Business Impact Assessments and Risk Assessments lay the foundation for a successful Disaster Recovery and Business Continuity program. This presentation will examine the elements of the assessments and focus on how the assessment results help a business determine areas of risk and potential impact to their business when things go wrong. Audience members will participate in an assessment exercise. Susan Kastan, Kastan Consulting Susan Kastan has worked over 20 years in the information technology field with experience in business continuity planning, security analysis, systems development, and project management. She is currently focused on developing business continuity and disaster recovery plans for companies and associations. Susan has experience in all areas of the business continuity life cycle including risk and business continuity assessments, business impact analysis, plan development, training, testing, and plan maintenance. She also writes information security policies and procedures providing organizations the necessary framework to secure their information systems. Penny Klein, PJKlein Consulting Penny Johnson Klein has been in the Information Assurance field for over 20 years and is a recognized expert in the field. During her career, she has provided support for various Department of Defense (DOD) Agencies, Federal Agencies, and the Private Sector. She spent 14 years with DOD, with 13 of those years in the Information Assurance arena, assisting in the development of security policies, processes, and procedures. She was one of the prime authors of the DOD Information Technology Security Certification and Accreditation Process (DITSCAP), and contributor to the National Information Assurance Certification and Accreditation Process (NIACAP). In addition, Ms. Klein has directed numerous successful Security Test and Evaluations and has developed information security programs.

1. October 20, 2010
Presented By:
Susan Kastan
Penny Klein

2. Bio
 Susan Kastan has been in the information technology
field for 20+ years, and currently specializes in
Business Continuity. She has developed numerous
security policies, procedures and plans for various
government, association and private industry.
 Penny Klein brings 20+ years of information
assurance experience, specializing in IA policies. She
has developed a Business Contingency Program for a
major association, as well as policies, procedures and
plans for numerous government and private industries
October 20, 2010 2Kastan Consulting/PJKlein Consulting

3. Business Continuity
 Business Continuity – The smooth continuation of
business activity despite an interruption of service
 No size restrictions
 Tailored to environment
 Information technology as well as personnel and
processes
October 20, 2010 3Kastan Consulting/PJKlein Consulting

4. Business Continuity
 In the event a incident occurs:
 Operations are likely to be disrupted
 Offices are likely to be closed down or destroyed
 People may get hurt or killed
 People are likely to have their employment disrupted
October 20, 2010 4Kastan Consulting/PJKlein Consulting

5. Risk Assessment
 Risk Assessment – Activities that discover an
organization's vulnerabilities, threats and impact.
Additionally , it identifies the countermeasure to
mitigate the risk, the associated costs, and the risk
tolerance (risk the organization is willing to accept)
October 20, 2010 5Kastan Consulting/PJKlein Consulting

6. Business Impact Assessment
 Business Impact Assessment (BIA) - Analyzes
mission criticality of all enterprise functions, the
current threats, and consequences of losing some or all
of these functions.
 Also known as Business Impact Analysis
October 20, 2010 6Kastan Consulting/PJKlein Consulting

7. Steps in Business Continuity
 Conduct Risk Assessment
 Conduct BIA
 Develop and Document
 Train & Test
 Implement
 Maintain
October 20, 2010 7Kastan Consulting/PJKlein Consulting

8. Risk Assessment
 Purpose of a Risk Assessment
 Identifies current threats
 Identifies current vulnerabilities
 Identifies impact of the threats to the vulnerabilities
 Provides for Risk Management, that is, what risk is the
organization willing to accept, reduce/correct, or
transfer
October 20, 2010 8Kastan Consulting/PJKlein Consulting

9. Business Impact Assessment
 Identifies:
 Mission Critical and Mission Essential Requirements
 Recovery Phases
 Critical Factors
 Assumptions
 Evaluation Criteria
 Critical Dependencies
 Recommendations
October 20, 2010 9Kastan Consulting/PJKlein Consulting

10. Business Impact Assessment
 Benefits
 Raises senior management’s awareness of the state of
their business and helps to justify the need for a
business continuity plan
 Ensures that a suitable business continuity strategy and
effective business continuity plan will be developed
 Identifies and prioritizes recovery of mission critical
business functions and processes
October 20, 2010 10Kastan Consulting/PJKlein Consulting

11. Business Impact Assessment
 Benefits – cont’d
 Identifies requirements for recovery of critical IT
systems, applications, vital records, equipment and
resources
 Identifies extent of financial impact
 Identifies extent of operational impact
October 20, 2010 11Kastan Consulting/PJKlein Consulting

12. Business Impact Assessment
 Process
 Awareness
 Provide to Management and Team
 Ensure buy-in to the process
 Data Gathering
 Management’s vision
 Interviews and/or general surveys
 Threat Analysis and Requirements Analysis
 Reviews
 Department review
 Senior management review
 Evaluation and Recommendation
 Build recovery plans for “time sensitive”/mission critical plans
October 20, 2010 12Kastan Consulting/PJKlein Consulting

13. Business Impact Assessment
 Awareness
 Brief Senior Management and Stakeholders
 GET BUY-IN
 Provide a high level overview of the process
 Identify benefits
 Reference guide
 Useful and easy to follow presentation of the data collected
 Comprehensive view of all the requirements
 Requirements guide for developing and implementing risk
mitigation strategies
 Provides validation and justification for funding all BCP
requirements
October 20, 2010 13Kastan Consulting/PJKlein Consulting

14. Business Impact Assessment
 Gather data
 Business processes
 Resources
 Interdependencies
 Impacts over time
 Maximum Allowable Downtime (MAD)
 Recovery Time Objective (RTO)
 Recovery Point Objective (RPO)
October 20, 2010 14Kastan Consulting/PJKlein Consulting

15. Business Impact Assessment
 Determine the impact of scenarios on processes
 Loss of key people
 Loss of location
 Loss of power
 Loss of communications
 Loss of technology
 Loss of information
October 20, 2010 15Kastan Consulting/PJKlein Consulting

16. Business Impact Assessment
 Impact types/categories
 Financial
 Legal/regulatory
 Customer loss/dissatisfaction
 Reputation impact
 Time sensitive material
October 20, 2010 16Kastan Consulting/PJKlein Consulting

17. Business Impact Assessment
 Low - May result in the loss of some tangible
assets or resources or may noticeably affect an
organization’s mission, reputation, or interest.
 Medium - May result in the costly loss of tangible
assets or resources; may violate, harm, or impede
an organization’s mission, reputation, or interest;
or may result in human injury.
Based on NIST 800-30
October 20, 2010 17Kastan Consulting/PJKlein Consulting

18. Business Impact Assessment
 High - May result in the highly costly loss of major
tangible assets or resources; may significantly
violate, harm, or impede an organization’s
mission, reputation, or interest; or may result in
human death or serious injury.
Based on NIST 800-30
October 20, 2010 18Kastan Consulting/PJKlein Consulting

19. Business Impact Assessment
 Department Review
 Changes
 Inaccuracies/ misinterpretation
 Verify timelines are correct
 RTO
 RPO
 MAD
October 20, 2010 19Kastan Consulting/PJKlein Consulting

20. Business Impact Assessment
 Senior Management Review
 Prioritize for entire company
 Determine path forward based on
 Cost
 Speed of Recovery
 Quality
 Impacts to business
October 20, 2010 20Kastan Consulting/PJKlein Consulting

21. Business Impact Assessment
 Follow On
 Take what you’ve learned and build out the Business
Continuity Plan
 BIA is the basis for the risk decisions
 Start with most critical or time sensitive
October 20, 2010 21Kastan Consulting/PJKlein Consulting

22. Exercise
 Santa attended a conference in January about business
continuity.
 He wants to put a business continuity plan in place.
 It’s a little later than he would like, but he would like to
start with the Business Impact Assessments.
 Our goal:
 Identify critical processes
 Create list of top 10
October 20, 2010 22Kastan Consulting/PJKlein Consulting

23. Exercise
 Santa delivers 2 toys (or coal) to all children around
the globe who believe in him
 24 hours to do it
 Santa is the President of Santa’s Workshop, Inc.
 151,000+ employees
 Week before (and Christmas day) is critical to him
 Everyone believes what they do is critical to operations
 A little bit of technology helps!
October 20, 2010 Kastan Consulting/PJKlein Consulting 23

24. Contact Information
Penny Klein
PJKlein Consulting, LLC
Penny.Klein@
pjkleinllc.com
www.pjkleinllc.com
703.901.1932
Susan Kastan
Kastan Consulting, LLC
Susan.Kastan@
kastanconsulting.com
www.kastanconsulting.com
585.724.0804
October 20, 2010 24Kastan Consulting/PJKlein Consulting