Cyber Risk and Resilience Management Publications

Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach
In this white paper, the authors discuss how financial services organizations can use a resilience-based approach to manage cyber risks that arise from outsourcing and comply with federal cybersecurity regulations.

Intelligence Preparation for Operational Resilience (IPOR)
In this report, Douglas Gray describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).

Structuring the Chief Information Security Officer Organization
In this September 2015 technical note, the authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.

CERT Resilience Management Model: A Maturity Model for Managing Operational
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

CERT-RMM User Panel Discussion: USPIS, DHS, DoE, SunGard, & Lockheed Martin
In this webinar, watch the CERT-RMM User Panel discuss their experiences implementing RMM from the SEI Virtual Event, CERT Operational Resilience: Manage, Protect and Sustain.

CERT Resilience Management Model (CERT-RMM) V1.1: NIST Special Publication Crosswalk Version 2
This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.

The Smart Grid Maturity Model Around the World
In this webinar, Jeffrey H. Ferris introduces the Smart Grid Maturity Model (SGMM), a management tool designed to help any utility, anywhere, plan its journey toward grid modernization, with no customization required.

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
In this webinar, watch James Stevens discuss the "Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)" from the SEI Virtual Event, CERT Operational Resilience: Manage, Protect and Sustain.

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment
In this 2007 report, the authors highlight the design considerations and requirements for OCTAVE Allegro based on field experience.

2008

  • 09/16/2008 Security Risk Assessment Using OCTAVE Allegro
    In this podcast, Lisa Young describes OCTAVE Allegro, a streamlined assessment method that focuses on risks to information used by critical business services.
  • 06/01/2008 SQUARE-Lite: Case Study on VADSoft Project
    In this 2008 report, the authors describe SQUARE and SQUARE-Lite, and the use of SQUARE-Lite to develop security requirements for a financial application.
  • 01/02/2008 2008 CERT Research Report
    In this 2008 report, the authors describe how CERT research advanced the field of information and systems security during the 2008 fiscal year.

2003

  • 12/31/2003 CERT Research 2003 Annual Report
    This report provides brief abstracts for major research projects, followed by more detailed descriptions of these projects, for all CERT research conducted in the year 2003.
  • 08/01/2003 Introduction to the OCTAVE Approach
    In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.
  • 07/01/2003 International Liability Issues for Software Quality
    In this 2003 report, Nancy Mead focuses on international liability as it relates to information security for critical infrastructure applications.