Business Impact Analysis


Business Impact Analysis 101

Bruce Lobree, CISSP, CISM, CIPP

Risk Realization Costs


Agenda

- Risk Assessment Worksheet
- Terms
- Business Impact Analysis – What
- Risk Loss Types
- What, Why, Who, How
- Practical Threat Analysis – Free Tool
- Online Tools – Free Tools
- Example 1 – Lost data
- Resources
- Q & A

Risk Assessment Worksheet

Terms

- Quantitative Analysis – In finance, someone who applies mathematics (among others, stochastic calculus) to finance; the process of assigning a value to an item.

Business Impact Analysis

A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:

1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process

Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.

Annual Loss Expectancy

Annual Loss Expectancy (ALE) – The calculation by which you determine the potential loss that will occur annually.

- Single Loss Expectancy (SLE)
- Annual Rate of Occurrence (ARO)
- Annual Loss Expectancy (ALE) = SLE x ARO
- AALE – Acceptable Annual Loss Expectancy – Do you have one?

Single Loss Expectancy

Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as:

SLE = NA x AV

Where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed (euros, dollars, yens, etc).

What

- Define Impact
- How detailed to make it
- Where the data comes from
- What format will you deliver it in
- Graphs, charts and other wasted information
- KEEP IT SIMPLE!!!!!!!!!

Why

- Qualify actual costs
- What is the business risk
- What is the technical risk and why are they different
- Justify projects and their spend
- Cost Avoidance

Who

- Who is your target audience
  - Management
  - Non-Management
  - Technical
  - Other
- Who supports putting the data together
- What is your source
- Don’t make up data

How

- Define what you’re analyzing
- Define your attack vectors (more is better)
- Define the potential impact – What is going to be lost
- Define your costs and do the math

DON’T INFLATE YOUR NUMBERS – Use realistic numbers

PTA

Practical Threat Analysis – A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system.

- Assets
- Threats
- Vulnerabilities
- Countermeasures
- Implemented Countermeasures
- Entry Points
- Attacker Types
- Tags

Privacy Breach Impact Calculator – Information Shield

Tech//404 Data Loss Cost Calculator - Data

Tech//404 Data Loss Cost Calculator - Graph

Example 1 – Database Lost

Stolen Laptop

Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients’ information, which includes all their contact, billing and purchasing records.

His laptop is “stolen” out of the trunk of his car on a Friday night while he is having a beer with some friends. He does not notice it’s gone until Monday morning when he gets back to work.

Analysis

- 400 clients – Name, Address, Account Number – Credit Card Number
- Direct Loss
  - Notification
  - Legal fees
  - Fines
- Ponemon Institute (per record costs)
  - $140 – Notification / Credit service
  - $94 – Reputation damage (lost customers, new customers, loss of data, etc.)
  - $134 per record
  - $53,600 – Total loss cost per incident
- Cost to encrypt a laptop – $389 PGP
- Cost if the workstation has Vista – $0

Calculating odds of occurrence

- 1 in 14 laptops will be stolen in 2007 – FBI
- 85 employees carry laptops with client data on them
- 6 laptops will be lost or stolen annually
- $321,600 loss potential (bottom line impact)
- $33,065 to encrypt all laptops
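The SLE = NA x AV and ALE = SLE x ARO formulas from the Terms slides, carried through on the stolen-laptop figures above, as an added example that is not part of the deck. It assumes the deck's $134 per-record figure, truncates ARO to whole incidents as the deck does (85 / 14 = 6), and uses a made-up $50,000 Acceptable Annual Loss Expectancy threshold, since the deck only asks whether you have one.

```python
from dataclasses import dataclass


@dataclass
class LossScenario:
    """One loss scenario priced with the deck's formulas."""
    name: str
    number_of_assets: int    # NA: records exposed in one incident
    asset_value: float       # AV: cost per record, in one currency unit
    exposed_units: int       # laptops (or other carriers) at risk per year
    odds_per_unit: float     # chance one unit is lost or stolen in a year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = NA x AV (loss from one incident)."""
        return self.number_of_assets * self.asset_value

    def aro(self) -> int:
        """Annual Rate of Occurrence, truncated to whole incidents (85/14 -> 6)."""
        return int(self.exposed_units * self.odds_per_unit)

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro()


def countermeasure_cost(exposed_units: int, unit_cost: float) -> float:
    """Cost of protecting every exposed unit (e.g. laptop encryption per seat)."""
    return exposed_units * unit_cost


def evaluate(scenario: LossScenario, unit_cost: float, acceptable_ale: float) -> dict:
    """Return the SLE/ARO/ALE numbers plus the two decisions a BIA is meant to feed."""
    ale = scenario.ale()
    cost = countermeasure_cost(scenario.exposed_units, unit_cost)
    return {
        "sle": scenario.sle(),
        "aro": scenario.aro(),
        "ale": ale,
        "countermeasure_cost": cost,
        "exceeds_aale": ale > acceptable_ale,          # is the annual loss above what we accept?
        "countermeasure_justified": cost < ale,        # cost avoidance: protection cheaper than the loss?
    }


# Constructed from the deck's Example 1: 400 records, $134/record, 85 laptops, 1 in 14 stolen.
STOLEN_LAPTOP = LossScenario("Stolen laptop", 400, 134, 85, 1 / 14)

if __name__ == "__main__":
    print(evaluate(STOLEN_LAPTOP, unit_cost=389, acceptable_ale=50_000))   # PGP at $389/laptop
    print(evaluate(STOLEN_LAPTOP, unit_cost=0, acceptable_ale=50_000))     # Vista at $0/laptop
```

Swapping in a different ARO source, per-record cost or AALE threshold is a one-line change, which is the point of keeping the inputs and the math separate when management asks where a number came from.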

For More Information

Resources

- Ponemon Institute – www.vontu.com/uploadedFiles/global/Ponemon Vontu_US_Survey-Data_at-Risk.pdf
- FBI – Crimes statistics and CSI report – http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
- Gartner – http://www.gartner.com/
- Wikipedia – http://en.wikipedia.org/wiki/Main_Page
- Security Focus – http://www.securityfocus.com/infocus/1608
- PTA – Practical Threat Analysis – http://ptatechnologies.com

Calculators

- Information Shield – http://www.informationshield.com/privacybreachcalc.html
- Tech 404 – http://www.tech-404.com/calculator.html

Questions And Answers

Contact Info: [email protected]