CERT
 
 

Resiliency Engineering Research

Overview
  • Are security and business continuity activities coordinated in your organization or are they performed in silos? Are they viewed as technical rather than business activities?
  • Can you actively manage operational resiliency or do you typically react to disruptive events as they occur?
  • Do you know if the security and business continuity practices you’ve implemented are effective? Do they support the achievement of the organization’s strategic objectives and mission?
  • Can you measure the success of your security and business continuity activities? Can you consistently repeat and sustain that success over the long run?
  • Do you have a foundation from which to continuously improve your security and business continuity efforts?

If your organization cannot answer these questions with certainty, our research in the field of resiliency engineering may be able to help. We are developing tools, techniques, and methodologies that allow organizations to move their security and business continuity activities to the next level by focusing on actively managing operational resiliency to achieve the organization’s mission. The cornerstone of our research is the development of the CERT® Resiliency Engineering Framework.

The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.

The CERT® Resiliency Engineering Framework doesn’t replace your organization’s best practices—it provides a process structure into which these practices can be inserted and managed. Using the resiliency engineering process definition as a guide, your organization can select the right practices to achieve the intended result and to ensure optimized resource deployment. In turn, your organization can measure the achievement of process goals to validate that the implemented practices are providing results.


History

The establishment of the CERT® Resiliency Engineering Framework actually began during our development and deployment of the OCTAVE® methodology, which was focused on improving an organization’s involvement in managing information security risks. Through this work, we realized that organizations often view security as a technical specialty and don’t usually associate it with other activities such as business continuity and IT operations management—all of which are focused on managing operational risk and sustaining operational resiliency. Absent this important business driver, it is difficult to position security (or business continuity planning) as an enabler of an organization’s strategy, much less an activity that is worthy of the investment of limited resources such as capital and people.
 
By examining the impact of OCTAVE and relying on CERT’s vast expertise in the field of security, we began to envision ways that security and business continuity could become important contributors to an organization’s success and growth. Combined with the Software Engineering Institute’s successful history of developing and deploying process improvement models for software and systems engineering, we realized that a process improvement approach to managing operational resiliency could help organizations to raise the effectiveness of their current efforts by shifting their perspective to the process, not the practice. 

Along the way, we have supplemented our research by seeking out real-world problems to solve. In 2004, we began a partnership with the Financial Services Technology Consortium (www.fstc.org) to examine the application of these concepts to the complex problem of managing operational resiliency in the U.S. financial sector. This has given us unparalleled access to some of the best practitioners in the security and business continuity space.


Work with Us

If engineering, managing, improving, and sustaining operational resiliency is important to your organization, you can work directly with us.

In 2008, we have several ways to connect you to our resiliency engineering research. You can join our effort in any of these ways:

  • Download and review the draft version of the CERT Resiliency Engineering Framework and provide your input and comments
  • Participate in a CERT-led evaluation of your current resiliency practices
  • Participate in a CERT-led executive seminar
  • Become a CERT research partner to further develop the model, assessment methods, and training
  • Join the REF "Resilient Enterprise: Benchmarking for Maturity" project, a forum and series of workshops to help you benchmark your current resiliency activities with other industry experts and top-tier organizations
  • Sign up to receive the REF Newsletter

To become involved in one or more of these activities, click on the links provided or contact Joe McLeod at jmcleod@sei.cmu.edu. To stay connected to our progress, please revisit this web page periodically.






Copyright 2008 Carnegie Mellon University.

Last updated March 7, 2008