Page 1: Business Impact Analysis 101 Bruce Lobree, CISSP, CISM, CIPP

Business Impact Analysis 101

Bruce Lobree, CISSP, CISM, CIPP

Page 2

Risk Realization Costs

Page 3

Agenda

- Risk Assessment Worksheet
- Terms
- Business Impact Analysis – What
- Risk Loss Types
- What, Why, Who, How
- Practical Threat Analysis – Free Tool
- Online Tools – Free Tools
- Example 1 – Lost data
- Resources
- Q & A

Page 4

Risk Assessment Worksheet

Page 5

Terms

Quantitative Analysis
- In finance, someone who applies mathematics, among others stochastic calculus, to finance
- The process of assigning a value to an item

Page 6

Business Impact Analysis

A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:

1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process

Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.

Page 7

Annual Loss Expectancy

Annual Loss Expectancy (ALE) - The calculation by which you determine the potential loss that will occur annually.

- Single Loss Expectancy (SLE)
- Annual Rate of Occurrence (ARO)
- Annual Loss Expectancy (ALE) = SLE x ARO
- AALE – Acceptable Annual Loss Expectancy – Do you have one?

Page 8

Single Loss Expectancy

Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset.

It is mathematically expressed as: SLE = NA x AV

Where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed (euros, dollars, yen, etc.).

Page 9

What

- Define Impact
- How detailed to make it
- Where the data comes from
- What format will you deliver it in
- Graphs, charts and other wasted information
- KEEP IT SIMPLE!!!!!!!!!

Page 10

Why

- Qualify actual costs
- What is the business risk
- What is the technical risk and why are they different
- Justify projects and their spend
- Cost Avoidance

Page 11

Who

- Who is your target audience
  - Management
  - Non-Management
  - Technical
  - Other
- Who supports putting the data together
- What is your source
- Don’t make up data

Page 12

How

- Define what you’re analyzing
- Define your attack vectors (more is better)
- Define the potential impact – What is going to be lost
- Define your costs and do the math
- DON’T INFLATE YOUR NUMBERS – Use realistic numbers

Page 13

PTA – Practical Threat Analysis

A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system.

- Assets
- Threats
- Vulnerabilities
- Countermeasures
- Implemented Countermeasures
- Entry Points
- Attacker Types
- Tags

Page 14

PTA

Page 15

PTA

Page 16

Privacy Breach Impact Calculator – Information Shield

Page 17

Tech//404 Data Loss Cost Calculator - Data

Page 18

Tech//404 Data Loss Cost Calculator - Graph

Page 19

Example 1 – Database Lost

Stolen Laptop

Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients’ information that includes all their contact, billing and purchasing records.

His laptop is “stolen” out of the trunk of his car on a Friday night while he is in having a beer with some friends. He does not notice it’s gone until Monday morning when he gets back to work.

Page 20

Analysis

- 400 clients – Name, Address, Account Number – Credit Card Number
- Direct Loss - Notification - Legal fees - Fines
- Ponemon Institute (per record costs)
  - $140 – Notification / Credit service
  - $94 – Reputation damage (lost customers, new customers, loss of data, etc.)
  - $134 per record
  - $53,600 - Total loss cost per incident
- Cost to encrypt a Laptop – $389 PGP
- Cost if the workstation has Vista - $0

Page 21

Calculating odds of occurrence

- 1 in 14 laptops will be stolen in 2007 – FBI
- 85 employees carry laptops with client data on them.
- 6 laptops will be lost or stolen annually
- $321,600 loss potential (bottom line impact)
- $33,065 to encrypt all laptops
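The SLE and ALE formulas from Pages 7 and 8, carried through the stolen-laptop figures of Pages 19 to 21, as an added example; this code is not from the presentation or from any tool it mentions. It uses only the deck's own numbers (400 records per laptop, $134 per record, 85 laptops, a 1-in-14 annual theft rate, $389 per laptop for PGP) and follows the deck in rounding the expected number of stolen laptops down to a whole number. The function and class names (`Scenario`, `net_benefit`, `within_acceptable_ale`, and so on) are this example's own, and the net-benefit comparison of one year's avoided loss against the one-time encryption cost is an assumption drawn from the two totals the deck puts side by side.

```python
"""Worked SLE / ALE calculation using the deck's stolen-laptop figures.

Added example: the constants are the slides' numbers, the structure is
this example's own.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    records_per_device: int                # NA: number of assets (client records) on one laptop
    cost_per_record: float                 # AV: dollar value assigned to one record
    devices: int                           # population exposed to the threat
    annual_theft_rate: float               # fraction of devices expected to be stolen per year
    countermeasure_cost_per_device: float  # one-time cost to encrypt one laptop


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = NA x AV (Page 8): the loss from one laptop going missing."""
    return s.records_per_device * s.cost_per_record


def annual_rate_of_occurrence(s: Scenario) -> int:
    """ARO: losses per year. The deck rounds 85 / 14 down to 6 laptops."""
    return math.floor(s.devices * s.annual_theft_rate)


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO (Page 7)."""
    return single_loss_expectancy(s) * annual_rate_of_occurrence(s)


def countermeasure_cost(s: Scenario) -> float:
    """One-time cost to encrypt every exposed laptop."""
    return s.devices * s.countermeasure_cost_per_device


def net_benefit(s: Scenario) -> float:
    """Year-one loss avoided minus what the countermeasure costs.

    Assumption (this example's, implied by the deck): full-disk encryption
    removes the per-record breach cost of a stolen laptop; the theft itself
    still happens, so hardware replacement is not counted either way.
    """
    return annual_loss_expectancy(s) - countermeasure_cost(s)


def within_acceptable_ale(s: Scenario, aale: float) -> bool:
    """Page 7 asks whether you have an Acceptable Annual Loss Expectancy (AALE);
    this compares the computed ALE against one."""
    return annual_loss_expectancy(s) <= aale


# Constructed from the deck's figures on Pages 20 and 21.
STOLEN_LAPTOP = Scenario(
    records_per_device=400,
    cost_per_record=134.0,
    devices=85,
    annual_theft_rate=1 / 14,
    countermeasure_cost_per_device=389.0,  # PGP; the deck quotes $0 when Vista is already present
)

if __name__ == "__main__":
    s = STOLEN_LAPTOP
    print(f"SLE per laptop:        ${single_loss_expectancy(s):,.0f}")
    print(f"ARO (laptops / year):  {annual_rate_of_occurrence(s)}")
    print(f"ALE:                   ${annual_loss_expectancy(s):,.0f}")
    print(f"Encrypt all laptops:   ${countermeasure_cost(s):,.0f}")
    print(f"Net benefit, year one: ${net_benefit(s):,.0f}")
```

Running it reproduces the deck's $53,600 per incident, 6 laptops per year, $321,600 loss potential and $33,065 encryption cost. Swapping the constructed `Scenario` for your own counts is the whole exercise the "How" slide describes: define what is at risk, define the vectors, assign realistic per-record costs, and do the math.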

Page 22

For More Information

Resources
- Ponemon Institute - www.vontu.com/uploadedFiles/global/Ponemon-Vontu_US_Survey-Data_at-Risk.pdf
- FBI – Crime statistics and CSI report - http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
- Gartner - http://www.gartner.com/
- Wikipedia - http://en.wikipedia.org/wiki/Main_Page
- Security Focus - http://www.securityfocus.com/infocus/1608
- PTA – Practical Threat Analysis – http://ptatechnologies.com

Calculators
- Information Shield - http://www.informationshield.com/privacybreachcalc.html
- Tech 404 – http://www.tech-404.com/calculator.html

Page 23

Questions
And
Answers

Contact Info: [email protected]