This chapter is from the book
This chapter is from the book
This chapter is from the book
Business Impact Analysis
Business impact analysis (BIA) is the process of determining the potential impacts resulting from the interruption of time-sensitive or critical business processes. IT risk assessment, as well as planning for both disaster recovery and operational continuity, relies on conducting a BIA as part of the overall plan to ensure continued operations and the capability to recover from disaster. The BIA focuses on the relative impact of the loss of operational capability on critical business functions. Conducting a business impact analysis involves identifying critical business functions and the services and technologies required for them, along with determining the associated costs and the maximum acceptable outage period.
For hardware-related outages, the assessment should also include the current age of existing solutions, along with standards for the expected average time between failures, based on vendor data or accepted industry standards. Planning strategies are intended to minimize this cost by arranging recovery actions to restore critical functions in the most effective manner based on cost, legal or statutory mandates, and calculations of the mean time to restore.
A business impact analysis is a key component in ensuring continued operations. For that reason, it is a major part of a business continuity plan (BCP) or continuity of operations plan (COOP) as well. The focus is on ensuring the continued operation of key mission and business processes. U.S. government organizations commonly use the term mission-essential functions to refer to functions that need to be immediately functional at an alternate site until normal operations can be restored. Essential functions for any organization require resiliency. Organizations also must identify the dependent systems for both the functions and the processes that are critical to the mission or business.
A BCP must identify critical systems and components. If a disaster is widespread or targets an Internet service provider (ISP) or key routing hardware point, an organization’s continuity plan should detail options for alternate network access. This should include dedicated administrative connections that might be required for recovery. Continuity planning should include considerations for recovery in case existing hardware and facilities are rendered inaccessible or unrecoverable. It should also consider the hardware configuration details, network requirements, and utilities agreements for alternate sites.
RTO and RPO
Recovery point objective (RPO) and recovery time objective (RTO) are important concepts of the BCP and form part of the broader risk management strategy. RPO, which specifically refers to data backup capabilities, is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the BCP’s maximum allowable threshold. Simply put, RPO specifies the allowable data loss. It determines up to what point in time data recovery can happen before business is disrupted. For example, if an organization does a backup at 10:00 p.m. every day and an incident happens at 7:00 p.m. the following day, everything that changed since the last backup would be lost. The RPO in this context is the backup from the previous day. If the organization set the threshold at 24 hours, the RPO would be within the threshold because it is less than 24 hours.
The RTO is the amount of time within which a process must be restored after a disaster to meet business continuity requirements. The RTO is how long the organization can go without a specific application; it defines how much time is needed to recover after a notification of process disruption.
MTTF, MTBF, and MTTR
When systems fail, one of the first questions asked is, “How long will it take to get things back up?” It is better to know the answer to such a question before disaster strikes than to try to find the answer afterward. Fortunately, established mechanisms can help you determine this answer. Understanding these mechanisms is a big part of the overall analysis of business impact.
Mean time to failure (MTTF) is the length of time a device or product is expected to last in operation. It represents how long a product can reasonably be expected to perform, based on specific testing. MTTF metrics supplied by vendors about their products or components might not have been collected by running one unit continuously until failure. Instead, MTTF data is often collected by running many units for a specific number of hours and then is calculated as an average based on when the components fail.
MTTF is one of many ways to evaluate the reliability of hardware or other technology and is extremely important when evaluating mission-critical systems hardware. Knowing the general reliability of hardware is vital, especially when it is part of a larger system. MTTF is used for nonrepairable products. When MTTF is used as a measure, repair is not an option.
Mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent repairing components or waiting for repairs. MTBF is intended to measure only the time a component is available and operating. MTBF is similar to MTTF, but it is important to understand the difference. MTBF is used for products that can be repaired and returned to use. MTTF is used for nonrepairable products. MTBF is calculated as a ratio of the cumulative operating time to the number of failures for that item.
MTBF ratings can be predicted based on product experience or data supplied by the manufacturer. MTBF ratings are measured in hours and are often used to determine the durability of hard drives and printers. For example, typical hard drives for personal computers have MTBF ratings of about 500,000 hours.
These risk calculations help determine the life spans and failure rates of components. These calculations help an organization measure the reliability of a product.
One final calculation assists with understanding approximately how long a repair will take on a component that can be repaired. The mean time to repair (MTTR; also called mean time to recovery) is the average time required to fix a failed component or device and return it to production status. MTTR is corrective maintenance. The calculation includes preparation time, active maintenance time, and delay time. Because of the uncertainty of these factors, MTTR is often difficult to calculate. In order to reduce the MTTR, some systems have redundancy built in so that when one subsystem fails, another takes its place and keeps the whole system running.
CRAM QUIZ
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this chapter again until you can.
1. Which of the following is the monetary loss that can be expected for an asset from risk over a year?
A. ALE
B. SLE
C. ARO
D. BIA
2. Your manager needs to know, for budgetary purposes, the average life span for each of the firewall appliances. Which of the following should you provide?
A. MTBF
B. RPO
C. RTO
D. MTTF
3. An organization is increasingly subject to compliance regulations and is making strong efforts to comply with them but is still concerned about issues that might occur. Management decides to buy insurance to help cover the costs of a potential breach. Which of the following risk response techniques is the organization using?
A. Avoidance
B. Transference
C. Acceptance
D. Mitigation
4. Which of the following equations best represents the proper assessment of exposure to danger?
A. Risk = Threat × Vulnerability × Impact
B. Impact = Risk × Threat × Vulnerability
C. Vulnerability = Threat × Risk × Impact
D. Threat = Risk × Impact × Vulnerability
5. A security analyst needs a single point of entry to record information about identified risks to his organization. What will allow him to do this?
A. ALE
B. Risk register
C. SLE
D. ARO
6. Which type of risk assessment uses a risk matrix/heatmap that plots the probability of risks using a scale of low, medium, or high?
A. Quantitative
B. Adversarial
C. Qualitative
D. Environmental
7. If a single loss expectancy is $25,000 and the annual rate of occurrence is .5, what is the annual loss expectancy?
A. $12,500
B. $25,000
C. $5,000
D. $2,500
Cram Quiz Answers
Answer 1: A. The annual loss expectancy (ALE) is the monetary loss that can be expected for an asset from risk over a 1-year period. It is calculated by multiplying the single loss expectancy by the annual rate of occurrence (that is, SLE × ARO). Therefore, answers B and C are incorrect. Answer D is incorrect because this is a business impact analysis, which is the process for determining potential impacts resulting from the interruption of business processes.
Answer 2: D. The mean time to failure (MTTF) is the length of time a device or product is expected to last in operation. It represents how long a product can reasonably be expected to perform, based on specific testing. Answer A is incorrect because the mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent repairing components or waiting for repairs. Answers B and C are incorrect because RPO and RTO are used for risk-mitigation planning. The recovery point objective (RPO) specifies the allowable data loss. The recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity requirements.
Answer 3: B. Insurance is a classic example of transferring risk. Answers A, C, and D are incorrect because none of them transfers the risk from one organization to another.
Answer 4: A. Risk is a function of threats, vulnerabilities, and potential impact. Assessing the level of risk is often portrayed through the simple equation Risk = Threat × Vulnerability × Impact. Answers B, C, and D are incorrect because threat, vulnerability, and impact are considered together to provide an appropriate measure of risk.
Answer 5: B. A risk register is a strategic component for organizations. The register also helps ensure that an organization’s risk tolerance and appetite are correctly aligned with the goals of the business. A risk register provides a single point of entry to record information about identified risks to the organization. Answer A is incorrect because the annual loss expectancy (ALE) is the monetary loss that can be expected for an asset from risk over a one-year period. Answer C is incorrect because single loss expectancy (SLE) is the expected monetary loss every time a risk occurs. Answer D is incorrect because the annual rate of occurrence (ARO) is the estimated possibility of a specific threat taking place in a 1-year time frame.
Answer 6: C. Qualitative risk assessment can involve brainstorming, focus groups, surveys, and other similar processes to determine asset worth and valuation to the organization. Uncertainty is also estimated, allowing for a relative projection of qualitative risk for each threat, based on its position in a risk matrix/heat map that plots the probability (very low to very high) and impact (very low to very high). Numeric values can be assigned to each state (very low = 1, low = 2, moderate = 3, and so on) to perform a quasi-quantitative analysis, but because the categories are subjectively assigned, the result remains qualitative. Answer A is incorrect because a quantitative assessment is less subjective, and the process requires assigning a value to all the various components. To perform a quantitative risk assessment, an estimation of potential losses is calculated. Answers B and D are incorrect because these terms describe threat source types, which can be adversarial, accidental, structural, or environmental, for example.
Answer 7: A. The annual loss expectancy (ALE) is the monetary loss that can be expected for an asset from risk over a 1-year period. ALE equals the single loss expectancy (SLE) times the annual rate of occurrence (ARO): that is, SLE × ARO = ALE. So, if the SLE is $25,000 and the ARO is .5, the ALE is $12,500 (that is, $25,000 × .5 = $12,500). Therefore, Answers B, C, and D are incorrect.