Project on Risk Assessment Plan
Managing Risk in Information Systems
Lesson 6
Business Impact Analysis and Continuity Planning
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objectives
Perform a business impact analysis.
Create a business continuity plan (BCP) based on the findings of a given risk assessment for an organization.
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Concepts
Purpose of BIA
Critical success factors of BIA
Steps involved in implementing a BIA
BIA best practices
Comparing a BCP and a DRP
Major elements of BCP
Phases of a BCP
Steps for implementing a BCP
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Chapter 12 Slides
Chapter 12: “Mitigating Risk with a Business Impact Analysis”
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
What Is a Business Impact Analysis?
A study used to identify the impact that can result from disruptions in the business
Focuses on the failure of one or more critical IT functions
Terms:
Maximum acceptable outage (MAO)
Critical business functions (CBFs)
Critical success factors (CSFs)
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
5
Seven Steps of Contingency Planning
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Develop the contingency planning policy statement
Conduct the BIA
Identify preventive controls
Develop contingency strategies
Develop an IT contingency plan
Ensure plan testing, training, and exercises
Ensure plan maintenance
Dimensions of a BIA
Identify the business impact of IT disruptions
Mission-critical IT systems and components
Does not analyze all IT functions
Stakeholders identify mission-critical systems
Compliance issues often drive BIA
Inputs into the business continuity plan (BCP) and risk assessment (RA)
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Defining Scope of a BIA
Define BIA scope early in the process
Scope defines the boundaries of the plan
Scope is affected by the size of the organization
Small organizations: Scope could include entire organization
Larger organizations: Scope could include only certain areas, department, divisions
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Defining Scope of a BIA (Cont.)
Purchase phase
Shipment phase
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Objectives of BIA
Identify critical business functions (CBFs)
Identify critical resources
Identify maximum acceptable outage (MAO) and impact
Direct and indirect costs
Identify recovery requirements
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Identify critical business functions (CBFs).
Unless you own the process, critical business functions are not always apparent. For example, if you are the security expert, you may not know the CBFs of an online Web site.
Identify critical resources.
The critical resources are those that are required to support the CBFs. Once you’ve identified the CBFs, you can analyze them to determine the critical resources for each.
Identify maximum acceptable outage (MAO) and its impact.
Once you have identified the critical business functions and the IT resources that support them, you turn your attention to the MAO and its impact. When calculating the MAO for an organization, it’s important to consider both direct and indirect costs.
Identify recovery requirements.
The recovery requirements show the time frame in which systems must be recoverable.
10
Balancing Costs
Cost to recover
Cost of disruption
Consider
Direct costs
Indirect costs
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
11
Steps Involved in Implementing a BIA
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Identify the environment
Identify stakeholders
Identify CBFs
Identify critical resources
Identify maximum downtime
Identify recovery priorities
Develop the BIA report
Identifying Mission-Critical Business Functions and Processes
Mission-critical functions are:
Any functions considered to be vital
Derived from critical success factors (CSFs)
Successful CSFs result in performing CBFs
Experts have key information regarding mission-critical functions
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
13
BIA Best Practices
Start with clear objectives
Maintain focus on objectives
Use a top-down approach
Vary data collection methods
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Start with clear objectives:
Make sure you and anyone involved with the BIA understands the scope of the BIA.
This is best defined in writing, many projects get off track simply because individuals have a different understanding of the requirements.
Don’t lose sight of the objectives:
In addition to the scope statement, remember that the purpose of the BIA is to identify the critical functions, critical systems, and MAO.
This data is used to determine the recovery priorities.
Use a top-down approach:
Start with the CBFs and drill down to the IT services that support them.
If you start with the servers, you’ll miss important elements that are needed for the success of the CBFs.
Vary data collection methods:
When collecting data, ensure you match your method to the organization’s practices.
You may be able to get solid data from individual interviews with some people.
14
BIA Best Practices (cont.)
Plan interviews and meetings in advance
Avoid the quick solution
Use normal project management methods
Consider the use of technology resources
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Plan interviews and meetings in advance:
Data gathering is an important part of the BIA.
You want to ensure that the attendees have enough time to give you the data you need. If they’re rushed or you are not prepared, you won’t get the data you need.
Don’t look for the quick solution.
The BIA will take time.
It takes time to collect the data. It takes time to evaluate the data. It takes time to identify priorities.
Consider the BIA as a project:
All normal project management practices apply. Set milestones and track the progress.
Consider the use of tools:
Many tools are available that can assist with the completion of disaster preparedness projects.
These include tools that can help with a BIA.
15
Chapter 13 Slides
Chapter 13: “Mitigating Risk with a Business Continuity Plan”
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
What Is a Business Continuity Plan?
A plan designed to help an organization continue to operate during and after a disruption
BIA is included as part of a BCP
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
What Is a Business Continuity Plan?
BIA key objectives that directly support the BCP:
Identify critical business functions (CBFs)
Identify critical processes supporting the CBFs
Identify critical IT services supporting the CBFs, including any dependencies
Determine acceptable downtimes for CBFs, processes, and IT service
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Elements of a BCP
Purpose and scope
Assumptions and planning principles
System description and architecture
Responsibilities
Phases
Plan training, testing, and exercises
Plan maintenance
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
System Description and Architecture
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
System Description and Architecture
Show system interaction
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
BCP Roles and Responsibilities
BCP program manager
BCP coordinator
BCP teams
Emergency Management Team (EMT)
Damage Assessment Team (DAT)
Technical Recovery Team (TRT)
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Phases within a BCP Plan
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Notification/activation phase
Recovery phase
Reconstitution phase
Defining Data that Needs to Be Protected
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The BCP should list all the critical components for the system.
There are two reasons for including this data:
First, it makes it clear which components are needed for the critical business functions (CBF).
Second, it provides a list that you can use to restore the system from scratch.
This list includes any equipment, such as servers, switches, and routers.
The servers may need to be rebuilt from scratch. Therefore, the BCP should list the operating system and any applications needed to support the system.
If an image is used to rebuild servers, it will list the version number.
Data can include a database hosted on the system.
It can also include any type of files, such as documents or spreadsheets.
Last, the list can include any needed supplies:
This can be simple office supplies, such as printer paper and toner.
For some systems, it can include technical supplies, such as special oils for machinery or tools needed for maintenance.
24
Identify all critical components for the system
Identify all equipment ~ servers, switches, routers
Include databases hosted on the system
Include files ~ documents or spreadsheets
Include necessary supplies
BCP Best Practices
Complete the BIA early
Exercise caution when returning functionality from alternate locations
Restore least critical functions first
Review and update the BCP
Test all individual pieces of the plan
Conduct test exercises of the plan
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Complete the BIA early—Ensure the BIA is done early in the process for the BCP.
Without the BIA, you won’t know what systems are critical.
Exercise caution when returning functionality from alternate locations—When restoring functionality from an alternate location to the primary location, consider these best practices:
Restore least critical functions first to the primary location—This allows you to get the bugs out of the process without affecting critical functions.
Review and update the BCP regularly—The BCP coordinator should review and update the BCP at least annually.
If critical systems are changed or modified between annual reviews, the BCP should be reviewed when those changes or modifications occur.
Test all the individual pieces of the plan—This includes basic procedures, such as recalls.
Exercise the plan—Verify the plan works by performing test exercises.
These exercises should not affect normal operations.
25
Summary
Purpose of BIA
Critical success factors of BIA
Steps involved in implementing a BIA
BIA best practices
Comparing a BCP and a DRP
Major elements of BCP
Phases of a BCP
Steps for implementing a BCP
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
OPTIONAL SLIDES
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/20/2014
27
Chapter 12 Optional Slides
Chapter 12: “Mitigating Risk with a Business Impact Analysis”
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Roles
Risk manager
Auditor
Data owners
IT management
Security manager
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
29
Significance of Business Impact Analysis
How critical are IT infrastructures to business?
What are the most critical IT systems to business?
What happens if critical IT systems go down?
What are the direct and indirect costs?
BIA shows urgent need for contingency plan
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Chapter 13 Optional Slides
Chapter 13: “Mitigating Risk with a Business Continuity Plan”
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Business Continuity vs. Disaster Recovery
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
BCP
Covers all functional areas of a business, it ensures the entire business can continue to operate in the event of a disruption.
Includes a BIA, and also address other non-technical elements of the event.
Focused on getting the overall business functions back to normal.
DRP
Is a function of the IT department,
Includes the elements necessary to recover from a disaster, once one is declared.
Involves copying the critical data to media or online and then, if required, moving the IT operations off site to recover, if required.
Focused on restoring and recovering IT functions.
32
BCP
Covers all functional areas of business
Includes a business impact analysis (BIA)
Focused on business function recovery
DRP
Function of the IT department
Focused on IT function recovery
Recovery from a declared disaster
Steps for Implementing a BCP
Create BCP scope statements
Conduct business impact analysis (BIA)
Identify countermeasures and controls
Develop individual disaster recovery plans (DRPs)
Implement training
Test and exercise plans
Maintain and update plans
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Why Use a Business Continuity Plan?
What happens if electrical power is lost?
What happens if servers go down?
What are the critical business functions to maintain?
What must remain intact to conduct business?
What is the risk of being without a BCP?
Page ‹#›
Managing Risk in Information Systems
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.