
  • Identify the organization’s critical business functions
  • Identify the functions’ resource requirements
  • Calculate how long these functions can operate without such resources
  • Identify vulnerabilities and threats to the functions
  • Calculate risk for each different business function
  • Develop backup solutions based on tolerable outage times
  • Develop recovery solutions for the organization’s individual departments and for the organization as a whole

 

Identifying the Most Critical Functions

If Function “X” Is Not Up and Running…

  • How much will this affect the revenue stream?
  • How much will this affect the production environment?
  • How much will it increase operational expenses?
  • How much will it affect the organization’s reputation and public confidence?
  • To what extent could the organization lose its competitive edge?
  • To what extent will it result in violations of contract agreements or regulations?
  • What delayed costs could be endured?
  • What hidden costs are not accounted for?

Identifying Interdependencies

Identifying interdependencies is difficult but very important.

  • When the activities of functions A and B are mutually reliant on each other to successfully complete operational activities.
  • When activities of function B cannot be performed without the input from the activities of function A. Failure to receive input from A results in incomplete or inadequate implementation of B activities.
  • Identifying interdependencies is difficult because an organization truly needs to understand how its functions work together
  • Many times there are subtle interdependencies that are easily missed in the equation

 

Identifying Functions’ Resources

Critical Items for Certain Functions to Run…

  • Specific types of technologies
  • Necessary software
  • Communication mechanisms
  • Electrical power
  • Safe environment for workers
  • Access to specific outside entities
  • Networked production environment
  • Physical production environment
  • Specific supplies
  • Interdepartmental communications
  • Etc., etc.

 

Identifying Vulnerabilities and Threats

Threat Types

  • Man-made
    • Strikes, riots, fires, terrorism, hackers, vandals, burglars
  • Natural
    • Fires, tornadoes, floods, hurricanes, earthquakes
  • Technical
    • Power outage, device failure, loss of communication lines

 

 

Survival Without Resources?

Maximum Tolerable Downtime (MTD) NIST Guidelines

  • Non-essential = 30 days
  • Normal = 7 days
  • Important = 72 hours
  • Urgent = 24 hours
  • Critical = Minutes to hours

Each Function/Resource Must Have an MTD Calculated

  • It outlines the criticality of individual functions and resources
  • It also helps indicate which functions or resources need backup options developed
    • Hot swappable devices
    • Software and data backups
    • Facility space
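
The interdependency and MTD steps above combine in one check: a function that another function cannot run without inherits the stricter MTD of the two. The following is an added example, not part of the original notes; the function names, hour values and the rule for mapping hours to a tier are assumptions made for illustration.

```python
# Added example; function names and MTD values below are constructed.
# Tier limits in hours, as listed above; anything under 24 h is "Critical".
TIERS = [(720, "Non-essential"), (168, "Normal"), (72, "Important"), (24, "Urgent")]

def classify(mtd_hours):
    # Assumption: use the tier with the largest limit not exceeding the MTD,
    # so planning to the tier's limit never overshoots the function's MTD.
    for limit, name in TIERS:
        if mtd_hours >= limit:
            return name
    return "Critical"

def effective_mtd(own_mtd, depends_on):
    """Tighten each function's MTD to that of every function relying on it.

    own_mtd:    {function: MTD in hours taken on its own}
    depends_on: {function: [functions whose input it needs]}
    Runs to a fixed point, so mutual reliance (A <-> B) terminates with
    both sides at the stricter value.
    """
    named = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    missing = named - set(own_mtd)
    if missing:
        raise ValueError(f"no MTD recorded for: {sorted(missing)}")
    eff = dict(own_mtd)
    changed = True
    while changed:
        changed = False
        for func, deps in depends_on.items():
            for dep in deps:
                if eff[dep] > eff[func]:
                    eff[dep] = eff[func]
                    changed = True
    return eff

def hidden_criticality(own_mtd, depends_on):
    """Functions whose tier tightens once interdependencies are counted."""
    eff = effective_mtd(own_mtd, depends_on)
    return {f: (classify(own_mtd[f]), classify(eff[f]), eff[f])
            for f in own_mtd if classify(eff[f]) != classify(own_mtd[f])}

OWN = {"order_entry": 4, "payment_gateway": 24, "identity_service": 168,
       "warehouse": 72, "shipping": 168, "email": 168, "hr_portal": 720}
DEPS = {"order_entry": ["payment_gateway", "identity_service"],
        "warehouse": ["shipping", "email"], "shipping": ["warehouse"],
        "hr_portal": ["identity_service", "email"]}

if __name__ == "__main__":
    for name, (before, after, hours) in hidden_criticality(OWN, DEPS).items():
        print(f"{name}: {before} -> {after} (effective MTD {hours} h)")
```

In this constructed worksheet the identity service looks "Normal" on its own but becomes "Critical" because order entry cannot run without it, which is the kind of subtle interdependency that is easily missed.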

 

Alternate Sites

Organization-owned & Subscription Services (Exclusive Use Strategies):

  • Hot site – fully configured computer facility with all services, communication links, and physical plant operations.
  • Warm site – similar to a hot site, but software and/or client workstations may not be included
  • Cold site – provides only rudimentary services and facilities, no computer hardware
  • Mobile site – configured like a hot site, except that it is on wheels.

Other Options

  • Reciprocal agreements
  • Prefabricated facility
  • Time-share

The major deciding factor for exclusive use strategies is cost.

 

 

 

 

 

 
