6.2. Understanding Business Continuity Planning

Business Continuity Planning (BCP) is the process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes. BCP is primarily a management tool that ensures that critical business functions (CBF) can be performed when normal business operations are disrupted.

Critical business functions refer to those processes or systems that must be made operational immediately when an outage occurs. The business can't function without them, and many are information intensive and require access to both technology and data.

Two of the key components of BCP are Business Impact Analysis (BIA) and risk assessment. BIA is concerned with evaluating the processes, and risk assessment is concerned with evaluating the risk or likelihood of a loss. Evaluating all the processes in an organization or enterprise is necessary in order for BCP to be effective.

You need only a passing knowledge of business continuity issues for the Security+ exam. If you plan on taking the Project+ exam, also from CompTIA, you will need a more thorough knowledge of the topics.


6.2.1. Undertaking Business Impact Analysis

Business Impact Analysis (BIA) is the process of evaluating all the critical systems in an organization to determine impact and recovery plans. The BIA isn't concerned with external threats or vulnerabilities; this analysis focuses on the impact a loss would have on the organization.

The key components of a BIA include the following:


Identifying critical functions

To identify critical functions, a company must ask itself, "What functions are necessary to continue operations until full service can be restored?" This identification process will help you establish which systems must be returned to operation in order for the business to continue. In performing this identification, you may find that a small or overlooked application in a department may be critical for operations. Many organizations have overlooked seemingly insignificant process steps or systems that have prevented BCP from being effective. Every department should be evaluated to ensure that no critical processes are overlooked.


Prioritizing critical business functions

When business is continued after an event, operations must be prioritized as to essential and nonessential functions. If the organization makes resources available to the recovery process, these resources may be limited. Further, in a widespread outage, full operation may not be possible for some time. What would happen, for example, if your data communications services went down? You can usually establish temporary services, but you probably won't be able to restore full network capability. You should be clear about which applications or systems have priority for the resources available. Your company may find itself choosing to restore e-mail before it restores its website.


Calculating a time frame for critical systems loss

How long can the organization survive without a critical function? Some functions in an organization don't require immediate action; others do. Which functions must be reestablished, and in what time frame? If your business is entirely dependent on its web presence and is e-commerce oriented, how long can the website stay inoperable? Your organization may need to evaluate and attempt to identify the maximum time that a particular function can be unavailable. This dictates the contingencies that must be made to minimize losses from exceeding the allowable period.


Estimating the tangible and intangible impact on the organization

Your organization will suffer losses in an outage. These losses will be of a tangible nature, such as lost production and lost sales. Intangible losses will also be a factor. For example, will customers lose faith in your service? Your discovery of these effects can greatly increase the company's realization of how much a loss of service will truly cost.

A thorough BIA will accomplish several things for your organization. First, the true impact and damage that an outage will cause will be visible. Second, like insurance, understanding the true loss potential may help you in your fight for a budget. Third, and perhaps most important, the process will document what business processes are being used, the impact they have on the organization, and how to restore them quickly.

The BIA will have some power in the organization as the costs of an outage become known. People buy insurance not because they intend to have an accident, but in case they do. A BIA can help identify what insurance is needed in order for the organization to feel safe.

6.2.2. Assessing Risk

Risk assessment (also referred to as a risk analysis) primarily deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or information. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key is to think out of the box. Conventional threats/risks are often too limited when considering risk assessment.

The key components of a risk-assessment process are outlined here:


Risks to which the organization is exposed

This component allows you to develop scenarios that can help you evaluate how to deal with these risks should they occur. An operating system, server, or application may have known risks in certain environments. How will your organization deal with these risks, and what is the best way to respond?


Risks that need addressing

The risk-assessment component also allows the organization to provide a reality check on which risks are real and which aren't likely. This process helps the organization focus its resources on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a pack of wild dogs stealing the entire contents of the payroll file is very low. Therefore, resources should be allocated to prevent espionage or theft as opposed to the latter possibility.


Coordination with BIA

The risk-assessment component, in conjunction with the BIA, provides the organization with an accurate picture of the situation facing it. It allows the organization to make intelligent decisions about how to respond to various scenarios.

NOTE

Risk assessment can be either qualitative or quantitative, depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts.

Real World Scenario: Conducting a Risk Assessment

You've been asked to do a quick assessment of the risks your company faces from a security perspective. What steps might you take to develop an overview of your company's problems?

You should interview the department heads and the owners to determine what information they feel needs additional security and what the existing vulnerabilities are from their perspectives. You should also evaluate the servers to determine their known vulnerabilities and how you might counter them. Additionally, you should make sure you do a physical assessment of the facility to evaluate what physical risks you must counter. Armed with this information, you have a place to start, and you can determine which measures may be appropriate for the company from a risk perspective.


When you're doing a risk assessment, one of the most important things to do is to prioritize. Not everything should be weighed evenly because some events have a greater likelihood of happening; in addition, a company can live with some risks, whereas others would be catastrophic. One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:

SLE × ARO = ALE

Thus, if you can reasonably expect that every SLE will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.

Real World Scenario: Risk-Assessment Computations

As a security professional, you should know how to compute SLE, ALE, and ARO. Given any two of the numbers, it's possible to calculate the third. For this exercise, compute the missing values:

  1. You're the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing is estimated to be 25 percent, and a failure would lead to three hours of downtime and cost $5,000 in components to correct. What is the ALE?

    The SLE is $80,000 ($25,000 × 3 hours + $5,000), and the ARO is .25. Therefore the ALE is $20,000 ($80,000 × .25).

  2. You're the administrator for a research firm that works on only one project at a time and collects data through the Web to a single server. The value of each research project is approximately $100,000. At any given time, an intruder could commandeer no more than 90 percent of the data. The industry average for ARO is .33. What is the ALE?

    The SLE equals $90,000 ($100,000 × .9), and the ARO is .33. Therefore, the ALE is $29,700 ($90,000 × .33).

  3. You work at the help desk for a small company. One of the most common requests you must respond to is to help retrieve a file that has been accidentally deleted by a user. On average, this happens once a week. If the user creates the file and then deletes it on the server (about 60 percent of the incidents), then it can be restored in moments from the shadow copy, and there is rarely any data lost. If the user creates the file on their workstation and then deletes it (about 40 percent of the incidents), and if it can't be recovered and it takes the user an average of two hours to re-create it at $12 an hour, what is the ALE?

    The SLE is $24 ($12 × 2), and the ARO is 20.8 (52 weeks × .4). Therefore the ALE equals $499.20 ($24 × 20.8).
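The SLE × ARO = ALE relationship and the three computations above, as an added Python example that is not part of the study guide: `solve_risk` fills in whichever of the three values is missing (with the zero-ARO and zero-SLE cases handled), `sle_from_downtime` is an assumed helper for outage-style SLEs, and the three scenario functions reproduce the worked answers.

```python
"""Quantitative risk-assessment helpers: SLE, ARO and ALE.

Added example (not from the study guide). Implements SLE x ARO = ALE,
solves for the missing value given any two, and reproduces the three
worked scenarios from the text. Function names are assumptions.
"""
from typing import Optional


def solve_risk(sle: Optional[float] = None, aro: Optional[float] = None,
               ale: Optional[float] = None) -> dict:
    """Given exactly two of SLE, ARO and ALE, return all three.

    Dollar values are rounded to cents, ARO to four decimals.
    """
    if [sle, aro, ale].count(None) != 1:
        raise ValueError("supply exactly two of sle, aro, ale")
    if ale is None:                      # SLE x ARO = ALE
        ale = sle * aro
    elif sle is None:                    # SLE = ALE / ARO
        if aro == 0:
            raise ZeroDivisionError("ARO of 0 means no expected loss; SLE is undefined")
        sle = ale / aro
    else:                                # ARO = ALE / SLE
        if sle == 0:
            raise ZeroDivisionError("SLE of 0 means no loss per event; ARO is undefined")
        aro = ale / sle
    return {"sle": round(sle, 2), "aro": round(aro, 4), "ale": round(ale, 2)}


def sle_from_downtime(revenue_per_hour: float, hours_down: float,
                      repair_cost: float = 0.0) -> float:
    """SLE for an outage: revenue lost during the outage plus repair costs."""
    return revenue_per_hour * hours_down + repair_cost


def scenario_web_server() -> dict:
    # Scenario 1: $25,000/hour, 3 hours down, $5,000 in components, 25% yearly chance.
    return solve_risk(sle=sle_from_downtime(25_000, 3, 5_000), aro=0.25)


def scenario_research_firm() -> dict:
    # Scenario 2: at most 90% of a $100,000 project exposed, industry ARO of .33.
    return solve_risk(sle=100_000 * 0.9, aro=0.33)


def scenario_help_desk() -> dict:
    # Scenario 3: weekly deletions, only the 40% on workstations cause loss;
    # each costs 2 hours of re-creation at $12/hour.
    return solve_risk(sle=12 * 2, aro=52 * 0.4)
```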

