CISSP Security & Risk Management-Business Impact Analysis (BIA)

• gol


• 25 May 2016

• • Identify organization’s critical business functions

• Identify functions resource requirements
• Calculate how long these functions can operate without such resources
• Identify vulnerabilities and threats to the functions
• Calculate risk for each different business function
• Develop backup solutions based on tolerable outage times
• Develop recovery solutions for the organization’s individual departments and for the organization as a whole

 

Identifying the Most Critical Functions

If Function “X” Is Not Up and Running………..

• How much will this affect the revenue stream?
• How much will this affect the production environment?
• How much will it increase operational expenses?
• How much it affect the organization’s reputation and public confidence?
• How much will the organization possibly lose its competitive edge?
• How much will it result in violations of contract agreements or regulations?
• What delayed costs could be endured?
• What hidden costs are not accounted for?

Identifying Interdependencies

It is difficult but very important

• When the activities of functions A and B are mutually reliant on each other to successfully complete operational activities.
• When activities of function B cannot be performed without the input from the activities of function A. Failure to receive input from A results in incomplete or inadequate implementation of B activities.
• Identifying interdependencies is difficult because an organization truly needs to understand how its functions work together
• Many times there are subtle interdependencies that are easily missed in the equation

 

Identifying Functions’ Resources

Critical Items for Certain Functions to Run…..

• Specific types of technologies
• Necessary software
• Communication mechanisms
• Electrical power
• Safe environment for workers
• Access to specific outside entities
• Networked production environment
• Physical production environment
• Specific supplies
• Interdepartmental communications
• Etc., etc.

 

Identifying Vulnerabilities and Threats

Threats Types

• Man-made
  • Strikes, riots, fires, terrorism, hackers, vandals, burglars
• Natural
  • Fires, tornado, floods, hurricanes, earthquakes
• Technical
  • Power outage, device failure, loss of communication lines

 

 

Survival Without Resources?

Maximum Tolerable Downtime (MTD) NIST Guidelines

• Non-essential = 30 days
• Normal = 7 days
• Important = 72 hours
• Urgent = 24 hours
• Critical = Minutes to hours

Each Function/Resource Must Have an MTD Calculated

• It outlines the criticality of individual function and resources
• It also helps indicate which function or resources need backup options developed
  • Hot swappable devices
  • Software and data backups
  • Facility space

 

Alternate Sites

Organization-owned & Subscription Services (Exclusive Use Strategies):

• Hot site – fully configured computer facility with all services, communication links, and physical plant operations.
• Warm site – similar to hot site, but software and/or client workstations may not be included
• Cold site – provides only rudimentary services and facilities, no computer hardware
• Mobile site – configured like hot site except that this is on wheels.

Other Options

• Reciprocal agreements
• Prefabricated facility
• Time-share

The major deciding factor for exclusive use strategies is cost.

 

 

 

 

 

 

To Become Certified For CISSP Please Visit This Link;