Richard A. Caralli, Julia H. Allen, David W. White. CERT Resilience Management Model
Подождите немного. Документ загружается.
Refer to the Organizational Training and Awareness process area for information about
training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about
acquiring staff to fulfill roles and responsibilities.
2. Fund the process.
Refer to the Financial Resource Management process area for information about budg-
eting for, funding, and accounting for risk management.
3. Provide necessary tools, techniques, and methods to perform the process.
Elaboration:
RISK:GG2.GP4 ASSIGN RESPONSIBILITY
Assign responsibility and authority for performing the risk management process,
developing the work products, and providing the services of the process.
Elaboration:
RISK:SG4.SP3 describes the level of management responsibility and authority
required based on risk disposition but does not directly address responsibility
and authority for carrying out the risk management process plan.
Refer to the Human Resource Management process area for more information about estab-
lishing resilience as a job responsibility, developing resilience performance goals and objec-
tives, and measuring and assessing performance against these goals and objectives.
These are examples of tools, techniques, and methods to support the risk manage-
ment process:
• methods and tools for determining, documenting, and communicating risk
sources, categories, parameters, and measurement criteria
• methods for operational risk identification, analysis, mitigation, monitoring, and
communication with respect to identified assets and services (Techniques for risk
identification are described in RISK:SG3.SP1.)
• techniques for risk assessment, including interview techniques, questionnaires,
and surveys
• methods, techniques, and tools for business impact analysis
• tools for scenario planning and analysis
• tools for developing risk mitigation plans
• templates for documenting risk mitigation plans
• methods for tracking open risks to closure
• methods for keeping stakeholders apprised of the current status of open risks
• methods for monitoring the effectiveness of risk mitigation plans
• tools, techniques, and methods for version control of risk mitigation plans
Risk Management 737
RISK
Subpractices
1. Assign responsibility and authority for performing the process.
Elaboration:
Organizations may establish a risk officer, a risk management group, or a risk
management process group to take responsibility for the overall risk manage-
ment process. This group may also formally interface with higher-level managers
for the purposes of reporting on organizational progress against risk management
process goals as part of the governance process.
2. Assign responsibility and authority for performing the specific tasks of the process.
Elaboration:
Refer to the External Dependencies Management process area for additional details
about managing relationships with external entities.
3. Confirm that people assigned with responsibility and authority understand it and
are willing and able to accept it.
RISK:GG2.GP5 TRAIN PEOPLE
Train the people performing or supporting the risk management process as needed.
Refer to the Organizational Training and Awareness process area for more information about
training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about invento-
rying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring
and addressing skill deficiencies.
Responsibility and authority for performing risk management tasks can be formal-
ized by
• defining roles and responsibilities in the process plan to include roles responsi-
ble for addressing and tracking risk
• including process tasks and responsibility for these tasks in specific job descrip-
tions, particularly for those staff who own high-value organizational assets
• developing policy requiring organizational unit managers, line of business
managers, project managers, and asset and service owners and custodians to
participate in and derive benefit from the process for assets and services under
their ownership or custodianship
• including process activities in staff performance management goals and
objectives, with requisite measurement of progress against these goals
• developing and implementing contractual instruments (including service level
agreements) with external entities to establish responsibility and authority for
performing process tasks on outsourced functions
• including process tasks in measuring performance of external entities against
contractual instruments
738 PART THREE CERT-RMM PROCESS AREAS
Subpractices
1. Identify process skill needs.
Elaboration:
2. Identify process skill gaps based on available resources and their current skill
levels.
3. Identify training opportunities to address skill gaps.
Elaboration:
Certification training is an effective way to improve risk management skills and
attain competency. While operational risk management certifications are not
widespread, GIAC (Global Information Assurance Certification) does offer a
Certified Project Manager Certification that includes risk management of IT
projects and application development. The Information Systems Examination
Board (ISEB) of the British Computer Society offers a Practitioner Certificate in
Information Risk Management.
4. Provide training and review the training needs as necessary.
These are examples of training topics:
• risk management concepts and activities (e.g., risk identification, evaluation,
monitoring, and mitigation)
• selection of protection strategies and measures for mitigating risk
• establishing risk tolerance, threshold, and evaluation criteria
• developing risk management strategy
• establishing and managing a continuous process
• using process tools and techniques
• working with external entities that have responsibility for process activities and
for assessing risk on outsourced functions
• using process methods, tools, and techniques, including those identified in
RISK:GG2.GP3 subpractice 3
These are examples of skills required in the risk management process:
• knowledge of tools, techniques, and methods that can be used to identify,
analyze, mitigate, and monitor operational risks to organizational assets and
services, including those identified in RISK:GG2.GP3 subpractice 3
• knowledge necessary to develop, implement, and monitor risk mitigation plans
• knowledge necessary to collect, coordinate, and elevate operational risks to the
organization’s enterprise risk management process
• strong communication skills for conveying the operational risk management
strategy, identified risks, and mitigation plans to higher-level managers and
key stakeholders so as to obtain their commitment
Risk Management 739
RISK
RISK:GG2.GP6 MANAGE WORK PRODUCT CONFIGURATIONS
Place designated work products of the risk management process under appropriate levels
of control.
Elaboration:
RISK:GG2.GP7 IDENTIFY AND INVOLVE RELEVANT STAKEHOLDERS
Identify and involve the relevant stakeholders of the risk management process as planned.
Elaboration:
Several RISK-specific practices address the involvement of stakeholders in the
risk management process. For example, RISK:SG1.SP2 addresses the commu-
nication of the operational risk management strategy to relevant stakeholders.
RISK:SG3.SP1 calls for identifying relevant stakeholders associated with each
documented risk.
Subpractices
1. Identify process stakeholders and their appropriate involvement.
Elaboration:
These are examples of stakeholders of the risk management process:
• organizational unit managers, line of business managers, project managers, and
business process owners
• owners of identified assets and services (for which plans to manage risks must be
developed)
• custodians of identified assets and services (who may need to execute or
participate in plans)
These are examples of risk management work products placed under control:
• operational risk source list, risk categories list, and taxonomy
• operational risk management plan and strategy
• operational risk parameters and measurement criteria
• list of operational risks by asset category and service with prioritization, risk
disposition, mitigations, and current status
• risk statements with impact valuation
• risk mitigation plans
• process plan
• policies and procedures
• contracts with external entities
740 PART THREE CERT-RMM PROCESS AREAS
2. Communicate the list of stakeholders to planners and those responsible for
process performance.
3. Involve relevant stakeholders in the process as planned.
RISK:GG2.GP8 MONITOR AND CONTROL THE PROCESS
Monitor and control the risk management process against the plan for performing
the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization,
and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing
process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process
information to managers, identifying issues, and determining appropriate corrective actions.
Stakeholders are involved in various tasks in the risk management process, such as
• planning for the process
• making decisions about the process
• making commitments to process plans and activities
• communicating process plans and activities
• coordinating process activities
• developing process parameters
• identifying risk
• analyzing risk (particularly where technical expertise is required), including
assessing the adequacy of the internal control system
• developing and implementing risk mitigation plans
• reviewing and appraising the effectiveness of process activities
• establishing requirements for the process
• resolving issues in the process
• staff involved in identifying, analyzing, mitigating, and controlling risks to assets
and services (such as information technology, human resources, legal, and
compliance staff)
• staff involved in reviewing and adjusting strategies to protect and sustain assets
and services
• the owner of any resilience management process who has referred risks to the
process
• risk owners
• risk mitigation plan owners
Risk Management 741
RISK
Subpractices
1. Measure actual performance against the plan for performing the process.
2. Review accomplishments and results of the process against the plan for performing
the process.
Elaboration:
742 PART THREE CERT-RMM PROCESS AREAS
These are examples of metrics for the risk management process:
• percentage of identified assets and services for which some form of risk assessment
has been performed and documented as required by policy
• percentage of identified assets and services for which the impact or cost of
compromise (refer to RISK:SG2.SP2) has been quantified
• percentage of identified risks that do not have a defined risk disposition
• percentage of identified risks that have a defined mitigation plan against which
status is reported in accordance with policy
• percentage of identified risks that have not been tracked to closure
• change in volume of risks that have been identified over a selected period
• percentage of previously identified risks that have converted to a risk disposition
of “mitigate”
• percentage of identified assets for which a mitigation plan has been implemented
to mitigate risks as necessary and to maintain these risks within acceptable risk
parameters and risk measurement criteria
• percentage of identified services for which a mitigation plan has been implemented
to mitigate risks as necessary and to maintain these risks within acceptable risk
parameters and risk measurement criteria
• percentage of security incidents that caused damage, compromise, or loss to
identified assets or services beyond established risk parameters and risk
measurement criteria
• percentage of realized risks that have exceeded established risk thresholds
• percentage of identified or realized risks that have been characterized as “high”
impact according to the organization’s risk evaluation criteria
• level of adherence to process policies; number of policy violations; number of
policy exceptions requested and number approved
• number of process activities that are on track per plan
• rate of change of resource needs to support the process
• rate of change of costs to support the process
3. Review activities, status, and results of the process with the immediate level of
managers responsible for the process and identify issues.
Elaboration:
Reviews of the risk management process may result from periodic examination
or post-event audits that seek to identify problems that must be corrected.
Elevating the results of these examinations to managers provides an opportunity
to correct risk management process deficiencies and to make managers aware of
variations in the risk management process that not only have localized impact
but may also affect the organization’s resilience as a whole.
4. Identify and evaluate the effects of significant deviations from the plan for
performing the process.
Elaboration:
Deviations from the risk management plan may occur because operational risks
for assets and services vary widely, and thus the mitigation of these risks may
require process deviations. The organization must determine if the deviations are
appropriate given the risk parameters and whether the deviation will result in an
impact on operational resilience.
In addition, deviations from the risk management plan may occur when organi-
zational units fail to follow the enterprise-sponsored process. These deviations
may affect the operational resilience of the organizational unit’s services but may
also have a cascading effect on enterprise operational resilience objectives.
5. Identify problems in the plan for performing the process and in the execution of
the process.
6. Take corrective action when requirements and objectives are not being satisfied,
when issues are identified, or when progress differs significantly from the plan
for performing the process.
7. Track cor re ctive ac tion to closure.
RISK:GG2.GP9 OBJECTIVELY EVALUATE ADHERENCE
Objectively evaluate adherence of the risk management process against its process description,
standards, and procedures, and address non-compliance.
Periodic reviews of the risk management process are needed to ensure that
• actions requiring management involvement are elevated in a timely manner
• the performance of process activities is being monitored and regularly reported
• key measures are within acceptable ranges as demonstrated in governance
dashboards or scorecards and financial reports
• administrative, technical, and physical controls are operating as intended to
protect assets and services from risk
• actions requiring management involvement are elevated in a timely manner
• actions resulting from internal and external audits are being closed in a timely
manner
• work products accurately reflect what is essential for managing operational risk to
ensure mission success, or are corrected or modified if necessary
Risk Management 743
RISK
Elaboration:
RISK:GG2.GP10 REVIEW STATUS WITH HIGHER-LEVEL MANAGERS
Review the activities, status, and results of the risk management process with higher-level
managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship
and oversight to the operational resilience management system.
RISK:GG3 INSTITUTIONALIZE AS A DEFINED PROCESS
Risk management is institutionalized as a defined process.
These are examples of work products to be reviewed:
• process plan and policies
• risk management plans and risk mitigation plans
• operational risk sources, risk categories, and risk taxonomy
• operational risk management strategy
• risk parameters, impact areas, and measurement criteria
• operational risks by asset category and service
• risk statements
• risk dispositions and priorities
• risk owners (those responsible for each risk with the authority to act)
• list of controls necessary to mitigate risks
• process methods, techniques, and tools
• metrics for the process (Refer to RISK:GG2.GP9 subpractice 2.)
• contracts with external entities
These are examples of activities to be reviewed:
• risk planning, including establishing tolerances, thresholds, and other parameters
• risk assessment, including risk identification, analysis, and prioritization
• risk mitigation planning
• risk monitoring
• use of risk-based information for improving strategies for protecting and sustain-
ing assets and services
• assignment of responsibility, accountability, and authority for process activities
• determining the adequacy of process reports and reviews in informing decision
makers regarding the performance of operational resilience management activi-
ties and the need to take corrective action, if any
744 PART THREE CERT-RMM PROCESS AREAS
RISK:GG3.GP1 ESTABLISH A DEFINED PROCESS
Establish and maintain the description of a defined risk management process.
Establishing and tailoring process assets, including standard processes, are addressed in
the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets,
including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
1. Select from the organization’s set of standard processes those processes that cover
the risk management process and best meet the needs of the organizational unit
or line of business.
2. Establish the defined process by tailoring the selected processes according to the
organization’s tailoring guidelines.
3. Ensure that the organization’s process objectives are appropriately addressed in
the defined process, and ensure that process governance extends to the tailored
processes.
4. Document the defined process and the records of the tailoring.
5. Revise the description of the defined process as necessary.
RISK:GG3.GP2 COLLECT IMPROVEMENT INFORMATION
Collect risk management work products, measures, measurement results, and improvement
information derived from planning and performing the process to support future use and
improvement of the organization’s processes and process assets.
Elaboration:
These are examples of improvement work products and information:
• metrics and measurements of the viability of the process (Refer to RISK:GG2.GP8
subpractice 2.)
• changes and trends in operating conditions that affect risk sources and categories
• changes in risk conditions and the risk environment that affect risk parameters,
measurement criteria, or risk dispositions
• lessons learned in post-event review of continuity exercises, incidents, and disrup-
tions in continuity, particularly those that result in losses or compromises that
exceed risk parameters and measurement criteria
• process lessons learned that can be applied to improve operational resilience
management performance and internal controls
• issues with the risk identification, analysis, prioritization, overall assessment,
mitigation, and monitoring processes
• lessons learned from both successfully and unsuccessfully mitigating identified risks
• risk mitigation plan costs and benefits for future return on investment analysis
• resilience requirements that are not being satisfied or are being exceeded
Risk Management 745
RISK
Establishing the measurement repository and process asset library is addressed in the
Organizational Process Definition process area. Updating the measurement repository and
process asset library as part of process improvement and deployment is addressed in the
Organizational Process Focus process area.
Subpractices
1. Store process and work product measures in the organization’s measurement
repository.
2. Submit documentation for inclusion in the organization’s process asset library.
3. Document lessons learned from the process for inclusion in the organization’s
process asset library.
4. Propose improvements to the organizational process assets.
746 PART THREE CERT-RMM PROCESS AREAS