Information security and risk management
Managing Risk in Information Systems
Lesson 12
Mitigating Risk with a Business Impact Analysis
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
What Is a Business Impact Analysis?
A study used to identify the impact that can result from disruptions in the business
Focuses on failure of one or more critical IT functions
Terms:
Maximum acceptable outage (MAO)
Critical business functions (CBFs)
Critical success factors (CSFs)
The BIA covers the systems critical to the company’s survivability and may also include others whose loss would affect the company. It isn’t intended to cover every IT function; rather, it helps the organization identify which IT systems and components are critical.
If the stakeholder determines that the loss of the function will cause an unacceptable loss, it is a critical function.
The MAO identifies the maximum acceptable downtime for a system. If an outage exceeds the MAO, it adversely affects the organization’s mission.
CBFs are the functions considered vital to an organization. If a CBF fails, the organization loses the ability to perform essential operations.
Critical success factors include elements necessary to perform the mission of an organization. They must succeed in order for the organization to succeed.
Seven Steps of Contingency Planning
Develop the contingency planning policy statement
Conduct the BIA
Identify preventive controls
Develop contingency strategies
Develop an IT contingency plan
Ensure plan testing, training, and exercises
Ensure plan maintenance
Objectives of BIA
Identify critical business functions (CBFs)
Identify critical resources
Identify maximum acceptable outage (MAO) and impact
Include direct and indirect costs
Identify recovery requirements
The overall objective of the BIA is to identify the impact of outages. The first step toward that is identifying the critical functions whose loss would affect the organization; once those are known, you can identify the critical resources that support them.
Each resource has an MAO and an impact if it fails.
Identify critical business functions (CBFs).
Critical business functions are not always apparent, so they must be identified deliberately with the stakeholders rather than assumed.
Identify critical resources.
Critical resources are those required to support the CBFs. Once you’ve identified the CBFs, you can analyze each one to determine the resources it depends on.
Identify maximum acceptable outage (MAO) and its impact.
Once you have identified the critical business functions and the IT resources that support them, you determine the MAO and the impact of exceeding it. When calculating the impact that sets the MAO, consider both direct costs (such as lost revenue) and indirect costs (such as lost customer confidence).
Identify recovery requirements.
The recovery requirements specify the time frame in which systems must be recoverable.
The Recovery Time Objective (RTO) is the maximum time within which a system or function must be recovered after an outage; it must not exceed the MAO, or the outage will harm the organization’s mission before recovery completes.
The Recovery Point Objective (RPO) identifies the maximum amount of data loss an organization can accept, expressed as the time between the last recoverable copy of the data and the outage.
Steps Involved in Implementing a BIA
Identify the environment
Identify stakeholders
Identify CBFs
Identify critical resources
Identify maximum downtime
Identify recovery priorities
Develop the BIA report
BIA Reporting
The BIA report includes the following sections:
Preliminary system information—generic information about the organization, system name, system documentation.
System points of contact—system experts and stakeholders.
System resources—list of hardware and software and, if critical, personnel or other resources.
Critical roles—Identify critical roles related to a system.
BIA Reporting (continued)
Table linking critical roles to critical resources—matches the personnel to the systems.
Table identifying resources, outage impact, and acceptable outage time—list each critical resource identified in the BIA. For each resource, include impact of outage and the MAO.
This is one of the most important elements of the BIA.
Table identifying recovery priority of key resources—list the recovery priority of each resource (e.g. High, Medium, Low, or 1, 2, 3).
BIA Best Practices
Start with clear objectives
Maintain focus on objectives
Use a top-down approach
Vary data collection methods
Plan interviews and meetings in advance
Avoid the quick solution
Use normal project management methods
Consider the use of technology resources
Start with clear objectives:
Make sure you and everyone involved with the BIA understand its scope.
This is best defined in writing; many projects get off track simply because individuals have a different understanding of the requirements.
Don’t lose sight of the objectives:
In addition to the scope statement, remember that the purpose of the BIA is to identify the critical functions, critical systems, and MAO.
This data is used to determine the recovery priorities.
Use a top-down approach:
Start with the CBFs and drill down to the IT services that support them.
If you start with the servers, you’ll miss important elements that are needed for the success of the CBFs.
Vary data collection methods:
When collecting data, ensure you match your method to the organization’s practices.
You may be able to get solid data from individual interviews with some people.
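The top-down approach described above, together with the MAO, RTO and RPO definitions and the BIA report tables earlier in the lesson, can be worked through in code. The following is an added example and is not part of the textbook: it takes constructed sample data (hypothetical CBF names, resource names, costs and hours), derives each resource’s MAO as the tightest MAO of any CBF that depends on it, sums direct and indirect cost per hour of outage across the dependent CBFs, flags resources whose committed RTO exceeds the derived MAO or whose backup interval cannot meet the RPO, and produces the rows for the recovery-priority table. The High/Medium/Low band thresholds are an assumption, not from the lesson.

```python
"""Top-down BIA worksheet: derive resource MAOs, impact and recovery priority.

Added example, not from the textbook. All CBFs, resources, costs and hours
below are constructed sample data for a hypothetical organisation.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CBF:
    name: str
    mao_hours: float               # maximum acceptable outage of the function
    direct_cost_per_hour: float    # e.g. lost revenue while the function is down
    indirect_cost_per_hour: float  # e.g. lost customer confidence, penalties
    resources: tuple[str, ...]     # IT resources the function depends on


@dataclass(frozen=True)
class Resource:
    name: str
    rto_hours: float              # recovery time IT has committed to
    rpo_hours: float              # maximum acceptable data loss, as time
    backup_interval_hours: float  # how often the data is actually captured


# Constructed sample data (hypothetical names and figures).
CBFS = (
    CBF("Online ordering", 4, 5000, 2000, ("web-cluster", "orders-db", "payment-gateway")),
    CBF("Customer support", 8, 800, 1200, ("ticketing-app", "orders-db")),
    CBF("Payroll", 48, 500, 1500, ("hr-db", "file-server")),
)
RESOURCES = (
    Resource("web-cluster", rto_hours=2, rpo_hours=1, backup_interval_hours=1),
    Resource("orders-db", rto_hours=6, rpo_hours=1, backup_interval_hours=4),
    Resource("payment-gateway", rto_hours=1, rpo_hours=0.25, backup_interval_hours=0.25),
    Resource("ticketing-app", rto_hours=4, rpo_hours=2, backup_interval_hours=1),
    Resource("hr-db", rto_hours=24, rpo_hours=24, backup_interval_hours=24),
    Resource("file-server", rto_hours=24, rpo_hours=24, backup_interval_hours=24),
)


def derive_resource_mao(cbfs):
    """Top-down: a resource inherits the tightest MAO of any CBF that needs it."""
    mao = {}
    for cbf in cbfs:
        for name in cbf.resources:
            mao[name] = min(mao.get(name, float("inf")), cbf.mao_hours)
    return mao


def outage_impact(cbfs, resource, hours):
    """Direct plus indirect cost of `resource` being down for `hours`,
    summed over every CBF that depends on it."""
    return sum((c.direct_cost_per_hour + c.indirect_cost_per_hour) * hours
               for c in cbfs if resource in c.resources)


def validate(cbfs, resources):
    """Findings a BIA reviewer raises: RTO that cannot meet the derived MAO,
    an RPO the backup schedule cannot honour, and resources with no record."""
    mao = derive_resource_mao(cbfs)
    by_name = {r.name: r for r in resources}
    findings = []
    for name, limit in mao.items():
        res = by_name.get(name)
        if res is None:
            findings.append(f"{name}: referenced by a CBF but has no resource record")
            continue
        if res.rto_hours > limit:
            findings.append(f"{name}: RTO {res.rto_hours}h exceeds derived MAO {limit}h")
        if res.backup_interval_hours > res.rpo_hours:
            findings.append(f"{name}: backup interval {res.backup_interval_hours}h "
                            f"exceeds RPO {res.rpo_hours}h")
    return findings


def priority_band(mao_hours):
    """Assumed thresholds for the High/Medium/Low bands of the report table."""
    if mao_hours <= 4:
        return "High"
    if mao_hours <= 24:
        return "Medium"
    return "Low"


def recovery_priorities(cbfs, resources):
    """Rows for the report: (resource, derived MAO, impact per hour, band),
    tightest MAO first, then largest impact, then name for a stable order."""
    mao = derive_resource_mao(cbfs)
    rows = [(name, mao[name], outage_impact(cbfs, name, 1), priority_band(mao[name]))
            for name in mao]
    rows.sort(key=lambda row: (row[1], -row[2], row[0]))
    return rows


if __name__ == "__main__":
    for row in recovery_priorities(CBFS, RESOURCES):
        print("%-16s MAO %5.2fh  impact/hr %8.0f  %s" % row)
    for finding in validate(CBFS, RESOURCES):
        print("FINDING:", finding)
```

Note how the shared orders-db, which looks like a single system from the server list, ends up with the 4-hour MAO of online ordering rather than the 8-hour MAO of customer support, and how its 6-hour RTO and 4-hour backup interval both fail review; starting from the servers instead of the CBFs would not have surfaced either point.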