What you will learn in this tip: With so many approaches to risk management and resilience management, it’s difficult
to decide which approach and/or strategy to take. This tip examines how the use of a Resilience Management Model (RMM)—such as CERT RMM—can help you build a stronger business continuity plan that is consistent with best practices for operational resiliency.
Computer Emergency Readiness Team (CERT) is an initiative of the federally funded Software Engineering Institute (SEI) of Carnegie Mellon University. In previous years, SEI developed an internationally deployed framework, the Capability Maturity Model (CMM), to address process improvement in software systems development. A more recent version, Capability Maturity Model Integration, introduced in 2006, has superseded the original CMM and addresses process improvement in the development of hardware products, the delivery of various kinds of services and the acquisition of products and services. CERT is on a similar track for maturity of security and resiliency engineering with a model called the Resilience Management Model.
What is a Resilience Management Model?
Consistent with the CMM and CMMI frameworks, the CERT RMM is a process improvement model for operational resiliency management. It has two primary objectives. Its first objective is to establish the convergence of operational risk and resiliency management activities such as security, business continuity and aspects of IT operations management into a single model. Its second objective is to apply an approach to operational resiliency management through the definition and application of a capability-level scale that expresses increasing levels of process improvement.
Business continuity professionals can benefit from the RMM in that it addresses process-level improvement. Guidance from the RMM can help practitioners develop more robust business continuity plans and procedures by incorporating RMM elements into the overall BCM program structure as well as plans and procedures.
The CERT RMM has many uses for risk management, business continuity and other initiatives dealing with the protection of enterprise assets and operations. For example, it can be used as a:
- Starting point for leveraging convergence across security, business continuity, and IT operations activities
- Reference model for understanding the scope of managing operational resiliency
- Dictionary of terminology to facilitate internal and external communication
- Organizing construct for codes of practice, standards and regulations and a framework for compliance
- Process improvement model to stimulate improvement efforts
- Baseline for auditing an organization’s current capabilities
- Guide for improvement in operating areas where an organization’s existing capabilities are not consistent with its desired state
CERT RMM features
Features of the CERT's RMM include the following:
- Provides process-level definitions across four categories: enterprise management, engineering, operations management and process management
- Expands the four categories into 26 capability areas (See Figure 1 "RMM capability areas" below)
- Focuses on four essential operational assets: people, information, technology, and facilities
- Includes processes and practices that map to five capability levels for each capability area: incomplete, performed, managed, directed and continuously improved
- Serves as a meta-model that includes references to common codes of practice such as ISO 9000, ISO 27000, ITIL Versions 2 and 3, CobiT, COSO, and others such as BS25999, FFIEC, NFPA 1600 and ISO 24762
- Includes process metrics and measurements that can be used to ensure that operational resiliency processes are performing as intended
- Facilitates an objective measurement of capability levels via a structured and repeatable appraisal methodology.
For business continuity professionals, the above items are invaluable when formulating a BCM program, business continuity management system, and outputs of these initiatives. Specifically, each item in the list represents a way for BCM professionals to improve the content, structure and quality of their programs and plans. Inclusion of the above items can also be useful when auditing plans and programs, as they add depth to the provisions found in major BCM standards, such as BS 25999, Parts 1 and 2, NFPA 1600:2010 and the new international standard ISO 22301.
Figure 1: RMM capability areas
|ENGINEERING MANAGEMENT||OPERATIONS MANGEMENT|
RRD – Resiliency Requirements Development
RRM – Resiliency Requirements Management
Asset resiliency management
EC – Environmental Control
KIM – Knowledge & Information Management
PM – People Management
TM – Technology Management
ADM – Asset Definition and Management
EXD – External Dependencies
SC – Service Continuity
CTRL – Controls Management
RTSE – Resilient Technical Solution Engineering
Threat, incident, and access management
AM – Access Management
ID – Identity Management
IMC – Incident Management & Control
VAR – Vulnerability Analysis & Resolution
|ENTERPRISE MANAGEMENT||PROCESS MANAGEMENT|
Governance, risk and compliance
COMP – Compliance
EF – Enterprise Focus
RISK – Risk Management
Data collection and Logging
MON – Monitoring
COMM – Communications
FRM – Financial Resource Management
HRM – Human Resource Management
OTA – Organizational Training & Awareness
MA – Measurement and Analysis
OPD – Organizational Process Definition
OPF – Organizational Process Focus
Benefits of CERT RMM
The benefit of developing a framework for resiliency engineering is that a baseline process description is provided as a road map for comparison, analysis and improvement. However, the framework also provides a starting point for driving process improvement. One of the important aspects of process improvement is the ability to recognize and consider capability improvement through process maturity.
The basic goals and practices documented in CERT RMM address the functional and practitioner-level aspects of resiliency engineering at an activity level. In other words, they focus on the body of resiliency engineering knowledge and practices across a wide range of organizational capabilities such as incident management and organizational training and awareness. Organizations can use this body of knowledge as a baseline for improving their overall resiliency management capability by identifying and considering process gaps.
Why use the CERT RMM?
The CERT RMM provides detailed process specifications for the 26 unique and interconnected resiliency-related processes intended to provide specific guidance for process development, improvement and maturity benchmarking. Adopting this model ensures the establishment of operational resiliency processes from the ground up that provide a true basis for process improvement and repeatability. Even more importantly, the CERT RMM has been certified to cross-walk with most of the global standards. And perhaps most importantly, the model was developed with U.S. Government funding (meaning it is non-proprietary and in the public domain) and in partnership with the Financial Services Technology Consortium (FSTC) which has been funding projects to mature the model in line with advanced financial services industry requirements. These requirements can be used in non-financial sector industries.
As we have stated, business continuity professionals can use RMM elements to add value to their programs and plans. Use of the RMM will not simplify the development of plans and procedures, but it will provide relevant guidance and structure that can make plans consistent with best practices for operational resiliency, a key aspect of business continuity. Exercising business continuity plans is the best way to ensure that plans work as efficiently as possible, when needed.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at firstname.lastname@example.org.