Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Book Review: CERT Resilience Management Model (RMM) 44

brothke writes "If Gartner were to have created the CERT-RMM framework like what is detailed in the book CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience; it likely would be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain. Besides being inexpensive, it details an invaluable model that should be seriously considered by nearly every organization." Keep reading for the rest of Ben's review.
CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience
author Richard Caralli, Julia Allen, David White
pages 1056
publisher Addison-Wesley Professional
rating 10/10
reviewer Ben Rothke
ISBN 0321712439
summary Book details a superb method to tame the out of control world of IT operations
The CERT-RMM is a capability model for operational resilience management. Put more simply; it is a method to tame the out of control world of IT operations.

CERT notes that the model has two primary objectives: to establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model. And to apply a process improvement approach to operational resilience management through the definition and application of a capability level scale that expresses increasing levels of process improvement.

In plain English, the model creates a formal method in which to execute IT tasks. Given the reality that most IT tasks are executed in an ad-hoc manner, the CERT-RMM should be a welcome relief to most organizations.

The CERT-RMM is a relatively new framework, with version 1.0 being issued in May 2010. Version 1.1 was made available via this book in December 2010. CERT also has a really good CERT-RMM Overview presentation available.

CERT-RMM v1.1 comprises 26 process areas that cover four areas of operations resilience management: enterprise management, engineering, operations and process management.

In chapter 1, the authors astutely note that technology can be very effective in managing risk, but technology cannot always substitute for skilled peoples and resources, procedures and methods that define and connect tasks and activities, and processes to provide structure and stability towards the achievement of common objectives and goals.

The problem is that most companies will spend huge amounts of money on these myriad technologies and seemingly expect the install routine to magically integrate the numerous processes. CERT-RMM is a comprehensive solution to a broad set of problems.

But for those that are looking to CERT-RMM for a quick fix to a decades old problem, the authors also note in chapter 1 that CERT-RMM must be embedded within the culture and practices of an organization. The CERT-RMM practices will only make an organization more resilient to the degree to which they have been institutionalized via its processes.

At just over 1,000 pages, the book is a treasure-trove of invaluable information. While the amount of information may be overwhelming, it is manageable if used in a serious fashion. But just to reiterate, CERT-RMM should not be seen as a quick-fix solution.

The main textual part of the book covers 2 parts and 7 chapters which make up the first 120 pages. These 2 parts provide a comprehensive overview of the CERT-RMM and provides an overview of the various concepts used within the model. The authors do a superb job of showing how structure and processes need to be an integral part of enterprise operations, and note the challenges of not having such an approach.

Focusing on information security, the authors intelligently observe in chapter 2 that historically information was viewed as a technology problem and relegated to the IT department. The problem though with such an approach is that when an incident or disruption occurs, the response is generally localized and discrete; not orchestrated across all affected lines of business and organizational units. That problem is precisely what CERT-RMM comes to fix. If implemented effectively, the processes enable organizations to respond in a more formal manner, with integrated processes; resulting in operations that are quicker, cheaper, and ultimately, more resilient.

In chapter 4, the authors tell you what seems to be obvious: that the CERT-RMM in its entirety looks ominous. They note the reason is that operational resilience management encompasses many disciplines and practices. The challenge though is for the organization to be able to understand the relationships in the CERT-RMM model and connect them to their own organization. CERT-RMM is certainly not for the fainthearted. But for those that are serious about operational efficiency and resilience, CERT-RMM is certainly a godsend.

The reality is that not only does the CERT-RMM look ominous, it is. The reason is that CERT-RMM will most likely be used to retrofit an organization that has used decades of ad-hoc approaches to its IT processes. Trying to fix so much is indeed ominous. But even with that ominous cloud, it is something that must be done.

In chapter 5, the authors make an important point in that CERT-RMM is not a prescriptive model. This means that there is no guidance provided to adopt the model in any specific sequence or prescriptive path. Rather, process improvements are unique to each organization, to which the CERT-RMM provides the basic structure to enable enterprises to chart their own specific improvements paths uses the model as a guide.

Chapter 6 on Using CERT-RMM notes that the model has a strong enterprise undercurrent, due to the fact that effective operational resilience management requires capabilities that often have enterprise-wide significant. But the enterprise–wide nature of the model does not mean that it can't be adopted at more discrete levels.

Part 3 of the book is a complete listing of the 26 CERT-RMM process areas. Part 3 is where the heart of the CERT-RMM is. Each of the 26 sections has a complete set of descriptions of goals and practices and real-world examples.

Think of part 3 as The Checklist Manifesto: How to Get Things Right, but on steroids. In that book, author Atul Gawande uses the notion of a checklist as a quality-control device. He noticed that the high-pressure complexities in place today can overwhelm even the best-trained professional and that only a disciplined adherence to essential procedures can fix things. Gawande would likely be enamored by the CERT-RMM.

When the reader goes through the over 800 pages of part 3, they will see them as a set of standard operating procedures (SOP). Industries such as aviation, manufacturing and pharmaceuticals have SOP deeply embedded in their processes. The SOP in part 3 are far from rocket science. They are simply a comprehensive approach and attention to detail. Given that resilience is all about the details, part 3 can be used to take an organization to a mature state of resilience.

If nothing else, part 3 should give the reader an appreciation for the need for effective process around IT initiatives. The exacting level of detail described in part 3 displays a rigorous set of processes that if deployed, can ensure an all-embracing approach to systems management and control.

Often books with numerous authors lack a sense of style and symmetry. With 3 authors, the book suffers none of that and is completely integrated into a single unit with no disconnects. Each of the authors are CERT veterans that bring considerable experience which is pervasive throughout the book.

But as good as the CERT-RMM, we all know that it is likely to have minimal adoption. Most organizations are far too short-sighted to use a model that requires such discipline and long-term approach asCERT-RMM.

But for those organizations that are truly serious about resiliency, serious about security, serious about saving money and being more efficient, this book and the CERT-RMM is a model they will embrace warmly. This book is an important first step that can be the gateway to resiliency.

For all the others, they should at least use the CERT-RMM incident management and controlprocess area to deal with the many security incidents and breaches they will inevitably have to contend with.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience from Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


This discussion has been archived. No new comments can be posted.

Book Review: CERT Resilience Management Model (RMM)

Comments Filter:
  • by creat3d ( 1489345 )
    Yes, but is there a Packt equivalent available? This is important.
  • Bargain? (Score:4, Insightful)

    by Anonymous Coward on Wednesday June 01, 2011 @02:44PM (#36311014)

    it likely would be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain

    From an imaginary price down to $80 makes it a bargain?

    Okay, I've got this rock that's worth 50 quazitribillions according to my calculations, but you can buy it for only 5 millions! What a bargain!

    • by Anonymous Coward

      This review is another bullshit bingo sponsored by slashdot and brought to you by ben rothke

    • Or you can "preview" it here [] for free.

      Rrrrrrrr. it's the only letter I know.

    • It's value level is OVER 9000!!!
    • See if Ferrari had built this car, with it's 4 wheels, vent controls, and motor.. it would have sold for AT LEAST $100,000.00... But since Rover makes it, it's a DEAL at $15,000!!!

    • And is selling it new for $41.63 [] so this must make it the bargain of a life time.
  • Employment? (Score:2, Funny)

    by Anonymous Coward

    With the economy in the terrible state it is in, will this book help me get a RMM job?

  • by Anonymous Coward

    So it takes six chapters to describe the model's model, and then 800 pages to describe the model?

    I'll pass.

    Sounds like wonderful CYA material for IT managers who are terrified to actually do something original.

    • right, like anybody can do something original...

      as an IT manager, who works alongside a number of other IT managers...

      You do not want 'us' doing anything original, it would probably suck

      Give us a list of tried and true techniques tho', and we'll manage the hell out of it

  • by Revotron ( 1115029 ) on Wednesday June 01, 2011 @03:41PM (#36311658)
    But will it teach me to revolutionize outside the paradigm?

    I'd love to stay and chat but I've got to go read the latest Gartner models to optimize some processes and use my mind-mapping software to shift some variables into profit centers.
  • Whenever I see Gartner recommend something, I usually look for the opposite. Gartner is inclined to promote technology that looks good on Powerpoint which the PHB's will spend $$$ to read about in Gartner reports, and then the PHB's use Gartner to validate their own preferences for the vendor with the high price tag but slick and charming sales team. Meanwhile the people who actually work with tech prefer totally different products, vendors, tools, and processes.

    • by mvdwege ( 243851 )

      Like many things, it is important to separate the bullshit bingo from the reality. Gartner is no different.

      I work for a company where Sales believes very strongly in Gartner's magic quadrants. We sell a lot of stuff that is recommended by Gartner. Funnily enough, most of it actually delivers, even if it doesn't do so as smoothly as the marketing bullshit and Gartner promises.

      If we were to sell purely on the Gartner recommendations, we'd be out of business. The strenght of the products and services, and our

  • Okay, I wanted to like this. I've worked for dysfunctional companies, and would love to have a guide I could just hand to them to get things in order, and get security as an added benefit. But all I've read shows this is just doublespeak, corporate buzzword hell that doesn't do a thing.

    I'm looking for suggestions, and will offer my own up front. If you want a reasonably safe infrastructure, start with PCI-DSS. It's free, fairly short, generalized, and widely accepted (because you have to, to accept cred

  • I think my first experience with technical book over $50 was buying books from Microsoft press, trying to get and keep a handle on Windows programming. I noticed several things about this trend. First of all, we must be out of our minds to pay over $50 for a paperback book. Secondly, I don't want to buy any more books that are about a specific version of a software package. By the time the book is published and in my hands, Microsoft is already distributing the beta's for the next version of the software. T

The Force is what holds everything together. It has its dark side, and it has its light side. It's sort of like cosmic duct tape.