
Risk Analysis and the Security Survey 3rd edition

Risk Analysis and the Security Survey, 3rd edition. Chapter 15: Business Impact Analysis. Introduction. Business Impact Analysis (BIA): establishes the value of each business unit; determines order of recovery; defines the impact of a disruption over time.


Presentation Transcript


  1. Risk Analysis and the Security Survey, 3rd edition. Chapter 15: Business Impact Analysis

  2. Business Impact Analysis: Introduction
     • Business Impact Analysis (BIA):
     • Establishes the value of each business unit
     • Determines order of recovery
     • Defines the impact of a disruption over time
     • Identifies interdependencies

  3. Business Impact Analysis: Introduction
     • BIA examines impacts over time on:
     • Service objectives
     • Financial position/cash flow
     • Regulatory issues/contractual issues
     • Market share/competitive issues

  4. Business Impact Analysis: Introduction
     • BIA will also:
     • Identify critical processes and applications
     • Establish the value of each business unit
     • Identify critical resources
     • Gain support for the recovery process
     • Increase management awareness
     • Reveal inefficiencies in normal operations
     • Justify recovery planning budgets

  5. Business Impact Analysis: Introduction
     • Determines Recovery Time Objectives (RTO)
     • Decides which functions are critical
     • Establishes financial basis for strategies
     • Provides understanding of the amount of risk to assume, transfer or mitigate

  6. Business Impact Analysis: Introduction
     • Establishes RTO and Recovery Point Objective (RPO)
     • Outage Tolerance vs. RTO
     • Shorter objective equates to most costly strategies
     • Result of BIA and management agreement
     • Can determine escalation point
     • RPO is amount of acceptable data loss
     • Often used to determine backup strategies
     • Timing considerations in RTO, RPO determination

  7. Business Impact Analysis: Introduction
     • Illustrates business cycle criticality
     • BIA is a separate planning element
     • Management time is minimized
     • Questions often included relate to:
     • Mitigation and Preparedness
     • Hazard identification
     • Resource requirements
     • Single points of failure
     • Initial strategy development

  8. Business Impact Analysis: BIA vs. Risk Analysis
     • BIA subset of Risk Analysis
     • Places ‘asset value’ on business processes
     • Focuses less on hazard identification
     • Cause of disruption not considered
     • Goal not to rank criticality of risks

  9. Business Impact Analysis: BIA vs. Risk Analysis
     • BIA/RA projects managed in similar ways
     • BIA is a partnership with senior management
     • Data presented differently

  10. Business Impact Analysis: BIA Methodology
     • Project Planning
     • Data Collection
     • Data Analysis
     • Presentation of Data

  11. Business Impact Analysis: BIA Methodology
     • Project planning
     • Management commitment:
     • Biggest single predictor of success or failure
     • Management sponsor
     • CFO
     • Top down approach
     • Credible data
     • Senior Management influence
     • Corporate wide view

  12. Business Impact Analysis: BIA Methodology
     • Agree on scope of analysis
     • Determine who should participate
     • Highest level manager in each business unit
     • Prepare list of financial impacts
     • Decide on method to collect data
     • Schedule interviews
     • Include Risk Management, Information Technology

  13. Business Impact Analysis: Data Collection
     • Examine all current business functions
     • Data collected through interviews
     • Interviews seek financial and subjective impact information
     • Formation of questions important
     • Software programs and questionnaires
     • Sample questions (Box 15.1)

  14. Business Impact Analysis: Data Collection
     • Resource Data Collection
     • Short vs. long term resources needed
     • Include:
     • Employees and consultants
     • Internal and External Contacts
     • Customers
     • Forms and Supplies
     • Equipment
     • Software and Applications
     • Vital Records

  15. Business Impact Analysis: Data Analysis
     • Review of goals of analysis
     • Criticality not determined solely upon numerical data
     • Avoid duplication
     • Do not deduct insurance reimbursement from loss calculations
     • Validate results
     • Verify results with the business unit manager and CFO
     • Establish outage tolerance during normal and critical business cycles

  16. Business Impact Analysis: Data Presentation
     • Results presented to senior management
     • Data must be credible
     • Presentation short and simple
     • Financial data best presented graphically
     • State data as fact where possible
     • Outline expectations of management
     • What management must do with the results of the analysis

  17. Business Impact Analysis: Updates
     • Reanalyze annually
     • Reanalyze when strategic direction of company changes
