Measuring Operational Resilience Using the CERT® Resilience Management Model
September 2010 • Technical Note
In this 2010 report, the authors begin a dialogue and establish a foundation for measuring and analyzing operational resilience.
Software Engineering Institute
CMU/SEI Report Number
Measurement involves transforming management decisions, such as strategic direction and policy, into action, and measuring the performance of that action. As organizations strive to improve their ability to effectively manage operational resilience, it is essential that they have an approach for determining what measures best inform the extent to which they are meeting their performance objectives. Operational resilience comprises the disciplines of security, business continuity, and aspects of IT operations.
The reference model used as the foundation for this research project is the CERT Resilience Management Model v1.0. This model provides a process-based framework of goals and practices at four increasing levels of capability and defines twenty six process areas, each of which includes a set of candidate measures. Meaningful measurement occurs in a context so this approach is further defined by exploring and deriving example measures within the context of selected ecosystems, which are collections of process areas that are required to meet a specific objective. Example measures are defined using a measurement template. This report is the first in a series and is intended to start a dialogue on this important topic.