Software Engineering Institute Carnegie Mellon


CERT Resiliency Engineering Research

Traditional activities like security, business continuity, and IT operations management have a common goal: to manage operational risk in a way that helps the organization to manage and sustain an adequate level of operational resiliency. Unfortunately, many organizations lack the capabilities required to actively direct and control operational resiliency. They typically perform operational risk-based activities in silos, depend on heroics in times of stress, and describe their success in terms of “what hasn’t happened” rather than an objective measure of competency.

The CERT Resiliency Engineering research focuses on developing tools, techniques, and methods to help organizations improve their operational resiliency management capabilities. Currently, the CERT Resiliency Engineering team is focusing its efforts on the development of the CERT Resiliency Engineering Framework—the foundation for a process-improvement approach to security and business continuity.

CERT Resiliency Engineering Framework

The CERT Resiliency Engineering Framework establishes an organization’s resiliency engineering process: a collection of essential capabilities an organization performs to ensure that its important assets remain able to support business processes and services. The framework serves as a foundation an organization can use to objectively measure its competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and improves these activities so that whatever disruption is waiting in the wings—natural disaster, terrorism, pandemic—the organization consciously understands its capabilities and can use this knowledge to be as prepared as possible to limit the impact of the disruption on the organization.

Current Activities

The CERT RE team has released a review version of the Resiliency Engineering Framework (v0.95R). This version is an early release of our work in progress. It provides a view of the framework capabilities that we have developed to date, as well as capability levels to measure the extent to which each capability area is integrated into the organization’s culture—a predictive indicator of the organization’s ability to sustain resiliency activities even in times of stress.

You can download a current copy of the REF and provide feedback and suggestions here.

The CERT RE team presented a half-day tutorial on the Resiliency Engineering Framework at the SEPG 2008 conference on March 17, 2008, in Tampa, FL. The CERT RE team also has been accepted to present at European SEPG 2008, June 10–13, 2008, in Munich, Germany. Details of this presentation will be included on this page as they are finalized.

The SEI is also offering two informational sessions on the REF in early 2008. Session 1 will be held in New York City on March 12, 2008, and session 2 at the SEI offices in Washington, D.C. (Arlington) on March 26, 2008. For information on these activities, contact Joe McLeod at jmcleod@sei.cmu.edu.

Future Activities

In 2008, our Resiliency Engineering research and development will continue. Some of the activities and deliverables we are planning include

Subscribe to the REF Newsletter

The RE team produces a regular newsletter to keep the community updated on project developments and publications. Newsletter recipients also receive event notifications and invitations. You can subscribe to our newsletter here.

OCTAVE

The Resiliency Engineering Framework grew out of our development and deployment of the OCTAVE methodology, a self-directed, strategic assessment and planning technique that focuses on improving an organization’s management of information security risks. Risks are identified and analyzed based on where they originate—where information is stored, transported, and used. Identified risks are evaluated in the context of the organization’s business objectives and risk tolerance to provide insight into mitigation priorities and strategies. An accelerated version of OCTAVE, OCTAVE Allegro, is also available.


For More Information

Resiliency Engineering

OCTAVE

Training Courses

OCTAVE Email: octave-info@sei.cmu.edu

Contact Information

Networked Systems Survivability Program
Software Engineering Institute
Carnegie Mellon University
CERT hotline: +1 412-268-7090
FAX: +1 412-268-6989
Email: cert@cert.org
Web: http://www.cert.org

