Business Impact Analysis

Business Impact Analysis 101
Bruce Lobree, CISSP, CISM, CIPP
Risk Realization Costs
Agenda

Risk Assessment Worksheet
Terms
Business Impact Analysis – What Risk
Loss Types
What, Why, Who, How
Practical Threat Analysis – Free Tool
Online Tools – Free Tools
Example 1 – Lost data
Resources
Q&A
Risk Assessment Worksheet
Terms

Quantitative Analysis
The process of assigning a value (here, a monetary value) to an item, so that losses can be compared and added up in the same units.
(In finance, a quantitative analyst, or “quant”, is someone who applies mathematics, among others stochastic calculus, to finance; the term in this deck refers to the analysis, not the analyst.)
Business Impact Analysis

A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:
1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process
Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.
Annual Loss Expectancy

Annual Loss Expectancy (ALE) – The calculation by which you determine the potential loss that will occur annually.
Single Loss Expectancy (SLE) – The loss from a single occurrence of the event (defined on the next slide).
Annual Rate of Occurrence (ARO) – How many times per year the event is expected to occur.
Annual Loss Expectancy (ALE) = SLE x ARO
AALE – Acceptable Annual Loss Expectancy – Do you have one? (The ALE the organization is willing to carry without spending more on controls; every ALE you calculate should be compared against it.)
Single Loss Expectancy

Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from a single occurrence of a risk on an asset.
It is mathematically expressed as:

SLE = NA x AV

Where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in the same unit as the Asset Value is expressed (euros, dollars, yen, etc).
(The textbook form is SLE = AV x EF, where the Exposure Factor EF is the fraction of the asset’s value lost in one event. The NA x AV form above is the same calculation with EF = 1 and AV taken per item, which is how the laptop example later in this deck counts lost records.)
What

Define Impact
How detailed to make it
Where the data comes from
What format will you deliver it in
Graphs, charts and other wasted information
KEEP IT SIMPLE!
Why

Quantify actual costs
What is the business risk
What is the technical risk, and why the two are different
Justify projects and their spend
Cost avoidance
Who

Who is your target audience
Management
Non-Management
Technical
Other
Who supports putting the data together
What is your source
Don’t make up data
How

Define what you’re analyzing
Define your attack vectors (more is better)
Define the potential impact – what is going to be lost
Define your costs and do the math
DON’T INFLATE YOUR NUMBERS – use realistic numbers
PTA

Practical Threat Analysis

A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system.
The model is built from:
Assets
Threats
Vulnerabilities
Countermeasures
Implemented Countermeasures
Entry Points
Attacker Types
Tags
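To show what “calculative” means over the entity types listed above, here is a small threat model in Python, added as an illustration for this deck. It is not PTA’s software or its scoring method: assets carry a value, threats carry an annual rate and an exposure factor per asset, countermeasures carry a cost and the fraction of a threat’s risk they remove, and a greedy policy picks the countermeasures that buy the most risk reduction per dollar within a budget. All names, values, rates, mitigation fractions and the budget in example_model() are constructed for the example.

```python
"""Calculative threat model: assets, threats, countermeasures, and a
budget-constrained choice of which countermeasures to implement.

Added illustration of what a calculative threat analysis computes over the
entity types listed on this slide. It is NOT PTA's software or its scoring
method, and every value in example_model() is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                    # dollars lost if the asset is fully compromised


@dataclass
class Threat:
    name: str
    annual_rate: float              # expected occurrences per year (the ARO)
    damage: dict[str, float]        # asset name -> exposure factor, 0.0 .. 1.0


@dataclass
class Countermeasure:
    name: str
    cost: float                     # annual cost in dollars
    mitigates: dict[str, float]     # threat name -> fraction of that threat's risk removed


def event_loss(threat: Threat, assets: dict[str, Asset]) -> float:
    """SLE of one occurrence: sum over damaged assets of value x exposure factor."""
    return sum(assets[a].value * ef for a, ef in threat.damage.items())


def residual_factor(threat: Threat, implemented: list[Countermeasure]) -> float:
    """Share of a threat's risk that survives the implemented countermeasures.
    Independent mitigations are composed multiplicatively (a simplification)."""
    factor = 1.0
    for cm in implemented:
        factor *= 1.0 - cm.mitigates.get(threat.name, 0.0)
    return factor


def threat_risk(threat, assets, implemented=()) -> float:
    """ALE contributed by one threat: ARO x SLE x what the countermeasures leave."""
    return threat.annual_rate * event_loss(threat, assets) * residual_factor(threat, list(implemented))


def total_risk(threats, assets, implemented=()) -> float:
    return sum(threat_risk(t, assets, implemented) for t in threats)


def select_countermeasures(threats, assets, candidates, budget) -> list[Countermeasure]:
    """Greedy risk-reduction policy: repeatedly pick the affordable countermeasure
    with the largest risk reduction per dollar, re-evaluating after each pick
    because earlier picks shrink the risk the later ones can still remove.
    A countermeasure whose reduction does not exceed its cost is never chosen."""
    chosen: list[Countermeasure] = []
    pool = list(candidates)
    remaining = budget
    while pool:
        before = total_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for cm in pool:
            if cm.cost > remaining:
                continue
            reduction = before - total_risk(threats, assets, chosen + [cm])
            if reduction <= cm.cost:
                continue
            ratio = reduction / cm.cost if cm.cost else float("inf")  # free controls always win
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            break
        chosen.append(best)
        pool.remove(best)
        remaining -= best.cost
    return chosen


def example_model():
    """Constructed model (values are assumptions, not figures from the deck)."""
    assets = {a.name: a for a in (
        Asset("client-db", 53_600.0),   # breach cost of 400 records at $134 each
        Asset("laptop-hw", 1_500.0),
        Asset("web-server", 100_000.0),
    )}
    threats = [
        Threat("laptop-theft", 6.0, {"client-db": 1.0, "laptop-hw": 1.0}),
        Threat("phishing-creds", 2.0, {"client-db": 0.5}),
        Threat("web-sqli", 0.5, {"web-server": 0.3, "client-db": 1.0}),
    ]
    candidates = [
        Countermeasure("fde", 33_065.0, {"laptop-theft": 0.95}),
        Countermeasure("mfa", 20_000.0, {"phishing-creds": 0.9}),
        Countermeasure("waf", 15_000.0, {"web-sqli": 0.7}),
        Countermeasure("cable-locks", 5_000.0, {"laptop-theft": 0.3}),
    ]
    return threats, assets, candidates


if __name__ == "__main__":
    threats, assets, candidates = example_model()
    chosen = select_countermeasures(threats, assets, candidates, budget=60_000.0)
    print("risk before:", total_risk(threats, assets))
    print("chosen:", [c.name for c in chosen])
    print("risk after:", total_risk(threats, assets, chosen))
```

The point of re-evaluating after each pick is visible in the run: cheap cable locks are taken first, and full-disk encryption is then judged on the laptop risk that remains, not on the original figure. The multiplicative composition of mitigations is the assumption to revisit first when adapting this to a real model; overlapping controls rarely behave independently.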
Privacy Breach Impact Calculator – Information
Shield
Tech//404 Data Loss Cost Calculator - Data
Tech//404 Data Loss Cost Calculator - Graph
Example 1 – Database Lost

Stolen Laptop

Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients’ information, including all their contact, billing and purchasing records.
His laptop is “stolen” out of the trunk of his car on a Friday night while he is in having a beer with some friends. He does not notice it is gone until Monday morning when he gets back to work.
Analysis

400 clients – Name, Address, Account Number, Credit Card Number
Direct loss – Notification, Legal fees, Fines
Ponemon Institute (per-record costs):
$140 – Notification / Credit service
$94 – Reputation damage (lost customers, new customers, loss of data, etc.)
$134 per record
$53,600 – Total loss cost per incident (400 records x $134)
Cost to encrypt a laptop – $389 (PGP)
Cost if the workstation has Vista – $0 (BitLocker, included with Vista Enterprise and Ultimate)
Calculating odds of occurrence

1 in 14 laptops will be stolen in 2007 – FBI
85 employees carry laptops with client data on them
85 / 14 ≈ 6 laptops will be lost or stolen annually (the ARO)
6 x $53,600 = $321,600 loss potential (bottom-line impact, the ALE)
85 x $389 = $33,065 to encrypt all laptops
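The arithmetic of the last three slides (SLE = NA x AV, ALE = SLE x ARO, and the cost of encrypting the fleet) carried through in code, as an added example that is not part of the original deck. It uses the deck’s figures: 400 records, $134 per record, 85 laptops, 1 in 14 stolen per year, $389 per laptop for PGP. Note that the two per-record components printed on the Analysis slide ($140 and $94) do not add up to the $134 total; the example uses the $134 total, which is the figure the $53,600 per-incident loss is built from. The example goes slightly beyond the slides by adding an exposure factor, a net-benefit calculation for a control, and an AALE check; the $1,500 hardware-only loss for an encrypted laptop and the $100,000 AALE are assumptions for illustration, not figures from the deck.

```python
"""ALE worked example for the deck's stolen-laptop scenario (Example 1).

Added illustration; not the deck's own spreadsheet. Inputs are the figures
the slides give (400 records, $134/record, 85 laptops, 1 in 14 stolen per
year, $389 per laptop for PGP). The residual cost of losing an ENCRYPTED
laptop (hardware only) and the AALE threshold are assumptions, not deck figures.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    records_per_laptop: int       # NA in the deck's SLE = NA x AV
    cost_per_record: float        # AV, dollars per record
    laptops: int                  # how many laptops carry client data
    theft_rate: float             # annual per-laptop probability of theft or loss
    exposure_factor: float = 1.0  # EF: fraction of AV lost per event (1.0 = all of it)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = NA x AV x EF. With EF = 1 this is exactly the deck's NA x AV."""
    return s.records_per_laptop * s.cost_per_record * s.exposure_factor


def annual_rate_of_occurrence(s: Scenario, whole_events: bool = False) -> float:
    """ARO for the fleet: expected number of stolen laptops per year.
    The deck rounds 85/14 = 6.07 down to 6 whole laptops; whole_events does the same."""
    aro = s.laptops * s.theft_rate
    return math.floor(aro) if whole_events else aro


def annual_loss_expectancy(s: Scenario, whole_events: bool = False) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s, whole_events)


def fleet_control_cost(s: Scenario, cost_per_laptop: float) -> float:
    """Cost to roll a per-device control (e.g. full-disk encryption) out fleet-wide."""
    return s.laptops * cost_per_laptop


def net_benefit(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Value of a safeguard = risk removed minus what it costs.
    Negative means the control costs more than the risk it buys down."""
    return (ale_before - ale_after) - control_cost


def exceeds_aale(ale: float, aale: float) -> bool:
    """True when the calculated ALE is above the organisation's Acceptable ALE."""
    return ale > aale


# The deck's scenario, figures as printed on the slides.
DECK = Scenario(records_per_laptop=400, cost_per_record=134.0, laptops=85, theft_rate=1 / 14)

# Assumptions for illustration (not from the deck).
ASSUMED_HARDWARE_COST = 1_500.0   # what a stolen but encrypted laptop still costs
ASSUMED_AALE = 100_000.0          # an example acceptable annual loss


def residual_ale_after_encryption(s: Scenario, hardware_cost: float = ASSUMED_HARDWARE_COST) -> float:
    """With the disk encrypted the records are not exposed, so only hardware is lost."""
    return annual_rate_of_occurrence(s, whole_events=True) * hardware_cost


if __name__ == "__main__":
    sle = single_loss_expectancy(DECK)                       # 53,600
    ale = annual_loss_expectancy(DECK, whole_events=True)    # 321,600
    residual = residual_ale_after_encryption(DECK)           # 9,000 (assumption)
    print(f"SLE ${sle:,.0f}  ARO {annual_rate_of_occurrence(DECK):.2f}  ALE ${ale:,.0f}")
    print(f"ALE exceeds AALE of ${ASSUMED_AALE:,.0f}: {exceeds_aale(ale, ASSUMED_AALE)}")
    for label, per_laptop in (("PGP", 389.0), ("Vista BitLocker", 0.0)):
        cost = fleet_control_cost(DECK, per_laptop)
        print(f"{label}: cost ${cost:,.0f}, first-year net benefit ${net_benefit(ale, residual, cost):,.0f}")
```

Two things the slides leave implicit are made explicit here: the ARO is a fleet-wide expected count built from a per-laptop rate, so a different fleet size changes the answer linearly; and the control cost is a one-time licence cost compared against an annual loss, so the first-year net benefit is the conservative figure and later years look better still.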
For More Information

Resources

Ponemon Institute – www.vontu.com/uploadedFiles/global/PonemonVontu_US_Survey-Data_at-Risk.pdf
FBI – Crime statistics and CSI report – http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
Gartner – http://www.gartner.com/
Wikipedia – http://en.wikipedia.org/wiki/Main_Page
Security Focus – http://www.securityfocus.com/infocus/1608
PTA – Practical Threat Analysis – http://ptatechnologies.com
Calculators

Information Shield – http://www.informationshield.com/privacybreachcalc.html
Tech 404 – http://www.tech-404.com/calculator.html
Questions and Answers

Contact Info: bruclo01@noa.nintendo.com