Richard A. Caralli, Julia H. Allen, David W. White. CERT Resilience Management Model
Подождите немного. Документ загружается.
Incident Management and Control 507
3. Review activities, status, and results of the process with the immediate level of
managers responsible for the process and identify issues.
Elaboration:
Incident learning processes as described in IMC:SG5 are intended to provide a
standard and consistent post-incident review and examination. However, reviews
of the incident management and control process may result from periodic audits
or examinations, particularly if metrics indicate a rise in incidents of specific types
or with increasing impact, or an extension of time required to resolve incidents.
If the incident management and control process is decentralized (i.e.,
spread across organizational units), post-incident reviews may provide man-
agement insight into variations between the organizational units that could
impact the organization’s overall incident management capability.
IMC
• average time between event detection and related incident declaration, response,
or closure
• percentage increase in the volume of events and incidents in a specific period
• extent of consequences to the organization due to incidents by incident type (also
referred to as “magnitude”)
• percentage increase in the elapsed time of the incident life cycle by incident type
• number and percentage of recurrence of specified events or incidents
• percentage increase in resource needs (training, skill building, additional human
resources) to support incident management
• number of post-incident review activities that result in control changes or
improvements to the process
• number of incidents referred to the risk management process; number of risks
where corrective action is still pending (by risk rank)
• level of adherence to process policies; number of policy violations; number of
policy exceptions requested and number approved
• number of process activities that are on track per plan
• rate of change of resource needs to support the process
• rate of change of costs to support the process
Periodic reviews of the incident management and control process are needed to
ensure that
• the process is known and accessible
• events and incidents are identified, reported, and addressed on a timely basis
• events and incidents are logged and closed
• proper forensic procedures are used to collect and preserve evidence
• events are properly triaged and analyzed for root causes
• incidents are properly declared
508 PART THREE CERT-RMM PROCESS AREAS
4. Identify and evaluate the effects of significant deviations from the plan for per-
forming the process.
5. Identify problems in the plan for performing and executing the process.
6. Take corrective action when requirements and objectives are not being satisfied,
when issues are identified, or when progress differs significantly from the plan
for performing the process.
7. Track cor re ctive ac tion to closure.
IMC:GG2.GP9 OBJECTIVELY EVALUATE ADHERENCE
Objectively evaluate adherence of the incident management and control process against its
process description, standards, and procedures, and address non-compliance.
Elaboration:
• incidents are properly escalated to designated stakeholders
• incident response capabilities are commensurate with the priority of an incident
• incidents are communicated appropriately to stakeholders at a level commensu-
rate with their involvement
• event and incident status reports are provided to appropriate stakeholders in a
timely manner
• post-incident reviews are performed to improve the process
• actions requiring management involvement are elevated in a timely manner
• the performance of process activities is being monitored and regularly reported
• key measures are within acceptable ranges as demonstrated in governance
dashboards or scorecards and financial reports
• administrative, technical, and physical controls are operating as intended
• controls are meeting the stated intent of the resilience requirements
• actions resulting from internal and external audits are being closed in a timely
manner
These are examples of activities to be reviewed:
• identifying and detecting events and incidents, including service desk procedures
• logging, tracking, and reporting events and incidents
• establishing incident validation criteria
• collecting, documenting, and preserving evidence
• triaging events
• analyzing events and incidents
• declaring incidents
Incident Management and Control 509
IMC:GG2.GP10 REVIEW STATUS WITH HIGHER-LEVEL MANAGERS
Review the activities, status, and results of the incident management and control process
with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship
and oversight to the operational resilience management system.
IMC
• escalating incidents
• communicating incidents
• responding to incidents
• recovering from incidents so as to minimize disruption and impact
• closing incidents (and addressing incidents that have not been closed)
• performing post-incident reviews
• the alignment of stakeholder requirements with process plans
• assignment of responsibility, accountability, and authority for process activities
• determination of the adequacy of process reports and reviews in informing
decision makers regarding the performance of operational resilience manage-
ment activities and the need to take corrective action, if any
• use of process work products for improving strategies for protecting and sustain-
ing assets and services
These are examples of work products to be reviewed:
• incident management plans
• event and incident service desk reports and documentation
• incident management policies, procedures, standards, and guidelines
• incident knowledgebase
• evidence collection and preservation guidelines, as well as documentation on
past collection activities
• event and incident analysis reports
• incident declaration criteria
• incident escalation criteria and procedures
• incident response documentation (of past response actions)
• incident communications plan and status reports
• post-incident review reports
• issues that have been referred to the risk management process
• process methods, techniques, and tools
• metrics for the process (Refer to IMC:GG2.GP8 subpractice 2.)
• contracts with external entities
510 PART THREE CERT-RMM PROCESS AREAS
IMC:GG3 INSTITUTIONALIZE A DEFINED PROCESS
Incident management and control is institutionalized as a defined process.
IMC:GG3.GP1 ESTABLISH A DEFINED PROCESS
Establish and maintain the description of a defined incident management and control
process.
Elaboration:
Incident management and control may be performed in either a centralized or
decentralized manner. The way in which the organization institutionalizes the
incident management and control process varies based on the size of the
organization, the diversity of operational environments, and other factors.
This may lead to a range of implementation methods, including the use of a
dedicated centralized team, dedicated virtual teams, decentralized dedicated
teams, or other combinations.
Establishing and tailoring process assets, including standard processes, are addressed in
the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process
assets, including standard processes, are addressed in the Organizational Process Focus
process area.
Subpractices
1. Select from the organization’s set of standard processes those processes that cover
the incident management and control process and best meet the needs of the
organizational unit or line of business.
2. Establish the defined process by tailoring the selected processes according to the
organization’s tailoring guidelines.
3. Ensure that the organization’s process objectives are appropriately addressed in
the defined process, and ensure that process governance extends to the tailored
processes.
4. Document the defined process and the records of the tailoring.
5. Revise the description of the defined process as necessary.
IMC:GG3.GP2 COLLECT IMPROVEMENT INFORMATION
Collect incident management and control work products, measures, measurement results,
and improvement information derived from planning and performing the process to
support future use and improvement of the organization’s processes and process
assets.
Incident Management and Control 511
Establishing the measurement repository and process asset library is addressed in the
Organizational Process Definition process area. Updating the measurement repository
and process asset library as part of process improvement and deployment is addressed
in the Organizational Process Focus process area.
Subpractices
1. Store process and work product measures in the organization’s measurement
repository.
2. Submit documentation for inclusion in the organization’s process asset library.
3. Document lessons learned from the process for inclusion in the organization’s
process asset library.
4. Propose improvements to the organizational process assets.
IMC
These are examples of improvement work products and information:
• service desk reports or similar documentation of reported events
• incident reports from the incident knowledgebase and the level to which the
knowledgebase reflects the current status of all incidents
• issues related to collecting, documenting, and preserving evidence
• issues related to deploying forensic tools and techniques
• lessons learned in triaging and analyzing events and in analyzing incidents
• communications issues
• issues related to declaring incidents
• incident response successes and failures
• issues related to closing incidents
• lessons learned in post-incident review
• problem reports and corresponding actions
• changes to asset and service resilience requirements resulting from post-incident
review
• metrics and measurements of the viability of the process (Refer to IMC:GG2.GP8
subpractice 2.)
• changes and trends in operating conditions, risk conditions, and the risk environ-
ment that affect process results
• recommendations for control improvements
• recommended updates to service continuity plans
Elaboration:
Specific goal IMC:SG5 and its specific practices describe capturing lessons
learned in post-incident review and translating these into improvements to
incident management and control process activities. Such improvement
directly supports the improvement of service continuity and strategies to protect
and sustain assets and services.
This page intentionally left blank
513
KIM
KNOWLEDGE AND INFORMATION MANAGEMENT
Operations
Purpose
The purpose of Knowledge and Information Management is to establish and
manage an appropriate level of controls to support the confidentiality, integrity,
and availability of the organization’s information, vital records, and intellectual
property.
Introductory Notes
The importance of information as an organizational asset continues to grow. The
focus of organizations has increasingly turned to intangible assets such that the
ratio of tangible assets to intangible assets continues to decrease. This supports
the assertion that information is one of the most—if not the most—high-value
organizational assets. It is the raw material that is used by and created in services.
The protection of this intellectual and enterprise capital—to ensure that it is
available in the form intended for use in services—is the focus of the Knowledge
and Information Management process area.
An information asset can be described as information or data that is of value
to the organization, including such diverse information as patient records, intel-
lectual property, vital business records and contracts, and customer information.
The unique aspect of information assets is that they can exist in physical form
(on paper, CDs, or other media) or electronic form (files, databases, on personal
computers). The Knowledge and Information Management process area
addresses the importance of information assets in the operational resilience of
services, as well as unique attributes specific to information assets such as those
described in Table KIM.1.
514 PART THREE CERT-RMM PROCESS AREAS
TA BL E K I M.1 At t ri b u te s of I nf o rm a t io n As se t s
Attribute Description
Confidentiality For an information asset, the quality of being accessible only to authorized people,
processes, and devices
Integrity For an information asset, the quality of being in the condition intended by the
owner and so continuing to be useful for the purposes intended by the owner
Availability For an information asset, the quality of being accessible to authorized users
(people, processes, or devices) whenever it is needed
Privacy The assurance that information about an individual is disclosed only to people,
processes, and devices authorized by that individual or permitted under privacy
laws and regulations
Sensitivity A measure of the degree to which an information asset must be protected based
on the consequences of its unauthorized access, modification, or disclosure
In this process area, information assets are prioritized according to their
value in supporting high-value organizational services. Physical, technical, and
administrative controls that keep information assets viable and sustainable are
selected, implemented, and managed, and the effectiveness of these controls is
monitored. In addition, information asset risks are identified and mitigated in an
attempt to prevent disruption when possible. Information is categorized as to its
organizational sensitivity, and consideration is given to the backup and storage
of important information and vital records in case of loss or destruction, or to
support the execution of service continuity plans.
Knowledge management is also performed in this process area: the require-
ment to identify and document the organizational and intellectual knowledge of
staff that is important to the effective operation of the organization’s services.
This information asset is often not documented, has poorly developed security
requirements, and lacks adequate protection. It is also often one of the most
high-value information assets in the organization.
Related Process Areas
The establishment and management of resilience requirements for information assets are per-
formed in the Resilience Requirements Development and Resilience Requirements Management
process areas.
The identification, definition, inventorying, management, and control of information assets
are addressed in the Asset Definition and Management process area.
The risk management cycle for information assets is addressed in the Risk Management
process area.
The management of the internal control system that ensures the protection of information
assets is addressed in the Controls Management process area.
The selection, implementation, and management of access controls for information assets are
performed in the Access Management process area.
Summary of Specific Goals and Practices
KIM:SG1 Establish and Prioritize Information Assets
KIM:SG1.SP1 Prioritize Information Assets
KIM:SG1.SP2 Categorize Information Assets
KIM:SG2 Protect Information Assets
KIM:SG2.SP1 Assign Resilience Requirements to Information Assets
KIM:SG2.SP2 Establish and Implement Controls
KIM:SG3 Manage Information Asset Risk
KIM:SG3.SP1 Identify and Assess Information Asset Risk
KIM:SG3.SP2 Mitigate Information Asset Risk
KIM:SG4 Manage Information Asset Confidentiality and Privacy
KIM:SG4.SP1 Encrypt High-Value Information
KIM:SG4.SP2 Control Access to Information Assets
KIM:SG4.SP3 Control Information Asset Disposition
KIM:SG5 Manage Information Asset Integrity
KIM:SG5.SP1 Control Modification of Information Assets
KIM:SG5.SP2 Manage Information Asset Configuration
KIM:SG5.SP3 Verify Validity of Information
KIM:SG6 Manage Information Asset Availability
KIM:SG6.SP1 Perform Information Duplication and Retention
KIM:SG6.SP2 Manage Organizational Knowledge
Specific Practices by Goal
KIM:SG1 ESTABLISH AND PRIORITIZE INFORMATION ASSETS
Information assets are prioritized to ensure the resilience of high-value services in which
they are used.
In this goal, the organization establishes the subset of information assets (from
its information asset inventory) on which it must focus operational resilience
activities because of their importance to the sustained operation of essential
services.
Prioritization of information assets is a risk management activity. It estab-
lishes the information assets that are of most value to the organization and for
which measures to protect and sustain them are required. Failure to prioritize
information assets may lead to inadequate operational resilience of high-value
assets and excessive levels of operational resilience for non-high-value assets.
Knowledge and Information Management 515
KIM
Information assets may also be of high priority to the organization because of
their sensitivity. The unique nature of these information assets may require a
higher level of resilience controls.
KIM:SG1.SP1 PRIORITIZE INFORMATION ASSETS
Information assets are prioritized relative to their importance in supporting the delivery of
high-value services.
The prioritization of information assets must be performed in order to ensure that
the organization properly directs its operational resilience resources to the assets
that most directly impact and contribute to services that support the organization’s
mission. These assets require the organization’s direct attention because their disrup-
tion has the potential to cause the most significant organizational consequences.
Information asset prioritization is performed relative to services—that is,
information assets associated with high-value services are those that must be
most highly prioritized for operational resilience activities.
516 PART THREE CERT-RMM PROCESS AREAS
However, the organization can use other criteria to establish high-priority information
assets, such as
• the use of the asset in the general management and control of the organization
(contracts, articles of incorporation, etc.)
• highly sensitive or classified information (Categorization of information assets is
addressed in KIM:SG1.SP2.)
• information that represents the organization’s trade secrets or proprietary informa-
tion such as intellectual property (Intellectual property management is addressed in
KIM:SG4.SP2.)
• information assets that are of high value to more than one service
• value of the asset in directly supporting the organization’s achievement of critical
success factors and strategic objectives
• the organization’s tolerance for “pain”—the degree to which it can suffer a loss or
destruction of the information asset and continue to meet its mission
Ty p ic a l l y, t h e o rg a ni z a t io n s e le c t s a s u b se t o f i n fo r m at i o n a s s e ts f ro m i t s
asset inventory; however, the organization could compile a list of high-value
information assets based on risk or other factors. However, failure to select
assets from the organization’s asset inventory poses additional risk that some
high-value information assets may never have been inventoried. (The identifica-
tion, definition, management, and control of information assets are addressed in the
Asset Definition and Management process area.)
Ty p i c a l w o r k p r o d u c t s
1. List of high-value information assets