Using Defined Processes as a Context for Resilience Measures
The CERT® Resilient Enterprise Management (REM) team is researching operational resilience and the organizational processes that support it. This technical note, which builds on two previous reports, describes how implementation-level processes can provide the necessary context for identifying and defining measures of operational resilience. The team's first report, Measuring Operational Resilience Using the CERT® Resilience Management Model (CMU/SEI-2010-TN-030), defined high-level objectives for an operational resilience management system, demonstrated how to derive meaningful measures from those objectives, and presented a template for defining resilience measures. The team's second report, Measures for Managing Operational Resilience (CMU/SEI-2011-TR-019), suggested strategic measures for managing operational resilience and provided candidate measures for the 26 process areas of the CERT® Resilience Management Model, Version 1.1 (CERT®-RMM). While CERT-RMM defines the commonly used or best practices for operational resilience (what an organization should do), organization-specific processes must be defined at the implementation level to describe how to perform those practices. Organizations can then identify and define measures within the context of their specific processes and procedures. Organizations can use the measures to evaluate process performance and operational resilience and identify opportunities for improvement. This technical note provides examples and templates for defining processes and procedures and for defining related assets and measures.