Post on 22-May-2020
SB22: Resiliency Finally Defined
Jerry Varney, Vice President
Vigilant Services Group
gtvarney@vsg1.cc
321-432-9787
Doug Weldon, President
Vigilant Services Group
dnweldon@vsg1.cc
407-492-9676
Presentation Outline
• Evolution to Resiliency
• Resiliency Finally Defined
• Resiliency Engineering
• Process Improvement
• Summary
Evolution to Resiliency
Reliability
Availability
Disaster Recovery
Business Continuity
Resiliency
Reliability:
The ability of a system or component to perform its required functions under stated conditions for a specified period of time.
[IEEE 90] Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEE Standard Computer Glossaries. New York, NY: 1990.
High Availability:
High Availability (HA for short) refers to the availability of resources in a computer system, in the wake of component failures in the system.
IEEE Technical Committee on Scalable Computing
http://www.ieeetscs.org/high-availability.html
Related to High Availability:
Continuous Availability: This implies non-stop service, with no lapse in service. This represents an ideal state, and is generally used to indicate a high level of availability in which only a very small quantity of downtime is allowed. High availability does not imply continuous availability.
Fault Tolerance: This is a means to achieve very high levels of availability. A fault tolerant system has the ability to continue service despite a hardware or a software failure, and is characterized by redundancy in hardware, including CPU, memory, and I/O subsystems. High availability does not imply fault tolerance.
Single Point of Failure (SPOF): A hardware or software component whose loss results in the loss of service; such components are not backed up by redundant components.
Failover: When a component in an HA system fails, resulting in a loss of service, the service is started by the HA system on another component in the system. This transfer of a service following a failure in the system is termed failover.
IEEE Technical Committee on Scalable Computing
http://www.ieeetcsc.org/high-availability.html
Disaster Recovery: The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.
http://www.drj.com/glossary/glossleft.htm
ITDR – An integral part of the organization’s BCM plan by which it intends to recover and restore its IT and Telecommunications capabilities after an e/i/c
http://thebci.org/Glossary.pdf
Business Continuity Management: (BCI) A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
http://thebci.org/Glossary.pdf
(+ DRJ) The management of recovery or continuity in the event of a disaster. Also the management of the overall program through training, rehearsals, and reviews, to ensure the plan stays current and up to date
http://www.drj.com/glossary/glossleft.htm
Resiliency (dictionary definition):
1. Said of a person: able to recover quickly from, or to deal readily with, illness, sudden, unexpected difficulties, hardship, etc.
2. Said of an object, a material, etc: able to return quickly to its original shape or position after being bent, twisted, stretched, etc; elastic.
http://www.allwords.com/word-Resiliency.html
Resilience (ICOR)
Resilience is the ability of an organization to rebound following a crisis or a disaster event. It is the ability to absorb strain. Building resilience into organizations entails a shift from a reactive to a proactive approach for crisis management and disaster recovery. A resilient organization is one that is able to achieve its core objectives in the face of adversity.
http://www.theicor.org/pages/defined.html
per the International Consortium for Organizational Resilience (ICOR)
Resiliency (FFIEC)
The ability of an organization to recover from a significant disruption and resume critical operations.
http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
FFIEC – Federal Financial Institutions Examination Council
Resiliency (UN)
The capacity of a system, community or society potentially exposed to hazards to adapt, by resisting or changing in order to reach and maintain an acceptable level of functioning and structure.
http://www.emi-megacities.org/upload/3cd_2007_MOSP_TR0702.pdf
EMI – Earthquakes and Megacities Initiative, A member of the U.N. Global Platform for Disaster Risk Reduction
Business Resilience Model (BRCCI)
Resiliency Finally Defined
Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes
Who is SEI?
Since 1984, the Carnegie Mellon® Software Engineering Institute (SEI) has served the nation as a federally funded research and development center.
The SEI staff has advanced software engineering principles and practices and has served as a national resource in software engineering, computer security, and process improvement.
As part of Carnegie Mellon University, which is well known for its highly rated programs in computer science and engineering, the SEI operates at the leading edge of technical innovation.
http://www.sei.cmu.edu/about/
Who is ?
Computer Emergency Readiness Team
Relevant Technical Reports (TR) by SEI
In December 2004, SEI first published a technical note entitled Managing for Enterprise Security that described the barriers that organizations face in making Security an effective contributing factor to the achievement of organizational goals.
A second technical note, entitled Sustaining Operational Resiliency: A Process Approach to Security Management, was published in April 2006. It expanded the description of the Security discipline by linking it to activities such as Business Continuity and IT Operations Management.
The 2007 Resiliency Engineering Framework report is the third in a series that explores the transformation of the disciplines of Security and Business Continuity into organizationally driven processes designed to support and sustain Operational Resiliency.
What this latest TR does:
This 3rd technical report is a refinement of the concepts included in these previous works and introduces the field of Resiliency Engineering - a process of collaboration between Security, Business Continuity, and other organizational activities aimed at managing Operational Resiliency.
Resiliency Engineering
The Goal
That organizations will be able to improve their security and business continuity efforts by focusing their activities and objectives toward the Resiliency Engineering Process and by beginning to embrace a process improvement approach.
The Characteristics of the Resiliency Engineering Process:
• Requirements-driven security and business continuity characterize the resiliency engineering process.
• Because the process can be defined, theoretically it can also be managed, measured, controlled, and improved, perhaps even optimized.
Paradigm Shift:
• Because Security and Business Continuity are fields often thought of as practice driven, the movement toward Resiliency Engineering provides an opportunity for an initial application of process improvement concepts
• In essence, process improvement is introduced to Security and Business Continuity through the definition of the Resiliency Engineering Process
Foundation for Operational Resiliency
Engineering Objects
• Services (and/or Products)
• Business Processes
• Assets
    • people
    • information
    • technology
    • facilities
Vigilant’s ‘Oil Rig’ … an Enterprise Customer-Supplier Model
[Figure: layered model with Customers (Customer #1 to #6), Products & Services (Prod #1 to #5, Svc #1 to #5), Processes (Process #1 to #5), Sites (Site #1 to #4), Platforms & Resources (People, Process, Technology, Facilities, Data) and Suppliers (Supplier #1 to #n)]
Copyright © 2001-2008 Vigilant Services Group All Rights Reserved
Graphical Depiction of Resiliency Engineering Objects
Resiliency Engineering in Practice
• Service / Product Resiliency Starts with Asset Resiliency
• Requirements Are the Catalyst
“Engineered”
• Requirements are the foundation of all engineering-based processes, and the result of an engineered process is a product or service that substantially meets or exceeds all of the requirements that are established.
• Requirements also form the basis for managing Operational Resiliency.
Requirements Are the Catalyst
• The importance of requirements to the resiliency engineering process cannot be overstated.
• Resiliency requirements embody the strategic objectives, risk appetite, critical success factors, and operational constraints of the organization in its pursuit of the mission.
Example of Resiliency Requirements
Confidentiality
• Patient medical records may be viewed only by office physicians, physician assistants, and nurses.
• Patient medical records of a specific patient may be viewed by that patient (or their authorized representative) upon his or her request.
Integrity
• Additions to patient medical records may be made only by office physicians, physician assistants, and nurses.
• Modifications of existing patient medical information may be made only by physicians, or by physician assistants and nurses on the approval of an attending physician.
• Deletions of existing medical record information may be made only by a physician.
• Existing patient medical records may be destroyed only on the approval of a physician.
Availability
• Patient medical records must be available during normal office hours (9:00 am to 5:00 pm, Monday through Thursday, and 10:00 am to 6:00 pm on Saturdays).
• Patient medical records must be available on demand when physicians need them for attending to patients.
About Resiliency Requirements
• Confidentiality, integrity, and availability (CIA) are well known by the security community as descriptive properties of information assets, but their application from a resiliency perspective is extensible to the other types of assets with which resiliency engineering is concerned:
About Resiliency Requirements (continued)
• Security activities are normally focused on protecting against the unauthorized or inadvertent disclosure of information and the prevention of unauthorized or accidental modification of information, technology assets (in the form of configurations), and facilities (in the form of physical structures and access controls).
• Business continuity activities, on the other hand, are primarily focused on ensuring the availability of these assets when affected by a disruptive event.
• Together, these practitioner-level activities address the range of resiliency requirements that are necessary to manage operational resiliency.
Operational Resiliency at the Asset Level
This concept for operational resiliency captures the basic premise of risk management—not all risk can be identified or eliminated
Security Continuity
Cooperative Approach to Operational Resiliency
Engineering Competencies
1. Requirements Management
    RRD – Resiliency Requirements Development
    RRM – Resiliency Requirements Management
2. Asset Management
    ADM – Asset Definition and Management
3. Establishing and Managing Resiliency
    SM – Sustainability Management
    CM – Controls Management
Asset Resiliency Management Cluster
Protect and Sustain Cluster
Supplier Management Cluster
Vulnerability, Incident, and Risk Cluster
Monitoring Cluster
Process Improvement
• Asset-based approach - means that the organization focuses its Resiliency Engineering activities specifically at the asset level and derives service Resiliency considerations from this asset view
• Service-based approach - means that the core important Services (or Products) must be identified and validated against strategic objectives
Summary
• Resiliency is not a Concept but a Specific Goal
• The Resiliency Goal is Achieved Through an Engineering Process
• Resiliency Engineering Raises the Bar on Operational Risk Management:
    • It is tied to Strategic Objectives
    • It is Designed In – Not Layered On After Implementation
    • It Combines Security and Business Continuity
* * * * * * *
Resiliency Engineering is the way an organization “builds in” and manages Resiliency, rather than “bolting it on”!!
* * * * * * *