Managing Risk in Information Systems

Lesson 6

Business Impact Analysis and Continuity Planning

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Learning Objectives

Perform a business impact analysis.

Create a business continuity plan (BCP) based on the findings of a given risk assessment for an organization.

Key Concepts

Purpose of BIA

Critical success factors of BIA

Steps involved in implementing a BIA

BIA best practices

Comparing a BCP and a DRP

Major elements of BCP

Phases of a BCP

Steps for implementing a BCP

Chapter 12 Slides

Chapter 12: “Mitigating Risk with a Business Impact Analysis”

What Is a Business Impact Analysis?

A study used to identify the impact that can result from disruptions in the business

Focuses on the failure of one or more critical IT functions

Terms:

Maximum acceptable outage (MAO)

Critical business functions (CBFs)

Critical success factors (CSFs)

Seven Steps of Contingency Planning

Develop the contingency planning policy statement

Conduct the BIA

Identify preventive controls

Develop contingency strategies

Develop an IT contingency plan

Ensure plan testing, training, and exercises

Ensure plan maintenance

Dimensions of a BIA

Identify the business impact of IT disruptions

Mission-critical IT systems and components

Does not analyze all IT functions

Stakeholders identify mission-critical systems

Compliance issues often drive BIA

Inputs into the business continuity plan (BCP) and risk assessment (RA)

Defining Scope of a BIA

Define BIA scope early in the process

Scope defines the boundaries of the plan

Scope is affected by the size of the organization

Small organizations: Scope could include entire organization

Larger organizations: Scope could include only certain areas, departments, or divisions

Defining Scope of a BIA (Cont.)

Purchase phase

Shipment phase

Objectives of BIA

Identify critical business functions (CBFs)

Identify critical resources

Identify maximum acceptable outage (MAO) and impact

Direct and indirect costs

Identify recovery requirements

Identify critical business functions (CBFs).

Unless you own the process, critical business functions are not always apparent. For example, if you are the security expert, you may not know the CBFs of an online Web site.

Identify critical resources.

The critical resources are those that are required to support the CBFs. Once you’ve identified the CBFs, you can analyze them to determine the critical resources for each.

Identify maximum acceptable outage (MAO) and its impact.

Once you have identified the critical business functions and the IT resources that support them, you turn your attention to the MAO and its impact. When calculating the MAO for an organization, it’s important to consider both direct and indirect costs.

Identify recovery requirements.

The recovery requirements show the time frame in which systems must be recoverable.

Balancing Costs

Cost to recover

Cost of disruption

Consider

Direct costs

Indirect costs

Steps Involved in Implementing a BIA

Identify the environment

Identify stakeholders

Identify CBFs

Identify critical resources

Identify maximum downtime

Identify recovery priorities

Develop the BIA report
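The BIA steps above (identify CBFs, critical resources, maximum downtime, recovery priorities) together with the earlier Balancing Costs slide, worked as a small added model. This is example code written for this lesson, not from the textbook: the CBF names, MAO values, costs and resource names are constructed sample data, and the cost-balance rule (a recovery option must finish inside the resource's maximum downtime and cost no more than the disruption it prevents over that window) is a simplifying assumption.

```python
from dataclasses import dataclass

# Constructed sample data (not from the textbook): each CBF carries its MAO,
# its direct and indirect cost per hour of outage, and the IT resources it needs.
@dataclass
class CBF:
    name: str
    mao_hours: float
    direct_cost_per_hour: float
    indirect_cost_per_hour: float
    resources: tuple

CBFS = (
    CBF("Online orders", 4, 5000, 2000, ("web-frontend", "order-db", "payment-gateway")),
    CBF("Warehouse shipping", 24, 1500, 500, ("order-db", "wms")),
    CBF("Monthly reporting", 72, 100, 50, ("reporting-db",)),
)

def resource_requirements(cbfs):
    """Top-down step: start from the CBFs and derive, for each IT resource,
    its maximum downtime (the tightest MAO of any CBF depending on it) and the
    hourly cost of losing it (summed direct + indirect cost of every CBF it supports)."""
    reqs = {}
    for cbf in cbfs:
        hourly = cbf.direct_cost_per_hour + cbf.indirect_cost_per_hour
        for res in cbf.resources:
            entry = reqs.setdefault(res, {"max_downtime_hours": float("inf"),
                                          "cost_per_hour": 0.0, "supports": []})
            entry["max_downtime_hours"] = min(entry["max_downtime_hours"], cbf.mao_hours)
            entry["cost_per_hour"] += hourly
            entry["supports"].append(cbf.name)
    return reqs

def recovery_priorities(reqs):
    """Recovery order: shortest allowed downtime first, then highest hourly cost."""
    return sorted(reqs, key=lambda r: (reqs[r]["max_downtime_hours"], -reqs[r]["cost_per_hour"]))

def recovery_justified(reqs, resource, recovery_cost, recovery_hours):
    """Balance cost to recover against cost of disruption (assumed simple rule):
    the option must complete within the resource's maximum downtime and must not
    cost more than the disruption it prevents over that window."""
    req = reqs[resource]
    disruption_cost = req["cost_per_hour"] * req["max_downtime_hours"]
    return recovery_hours <= req["max_downtime_hours"] and recovery_cost <= disruption_cost

if __name__ == "__main__":
    reqs = resource_requirements(CBFS)
    for res in recovery_priorities(reqs):  # a first cut of the BIA report
        r = reqs[res]
        print(f"{res:16} max downtime {r['max_downtime_hours']:>3}h "
              f"{r['cost_per_hour']:>7.0f}/h  supports: {', '.join(r['supports'])}")
```

Note that a shared resource (order-db) inherits the shortest MAO of the functions it supports and the combined cost, which is why it ranks ahead of resources used by a single CBF.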

Identifying Mission-Critical Business Functions and Processes

Mission-critical functions are:

Any functions considered to be vital

Derived from critical success factors (CSFs)

Successful CSFs result in performing CBFs

Experts have key information regarding mission-critical functions

BIA Best Practices

Start with clear objectives

Maintain focus on objectives

Use a top-down approach

Vary data collection methods

Start with clear objectives:

Make sure you and anyone involved with the BIA understand the scope of the BIA.

This is best defined in writing; many projects get off track simply because individuals have a different understanding of the requirements.

Don’t lose sight of the objectives:

In addition to the scope statement, remember that the purpose of the BIA is to identify the critical functions, critical systems, and MAO.

This data is used to determine the recovery priorities.

Use a top-down approach:

Start with the CBFs and drill down to the IT services that support them.

If you start with the servers, you’ll miss important elements that are needed for the success of the CBFs.

Vary data collection methods:

When collecting data, ensure you match your method to the organization’s practices.

You may be able to get solid data from individual interviews with some people.

BIA Best Practices (cont.)

Plan interviews and meetings in advance

Avoid the quick solution

Use normal project management methods

Consider the use of technology resources

Plan interviews and meetings in advance:

Data gathering is an important part of the BIA.

You want to ensure that the attendees have enough time to give you the data you need. If they’re rushed or you are not prepared, you won’t get the data you need.

Don’t look for the quick solution.

The BIA will take time.

It takes time to collect the data. It takes time to evaluate the data. It takes time to identify priorities.

Consider the BIA as a project:

All normal project management practices apply. Set milestones and track the progress.

Consider the use of tools:

Many tools are available that can assist with the completion of disaster preparedness projects.

These include tools that can help with a BIA.

Chapter 13 Slides

Chapter 13: “Mitigating Risk with a Business Continuity Plan”

What Is a Business Continuity Plan?

A plan designed to help an organization continue to operate during and after a disruption

BIA is included as part of a BCP

What Is a Business Continuity Plan?

BIA key objectives that directly support the BCP:

Identify critical business functions (CBFs)

Identify critical processes supporting the CBFs

Identify critical IT services supporting the CBFs, including any dependencies

Determine acceptable downtimes for CBFs, processes, and IT services

Elements of a BCP

Purpose and scope

Assumptions and planning principles

System description and architecture

Responsibilities

Phases

Plan training, testing, and exercises

Plan maintenance

System Description and Architecture

Show system interaction

BCP Roles and Responsibilities

BCP program manager

BCP coordinator

BCP teams

Emergency Management Team (EMT)

Damage Assessment Team (DAT)

Technical Recovery Team (TRT)

Phases within a BCP Plan

Notification/activation phase

Recovery phase

Reconstitution phase

Defining Data that Needs to Be Protected

The BCP should list all the critical components for the system.

There are two reasons for including this data:

First, it makes it clear which components are needed for the critical business functions (CBFs).

Second, it provides a list that you can use to restore the system from scratch.

This list includes any equipment, such as servers, switches, and routers.

The servers may need to be rebuilt from scratch. Therefore, the BCP should list the operating system and any applications needed to support the system.

If an image is used to rebuild servers, it will list the version number.

Data can include a database hosted on the system.

It can also include any type of files, such as documents or spreadsheets.

Last, the list can include any needed supplies:

This can be simple office supplies, such as printer paper and toner.

For some systems, it can include technical supplies, such as special oils for machinery or tools needed for maintenance.

Identify all critical components for the system

Identify all equipment: servers, switches, routers

Include databases hosted on the system

Include files: documents or spreadsheets

Include necessary supplies

BCP Best Practices

Complete the BIA early

Exercise caution when returning functionality from alternate locations

Restore least critical functions first

Review and update the BCP

Test all individual pieces of the plan

Conduct test exercises of the plan

Complete the BIA early—Ensure the BIA is done early in the process for the BCP.

Without the BIA, you won’t know what systems are critical.

Exercise caution when returning functionality from alternate locations—When restoring functionality from an alternate location to the primary location, consider these best practices:

Restore least critical functions first to the primary location—This allows you to get the bugs out of the process without affecting critical functions.

Review and update the BCP regularly—The BCP coordinator should review and update the BCP at least annually.

If critical systems are changed or modified between annual reviews, the BCP should be reviewed when those changes or modifications occur.

Test all the individual pieces of the plan—This includes basic procedures, such as recalls.

Exercise the plan—Verify the plan works by performing test exercises.

These exercises should not affect normal operations.

Summary

Purpose of BIA

Critical success factors of BIA

Steps involved in implementing a BIA

BIA best practices

Comparing a BCP and a DRP

Major elements of BCP

Phases of a BCP

Steps for implementing a BCP

OPTIONAL SLIDES

7/20/2014

Chapter 12 Optional Slides

Chapter 12: “Mitigating Risk with a Business Impact Analysis”

Key Roles

Risk manager

Auditor

Data owners

IT management

Security manager

Significance of Business Impact Analysis

How critical are IT infrastructures to business?

What are the most critical IT systems to business?

What happens if critical IT systems go down?

What are the direct and indirect costs?

BIA shows urgent need for contingency plan

Chapter 13 Optional Slides

Chapter 13: “Mitigating Risk with a Business Continuity Plan”

Business Continuity vs. Disaster Recovery

BCP

Covers all functional areas of a business; it ensures the entire business can continue to operate in the event of a disruption.

Includes a BIA, and also addresses other non-technical elements of the event.

Focused on getting the overall business functions back to normal.

DRP

Is a function of the IT department.

Includes the elements necessary to recover from a disaster, once one is declared.

Involves copying the critical data to media or online and then, if required, moving the IT operations off site to recover.

Focused on restoring and recovering IT functions.

BCP

Covers all functional areas of business

Includes a business impact analysis (BIA)

Focused on business function recovery

DRP

Function of the IT department

Focused on IT function recovery

Recovery from a declared disaster

Steps for Implementing a BCP

Create BCP scope statements

Conduct business impact analysis (BIA)

Identify countermeasures and controls

Develop individual disaster recovery plans (DRPs)

Implement training

Test and exercise plans

Maintain and update plans

Why Use a Business Continuity Plan?

What happens if electrical power is lost?

What happens if servers go down?

What are the critical business functions to maintain?

What must remain intact to conduct business?

What is the risk of being without a BCP?
