Business Impact Analysis 101
Bruce Lobree, CISSP, CISM, CIPP
Risk Realization Costs

Agenda
- Risk Assessment Worksheet Terms
- Business Impact Analysis – What
- Risk Loss Types
- What, Why, Who, How
- Practical Threat Analysis – Free Tool
- Online Tools – Free Tools
- Example 1 – Lost Data
- Resources
- Q&A

Risk Assessment Worksheet Terms

Quantitative Analysis
In finance, the discipline of someone who applies mathematics (stochastic calculus, among others) to finance. For a BIA it is the process of assigning a value to an item.

Business Impact Analysis
A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:
1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process
Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.

Annual Loss Expectancy
Annual Loss Expectancy (ALE) – the calculation by which you determine the potential loss that will occur annually.
- Single Loss Expectancy (SLE)
- Annual Rate of Occurrence (ARO)
- Annual Loss Expectancy (ALE) = SLE x ARO
- AALE – Acceptable Annual Loss Expectancy – do you have one?

Single Loss Expectancy
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as:
SLE = NA x AV
where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity.
The result is a monetary value in the same currency unit as the Asset Value (euros, dollars, yen, etc.).

What
- Define impact
- How detailed to make it
- Where the data comes from
- What format will you deliver it in
- Graphs, charts and other wasted information
- KEEP IT SIMPLE!!!!!!!!!

Why
- Qualify actual costs
- What is the business risk
- What is the technical risk, and why are the two different
- Justify projects and their spend
- Cost avoidance

Who
- Who is your target audience: Management, Non-Management, Technical, Other
- Who supports putting the data together
- What is your source – don't make up data

How
- Define what you are analyzing
- Define your attack vectors (more is better)
- Define the potential impact – what is going to be lost
- Define your costs and do the math
- DON'T INFLATE YOUR NUMBERS – use realistic numbers

PTA – Practical Threat Analysis
A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system. Its model elements are:
- Assets
- Threats
- Vulnerabilities
- Countermeasures
- Implemented Countermeasures
- Entry Points
- Attacker Types
- Tags
(PTA tool screenshots)

Online Tools – Free Tools (screenshots)
- Privacy Breach Impact Calculator – Information Shield
- Tech//404 Data Loss Cost Calculator – Data
- Tech//404 Data Loss Cost Calculator – Graph

Example 1 – Database Lost
Stolen Laptop Scenario – An employee in marketing has several large accounts; these individuals buy widgets from him. On his laptop he has 400 clients' information, including all their contact, billing and purchasing records. His laptop is "stolen" out of the trunk of his car on a Friday night while he is having a beer with some friends. He does not notice it is gone until Monday morning when he gets back to work.
Analysis
400 clients – Name, Address, Account Number, Credit Card Number
Direct Loss:
- Notification
- Legal fees
- Fines
Ponemon Institute (per record costs):
- $140 – Notification / Credit service
- $94 – Reputation damage (lost customers, new customers, loss of data, etc.)
- $134 per record
- $53,600 – Total loss cost per incident
Cost to encrypt a laptop – $389 (PGP)
Cost if the workstation has Vista – $0

Calculating Odds of Occurrence
- 1 in 14 laptops will be stolen in 2007 – FBI
- 85 employees carry laptops with client data on them
- 6 laptops will be lost or stolen annually
- $321,600 loss potential (bottom-line impact)
- $33,065 to encrypt all laptops

For More Information – Resources
- Ponemon Institute – www.vontu.com/uploadedFiles/global/PonemonVontu_US_Survey-Data_at-Risk.pdf
- FBI – Crime statistics and CSI report – http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
- Gartner – http://www.gartner.com/
- Wikipedia – http://en.wikipedia.org/wiki/Main_Page
- Security Focus – http://www.securityfocus.com/infocus/1608
- PTA – Practical Threat Analysis – http://ptatechnologies.com
Calculators:
- Information Shield – http://www.informationshield.com/privacybreachcalc.html
- Tech 404 – http://www.tech-404.com/calculator.html

Questions and Answers
Contact Info: bruclo01@noa.nintendo.com
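The Example 1 figures run through the worksheet formulas (SLE = NA x AV, ALE = SLE x ARO), as an added example that is not part of the original deck. It assumes the deck's rounding of 85 / 14 down to 6 incidents per year and carries forward the $134 per-record figure the Analysis slide uses for its $53,600 total.

```python
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class LaptopScenario:
    records_per_laptop: int   # NA: client records carried on one laptop
    cost_per_record: int      # AV: dollar loss per exposed record (Ponemon figure on the slide)
    laptops_exposed: int      # laptops carrying client data
    theft_rate: float         # fraction of laptops stolen per year (FBI: 1 in 14)
    encryption_cost: int      # one-time cost to encrypt one laptop

def single_loss_expectancy(s: LaptopScenario) -> int:
    """SLE = NA x AV: the cost of one lost laptop."""
    return s.records_per_laptop * s.cost_per_record

def annual_rate_of_occurrence(s: LaptopScenario) -> int:
    """ARO: expected thefts per year; the deck rounds 85 / 14 = 6.07 down to 6."""
    return math.floor(s.laptops_exposed * s.theft_rate)

def annual_loss_expectancy(s: LaptopScenario) -> int:
    """ALE = SLE x ARO: the bottom-line annual exposure."""
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s)

def countermeasure_cost(s: LaptopScenario) -> int:
    """Cost of encrypting every exposed laptop (compare against the ALE)."""
    return s.laptops_exposed * s.encryption_cost

def exceeds_aale(s: LaptopScenario, aale: int) -> bool:
    """True when the ALE is above the Acceptable Annual Loss Expectancy."""
    return annual_loss_expectancy(s) > aale

# Inputs taken from the Example 1 slides (constructed here as function inputs).
EXAMPLE_1 = LaptopScenario(
    records_per_laptop=400,
    cost_per_record=134,
    laptops_exposed=85,
    theft_rate=1 / 14,
    encryption_cost=389,
)

if __name__ == "__main__":
    s = EXAMPLE_1
    print(f"SLE per laptop:      ${single_loss_expectancy(s):,}")
    print(f"ARO (laptops/year):  {annual_rate_of_occurrence(s)}")
    print(f"ALE:                 ${annual_loss_expectancy(s):,}")
    print(f"Encrypt all laptops: ${countermeasure_cost(s):,}")
```

Setting encryption_cost to 0 reproduces the Vista case on the slide, where the safeguard cost is nil but the ALE is unchanged until the control is actually deployed.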