Transcript Business Impact Analysis
Business Impact Analysis 101
Bruce Lobree, CISSP, CISM, CIPP
Risk Realization Costs
Agenda
Risk Assessment Worksheet
Terms
Business Impact Analysis – What Risk
Loss Types
What, Why, Who, How
Practical Threat Analysis – Free Tool
Online Tools – Free Tools
Example 1 – Lost data
Resources
Q & A
Risk Assessment Worksheet
Terms
Quantitative Analysis – In finance, someone who applies mathematics (among others, stochastic calculus) to finance; here, the process of assigning a value to an item.
Business Impact Analysis
A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:
1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process
Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.
Annual Loss Expectancy
Annual Loss Expectancy (ALE) - The calculation by which you determine the potential loss that will occur annually.
Single Loss Expectancy (SLE)
Annual Rate of Occurrence (ARO)
Annual Loss Expectancy (ALE) = SLE x ARO
AALE – Acceptable Annual Loss Expectancy – Do you have one?
Single Loss Expectancy
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset.
It is mathematically expressed as: SLE = NA x AV
Where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed (euros, dollars, yens, etc).
What
Define Impact
How detailed to make it
Where the data comes from
What format will you deliver it in
Graphs, charts and other wasted information
KEEP IT SIMPLE!!!!!!!!!
Why
Qualify actual costs
What is the business risk
What is the technical risk and why are they different
Justify projects and their spend
Cost Avoidance
Who
Who is your target audience
Management
Non-Management
Technical
Other
Who supports putting the data together
What is your source
Don’t make up data
How
Define what you are analyzing
Define your attack vectors (more is better)
Define the potential impact – What is going to be lost
Define your costs and do the math
DON’T INFLATE YOUR NUMBERS – Use realistic numbers
PTA
Practical Threat Analysis – A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system.
Assets
Threats
Vulnerabilities
Countermeasures
Implemented Countermeasures
Entry Points
Attacker Types
Tags
Privacy Breach Impact Calculator – Information Shield
Tech//404 Data Loss Cost Calculator - Data
Tech//404 Data Loss Cost Calculator - Graph
Example 1 – Database Lost
Stolen Laptop Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients' information, which includes all their contact, billing and purchasing records.
His laptop is “stolen” out of the trunk of his car on a Friday night while he is having a beer with some friends. He does not notice it is gone until Monday morning when he gets back to work.
Analysis
400 clients – Name, Address, Account Number, Credit Card Number
Direct Loss – Notification, Legal fees, Fines
Ponemon Institute (per record costs):
$140 – Notification / Credit service
$94 – Reputation damage (lost customers, new customers, loss of data, etc.)
$134 per record
$53,600 – Total loss cost per incident
Cost to encrypt a laptop – $389 (PGP)
Cost if the workstation has Vista – $0
Calculating odds of occurrence
1 in 14 laptops will be stolen in 2007 – FBI
85 employees carry laptops with client data on them.
6 laptops will be lost or stolen annually
$321,600 loss potential (bottom line impact)
$33,065 to encrypt all laptops
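The stolen-laptop example carried through the deck's own formulas (SLE = NA x AV, ALE = SLE x ARO) and compared against the cost of the encryption countermeasure. This is an added example, not part of the original presentation; the scenario values are the deck's, the function names and the rounding of ARO to a whole number of laptops are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LaptopScenario:
    """Inputs for the deck's stolen-laptop BIA (names are assumptions)."""
    records_per_laptop: int        # NA: number of client records exposed per loss
    cost_per_record: float         # AV: per-record cost (Ponemon figure used by the deck)
    laptops_in_fleet: int          # employees carrying client data
    theft_odds: float              # fraction of laptops stolen per year (FBI: 1 in 14)
    encrypt_cost_per_laptop: float # one-time countermeasure cost per laptop


# Constructed from the deck's numbers: 400 records, $134/record, 85 laptops,
# 1-in-14 theft rate, $389 per laptop for PGP whole-disk encryption.
DECK_SCENARIO = LaptopScenario(400, 134.0, 85, 1 / 14, 389.0)


def single_loss_expectancy(s: LaptopScenario) -> float:
    # SLE = NA x AV: one lost laptop exposes every record on it
    return s.records_per_laptop * s.cost_per_record


def annual_rate_of_occurrence(s: LaptopScenario) -> int:
    # ARO = fleet size x theft odds; the deck rounds 85/14 to 6 laptops a year
    return round(s.laptops_in_fleet * s.theft_odds)


def annual_loss_expectancy(s: LaptopScenario) -> float:
    # ALE = SLE x ARO: the "bottom line impact" of doing nothing
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s)


def countermeasure_cost(s: LaptopScenario) -> float:
    # Cost to encrypt the whole fleet (the deck treats it as a single outlay)
    return s.laptops_in_fleet * s.encrypt_cost_per_laptop


def cost_avoidance(s: LaptopScenario) -> float:
    # Avoided loss minus the spend: encryption removes the notification liability,
    # so the full ALE is avoided and the only remaining cost is the countermeasure
    return annual_loss_expectancy(s) - countermeasure_cost(s)


def within_aale(s: LaptopScenario, aale: float) -> bool:
    # Does the unmitigated ALE fit under an Acceptable Annual Loss Expectancy?
    return annual_loss_expectancy(s) <= aale


if __name__ == "__main__":
    for name, fn in [("SLE", single_loss_expectancy), ("ARO", annual_rate_of_occurrence),
                     ("ALE", annual_loss_expectancy), ("encrypt", countermeasure_cost),
                     ("avoided", cost_avoidance)]:
        print(f"{name:>8}: {fn(DECK_SCENARIO):,.0f}")
```

Swapping `encrypt_cost_per_laptop` to `0.0` reproduces the deck's Vista case, where the whole ALE becomes cost avoidance.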
For More Information
Resources
Ponemon Institute – www.vontu.com/uploadedFiles/global/Ponemon Vontu_US_Survey-Data_at-Risk.pdf
FBI – Crime statistics and CSI report – http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
Gartner – http://www.gartner.com/
Wikipedia – http://en.wikipedia.org/wiki/Main_Page
Security Focus – http://www.securityfocus.com/infocus/1608
PTA – Practical Threat Analysis – http://ptatechnologies.com
Calculators
Information Shield – http://www.informationshield.com/privacybreachcalc.html
Tech 404 – http://www.tech-404.com/calculator.html
Questions And Answers
Contact Info: [email protected]