SG Security F2F Knoxville-CERT-RMM Overview

Report
CERT® Resilience Management Model
CERT-RMM Overview
David White
CERT Resilient Enterprise Management Team
© 2011 Carnegie Mellon University
Notices
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS
FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED
TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS
OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY
WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR
COPYRIGHT INFRINGEMENT.
Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the
trademark holder.
This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or
electronic form without requesting formal permission. Permission is required for any other use. Requests
for permission should be directed to the Software Engineering Institute at [email protected]
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003
with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded
research and development center. The Government of the United States has a royalty-free governmentpurpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have
or permit others to do so, for government purposes pursuant to the copyright license under the clause at
252.227-7013.
© 2011 Carnegie Mellon University
2
CERT | Software Engineering Institute | Carnegie Mellon
Software Engineering Institute (SEI)
•
Federally funded research and development center
based at Carnegie Mellon University
•
Basic and applied research in partnership with
government and private organizations
•
Helps organizations improve development,
operation, and management of software-intensive
and networked systems
CERT – Anticipating and solving our
nation’s cybersecurity challenges
•
Largest technical program at SEI
•
Focused on internet security, secure systems,
operational resilience, and coordinated response to
security issues
© 2011 Carnegie Mellon University
3
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
4
Operational resilience
and operational risk
Setting context
© 2011 Carnegie Mellon University
5
Operational resilience defined
Resilience: The physical property of a
material when it can return to its original
shape or position after deformation that
does not exceed its elastic limit
[wordnet.princeton.edu]
Operational resilience: The
emergent property of an organization
that can continue to carry out its
mission in the presence of
operational stress and disruption
that does not exceed its limit
[CERT-RMM]
Where does the stress and disruption come from? Risk.
© 2011 Carnegie Mellon University
6
Operational resilience and operational risk
Operational resilience emerges from effective operational
risk management
Operational risk categories:
Actions of
people
Systems
and
technology
failures
Failed
internal
processes
External
events
© 2011 Carnegie Mellon University
7
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
8
CERT® Resilience Management
Model (CERT-RMM)
A platform for improvement and measurement
© 2011 Carnegie Mellon University
9
What is CERT®-RMM?
CERT-RMM is a capability
model for managing and
improving operational
resilience.
• Guides implementation and
management of operational
resilience activities
• Converges key operational risk
management activities: security,
BC/DR, and IT operations
• Defines maturity through
“…an extensive superset of the things an
organization could do to
be more resilient.”
- CERT-RMM adopter
capability levels (like CMMI)
• Enables measurement
• Improves confidence in how an
organization responds in times
of operational stress
© 2011 Carnegie Mellon University
10
Imperatives for building CERT-RMM
Increasingly complex operational
environments; traditional approaches failing
Siloed nature of operational risk activities; a
lack of convergence
Tech reliance
Global economy
Overreliance on technical approaches
Open boundaries
Complexity
Cultural shifts
Lack of common language or taxonomy
Lack of means to measure organizational
capability
Inability to confidently predict outcomes,
behaviors, and performance under times
of stress
© 2011 Carnegie Mellon University
11
CERT-RMM background
Collaboration
with high
maturity
organizations
800+
practices for
security, BC,
& IT ops
20+ years of
security mgmt
knowledge at
CERT
CERTRMM
CMMI
architecture
and
experience
Piloting in
private and
government
organizations
© 2011 Carnegie Mellon University
12
Organizational context
Organization
Mission
Service
Service
Service
Mission
Mission
Mission
Assets in Production
people
information technology
facilities
Four asset types:
• People – the human capital of the organization
• Information – data, records, knowledge in physical or digital form
• Technology – software, systems, hardware, network
• Facilities – offices, data centers, labs – the physical places
© 2011 Carnegie Mellon University
13
Organizational context - disruption
Organization
Mission
Service
Service
Service
Mission
Mission
Mission
people
info
tech
facilities
Operational risk can disrupt an asset
And lead to organizational disruption
© 2011 Carnegie Mellon University
14
Building resilience at the asset level
tech
Protect
Security Domain
Sustain
BC/DR Domain
Protection strategies
Sustainment strategies
Keep assets from
exposure to disruption
Keep assets productive
during adversity
Typically implemented as
“security” activities
Typically implemented as
“business continuity” activities
© 2011 Carnegie Mellon University
15
Building resilience at the asset
tech
Protect
Sustain
Security Domain
BC/DR Domain
The optimal “mix” of
these strategies
depends on the value
of the asset and the
cost of deploying
and maintaining the
strategy.
Manage Risk
Manage Condition
Manage Consequence
© 2011 Carnegie Mellon University
16
Organizational context
Organization
Mission
Service
Service
Service
Mission
Mission
Mission
people
Sustain
Protect
info
Sustain
Protect
tech
Sustain
Protect
facilities
Sustain
Protect
Operational Resilience
Management System
CERT-RMM
focuses here
© 2011 Carnegie Mellon University
17
Resilience management in the life cycle
Resilience management covers the life cycle of an asset.
Operational resilience management focuses on the deploy,
operate, and decommission phases, but must reach back to
address issues during development.
Design
Plan
Develop
Deploy
Operate
Retire
Acquire
Asset in Production
© 2011 Carnegie Mellon University
18
CERT-RMM position in life cycle
Design
Plan
Develop
Deploy
Operate
Retire
Acquire
CERT-RMM
CMMI-DEV
CMMI-ACQ
CMMI-SVC
DEVELOPMENT
OPERATION
© 2011 Carnegie Mellon University
19
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
20
CERT-RMM Architecture
How the model is put together
© 2011 Carnegie Mellon University
21
CERT-RMM: 26 process areas in 4 categories
Engineering
Operations Management
ADM
Asset Definition and Management
AM
Access Management
CTRL
Controls Management
EC
Environmental Control
RRD
Resilience Requirements Development
EXD
External Dependencies Management
RRM
Resilience Requirements Management
ID
Identity Management
RTSE
Resilient Technical Solution Engineering
IMC
Incident Management & Control
SC
Service Continuity
KIM
Knowledge & Information Management
PM
People Management
Enterprise Management
TM
Technology Management
COMM
Communications
VAR
Vulnerability Analysis & Resolution
COMP
Compliance
EF
Enterprise Focus
Process Management
FRM
Financial Resource Management
MA
Measurement and Analysis
HRM
Human Resource Management
MON
Monitoring
OTA
Organizational Training & Awareness
OPD
Organizational Process Definition
RISK
Risk Management
OPF
Organizational Process Focus
© 2011 Carnegie Mellon University
22
CERT-RMM process area architecture
Process
Area
Focused Activity
What to do to achieve
the capability
How to accomplish the goal
How to implement the practice
Points of connection to other
practice bodies
Specific
Goals
Three
Generic
Goals
Specific
Practices
Generic
Practices
Subpractices
Subpractices
Maturity
Elements
© 2011 Carnegie Mellon University
23
CERT-RMM links to codes of practice
Process
Area
Codes of Practice:
BS25999-1:2006
CMMI v1.2
CMMI for Services
Specific
Goals
CobiT 4.1
COSO ERM
DRII GAP
FFIEC Handbooks (Security, BCP)
Specific
Practices
ISO 20000-2:2005(E) (ITIL-related)
ISO 24762:2008(E)
ISO 27002:2005
NFPA 1600 (2007)
Subpractices
PCI DSS v1.1
Val-IT
© 2011 Carnegie Mellon University
24
CERT-RMM numbers
© 2011 Carnegie Mellon University
25
Where to start
To use the model, start by selecting any number of process
areas (or even parts of process areas) that align with your
objectives.
Starting with 1 process area or a few specific goals is
completely acceptable.
There is no requirement to use the entire model—use
whatever parts of the model make sense for your
situation.
© 2011 Carnegie Mellon University
26
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
27
Measuring maturity — the
CERT-RMM capability dimension
Measuring process institutionalization to
determine capability under stress
© 2011 Carnegie Mellon University
28
Institutionalization
What does institutionalization look like?
It describes when something has become ingrained in the way
an organization operates.
”institutionalize.” Dictionary.cambridge.org Advanced Learner's Dictionary. Cambridge University
Press. 14 Sep. 2010. <http://dictionary.cambridge.org/dictionary/british/institutionalize_2>.
© 2011 Carnegie Mellon University
29
Process institutionalization in CERT-RMM
Capability levels are used in CERT-RMM to measure process institutionalization
Processes are
acculturated,
defined,
measured,
and
governed
Practices are
performed
Level 3
• Defined
• Managed
Higher degrees of
institutionalization
translate to more
stable processes that
Level 1
• produce consistent
Level 2
• Performed
• are retained during
Level 0
Practices are
incomplete
results over time
times of stress
• Incomplete
© 2011 Carnegie Mellon University
30
Capability Levels and Generic Goals
Capability levels apply independently to each process area
• An organization could target level 1 in one process area and level 3
in another
• Provides for very flexible application of the model
Generic goals define capability levels:
To achieve:
An organization must satisfy:
Capability Level 1
Generic Goal 1
Capability Level 2
Generic Goals 1 and 2
Capability Level 3
Generic Goals 1, 2, and 3
© 2011 Carnegie Mellon University
31
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
32
COMP: Compliance
One process area in-depth
© 2011 Carnegie Mellon University
33
COMP – Compliance process area
Purpose: ensure awareness of and compliance with an established
set of relevant internal and external guidelines, standards, practices,
policies, regulations, and legislation, and other obligations (such as
contracts and service level agreements) related to managing
operational resilience
Collect once — comply many times
•
Data collection is one of the most expensive activities for compliance
•
Understand intersecting requirements to leverage compliance data
•
Develop a compliance knowledgebase with strong data validation
© 2011 Carnegie Mellon University
34
Compliance: specific goals & practices
Specific Goals
Specific Practices
COMP:SG1
SG1.SP1: Establish a compliance plan
Prepare for compliance SG1.SP2: Establish a compliance program
management
SG1.SP3: Establish compliance guidelines and
standards
COMP:SG2
Establish compliance
obligations
SG2.SP1: Identify compliance obligations
SG2.SP2: Analyze obligations
SG2.SP3: Establish ownership for meeting obligations
COMP:SG3
SG3.SP1: Collect and validate compliance data
Demonstrate
SG3.SP2: Demonstrate the extent of compliance
satisfaction of
obligation satisfaction
compliance obligations
SG3.SP3: Remediate areas of non-compliance
COMP:SG4
Monitor compliance
activities
SG4.SP1: Evaluate compliance activities
© 2011 Carnegie Mellon University
35
Achieving capability level 1 in COMP
Generic Goals
Generic Practices
GG1 Achieve Specific Goals√ GG1.GP1
Perform Specific Practices
√
Achieve capability level 1 by satisfying generic goal 1,
which means:
• Perform the COMP specific practices (all 10 of them) so that you
• Satisfy the COMP specific goals (all 4 of them)
© 2011 Carnegie Mellon University
36
Achieving capability level 2 in COMP
Generic Goals
Generic Practices
GG1 Achieve Specific Goals√ GG1.GP1
GG2 Institutionalize
a Managed Process
Perform Specific Practices
√
Establish Process Governance
√
GG2.GP2
Plan the Process
√
GG2.GP3
Provide Resources
√
GG2.GP4
Assign Responsibility
√
GG2.GP5
Train People
√
GG2.GP6
Manage Work Product Configurations
√
GG2.GP7
Identify and Involve Relevant Stakeholders √
GG2.GP8
Monitor and Control the Process
√
GG2.GP9
Objectively Evaluate Adherence
√
√ GG2.GP1
GG2.GP10 Review Status with Higher Level Managers √
Achieve capability level 1 plus satisfy generic goal 2 by
performing the associated 10 generic practices.
© 2011 Carnegie Mellon University
37
Achieving capability level 3 in COMP
Generic Goals
Generic Practices
GG1 Achieve Specific Goals√ GG1.GP1
GG2 Institutionalize
a Managed Process
Perform Specific Practices
√
Establish Process Governance
√
GG2.GP2
Plan the Process
√
GG2.GP3
Provide Resources
√
GG2.GP4
Assign Responsibility
√
GG2.GP5
Train People
√
GG2.GP6
Manage Work Product Configurations
√
GG2.GP7
Identify and Involve Relevant Stakeholders √
GG2.GP8
Monitor and Control the Process
√
GG2.GP9
Objectively Evaluate Adherence
√
√ GG2.GP1
GG2.GP10 Review Status with Higher Level Managers √
GG3 Institutionalize
a Defined Process
√ GG3.GP1
GG3.GP2
Establish a Defined Process
√
Collect Improvement Information
√
© 2011 Carnegie Mellon University
38
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
39
SC: Service Continuity
One process area in-depth
© 2011 Carnegie Mellon University
40
SC – Service Continuity
Purpose:
To ensure the continuity of
essential operations of services
and related assets if a
disruption occurs as a result of
an incident, disaster, or other
disruptive event.
Contains
• 7 specific goals
• 20 specific practices
• ~40 pages
© 2011 Carnegie Mellon University
41
SC specific goals 1-3 and practices
Specific Goals
Specific Practices
SG1 Prepare for Service
Continuity
SG1.SP1 Plan for Service Continuity
SG2 Identify and Prioritize
High-Value Services
SG2.SP1 Identify the Organization’s High-Value Services
SG1.SP2 Establish Standards and Guidelines for Service
Continuity
SG2.SP2 Identify Internal and External Dependencies and
Interdependencies
SG2.SP3 Identify Vital Organizational Records and
Databases
SG3 Develop Service
Continuity Plans
SG3.SP1 Identify Plans to be Developed
SG3.SP2 Develop and Document Service Continuity Plans
SG3.SP3 Assign Staff to Service Continuity Plans
SG3.SP4 Store and Secure Service Continuity Plans
SG3.SP5 Develop Service Continuity Plan Training
© 2011 Carnegie Mellon University
42
SC specific goals 4-7 and practices
Specific Goals
Specific Practices
SG4 Validate Service
Continuity Plans
SG4.SP1 Validate Plans to Requirements and Standards
SG5 Exercise Service
Continuity Plans
SG5.SP1 Develop Testing Program and Standards
SG4.SP2 Identify and Resolve Plan Conflicts
SG5.SP2 Develop and Document Test Plans
SG5.SP3 Exercise Plans
SG5.SP4 Evaluate Plan Test Results
SG6 Execute Service
Continuity Plans
SG6.SP1 Execute Plans
SG7 Maintain Service
Continuity Plans
SG7.SP1 Establish Change Criteria
SG6.SP2 Measure the Effectiveness of the Plans in
Operation
SG7.SP2 Maintain Changes to Plans
© 2011 Carnegie Mellon University
43
Achieving capability level 1 in SC
Generic Goals
Generic Practices
GG1 Achieve Specific Goals√ GG1.GP1
Perform Specific Practices
√
Achieve capability level 1 by satisfying generic goal 1,
which means:
• Perform the SC specific practices (all 20 of them) so that you
• Satisfy the SC specific goals (all 7 of them)
© 2011 Carnegie Mellon University
44
Achieving capability level 2 in SC
Generic Goals
Generic Practices
GG1 Achieve Specific Goals√ GG1.GP1
GG2 Institutionalize a
Managed Process
Perform Specific Practices
√
Establish Process Governance
√
GG2.GP2
Plan the Process
√
GG2.GP3
Provide Resources
√
GG2.GP4
Assign Responsibility
√
GG2.GP5
Train People
√
GG2.GP6
Manage Work Product Configurations
√
GG2.GP7
Identify and Involve Relevant Stakeholders √
GG2.GP8
Monitor and Control the Process
√
GG2.GP9
Objectively Evaluate Adherence
√
√ GG2.GP1
GG2.GP10 Review Status with Higher-Level Managers √
Achieve capability level 1 plus satisfy generic goal 2 by
performing the associated 10 generic practices.
© 2011 Carnegie Mellon University
45
Achieving capability level 3 in SC
Generic Goals
Generic Practices
GG1 Achieve Specific Goals√ GG1.GP1
GG2 Institutionalize a
Managed Process
Perform Specific Practices
√
Establish Process Governance
√
GG2.GP2
Plan the Process
√
GG2.GP3
Provide Resources
√
GG2.GP4
Assign Responsibility
√
GG2.GP5
Train People
√
GG2.GP6
Manage Work Product Configurations
√
GG2.GP7
Identify and Involve Relevant Stakeholders √
GG2.GP8
Monitor and Control the Process
√
GG2.GP9
Objectively Evaluate Adherence
√
√ GG2.GP1
GG2.GP10 Review Status with Higher-Level Managers √
GG3 Institutionalize a
Defined Process
√ GG3.GP1
GG3.GP2
Establish a Defined Process
√
Collect Improvement Information
√
© 2011 Carnegie Mellon University
46
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
47
Using CERT-RMM
A process for improvement
© 2011 Carnegie Mellon University
48
Using CERT-RMM for improvement
Recognize
Objective
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Analyze
Gaps
© 2011 Carnegie Mellon University
49
Recognize
Objective
Recognizing objectives
Objectives frame and provide context
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Analyze
Gaps
Answer the question: What are we trying to accomplish with
the improvement effort?
Typical themes:
• Are we doing all that we should to manage business continuity (or
security, IT ops, or a combination)?
• How can we minimize the potential disruption from <some known
risk or category of risk>?
• How can we improve the efficiency, effectiveness, or consistency of
our operational risk management activities (security, BC, & IT ops)?
• Do our policies and guidelines produce the risk management
activities that we want them to? How can we improve policy?
© 2011 Carnegie Mellon University
50
Recognize
Objective
Determining scope
Two elements:
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Analyze
Gaps
• Organizational scope:
On which part of the organization will we focus?
• Model scope:
Which parts of the CERT-RMM will we use?
—
—
Whole process areas (1-6 typically)
Parts of process areas (a set of practices)
Both elements should align with objectives and sponsorship
Model scoping can be easily accomplished by walking the
model outline in a small workshop or meeting
© 2011 Carnegie Mellon University
51
Organizational scope
Determine
Scope
Where, in the organization,
process improvement will be
focused
Must consider
• Span of sponsorship
developed in Initiating phase
• Span of authority of the
improvement team
• Schedule feasibility for
desired improvements
© 2011 Carnegie Mellon University
52
Organizational scoping example -1
1
1.1
1.1.1
1.1.1.1
1.1.2.1
Organizational Unit
1.2
1.1.2
1.1.2.2
Determine
Scope
1.3
1.2.1
1.3.1
1.2.1.1
1.3.1.1
1.3.2
1.3.2.1
1.3.3
1.3.2.2
1.3.3.1
Suppose that we are performing process improvement on the part
of the organization defined by 1.3 and its subunits
First, we have to understand where the CERT-RMM practices are
performed or designate where they will be performed
© 2011 Carnegie Mellon University
53
Determine
Scope
Model scope
Determines which areas of the model will be selected for
process improvement
When selecting, consider process areas that
• May be causing “pain” or perceived weakness
• Align with regulatory or industry initiatives and objectives
• Align with organizational objectives or initiatives
• Support other organizational process improvement initiatives such
as Six Sigma or ITIL
• Explore areas in which the organization needs to develop
competency
© 2011 Carnegie Mellon University
54
CERT-RMM model scope in detail -1
Determine
Scope
Process
Areas
People
Capability
Level Targets
Information
Asset Scope
Technology
Model Scope
Facilities
Business
Continuity
Resilience
Scope
Security
IT Operations
© 2011 Carnegie Mellon University
55
CERT-RMM model scope in detail -2
Process
Areas
Determine
Scope
Fine-grained model scoping options
People
Capability
Level Targets
Information
Asset Scope
Technology
Model Scope
Facilities
Business
Continuity
Resilience
Scope
Security
IT Operations
© 2011 Carnegie Mellon University
56
Determine
Scope
PA-level scope example
Capability Profile
Scoping Caveats
Information and technology assets only
ADM
COMP
Information security compliance only
IMC
Information security incidents only
KIM
None
TM
None
0
1
2
3
© 2011 Carnegie Mellon University
57
CERT-RMM model scope in detail -3
Determine
Scope
Fine-grained model scoping options
Specific &
Generic Practices
People
Information
Asset Scope
Technology
Model Scope
Facilities
Business
Continuity
Resilience
Scope
Security
IT Operations
© 2011 Carnegie Mellon University
58
Determine
Scope
Practice-level scope example
Example scope for IT Disaster Recovery activities.
Note: PAs with no selected practices are hidden.
© 2011 Carnegie Mellon University
59
Recognize
Objective
Identifying gaps
Methods:
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Analyze
Gaps
Rigorous: CERT-RMM Capability Appraisals
• Three classes: A (most rigorous), B, and C (least)
• Outputs include detailed practice-level characterizations and written
findings statements
Lightweight: CERT-RMM Compass
• Questionnaire-based gap analysis instrument from CERT
• In development now
Informal: gap analysis roundtable or workshop
• Assemble a group of internal experts
• Informally evaluate the organization’s implementation of the model
practices in a workshop setting
© 2011 Carnegie Mellon University
60
CERT-RMM appraisal comparison
Process
Area
Generic
Goals
Specific
Practices
Generic
Practices
Resource requirements:
Effort
Appraisal team:
Depth of investigation:
Class A
Class B
Class C
Capability Level
Ratings
--
--
(Satisfied or
Not Satisfied)
--
--
Characterization of
implementation on
5-point scale
Characterization
of approach on
3-point scale
Characterization
of intent on 3point scale
(Fully, Largely, Partially,
Not, Not Yet Implemented)
(High, medium, low)
(High, medium, low)
Findings statements
Statements
Statements
(strengths & weaknesses)
(strength/weakness)
(strength/weakness)
4 or more
2 or more
1 or more
High
Medium
Low
High
Medium
Low
(0, 1, 2, or 3)
Model-Related Outputs
Specific
Goals
Identify Gaps
Goal Ratings
© 2011 Carnegie Mellon University
61
CERT-RMM appraisal comparison
Specific
Goals
Generic
Goals
Specific
Practices
Generic
Practices
Model-Related Outputs
Process
Area
Depth of investigation:
Resource requirements:
Effort
Appraisal team:
Identify Gaps
Class A
Class B
Class C
Capability Level
Scoped at the
Ratings
process
area level
(0, 1, 2, or 3)
--
--
--
--
Goal Ratings
(Satisfied or
Not Satisfied)
Characterization of
implementation on
5-point scale
(Fully, Largely, Partially,
Not, Not Yet Implemented)
Characterization
Characterization
of approach on
of intent on 33-point scale
point scale
May be
scoped
practice
level
(High,
medium,
low) at the(High,
medium,
low)
Findings statements
Statements
Statements
(strengths & weaknesses)
(strength/weakness)
(strength/weakness)
4 or more
2 or more
1 or more
High
Medium
Low
High
Medium
Low
© 2011 Carnegie Mellon University
62
Sample class B/C scope
Identify Gaps
Example scope for IT Disaster Recovery activities.
Note: PAs with no practices in scope are hidden.
© 2011 Carnegie Mellon University
64
Sample class B/C appraisal output
Identify Gaps
For IT Disaster Recovery activities:
Note: PAs with no practices in scope are hidden.
© 2011 Carnegie Mellon University
65
Sample class A appraisal output
Identify Gaps
© 2011 Carnegie Mellon University
66
A appraisals must
be scoped
Sample class A Class
appraisal
output
to include full process areas
Identify Gaps
Class A appraisals
include goal ratings
Class A appraisals include
Capability Level ratings. These
results would yield Capability
Level 0 because at least one
specific goal is not satisfied.
© 2011 Carnegie Mellon University
67
Sample appraisal findings
Identify Gaps
Strengths
• The service continuity testing program is complete, rigorous, well-
implemented, consistently-followed, and provides valuable feedback
for the improvement of preparedness activities across the
organization.
• …
Weaknesses
• Internal dependencies are well-identified in support of service
continuity planning, but external dependencies are not.
• While service continuity plans are being executed appropriately in
the organization, no evidence was provided to show that plans are
being evaluated for their effectiveness in operation.
• …
© 2011 Carnegie Mellon University
68
Sample appraisal findings
Identify Gaps
Strengths
• The service continuity testing program is complete, rigorous, well-
implemented, consistently-followed, and provides valuable feedback
for the improvement of preparedness activities across the
organization.
• …
Findings statements are generated
for class A, B, and C appraisals
Weaknesses
• Internal dependencies are well-identified in support of service
continuity planning, but external dependencies are not.
• While service continuity plans are being executed appropriately in
the organization, no evidence was provided to show that plans are
being evaluated for their effectiveness in operation.
• …
Findings statements are agreed by
consensus of the full appraisal team
© 2011 Carnegie Mellon University
69
Appraisal process
Preparation
Lead
•
Appraiser
•
•
•
Customer •
Identify Gaps
Onsite
Reporting
Develops appraisal
plan
Trains appraisal team
Coaches and
monitors evidence
preparation*
Plans and schedules
interviews
Appraisal team:
• Reviews evidence
(may collect
additional evidence)
• Performs interviews
• Characterizes
practices by
consensus
Appraisal team:
• Presents final findings
to sponsor – typically
in MS Powerpoint
• Optionally produces a
written report which
may include detailed
recommendations
Collects and prepares
evidence*
•
Supports interviews
and additional
evidence collection
* Evidence collection in advance of the onsite is the most efficient appraisal process, but may require
substantial effort by the customer – this mode is called “verification.” Alternatively, the evidence can be
collected during the onsite period in a mode called “discovery.”
© 2011 Carnegie Mellon University
70
Recognize
Objective
Analyzing gaps
To make sure that closing gaps makes sense,
gaps should be analyzed:
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Analyze
Gaps
• Is the cost for closing a gap worth the investment?
• Are there any efficiencies that can be realized by making the
changes to close one or more gaps (efficiencies may include
streamlining controls or compliance activities)?
• Which gaps are most important in the context of the objective?
• Are the organizational changes necessary to close the gaps within
the bounds of sponsorship?
Output is a set of prioritized gaps to be closed
© 2011 Carnegie Mellon University
71
Recognize
Objective
Implementing changes
Use model guidance
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Analyze
Gaps
• Subpractices and other informative material provide implementation
guidance
• Code of Practice Crosswalk highlights connections between CERT-
RMM and relevant standards and codes of practice, which can serve
as additional implementation guidance
• Generic practices in the model provide guidance for having the
changes persist in the organization
Consider measurements that could be implemented with the
changes to help monitor results and inform management
© 2011 Carnegie Mellon University
72
Recognize
Objective
Evaluating results
Evaluate
Results
Determine
Scope
Implement
Changes
Identify
Gaps
Did we achieve the objective?
Analyze
Gaps
Did the changes stick? Can we be sure the new state will
persist?
Are additional needs or objectives now apparent?
When should we make another improvement cycle?
If measurements were implemented, are they revealing
positive trends?
© 2011 Carnegie Mellon University
73
Outline
Operational resilience and operational risk
CERT Resilience Management Model Introduction
CERT-RMM Architecture
Measuring maturity with CERT-RMM – the capability dimension
Compliance process area
Service Continuity process area
Using CERT-RMM
Summary and resources
© 2011 Carnegie Mellon University
74
Summary and resources
© 2011 Carnegie Mellon University
75
Key benefits of using CERT-RMM
Improve efficiency and
effectiveness of operational risk
management
Lower risk, lower cost
Institutionalize resilience
management processes using
proven techniques
Confidence that processes
will be sustained in times
of stress
Establish a common language
for resilience in your
organization (or community)
Effectively communicate
and collaborate to achieve
resilience
Access an extensive body of
knowledge for managing
operational risk and resilience
Confidence in
completeness, flexibility,
and scalability of approach
© 2011 Carnegie Mellon University
76
But I’m already using ________
Most organizations already use one or more standards or
practice bodies to support security and continuity activities.
CERT-RMM can complement your current efforts
• Completeness: CERT-RMM may provide coverage or guidance not
included in your current practice bodies
• Scalability & flexibility: use only the parts that you need to support
your improvement objective
• Stickiness: institutionalization guidance can be deployed to help
you make current and improved practices persist and collaborate
© 2011 Carnegie Mellon University
77
Potential next steps
Get the book
Take the course
Select a subset of the model that matches your current
improvement objectives
Convene a small team to review the model content and
identify gaps in your current activities
© 2011 Carnegie Mellon University
78
Resources
Training
Book
Introduction to the CERT Resilience
Management Model (3-day course)
Includes full
model (v1.1)
plus adoption
guidance and
perspectives
from realworld use of
the model.
• Public courses
- Feb 14-16, 2012 (DC)
- July 16-18, 2012 (Pittsburgh)
- Oct 2-4, 2012 (DC)
• Private onsite courses are also
available
www.sei.cmu.edu/training/P66.cfm
Lead appraiser apprenticeship program
is also available to certify people in
leading CERT-RMM-based appraisals
Available at Amazon.com
www.cert.org/resilience
email: [email protected]
© 2011 Carnegie Mellon University
79
Contact information
David White
SEI Customer Relations
CERT Resilient Enterprise
Management Team
For general inquiries
[email protected]
412-268-5800
David Ulicne
Joe McLeod
For information about training
For information about working
with us
[email protected]
[email protected]
[email protected]
© 2011 Carnegie Mellon University
80
© 2011 Carnegie Mellon University
81
CERT-RMM Use Scenario
Using selected process areas to improve incident
management
© 2011 Carnegie Mellon University
82
Scenario: improve incident management
Objective: improve incident management capability
A quick scan through CERT-RMM reveals several process
areas that would assist with this objective
• Incident Management and Control
• Risk Management
• Monitoring
• Service Continuity
© 2011 Carnegie Mellon University
83
Incident Management and Control defines
Event – one or
more occurrences,
possibly minor, that
affect assets and
have the potential
to disrupt operations
Incident – an event
(or series of events)
of higher magnitude
that significantly
affects assets and
requires action to
limit impact
Incident
Criteria
Event
Crisis – an incident
where the impact is
rapidly escalating or
immediate
Crisis
Criteria
Incident
Closure
Crisis
Closure – should actively occur for all events, incidents, and crises
when no further actions are needed.
© 2011 Carnegie Mellon University
84
Incident Management and Control
In most organizations, many event streams need to be
watched to effectively provide early warning and to detect
incidents and crises.
How do we build an effective approach?
Event stream
Event stream
Event stream
Event stream
Event stream
© 2011 Carnegie Mellon University
85
Risk Management -1
Risk Management guides
Network intrusions
Supply disruption
the identification of sources
Malware
and categories of risk that
Mass illness
matter to the organization,
Extreme weather
for example:
© 2011 Carnegie Mellon University
86
Risk Management -2
These sources of risk
should inform the event
streams if they are likely to
lead to incidents or crises
Network intrusions
Supply disruption
Malware
Mass illness
Extreme weather
Event stream
Event stream
Event stream
Event stream
Event stream
© 2011 Carnegie Mellon University
87
Monitoring
Monitoring guides the implementation of data collection and
sharing activities. In this example, it will provide guidance on
implementing the infrastructure to monitor these event
streams.
Network intrusions
Malware
Mass illness
Supply disruption
Extreme weather
© 2011 Carnegie Mellon University
88
Risk Management -3
Risk Management practices produce criteria for measuring
the potential impact of risks.
Risk measurement criteria
inform
Incident
Criteria
Crisis
Criteria
Network intrusions
Malware
Mass illness
Supply disruption
Extreme weather
© 2011 Carnegie Mellon University
89
Incident Management and Control process
Practices from Incident management and Control produce a
consistent process for managing incidents and crises
Consistent incident management process, including closure
Incident
Criteria
Crisis
Criteria
Closure
Network intrusions
Malware
Incident
Crisis
Mass illness
Supply disruption
Incident
Extreme weather
© 2011 Carnegie Mellon University
90
Service Continuity
Service Continuity practices produce plans to ensure the continuity
of operations in the event of disruptions. Continuity plans will be
triggered during incidents or crises. Collaboration is needed to
ensure that plans are effectively triggered.
Service continuity plans
Triggers
Incident
Criteria
Crisis
Criteria
Triggers
Closure
Network intrusions
Malware
Incident
Crisis
Mass illness
Supply disruption
Incident
Extreme weather
© 2011 Carnegie Mellon University
91
Incident Management system
Four process areas that can
help us develop an effective
incident management
system in our organization
Incident
Criteria
• Incident Management and Control
• Risk Management
• Monitoring
• Service Continuity
Crisis
Criteria
Closure
Network intrusions
Malware
Incident
Crisis
Mass illness
Supply disruption
Incident
Extreme weather
© 2011 Carnegie Mellon University
92
CERT-RMM for Assurance
Focusing CERT-RMM on early life-cycle activities
for building resilience in
© 2011 Carnegie Mellon University
93
RTSE – Resilient Technical Solution Engineering
Ensure that software and systems
are developed to satisfy their
resilience requirements
© 2011 Carnegie Mellon University
94
RTSE specific goals
Goal
Goal Title
RTSE:SG1
Establish guidelines for resilient
technical solution development
RTSE:SG2
Develop resilient technical solution
development plans
RTSE:SG3
Execute the plan
© 2011 Carnegie Mellon University
95
RTSE: Building in versus bolting on
Requires organizational
intervention
Extends resilience
requirements to assets that
are to be developed
Creates requirements for
quality attributes
Attempts to reduce the level
of operational risk
Extends across the
life cycle
© 2011 Carnegie Mellon University
96
RTSE: Designing and testing for resilience
• Performing resilience controls planning and design
• Incorporating resilience controls into architecture design
• Designing resilience-specific architecture
• Adopting secure coding practices
• Processes for detecting and removing defects
• Designing testing criteria to attest to asset resilience
• Testing resilience controls
• Designing service continuity plans during the
development process
© 2011 Carnegie Mellon University
97
RTSE influences
BSIMM2
bsimm.com
Open Web Applications Security Project (OWASP) Software
Assurance Maturity Model www.owasp.org
Microsoft Security Development Life Cycle
www.microsoft.com/security/sdl/
DHS Process Reference Model for Assurance Mapping to
CMMI-DEV V1.2
https://buildsecurityin.us-cert.gov/swa/procresrc.html
© 2011 Carnegie Mellon University
98
CERT-RMM for software assurance
© 2011 Carnegie Mellon University
99

similar documents