A Technical History of the SEI
and security process improvement. The bodies of knowledge identified included IT and information security governance, audit, risk management, IT operations, security, project management, and process management.

In December 2004, the SEI released a technical note titled Managing for Enterprise Security [Caralli 2004] that introduced operational resilience as the objective of security activities and began to describe the convergence between security management, business continuity management, and IT operations management as essential for managing operational risk.

In March 2005, the SEI hosted a meeting with representatives of the Financial Services Technology Consortium (FSTC).[16] The FSTC’s Business Continuity Standing Committee was actively organizing a project to explore the development of a reference model to help determine an organization’s capability to manage operational resilience as a follow-on to lessons learned in the aftermath of Sept. 11, 2001. The respective efforts were clearly focused on solving the same problem: How can an organization predictably and systematically control operational resilience through activities such as security and business continuity?

In the following year, the SEI introduced the concept of a process improvement model for managing operational resilience, drawing heavily upon the SEI’s CMMI experience. The SEI continued to collaborate with the FSTC and others to develop an initial framework and subsequent revisions, which resulted in the CERT Resilience Engineering Framework in March of 2008 and v1.0 of the CERT Resilience Management Model (CERT-RMM) in March 2010 (followed shortly thereafter by v1.1 of the CERT-RMM in book form [Caralli 2010a] and a model description in a webinar [Caralli 2010b]). The SEI also developed resilience training and helped establish a CERT-RMM Users Group.[17] The SEI is conducting research and developing resources for measuring operational resilience, including guidance and templates that support organizations in defining their measures and an addendum to CERT-RMM V. 1.1 that updates examples of measures for the 26 process areas [Allen 2011].

The View from Others

The CERT-RMM class provided Lockheed Martin participants with a solid framework for measuring organizational and operational resilience, but the RMM Users Group gave us a greater appreciation of the issues surrounding resilience. The diversity of perspectives from industry, finance, government, and education helped to associate actual problems with model constructs. Hearing about the real world issues that other organizations had, and how they conquered or planned to conquer them, helped us to be better able to support our own operational teams and to establish a strategy for our organization.

– Lynn Penn, Director Enterprise Integration, Lockheed Martin Corporation

[16] The FSTC has since been incorporated into the Financial Services Roundtable (http://www.fsround.org).

[17] Information on SEI resilience work is available at http://www.cert.org/resilience, including links to the training and the user group pages.

CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 125
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.