Richard A. Caralli
Software Engineering Institute
Richard Caralli is an SEI alumni employee.
Richard Caralli is the Technical Director of the Cyber Enterprise and Workforce Management Directorate in the CERT® Program at Carnegie Mellon University's Software Engineering Institute. He is responsible for managing a research portfolio focused on improving the security and resilience of organizational assets, including people, information, technology, facilities, and infrastructures. Previously, Caralli was the lead architect of the CERT® Resilience Management Model, a process improvement-focused maturity model for managing operational resilience. Caralli has spent over 10 years developing and delivering various information security risk assessment, analysis, and management technologies for customers in the federal government and the private sector. Caralli is an adjunct instructor in CMU's Heinz College CIO Institute and the Information Networking Institute, lecturing in information security risk management and the economics of information security. Prior to joining CERT in 2001, Caralli was the manager for IT Audit at Consolidated Natural Gas (now Dominion Resources) and the project manager of CNG's global Y2K project.
Publications by Richard A. Caralli
CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
July 08, 2016 • Book
Richard A. Caralli, Julia H. Allen, David W. White
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale
November 07, 2013 • Technical Note
Matthew J. Butkovic, Richard A. Caralli
In this report, the authors review the specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed.

Why Use Maturity Models to Improve Cybersecurity: Key Concepts, Principles, and Definitions
August 27, 2013 • Podcast
Richard A. Caralli, Julia H. Allen
In this podcast, Rich Caralli explains how maturity models provide measurable value in improving an organization's cybersecurity capabilities.

Maturity Models 101: A Primer for Applying Maturity Models to Smart Grid Security, Resilience, and Interoperability
November 01, 2012 • White Paper
Richard A. Caralli, Mark Knight (CGI Group), Austin Montgomery
In this paper, the authors explain the history and evolution of and applications for maturity models.

How Resilient Is My Organization?
December 09, 2010 • Podcast
Richard A. Caralli, David W. White, Julia H. Allen
In this podcast, Richard Caralli explains how CERT-RMM can ensure that critical assets and services perform as expected in the face of stress and disruption.

CERT Resilience Management Model, Version 1.0
May 01, 2010 • Technical Report
Richard A. Caralli, Julia H. Allen, Pamela D. Curtis
In this report, the authors present CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments.

Adapting to Changing Risk Environments: Operational Resilience
May 01, 2007 • Podcast
Richard A. Caralli, Stephanie Losi
In this podcast, participants discuss how business leaders need to keep their critical processes and services up and running in the face of the unexpected.

Introducing the CERT® Resiliency Engineering Framework: Improving the Security and Sustainability Processes
May 01, 2007 • Technical Report
Richard A. Caralli, James F. Stevens, Charles M. Wallen (Financial Services Technology Consortium)
In this 2007 report, the authors explore the transformation of security and business continuity into processes to support and sustain operational resiliency.

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process
May 01, 2007 • Technical Report
Richard A. Caralli, James F. Stevens, Lisa R. Young
In this 2007 report, the authors highlight the design considerations and requirements for OCTAVE Allegro based on field experience.

Focus on Resiliency: A Process Improvement Approach to Security
November 06, 2006 • Presentation
Richard A. Caralli, Lisa R. Young
In this CSI 33rd Annual Security Conference presentation, Rich Caralli and Lisa Young discuss resiliency and a process improvement approach to security.

Operational Resiliency Management: An Introduction to the Resiliency Engineering Framework
September 20, 2006 • Presentation
Richard A. Caralli, Charles M. Wallen (Financial Services Technology Consortium)
In this presentation, Ron McLeod discusses a partnership with TARA to analyze the outbound and inbound traffic in networks of convenience.

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management
June 01, 2006 • Presentation
Richard A. Caralli
In this presentation, Richard Caralli describes a process improvement approach to security management for sustaining operational resiliency.

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management
April 01, 2006 • Technical Note
Richard A. Caralli
In this 2006 report, Richard Caralli describes the fundamental elements and benefits of a process approach to security and operational resiliency.

Focus on Resiliency: A Process-Oriented Approach to Security
November 14, 2005 • Presentation
Richard A. Caralli, James F. Stevens
In this presentation, the authors describe a process-oriented approach to security.

Information Asset Profiling
June 01, 2005 • Technical Note
James F. Stevens, Richard A. Caralli, Bradford J. Willke
In this 2005 report, the authors describe IAP, a documented and repeatable process for developing consistent asset profiles.

Managing for Enterprise Security
December 01, 2004 • Technical Note
Richard A. Caralli, Julia H. Allen, James F. Stevens
In this 2004 report, the authors itemize characteristics of common approaches to security that limit effectiveness and success.

The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management
July 01, 2004 • Technical Report
Richard A. Caralli, James F. Stevens, Bradford J. Willke
In this report, the authors describe the critical success factor method and present theories and experience in applying it to enterprise security management.

Building a Practical Framework for Enterprise-Wide Security Management
April 28, 2004 • Presentation
Julia H. Allen, Kevin Behr (IP Services and ITPI), Richard A. Caralli
In this presentation, the authors describe a practical framework for enterprise-wide security management as developed by the CERT Division.

Maturing Your Approach to "Security Management"
January 01, 2004 • Presentation
Richard A. Caralli, William R. Wilson
In this presentation, the authors describe the challenges in assuring security, roadblocks that security approaches face, and how to solve these problems.

Applying Critical Success Factors to Information Security Planning
January 01, 2004 • Presentation
Richard A. Caralli, William R. Wilson
In this presentation, the authors discuss critical success factors and their use in security management, and provide development and analysis examples.

The Challenges of Security Management
January 01, 2004 • Presentation
Richard A. Caralli
This paper explores some of the challenges that organizations must overcome to be successful in this environment and introduces ways in which a change in perspective might be the impetus for an emerging mission-driven approach to security.