Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

Business Impact Assessments and Risk Assessments lay the foundation for a successful Disaster Recovery and Business Continuity program. This presentation will examine the elements of the assessments and focus on how the assessment results help a business determine areas of risk and potential impact to their business when things go wrong. Audience members will participate in an assessment exercise.

Susan Kastan, Kastan Consulting

Susan Kastan has worked over 20 years in the information technology field with experience in business continuity planning, security analysis, systems development, and project management.

She is currently focused on developing business continuity and disaster recovery plans for companies and associations. Susan has experience in all areas of the business continuity life cycle including risk and business continuity assessments, business impact analysis, plan development, training, testing, and plan maintenance. She also writes information security policies and procedures providing organizations the necessary framework to secure their information systems.

Penny Klein, PJKlein Consulting

Penny Johnson Klein has been in the Information Assurance field for over 20 years and is a recognized expert in the field. During her career, she has provided support for various Department of Defense (DOD) Agencies, Federal Agencies, and the Private Sector. She spent 14 years with DOD, with 13 of those years in the Information Assurance arena, assisting in the development of security policies, processes, and procedures. She was one of the prime authors of the DOD Information Technology Security Certification and Accreditation Process (DITSCAP), and contributor to the National Information Assurance Certification and Accreditation Process (NIACAP). In addition, Ms. Klein has directed numerous successful Security Test and Evaluations and has developed information security programs.

Published in: Technology, Business

Business Impact and Risk Assessments in Business Continuity and Disaster Recovery

  1. October 20, 2010. Presented by: Susan Kastan, Penny Klein
  2. Bio
     • Susan Kastan has been in the information technology field for 20+ years and currently specializes in Business Continuity. She has developed numerous security policies, procedures and plans for government, association and private industry clients.
     • Penny Klein brings 20+ years of information assurance experience, specializing in IA policies. She has developed a Business Contingency Program for a major association, as well as policies, procedures and plans for numerous government and private industries.
     October 20, 2010, Kastan Consulting/PJKlein Consulting
  3. Business Continuity
     • Business Continuity: the smooth continuation of business activity despite an interruption of service
     • No size restrictions
     • Tailored to environment
     • Information technology as well as personnel and processes
  4. Business Continuity
     • In the event an incident occurs:
       • Operations are likely to be disrupted
       • Offices are likely to be closed down or destroyed
       • People may get hurt or killed
       • People are likely to have their employment disrupted
  5. Risk Assessment
     • Risk Assessment: activities that discover an organization's vulnerabilities, threats and impact. Additionally, it identifies the countermeasures to mitigate the risk, the associated costs, and the risk tolerance (risk the organization is willing to accept).
  6. Business Impact Assessment
     • Business Impact Assessment (BIA): analyzes mission criticality of all enterprise functions, the current threats, and the consequences of losing some or all of these functions.
     • Also known as Business Impact Analysis
  7. Steps in Business Continuity
     • Conduct Risk Assessment
     • Conduct BIA
     • Develop and Document
     • Train & Test
     • Implement
     • Maintain
  8. Risk Assessment
     • Purpose of a Risk Assessment
       • Identifies current threats
       • Identifies current vulnerabilities
       • Identifies the impact of the threats to the vulnerabilities
       • Provides for Risk Management, that is, what risk the organization is willing to accept, reduce/correct, or transfer
  9. Business Impact Assessment
     • Identifies:
       • Mission Critical and Mission Essential Requirements
       • Recovery Phases
       • Critical Factors
       • Assumptions
       • Evaluation Criteria
       • Critical Dependencies
       • Recommendations
  10. Business Impact Assessment
     • Benefits
       • Raises senior management's awareness of the state of their business and helps to justify the need for a business continuity plan
       • Ensures that a suitable business continuity strategy and effective business continuity plan will be developed
       • Identifies and prioritizes recovery of mission critical business functions and processes
  11. Business Impact Assessment
     • Benefits, cont'd
       • Identifies requirements for recovery of critical IT systems, applications, vital records, equipment and resources
       • Identifies extent of financial impact
       • Identifies extent of operational impact
  12. Business Impact Assessment
     • Process
       • Awareness
         • Provide to Management and Team
         • Ensure buy-in to the process
       • Data Gathering
         • Management's vision
         • Interviews and/or general surveys
       • Threat Analysis and Requirements Analysis
       • Reviews
         • Department review
         • Senior management review
       • Evaluation and Recommendation
         • Build recovery plans for "time sensitive"/mission critical processes
  13. Business Impact Assessment
     • Awareness
       • Brief Senior Management and Stakeholders
         • GET BUY-IN
         • Provide a high level overview of the process
         • Identify benefits
       • Reference guide
         • Useful and easy to follow presentation of the data collected
         • Comprehensive view of all the requirements
         • Requirements guide for developing and implementing risk mitigation strategies
         • Provides validation and justification for funding all BCP requirements
  14. Business Impact Assessment
     • Gather data
       • Business processes
       • Resources
       • Interdependencies
       • Impacts over time
         • Maximum Allowable Downtime (MAD)
         • Recovery Time Objective (RTO)
         • Recovery Point Objective (RPO)
  15. Business Impact Assessment
     • Determine the impact of scenarios on processes
       • Loss of key people
       • Loss of location
       • Loss of power
       • Loss of communications
       • Loss of technology
       • Loss of information
  16. Business Impact Assessment
     • Impact types/categories
       • Financial
       • Legal/regulatory
       • Customer loss/dissatisfaction
       • Reputation impact
       • Time sensitive material
  17. Business Impact Assessment
     • Low: may result in the loss of some tangible assets or resources, or may noticeably affect an organization's mission, reputation, or interest.
     • Medium: may result in the costly loss of tangible assets or resources; may violate, harm, or impede an organization's mission, reputation, or interest; or may result in human injury.
     • Based on NIST 800-30
  18. Business Impact Assessment
     • High: may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization's mission, reputation, or interest; or may result in human death or serious injury.
     • Based on NIST 800-30
  19. Business Impact Assessment
     • Department Review
       • Changes
       • Inaccuracies/misinterpretation
       • Verify timelines are correct
         • RTO
         • RPO
         • MAD
  20. Business Impact Assessment
     • Senior Management Review
       • Prioritize for entire company
       • Determine path forward based on
         • Cost
         • Speed of Recovery
         • Quality
         • Impacts to business
  21. Business Impact Assessment
     • Follow On
       • Take what you've learned and build out the Business Continuity Plan
       • BIA is the basis for the risk decisions
       • Start with the most critical or time sensitive
  22. Exercise
     • Santa attended a conference in January about business continuity.
     • He wants to put a business continuity plan in place.
     • It's a little later than he would like, but he would like to start with the Business Impact Assessments.
     • Our goal:
       • Identify critical processes
       • Create list of top 10
  23. Exercise
     • Santa delivers 2 toys (or coal) to all children around the globe who believe in him
     • 24 hours to do it
     • Santa is the President of Santa's Workshop, Inc.
     • 151,000+ employees
     • Week before (and Christmas day) is critical to him
     • Everyone believes what they do is critical to operations
     • A little bit of technology helps!
  24. Contact Information
     • Penny Klein, PJKlein Consulting, LLC, Penny.Klein@ , 703.901.1932
     • Susan Kastan, Kastan Consulting, LLC, Susan.Kastan@ , 585.724.0804
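The slides on data gathering (MAD, RTO, RPO per process), NIST 800-30 impact levels, the department review's timeline check, and the closing "top 10" exercise describe one procedure. The script below is an added worked example, not material from the presentation or the presenters: it records each process with its recovery timelines and per-category impact level, flags the two inconsistencies a department review should catch (an RTO longer than the MAD, and a process whose RTO is shorter than that of a process it depends on), and ranks processes by impact with MAD as the tie-breaker to produce the top-N list. The process names, hours and impact levels for Santa's Workshop are constructed sample data; the scoring (sum of category scores) is a simple assumed scheme, not one the slides prescribe.

```python
"""Rank business processes for a BIA from impact levels and recovery timelines.

Added example, not from the presentation. Process records, hours and impact
levels below are constructed sample data for the Santa's Workshop exercise.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Impact magnitudes in the style of NIST SP 800-30 (slides 17-18).
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}

# Impact categories from slide 16.
CATEGORIES = ("financial", "legal", "customer", "reputation", "time_sensitive")


@dataclass
class Process:
    name: str
    mad_hours: float            # Maximum Allowable Downtime
    rto_hours: float            # Recovery Time Objective
    rpo_hours: float            # Recovery Point Objective (data loss tolerance)
    impacts: Dict[str, str]     # category -> "low" | "medium" | "high"
    depends_on: List[str] = field(default_factory=list)


def impact_score(p: Process) -> int:
    """Assumed scheme: sum the category scores. Unknown categories are rejected."""
    total = 0
    for category, level in p.impacts.items():
        if category not in CATEGORIES:
            raise ValueError(f"{p.name}: unknown impact category {category!r}")
        total += IMPACT_SCORE[level]
    return total


def validate(processes: List[Process]) -> List[str]:
    """Findings the department review (slide 19) should resolve before ranking."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        # A recovery target that exceeds the tolerable outage is not a plan.
        if p.rto_hours > p.mad_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAD {p.mad_hours}h")
        # A process cannot be back sooner than the processes it depends on.
        for dep in p.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{p.name}: depends on unknown process {dep!r}")
            elif d.rto_hours > p.rto_hours:
                findings.append(
                    f"{p.name}: RTO {p.rto_hours}h is not achievable because "
                    f"dependency {dep} recovers in {d.rto_hours}h"
                )
    return findings


def rank(processes: List[Process]) -> List[Tuple[str, int, float]]:
    """Highest impact first; ties broken by the shortest MAD (most time sensitive)."""
    scored = [(p.name, impact_score(p), p.mad_hours) for p in processes]
    return sorted(scored, key=lambda t: (-t[1], t[2], t[0]))


def top_n(processes: List[Process], n: int = 10) -> List[str]:
    """Names of the n most critical processes, for the 'top 10' exercise."""
    return [name for name, _, _ in rank(processes)[:n]]


# Constructed sample data (hours).
SAMPLE = [
    Process("Sleigh dispatch", 24, 4, 1,
            {"time_sensitive": "high", "customer": "high", "reputation": "high"},
            depends_on=["Naughty/nice list"]),
    Process("Naughty/nice list", 24, 8, 24,
            {"time_sensitive": "high", "customer": "medium"}),
    Process("Toy production", 168, 48, 24,
            {"financial": "high", "time_sensitive": "medium"}),
    Process("Payroll", 336, 72, 24,
            {"legal": "medium", "financial": "low"}),
    Process("Gift shop website", 72, 96, 8,
            {"financial": "low", "reputation": "low"}),
]

if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print("REVIEW:", finding)
    for name, score, mad in rank(SAMPLE):
        print(f"{score:2d}  MAD {mad:>5}h  {name}")
```

Run on the sample, the review step reports that "Sleigh dispatch" cannot meet a 4-hour RTO while the list it depends on takes 8 hours, and that the gift shop's 96-hour RTO exceeds its 72-hour MAD; the ranking places the two 24-hour-MAD processes ahead of toy production even though production carries the same impact score, which is the "start with the most critical or time sensitive" rule from slide 21.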