BCP & BIS Flashcards

1
Q

BCP

A

Business Continuity Planning

…used to maintain the continuous operation of business in the event of an emergency

2
Q

BCP Process

A
  1. Project Scope and Planning
  2. Business Impact Assessment (BIA)
  3. Business Continuity Planning
  4. Plan Approval and Implementation
3
Q

BCP > Project Scope and Planning

A

Step 1 of BCP Process

  1. Analysis of Business Organization
  2. Creation of a BCP team with senior management approval
  3. Assessment of resources available
  4. Analysis of legal / regulatory landscape that governs response(s) to a catastrophe
4
Q

BCP Process > BIA

A

Step 2 of BCP

Business Impact Assessment

After the BCP team completes their four parts…it’s BIA time.

The BIA identifies the resources that are critical to the company's ongoing viability, and the threats posed to those resources.

5
Q

BIA types of analysis

A

BIA = Step 2 of BCP.

  1. Quantitative - involves numbers, expressed in terms of $ value to the business
  2. Qualitative - involves non-number factors, expressed in categories of prioritization » more difficult
6
Q

BIA Steps

A

BIA = Step 2 of BCP.

  1. Identify Priorities
    A. create a list of company assets (hard / soft) and assign an Asset Value —> AV
    B. develop a maximum tolerable downtime (MTD) metric –> important for both BCP and DRP planning
  2. Risk Identification = identify risks posed to the company, both man-made and natural.
  3. Likelihood Assessment = assign a likelihood that each risk will occur –> ARO
  4. Impact Assessment = determine what impact each identified risk would have on the business
    SLE = AV * EF
    ALE = SLE * ARO
  5. Resource Prioritization = prioritize the list of risks from most damaging to least, target available resources to mitigate
7
Q

BCP > Continuity Planning Tasks

A

Step 3 of 4 (see BCP): Developing a strategy to minimize the impact realized risks might have on assets.

Continuity Planning Phases:

  • Strategy Development –> Determine which risks require mitigation and the level of resources to be committed.
  • Provisions and Processes –> Meat and Potatoes of BCP = design procedures that will mitigate risks to assets (People, Buildings, Infrastructure) chosen in Strategy Development.
8
Q

BCP Process > Approval and Implementation

A

Step 4 of BCP.

9
Q

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A

Provisions and processes

10
Q

BCP > BIA > Impact Assessment

A

4) Impact Assessment

BIA Steps:

  1. Identify Priorities
  2. Risk Identification
  3. Likelihood Assessment
  4. Impact Assessment
  5. Resource Prioritization

Most critical portion of BIA.

 SLE = AV * EF
 ALE = SLE * ARO
11
Q

Quantitative Risk Analysis

A

produces a report with concrete risks & dollar costs.

Steps:

  1. Inventory assets and assign a $ value
  2. R&D each asset, produce list of possible threats
  3. Perform threat analysis = ARO
  4. Derive loss potential per threat = ALE
  5. R&D countermeasures for each threat
  6. Perform cost/benefit analysis for each countermeasure. Select the most appropriate response to each threat.
12
Q

How is SLE calculated?

A

SLE = AV * EF

cost of a single realized risk against a specific asset

13
Q

ALE

A

Annualized Loss Expectancy

ALE = SLE * ARO

possible yearly cost of all instances of a specific realized threat against a specific asset.

14
Q

RMF

A

Risk Management Framework

NIST SP 800-37

  1. Categorize –> information systems and the data processed, stored and transmitted
  2. Select —> baseline security controls
  3. Implement –> security controls
  4. Assess –> security controls
  5. Authorize –> information systems operation
  6. Monitor –> security controls in the information system
15
Q

Risk

A

Risk = Threat * Vulnerability

DEF: the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.

16
Q

Total Risk

A

threat * vulnerability * asset value

17
Q

Residual Risk

A

total risk - countermeasures

18
Q

Vulnerability

A

the weakness in an asset, or the weakness of a safeguard or countermeasure

19
Q

Asset Valuation

A

the dollar value assigned to an asset based on actual cost and non-monetary expenses.

E.g., cost to develop, maintain, administer, advertise, support, repair etc.

20
Q

EF / SLE / ALE / ARO

A

Completed during BCP > BIA > Impact Assessment.

Exposure Factor (EF)

The amount of damage the risk poses to the asset.

 Example: the BCP team consults with fire experts and determines that a fire would destroy 70% of the building.

    > the EF of the building to fire is 70%

The Single Loss Expectancy (SLE) is the $ loss expected each time the risk materializes.

 SLE = AV * EF

 If the building is worth $500,000, the SLE is

 500,000 * .7 = 350,000

Annualized loss expectancy (ALE) is the $ loss that occurs as a result of the risk (fire) harming the asset (building) over a year.

 ALE = SLE * ARO

 ALE = 350,000 * ARO

 ARO is obtained during Likelihood Assessment. The risk of fire to the building is 1 every 30 yrs = 1 / 30 == .03

 ALE = 350,000 * .03 = 10,500

 In other words, the business should expect to lose $10,500 each year to the risk of fire.
21
Q

What is the first step that individuals responsible for the development of a business continuity plan should perform?

A

business organization analysis

The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.

22
Q

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A

A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization