Business Impact Assessments and Risk Assessments lay the foundation for a successful Disaster Recovery and Business Continuity program. This presentation will examine the elements of the assessments and focus on how the assessment results help a business determine areas of risk and potential impact to their business when things go wrong. Audience members will participate in an assessment exercise.
Susan Kastan, Kastan Consulting
Susan Kastan has worked over 20 years in the information technology field with experience in business continuity planning, security analysis, systems development, and project management.
She is currently focused on developing business continuity and disaster recovery plans for companies and associations. Susan has experience in all areas of the business continuity life cycle including risk and business continuity assessments, business impact analysis, plan development, training, testing, and plan maintenance. She also writes information security policies and procedures providing organizations the necessary framework to secure their information systems.
Penny Klein, PJKlein Consulting
Penny Johnson Klein has been in the Information Assurance field for over 20 years and is a recognized expert in the field. During her career, she has provided support for various Department of Defense (DOD) Agencies, Federal Agencies, and the Private Sector. She spent 14 years with DOD, with 13 of those years in the Information Assurance arena, assisting in the development of security policies, processes, and procedures. She was one of the prime authors of the DOD Information Technology Security Certification and Accreditation Process (DITSCAP), and contributor to the National Information Assurance Certification and Accreditation Process (NIACAP). In addition, Ms. Klein has directed numerous successful Security Test and Evaluations and has developed information security programs.
2. Bio
Susan Kastan has been in the information technology field for 20+ years, and currently specializes in Business Continuity. She has developed numerous security policies, procedures and plans for various government, association and private industry.
Penny Klein brings 20+ years of information assurance experience, specializing in IA policies. She has developed a Business Contingency Program for a major association, as well as policies, procedures and plans for numerous government and private industries.
October 20, 2010 Kastan Consulting/PJKlein Consulting
3. Business Continuity
Business Continuity – The smooth continuation of business activity despite an interruption of service
No size restrictions
Tailored to environment
Information technology as well as personnel and processes
4. Business Continuity
In the event an incident occurs:
Operations are likely to be disrupted
Offices are likely to be closed down or destroyed
People may get hurt or killed
People are likely to have their employment disrupted
5. Risk Assessment
Risk Assessment – Activities that discover an organization's vulnerabilities, threats and impact. Additionally, it identifies the countermeasures to mitigate the risk, the associated costs, and the risk tolerance (risk the organization is willing to accept).
6. Business Impact Assessment
Business Impact Assessment (BIA) – Analyzes mission criticality of all enterprise functions, the current threats, and consequences of losing some or all of these functions.
Also known as Business Impact Analysis
7. Steps in Business Continuity
Conduct Risk Assessment
Conduct BIA
Develop and Document
Train & Test
Implement
Maintain
8. Risk Assessment
Purpose of a Risk Assessment
Identifies current threats
Identifies current vulnerabilities
Identifies impact of the threats to the vulnerabilities
Provides for Risk Management, that is, what risk is the organization willing to accept, reduce/correct, or transfer
10. Business Impact Assessment
Benefits
Raises senior management’s awareness of the state of their business and helps to justify the need for a business continuity plan
Ensures that a suitable business continuity strategy and effective business continuity plan will be developed
Identifies and prioritizes recovery of mission critical business functions and processes
11. Business Impact Assessment
Benefits – cont’d
Identifies requirements for recovery of critical IT systems, applications, vital records, equipment and resources
Identifies extent of financial impact
Identifies extent of operational impact
12. Business Impact Assessment
Process
Awareness
Provide to Management and Team
Ensure buy-in to the process
Data Gathering
Management’s vision
Interviews and/or general surveys
Threat Analysis and Requirements Analysis
Reviews
Department review
Senior management review
Evaluation and Recommendation
Build recovery plans for “time sensitive”/mission critical processes
13. Business Impact Assessment
Awareness
Brief Senior Management and Stakeholders
GET BUY-IN
Provide a high level overview of the process
Identify benefits
Reference guide
Useful and easy to follow presentation of the data collected
Comprehensive view of all the requirements
Requirements guide for developing and implementing risk mitigation strategies
Provides validation and justification for funding all BCP requirements
14. Business Impact Assessment
Gather data
Business processes
Resources
Interdependencies
Impacts over time
Maximum Allowable Downtime (MAD)
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
15. Business Impact Assessment
Determine the impact of scenarios on processes
Loss of key people
Loss of location
Loss of power
Loss of communications
Loss of technology
Loss of information
16. Business Impact Assessment
Impact types/categories
Financial
Legal/regulatory
Customer loss/dissatisfaction
Reputation impact
Time sensitive material
17. Business Impact Assessment
Low – May result in the loss of some tangible assets or resources or may noticeably affect an organization’s mission, reputation, or interest.
Medium – May result in the costly loss of tangible assets or resources; may violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human injury.
Based on NIST 800-30
18. Business Impact Assessment
High – May result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.
Based on NIST 800-30
19. Business Impact Assessment
Department Review
Changes
Inaccuracies/misinterpretation
Verify timelines are correct
RTO
RPO
MAD
20. Business Impact Assessment
Senior Management Review
Prioritize for entire company
Determine path forward based on
Cost
Speed of Recovery
Quality
Impacts to business
21. Business Impact Assessment
Follow On
Take what you’ve learned and build out the Business Continuity Plan
BIA is the basis for the risk decisions
Start with most critical or time sensitive
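The department review (verify RTO, RPO and MAD) and the "start with the most critical or time sensitive" rule above can be turned into a small consistency check and ranking. This is an added example, not material from the presentation; the data is constructed around the Santa's Workshop exercise, and the ordering rule (NIST 800-30 impact level first, then shortest MAD) is my assumption, not the presenters' method.

```python
"""Added example: check BIA timeline data and rank processes for the top-10 list.

Assumptions (mine, not the slides'): impact uses the NIST 800-30 Low/Medium/High
magnitudes; a process passes department review only if RTO <= MAD and all
timelines are non-negative; ranking is by impact level, then by shortest MAD.
"""
from dataclasses import dataclass

IMPACT_SCORE = {"Low": 1, "Medium": 2, "High": 3}  # NIST 800-30 magnitude of impact


@dataclass
class Process:
    name: str
    impact: str        # Low / Medium / High
    mad_hours: float   # Maximum Allowable Downtime
    rto_hours: float   # Recovery Time Objective
    rpo_hours: float   # Recovery Point Objective


def timeline_issues(p):
    """Return department-review findings for one process (empty list = consistent)."""
    issues = []
    if p.impact not in IMPACT_SCORE:
        issues.append(f"{p.name}: impact must be Low/Medium/High, got {p.impact!r}")
    if p.rto_hours > p.mad_hours:
        # Recovering slower than the business can tolerate is a plan that cannot work.
        issues.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAD {p.mad_hours}h")
    if p.mad_hours <= 0 or p.rto_hours < 0 or p.rpo_hours < 0:
        issues.append(f"{p.name}: timelines must be non-negative (MAD > 0)")
    return issues


def rank_processes(processes, top_n=10):
    """Rank processes that passed review: highest impact first, then shortest MAD."""
    valid = [p for p in processes if not timeline_issues(p)]
    ordered = sorted(valid, key=lambda p: (-IMPACT_SCORE[p.impact], p.mad_hours, p.name))
    return [p.name for p in ordered[:top_n]]


# Constructed sample data for the Santa's Workshop exercise; values are illustrative.
SAMPLE = [
    Process("Sleigh navigation", "High", 2, 1, 0.5),
    Process("Nice/naughty list database", "High", 12, 4, 1),
    Process("Toy assembly line", "Medium", 48, 24, 8),
    Process("Reindeer feed ordering", "Low", 168, 72, 24),
    Process("Letter intake mailroom", "Medium", 72, 96, 24),  # RTO > MAD: sent back to the department
]

if __name__ == "__main__":
    for proc in SAMPLE:
        for issue in timeline_issues(proc):
            print("REVIEW:", issue)
    print(rank_processes(SAMPLE))
```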
22. Exercise
Santa attended a conference in January about business continuity.
He wants to put a business continuity plan in place.
It’s a little later than he would like, but he would like to start with the Business Impact Assessments.
Our goal:
Identify critical processes
Create list of top 10
23. Exercise
Santa delivers 2 toys (or coal) to all children around the globe who believe in him
24 hours to do it
Santa is the President of Santa’s Workshop, Inc.
151,000+ employees
Week before (and Christmas day) is critical to him
Everyone believes what they do is critical to operations
A little bit of technology helps!
24. Contact Information
Penny Klein
PJKlein Consulting, LLC
Penny.Klein@pjkleinllc.com
www.pjkleinllc.com
703.901.1932
Susan Kastan
Kastan Consulting, LLC
Susan.Kastan@kastanconsulting.com
www.kastanconsulting.com
585.724.0804