CERT Resilience Management Model

Banks, credit card companies, and other financial services institutions are among the most regulated and security-conscious organizations in the United States. They must have highly skilled staff to manage resiliency—the ability to stay in business despite disruptions such as security breaches, regional infrastructure failures, and natural disasters.

But escalating physical and cyber threats, complex technologies, interdependent supply chains, and the global marketplace have made the job of managing disruptions increasingly difficult. Members of the Financial Services Technology Consortium (FSTC), a forum for financial services organizations to solve shared challenges, recognized a need for a consistent, systematic resiliency-management process and a common set of related metrics and terminology. In the fall of 2004, the FSTC’s Business Continuity Standing Committee began a project to explore the development of a resiliency model.

In an initial literature search, the committee came upon a report by CERT staff member Rich Caralli, Managing for Enterprise Security, in which Caralli presents ideas about how organizations can move toward security-management processes that are strategic, systematic, and repeatable. Caralli and others at the SEI had already started developing a capabilities framework for improving organizational resiliency from a security perspective. “When the FSTC contacted me, we realized that our goals were the same; we were just coming at them from the perspective of different disciplines, security and business continuity,” says Caralli. “We saw that the best way forward was to acknowledge the convergence of these disciplines through the development of a single model.”

Caralli and his team have met with FSTC project participants in a series of workshops over the course of three years. “These are generally senior-level people with responsibility for resiliency, some very smart people with a lot of knowledge about their fields,” Caralli says. “Without FSTC, I could never have put together a focus group that represented the level of knowledge and experience that their members brought to the table.” Through the three phases of the project so far, they have gathered foundational data, built the model architecture, and produced an initial framework and assessment tool. An outline of the framework was published in an SEI report, Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes, in May 2007. FSTC participants have been piloting the framework and the assessment tool to do benchmarking and to validate the framework’s design and refine its maturity components.

Charles Wallen, managing executive of FSTC’s Business Continuity Standing Committee, says, “Our partnership with the SEI has been extremely valuable. The expertise that the SEI has gained in developing methods, models, and frameworks over the past 20 years, combined with the financial sector’s expertise in managing risk, made it a lot easier to come to something that would be usable for us.”

Wallen stresses that while the CERT Resilience Management Model framework has been initiated and driven by the financial sector, it is applicable and recommended to all organizations. “This is an industry-agnostic, non-proprietary piece of work,” says Wallen. “It’s for the public sector, the private sector, everyone. And the SEI has the infrastructure and experience in managing process-improvement model implementation to enable the framework to be widely and consistently applied.”
