TINFO462Week6Notes.pdf T INFO 462 - Building An Information Risk Management Toolkit
Five pages of class notes uploaded by James Cha on Friday, February 13, 2015, for T INFO 462 - Building An Information Risk Management Toolkit at the University of Washington, taught by Marc Dupuis in Winter 2015.
T INFO 462 Building an Information Risk Management Toolkit
Week 6

Chapter 12: Business Impact Analysis

A Business Impact Analysis (BIA) is a study used to identify the impact that can result from disruptions in the business.
- Focuses on the failure of one or more critical information technology (IT) functions.
- Basically helps identify the systems critical to the survival of an organization.
- Survivability: the ability of a company to survive loss due to a risk.

When working with BIAs you should have a basic understanding of:
- Maximum Acceptable Outage (MAO)
  - Identifies the maximum acceptable downtime for a system.
  - If an outage EXCEEDS the MAO time, it negatively affects the organization's mission.
  - DIRECTLY affects the recovery time.
- Critical Business Functions (CBFs)
  - Includes functions considered vital to an organization.
  - If a CBF fails, the organization will lose the ability to perform essential operations, such as selling products to customers.
  - If an organization fails to perform the function, it will lose money.
- Critical Success Factors (CSFs)
  - Includes elements necessary to perform the mission of an organization.
  - An organization will have a few elements that must succeed in order for the organization to succeed.
  - Example: a reliable network infrastructure may be considered a CSF for many companies today.

A BIA isn't intended to include all IT functions. Instead, it helps the organization identify the critical IT systems and components. You identify the critical systems and components by identifying the CRITICAL BUSINESS FUNCTIONS.

What is a Critical Business Function (CBF)?
- A stakeholder determines whether a business function is critical. If a stakeholder determines that the loss of the function will cause an unacceptable loss, it is a critical function.
  - The stakeholder makes this decision based on experience and opinion.
  - Once a function is decided to be critical, the stakeholder needs to dedicate resources to protect it, which includes:
    - Money
    - Personnel

Collecting Data (BIA)
A BIA is a data-gathering process, and there are multiple methods to do so:
- Conduct interviews with key personnel.
  - Improve results with a little forethought:
    - Plan the interview.
    - Make sure the people you are interviewing have the time to answer your questions.
    - Make sure you're ready with the right questions.
    - Questions should focus on CBFs and the MAO of supporting resources.
- Use questionnaires, forms, or surveys.
  - Keep them limited and focused.
  - Focus on only one process at a time.
- Host meetings or conference calls.
  - Beneficial in that people can interact with each other, which can lead to richer results.
  - Can be difficult to gain consensus.

Defining the Scope of Your BIA
It is important to define the scope of a BIA early in the process. Scope defines the boundaries of the plan.
- Defining the scope helps ensure that the BIA is focused.
- Ensures that you analyze the correct functions.
- Affected by the size of the organization.

Objectives of a Business Impact Analysis
The overall objective of the BIA is to identify the impact of outages.
- Specifically, the goal is to identify the critical functions that can affect the organization.
  - After identifying the critical functions, you can identify the critical resources that support these functions.
- Each resource has an MAO and an impact if it fails.
- The ultimate goal is to identify the recovery requirements:
  - You gather input from process owners and experts.
  - This helps identify the CBFs and the critical resources that support them.
  - You then identify the impact and MAO of the resources.
  - Last, you determine the recovery requirements from the MAO.

An indirect objective of the BIA is to justify funding. After you've identified the recovery requirements in the BIA, you identify controls to support these requirements in the BCP (business continuity plan).
- If the impact is high, it is cost effective to spend money to prevent the outage.

Identifying Critical Business Functions
Unless you own the process, the critical business functions are NOT always apparent.
- For example, if you are the security expert, you may not know the CBFs of a Web site. The Web server is the obvious component, but there are others.
  - By interviewing or surveying the experts, you can gain insight into all the components that support the Web server.
  - It is often useful to identify the underlying steps of CBFs.
- Steps involved in an online Web site purchase:
  1. The customer visits the Web site.
  2. The customer browses the product catalog.
  3. The customer picks a product.
  4. The customer checks out.
  5. A message is sent to the order processing application.
  6. The order is processed.
- In this example the critical business functions are:
  - The customer accessing the Web site
  - The Web server accessing the database server
  - The order processing application tracking the order
- With this information you can identify the critical resources.

Identifying Critical Resources
The critical resources are those that are required to support the CBFs. Once you've identified the CBFs, you can analyze them to determine the critical resources for each. Following the example of the Web site purchase, you can see how to identify the critical resources from the CBFs.
- One of the Web site CBFs is the customer accessing the Web site.
  - The following IT resources are required to support this function:
    - Internet access
    - The Web server
    - The Web application
    - Network connectivity
    - The firewall on the Internet side of the DMZ
- The second CBF is the Web server's ability to access the database server.
  - The database server hosts:
    - Product information
    - Customer information (used when the customer makes a purchase and to target advertising for the returning customer)
  - The following IT resources are required to support this function:
    - Web server
    - Web application
    - Database server
    - Network connectivity
    - The firewall on the internal side of the DMZ
- The third critical function is the order processing application.
  - It needs to receive orders from the database server and also needs to be able to track the order until delivery.
  - The following IT resources are required to support this function:
    - The server hosting the order processing application
    - The database server
    - The warehouse application
    - Network connectivity
    - Internet access
- In many instances there will be overlap in the critical resources.
- Additionally, facility support is required for each of these functions, such as power, heating, and air conditioning.
- You may choose to list a resource one time for all the functions or with each function.
  - For example, all IT resources require facility support, and you could list these requirements one time as follows:
    - Power: Uninterruptible power supplies (UPS) and generators are required to ensure systems remain operational during power outages.
    - Heating and air conditioning: Heating and/or air conditioning is required to ensure all systems can operate.
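The notes say that each resource has an MAO, that critical resources overlap across CBFs, and that the recovery requirements are derived from the MAO. The script below is an added worked example (it is not part of the original notes or of the course textbook) that models the Web site purchase CBFs above as data and derives the binding recovery requirement for every resource: a resource shared by several functions must be recoverable within the shortest MAO among them. The MAO hours, the resource labels, and the recovery plan it checks are assumptions chosen for illustration; in a real BIA the MAO values come from the process owners interviewed.

```python
"""
Derive per-resource recovery requirements from critical business functions
(CBFs), each carrying its own Maximum Acceptable Outage (MAO).

A resource shared by several CBFs must be recoverable within the SHORTEST
MAO of the functions that depend on it, so the binding requirement is the
minimum over the supporting functions. Facility support (power, HVAC) is
listed once and applied to every function, as the notes suggest.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalBusinessFunction:
    name: str
    mao_hours: float          # Maximum Acceptable Outage for this function
    resources: frozenset      # IT resources required to support it


# Facility support every IT resource needs, listed once for all functions.
FACILITY_RESOURCES = frozenset({
    "Power (UPS and generators)",
    "Heating and air conditioning",
})

# The three CBFs from the Web site purchase example in the notes. The MAO
# values are ASSUMED for illustration; a real BIA gets them from process owners.
WEB_SITE_CBFS = [
    CriticalBusinessFunction(
        "Customer accessing the Web site", mao_hours=2,
        resources=frozenset({
            "Internet access", "Web server", "Web application",
            "Network connectivity", "Firewall (Internet side of DMZ)",
        })),
    CriticalBusinessFunction(
        "Web server accessing the database server", mao_hours=4,
        resources=frozenset({
            "Web server", "Web application", "Database server",
            "Network connectivity", "Firewall (internal side of DMZ)",
        })),
    CriticalBusinessFunction(
        "Order processing application tracking the order", mao_hours=24,
        resources=frozenset({
            "Order processing server", "Database server",
            "Warehouse application", "Network connectivity", "Internet access",
        })),
]


def derive_recovery_requirements(cbfs, facility=FACILITY_RESOURCES):
    """Map each resource to (binding MAO in hours, names of CBFs it supports).

    The binding MAO is the minimum MAO across all functions that use the
    resource: if it stays down longer than that, at least one CBF has
    exceeded its acceptable outage.
    """
    requirements = {}
    for cbf in cbfs:
        for resource in cbf.resources | facility:
            mao, supported = requirements.get(resource, (float("inf"), []))
            requirements[resource] = (min(mao, cbf.mao_hours), supported + [cbf.name])
    return requirements


def shared_resources(requirements, min_functions=2):
    """Resources that more than one CBF depends on (the overlap the notes mention)."""
    return sorted(r for r, (_, supported) in requirements.items()
                  if len(supported) >= min_functions)


def check_recovery_plan(requirements, planned_recovery_hours):
    """Flag resources whose planned recovery time exceeds the binding MAO.

    A resource missing from the plan is treated as unrecoverable and flagged.
    """
    return sorted(r for r, (mao, _) in requirements.items()
                  if planned_recovery_hours.get(r, float("inf")) > mao)


if __name__ == "__main__":
    reqs = derive_recovery_requirements(WEB_SITE_CBFS)
    print("Resource recovery requirements (binding MAO, number of CBFs supported):")
    for resource, (mao, supported) in sorted(reqs.items(), key=lambda kv: (kv[1][0], kv[0])):
        print(f"  {mao:>5.1f} h  {resource}  <- {len(supported)} CBF(s)")
    print("\nShared resources:", ", ".join(shared_resources(reqs)))

    # Constructed recovery plan with one deliberate gap: the database server is
    # planned at 8 h, but it must be back within 4 h for the Web-to-database CBF.
    plan = {"Database server": 8, "Network connectivity": 1, "Web server": 2,
            "Web application": 2, "Internet access": 2,
            "Firewall (Internet side of DMZ)": 2, "Firewall (internal side of DMZ)": 4,
            "Order processing server": 12, "Warehouse application": 12,
            "Power (UPS and generators)": 0.5, "Heating and air conditioning": 1}
    print("\nPlanned recovery exceeds MAO for:", check_recovery_plan(reqs, plan))
```

Running it shows why the notes recommend listing overlapping resources once: network connectivity and the facility resources support all three functions, so their binding MAO is the tightest of the three (2 h here), and a recovery plan that looks fine for the order processing function alone can still violate the Web-to-database MAO for the shared database server.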