October 20, 2010. Presented by: Susan Kastan, Penny Klein

Business Impact and Risk Assessments in Business Continuity and Disaster Recovery


Business Impact Assessments and Risk Assessments lay the foundation for a successful Disaster Recovery and Business Continuity program. This presentation will examine the elements of the assessments and focus on how the assessment results help a business determine areas of risk and potential impact to their business when things go wrong. Audience members will participate in an assessment exercise.

Susan Kastan, Kastan Consulting: Susan Kastan has worked over 20 years in the information technology field with experience in business continuity planning, security analysis, systems development, and project management. She is currently focused on developing business continuity and disaster recovery plans for companies and associations. Susan has experience in all areas of the business continuity life cycle including risk and business continuity assessments, business impact analysis, plan development, training, testing, and plan maintenance. She also writes information security policies and procedures providing organizations the necessary framework to secure their information systems.

Penny Klein, PJKlein Consulting: Penny Johnson Klein has been in the Information Assurance field for over 20 years and is a recognized expert in the field. During her career, she has provided support for various Department of Defense (DOD) Agencies, Federal Agencies, and the Private Sector. She spent 14 years with DOD, with 13 of those years in the Information Assurance arena, assisting in the development of security policies, processes, and procedures. She was one of the prime authors of the DOD Information Technology Security Certification and Accreditation Process (DITSCAP), and contributor to the National Information Assurance Certification and Accreditation Process (NIACAP). In addition, Ms. Klein has directed numerous successful Security Test and Evaluations and has developed information security programs.

Page 1: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

October 20, 2010

Presented By: Susan Kastan, Penny Klein

Page 2: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Bio

Susan Kastan has been in the information technology field for 20+ years, and currently specializes in Business Continuity. She has developed numerous security policies, procedures and plans for government agencies, associations and private industry.

Penny Klein brings 20+ years of information assurance experience, specializing in IA policies. She has developed a Business Contingency Program for a major association, as well as policies, procedures and plans for numerous government agencies and private industries.

October 20, 2010, Kastan Consulting/PJKlein Consulting

Page 3: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Continuity

Business Continuity – The smooth continuation of business activity despite an interruption of service

No size restrictions

Tailored to environment

Information technology as well as personnel and processes


Page 4: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Continuity

In the event an incident occurs:

Operations are likely to be disrupted

Offices are likely to be closed down or destroyed

People may get hurt or killed

People are likely to have their employment disrupted


Page 5: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Risk Assessment

Risk Assessment – Activities that discover an organization's vulnerabilities, threats and impact. Additionally, it identifies the countermeasures to mitigate the risk, the associated costs, and the risk tolerance (the risk the organization is willing to accept).


Page 6: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Business Impact Assessment (BIA) - Analyzes mission criticality of all enterprise functions, the current threats, and consequences of losing some or all of these functions.

Also known as Business Impact Analysis


Page 7: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Steps in Business Continuity

Conduct Risk Assessment

Conduct BIA

Develop and Document

Train & Test

Implement

Maintain


Page 8: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Risk Assessment

Purpose of a Risk Assessment

Identifies current threats

Identifies current vulnerabilities

Identifies impact of the threats to the vulnerabilities

Provides for Risk Management, that is, what risk is the organization willing to accept, reduce/correct, or transfer


Page 9: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment Identifies:

Mission Critical and Mission Essential Requirements

Recovery Phases

Critical Factors

Assumptions

Evaluation Criteria

Critical Dependencies

Recommendations


Page 10: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Benefits

Raises senior management’s awareness of the state of their business and helps to justify the need for a business continuity plan

Ensures that a suitable business continuity strategy and effective business continuity plan will be developed

Identifies and prioritizes recovery of mission critical business functions and processes


Page 11: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Benefits – cont’d

Identifies requirements for recovery of critical IT systems, applications, vital records, equipment and resources

Identifies extent of financial impact

Identifies extent of operational impact


Page 12: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment Process

Awareness
  Provide to Management and Team
  Ensure buy-in to the process

Data Gathering
  Management’s vision
  Interviews and/or general surveys

Threat Analysis and Requirements Analysis

Reviews
  Department review
  Senior management review

Evaluation and Recommendation
  Build recovery plans for “time sensitive”/mission critical plans

Page 13: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment Awareness

Brief Senior Management and Stakeholders: GET BUY-IN
  Provide a high level overview of the process
  Identify benefits:
    Reference guide
    Useful and easy to follow presentation of the data collected
    Comprehensive view of all the requirements
    Requirements guide for developing and implementing risk mitigation strategies
    Provides validation and justification for funding all BCP requirements

Page 14: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Gather data

Business processes

Resources

Interdependencies

Impacts over time

Maximum Allowable Downtime (MAD)

Recovery Time Objective (RTO)

Recovery Point Objective (RPO)


Page 15: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Determine the impact of scenarios on processes

Loss of key people

Loss of location

Loss of power

Loss of communications

Loss of technology

Loss of information


Page 16: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Impact types/categories

Financial

Legal/regulatory

Customer loss/dissatisfaction

Reputation impact

Time sensitive material


Page 17: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Low - May result in the loss of some tangible assets or resources or may noticeably affect an organization’s mission, reputation, or interest.

Medium - May result in the costly loss of tangible assets or resources; may violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human injury.

Based on NIST 800-30


Page 18: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

High - May result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

Based on NIST 800-30


Page 19: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Department Review

Changes

Inaccuracies/ misinterpretation

Verify timelines are correct

RTO

RPO

MAD


Page 20: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Senior Management Review

Prioritize for entire company

Determine path forward based on

Cost

Speed of Recovery

Quality

Impacts to business


Page 21: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessment

Follow On

Take what you’ve learned and build out the Business Continuity Plan

BIA is the basis for the risk decisions

Start with most critical or time sensitive


Page 22: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Exercise

Santa attended a conference in January about business continuity.

He wants to put a business continuity plan in place.

It’s a little later than he would like, but he would like to start with the Business Impact Assessments.

Our goal:

Identify critical processes

Create list of top 10


Page 23: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Exercise

Santa delivers 2 toys (or coal) to all children around the globe who believe in him

24 hours to do it

Santa is the President of Santa’s Workshop, Inc.

151,000+ employees

Week before (and Christmas day) is critical to him

Everyone believes what they do is critical to operations

A little bit of technology helps!
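As an added worked example (not part of the slides), the BIA data from slides 14 and 17 to 20 and this exercise modelled in Python: each process carries its MAD, RTO and RPO, NIST 800-30 style impact ratings per category, and its critical dependencies; the department-review check flags an RTO that exceeds its MAD or a dependency that recovers more slowly than the process relying on it, and the ranking produces the "top 10" the exercise asks for. The process names and hours are constructed, not figures from the presentation.

```python
from dataclasses import dataclass, field

# Impact ratings used on slides 17-18 (based on NIST SP 800-30)
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Process:
    name: str
    mad_hours: float            # Maximum Allowable Downtime (MAD)
    rto_hours: float            # Recovery Time Objective (RTO)
    rpo_hours: float            # Recovery Point Objective (RPO)
    impacts: dict               # impact category -> "Low" | "Medium" | "High"
    depends_on: list = field(default_factory=list)  # critical dependencies

def overall_impact(p: Process) -> int:
    """The highest rating across impact categories decides the process rating."""
    return max(LEVEL[v] for v in p.impacts.values())

def validate(procs: list) -> list:
    """Department-review checks on timelines: an RTO must fit inside the MAD,
    and a process cannot recover faster than a process it depends on."""
    by_name = {p.name: p for p in procs}
    findings = []
    for p in procs:
        if p.rto_hours > p.mad_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAD {p.mad_hours}h")
        for d in p.depends_on:
            dep = by_name[d]
            if dep.rto_hours > p.rto_hours:
                findings.append(f"{p.name}: dependency {d} has RTO {dep.rto_hours}h, "
                                f"longer than its own RTO {p.rto_hours}h")
    return findings

def prioritize(procs: list, top_n: int = 10) -> list:
    """Rank by impact rating, then by shortest MAD (most time sensitive first)."""
    ranked = sorted(procs, key=lambda p: (-overall_impact(p), p.mad_hours))
    return [p.name for p in ranked[:top_n]]

# Constructed sample inventory for Santa's Workshop, Inc. (hypothetical values)
PROCESSES = [
    Process("Sleigh dispatch", 4, 2, 1, {"Time sensitive": "High", "Customer": "High"},
            depends_on=["Naughty/nice list"]),
    Process("Naughty/nice list", 24, 8, 24, {"Legal/regulatory": "Medium"}),
    Process("Toy assembly", 72, 48, 24, {"Financial": "High"}),
    Process("Payroll", 168, 72, 24, {"Legal/regulatory": "Medium", "Financial": "Medium"}),
    Process("Gift wrapping", 48, 72, 8, {"Customer": "Low"}),  # RTO > MAD: must be caught
]
```

Running validate(PROCESSES) reports the two timeline inconsistencies and prioritize(PROCESSES) returns the processes ordered for the senior management review.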


Page 24: Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Contact Information

Penny Klein

PJKlein Consulting, LLC

Penny.Klein@pjkleinllc.com

www.pjkleinllc.com

703.901.1932

Susan Kastan

Kastan Consulting, LLC

Susan.Kastan@kastanconsulting.com

www.kastanconsulting.com

585.724.0804
