# Business Impact Analysis 101

Bruce Lobree, CISSP, CISM, CIPP

Risk Realization Costs

Agenda
- Risk Assessment Worksheet
- Terms
- Business Impact Analysis – What
- Risk Loss Types
- What, Why, Who, How
- Practical Threat Analysis – Free Tool
- Online Tools – Free Tools
- Example 1 – Lost data
- Resources
- Q & A

Risk Assessment Worksheet

Terms
- Quantitative Analysis – In finance: someone who applies mathematics (among others, stochastic calculus) to finance. The process of assigning a value to an item.

A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:
1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process

Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.

Annual Loss Expectancy
- Annual Loss Expectancy (ALE) – the calculation by which you determine the potential loss that will occur annually.
- Single Loss Expectancy (SLE)
- Annual Rate of Occurrence (ARO)
- Annual Loss Expectancy (ALE) = SLE x ARO
- AALE – Acceptable Annual Loss Expectancy – do you have one?

Single Loss Expectancy
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as:

SLE = NA x AV

where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in whatever currency unit the Asset Value is expressed in (euros, dollars, yen, etc.).

What
- Define impact
- How detailed to make it
- Where the data comes from
- What format will you deliver it in
- Graphs, charts and other wasted information
- KEEP IT SIMPLE!!!!!!!!!

Why
- Qualify actual costs
- What is the business risk
- What is the technical risk, and why are they different
- Justify projects and their spend
- Cost avoidance

Who
- Who is your target audience: Management, Non-Management, Technical, Other
- Who supports putting the data together
- What is your source
- Don’t make up data

How
- Define what you’re analyzing
- Define your attack vectors (more is better)
- Define the potential impact – what is going to be lost
- Define your costs and do the math
- DON’T INFLATE YOUR NUMBERS – use realistic numbers

PTA – Practical Threat Analysis
A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system. Its model elements:
- Assets
- Threats
- Vulnerabilities
- Countermeasures
- Implemented Countermeasures
- Entry Points
- Attacker Types
- Tags

Example 1 – Database Lost
Stolen Laptop Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients’ information, which includes all their contact, billing and purchasing records. His laptop is “stolen” out of the trunk of his car on a Friday night while he is having a beer with some friends. He does not notice it is gone until Monday morning when he gets back to work.

Analysis
- 400 clients – Name, Address, Account Number – Credit Card Number
- Direct loss – Notification, Legal fees, Fines
- Ponemon Institute (per record costs):
  - \$140 – Notification / Credit service
  - \$94 – Reputation damage (lost customers, new customers, loss of data, etc.)
  - \$134 per record
- \$53,600 – Total loss cost per incident
- Cost to encrypt a laptop – \$389 PGP
- Cost if the workstation has Vista – \$0

Calculating odds of occurrence
- 1 in 14 laptops will be stolen in 2007 – FBI
- 85 employees carry laptops with client data on them
- 6 laptops will be lost or stolen annually
- \$321,600 loss potential (bottom line impact)
- \$33,065 to encrypt all laptops
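The stolen-laptop numbers above, carried through the SLE x ARO = ALE arithmetic from the Terms slides, as an added Python example that is not part of the original deck. The class and function names are my own, and the comparison against the encryption cost assumes, as the slides implicitly do, that encrypting the laptops avoids the whole loss.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class LaptopLossScenario:
    """Inputs for the stolen-laptop BIA (field names are mine; values below are the slides')."""
    records_per_laptop: int            # NA: client records exposed per lost laptop
    cost_per_record: float             # AV: per-record cost actually used in the slide math
    laptops_with_data: int             # laptops in the population that carry client data
    theft_rate: float                  # fraction of those laptops lost or stolen per year
    encryption_cost_per_laptop: float  # one-time cost of the countermeasure, per laptop


def single_loss_expectancy(s: LaptopLossScenario) -> float:
    """SLE = NA x AV: the cost of one lost laptop."""
    return s.records_per_laptop * s.cost_per_record


def annual_rate_of_occurrence(s: LaptopLossScenario) -> int:
    """ARO: thefts per year. The slides round down to whole laptops (85 / 14 -> 6)."""
    return math.floor(s.laptops_with_data * s.theft_rate)


def annual_loss_expectancy(s: LaptopLossScenario) -> float:
    """ALE = SLE x ARO: the bottom-line annual exposure."""
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s)


def encryption_program_cost(s: LaptopLossScenario) -> float:
    """Cost to encrypt every laptop that carries client data."""
    return s.laptops_with_data * s.encryption_cost_per_laptop


def bia_summary(s: LaptopLossScenario) -> dict:
    """Worksheet row. Assumption (mine, implicit in the slides): encryption removes the
    per-record loss, so the control is justified when its cost is below the ALE it avoids."""
    ale, control = annual_loss_expectancy(s), encryption_program_cost(s)
    return {
        "sle": single_loss_expectancy(s),
        "aro": annual_rate_of_occurrence(s),
        "ale": ale,                              # 321600.0 for the slide values
        "control_cost": control,                 # 33065.0 for the slide values
        "annual_cost_avoidance": ale - control,
        "control_justified": control < ale,
    }


# Slide values: 400 records at $134 each, 85 laptops, FBI "1 in 14" theft rate, $389 PGP per laptop.
SLIDE_SCENARIO = LaptopLossScenario(400, 134.0, 85, 1 / 14, 389.0)
```

Swap in your own record counts, per-record cost and laptop population to rebuild the worksheet for a different asset; the control_justified flag is the "cost avoidance" argument the Why slide asks for.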