Pamela D. Curtis

Measures for Managing Operational Resilience

Abstract : How resilient is my organization? Have our processes made us more resilient? Members of the CERT(Registered Trademark) Resilient Enterprise Management (REM) team are conducting research to address these and other related questions. The teams first report, Measuring Operational Resilience Using the CERT Resilience Management Model, defined high-level objectives for managing an operational resilience management (ORM) system, demonstrated how to derive meaningful measures from those objectives, and presented a template for defining resilience measures, along with example measures. In this report, REM team members suggest a set of top 10 strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT Resilience Management Model, Version 1.1 (CERT-RMM). The report also provides measures for each of the 26 process areas of CERT-RMM, as well as a set of global measures that apply to all process areas. This report thus serves as an addendum to CERT-RMM Version 1.1. Since CERT-RMM practices map to bodies of knowledge and codes of practice such as ITIL, COBIT, ISO2700x, BS25999, and PCI DSS, the measures may be useful for measuring security, business continuity, and IT operations management processes, either as part of adoption of CERT-RMM or independent of it.

Improving Operational Resilience Processes: The CERT Resilience Management Model

The CERT® Resilience Management Model (CERT®-RMM) defines processes for managing operational resilience in complex, risk-evolving environments. The model encompasses and integrates activities from security, business continuity, and aspects of IT operations management. It provides a path for making operational resilience a repeatable, predictable, manageable, and improvable process over which an organization has a significant level of active and direct control. This paper describes the operational resilience management foundations of the model and the evolution of the model, and it provides an example of how the model might be used to manage and improve the resilience of information assets.

Evaluating and improving cybersecurity capabilities of the energy critical infrastructure

This paper describes the Cyber Security Capability Maturity Model (C2M2) and two tailored versions of the model for the energy sector the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and the Oil & Natural Gas Cybersecurity Capability Maturity Model (ONG-C2M2). These are proven tools which allow owners and operators of components of electricity and oil & natural gas critical infrastructure to assess their cybersecurity capabilities and informs the prioritization of their actions and investments to improve cybersecurity. The models combine elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The goal of these models and associated tools are to support ongoing development and measurement of cybersecurity capabilities within the electricity and oil and natural gas subsectors. The model can be used to: (1) Strengthen cybersecurity capabilities in the subsector, (2) Enable subsector entities to effectively and consistently evaluate and benchmark cybersecurity capabilities, (3) Share knowledge, best practices, and relevant references within the subsector, as a means to improve cybersecurity capabilities, and (4) Enable subsector entities to prioritize actions and investments to improve cybersecurity. In this paper we will provide background on the C2M2, including the model architecture, an overview of the domains, and the model practices. We will explain the Cybersecurity Self Evaluation Survey Tool, which helps electric utilities and grid operators use the model to identify opportunities to further develop their own cybersecurity capabilities. Finally, we will share information about how these models have successfully been utilized by an ever increasing number of entities and plans for their continued stewardship, evolution, and applications to other types of organizations.

A proven method for identifying security gaps in international postal and transportation critical infrastructure

The safety, security, and resilience of international postal, shipping, and transportation critical infrastructure are vital to the global supply chain that enables worldwide commerce and communications. But security on an international scale continues to fail in the face of new threats, such as the discovery by Panamanian authorities of suspected components of a surface-to-air missile system aboard a North Korean-flagged ship in July 2013 [1].This reality calls for new and innovative approaches to critical infrastructure security. Owners and operators of critical postal, shipping, and transportation operations need new methods to identify, assess, and mitigate security risks and gaps in the most effective manner possible.