BCP & BIA Flashcards
BCP
Business Continuity Planning
…used to maintain the continuous operation of business in the event of an emergency
BCP Process
- Project Scope and Planning
- Business Impact Assessment (BIA)
- Business Continuity Planning
- Plan Approval and Implementation
BCP > Project Scope and Planning
Step 1 of BCP Process
- Analysis of Business Organization
- Creation of a BCP team with senior management approval
- Assessment of resources available
- Analysis of legal / regulatory landscape that governs response(s) to a catastrophe
BCP Process > BIA
Step 2 of BCP
Business Impact Assessment
After the BCP team completes those four tasks, the BIA begins.
The BIA identifies the resources that are critical to the company's ongoing viability and the threats posed to those resources.
BIA types of analysis
BIA = Step 2 of BCP.
- Quantitative - uses numbers; impact is expressed as a dollar value to the business.
- Qualitative - uses non-numeric factors; impact is expressed as categories of prioritization. More difficult to perform consistently.
BIA Steps
BIA = Step 2 of BCP.
- Identify Priorities
A. Create a list of company assets (hard and soft) and assign each an Asset Value (AV).
B. Develop a maximum tolerable downtime (MTD) metric; important for both BCP and DRP planning.
- Risk Identification = identify the risks posed to the company, both man-made and natural.
- Likelihood Assessment = assign each risk a likelihood of occurring, expressed as an Annualized Rate of Occurrence (ARO).
- Impact Assessment = determine the impact each identified risk would have on the business: SLE = AV * EF; ALE = SLE * ARO.
- Resource Prioritization = rank the risks from most damaging to least damaging and target the available resources at mitigating the top of the list.
BCP > Continuity Planning Tasks
Step 3 of 4 (see BCP): Developing a strategy to minimize the impact realized risks might have on assets.
Continuity Planning Phases:
- Strategy Development –> Determine which risks require mitigation and the level of resources to be committed.
- Provisions and Processes –> Meat and potatoes of BCP = design the procedures that will mitigate risks to the assets (people, buildings, infrastructure) chosen in Strategy Development.
BCP Process > Approval and Implementation
Step 4 of BCP.
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
Provisions and processes
BCP > BIA > Impact Assessment
4) Impact Assessment
BIA Steps:
- Identify Priorities
- Risk Identification
- Likelihood Assessment
- Impact Assessment
- Resource Prioritization
Most critical portion of BIA.
SLE = AV * EF
ALE = SLE * ARO
Quantitative Risk Analysis
produces a report with concrete risks & dollar costs.
Steps:
- Inventory assets and assign each a $ value (AV)
- Research each asset and produce a list of possible threats
- Perform threat analysis to estimate each threat's ARO
- Derive the loss potential per threat = ALE
- Research countermeasures for each threat
- Perform a cost/benefit analysis of each countermeasure and select the most appropriate response to each threat
How is SLE calculated?
SLE = AV * EF
cost of a single realized risk against a specific asset
ALE
Annualized Loss Expectancy
ALE = SLE * ARO
possible yearly cost of all instances of a specific realized threat against a specific asset.
RMF
Risk Management Framework
NIST SP 800-37
- Categorize –> information systems and the data processed, stored and transmitted
- Select —> baseline security controls
- Implement –> security controls
- Assess –> security controls
- Authorize –> information systems operation
- Monitor –> security controls in the information system
Risk
Risk = Threat * Vulnerability
DEF: the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
Total Risk
threat * vulnerability * asset value
Residual Risk
total risk - countermeasures
Vulnerability
the weakness in an asset, or the weakness of a safeguard or countermeasure
Asset Valuation
the dollar value assigned to an asset based on actual cost and non-monetary expenses.
E.g., cost to develop, maintain, administer, advertise, support, repair etc.
EF / SLE / ALE / ARO
Completed during BCP > BIA > Impact Assessment.
Exposure Factor (EF)
The amount of damage the risk poses to the asset.
Example: the BCP team consults fire experts, who determine that a fire would destroy 70% of the building. The EF of the building to fire is therefore 70%.
The Single Loss Expectancy (SLE) is the $ loss expected each time the risk materializes.
SLE = AV * EF. If the building is worth $500,000, the SLE is 500,000 * .7 = $350,000.
Annualized loss expectancy (ALE) is the $ loss that occurs as a result of the risk (fire) harming the asset (building) over a year.
ALE = SLE * ARO
ALE = 350,000 * ARO
ARO is obtained during the Likelihood Assessment. If a fire is expected once every 30 years, ARO = 1 / 30 ≈ .033.
ALE = 350,000 * (1 / 30) ≈ $11,667. (Rounding the ARO down to .03 would give $10,500; keep the unrounded ARO when the figure drives a budget decision.) In other words, the business should expect to lose roughly $11,667 each year to the risk of fire.
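Worked example, added here and not part of the original flashcards: a small Python module that carries the fire/building figures from the cards above through SLE and ALE, ranks threats for Resource Prioritization, and applies the cost/benefit step from the Quantitative Risk Analysis card. The cost/benefit formula used (value of a safeguard = ALE before - ALE after - annual cost of the safeguard) is the standard one but is not spelled out on the page; the flood threat and both safeguards, with their costs and post-control EF/ARO figures, are constructed inputs, not from the cards.

```python
"""Quantitative risk analysis: SLE, ALE, risk ranking and safeguard cost/benefit.

Added worked example, not part of the original flashcards. The fire figures
(AV $500,000, EF 70%, one fire per 30 years) come from the cards; the flood
threat and both safeguards are constructed, hypothetical inputs.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost when the threat is realized (0..1)
    aro: float              # ARO: expected occurrences per year (from Likelihood Assessment)

    def __post_init__(self) -> None:
        # Reject inputs that make the formulas meaningless (EF > 100%, negative AV/ARO).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.exposure_factor}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """SLE = AV * EF: dollar loss from a single realized occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """ALE = SLE * ARO: expected dollar loss per year from this threat."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # ACS: annualized cost to buy, run and maintain the control
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def ale_with_safeguard(threat: Threat, safeguard: Safeguard) -> float:
    """ALE after the control: same asset, with the safeguard's EF and ARO."""
    mitigated = Threat(threat.name, threat.asset, threat.asset_value,
                       safeguard.new_exposure_factor, safeguard.new_aro)
    return mitigated.ale()


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Standard cost/benefit test: (ALE before - ALE after) - annual cost of the safeguard.

    Positive means the control saves more than it costs each year; negative means
    it is cheaper to accept the risk than to buy the control.
    """
    return threat.ale() - ale_with_safeguard(threat, safeguard) - safeguard.annual_cost


def prioritize(threats: Sequence[Threat]) -> List[Threat]:
    """Resource Prioritization: rank threats from most to least damaging by ALE."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def best_safeguard(threat: Threat, candidates: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Pick the safeguard with the highest positive value; None means accept the risk."""
    best = max(candidates, key=lambda s: safeguard_value(threat, s), default=None)
    if best is None or safeguard_value(threat, best) <= 0:
        return None
    return best


# Constructed inputs. FIRE matches the flashcard figures; the rest are hypothetical.
FIRE = Threat("fire", "headquarters building", 500_000, 0.70, 1 / 30)
FLOOD = Threat("flood", "headquarters building", 500_000, 0.30, 1 / 10)
SPRINKLERS = Safeguard("sprinkler system", annual_cost=4_000,
                       new_exposure_factor=0.20, new_aro=1 / 30)
SUPPRESSION = Safeguard("clean-agent suppression", annual_cost=15_000,
                        new_exposure_factor=0.05, new_aro=1 / 30)

if __name__ == "__main__":
    for t in prioritize([FIRE, FLOOD]):
        print(f"{t.name:6s} SLE=${t.sle():>10,.0f}  ALE=${t.ale():>10,.0f}")
    for s in (SPRINKLERS, SUPPRESSION):
        print(f"{s.name}: value ${safeguard_value(FIRE, s):,.0f}/yr")
    chosen = best_safeguard(FIRE, [SPRINKLERS, SUPPRESSION])
    print("recommended for fire:", chosen.name if chosen else "accept the risk")
```

With these constructed numbers the flood outranks the fire on ALE even though the fire has the larger SLE, which is why prioritization is done on ALE rather than on single-event loss; and the more expensive suppression system has a negative value for the fire risk, so the cheaper sprinkler system is the one the cost/benefit step selects.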
What is the first step that individuals responsible for the development of a business continuity plan should perform?
business organization analysis
The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization
Answer: C. Provisions and processes