CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [153]
Calculating a time frame for critical systems loss How long can the organization survive without a critical function? Some functions in an organization don’t require immediate action; others do. Which functions must be reestablished, and in what time frame? If your business is entirely dependent on its web presence and is e-commerce oriented, how long can the website stay inoperable? Your organization should identify the maximum time that each critical function can be unavailable. That figure dictates the contingency measures that must be in place to keep losses within bounds if the allowable period is exceeded.
Estimating the tangible and intangible impact on the organization Your organization will suffer losses in an outage. Some losses are tangible, such as lost production and lost sales. Intangible losses will also be a factor: for example, will customers lose faith in your service? Documenting both kinds of loss gives the company a far more realistic picture of how much a loss of service will truly cost.
A thorough BIA will accomplish several things for your organization. First, the true impact and damage that an outage will cause will be visible. Second, like insurance, understanding the true loss potential may help you in your fight for a budget. Third, and perhaps most important, the process will document what business processes are being used, the impact they have on the organization, and how to restore them quickly.
The BIA will have some power in the organization as the costs of an outage become known. People buy insurance not because they intend to have an accident, but in case they do. A BIA can help identify what insurance is needed in order for the organization to feel safe.
Assessing Risk
Risk assessment (also referred to as a risk analysis) primarily deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or information. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of its occurring. The key is to think outside the box: a conventional list of threats is often too narrow to support a thorough risk assessment.
The key components of a risk-assessment process are outlined here:
Risks to which the organization is exposed This component allows you to develop scenarios that help you evaluate how to deal with these risks should they occur. An operating system, server, or application may have known vulnerabilities that become real risks in certain environments. How will your organization deal with these risks, and what is the best way to respond?
Risks that need addressing The risk-assessment component also allows the organization to provide a reality check on which risks are real and which aren’t likely. This process helps the organization focus its resources on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a pack of wild dogs stealing the entire contents of the payroll file is very low. Therefore, resources should be allocated to prevent espionage or theft as opposed to the latter possibility.
Coordination with BIA The risk-assessment component, in conjunction with the BIA, provides the organization with an accurate picture of the situation facing it. It allows the organization to make intelligent decisions about how to respond to various scenarios.
Risk assessment can be either qualitative or quantitative. A quantitative assessment assigns dollar amounts to assets and losses; a qualitative assessment ranks risks on relative scales (such as low, medium, and high) without attaching monetary values. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all
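A worked quantitative assessment, added here as an example and not taken from the study guide: it applies the standard definitions SLE = AV × EF (asset value times exposure factor) and ALE = SLE × ARO, which are assumed here because the page's own statement of the formulas is cut off, ranks a small risk register by ALE, and checks whether a proposed safeguard pays for itself. The risk register, the dollar figures, and the safeguard costs are constructed for illustration (the payroll-file entry mirrors the earlier wild-dogs example) and are not data from the book.

```python
"""Quantitative risk assessment: SLE, ALE, ARO and a safeguard cost/benefit check.

Formulas (standard quantitative-risk definitions, assumed here because the
page's statement of them is truncated):
    SLE = AV * EF      single loss expectancy = asset value * exposure factor
    ALE = SLE * ARO    annual loss expectancy = SLE * annualized rate of occurrence
A safeguard is worth buying only when  ALE_before - ALE_after - annual_cost > 0.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO, expected incidents per year (0.1 = once per decade)

    def __post_init__(self) -> None:
        # Reject inputs that silently produce nonsense ALE figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")


def sle(risk: Risk) -> float:
    """Single loss expectancy: dollars lost in one occurrence."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annual loss expectancy: expected dollars lost per year."""
    return sle(risk) * risk.aro


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first; this is where resources should go."""
    return sorted(risks, key=ale, reverse=True)


def safeguard_value(risk: Risk, ef_after: float, aro_after: float,
                    annual_cost: float) -> float:
    """Net annual value of a control that lowers EF and/or ARO.

    Positive means the control saves more than it costs; negative means it is
    cheaper to accept the risk (or insure against it).
    """
    after = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return ale(risk) - ale(after) - annual_cost


# Constructed sample register; the figures are hypothetical, not from the page.
RISKS = [
    Risk("e-commerce site outage (DDoS)", asset_value=2_000_000,
         exposure_factor=0.05, aro=2.0),
    Risk("industrial espionage / data theft", asset_value=5_000_000,
         exposure_factor=0.30, aro=0.5),
    Risk("wild dogs steal the payroll file", asset_value=100_000,
         exposure_factor=1.0, aro=0.001),
]


if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:40s} SLE ${sle(r):>12,.0f}   ALE ${ale(r):>12,.0f}")

    # Hypothetical DLP/monitoring control for the espionage risk: $200k/year,
    # assumed to cut EF to 0.20 and ARO to 0.25.
    print("espionage control net value:",
          f"${safeguard_value(RISKS[1], 0.20, 0.25, 200_000):,.0f}")

    # A $5k/year fence that eliminates the wild-dogs risk entirely.
    print("dog fence net value:",
          f"${safeguard_value(RISKS[2], 1.0, 0.0, 5_000):,.0f}")
```

The ranking puts espionage (ALE $750,000) far ahead of the DDoS risk ($200,000) and the dogs ($100), which is the "reality check" the text describes expressed in dollars. The safeguard check shows the same logic applied to spending: the espionage control nets $300,000 a year, while the dog fence loses $4,900 a year because the risk it removes was never worth that much.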