SB22: Resiliency Finally Defined

Jerry VarneyVice President

Vigilant Services Groupgtvarney@vsg1.cc

321-432-9787

Doug WeldonPresident

Vigilant Services Groupdnweldon@vsg1.cc

407-492-9676

Presentation Outline

• Evolution to Resiliency

• Resiliency Finally Defined

• Resiliency Engineering

• Process Improvement

• Summary

• Evolution to Resiliency

4

Evolution to Resiliency

Reliability

Availability

Disaster Recovery

Business Continuity

Resiliency

5

Evolution to Resiliency

Reliability:

the ability of a system or component to perform its required functions under stated conditions

for a specified period of time[IEEE 90] Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEE Standard

Computer Glossaries. New York, NY: 1990.

6

Evolution to Resiliency

High Availability:

High Availability (HA for short) refers to the availability of resources in a computer system, in the wake of component failures in the system

IEEE Technical Committee on Scalable Computinghttp://www.ieeetscs.org/high-availability.html

7

Evolution to ResiliencyRelated to High Availability:

Continuous Availability: This implies non-stop service, with no lapse in service. This represents an ideal state, and is generally used to indicate a high level of availability in which only a very small quantity of downtime is allowed. High availability does not imply continuous availability

Fault Tolerance: This is a means to achieve very high levels of availability. A fault tolerant system has the ability to continue service despite a hardware or a software failure, and is characterized by redundancy in hardware, including CPU, memory, and I/0 subsystems. High availability does not imply fault tolerance.

Single Point of Failure (SPOF): A hardware or software component whose loss results in the loss of service; such components are not backed up by redundant components.

Failover: When a component in an HA system fails resulting in a loss of service, the service is started by the HA system on another component in the system. This transfer of a service following a failure in the system is termed failover

IEEE Technical Committee on Scalable Computinghttp://www.ieeetcsc.org/high-availability.html

8

Evolution to Resiliency

Disaster Recovery:The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions

http://www.drj.com/glossary/glossleft.htm

ITDR – An integral part of the organization’s BCM plan by which it intends to recover and restore its IT and Telecommunications capabilities after an e/i/c

http://thebci.org/Glossary.pdf

9

Evolution to Resiliency

Business Continuity Management:(BCI) A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.

http://thebci.org/Glossary.pdf

(+ DRJ) The management of recovery or continuity in the event of a disaster. Also the management of the overall program through training, rehearsals, and reviews, to ensure the plan stays current and up to date

http://www.drj.com/glossary/glossleft.htm

10

Evolution to Resiliency

Resiliency (dictionary definition):

1. Said of a person: able to recover quickly from, or to deal readily with, illness, sudden, unexpected difficulties, hardship, etc.

2. Said of an object, a material, etc: able to return quickly to its original shape or position after being bent, twisted, stretched, etc; elastic.

http://www.allwords.com/word-Resiliency.html

11

Evolution to Resiliency

Resilience (ICOR)

Resilience is the ability of an organization to rebound following a crisis or a disaster event. It is the ability

to absorb strain. Building resilience into organizations entails a shift from a reactive to a proactive approach

for crisis management and disaster recovery. A resilient organization is one that is able to achieve its

core objectives in the face of adversity.

http://www.theicor.org/pages/defined.htmlper the International Consortium for Organizational Resilience (ICOR)

12

Evolution to Resiliency

Resiliency (FFIEC)

The ability of an organization to recover from a significant disruption and resume critical operations .

http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf

FFIEC – Federal Financial Institutions Examination Council

13

Evolution to Resiliency

Resiliency (UN)

The capacity of a system, community or society potentially exposed to hazards to adapt,

by resisting or changing in order to reach and maintain an acceptable level of functioning and structure.

http://www.emi-megacities.org/upload/3cd_2007_MOSP_TR0702.pdf

EMI – Earthquakes and Megacities Initiative, A member of the U.N. Global Platform for Disaster Risk Reduction

14

Evolution to Resiliency

Business Resilience Model (BRCCI)

• Resiliency Finally Defined

16

Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes

Resiliency Finally Defined

17

Who is – SEI ?

Since 1984, the Carnegie Mellon® Software Engineering Institute (SEI) has served the nation as a federally funded research and

development center.

The SEI staff has advanced software engineering principles and practices and has served as a national resource in software engineering, computer Security, and process improvement.

As part of Carnegie Mellon University, which is well known for its highly rated programs in computer science and engineering, the SEI

operates at the leading edge of technical innovation.

http://www.sei.cmu.edu/about/

Resiliency Finally Defined

18

Who is ?

Computer Emergency Readiness Team

Resiliency Finally Defined

19

Relevant Technical Reports (TR) by SEI

In December 2004, SEI first published a technical note entitled Managing for Enterprise Security that described the barriers that organizations face in making Security an effective contributing factor to the achievement of organizational goals

A second, subsequent technical note entitled Sustaining Operational Resiliency: A Process Approach to Security Management was published in April 2006 - it expanded the description of the Security discipline by linking it to activities such as Business Continuity and IT Operations Management

In 2007, Resiliency Engineering Framework report is the third in a series that explores the transformation of the disciplines of Security and Business Continuity into organizationally driven processes designed to support and sustain Operational Resiliency

Resiliency Engineering

20

Resiliency Finally Defined

What this latest TR does:

This 3rd technical report is a refinement of the concepts

included in these previous works and introduces the

field of Resiliency Engineering - a process of

collaboration between Security, Business Continuity,

and other organizational activities aimed at managing

Operational Resiliency

• Resiliency Engineering

Resiliency Engineering

The Goal

That organizations will be able to improve their security and business continuity efforts by focusing their activities and objectives toward the Resiliency Engineering Process and by beginning to embrace a process improvement approach

Resiliency EngineeringThe Characteristics of the Resiliency Engineering Process:

• Requirements-driven security and business continuity characterize the resiliency engineering process

• Because the process can be defined, theoretically it can also be managed, measured, controlled, and improved, perhaps even optimized

Resiliency EngineeringParadigm Shift:

• Because Security and Business Continuity are fields often thought of as practice driven, the movement toward Resiliency Engineering provides an opportunity for an initial application of process improvement concepts

• In essence, process improvement is introduced to Security and Business Continuity through the definition of the Resiliency Engineering Process

Resiliency EngineeringFoundation for Operational Resiliency

Resiliency EngineeringEngineering Objects

• Services (and/or Products)

• Business Processes

• Assets

• people• information• technology • facilities

Resiliency EngineeringVigilant’s ‘Oil Rig’ … an Enterprise Customer-Supplier Model

Customers

Products &Services

Sites

Platforms& Resources

Suppliers

Customer#1

Customer#2

Site #1

Prod #1 Prod #2 Svc #1 Svc #2 Prod #3

Site #4Site #3

Prod #4 Svc #3 Svc #4 Prod #5 Svc #5

Customer#3

Customer#4

Customer# 5

Customer# 6

People

Process

Technology

Facilities

Data

Supplier#1

Supplier#2 Supplier

#3

Supplier#4

Supplier#n

Site #2

Process #1 Process #2 Process #3 Process #4 Process #5Processes

Copyright © 2001-2008 Vigilant Services Group All Rights Reserved

Resiliency EngineeringGraphical Depiction of Resiliency Engineering Objects

Resiliency Engineering

in Practice

• Service / Product Resiliency Starts with Asset Resiliency

• Requirements Are the Catalyst

Resiliency Engineering“Engineered”

• Requirements are the foundation of all engineering-based processes, and the result of an engineered process is a product or service that substantially meets or exceeds all of the requirements that are established.

• Requirements also form the basis for managing Operational Resiliency.

Resiliency EngineeringRequirements Are the Catalyst

• The importance of requirements to the resiliency engineering process cannot be understated.

• Resiliency requirements embody the strategic objectives, risk appetite, critical success factors, and operational constraints of the organization in its pursuit of the mission.

Resiliency EngineeringExample of Resiliency Requirements

Confidentiality• Patient medical records may be viewed only by office physicians, physician assistants, and nurses.• Patient medical records of a specific patient may be viewed by that patient (or their authorized representative) upon his or her request.

Integrity• Additions to patient medical records may be made only by office physicians, physician assistants, and nurses. • Modifications of existing patient medical information may be made only by physicians, or by physician assistants and nurses on the approval of an attending physician.• Deletions of existing medical record information may be made only by a physician.• Existing patient medical records may be destroyed only on the approval of a physician.

Availability• Patient medical records must be available during normal office hours (9:00 am to 5:00 pm, Monday through Thursday, and 10:00 am to 6:00 pm on Saturdays).• Patient medical records must be available on demand when physicians need them for attending to patients.

Resiliency EngineeringAbout Resiliency Requirements

• Confidentiality, integrity, and availability (CIA) are well known by the security community as descriptive properties of information assets, but their application from a resiliency perspective is extensible to the other types of assets with which resiliency engineering is concerned:

Resiliency EngineeringAbout Resiliency Requirements (continued)

• Security activities are normally focused on protecting againstthe unauthorized or inadvertent disclosure of information and the prevention of unauthorized or accidental modification of information, technology assets (in the form of configurations), and facilities (in the form of physical structures and access controls)

• Business continuity activities, on the other hand, are primarilyfocused on ensuring the availability of these assets when affected by a disruptive event

• Together, these practitioner-level activities address the range of resiliency requirements that are necessary to manage operationalresiliency

Resiliency EngineeringOperational Resiliency at the Asset Level

This concept for operational resiliency captures the basic premise of risk management—not all risk can be identified or eliminated

Security Continuity

Resiliency EngineeringCooperative Approach to Operational Resiliency

Resiliency Engineering

Engineering Competencies

1. Requirements ManagementRRD – Resiliency Requirements Development

RRM – Resiliency Requirements Management

2. Asset ManagementADM – Asset Definition and Management

3. Establishing and Managing ResiliencySM – Sustainability Management

CM – Controls Management

Resiliency EngineeringAsset Resiliency Management Cluster

Resiliency EngineeringProtect and Sustain Cluster

Resiliency EngineeringSupplier Management Cluster

Resiliency EngineeringVulnerability, Incident, and Risk Cluster

Resiliency EngineeringMonitoring Cluster

• Process Improvement

44

Process Improvement

• Asset-based approach - means that the

organization focuses its Resiliency Engineering

activities specifically at the asset level and derives

service Resiliency considerations from this asset view

• Service-based approach - means that the core

important Services (or Products) must be identified

and validated against strategic objectives

• Summary

46

• Resiliency is not a Concept but a Specific Goal

• The Resiliency Goal is Achieved Through an Engineering

Process

• Resiliency Engineering Raises the Bar on Operational

Risk Management:

It is tied to Strategic Objectives

It is Designed In – Not Layered On After Implementation

It Combines Security and Business Continuity

Summary

47

* * * * * * *

Resiliency Engineering

is the way an organization

“builds in” and manages Resiliency,

rather than “bolting it on” !!

* * * * * * *