- Page 1: CERT ® Resilience Management Model
- Page 5 and 6: List of Figures: Figure 1: The Three
- Page 7 and 8: List of Tables: Table 1: Process Area
- Page 9 and 10: Acknowledgements: This report is the
- Page 11 and 12: The effect of increased levels of c
- Page 13 and 14: Part One: About the CERT ® Resilie
- Page 15 and 16: 1 Introduction: Operational resilienc
- Page 17 and 18: experience, organizations often ask
- Page 19 and 20: continuity management, and IT opera
- Page 21 and 22: As a descriptive model, CERT-RMM fo
- Page 23 and 24: Table 1: Process Areas in CERT-RMM a
- Page 25 and 26: their ability to transform the way
- Page 27 and 28: 2 Understanding Key Concepts in CER
- Page 29 and 30: Historically and often still today,
- Page 31 and 32: Operational resilience addresses th
- Page 33 and 34: esilience of services is key for mi
- Page 35 and 36: Figure 7: Impact of Disrupted Asset
- Page 37 and 38: owners are responsible for ensuring
- Page 39 and 40: into the “security” function bu
- Page 41 and 42: Figure 12: Software/System Asset Li
- Page 43 and 44: 3 Model Components: This chapter intr
- Page 45 and 46: Table 4: CERT-RMM Components by Cate
- Page 47 and 48: Figure 15: A Specific Goal and Spec
- Page 49 and 50: Figure 19: Summary of Major Model C
- Page 51 and 52: Figure 20: Format of Model Componen
- Page 53 and 54: 4 Model Relationships: Successful pro
- Page 55 and 56: Figure 21: Relationships That Drive
- Page 57 and 58: Asset Resilience Management: Environm
- Page 59 and 60: Figure 23: Relationships That Drive
- Page 61 and 62: Figure 25: Relationships That Drive
- Page 63 and 64: Part Two: Process Institutionalizat
- Page 65 and 66: To reach a particular level, an org
- Page 67 and 68: perform in the future. In CERT-RMM,
- Page 69 and 70: names of the generic goals, except
- Page 71 and 72: Generic Practice Related Process Ar
- Page 73 and 74: Such objectives may be high-level a
- Page 75 and 76: These four questions can be directl
- Page 77 and 78: The purpose of the establishing pha
- Page 79 and 80: CERT-RMM has a strong enterprise un
- Page 81 and 82: Communications (COMM)—to institut
- Page 83 and 84: Figure 31: Model Scope Options; 6.3.3
- Page 85 and 86: Figure 33: CERT-RMM Targeted Improv
- Page 87 and 88: Figure 34: Capability Level Ratings
- Page 89 and 90: If the immediate or long-term impro
- Page 91 and 92: ASSET DEFINITION AND MANAGEMENT: Engi
- Page 93 and 94: Specific Practices by Goal: ADM:SG1 E
- Page 95 and 96: Facilities are any physical plant a
- Page 97 and 98: Information Assets: Because informati
- Page 99 and 100: Ownership of assets typically varie
- Page 101 and 102: ADM:SG2.SP2 Analyze Asset-Service D
- Page 103 and 104: Organizational and operational cond
- Page 105 and 106: Subpractices: 1. Establish governance
- Page 107 and 108: ADM:GG2.GP3 Provide Resources: Provid
- Page 109 and 110: Refer to the Human Resource Managem
- Page 111 and 112: ADM:GG2.GP6 Manage Work Product Con
- Page 113 and 114: ADM:GG2.GP8 Monitor and Control the
- Page 115 and 116: ADM:GG2.GP9 Objectively Evaluate Ad
- Page 117 and 118: ADM:GG3.GP2 Collect Improvement Inf
- Page 119 and 120: access controls current and reflect
- Page 121 and 122: COMMUNICATIONS: Enterprise: Purpose: The
- Page 123 and 124: COMM:SG2 Prepare for Communications
- Page 125 and 126: Related Process Areas: A primary comp
- Page 127 and 128: CONTROLS MANAGEMENT: Engineering: Purpo
- Page 129 and 130: The identification and implementati
- Page 131 and 132: ENVIRONMENTAL CONTROL: Operations: Purp
- Page 133 and 134: EC:SG2 Protect Facility Assets: Admin
- Page 135 and 136: The relationship between services a
- Page 137 and 138: EXTERNAL DEPENDENCIES MANAGEMENT: Ope
- Page 139 and 140: Related Process Areas: The establishm
- Page 141 and 142: EXD:SG4 Manage External Entity Perf
- Page 143 and 144: Related Process Areas: Visible and ac
- Page 145 and 146: HUMAN RESOURCE MANAGEMENT: Enterprise
- Page 147 and 148: Specific Practices by Goal: HRM:SG1 E
- Page 149 and 150: IDENTITY MANAGEMENT: Operations: Purpos
- Page 151 and 152: Summary of Specific Goals and Pract
- Page 153 and 154: and associated services and require
- Page 155 and 156: IMC:SG2.SP4 Analyze and Triage Even
- Page 157 and 158: KNOWLEDGE AND INFORMATION MANAGEMEN
- Page 159 and 160: Specific Practices by Goal: KIM:SG1 E
- Page 161 and 162: MEASUREMENT AND ANALYSIS: Process: Purp
- Page 163 and 164: MA:SG1.SP4 Specify Analysis Procedu
- Page 165 and 166: supports and enables its monitoring
- Page 167 and 168: ORGANIZATIONAL PROCESS DEFINITION: Pr
- Page 169 and 170: ORGANIZATIONAL PROCESS FOCUS: Process
- Page 171 and 172: OPF:SG2.SP2 Implement Process Actio
- Page 173 and 174: awareness program. Conduct Awarenes
- Page 175 and 176: OTA:SG3.SP3 Establish Training Capa
- Page 177 and 178: a steady stream of effective staff
- Page 179 and 180: RISK MANAGEMENT: Enterprise: Purpose: The
- Page 181 and 182: RISK:SG2 Establish Risk Parameters
- Page 183 and 184: RESILIENCE REQUIREMENTS DEVELOPMENT
- Page 185 and 186: egularly analyzing the requirements
- Page 187 and 188: RESILIENCE REQUIREMENTS MANAGEMENT: E
- Page 189 and 190: RRM:SG1.SP4 Maintain Traceability o
- Page 191 and 192: The functional aspects of software
- Page 193 and 194: Monitoring for events, incidents, a
- Page 195 and 196: SERVICE CONTINUITY: Engineering: Purpos
- Page 197 and 198: Summary of Specific Goals and Pract
- Page 199 and 200: SC:SG5 Exercise Service Continuity
- Page 201 and 202: organization, the organization must
- Page 203 and 204: TM:SG4.SP3 Perform Change Control a
- Page 205 and 206: them to determine if breakdowns in
- Page 207 and 208: Appendix A: Generic Goals and Pract
- Page 209 and 210: Subpractices: 1. Establish governance
- Page 211 and 212: GG2.GP3 Provide Resources: Provide ad
- Page 213 and 214: Subpractices: 1. Identify process ski
- Page 215 and 216: GG2.GP8 Monitor and Control the Pro
- Page 217 and 218: performing of the process can be ma
- Page 219 and 220: Appendix B: Targeted Improvement Ro
- Page 221 and 222: Required CERT-RMM Process Areas: Cate
- Page 223 and 224: Process Areas: Risk Management: Resilie
- Page 225 and 226: Glossary of Terms: This document cont
- Page 227 and 228: Asset-level resilience requirements
- Page 229 and 230: Communications stakeholder: A person
- Page 231 and 232: Critical success factors: The key are
- Page 233 and 234: External dependency: An external depe
- Page 235 and 236: Identity registration: The process of
- Page 237 and 238: Key control indicators: Organizationa
- Page 239 and 240: Operational risk: The potential impac
- Page 241 and 242: People: All staff, both internal and
- Page 243 and 244: Provisioning: The process of assignin
- Page 245 and 246: Resilient Technical Solution Engine
- Page 247 and 248: Sensitivity: A measure of the degree
- Page 249 and 250: Technical control: A type of technica
- Page 251 and 252: Acronyms and Initialisms: ADM: Asset De
- Page 253 and 254: EUDPD: European Union Data Protection
- Page 255 and 256: OPF: Organizational Process Focus (pr
- Page 257 and 258: References: URLs are valid as of the
- Page 259: REPORT DOCUMENTATION PAGE: Form Appro