Resilience Requirements Management 771 Resilient Technical Solution Engineering 793 Service Continuity 831 Technology Management 869 Vulnerability Analysis and Resolution 915
Part Four: The Appendices 943
Appendix A: Generic Goals and Practices 945 Appendix B: Targeted Improvement Roadmaps 957 Appendix C: Glossary of Terms 965 Appendix D: Acronyms and Initialisms 989 Appendix E: References 993
List of Figures xi List of Tables xiii Preface xv Acknowledgments xxi
Part One: About the Cert Resilience Management Model 1
Chapter 1: Introduction 7 1.1 The Influence of Process Improvement and Capability Maturity Models 8 1.2 The Evolution of CERT-RMM 10 1.3 CERT-RMM and CMMI Models 15 1.4 Why CERT-RMM Is Not a Capability Maturity Model 18
Chapter 2: Understanding Key Concepts in CERT-RMM 21 2.1 Foundational Concepts 21 2.2 Elements of Operational Resilience Management 27 2.3 Adapting CERT-RMM Terminology and Concepts 39
Chapter 3: Model Components 41 3.1 The Process Areas and Their Categories 41 3.2 Process Area Component Categories 42 3.3 Process Area Component Descriptions 44 3.4 Numbering Scheme 47 3.5 Typographical and Structural Conventions 49
Chapter 4: Model Relationships 53 4.1 The Model View 54 4.2 Objective Views for Assets 59
Part Two: Process Institutionalization and Improvement 65
Chapter 5: Institutionalizing Operational Resilience Management Processes 67 5.1 Overview 67 5.2 Understanding Capability Levels 68 5.3 Connecting Capability Levels to Process Institutionalization 69 5.4 CERT-RMM Generic Goals and Practices 73 5.5 Applying Generic Practices 74 5.6 Process Areas That Support Generic Practices 74
Chapter 6: Using CERT-RMM 77 6.1 Examples of CERT-RMM Uses 78 6.2 Focusing CERT-RMM on Model-Based Process Improvement 80 6.3 Setting and Communicating Objectives Using CERT-RMM 83 6.4 Diagnosing Based on CERT-RMM 92 6.5 Planning CERT-RMM—Based Improvements 95
Chapter 7: CERT-RMM Perspectives 99 Using CERT-RMM in the Utility Sector, by Darren Highfill and James Stevens 99 Addressing Resilience as a Key Aspect of Software Assurance Throughout the Software Life Cycle, by Julia Allen and Michele Moss 104 Raising the Bar on Business Resilience, by Nader Mehravari, PhD 110 Measuring Operational Resilience Using CERT-RMM, by Julia Allen and Noopur Davis 115
Part Three: CERT-RMM Process Areas 119
Asset Definition and Management 121 Access Management 149 Communications 175 Compliance 209 Controls Management 241 Environmental Control 271 Enterprise Focus 307 External Dependencies Management 341 Financial Resource Management 381 Human Resource Management 411 Identity Management 447 Incident Management and Control 473 Knowledge and Information Management 513 Measurement and Analysis 551 Monitoring 577 Organizational Process Definition 607 Organizational Process Focus 629 Organizational Training and Awareness 653 People Management 685 Risk Management 717 Resilience Requirements Development 747 Resilience Requirements Management 771 Resilient Technical Solution Engineering 793 Service Continuity 831 Technology Management 869 Vulnerability Analysis and Resolution 915
Part Four: The Appendices 943
Appendix A: Generic Goals and Practices 945 Appendix B: Targeted Improvement Roadmaps 957 Appendix C: Glossary of Terms 965 Appendix D: Acronyms and Initialisms 989 Appendix E: References 993
Book Contributors 997
Index 1001
Es gelten unsere Allgemeinen Geschäftsbedingungen: www.buecher.de/agb
Impressum
www.buecher.de ist ein Shop der buecher.de GmbH & Co. KG Bürgermeister-Wegele-Str. 12, 86167 Augsburg Amtsgericht Augsburg HRA 13309
