Using CERT-RMM in a Software and System Assurance Context
© 2011 Carnegie Mellon University
Julia Allen
SEPG NA 2011
24 March 2011
Agenda
• What is the CERT Resilience Management Model (CERT-RMM)?
• Model Building Blocks
• CERT-RMM for Assurance
What is CERT-RMM?
The CERT® Resilience Management Model is a maturity model for managing and improving operational resilience.
• Process improvement for operational resilience
• Converges key operational risk management activities: security, BC/DR, and IT operations
• Operations phase focus
• CMMI architecture
• Continuous representation
• 26 process areas
• Defines maturity through capability levels
CERT-RMM Building Blocks
Foundational concepts of the model
Operational resilience
Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]
Operational resilience: An emergent property
Operational resilience and operational risk
Operational resilience emerges from effective operational risk management.
Operational risk categories:
• Actions of people
• Systems and technology failures
• Failed internal processes
• External events
CERT-RMM foundational elements
Services in CERT-RMM
The resilience of high-value services ensures the resilience of the mission.
Service resilience is a factor of asset resilience: if an asset is disrupted or fails, the service may suffer.
Service resilience is the object of CERT-RMM processes.
![Page 9: Using CERT-RMM in a Software and System Assurance Context](https://reader034.vdocuments.site/reader034/viewer/2022051403/627c5c1f7d9cd3749b106329/html5/thumbnails/9.jpg)
Assets
CERT-RMM focuses on four types:
Assets supporting the mission
Operational resilience starts at the asset level
Protect assets from threats
Make them sustainable under adverse conditions
Optimal mix depends on the value of the asset and the cost of deploying and maintaining the strategy
Organizational context for resilience activities
CERT-RMM for Assurance
Focusing CERT-RMM on early life-cycle activities for building resilience in
CERT-RMM focus in the life cycle
For comparison: CERT-RMM and CMMI
RTSE – Resilient Technical Solution Engineering
Ensure that software and systems are developed to satisfy their resilience requirements
RTSE specific goals
Goal – Goal Title
RTSE:SG1 – Establish guidelines for resilient technical solution development
RTSE:SG2 – Develop resilient technical solution development plans
RTSE:SG3 – Execute the plan
RTSE: Building in versus bolting on
Requires organizational intervention
Extends resilience requirements to assets that are to be developed
Creates requirements for quality attributes
Attempts to reduce the level of operational risk
Extends across the life cycle
RTSE: Design and test for resilience
• Perform resilience controls during planning and all life cycle phases
• Specify and maintain resilience requirements
• Design resilience-specific architectures
• Adopt secure coding practices
• Minimize weaknesses and vulnerabilities (defects)
• Design test criteria to attest to asset resilience
• Test for resilience during assembly and integration
• Design and exercise service continuity plans during the development process
RTSE influences
BSIMM2 – bsimm.com
Open Web Application Security Project (OWASP) Software Assurance Maturity Model – www.owasp.org
Microsoft Security Development Life Cycle – www.microsoft.com/security/sdl/
DHS Process Reference Model for Assurance Mapping to CMMI-DEV V1.2 – https://buildsecurityin.us-cert.gov/swa/procresrc.html
CERT-RMM for software assurance
CERT-RMM assurance view
Engineering
ADM Asset Definition and Management
CTRL Controls Management
RRD Resilience Requirements Development
RRM Resilience Requirements Management
RTSE Resilient Technical Solution Engineering
SC Service Continuity
Operations Management
AM Access Management
EC Environmental Control
EXD External Dependencies Management
ID Identity Management
IMC Incident Management & Control
KIM Knowledge & Information Management
PM People Management
TM Technology Management
VAR Vulnerability Analysis & Resolution
Enterprise Management
COMM Communications
COMP Compliance
EF Enterprise Focus
FRM Financial Resource Management
HRM Human Resource Management
OTA Organizational Training & Awareness
RISK Risk Management
Process Management
MA Measurement and Analysis
MON Monitoring
OPD Organizational Process Definition
OPF Organizational Process Focus
Framing process to practice
The “what” – Process Level: CERT-RMM, Assurance for CMMI
Moving from “what” to “how” – Practice Level: BSIMM2, OpenSAMM, Microsoft SDL
Example – Training and Awareness
Process Level
CERT-RMM Goal: Establish and maintain the strategic assurance training needs of the organization.
Process areas: OTA, RTSE, HRM
CERT-RMM Subpractices: Training guidelines on basic concepts, common baseline, training topics . . .
Capability levels inform practice maturity
Practice Level: BSIMM2, OpenSAMM, Microsoft SDL
• Training related practices for creating the software security satellite, role-based training on demand . . .
• Practices for technical security awareness training . . .
CERT-RMM links to codes of practice
The “what”: Process Area, Specific Goals
Moving from “what” to “how”: Specific Practices
From “model how” to “tactical how”: Subpractices
Codes of Practice:
BS25999-1: 2011
CMMI v1.2
CMMI for Services
CobiT 4.1
COSO ERM
DRII GAP
FFIEC BCP Handbook
ISO 20000-2:2005
ISO 24762:2008
ISO 27002:2005
NFPA 1600 (2007)
PCI DSS v1.1 (2006)
Resources
Book
Includes full model (v1.1) plus adoption guidance and perspectives of real-world use of the model
www.amazon.com/CERT-Resilience-Management-Model-RMM/dp/0321712439
Training
Introduction to the CERT Resilience Management Model (3-day course)
• Public courses (Pittsburgh and DC)
• Private onsite courses
Appraiser and instructor training in development
Website
www.cert.org/resilience
Support
Engage CERT-RMM team to lead appraisals, provide implementation coaching, pilot CERT-RMM Compass, or deliver custom training
CERT-RMM User Group Annual Series
• Quarterly 2-day workshops
• Focus on CERT-RMM implementation
• CERT-RMM Coach Certification option
CERT-RMM contacts
Rich Caralli – RMM Architect and Lead – [email protected]
David White – RMM Transition Lead and Developer – [email protected]
Lisa Young – RMM Appraisal Lead and [email protected]
Julia Allen – RMM Developer/Measurement Team [email protected]
Richard Lynch – Public Relations, All Media – [email protected]
SEI Customer [email protected]
Joe McLeod – For info on working with [email protected]
http://www.cert.org/resilience/
NO WARRANTY
THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.
CERT ® is a registered mark owned by Carnegie Mellon University.