CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience

Posted on by Ben Rothke

If Gartner had created a framework like the CERT-RMM detailed in the book CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience, it would likely be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain. Besides being inexpensive, it details an invaluable model that should be seriously considered by nearly every organization.

The CERT-RMM is a capability model for operational resilience management. Put more simply, it is a method to tame the out-of-control world of IT operations.

CERT notes that the model has two primary objectives. The first is to establish the convergence of operational risk and resilience management activities, such as security, business continuity, and aspects of IT operations management, into a single model. The second is to apply a process improvement approach to operational resilience management through the definition and application of a capability level scale that expresses increasing levels of process improvement.

In plain English, the model creates a formal method in which to execute IT tasks. Given the reality that most IT tasks are executed in an ad hoc manner, the CERT-RMM should be a welcome relief to most organizations.

The CERT-RMM is a relatively new framework, with version 1.0 being issued in May 2010. Version 1.1 was made available via this book in December 2010. CERT also has a really good CERT-RMM Overview presentation available.

CERT-RMM v1.1 comprises 26 process areas that cover four areas of operational resilience management: enterprise management, engineering, operations, and process management.

In chapter 1, the authors astutely note that technology can be very effective in managing risk, but technology cannot always substitute for skilled people and resources, for procedures and methods that define and connect tasks and activities, and for processes that provide structure and stability toward the achievement of common objectives and goals.

The problem is that most companies will spend huge amounts of money on these myriad technologies and seemingly expect the install routine to magically integrate the numerous processes. CERT-RMM is a comprehensive solution to a broad set of problems.

But for those who are looking to CERT-RMM for a quick fix to a decades-old problem, the authors also note in chapter 1 that CERT-RMM must be embedded within the culture and practices of an organization. The CERT-RMM practices will only make an organization more resilient to the degree to which they have been institutionalized via its processes.

At just over 1,000 pages, the book is a treasure trove of invaluable information. While the amount of information may be overwhelming, it is manageable if used in a serious fashion. But just to reiterate, CERT-RMM should not be seen as a quick-fix solution.

The main textual part of the book covers two parts and seven chapters, which make up the first 120 pages. These two parts provide a comprehensive overview of the CERT-RMM and of the various concepts used within the model. The authors do a superb job of showing how structure and processes need to be an integral part of enterprise operations, and note the challenges of not having such an approach.

Focusing on information security, the authors intelligently observe in chapter 2 that historically information security was viewed as a technology problem and relegated to the IT department. The problem with such an approach is that when an incident or disruption occurs, the response is generally localized and discrete, not orchestrated across all affected lines of business and organizational units. That problem is precisely what CERT-RMM comes to fix. If implemented effectively, the processes enable organizations to respond in a more formal manner, with integrated processes, resulting in operations that are quicker, cheaper, and ultimately more resilient.

In chapter 4, the authors tell you what seems to be obvious: that the CERT-RMM in its entirety looks ominous. They note the reason is that operational resilience management encompasses many disciplines and practices. The challenge is for the organization to be able to understand the relationships in the CERT-RMM model and connect them to its own organization. CERT-RMM is certainly not for the fainthearted. But for those who are serious about operational efficiency and resilience, CERT-RMM is certainly a godsend.

The reality is that not only does the CERT-RMM look ominous, it is. The reason is that CERT-RMM will most likely be used to retrofit an organization that has used decades of ad hoc approaches to its IT processes. Trying to fix so much is indeed ominous. But even with that ominous cloud, it is something that must be done.

In chapter 5, the authors make an important point: CERT-RMM is not a prescriptive model. This means that there is no guidance provided to adopt the model in any specific sequence or prescriptive path. Rather, process improvements are unique to each organization, and the CERT-RMM provides the basic structure that enables enterprises to chart their own specific improvement paths using the model as a guide.

Chapter 6, on using CERT-RMM, notes that the model has a strong enterprise undercurrent, due to the fact that effective operational resilience management requires capabilities that often have enterprise-wide significance. But the enterprise-wide nature of the model does not mean that it can't be adopted at more discrete levels.

Part 3 of the book is a complete listing of the 26 CERT-RMM process areas. Part 3 is where the heart of the CERT-RMM is. Each of the 26 sections has a complete set of descriptions of goals and practices and real-world examples.

Think of part 3 as The Checklist Manifesto: How to Get Things Right, but on steroids. In that book, author Atul Gawande uses the notion of a checklist as a quality-control device. He noticed that the high-pressure complexities in place today can overwhelm even the best-trained professional and that only a disciplined adherence to essential procedures can fix things. Gawande would likely be enamored by the CERT-RMM.

When the reader goes through the over 800 pages of part 3, they will see them as a set of standard operating procedures (SOPs). Industries such as aviation, manufacturing, and pharmaceuticals have SOPs deeply embedded in their processes. The SOPs in part 3 are far from rocket science. They are simply a comprehensive approach and attention to detail. Given that resilience is all about the details, part 3 can be used to take an organization to a mature state of resilience.

If nothing else, part 3 should give the reader an appreciation for the need for effective process around IT initiatives. The exacting level of detail described in part 3 displays a rigorous set of processes that, if deployed, can ensure an all-embracing approach to systems management and control.

Often books with numerous authors lack a sense of style and symmetry. With three authors, the book suffers none of that and is completely integrated into a single unit with no disconnects. Each of the authors is a CERT veteran who brings considerable experience, which is pervasive throughout the book.

But as good as the CERT-RMM is, we all know that it is likely to have minimal adoption. Most organizations are far too short-sighted to use a model that requires the discipline and long-term approach of CERT-RMM.

But for those organizations that are truly serious about resiliency, serious about security, serious about saving money and being more efficient, this book and the CERT-RMM are a model they will embrace warmly. This book is an important first step that can be the gateway to resiliency.

For all the others, they should at least use the CERT-RMM incident management and control process area to deal with the many security incidents and breaches they will inevitably have to contend with.

Ben Rothke

Senior Information Security Manager, Tapad


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
