One of the features of the CERT® Resilience
Management Model (CERT®-RMM) is the CERT-RMM capability
appraisal for process improvement (CERT-RMM appraisal). The CERT-RMM
appraisal is designed to objectively review an organization against
the benchmark of the CERT Resilience Management Model processes and
practices. It can be used internally by an organization to
improve its processes for managing operational resilience or applied
externally to determine the capability of a third-party
organization. Either way, the appraisal provides a foundation for
long-term process improvement.
What distinguishes a CERT-RMM appraisal?
Why should an organization care about a CERT-RMM appraisal?
Why is an expression of process capability and maturity important
to an organization?
What will an organization learn in a CERT-RMM appraisal?
What is the scope of a CERT-RMM appraisal?
What and who is involved in a CERT-RMM appraisal?
What can an organization do with the results of a CERT-RMM
appraisal?
How can an organization make a business case for investing in a
CERT-RMM appraisal?
Are there any other options for CERT-RMM appraisals?
How does an organization initiate a CERT-RMM appraisal?
What distinguishes a CERT-RMM appraisal?
Unlike assessments, audits, or evaluations in the security,
business continuity, or IT operations domain, the CERT-RMM appraisal is
designed to help the organization understand its level of capability
through an examination of process maturity. In other words, the CERT-RMM
appraisal determines not only whether the organization is doing the
right things right now, but whether it is capable of sustaining
an acceptable level of performance during times of stress and over the
long run as risk environments continue to evolve and change. In
contrast, most practice-based assessments focus on how well the
organization meets the prescribed practice at a point in time, which
fails to tell the organization whether it can sustain an adequate
level of performance after the assessment is over.
Why should an organization care about a CERT-RMM appraisal?
Managing operational resilience is a challenge because it involves
managing operational risk in complex environments. Because of
technology and other factors, these environments (and corresponding
threats and vulnerabilities) are continuously changing. An
organization must be prepared to not only address the events it knows
about, but also the events that will occur in the future. By
considering the organization's process capability and maturity, the
CERT-RMM appraisal tells the organization how well it is prepared to manage
a changing risk environment.
Why is an expression of process capability and maturity important
to an organization?
Organizations with lower levels of process capability and maturity
tend to do things in an ad hoc way and to depend on heroics and fortunate
circumstances. As process capability and
maturity improves, the organization moves away from "getting lucky" to
performing with an emphasis on predictable, repeatable, and consistent
results. In other words, organizations with higher levels of process
capability and maturity do things in a way that improves their
potential for managing operational resilience regardless of the risk
environment. Knowing the organization's current level of process
capability and maturity is a way to determine where on this scale the
organization fits.
What will an organization learn in a CERT-RMM appraisal?
The CERT-RMM appraisal provides the organization insight into
- the current state of its processes for managing operational resilience
- its process strengths and weaknesses
- opportunities for improvement relative to the CERT Resilience Management Model
- the potential value of improvements
- ways to prioritize improvement activities
What is the scope of a CERT-RMM appraisal?
Because the CERT Resilience Management Model allows for appraisals of individual
process areas, the scope of the CERT-RMM appraisal involves
determining
- which CERT-RMM process areas will be included in the
appraisal (the model scope)
- which parts or levels of the organization will be appraised, such as
the enterprise, a line of business, one or more operating units, or a
specific project (the organizational scope)
Both the model and the organizational scopes are determined during
an appraisal workshop activity that considers criteria such as the
organization's objectives for performing the appraisal, process
improvement objectives, resilience strategy, regulatory and compliance
environment, and specific threats or risks that may be of concern.
What and who is involved in a CERT-RMM appraisal?
The appraisal is performed by appraisers who have been trained in
the CERT Resilience Management Model and the accompanying appraisal methodology and who are
authorized by the Software Engineering Institute to perform the
appraisal. The level and extent of involvement by the organization's
personnel depend on the scope of the appraisal. The organization's
personnel will assist in the appraisal by participating in interviews,
supplying process artifacts (such as documents), facilitating process
observation, and analyzing findings and drawing conclusions. Because
the organization owns the appraisal results, the results can be a
valuable learning tool for those involved in the appraisal and
responsible for process improvement.
What can an organization do with the results of a CERT-RMM
appraisal?
In addition to using the results to improve processes and set
performance targets, the results of a CERT-RMM appraisal can be used to
convey the organization's competency for managing operational
resilience. For the organization's customers, this may communicate
confidence in creating a resilient partnership that can survive
business and operational events. And as appraisals are performed
throughout the organization's core industry, the appraisal results can
be used to benchmark the organization's performance against peers.
How can an organization make a business case for investing in a
CERT-RMM appraisal?
A CERT-RMM appraisal is an investment in the organization's long-term
ability to manage operational resilience. It establishes the
foundation for improving processes and helps the organization to
efficiently focus on those areas that matter most, which, in turn,
translates to less effort wasted on unnecessary improvements. In
addition, improving processes can eliminate redundancies, streamline
compliance activities, and increase efficiency in other ways. Some
organizations may even be able to convince their insurers to reduce
rates because of their demonstrated ability to manage risk. If
the organization is a service provider to other organizations, the
appraisal may help the organization increase its business and ability
to secure contracts because it has an objective means to communicate
its process capability and maturity with respect to resilience.
Are there any other options for CERT-RMM appraisals?
Organizations new to the concept of model-based process improvement may find a less formal assessment activity to be more appropriate for determining where to start gap assessment and improvement activities. CERT-RMM Compass is a lightweight assessment instrument that can quickly identify areas for improvement or set direction for more formal appraisals.
How does an organization initiate a CERT-RMM appraisal?
CERT has approved CERT-RMM appraisers who can work with you to establish
an appraisal scope, perform the appraisal, and document and present
appraisal results. We can even help you prioritize process
improvement areas, develop action and implementation plans, and embark
on an improvement process.
To learn more about CERT-RMM appraisals, become a licensed CERT-RMM
appraiser, or arrange for CERT to perform a CERT-RMM appraisal in your
organization, contact Joe McLeod at jmcleod@sei.cmu.edu.