risk analysis and the security survey 3rd edition
RISK ANALYSIS AND THE SECURITY SURVEY
3RD EDITION
Chapter 15
Business Impact Analysis
Business Impact Analysis
Introduction
Business Impact Analysis (BIA):
  Establishes the value of each business unit
  Determines order of recovery
  Defines the impact of a disruption over time
  Identifies interdependencies
Business Impact Analysis
Introduction
BIA examines impacts over time on:
  Service objectives
  Financial position/cash flow
  Regulatory issues/contractual issues
  Market share/competitive issues
Business Impact Analysis
Introduction
BIA will also:
  Identify critical processes and applications
  Establish the value of each business unit
  Identify critical resources
  Gain support for the recovery process
  Increase management awareness
  Reveal inefficiencies in normal operations
  Justify recovery planning budgets
Business Impact Analysis
Introduction
Determines Recovery Time Objectives (RTO)
Decides which functions are critical
Establishes financial basis for strategies
Provides understanding of the amount of risk to assume, transfer or mitigate
Business Impact Analysis
Introduction
Establishes RTO and Recovery Point Objective (RPO)
Outage Tolerance vs. RTO
Shorter objective equates to most costly strategies
Result of BIA and management agreement
Can determine escalation point
RPO is amount of acceptable data loss
Often used to determine backup strategies
Timing considerations in RTO, RPO determination
Business Impact Analysis
Introduction
Illustrates business cycle criticality
BIA is a separate planning element
Management time is minimized
Questions often included relate to:
  Mitigation and Preparedness
  Hazard identification
  Resource requirements
  Single points of failure
  Initial strategy development
Business Impact Analysis
BIA vs. Risk Analysis
BIA subset of Risk Analysis
Places ‘asset value’ on business processes
Focuses less on hazard identification
Cause of disruption not considered
Goal not to rank criticality of risks
Business Impact Analysis
BIA vs. Risk Analysis
BIA/RA projects managed in similar ways
BIA is a partnership with senior management
Data presented differently
Business Impact Analysis
BIA Methodology
Project Planning
Data Collection
Data Analysis
Presentation of Data
Business Impact Analysis
BIA Methodology
Project planning
Management commitment:
  Biggest single predictor of success or failure
Management sponsor
  CFO
Top down approach
Credible data
Senior Management influence
Corporate wide view
Business Impact Analysis
BIA Methodology
Agree on scope of analysis
Determine who should participate
  Highest level manager in each business unit
Prepare list of financial impacts
Decide on method to collect data
Schedule interviews
Include Risk Management, Information Technology
Business Impact Analysis
Data Collection
Examine all current business functions
Data collected through interviews
Interviews seek financial and subjective impact information
Formation of questions important
Software programs and questionnaires
Sample questions (Box 15.1)
Business Impact Analysis
Data Collection
Resource Data Collection
Short vs. long term resources needed
Include:
  Employees and consultants
  Internal and External Contacts
  Customers
  Forms and Supplies
  Equipment
  Software and Applications
  Vital Records
Business Impact Analysis
Data Analysis
Review of goals of analysis
Criticality not determined solely upon numerical data
Avoid duplication
Do not deduct insurance reimbursement from loss calculations
Validate results
Verify results with the business unit manager and CFO
Establish outage tolerance during normal and critical business cycles
Business Impact Analysis
Data Presentation
Results presented to senior management
Data must be credible
Presentation short and simple
Financial data best presented graphically
State data as fact where possible
Outline expectations of management
  What management must do with the results of the analysis
Business Impact Analysis
Updates
Reanalyze annually
Reanalyze when strategic direction of company changes