June 2004
WARNING
This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org or on +44 (0)20 7213 1745. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Table of contents

Part 1: Introduction
  This report
  Purpose of this report
  Who should read this report?
  Basis for this report

  Introduction
  Key characteristics of the ISF's approach to business impact assessment
  The business impact assessment process
  Tools and forms to help conduct a business impact assessment
Figure 1: Key steps and activities in the business impact assessment process
Part 1: Introduction
This report provides practical guidance on how to conduct effective, business-driven business impact assessments. It explains what a business impact assessment (BIA) is, outlines the sound business reasons why organisations should undertake them and highlights the key features of the business-driven approach that has been developed by the ISF. The report fully describes the steps and activities that need to be carried out in a business impact assessment (see Figure 1) and the tools and forms that should be used to support this undertaking. Significantly, the report also provides clear guidance on how to review the results of a business impact assessment and determine the next steps that should be taken to help ensure information risk is managed effectively. This report has evolved from the ISF's previous risk analysis methodologies, SARA and SPRINT, and has been designed to replace SARA Phase 2 (Identify business requirements for security) and SPRINT Phase 1 (Assess business risks).
This report

Purpose of this report

The purpose of this report is to help information risk analysts and information security practitioners carry out effective business impact assessments. In particular it will help them understand the:

- sound business reasons for carrying out business impact assessments
- forms and tools that should be used
- steps and activities that need to be undertaken to prepare for and conduct business impact assessments.

Who should read this report?

- information risk analysts and information security practitioners responsible for conducting business impact assessments
- information security managers planning programmes of work in information risk analysis
- auditors and risk specialists wishing to gain a better understanding of the business impact assessment of systems.

Basis for this report

- workgroups held with ISF Members to examine the issues and requirements of business impact assessment
- analysing information risk analysis and business impact assessment methodologies (including those developed by the ISF: SARA and SPRINT)
- third party experts on information risk analysis.
Part 2
Business impact assessment helps determine the business security requirements for a system and the appropriate next steps that need to be taken to protect information adequately. A business impact assessment is the first step in an overall process (the information risk analysis process) that enables effective security measures to be identified to help minimise the frequency and impact of damaging incidents (see Figure 2 below).
Business impact assessment is a business-driven undertaking that helps ensure the business need of the organisation for protecting information is clearly identified. In doing so it helps determine both the scope and the focus of all subsequent steps in the information risk analysis process.

Why undertake a business impact assessment?

Most organisations have to deal with a constant barrage of threats to information. These threats vary considerably, from malfunctions of hardware and software to internal misuse of systems and external attack (eg from hacking and viruses). Where threats to information are not effectively countered by measures such as preventative controls, incidents can and do occur. The ISF's 2003 Information Security Status Survey (the ISF Survey) shows that, on average, applications in the organisations that participated experienced 160 incidents per annum, or three incidents per working week. The business impact of these incidents upon organisations is considerable. Figure 3 below, which is based on data from the ISF Survey, shows the types of business impact that applications suffering incidents typically experience (see the ISF's report entitled Critical Business Applications: Improving Security).
Business impacts such as unforeseen costs, delayed deliveries to customers and reduction in staff morale/productivity directly affect the ability of an organisation to operate effectively and can have a significant cost implication (the average cost of most serious incidents recorded in the ISF Survey for critical business applications was $1.9 million). Details of the top three most serious incidents recorded for applications in the ISF Survey can be seen in Figure 4 below.
Figure 4: Top three costliest most serious incidents experienced by surveyed applications

The high percentage of organisations that experience serious business impacts and the high cost of incidents indicate that many organisations are not protecting their key business information adequately. Business impact assessment, as part of an effective information risk analysis process, helps organisations identify effective security measures to address this major business problem.

When to carry out a business impact assessment?

Business impact assessment should ideally be carried out during the development of new systems (eg at the initiation and design stages) as building in security at this stage is likely to be far more cost effective than adding it on later when a system is fully operational.
By undertaking a business impact assessment at the commencement of a new systems development project it is possible to ensure the business security requirements are clearly identified right from the outset. The outcome from a business impact assessment undertaken at this early stage should directly affect the degree of rigour and attention to detail that is applied during the development of the system (and the level of sign-off that is required). For systems that are already live, priority should be given to those that appear more important to the organisation. Guidelines for identifying and prioritising live systems for business impact assessment can be found in Part 3: Establishing a business impact assessment programme.
Part
Introduction
The ISF approach to business impact assessment is based on organisations using their own pre-defined, organisation-specific Business Impact Reference Table. This section of the report explains how an organisation can develop its own Business Impact Reference Table. A Business Impact Reference Table is a powerful yet relatively simple tool that enables business impact to be determined in an accurate and consistent manner throughout an organisation. Using business language and a straightforward approach that is easy to understand, it enables non-specialists to make well-informed judgements about the level of business impact that could occur in the event of an incident that compromises the confidentiality, integrity or availability of information. Typically signed off at senior management (or preferably board) level, a Business Impact Reference Table provides a standard against which business impact judgements can be made throughout an organisation. Its widespread use is key to undertaking business impact assessments in a consistent manner across an organisation, and is necessary to enable valid comparisons and relative judgements about business impact in different systems to be made.
Figure 5 below shows a sample of a Business Impact Reference Table. It explains the key fields and shows the different levels of impact (from Very high to Very low) for each business impact type.
Figure 5: Sample of a Business Impact Reference Table

The figure's callouts identify the four elements of the table: the property of information being assessed (Confidentiality, Integrity or Availability); the main types of business impact that could occur as a result of an incident; the appropriate measure for each type of business impact; and the level of impact that could occur.

Financial business impact types shown in the sample:
  F1  Loss of sales, orders or contracts (eg sales opportunities missed)
  F2  Loss of tangible assets (eg fraud, theft of money, lost interest)
  F3  Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations)
  F4  Unforeseen costs (eg recovery costs)
  F5  Depressed share price (eg sudden loss of share value)

Level of impact values legible in the sample:
  Financial impact:        A Very high $20m+;  D Low $10K to $100K;  E Very low Less than $10K
  Share value (F5):        A Very high 25%+;   D Low 1% to 5%;       E Very low Less than 1%

In some organisations, particularly those that are highly diversified, it may be necessary to create different Business Impact Reference Tables for use in different divisions or operating units. Where this is warranted, care should be taken to ensure use of each Business Impact Reference Table is restricted to the appropriate division or operating unit.
For information risk analysts and those familiar with carrying out information risk analysis, creating a Business Impact Reference Table is a relatively straightforward undertaking. Using the example Business Impact Reference Table that accompanies this report as a starting point (see Appendix A: Tools, information sheets and forms to use in a business impact assessment), it is possible to develop one relatively quickly by carrying out the following three activities:

1. Determine the business impact types to be used
2. Determine business impact measures and values
3. Gain senior management (board level) sign-off.

It is recommended that the first two activities are undertaken in a workshop setting with the participation of business managers.
The business impact types that are used in a Business Impact Reference Table should be representative of what could happen in the event of the compromise of the confidentiality, integrity or availability of information. It is therefore important that they are selected with care, reviewed and subject to peer inspection to ensure they are correct. Although there is a wide variety of possible business impacts that could occur, there is a core set that is common to most organisations. The ISF has identified 15 business impact types that are representative of what can happen in most organisations and it is recommended that these are used as the basis for determining the appropriate ones in a specific organisation. These business impact types are shown in Table 1 below.
Table 1: The 15 business impact types identified by the ISF

Financial
  F1  Loss of sales, orders or contracts: sales opportunities missed, orders not taken or contracts that cannot be signed.
  F2  Loss of tangible assets: fraud, theft of money and lost interest.
  F3  Penalties/legal liabilities: breach of legal, regulatory or contractual obligations.
  F4  Unforeseen costs: recovery costs, uninsured losses, increased insurance.
  F5  Depressed share price: sudden loss of share value, prolonged loss of share value, random share value fluctuation.

Operational
  O1  (type name not legible): impaired decision-making, inability to monitor financial positions, process management failure.
  O2  Loss of competitiveness: repetitive production line failures, degraded customer service, introduction of new pricing policies.
  O3  New ventures held up: delayed new products, delayed entry into new markets, delayed mergers/acquisitions.
  O4  Breach of operating standards: contravention of regulatory standards, quality or safety standards.

Customer-related
  C1  Delayed deliveries to customers or clients: failure to meet product delivery deadlines, failure to complete contracts on time.
  C2  Loss of customers or clients: customer/client defection to competitors, withdrawal of preferred supplier status by customer/client.
  C3  (type name not legible): adverse criticism by investors, regulators, customers or suppliers.
  C4  (type name not legible): confidential financial information published in media, compromising internal memos broadcast by media.

Employee-related
  E1  Reduction in staff morale/productivity (measure: extent of loss of morale): reduced efficiency, lost time, job losses.
  E2  Injury or death (measure: number of incidents (n)): harm to staff, customers or suppliers associated with the organisation.
To identify the specific business impact types that are appropriate for the organisation, the business impact types identified in Table 1 above should be reviewed and any that are inappropriate should be amended or removed. In addition organisation-specific business impact types that may be required should be added at this stage (eg lost production, return on investment, R&D project failure).
The measures and values that are used for each business impact type should also be appropriate for the organisation and meaningful to those taking part in a business impact assessment (see Figure 6 below). The measures should accurately reflect the business impact types and the values should reflect the gradation in the Level of impact ratings (ie Very high to Very low). These two elements combined should enable participants to easily determine the severity of impact that could occur.
Figure 6: Examples of business impact measures and values in a sample Business Impact Reference Table (the same sample financial rows F1 to F5 and level values shown in Figure 5)

Members may wish to change business impact measures and values, where appropriate, to those that accurately represent their own organisation (eg a global financial institution is likely to require much larger Level of impact values than a medium sized manufacturing organisation).
It is recommended that the business impact types along with the measures and values identified in the example Business Impact Reference Table that accompanies this report should be used as the basis for developing organisation-specific measures and values. An example Business Impact Reference Table can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.
Once the organisation-specific Business Impact Reference Table has been fully populated it is important that it is underwritten at senior management or, preferably, at board level. Its use throughout the organisation can then be promoted effectively and it should be distributed for use by all staff who undertake business impact assessments and information risk analysis. Senior management sign-off will help considerably in ensuring a single, consistent, approach to determining business impact is adopted. The signed-off (definitive) Business Impact Reference Table should be placed under change control and any proposed amendments should be subject to a formal review process. When the Business Impact Reference Table is updated it should be distributed immediately to all relevant staff.
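As an added example (not code from the ISF report or its accompanying toolkit), the sample Business Impact Reference Table encoded as data, checked before sign-off, and applied to an assessor's estimates for one system. The A, D and E bands are the report's sample values; the B and C bounds, the incident-count scale and the assessor's estimates are constructed for illustration.

```python
# Added example, not the ISF report's own tooling: a Business Impact Reference
# Table (BIRT) as data, validated before sign-off, then applied to one system.
from bisect import bisect_right

LEVELS = ("A", "B", "C", "D", "E")  # worst first: A Very high ... E Very low

# A subset of the report's Table 1 impact types, each tied to the measure used to rate it.
IMPACT_TYPES = {
    "F1": ("Loss of sales, orders or contracts", "financial"),
    "F2": ("Loss of tangible assets", "financial"),
    "F3": ("Penalties/legal liabilities", "financial"),
    "F4": ("Unforeseen costs", "financial"),
    "F5": ("Depressed share price", "share_value_pct"),
    "E2": ("Injury or death", "incidents"),
}

# Lower bounds of levels D, C, B, A in ascending order; anything below the first bound is E.
# Report's sample: financial E <$10K, D $10K to $100K, A $20m+; share value E <1%, D 1-5%, A 25%+.
# The C and B bounds and the whole 'incidents' scale are constructed for illustration.
SAMPLE_BIRT = {
    "financial": [10_000, 100_000, 1_000_000, 20_000_000],
    "share_value_pct": [1.0, 5.0, 10.0, 25.0],
    "incidents": [1, 2, 5, 10],
}


def validate_birt(birt):
    """Checks to run before the table is signed off: one bound per level boundary,
    strictly ascending, and a scale for every measure an impact type refers to."""
    for measure, bounds in birt.items():
        if len(bounds) != len(LEVELS) - 1:
            raise ValueError(f"{measure}: expected {len(LEVELS) - 1} bounds, got {len(bounds)}")
        if any(lo >= hi for lo, hi in zip(bounds, bounds[1:])):
            raise ValueError(f"{measure}: bounds must be strictly ascending")
    missing = {measure for _, measure in IMPACT_TYPES.values()} - birt.keys()
    if missing:
        raise ValueError(f"no scale defined for measures: {sorted(missing)}")
    return True


def rate(birt, ref, value):
    """Map an estimated impact value for impact type `ref` to a level letter."""
    bounds = birt[IMPACT_TYPES[ref][1]]
    # bisect_right counts how many lower bounds the value reaches: 0 -> E, 4 -> A
    return LEVELS[len(bounds) - bisect_right(bounds, value)]


def assess(birt, estimates):
    """estimates: {property: {ref: value}} for Confidentiality, Integrity, Availability.
    Returns, per property, the worst level and the impact type driving it, plus overall."""
    result = {}
    for prop, by_type in estimates.items():
        rated = [(rate(birt, ref, value), ref) for ref, value in by_type.items()]
        result[prop] = min(rated, default=("E", None))  # "A" sorts first, i.e. worst
    result["overall"] = min(result.values(), default=("E", None))
    return result
```

The per-property result is what feeds the later steps of the information risk analysis; the overall rating is the worst level across confidentiality, integrity and availability.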
Before any business impact assessment is undertaken within an organisation the systems to which it should be applied should first be identified. This enables the scale of work to be determined and the relative priority of systems that should undergo business impact assessment to be identified. Regardless of their type or nature all systems under development should be subjected to business impact assessment. This should be an inherent part of the systems development life-cycle and therefore triggered when a new systems development project is initiated. In live environments, organisations will typically face a backlog of systems that need to undergo information risk analysis (and therefore business impact assessment). Determining the order in which these systems should undergo business impact assessment is problematic and some form of ranking will typically be required to establish the priority of systems.
Organisations should first determine the inventory of all main systems in the organisation. Once this undertaking has been completed there are a variety of different methods that can be used to identify those systems which appear to be of greater importance than others, such as the:

- importance of the system to senior management (eg a system may be very important to the success of the organisation and subject to a high degree of senior management scrutiny)
- experience of incidents (eg a high number of recent incidents may make a system worthy of specific attention)
- advice from internal audit (eg to undertake information risk analysis on specific systems)
- recommendations from business and IT experts (eg using experts within the organisation to help identify those systems which are key to its operation).
While all of the above factors have their merits, it is recommended that a more objective approach is taken, based upon the criticality assessment in the Information Risk Scorecard from the ISF's FIRM methodology (see Figure 7 below, taken from the ISF's report Fundamental Information Risk Management (FIRM): Implementation Guide). This quick, easy-to-use approach enables a high-level view of the confidentiality, integrity and availability requirements of the system to be determined and allows easy comparisons of relative importance to be made.
Figure 7: Criticality assessment from the Information Risk Scorecard (FIRM). The scorecard records a Monitoring period and a Reference, then asks:

1. What is the maximum level of harm that the business could suffer if key information held in, processed or transmitted by the information resource were to be accidentally or deliberately: