Identify Critical Assets

Remember that the BIA is conducted, and the Critical State Asset List is created, for every IT system within the organization, no matter how trivial or unimportant the system appears. This ensures that every system has been accounted for. Once the list is assembled and users and user representatives have provided their input, the critical asset list can be created. The critical asset list names the IT assets the organization deems business-essential. The DRP/BCP must assign these systems the best available recovery capabilities.

Conduct BCP/DRP-Focused Risk Assessment

The BCP/DRP-focused risk assessment determines which risks are inherent to which IT assets. A vulnerability analysis is also conducted for each IT system and major application. This step is needed because most traditional BCP/DRP evaluations focus on physical threats, both natural and human. Internet-connected IT systems also face cyber threats that those evaluations miss, so their probability of disruption is much greater and must be assessed and mitigated as well.

Table 8.4 shows a basic risk assessment for a company's email system. In this example the company runs Microsoft Exchange and has approximately 100 users. Notice that each mitigation tactic changes the overall risk by accepting, reducing, eliminating, or transferring it. Risk assessment and mitigation are covered in depth in Chapter 2, Domain 1: Security and Risk Management.

Table 8.4 Risk Assessment for Company X's Email System.

| Risk Assessment Finding | Vulnerability | BIA | Mitigation |
| Server located in unlocked room | Physical access by unauthorized persons | Potential loss of Confidentiality, Integrity, and Availability (CIA) for the email system through a physical attack on the server | Install hardware locks with PIN and an alarm system (risk is reduced to an acceptable level) |
| Software is two versions out of date | This version is insecure and has reached end of life with the vendor | Loss of CIA for the email system through cyber attack | Update system software (risk from the known vulnerabilities of the outdated version is eliminated; ongoing patching is required to keep it that way) |
| No firewall solution implemented / no DMZ | Exposure to the Internet without a firewall greatly increases the cyber threat | Loss of CIA for the email system through cyber attack | Move the email server to a managed hosting site (risk is transferred to the hosting organization) |

Determine Maximum Tolerable Downtime

The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD), the total time a system can be inoperable before the organization is severely impacted. Stated another way, MTD is the maximum time available to execute the reconstitution phase. Reconstitution is the process of moving an organization from disaster recovery back to normal business operations.

Maximum Tolerable Downtime is the sum of two metrics: the Recovery Time Objective (RTO) and the Work Recovery Time (WRT), both described below.