Business Impact and Risk Assessments in Business Continuity and Disaster Recovery


Business Impact Assessments and Risk Assessments lay the foundation for a successful Disaster Recovery and Business Continuity program. This presentation will examine the elements of the assessments and focus on how the assessment results help a business determine areas of risk and potential impact to their business when things go wrong. Audience members will participate in an assessment exercise.

Susan Kastan, Kastan Consulting

Susan Kastan has worked over 20 years in the information technology field with experience in business continuity planning, security analysis, systems development, and project management.

She is currently focused on developing business continuity and disaster recovery plans for companies and associations. Susan has experience in all areas of the business continuity life cycle including risk and business continuity assessments, business impact analysis, plan development, training, testing, and plan maintenance. She also writes information security policies and procedures providing organizations the necessary framework to secure their information systems.

Penny Klein, PJKlein Consulting

Penny Johnson Klein has been in the Information Assurance field for over 20 years and is a recognized expert in the field. During her career, she has provided support for various Department of Defense (DOD) Agencies, Federal Agencies, and the Private Sector. She spent 14 years with DOD, with 13 of those years in the Information Assurance arena, assisting in the development of security policies, processes, and procedures. She was one of the prime authors of the DOD Information Technology Security Certification and Accreditation Process (DITSCAP), and contributor to the National Information Assurance Certification and Accreditation Process (NIACAP). In addition, Ms. Klein has directed numerous successful Security Test and Evaluations and has developed information security programs.

Presentation Transcript

  • October 20, 2010. Presented by: Susan Kastan, Penny Klein (Kastan Consulting/PJKlein Consulting)
  • Bio
    - Susan Kastan has been in the information technology field for 20+ years and currently specializes in Business Continuity. She has developed numerous security policies, procedures and plans for various government, association and private-industry clients.
    - Penny Klein brings 20+ years of information assurance experience, specializing in IA policies. She has developed a Business Contingency Program for a major association, as well as policies, procedures and plans for numerous government and private industries.
  • Business Continuity
    - Business Continuity: the smooth continuation of business activity despite an interruption of service
    - No size restrictions
    - Tailored to the environment
    - Information technology as well as personnel and processes
  • Business Continuity: in the event an incident occurs
    - Operations are likely to be disrupted
    - Offices are likely to be closed down or destroyed
    - People may get hurt or killed
    - People are likely to have their employment disrupted
  • Risk Assessment
    - Risk Assessment: activities that discover an organization's vulnerabilities, threats and impact. Additionally, it identifies the countermeasures to mitigate the risk, the associated costs, and the risk tolerance (the risk the organization is willing to accept).
  • Business Impact Assessment
    - Business Impact Assessment (BIA): analyzes the mission criticality of all enterprise functions, the current threats, and the consequences of losing some or all of these functions
    - Also known as Business Impact Analysis
  • Steps in Business Continuity
    - Conduct Risk Assessment
    - Conduct BIA
    - Develop and Document
    - Train & Test
    - Implement
    - Maintain
  • Risk Assessment: purpose of a Risk Assessment
    - Identifies current threats
    - Identifies current vulnerabilities
    - Identifies the impact of the threats to the vulnerabilities
    - Provides for Risk Management, that is, what risk the organization is willing to accept, reduce/correct, or transfer
  • Business Impact Assessment: identifies
    - Mission Critical and Mission Essential Requirements
    - Recovery Phases
    - Critical Factors
    - Assumptions
    - Evaluation Criteria
    - Critical Dependencies
    - Recommendations
  • Business Impact Assessment: benefits
    - Raises senior management’s awareness of the state of their business and helps to justify the need for a business continuity plan
    - Ensures that a suitable business continuity strategy and an effective business continuity plan will be developed
    - Identifies and prioritizes recovery of mission critical business functions and processes
  • Business Impact Assessment: benefits (cont’d)
    - Identifies requirements for recovery of critical IT systems, applications, vital records, equipment and resources
    - Identifies the extent of financial impact
    - Identifies the extent of operational impact
  • Business Impact Assessment: process
    - Awareness: provide to management and team; ensure buy-in to the process
    - Data gathering: management’s vision; interviews and/or general surveys
    - Threat analysis and requirements analysis
    - Reviews: department review; senior management review
    - Evaluation and recommendation: build recovery plans for “time sensitive”/mission critical processes
  • Business Impact Assessment: awareness
    - Brief senior management and stakeholders
    - GET BUY-IN
    - Provide a high level overview of the process
    - Identify benefits
    - Reference guide: a useful and easy-to-follow presentation of the data collected; a comprehensive view of all the requirements; a requirements guide for developing and implementing risk mitigation strategies; provides validation and justification for funding all BCP requirements
  • Business Impact Assessment: gather data
    - Business processes
    - Resources
    - Interdependencies
    - Impacts over time
    - Maximum Allowable Downtime (MAD)
    - Recovery Time Objective (RTO)
    - Recovery Point Objective (RPO)
  • Business Impact Assessment: determine the impact of scenarios on processes
    - Loss of key people
    - Loss of location
    - Loss of power
    - Loss of communications
    - Loss of technology
    - Loss of information
  • Business Impact Assessment: impact types/categories
    - Financial
    - Legal/regulatory
    - Customer loss/dissatisfaction
    - Reputation impact
    - Time sensitive material
  • Business Impact Assessment: impact levels (based on NIST 800-30)
    - Low: may result in the loss of some tangible assets or resources, or may noticeably affect an organization’s mission, reputation, or interest.
    - Medium: may result in the costly loss of tangible assets or resources; may violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human injury.
    - High: may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.
  • Business Impact Assessment: department review
    - Changes
    - Inaccuracies/misinterpretation
    - Verify timelines are correct: RTO, RPO, MAD
  • Business Impact Assessment: senior management review
    - Prioritize for the entire company
    - Determine the path forward based on cost, speed of recovery, quality, and impacts to the business
  • Business Impact Assessment: follow on
    - Take what you’ve learned and build out the Business Continuity Plan
    - The BIA is the basis for the risk decisions
    - Start with the most critical or time sensitive
  • Exercise
    - Santa attended a conference in January about business continuity.
    - He wants to put a business continuity plan in place.
    - It’s a little later than he would like, but he would like to start with the Business Impact Assessments.
    - Our goal: identify critical processes; create a list of the top 10
  • Exercise
    - Santa delivers 2 toys (or coal) to all children around the globe who believe in him
    - 24 hours to do it
    - Santa is the President of Santa’s Workshop, Inc.
    - 151,000+ employees
    - The week before (and Christmas day) is critical to him
    - Everyone believes what they do is critical to operations
    - A little bit of technology helps!
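The department-review timeline check and the senior-management prioritization described on the slides, worked through in code for the Santa's Workshop exercise. This is an added example, not material from the presentation or the presenters; the process names, impact ratings, RTO/MAD hours and dependencies are constructed sample data, and the "dependency must recover first" rule is an assumption added here rather than something the slides state.

```python
from dataclasses import dataclass

# NIST SP 800-30 magnitude-of-impact levels, as cited on the slides.
IMPACT_RANK = {"High": 3, "Medium": 2, "Low": 1}

@dataclass
class Process:
    name: str
    impact: str             # "Low", "Medium" or "High"
    rto_hours: float        # Recovery Time Objective
    mad_hours: float        # Maximum Allowable Downtime
    depends_on: tuple = ()  # upstream processes this one needs (assumed rule)

def timeline_issues(procs):
    """Department-review step: flag worksheet entries whose timelines cannot hold.
    An RTO later than the MAD is a planning error, as is an RTO shorter than a dependency's."""
    by_name = {p.name: p for p in procs}
    issues = []
    for p in procs:
        if p.impact not in IMPACT_RANK:
            issues.append(f"{p.name}: unknown impact level {p.impact!r}")
        if p.rto_hours > p.mad_hours:
            issues.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAD {p.mad_hours}h")
        for dep_name in p.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                issues.append(f"{p.name}: depends on unlisted process {dep_name!r}")
            elif dep.rto_hours > p.rto_hours:
                issues.append(f"{p.name}: RTO {p.rto_hours}h but dependency "
                              f"{dep_name} has RTO {dep.rto_hours}h")
    return issues

def recovery_order(procs):
    """Senior-management step: most critical or time sensitive first
    (higher impact, then shorter RTO, then shorter MAD)."""
    key = lambda p: (-IMPACT_RANK.get(p.impact, 0), p.rto_hours, p.mad_hours)
    return [p.name for p in sorted(procs, key=key)]

# Constructed sample worksheet for the slides' Santa's Workshop exercise.
WORKSHEET = [
    Process("Naughty/Nice list DB", "High", 4, 24, depends_on=("Workshop power",)),
    Process("Sleigh navigation", "High", 2, 12, depends_on=("Communications",)),
    Process("Communications", "High", 8, 12),
    Process("Workshop power", "High", 1, 4),
    Process("Reindeer feeding", "Medium", 36, 24),
    Process("Elf payroll", "Low", 120, 168),
]

if __name__ == "__main__":
    print(*timeline_issues(WORKSHEET), recovery_order(WORKSHEET), sep="\n")
```

Two of the constructed rows are deliberately inconsistent (a sleigh that must be navigable before its communications link is back, and a feeding schedule whose RTO is longer than the business can tolerate), which is exactly what the department review is meant to catch before the plan is built.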
  • Contact Information
    - Susan Kastan, Kastan Consulting, LLC: Susan.Kastan@kastanconsulting.com, www.kastanconsulting.com, 585.724.0804
    - Penny Klein, PJKlein Consulting, LLC: Penny.Klein@pjkleinllc.com, www.pjkleinllc.com, 703.901.1932