Handbook of Information Security Management:Risk Management and Business Continuity Planning



BUSINESS IMPACT ANALYSIS VS. RISK ASSESSMENT

There is still confusion as to the difference between a Business Impact Analysis (BIA) and risk assessment. It is not unusual to hear the terms used interchangeably. But that is not correct. A BIA, at the minimum, is the equivalent of one task of a risk assessment — Asset Valuation, a determination of the value of the target body of information and its supporting information technology resources to the organization. At the most, the BIA will develop the equivalent of a Single Loss Exposure, with supporting details, of course, usually based on a worst-case scenario. The results are most often used to convince management that they should fund development and maintenance of a contingency plan. Information security is much more than contingency planning. A BIA often requires 75 to 100% or more of the work effort (and associated cost) of a risk assessment, while providing only a small fraction of the useful information provided by the same effort spent on a risk assessment. A BIA includes little if any vulnerability assessment, and no sound basis for cost/benefit analysis.
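To make the distinction concrete, the following is an added worked example, not text or code from the handbook. It sets the most a BIA delivers (an asset valuation and a worst-case Single Loss Exposure) beside what a risk assessment adds (a threat frequency from the vulnerability analysis and a cost/benefit figure for a safeguard). It assumes the standard quantitative formulas SLE = asset value x exposure factor and ALE = SLE x annualized rate of occurrence, which this page names only indirectly; every money figure, exposure factor, frequency and safeguard name below is a constructed sample.

```python
"""Added illustration of BIA output versus risk-assessment output.

Not from the handbook. All figures are constructed samples; the SLE and ALE
formulas are the standard quantitative ones and are assumed here, since the
page names Single Loss Exposure and cost/benefit analysis without defining them.
"""
from dataclasses import dataclass


@dataclass
class InformationAsset:
    """Result of the asset-valuation task shared by BIA and risk assessment."""
    name: str
    value: float                # value of the asset to the organization (constructed)
    worst_case_exposure: float  # fraction of that value lost in the worst-case scenario


def bia_single_loss_exposure(asset: InformationAsset) -> float:
    """The most a BIA delivers: a worst-case Single Loss Exposure.

    No threat frequency or vulnerability information is attached to it, so it
    cannot say how often such a loss is expected, nor whether a safeguard pays.
    """
    return asset.value * asset.worst_case_exposure


@dataclass
class ThreatScenario:
    """A threat/vulnerability pairing produced by the vulnerability analysis."""
    asset: InformationAsset
    description: str
    exposure_factor: float  # fraction of asset value lost per occurrence
    aro: float              # annualized rate of occurrence (events per year)


def single_loss_exposure(scenario: ThreatScenario) -> float:
    # SLE = asset value x exposure factor (standard formula, assumed here)
    return scenario.asset.value * scenario.exposure_factor


def annualized_loss_expectancy(scenario: ThreatScenario) -> float:
    # ALE = SLE x ARO (standard formula, assumed here)
    return single_loss_exposure(scenario) * scenario.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction by which the safeguard lowers the ARO (0..1)


def residual_ale(scenario: ThreatScenario, safeguard: Safeguard) -> float:
    """Expected annual loss that remains once the safeguard is in place."""
    return annualized_loss_expectancy(scenario) * (1.0 - safeguard.aro_reduction)


def net_annual_benefit(scenario: ThreatScenario, safeguard: Safeguard) -> float:
    """Cost/benefit figure a risk assessment can supply and a BIA cannot:
    loss avoided per year minus what the safeguard costs per year."""
    avoided = annualized_loss_expectancy(scenario) - residual_ale(scenario, safeguard)
    return avoided - safeguard.annual_cost


# Constructed sample figures, loosely modelled on the site-consolidation case in the text.
PRIMARY_SITE_DATA = InformationAsset("operational data at primary IT facility", 2_000_000.0, 1.0)
FACILITY_OUTAGE = ThreatScenario(PRIMARY_SITE_DATA, "multi-day loss of the primary facility",
                                 exposure_factor=0.25, aro=0.2)
CONSOLIDATE = Safeguard("consolidate to the better-secured facility",
                        annual_cost=60_000.0, aro_reduction=0.75)
GOLD_PLATED = Safeguard("full hot site with continuous replication",
                        annual_cost=120_000.0, aro_reduction=0.9)


def compare() -> dict:
    """Collect the figures so the two kinds of output can be set side by side."""
    return {
        "bia_worst_case_sle": bia_single_loss_exposure(PRIMARY_SITE_DATA),
        "ra_sle": single_loss_exposure(FACILITY_OUTAGE),
        "ra_ale": annualized_loss_expectancy(FACILITY_OUTAGE),
        "consolidate_net_benefit": net_annual_benefit(FACILITY_OUTAGE, CONSOLIDATE),
        "gold_plated_net_benefit": net_annual_benefit(FACILITY_OUTAGE, GOLD_PLATED),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key:>26}: {val:>12,.0f}")
```

With these sample numbers the BIA's worst-case figure of 2,000,000 would appear to justify either safeguard, whereas the risk assessment's expected annual loss of 100,000 shows that the consolidation pays for itself (net benefit 15,000 per year) and the more expensive option does not (net loss of 30,000 per year). That is the cost/benefit basis the text says a BIA lacks.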

TARGET AUDIENCE CONCERNS

Risk assessment continues to be viewed with skepticism by many in the ranks of management. Yet those for whom a well-executed risk assessment has been done have found the results to be among the most useful analyses ever executed for them.

To cite a few examples: in one case, at an organization with multiple large IT facilities (one of which was particularly vulnerable), a well-executed risk assessment promptly secured the attention of the Executive Committee, which had successfully resisted all previous initiatives to address the issue. Why? Because IT management had previously been unable to supply justifying numbers to support its case. With the risk assessment in hand, IT management got the green light to consolidate IT activities from the highly vulnerable site to another facility with much better security. This was accomplished despite strong union and staff resistance. The move was executed by this highly regulated and bureaucratic organization within three months of the quantitative risk assessment’s completion! The quantitative risk assessment provided what was needed: credible facts and numbers of their own.

In another case, a financial services organization found, as a result of a quantitative risk assessment, that they were carrying four to five times the amount of insurance warranted by their level of exposure. They reduced coverage by half — still retaining a significant cushion — and have since saved hundreds of thousands of dollars in premiums.

In yet another case, management of a relatively young but rapidly growing organization had maintained a rather “entrepreneurial” attitude toward IT in general — until presented with the results of a risk assessment that gave them a realistic sense of the risks inherent to that posture. Substantial policy changes were made on the spot, and information security began receiving real consideration, not just lip service. Some specific areas of concern are addressed below.

Diversion of Resources

A major concern is often that organizational staff will have to spend time providing information for the risk assessment. Regardless of the nature of the assessment, there are two key areas of information gathering that will require staff time and participation beyond that of the person(s) responsible for executing the risk assessment: (1) valuing the intangible information asset’s confidentiality, integrity, and availability, and (2) conducting the vulnerability analysis. In most cases these tasks will require input from two entirely different sets of people.

Valuing the Intangible Information Asset

There are a number of approaches to this task, and the amount of time it takes to execute will depend on the approach as well as whether it is qualitative or quantitative. As a general rule of thumb, however, one could expect all but the most cursory qualitative approach to require one to four hours of continuous time from two to five key-knowledgeable staff for each intangible information asset valued.

Experience has shown that the Modified Delphi approach is the most efficient, useful, and credible. For detailed guidance, refer to the Guideline for Information Valuation (GIV) published by the Information System Security Association (ISSA). This approach will require (typically) the participation of three to five staff knowledgeable on various aspects of the target information asset. A Modified Delphi meeting routinely lasts 4 hours, so, for each target information asset, key staff time of 12 to 16 hours will be expended in addition to about 12 to 20 hours total for a meeting facilitator (4 hours) and a scribe (8 to 16 hours).

Providing this information has proven to be a valuable exercise for the source participants and the organization by giving them significant insight into the real value of the target body of information and the consequences of losing confidentiality, availability, or integrity. Still, this information alone should not be used to support risk mitigation cost/benefit analysis.

While this “Diversion of Resources” may be viewed initially by management with some trepidation, the results have invariably been judged more than adequately valuable to justify the effort.

Conducting the Vulnerability Analysis

This task, which consists of identifying vulnerabilities, can and should take no more than 5 work days (about 40 hours) of one-on-one meetings with the staff responsible for managing or administering the controls and associated policy, e.g., logical access controls, contingency planning, change control, etc. The individual meetings (actually guided interviews, ideally held in the interviewee’s workspace) should take no more than a couple of hours; often they take as little as 5 minutes. Collectively, however, the interviewees’ total diversion could add up to as much as 40 hours, and the interviewer will, of course, spend matching time, hour for hour. This one-on-one approach minimizes disruption while maximizing the integrity of the vulnerability analysis by assuring a consistent level-setting with each interviewee.





