Business Impact Analysis

This is one of the more important steps in developing a security plan,
business continuity plan, and disaster recovery plan. The BIA helps a company
identify its major assets, the ones that are worth risking life or
limb for (at least the executives would like to think that). Here are some
helpful steps for developing a BIA.
- Business Impact Analysis
- In the event that something does happen, what will be the effects? It is
important to identify the primary areas of the business, as well as the
secondary and tertiary parts. Once you have the primary areas identified,
you need to rank the impacts of losing each. Concentrate on the ones that
are most crucial to the survival of the business.
- Risk Analysis IS a Business Impact Analysis
- There are two types of analysis - Quantitative & Qualitative
- Quantitative risk has two elements: the probability of an event occurring
and the likely loss should it occur. Quantitative risk analysis makes use
of a single dollar amount produced from these two elements. This is called
the 'Annual Loss Expectancy (ALE)'. This is calculated for an event by
simply multiplying the potential loss ($) by the probability that the event
will occur in a year's timeframe. It is thus theoretically possible to
rank events in order of risk (ALE) and to make decisions based upon the
resultant amounts.
- As all good analysts know, not everything has a quantitative attribute
(i.e., as Visa would say, you can't put a price on something that is priceless).
That is where the second type of analysis comes in. Qualitative Risk involves
estimating the amount of loss of particular items. Since most items are
like this, this is the most commonly used type of analysis.
- Elements of a Risk Analysis/BIA
- Threats - Entities that will exploit vulnerabilities (fire, people, meteors,
earthquakes).
- Vulnerabilities - An exploitable weakness in a system or process (wooden walls,
a buffer overflow, a building that is not earthquake resistant).
- Countermeasures - In the event that a threat exploits a vulnerability you
must have a control in place to mitigate the damage. Countermeasures can
vary in speed of execution, cost, etc. These can be classified into the
following:
- Corrective - A countermeasure that tries to correct the effects of an impact
when a vulnerability is exploited.
- Preventative - Tries to detect someone trying to exploit a vulnerability
in order to prevent any impact to the business.
- Detective - If a preventative mechanism detects a vulnerability being exploited,
it will try to get information on the attack and the attacker.
- Deterrent - A control that tries to prevent the exploitation of a vulnerability.
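The ALE calculation and ranking described under quantitative risk, worked through in code, as an added example that is not part of the original page. It goes one step beyond the text by also comparing a countermeasure's annual cost against the ALE reduction it buys (the page only says countermeasures vary in cost); the events, dollar figures, probabilities and the fire-suppression control are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    """One threat/vulnerability pairing with its quantitative inputs (constructed data)."""
    name: str
    potential_loss: float       # dollar loss if the event occurs once
    annual_probability: float   # probability the event occurs within one year (0..1)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce a meaningless ALE.
        if self.potential_loss < 0:
            raise ValueError(f"{self.name}: potential loss must be non-negative")
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: annual probability must be between 0 and 1")

    def ale(self) -> float:
        """Annual Loss Expectancy: potential loss ($) x probability of occurring in a year."""
        return round(self.potential_loss * self.annual_probability, 2)


def rank_by_ale(events: List[Event]) -> List[Tuple[str, float]]:
    """Order events by ALE, highest first, so the costliest risks are treated first."""
    return [(e.name, e.ale()) for e in sorted(events, key=lambda e: e.ale(), reverse=True)]


def countermeasure_net_benefit(before: Event, after: Event, annual_cost: float) -> float:
    """Annual ALE reduction a control delivers, minus what the control costs per year.
    A positive result means the control saves more than it costs (hypothetical helper)."""
    return round(before.ale() - after.ale() - annual_cost, 2)


# Constructed sample events, using the threat/vulnerability pairs the page lists.
EVENTS = [
    Event("fire (wooden walls)", potential_loss=500_000, annual_probability=0.02),
    Event("earthquake (non-resistant building)", potential_loss=2_000_000, annual_probability=0.004),
    Event("buffer overflow exploited", potential_loss=150_000, annual_probability=0.3),
    Event("meteor strike", potential_loss=5_000_000, annual_probability=0.00001),
]

# Hypothetical control: a fire-suppression system that limits fire damage to $50,000
# and costs $4,000 per year to maintain.
FIRE_BEFORE = EVENTS[0]
FIRE_AFTER = replace(FIRE_BEFORE, potential_loss=50_000)
FIRE_CONTROL_ANNUAL_COST = 4_000

if __name__ == "__main__":
    for name, ale in rank_by_ale(EVENTS):
        print(f"{ale:>12,.2f}  {name}")
    print("fire suppression net benefit:",
          countermeasure_net_benefit(FIRE_BEFORE, FIRE_AFTER, FIRE_CONTROL_ANNUAL_COST))
```

Note how the meteor strike, despite the largest single loss, ranks last once its probability is applied, which is exactly why the page says to rank by ALE rather than by raw loss.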