2. CERT®-RMM : A Curtain Raiser
For
HYDSPIN, Hyderabad, India
25th August 2011
By
P M Shareef
Certified Lead Appraiser & Lead Auditor
www.promindsglobal.com
3. Notice and Disclaimer
NO WARRANTY
THIS MATERIAL OF PROMINDS CONSULTING IS FURNISHED ON AN "AS-IS" BASIS FROM THE REFERENCE
MATERIALS AS STATED IN THE LAST WITHOUT ANY ALTERATIONS. PROMINDS CONSULTING MAKES NO
WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT
LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS
OBTAINED FROM USE OF THE MATERIAL. PROMINDS CONSULTING DOES NOT MAKE ANY WARRANTY OF
ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the
trademark holder.
DISCLAIMER
This message and any attachments are solely intended for the addressee(s). It may also be ProMinds’
confidential, privileged and / or subject to copyright. Access to this presentation by anyone else is
unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action
taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you have received this
in error, please notify the sender immediately by return and delete it from your computer. While all care
has been taken, ProMinds' management disclaims all liabilities for loss or damages to person(s) or
properties arising from misuse of any information provided or the message being infected by computer
virus or other contamination.
4. Takeaways
• What is Resilience Management?
• Why Resilience Management?
• Preamble to CERT® Resilience Management Model
• Features and Benefits of the CERT® - RMM
• CERT-RMM Appraisals
• Roles You Could Play
• Summary
5. What is Resilience?
Resilience is a function of an organisation’s:
situation awareness,
management of keystone vulnerabilities and
adaptive capacity
in a complex, dynamic and interconnected environment.
It mostly concerns the operational part of the business,
where the challenges are many, in contrast to many of the
current standards and practices, which focus on the
strategic part of the business.
6. Defining “RESILIENCE”
• A Resilient Organisation is one that is:
– able to achieve its business objectives and
– realise opportunities, even in the face of adversity.
• Resilience Management is the ability of an
Organisation to survive an unscheduled disruption
or major crisis through its ability to adapt, using
proven and integrated Risk Management, Crisis
Management and Business Continuity
Management processes with a single line of sight.
7. Resilience Management Framework
Increasing situational awareness will provide
greater understanding of vulnerabilities that can
critically undermine performance.
[Diagram labels: Emergency Management; Business Continuity Management; Risk Management; Planning; Testing; Adaptive Capability]
Testing of plans and people response is essential to ensure realism.
Decision makers learn about underlying value
systems and key individuals, relying on the culture.
8. Resilience Indicators
• Situation Awareness: aware of the total operating system, including threats, opportunities, connectivity and internal and external stakeholders.
– Roles & Responsibilities
– Understanding Hazards & Consequences
– Connectivity Awareness
– Insurance Awareness
– Recovery Priorities
• Manage Key Threats: those components of an organization that have the potential to cause the greatest negative impact.
– Planning Strategies
– Participation in Exercises
– Capability & Capacity of Internal Resources
– Capability & Capacity of External Resources
– Organizational Connectivity
• Adaptive Capacity: the culture of the organization allowing it to make decisions in a timely and appropriate manner in a crisis.
– Silo Mentality
– Communications and Relationships
– Strategic Vision and Outcome Expectancy
– Information & Knowledge
– Leadership, Management & Governance Structures
9. Why Resilience Management (RM)?
• It brings together all the planning that an organisation may have
done under one umbrella;
• Increases its situation awareness;
• Gives a greater understanding of the vulnerabilities that can
critically undermine its performance;
• Improves its adaptive capacity as decision makers;
• Helps you learn more about the underlying value systems of the
organisation and of key individuals in the organisation;
• Highlights the expectations that decision makers have of their
enterprise and key stakeholders;
• Offers a way to test existing plans and create new ones.
Risk Management, Business Continuity and Emergency Management
are commonly viewed as closely related, but a practical means of
linking them is often not achieved.
10. Towards Resilience – Emerging Risks
[Diagram: emerging risks shown around RESILIENCE]
• GEN Y
• NEW STANDARDS & COMPLIANCE
• CARBON CONSTRAINED WORLD
• GREEN IT
• SUSTAINABILITY
• SYSTEMATIC CYCLICAL RISK
• CULTURE & ETHICS
• CHANGING WORKFORCE
• AVAILABILITY OF CREDIT/LIQUIDITY
14. CERT® - RMM in the Life Cycle
Operational resilience management focuses on the deploy,
operate, and decommission phases, but reaches back to
the development phase of the life cycle to ensure that
security and continuity issues are considered before assets
are placed in production.
16. Features of CERT® - RMM
CERT-RMM brings several innovative and advantageous
concepts to the management of operational resilience.
• The convergence advantage:
Merging the disciplines of security, BC/DR, and IT operations
into a single model
• The process advantage:
Elevating these disciplines to a process view, useful as an
integration and measurement framework
• The maturity advantage:
Provides a foundation for practical institutionalization of
practices, which is critical for retaining these practices in
times of stress
17. CERT® - RMM at a glance
18. CERT® - RMM by numbers
20. Benefits of CERT® - RMM
CERT-RMM can be used as a
• Starting point for leveraging convergence across security, business
continuity, and IT operations activities
• Reference model for understanding the scope of managing
operational resiliency
• Taxonomy to enable internal and external communication
• Organizing construct for codes of practice, standards, and
regulations and a framework for compliance
• Process improvement model to catalyze improvement efforts
• Baseline for appraising an organization’s capability
• Guide for improvement in areas where an organization’s capability
does not equal its desired state
31. CERT-RMM Professional Roles
• CERT-RMM Appraiser
• CERT-RMM Navigator
• CERT-RMM Coach
• CERT-RMM Appraisal Team Member
32. Summary
• Times have significantly changed and we are facing
increasing risks, uncertainty and unprecedented disasters
in people's lives and businesses
• It is now more about survival, which requires simpler, practical,
faster and tested solutions focused on resilience
• New challenges driving new ways of thinking
• An embedded top down / bottom up Resilience
Management Program and culture is about “doing
business better” in managing opportunities,
mitigating risks and becoming more resilient in
a rapidly changing operating environment
Statistically 1 in 5 organisations will suffer a major
incident every 5 years
33. References
1. Presentation on CERT® Resilience Management Model – A Maturity
Model Approach to Managing Operational Resilience by Rich Caralli
of CERT® RMM Team
2. Presentation on CERT® Resilience Management Model – Improving
and Sustaining Processes for Managing Operational Resiliency by
Rich Caralli of CERT® RMM Team
3. CERT® Resilience Management Model – A Maturity Model for
Managing Operational Resilience (CERT® RMM Ver 1.1) by Rich
Caralli, Julia H. Allen and David W. White of Addison Wesley
Publications
4. Presentation on “Towards Resilience Management” by David Martin
ProMinds® do hereby acknowledge the copyright and trademarks of the
above referenced materials and assure that, no modifications / alterations
are made on their
35. ProMinds Overview
Who We Are
• Founded in June 2005
• HQ in Hyderabad, India
• Served 250+ Clients
• Across 15+ Industries
• In Over 10 Countries
• 250+ Man-years of Experience
• 25+ Professionals
What Are We
• Empanelled with CERT-In, Ministry of ICT, as an Info. Security Auditing Org.
• Worldwide partner SEI-CMU, for CMMI® & People CMM
• An ISO 27001:2005 certified
• An ISO 9001:2008 certified
• A member of NASSCOM
• A member of DSCI
36. What Do We Do
• IT Governance, Risk and Compliance
• Capability & Maturity
• Technology, Performance & Transformation
• Industrial Advisory
37. Whom We Serve
Industries and Sectors
• Software & IT Services
• Banking & Financial Services
• Telecom
• Governments & Public Sector
• Defense
• Pharmaceuticals
• Business Process Outsourcing
• Healthcare & Insurance
• Manufacturing
• Mining & Metals
• Oil & Gas
• Energy
For more details, visit us at www.promindsglobal.com or
39. Contact Us
We would be happy to provide any further information
that you may require to assist in your corporate
transformation initiatives
Please contact us:
Corporate Office:
ProMinds® Consulting Pvt. Ltd.
402, ABK Olbee Plaza,
Road No. 1, Banjara Hills,
Hyderabad - 500034
India
Tel: +91-40-40207383, 23113996
Mob: +91-9866673663
info@promindsglobal.com
Regional Offices:
Bangalore | Chennai | Mumbai | New Delhi
US Office
ProMinds Global Inc
614 Broadmoor Dr., APT C,
Saint Louis,
Missouri 63017 USA
Phone: +1-314-4713604, +1-314-8495264
E-Mail: info@promindsglobal.com