How to Conduct a Business Impact Analysis and Risk Assessment

How to Conduct a Business Impact Analysis and Risk Assessment
By Larry Pedrazoli, Business Recovery Analyst, Miller Brewing Company
February 2006, Project Management Institute, La Crosse, WI Chapter

Agenda
- Contingency Planning Model
- BIA
- Risk Assessment
- Presenting Results to Leadership

Contingency Planning Model
The model has three layers: Crisis Management (organization), Business Continuity (business) and Disaster Recovery (technical).
- Crisis Management: the overall coordination of response to a crisis in an effective, timely manner to avoid or minimize damage to our profitability, reputation, and ability to operate. [Lead: Legal or Risk Management]
- Business Continuity: plans and activities designed to ensure continuity of services and support for customers and to maintain the organization's viability BEFORE, DURING and AFTER an event. [Lead: combined effort of IS, Risk Management and Business]
- Disaster Recovery: plans and activities designed to recover the technical infrastructure and restore critical business applications to an acceptable condition. [Lead: IS]

Business Impact Analysis (BIA): Purpose
To provide a factual, understandable, and informative set of findings that leadership can use to provide direction for development of the Business Continuity Program.

Business Impact Analysis (BIA): Objectives
Identify:
- Business functions and their dependence upon technology, infrastructure and applications
- Potential financial and operational impacts of disruption over time
- Interdependencies
- Legal and regulatory requirements
- Risks and single points of failure
- Critical records and documentation
- External resource products and services
- Departmental recovery requirements
Determine:
- Recovery timeframes and acceptable levels of data, operational and financial losses
Provide:
- Business case for the operational recovery strategies and recommended business recovery strategies

Business Impact Analysis (BIA): Assumptions
- Executive Leadership will identify and make available division/department representatives qualified to participate in the Business Impact Analysis.
- All information gathered in the interviews is assumed to be accurate; no independent audit steps will be taken to verify the data.
- The BIA Report and Presentation will be based on the information gathered from representatives who participated in the BIA process.
- Recommendations included in the BIA report and presentation will be made in response to the requirements received in the information gathering process.

Business Impact Analysis (BIA): Critical Success Factors
- Promote awareness of the possibility of a disaster
- Leverage compliance initiatives, industry regulations and recent disaster events
- Align with strategic and business objectives
- Perform an informal business impact analysis and risk assessment

Business Impact Analysis (BIA): Approach
- Questionnaires
- Interviews
- Workshops
- Combination of any or all of the above
Participants:
- Executive Management
- Managers / Directors

Business Impact Analysis (BIA): 7-Step Process
1. Department Profile
2. Business Functions
3. IT Recovery Requirements
4. Business Function Impact
5. Critical Records and Documentation
6. External Business Partners, Vendors, and Supplier Products and Services
7. Department Recovery Requirements
(The slide groups the steps under two headings: Disaster Recovery after step 5 and Business Continuity after step 7.)

Risk Assessment
Purpose: determine the events and external surroundings that can adversely affect an organization and its resources, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss.
Objective: provide cost-benefit analysis to justify investment in controls to mitigate risk.
Threats:
- Natural
- Man-Made (Intentional)
- Man-Made (Unintentional)
- Business Risks
- Information Technology-Specific
- Other

Risk Assessment: Scoring
LIKELIHOOD x THREAT FACTOR x IMPACT = Risk Score
Likelihood (frequency of incidents):
- Very High: more than two incidents per year
- High: 1-2 incidents per year
- Medium: 1-2 years between incidents
- Low: 2-5 years between incidents
- Very Low: 5+ years between incidents
Threat Factor (shown on the slide as "Threat + 1"), rated on:
- Speed of onset
- Warning
- Duration
Impact:
- High: service disrupted for more than 3 days; impacts many business functions
- Medium: service disruption between 1-3 days; impacts one business function
- Low: service disruption of less than a day; impacts a number of individuals

Risk Assessment: Risk Remediation
- Identify controls currently in place
- Identify potential remediation controls and rank them by cost:
  - Very High: very high cost to remediate ($50,000.00+)
  - High: high cost to remediate ($10,001.00 - $50,000.00)
  - Medium: medium cost to remediate ($1,001.00 - $10,000.00)
  - Low: small cost to remediate ($100.00 - $1,000.00)
  - Very Low: no, or very low, cost to remediate (under $100.00)
- Use inverse scoring to get the best bang for your buck
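A small scorer for the LIKELIHOOD x THREAT FACTOR x IMPACT formula and the inverse cost scoring from the two slides above, added here as an example and not part of the original presentation. It uses the deck's level names and bands; the numeric weights, the 1-3 threat-factor range and the risk-times-cost-score priority are assumptions.

```python
# Added example, not from the presentation. Level names and the frequency, impact
# and cost bands are the slides'; numeric weights and threat factor 1-3 are assumed.
LIKELIHOOD_WEIGHT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT_WEIGHT = {"low": 1, "medium": 2, "high": 3}

def likelihood_level(incidents_per_year):
    # Slide bands: >2/yr very high; 1-2/yr high; one every 1-2 yrs medium;
    # one every 2-5 yrs low; 5+ yrs between incidents very low.
    if incidents_per_year > 2:
        return "very high"
    if incidents_per_year >= 1:
        return "high"
    if incidents_per_year >= 0.5:
        return "medium"
    return "low" if incidents_per_year >= 0.2 else "very low"

def impact_level(disruption_days):
    # Slide bands: >3 days high; 1-3 days medium; under a day low.
    if disruption_days > 3:
        return "high"
    return "medium" if disruption_days >= 1 else "low"

def risk_score(incidents_per_year, threat_factor, disruption_days):
    # LIKELIHOOD x THREAT FACTOR x IMPACT; threat_factor (assumed 1-3) rates
    # speed of onset, warning and duration.
    return (LIKELIHOOD_WEIGHT[likelihood_level(incidents_per_year)]
            * threat_factor * IMPACT_WEIGHT[impact_level(disruption_days)])

def cost_score(remediation_usd):
    # Inverse scoring of the slide's cost bands: the cheaper the fix, the higher.
    if remediation_usd < 100:
        return 5
    if remediation_usd <= 1000:
        return 4
    if remediation_usd <= 10000:
        return 3
    return 2 if remediation_usd <= 50000 else 1

def rank_remediations(candidates):
    # (name, risk_score, usd) tuples ordered by risk x cost score: "best bang for buck".
    scored = [(name, risk * cost_score(usd)) for name, risk, usd in candidates]
    return [name for name, _ in sorted(scored, key=lambda p: p[1], reverse=True)]

# Constructed sample using risk names from the deck's action-plan slide.
SAMPLE_CANDIDATES = [
    ("Power Outages", risk_score(1.5, 2, 4), 20000),             # 24 * 2 = 48
    ("Human Error", risk_score(3, 1, 0.5), 500),                 # 5 * 4 = 20
    ("Denial of Service Attack", risk_score(0.8, 3, 2), 60000),  # 18 * 1 = 18
]
```

With these weights a cheap fix to a moderate risk can outrank an expensive fix to a larger one, which is the point of the inverse scoring on the slide.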

Presenting to Leadership: BIA Results
Report minimums:
- Executive Summary
- Purpose
- Objectives
- Scope
- Approach
- Assumptions
- Key Take-Aways
- Recommendations
- Action Items
- Next Steps
Possible core metrics:
- Lowest RTO for systems
- Business Loss Matrix
- High-Level Business Function Recovery Timeline
- Flowcharts
- Processing Models
- Departmental Requirements Timeline
- Event Calendar

Presenting to Leadership: Risk Assessment Results
- Executive Summary
- Key Take-Aways
- Recommendations
- Risk Categories
- Risk Remediation
- Action Items
- Next Steps

Presenting to Leadership: Risk Rankings
- Red is a high vulnerability: should be addressed immediately.
- Yellow is a medium vulnerability: requires close monitoring for changes and escalation.
- Green is a low vulnerability: requires monitoring; should be addressed as part of the organization's strategic vision.

Presenting to Leadership: Action Plan
The slide is a table with the columns RISK | Classification | Recommendation | Action Plan / Comments | Status and one row per risk; only the risk names are filled in:
- Denial of Service Attack
- Power Outages
- System Performance
- Human Error

Risk Assessment: Risk & Impact Matrix
Risk assessment results are plotted on a two-by-two matrix, risk on one axis and impact on the other:

                 High Impact               Low Impact
  High Risk      High Risk / High Impact   High Risk / Low Impact
  Low Risk       Low Risk / High Impact    Low Risk / Low Impact

Wrap-Up
Questions? Good luck! Feel free to contact me with questions.
Miller: Good Call! Thank you.