Business Impact Analysis101 Bruce Lobree, CISSP, CISM, CIPP.


1 Business Impact Analysis101 Bruce Lobree, CISSP, CISM, CIPP

2 Risk Realization Costs

3 Agenda
Risk Assessment Worksheet
Terms
Business Impact Analysis – What Risk
Loss Types
What, Why, Who, How
Practical Threat Analysis – Free Tool
Online Tools – Free Tools
Example 1 – Lost data
Resources
Q & A

4 Risk Assessment Worksheet

5 Terms
Quantitative Analysis
In finance, someone who applies mathematics (among other things, stochastic calculus) to finance.
The process of assigning a value to an item.

6 Business Impact Analysis
A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:
1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process
Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.

7 Annual Loss Expectancy
Annual Loss Expectancy (ALE) - The calculation by which you determine the potential loss that will occur annually.
Single Loss Expectancy (SLE) –
Annual Rate of Occurrence (ARO) -
Annual Loss Expectancy (ALE) = SLE x ARO
AALE – Acceptable Annual Loss Expectancy – Do you have one?

8 Single Loss Expectancy
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset.
It is mathematically expressed as:
SLE = NA x AV
Where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed (euros, dollars, yen, etc.).

9 What
Define Impact
How detailed to make it
Where the data comes from
What format will you deliver it in
Graphs, charts and other wasted information
KEEP IT SIMPLE!!!!!!!!!

10 Why
Qualify actual costs
What is the business risk
What is the technical risk and why are they different
Justify projects and their spend
Cost Avoidance

11 Who
Who is your target audience
Management
Non-Management
Technical
Other
Who supports putting the data together
What is your source
Don't make up data

12 How
Define what you're analyzing
Define your attack vectors (more is better)
Define the potential impact – What is going to be lost
Define your costs and do the math
DON'T INFLATE YOUR NUMBERS – Use realistic numbers

13 PTA
Practical Threat Analysis
A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system.
Assets
Threats
Vulnerabilities
Countermeasures
Implemented Countermeasures
Entry Points
Attacker Types
Tags

14 PTA

15 PTA

16 Privacy Breach Impact Calculator – Information Shield

17 Tech//404 Data Loss Cost Calculator - Data

18 Tech//404 Data Loss Cost Calculator - Graph

19 Example 1 – Database Lost
Stolen Laptop
Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients' information, including all their contact, billing and purchasing records.
His laptop is stolen out of the trunk of his car on a Friday night while he is in having a beer with some friends. He does not notice it's gone until Monday morning when he gets back to work.

20 Analysis
400 clients – Name, Address, Account Number – Credit Card Number
Direct Loss - Notification - Legal fees - Fines
Ponemon Institute (per record costs)
$140 – Notification / Credit service
$94 – Reputation damage (lost customers, new customers, loss of data, etc.)
$134 per record
$53,600 - Total loss cost per incident
Cost to encrypt a Laptop – $389 PGP
Cost if the workstation has Vista - $0

21 Calculating odds of occurrence
1 in 14 laptops will be stolen in 2007 – FBI
85 employees carry laptops with client data on them.
6 laptops will be lost or stolen annually
$321,600 loss potential (bottom line impact)
$33,065 to encrypt all laptops
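As an added worked example (not part of the slides), the formulas from slides 7 and 8 (SLE = NA x AV, ALE = SLE x ARO) applied to the stolen-laptop figures of slides 20 and 21. The `LossScenario` class and function names are illustrative, and the `control_value` step (ALE before the control, minus ALE after it, minus the annual cost of the control) is my addition: the slides only set the $33,065 encryption cost beside the $321,600 loss potential, and the after-control ALE is an analyst input that I assume to be zero for encrypted laptops. The slide's $134-per-record total and its rounding of 85/14 to six incidents per year are taken as given.

```python
"""Worked ALE / SLE calculation for a stolen-laptop data-loss scenario.

Added example: the figures are the slide's own numbers (400 client records
per laptop, $134 per record, 85 laptops, 1 in 14 stolen per year, $389 per
laptop to encrypt). Class and function names are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    records_per_asset: int     # NA in "SLE = NA x AV": records exposed per incident
    cost_per_record: float     # AV: monetary loss per record, in dollars
    assets_exposed: int        # number of laptops carrying client data
    annual_loss_rate: float    # fraction of those laptops lost or stolen per year


def single_loss_expectancy(s: LossScenario) -> float:
    """SLE = NA x AV: the loss from one incident (one laptop, all its records)."""
    return s.records_per_asset * s.cost_per_record


def annual_rate_of_occurrence(s: LossScenario, whole_incidents: bool = True) -> float:
    """ARO: expected incidents per year. The slide rounds 85/14 to 6 incidents;
    pass whole_incidents=False to keep the fractional rate instead."""
    aro = s.assets_exposed * s.annual_loss_rate
    return round(aro) if whole_incidents else aro


def annual_loss_expectancy(s: LossScenario, whole_incidents: bool = True) -> float:
    """ALE = SLE x ARO: the loss expected over one year."""
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s, whole_incidents)


def control_cost(s: LossScenario, cost_per_asset: float) -> float:
    """Cost of applying a per-asset control to every exposed asset
    (here: encrypting every laptop)."""
    return s.assets_exposed * cost_per_asset


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost-benefit of a control: ALE before - ALE after - annual control cost.
    A positive result means the control saves more than it costs. ale_after is
    an analyst input (assumption here: encrypted data on a lost laptop incurs
    no notification loss, so ~0)."""
    return ale_before - ale_after - annual_control_cost


def within_aale(ale: float, acceptable_ale: float) -> bool:
    """Slide 7's question: is the ALE within the acceptable annual loss (AALE)?"""
    return ale <= acceptable_ale


# Scenario from slides 19-21, numbers as stated there.
STOLEN_LAPTOP = LossScenario(
    records_per_asset=400,
    cost_per_record=134.0,
    assets_exposed=85,
    annual_loss_rate=1 / 14,
)
ENCRYPTION_COST_PER_LAPTOP = 389.0  # "Cost to encrypt a Laptop – $389 PGP"


if __name__ == "__main__":
    s = STOLEN_LAPTOP
    sle = single_loss_expectancy(s)
    ale = annual_loss_expectancy(s)
    cost = control_cost(s, ENCRYPTION_COST_PER_LAPTOP)
    print(f"SLE per stolen laptop: ${sle:,.0f}")
    print(f"ARO: {annual_rate_of_occurrence(s)} incidents/year "
          f"(exact {annual_rate_of_occurrence(s, False):.2f})")
    print(f"ALE: ${ale:,.0f}")
    print(f"Cost to encrypt all laptops: ${cost:,.0f}")
    # Assumption: encryption removes the notification loss entirely (ALE after = 0).
    print(f"Net annual value of encrypting: ${control_value(ale, 0.0, cost):,.0f}")
```

With the slide's inputs the block reproduces its figures: an SLE of $53,600 per laptop, six incidents a year, an ALE of $321,600 and an encryption cost of $33,065. Keeping the fractional ARO (about 6.07) instead of rounding raises the ALE by roughly $3,800, which is worth knowing when a decision is close; here it is not, since the control costs about a tenth of the expected annual loss.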

22 For More Information
Resources
Ponemon Institute - Vontu_US_Survey-Data_at-Risk.pdf
FBI – Crimes statistics and CSI report - ey.pdf
Gartner -
Wikipedia -
Security Focus -
PTA – Practical Threat Analysis –
Calculators
Information Shield -
Tech 404 –

23 Questions and Answers
Contact Info:
