1. October 20, 2010
Presented By:
Susan Kastan
Penny Klein

2. Bio
 Susan Kastan has been in the information technology
field for 20+ years, and currently specializes in
Business Continuity. She has developed numerous
security policies, procedures and plans for various
government, association and private industry.
 Penny Klein brings 20+ years of information
assurance experience, specializing in IA policies. She
has developed a Business Contingency Program for a
major association, as well as policies, procedures and
plans for numerous government and private industries
October 20, 2010 2Kastan Consulting/PJKlein Consulting

3. Business Continuity
 Business Continuity – The smooth continuation of
business activity despite an interruption of service
 No size restrictions
 Tailored to environment
 Information technology as well as personnel and
processes
October 20, 2010 3Kastan Consulting/PJKlein Consulting

4. Business Continuity
 In the event a incident occurs:
 Operations are likely to be disrupted
 Offices are likely to be closed down or destroyed
 People may get hurt or killed
 People are likely to have their employment disrupted
October 20, 2010 4Kastan Consulting/PJKlein Consulting

5. Risk Assessment
 Risk Assessment – Activities that discover an
organization's vulnerabilities, threats and impact.
Additionally , it identifies the countermeasure to
mitigate the risk, the associated costs, and the risk
tolerance (risk the organization is willing to accept)
October 20, 2010 5Kastan Consulting/PJKlein Consulting

6. Business Impact Assessment
 Business Impact Assessment (BIA) - Analyzes
mission criticality of all enterprise functions, the
current threats, and consequences of losing some or all
of these functions.
 Also known as Business Impact Analysis
October 20, 2010 6Kastan Consulting/PJKlein Consulting

7. Steps in Business Continuity
 Conduct Risk Assessment
 Conduct BIA
 Develop and Document
 Train & Test
 Implement
 Maintain
October 20, 2010 7Kastan Consulting/PJKlein Consulting

8. Risk Assessment
 Purpose of a Risk Assessment
 Identifies current threats
 Identifies current vulnerabilities
 Identifies impact of the threats to the vulnerabilities
 Provides for Risk Management, that is, what risk is the
organization willing to accept, reduce/correct, or
transfer
October 20, 2010 8Kastan Consulting/PJKlein Consulting

9. Business Impact Assessment
 Identifies:
 Mission Critical and Mission Essential Requirements
 Recovery Phases
 Critical Factors
 Assumptions
 Evaluation Criteria
 Critical Dependencies
 Recommendations
October 20, 2010 9Kastan Consulting/PJKlein Consulting

10. Business Impact Assessment
 Benefits
 Raises senior management’s awareness of the state of
their business and helps to justify the need for a
business continuity plan
 Ensures that a suitable business continuity strategy and
effective business continuity plan will be developed
 Identifies and prioritizes recovery of mission critical
business functions and processes
October 20, 2010 10Kastan Consulting/PJKlein Consulting

11. Business Impact Assessment
 Benefits – cont’d
 Identifies requirements for recovery of critical IT
systems, applications, vital records, equipment and
resources
 Identifies extent of financial impact
 Identifies extent of operational impact
October 20, 2010 11Kastan Consulting/PJKlein Consulting

12. Business Impact Assessment
 Process
 Awareness
 Provide to Management and Team
 Ensure buy-in to the process
 Data Gathering
 Management’s vision
 Interviews and/or general surveys
 Threat Analysis and Requirements Analysis
 Reviews
 Department review
 Senior management review
 Evaluation and Recommendation
 Build recovery plans for “time sensitive”/mission critical plans
October 20, 2010 12Kastan Consulting/PJKlein Consulting

13. Business Impact Assessment
 Awareness
 Brief Senior Management and Stakeholders
 GET BUY-IN
 Provide a high level overview of the process
 Identify benefits
 Reference guide
 Useful and easy to follow presentation of the data collected
 Comprehensive view of all the requirements
 Requirements guide for developing and implementing risk
mitigation strategies
 Provides validation and justification for funding all BCP
requirements
October 20, 2010 13Kastan Consulting/PJKlein Consulting

14. Business Impact Assessment
 Gather data
 Business processes
 Resources
 Interdependencies
 Impacts over time
 Maximum Allowable Downtime (MAD)
 Recovery Time Objective (RTO)
 Recovery Point Objective (RPO)
October 20, 2010 14Kastan Consulting/PJKlein Consulting

15. Business Impact Assessment
 Determine the impact of scenarios on processes
 Loss of key people
 Loss of location
 Loss of power
 Loss of communications
 Loss of technology
 Loss of information
October 20, 2010 15Kastan Consulting/PJKlein Consulting

16. Business Impact Assessment
 Impact types/categories
 Financial
 Legal/regulatory
 Customer loss/dissatisfaction
 Reputation impact
 Time sensitive material
October 20, 2010 16Kastan Consulting/PJKlein Consulting

17. Business Impact Assessment
 Low - May result in the loss of some tangible
assets or resources or may noticeably affect an
organization’s mission, reputation, or interest.
 Medium - May result in the costly loss of tangible
assets or resources; may violate, harm, or impede
an organization’s mission, reputation, or interest;
or may result in human injury.
Based on NIST 800-30
October 20, 2010 17Kastan Consulting/PJKlein Consulting

18. Business Impact Assessment
 High - May result in the highly costly loss of major
tangible assets or resources; may significantly
violate, harm, or impede an organization’s
mission, reputation, or interest; or may result in
human death or serious injury.
Based on NIST 800-30
October 20, 2010 18Kastan Consulting/PJKlein Consulting

19. Business Impact Assessment
 Department Review
 Changes
 Inaccuracies/ misinterpretation
 Verify timelines are correct
 RTO
 RPO
 MAD
October 20, 2010 19Kastan Consulting/PJKlein Consulting

20. Business Impact Assessment
 Senior Management Review
 Prioritize for entire company
 Determine path forward based on
 Cost
 Speed of Recovery
 Quality
 Impacts to business
October 20, 2010 20Kastan Consulting/PJKlein Consulting

21. Business Impact Assessment
 Follow On
 Take what you’ve learned and build out the Business
Continuity Plan
 BIA is the basis for the risk decisions
 Start with most critical or time sensitive
October 20, 2010 21Kastan Consulting/PJKlein Consulting

22. Exercise
 Santa attended a conference in January about business
continuity.
 He wants to put a business continuity plan in place.
 It’s a little later than he would like, but he would like to
start with the Business Impact Assessments.
 Our goal:
 Identify critical processes
 Create list of top 10
October 20, 2010 22Kastan Consulting/PJKlein Consulting

23. Exercise
 Santa delivers 2 toys (or coal) to all children around
the globe who believe in him
 24 hours to do it
 Santa is the President of Santa’s Workshop, Inc.
 151,000+ employees
 Week before (and Christmas day) is critical to him
 Everyone believes what they do is critical to operations
 A little bit of technology helps!
October 20, 2010 Kastan Consulting/PJKlein Consulting 23

24. Contact Information
Penny Klein
PJKlein Consulting, LLC
Penny.Klein@
pjkleinllc.com
www.pjkleinllc.com
703.901.1932
Susan Kastan
Kastan Consulting, LLC
Susan.Kastan@
kastanconsulting.com
www.kastanconsulting.com
585.724.0804
October 20, 2010 24Kastan Consulting/PJKlein Consulting