Lisa R. Young
Software Engineering Institute
Lisa Young is an SEI alumni employee.
Lisa Young, Senior Member of the Technical Staff at the Software Engineering Institute at Carnegie Mellon University, has 20+ years of experience in the information technology and telecommunications industry. She holds the designations of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP), and is experienced in IT governance, information audit and security, and risk management. Ms. Young teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) risk-based security assessment methodology at the Software Engineering Institute. Her current line of research provides guidelines for improving the way organizations manage the processes of security, IT Operations, business continuity, compliance, and audit to support the organization's mission and critical success factors.
Publications by Lisa R. Young
-
Becoming a CISO: Formal and Informal Requirements
October 19, 2016 • Podcast
Darrell Keeling (Parkview Health), Lisa R. Young
In this podcast, Darrell Keeling, Vice President of Information Security and HIPAA Security Officer at Parkview Health, discusses the knowledge, skills, and abilities needed to become a CISO in today's fast-paced cybersecurity field.
-
SEI Cyber Minute: CERT Resilience Management Model (RMM)
August 17, 2016 • Video
Lisa R. Young
Lisa Young discusses "CERT Resilience Management Model (RMM)."
-
Global Value Chain – An Expanded View of the ICT Supply Chain
July 18, 2016 • Podcast
Edna M. Conway (Cisco Systems, Inc.), John Haller, Lisa R. Young
In this podcast, Edna Conway and John Haller discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including risks to the supply chain.
-
SEI Cyber Minute: Managing Operational Risk
July 06, 2016 • Video
Lisa R. Young
Lisa Young discusses "Managing Operational Risk."
-
Intelligence Preparation for Operational Resilience
June 21, 2016 • Podcast
Douglas Gray, Lisa R. Young
In this podcast, Douglas Gray, a member of the CERT Cyber Risk Management team, discusses how to operationalize intelligence products to build operational resilience of organizational assets and services using IPOR.
-
Measuring What Matters
February 18, 2016 • Presentation
Lisa R. Young
In this presentation, Lisa Young discusses how to measure the things that matter to your business.
-
Build Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations
February 03, 2016 • Podcast
Gary McGraw, Lisa R. Young
In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.
-
Structuring the Chief Information Security Officer Organization
December 23, 2015 • Podcast
Nader Mehravari, Julia H. Allen, Lisa R. Young
In this podcast, Nader Mehravari and Julia Allen, members of the CERT Cyber Risk Management team, discuss an effective approach for defining a CISO team structure and functions for large, diverse organizations.
-
How Cyber Insurance Is Driving Risk and Technology Management
November 09, 2015 • Podcast
Chip Block, Lisa R. Young
In this podcast, Chip Block, Vice President at Evolver, discusses the growth of the cyber insurance industry and how it is beginning to drive the way that organizations manage risk and invest in technologies.
-
How the University of Pittsburgh Is Using the NIST Cybersecurity Framework
October 01, 2015 • Podcast
Sean Sweeney (University of Pittsburgh), Lisa R. Young
In this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (PITT), discusses their use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework).
-
Defining a Maturity Scale for Governing Operational Resilience
March 19, 2015 • Technical Note
Katie C. Stewart, Julia H. Allen, Audrey J. Dorofee
Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.
-
A Workshop on Measuring What Matters
February 20, 2015 • Podcast
Lisa R. Young, Michelle A. Valdez, Katie C. Stewart
This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences planning and executing the workshop, and identifying improvements for future offerings.
-
Measuring What Matters Workshop Report
February 09, 2015 • Technical Note
Katie C. Stewart, Julia H. Allen, Michelle A. Valdez
This report describes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences in planning and executing the workshop and identifying improvements for future offerings.
-
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 2
June 11, 2014 • Technical Note
Kevin G. Partridge, Mary Popeck, Lisa R. Young
This update to Version 1 of this same title (CMU/SEI-2011-TN-028) maps CERT-RMM process areas to certain NIST 800-series special publications.
-
A Taxonomy of Operational Cyber Security Risks Version 2
May 21, 2014 • Technical Note
James J. Cebula, Mary Popeck, Lisa R. Young
This second version of the 2010 report presents a taxonomy of operational cyber security risks and harmonizes it with other risk and security activities.
-
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication 800-66 Crosswalk
October 28, 2013 • Technical Note
Lisa R. Young, Ma-Nyahn Kromah (SunGard Availability Services)
In this report, the authors map CERT-RMM process areas to key activities in NIST Special Publication 800-66 Revision 1.
-
Insights from the First CERT Resilience Management Model Users Group
July 17, 2012 • Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young explains that implementing CERT-RMM requires well-defined improvement objectives, sponsorship, and more.
-
Report from the First CERT-RMM Users Group Workshop Series
April 01, 2012 • Technical Note
Julia H. Allen, Lisa R. Young
In this report, the authors describe the first CERT RMM Users Group (RUG) Workshop Series and the experiences of participating members and CERT staff.
-
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 1
November 01, 2011 • Technical Note
Kevin G. Partridge, Lisa R. Young
In this report, the authors map CERT-RMM process areas to selected NIST special publications in the 800 series.
-
CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1
October 01, 2011 • Technical Note
Kevin G. Partridge, Lisa R. Young
In this report, the authors explain how CERT-RMM process areas, industry standards, and codes of practice are used by organizations in an operational setting.
-
A Taxonomy of Operational Cyber Security Risks
December 01, 2010 • Technical Note
James J. Cebula, Lisa R. Young
In this report, the authors present a taxonomy of operational cyber security risks and its harmonization with other risk and security activities.
-
CERT Resilience Management Model, Version 1.0
May 01, 2010 • Technical Report
Richard A. Caralli, Julia H. Allen, Pamela D. Curtis
In this report, the authors present CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments.
-
Security Risk Assessment Using OCTAVE Allegro
September 16, 2008 • Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young describes OCTAVE Allegro, a streamlined assessment method that focuses on risks to information used by critical business services.
-
Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity
October 15, 2007 • Podcast
Lisa R. Young, Julia H. Allen
In this podcast, Lisa Young suggests that by taking a holistic view of business resilience, business leaders can help their organizations stand up to threats.
-
Introducing the CERT® Resiliency Engineering Framework: Improving the Security and Sustainability Processes
May 01, 2007 • Technical Report
Richard A. Caralli, James F. Stevens, Charles M. Wallen (Financial Services Technology Consortium)
In this 2007 report, the authors explore the transformation of security and business continuity into processes to support and sustain operational resiliency.
-
Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process
May 01, 2007 • Technical Report
Richard A. Caralli, James F. Stevens, Lisa R. Young
In this 2007 report, the authors highlight the design considerations and requirements for OCTAVE Allegro based on field experience.
-
Focus on Resiliency: A Process Improvement Approach to Security
November 06, 2006 • Presentation
Richard A. Caralli, Lisa R. Young
In this CSI 33rd Annual Security Conference presentation, Rich Caralli and Lisa Young discuss resiliency and a process improvement approach to security.
-
Applying OCTAVE: Practitioners Report
May 01, 2006 • Technical Note
Carol Woody, Johnathan Coleman (No Affiliation), Michael Fancher (No Affiliation)
In this report, the authors describe how OCTAVE has been used and tailored to fit a wide range of organizational risk assessment needs.