Business Impact Assessment
Information Risk Analysis Methodologies (IRAM) project
June 2004
WARNING
This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on
[email protected] or on +44 (0)20 7213 1745. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Table of contents (page numbers refer to the printed report)

Part 1  Introduction
        This report  1
        Purpose of this report  1
        Who should read this report?  1
        Basis for this report  1

Part 2  Understanding business impact assessment
        What is a business impact assessment?  2
        Why undertake a business impact assessment?  3
        When to carry out a business impact assessment?  4

Part 3  Establishing a business impact assessment programme
        Introduction  6
        Developing a Business Impact Reference Table  6
        Identifying systems to be assessed  11

Part 4  The ISF approach to business impact assessment
        Introduction  13
        Key characteristics of the ISF’s approach to business impact assessment  13
        The business impact assessment process  14
        Tools and forms to help conduct a business impact assessment  17

Part 5  Performing a business impact assessment
        Introduction  18
        Preparing for a business impact assessment  20
        A – Determining the system profile  20
        B – Planning the assessment  21
        Conducting a business impact assessment  22
        A – Introducing the assessment  22
        B – Assessing business impact  26
        C – Determining overall results  34
        D – Reviewing results  37

Appendix A  Tools, information sheets and forms to use in a business impact assessment  40

Appendix B  Further sources of information  42
Part 1: Introduction

This report

This report provides practical guidance on how to conduct effective, business-driven, business impact assessments. It explains what a business impact assessment (BIA) is, outlines the sound business reasons why organisations should undertake them and highlights the key features of the business-driven approach that has been developed by the ISF. The report fully describes the steps and activities that need to be carried out in a business impact assessment (see Figure 1) and the tools and forms that should be used to support this undertaking. Significantly the report also provides clear guidance on how to review the results of a business impact assessment and determine the next steps that should be taken to help ensure information risk is managed effectively.

Figure 1: Key steps and activities in the business impact assessment process
Purpose of this report

The purpose of this report is to help information risk analysts and information security practitioners carry out effective business impact assessments. In particular it will help them understand the:
• sound business reasons for carrying out business impact assessments
• forms and tools that should be used
• steps and activities that need to be undertaken to prepare for and conduct business impact assessments.

Who should read this report?

This report should be read by:
• information risk analysts and information security practitioners responsible for conducting business impact assessments
• information security managers planning programmes of work in information risk analysis
• auditors and risk specialists wishing to gain a better understanding of the business impact assessment of systems.

NOTE: This report has evolved from the ISF’s previous risk analysis methodologies SARA and SPRINT and has been designed to replace SARA – Phase 2 (Identify business requirements for security) and SPRINT Phase 1 (Assess business risks).

Basis for this report

This report is based on information gathered from:
• workgroups held with ISF Members to examine the issues and requirements of business impact assessment
• analysing information risk analysis and business impact assessment methodologies (including those developed by the ISF – SARA and SPRINT)
• third party experts on information risk analysis.
Part 2: Understanding business impact assessment
What is a business impact assessment?
A business impact assessment is a method of determining the possible business impact that an organisation could experience as a result of an incident that compromises information in a system.
NOTE: The business impact assessment method described in this report has been designed to analyse information risk in systems (eg business applications such as e-commerce systems, sales order processing systems, and production control systems). It has not been designed to be used to analyse information risk in other environments (such as networks and data centres) although much of the overall approach may still be applicable. Care should be taken when it is used in other environments and customisation may be necessary.
Business impact assessment helps determine the business security requirements for a system and the appropriate next steps that need to be taken to protect information adequately. A business impact assessment is the first step in an overall process (the information risk analysis process) that enables effective security measures to be identified to help minimise the frequency and impact of damaging incidents (see Figure 2 below).
Figure 2: The information risk analysis process
Business impact assessment is a business-driven undertaking that helps ensure the business need of the organisation for protecting information is clearly identified. In doing so it helps determine both the scope and the focus of all subsequent steps in the information risk analysis process.

Why undertake a business impact assessment?
Most organisations have to deal with a constant barrage of threats to information. These threats vary considerably from malfunctions of hardware and software to internal misuse of systems and external attack (eg from hacking and viruses). Where threats to information are not effectively countered by measures such as preventative controls, incidents can and do occur. The ISF’s 2003 Information Security Status Survey (the ISF Survey) shows that on average applications, in those organisations who participated, experienced 160 incidents per annum, or three incidents per working week. The business impact of these incidents upon organisations is considerable. Figure 3 below, which is based on data from the ISF Survey, shows the types of business impact that applications suffering incidents typically experience (see the ISF’s report entitled Critical Business Applications: Improving Security).
Figure 3: The business impact of incidents
Business impacts such as unforeseen costs, delayed deliveries to customers and reduction in staff morale/productivity directly affect the ability of an organisation to operate effectively and can have a significant cost implication (the average cost of ‘most serious’ incidents recorded in the ISF Survey for critical business applications was $1.9 million). Details of the top three most serious incidents recorded for applications in the ISF Survey can be seen in Figure 4 below.
Figure 4: Top three costliest ‘most serious’ incidents experienced by surveyed applications
The high percentage of organisations that experience serious business impacts and the high cost of incidents indicate that many organisations are not protecting their key business information adequately. Business impact assessment, as part of an effective information risk analysis process, helps organisations identify effective security measures to address this major business problem.

When to carry out a business impact assessment?
Business impact assessment should ideally be carried out during the development of new systems (eg at the initiation and design stages) as building in security at this stage is likely to be far more cost effective than adding it on later when a system is fully operational.
By undertaking a business impact assessment at the commencement of a new systems development project it is possible to ensure the business security requirements are clearly identified right from the outset. The outcome from a business impact assessment undertaken at this early stage should directly affect the degree of rigour and attention to detail that is applied during the development of the system (and the level of sign off that is required). For systems that are already live, priority should be given to those that appear more important to the organisation. Guidelines for identifying and prioritising live systems for business impact assessment can be found in Part 3: Establishing a business impact assessment programme.
Part 3: Establishing a business impact assessment programme
Introduction
Prior to conducting a business impact assessment there are a number of important programme-related elements of work that should be undertaken. These activities are generic and can be conducted at any time leading up to a business impact assessment. They are necessary to ensure business impact assessments are run in an effective and professional manner and that reliable and trustworthy results are produced. The key elements of work to be undertaken prior to performing a business impact assessment are:
1. Developing a Business Impact Reference Table
2. Identifying systems to be assessed.
This part of the report describes these elements of work and explains how they should be carried out.
NOTE: Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the information sheets, forms and other supporting documents that are referred to in this part of the report.

Developing a Business Impact Reference Table
The ISF approach to business impact assessment is based on organisations using their own pre-defined, organisation-specific, Business Impact Reference Table. This section of the report explains how an organisation can develop its own Business Impact Reference Table. A Business Impact Reference Table is a powerful yet relatively simple tool that enables business impact to be determined in an accurate and consistent manner throughout an organisation. Using business language and a straightforward approach that is easy-to-understand, it enables non-specialists to make well-informed judgements about the level of business impact that could occur in the event of an incident that compromises the confidentiality, integrity or availability of information. Typically signed-off at senior management (or preferably board) level, a Business Impact Reference Table provides a standard against which business impact judgements can be made throughout an organisation. Its widespread use is key to undertaking business impact assessments in a consistent manner across an organisation, and is necessary to enable valid comparisons and relative judgements about business impact in different systems to be made.
Figure 5 below shows a sample of a Business Impact Reference Table. It explains the key fields and shows the different levels of impact (from Very high to Very low) for each business impact type. The key fields are:
• Property of information: the property of information being assessed (Confidentiality, Integrity or Availability)
• Category: the category of business impact (eg Financial, Operational, Customer-related, Employee-related)
• Ref. and Business impact type: the main types of business impact that could occur as a result of an incident
• Appropriate measure: the appropriate measure for each type of business impact
• Level of impact (A Very high, B High, C Medium, D Low, E Very low): the level of impact that could occur.

| Category | Ref. | Business impact type | Appropriate measure | A Very high | B High | C Medium | D Low | E Very low |
|---|---|---|---|---|---|---|---|---|
| Financial | F1 | Loss of sales, orders or contracts (eg sales opportunities missed) | Financial impact | 20%+ | 11% to 20% | 6% to 10% | 1% to 5% | Less than 1% |
| Financial | F2 | Loss of tangible assets (eg fraud, theft of money, lost interest) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K |
| Financial | F3 | Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K |
| Financial | F4 | Unforeseen costs (eg recovery costs) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K |
| Financial | F5 | Depressed share price (eg sudden loss of share value) | Loss of share value | 25%+ | 11% to 25% | 6% to 10% | 1% to 5% | Less than 1% |

Figure 5: Sample of a Business Impact Reference Table
NOTE: In some organisations, particularly those that are highly diversified, it may be necessary to create different Business Impact Reference Tables for use in different divisions or operating units. Where this is warranted, care should be taken to ensure use of each Business Impact Reference Table is restricted to the appropriate division or operating unit.
For information risk analysts and those familiar with carrying out information risk analysis, creating a Business Impact Reference Table is a relatively straightforward undertaking. Using the example Business Impact Reference Table that accompanies this report as a starting point (see Appendix A: Tools, information sheets and forms to use in a business impact assessment) it is possible to develop one relatively quickly by carrying out the following three activities:
1. Determine the business impact types to be used
2. Determine business impact measures and values
3. Gain senior management (board level) sign off.
NOTE: It is recommended that the first two activities are undertaken in a workshop setting and should include the participation of business managers.

1. Determine the business impact types to be used

The business impact types that are used in a Business Impact Reference Table should be representative of what could happen in the event of the compromise of the confidentiality, integrity or availability of information. It is therefore important that these are selected with care and should be reviewed and subject to peer inspection to ensure they are correct. Although there is a wide variety of possible business impacts that could occur there are a core set that are common to most organisations. The ISF has identified 15 business impact types that are representative of what can happen in most organisations and it is recommended that these are used as the basis for determining the appropriate ones in a specific organisation. These business impact types are shown in Table 1 below.
Table 1: ISF business impact types

| Category | Ref. | Business impact type | Examples | Appropriate measure |
|---|---|---|---|---|
| Financial | F1 | Loss of sales, orders or contracts | Sales opportunities missed, orders not taken or contracts that cannot be signed. | Financial impact (%) |
| Financial | F2 | Loss of tangible assets | Fraud, theft of money and lost interest. | Financial impact ($) |
| Financial | F3 | Penalties/legal liabilities | Breach of legal, regulatory or contractual obligations. | Financial impact ($) |
| Financial | F4 | Unforeseen costs | Recovery costs, uninsured losses, increased insurance. | Financial impact ($) |
| Financial | F5 | Depressed share price | Sudden loss of share value, prolonged loss of share value, random share value fluctuation. | Loss of share value (%) |
| Operational | O1 | Loss of management control | Impaired decision-making, inability to monitor financial positions, process management failure. | Extent of loss of control |
| Operational | O2 | Loss of competitiveness | Repetitive production line failures, degraded customer service, introduction of new pricing policies. | Targets underachieved (%) |
| Operational | O3 | New ventures held up | Delayed new products, delayed entry into new markets, delayed mergers/acquisitions. | Extent of delay (time) |
| Operational | O4 | Breach of operating standards | Contravention of regulatory standards, quality or safety standards. | Extent of sanctions imposed |
| Customer-related | C1 | Delayed deliveries to customers or clients | Failure to meet product delivery deadlines, failure to complete contracts on time. | Extent of delay (time) |
| Customer-related | C2 | Loss of customers or clients | Customer/client defection to competitors, withdrawal of preferred supplier status by customer/client. | Percentage of customers lost (%) |
| Customer-related | C3 | Loss of confidence by key institutions | Adverse criticism by investors, regulators, customers or suppliers. | Extent of loss of confidence |
| Customer-related | C4 | Damage to reputation | Confidential financial information published in media, compromising internal memos broadcast by media. | Extent of negative publicity |
| Employee-related | E1 | Reduction in staff morale/productivity | Reduced efficiency, lost time, job losses. | Extent of loss of morale |
| Employee-related | E2 | Injury or death | Harm to staff, customers or suppliers associated with the organisation. | Number of incidents (n) |
To identify the specific business impact types that are appropriate for the organisation, the business impact types identified in Table 1 above should be reviewed and any that are inappropriate should be amended or removed. In addition organisation-specific business impact types that may be required should be added at this stage (eg lost production, return on investment, R&D project failure).
2. Determine business impact measures and values

The measures and values that are used for each business impact type should also be appropriate for the organisation and meaningful to those taking part in a business impact assessment (see Figure 6 below). The measures should accurately reflect the business impact types and the values should reflect the gradation in the Level of impact ratings (ie Very high to Very low). These two elements combined should enable participants to easily determine the severity of impact that could occur.

Figure 6: Examples of business impact measures and values in a sample Business Impact Reference Table (the sample rows are those shown in Figure 5: the Appropriate measure column gives examples of business impact measures, and the Level of impact columns, from A Very high to E Very low, give examples of business impact values)
NOTE: Members may wish to change business impact measures and values, where appropriate, to those that accurately represent their own organisation (eg a global financial institution is likely to require much larger Level of impact values than a medium sized manufacturing organisation).
It is recommended that the business impact types along with the measures and values identified in the example Business Impact Reference Table that accompanies this report should be used as the basis for developing organisation-specific measures and values.
NOTE: An example Business Impact Reference Table can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.
3. Gain senior management (board level) sign off
Once the organisation-specific Business Impact Reference Table has been fully populated it is important that it is underwritten at senior management or, preferably, at board level. Its use throughout the organisation can then be promoted effectively and it should be distributed for use by all staff who undertake business impact assessments and information risk analysis. Senior management sign-off will help considerably in ensuring a single, consistent, approach to determining business impact is adopted. The signed-off (definitive) Business Impact Reference Table should be placed under change control and any proposed amendments should be subject to a formal review process. When the Business Impact Reference Table is updated it should be distributed immediately to all relevant staff.
Identifying systems to be assessed
Before any business impact assessment is undertaken within an organisation the systems to which it should be applied should first be identified. This enables the scale of work to be determined and the relative priority of systems that should undergo business impact assessment to be identified. Regardless of their type or nature all systems under development should be subjected to business impact assessment. This should be an inherent part of the systems development life-cycle and therefore triggered when a new systems development project is initiated. In live environments, organisations will typically face a backlog of systems that need to undergo information risk analysis (and therefore business impact assessment). Determining the order in which these systems should undergo business impact assessment is problematic and some form of ranking will typically be required to establish the priority of systems.
Organisations should first determine the inventory of all main systems in the organisation. Once this undertaking has been completed there are a variety of different methods that can be used to identify those systems which appear to be of greater importance than others, such as the:
• importance of the system to senior management (eg a system may be very important to the success of the organisation and subject to a high degree of senior management scrutiny)
• experience of incidents (eg a high number of recent incidents may make a system worthy of specific attention)
• advice from internal audit (eg to undertake information risk analysis on specific systems)
• recommendations from business and IT experts (eg using experts within the organisation to help identify those systems which are key to its operation).
While all of the above factors have their merits it is recommended that a more objective approach is taken based upon the use of the criticality assessment in the Information Risk Scorecard from the ISF’s FIRM methodology (see Figure 7 below, taken from the ISF’s report Fundamental Information Risk Management (FIRM): Implementation Guide). This quick, easy-to-use, approach provides a high-level view of the confidentiality, integrity and availability requirements of the system to be determined and enables easy comparisons of relative importance to be made.
Information Risk Scorecard: 1 Criticality
Monitoring period: ........   Reference: ........

1. What is the maximum level of harm that the business could suffer if key information held in, processed or transmitted by the information resource were to be accidentally or deliberately:
• Disclosed to the wrong people? [ ]  (Loss of confidentiality)
• Falsified or otherwise corrupted? [ ]  (Loss of integrity)
• Rendered unavailable for:  (Loss of availability for defined periods of time)
  - Less than an hour? [ ]
  - Half a day or so? [ ]
  - A day? [ ]
  - 2-3 days? [ ]
  - A week? [ ]
  - A month? [ ]

Please enter one of the following in each box to indicate the maximum possible level of harm:
A Extremely serious harm, B Very serious harm, C Serious harm, D Minor harm, E No significant harm

Figure 7: Criticality assessment (from the FIRM’s Information Risk Scorecard)
The FIRM criticality assessment can be carried out relatively quickly and different systems can easily be compared using the calculation guidelines in FIRM (see the ISF’s report Fundamental Information Risk Management (FIRM): Supporting Material ) or by simply comparing the values for Loss of confidentiality, Loss of integrity and Loss of availability.
Part 4: The ISF approach to business impact assessment

The ISF approach to conducting business impact assessment is a straightforward undertaking that uses a structured process and easy-to-use tools.
Introduction
This part of the report provides a brief overview of the main steps required to conduct a business impact assessment and the key tools that are used to support the process.
NOTE: Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the tools, forms, information sheets and other supporting documents that are referred to in this part of the report.

Key characteristics of the ISF’s approach to business impact assessment
The ISF’s approach to business impact assessment is based on practical experience and the needs of its Members. The key characteristics of this approach are shown in Figure 8 below.
| Characteristic | Examples |
|---|---|
| Easy-to-use | Clear and business-oriented approach. Process-based with step-by-step guidance for the information risk analyst. Straightforward tools and forms. |
| Non-technical | Uses business language. Based on participation by business managers. Key decisions in the assessment taken by business managers. |
| Flexible and scalable | Can be applied to any type of system (eg e-commerce applications, back office applications, manufacturing applications). Can be used on any size of system (eg single user, department-wide, enterprise-wide). Can be used on live systems and those under development. |
| Comprehensive and thorough | Covers everything required to perform a business impact assessment - from preparation through to analysis of results. Explains in detail all key steps that need to be undertaken. |

Figure 8: Key characteristics of the ISF’s approach to business impact assessment
The business impact assessment process
The main objectives of the ISF approach to business impact assessment are to determine the business security requirements for a system and identify the appropriate next steps that need to be taken to adequately protect information in that system. These objectives are achieved by assessing the possible business impact that could arise as a result of the compromise of the confidentiality, integrity and availability of information. The business impact assessment process is shown in Figure 9 below.
Figure 9: Key steps and activities in the business impact assessment process
The business impact assessment process has been developed to ensure possible business impact is assessed rigorously, business security requirements determined and the appropriate next steps identified clearly. The process is designed to be undertaken sequentially and should ideally (based on Member experience) be conducted in a workshop setting in order to maximise the input from business managers and to ensure transparency and objectivity in the process. A brief overview of the purpose, the duration, the tools, information sheets and forms that are used and the outputs that are produced in performing a business impact assessment is shown in Table 2 below.

Table 2: Overview of the business impact assessment process

Preparing for a business impact assessment

| Step | Purpose | Duration | Tools, information sheets and forms used | Main outputs |
|---|---|---|---|---|
| A – Determining the system profile | To gather key background information about the system to be assessed. | ~ 1 day | Blank System Profile form | Completed System Profile form |
| B – Planning the assessment | To plan and prepare the meeting for the business impact assessment. | ~120 mins | Example invitation letter; Information sheets | Agenda for the BIA; Completed invitation letter; Information sheets |

Conducting a business impact assessment

| Step | Purpose | Duration | Tools, information sheets and forms used | Main outputs |
|---|---|---|---|---|
| A – Introducing the assessment | To set the scene for the assessment and familiarise participants with the system to be assessed and the main tools that will be used. | ~30 mins | BIA Presentation; BIA Assistant; Completed System Profile form; Business Impact Reference Table; Information sheets | Not applicable |
Table 2: Overview of the business impact assessment process (continued)

Conducting a business impact assessment (continued)

| Step | Purpose | Duration | Tools, information sheets and forms used | Main outputs |
|---|---|---|---|---|
| B – Assessing business impact | To assess possible business impact for confidentiality, integrity and availability. | ~90 mins | BIA Presentation; BIA Assistant; Business Impact Reference Table; Blank Business Impact Rating forms | Completed Business Impact Rating form for confidentiality; Completed Business Impact Rating form for integrity; Completed Business Impact Rating form for availability |
| C – Determining overall results | To determine the business security requirements and overall security classification for the system. | ~15 mins | BIA Presentation; BIA Assistant; Blank Business Impact Assessment Summary form | Partially completed Business Impact Assessment Summary form |
| D – Reviewing results | To review the results of the assessment and determine the next steps that need to be taken. | ~15 mins | BIA Presentation; BIA Assistant; Partially completed Business Impact Assessment Summary form | Completed Business Impact Assessment Summary form |

NOTE: The timescales required to undertake each of the above steps are approximate and will vary according to the complexity of the system being assessed and the experience of the information risk analyst.
The main tools and forms that are used to conduct a business impact assessment that are identified in Table 2 are now described in more detail in the following section.
Tools and forms to help conduct a business impact assessment
The ISF approach to business impact assessment uses five main tools and forms to help information risk analysts conduct a business impact assessment. These are shown in Figure 10 below.
BIA Presentation
The BIA Presentation (see Appendix A: Tools, information sheets and forms to use in a business impact assessment ) is used by the information risk analyst to guide participants through the business impact assessment.
Business Impact Reference Table
A Business Impact Reference Table is used by participants to determine the level of business impact that could occur as a result of the loss of confidentiality, integrity and availability of information.
Business Impact Rating forms
Business Impact Rating forms are used by the information risk analyst to record the ratings for each business impact type from the participants’ use of the Business Impact Reference Table.
Business Impact Assessment Summary form
The Business Impact Assessment Summary form is used to record the overall results from the assessment, including the Key Business Impact Assessment Ratings and the Overall Security Classification.
BIA Assistant
The BIA Assistant (see Appendix A: Tools, information sheets and forms to use in a business impact assessment ) is a spreadsheet-based tool that captures business impact ratings from a Business Impact Reference Table and automatically transfers them to the Business Impact Rating form and then to the Business Impact Assessment Summary form.
Figure 10: Tools and forms used to conduct a business impact assessment
Each of the tools and forms shown in Figure 10 are described in detail in Part 5: Performing a business impact assessment .
Part 5: Performing a business impact assessment
Introduction
In order to conduct effective business impact assessments in different system environments it is important to employ a process that is structured and consistent. The ISF’s business impact assessment process has been developed with this in mind. It has been designed to meet the Member requirement for an approach that is not only flexible, easy-to-use and practical but also thorough and action oriented. As described earlier there are two main parts to performing a business impact assessment. These parts and their key steps are shown in Figure 11 below and then described in detail in the sections that follow.
Figure 11: Key steps in the business impact assessment process
NOTE
Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the tools, information sheets, forms and other supporting documents that are referred to in this part of the report.
The importance of workshops
Members of the ISF have confirmed that, ideally, business impact assessments should be conducted in a workshop setting with participants taking part who represent appropriate parts of the organisation. With good facilitation (a key requirement) workshops provide an environment in which business impact can be fully and objectively discussed. They enable business staff to exchange ideas and reach a common view on the importance of a system and, ultimately, its business security requirements. It is recognised, however, that due to the dispersed nature of many organisations convening a workshop may not always be possible. In these circumstances (or where a business impact assessment must be conducted in short timescales) either video-conferencing or telephone-conferencing technologies should be used or, alternatively, individual interviewing.
Preparing for a business impact assessment
Before a business impact assessment is conducted there are a number of preparatory steps that should be undertaken to ensure it is effective and successful. The main steps that should be carried out at this stage are:
• gather background information about the system to be assessed (recorded on a System Profile form)
• plan the business impact assessment (agree the date with the system owner and identify the participants).
These two steps are explained below.
Prior to undertaking a business impact assessment it is important to gather background information about the system to be assessed. This information provides a profile of the system and in particular gives an insight into its function, scale and relative importance before a business impact assessment is undertaken. In gathering background information the main characteristics of the system should be determined. Typical information that is likely to be required includes:
• key staff involved in the system (eg system owner)
• business function of the system (eg funds transfer)
• scale of activity (eg number of users)
• key trends (eg increases/decreases in operating costs)
• technical details (eg network type).
Gathering this information will typically necessitate interviewing a number of key staff, and in particular the system owner (or their appropriate representative).
NOTE
A blank System Profile form that can be used to gather information about a system can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.
TIP
Interviewing the system owner (or their representative) provides a good opportunity to reinforce the requirement for conducting a business impact assessment and the importance and need for effective information risk management.
By analysing the information on the System Profile form it is possible to form an initial view of the relative importance of the system to the organisation. In organisations where there are many systems that require a business impact assessment to be conducted, this information can be used to help prioritise the order in which assessments take place (see Identifying systems to be assessed in Part 3: Establishing a business impact assessment programme).
TIP
The information gathered about a system in a System Profile form should be retained for use in later phases of the information risk analysis process.
To ensure a business impact assessment runs smoothly and is effective it is important that it is planned in a thorough manner. The two most important actions that should be undertaken at this stage are to determine with the system owner the date when the business impact assessment should take place and to identify the key staff (eg representatives from key business functions and IT management) who should take part. For new systems the schedule of when a business impact assessment should be held is determined by the systems development life-cycle (eg a business impact assessment would ideally be undertaken during the project initiation stage). For live systems the date for undertaking a business impact assessment will largely depend on the system owner but may be influenced by factors such as the availability of key staff, the timing of important processes (eg end-of-month processing) and concerns about the adequacy of existing measures to manage information risk.
TIP
To ensure the judgements that are made about business impact and the business security requirements for a system are objective and representative, key staff from a variety of business functions should be identified to attend the business impact assessment.
Once the date for the business impact assessment has been agreed and the prospective participants determined, a formal agenda, invitation letter and information sheets about business impact assessment should be sent out.
NOTE
An example invitation letter and information sheets that can be used to inform staff about a business impact assessment can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.
Conducting a business impact assessment
In conducting a business impact assessment the following steps should be undertaken:
• prepare participants for the assessment (activities A1 to A3)
• assess possible business impact for a loss of confidentiality, integrity and availability (activities B1 to B3)
• determine the overall results of the assessment, including the business security requirements and security classification (activities C1 and C2)
• determine the next steps to be taken after the assessment (activities D1 and D2).
These four steps are explained below.
NOTE
A presentation (entitled BIA Presentation) has been developed to accompany this report. This presentation, which can be customised by the information risk analyst, is designed to lead participants through each stage of a business impact assessment. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this presentation can be found.
The main objective of this step is to ensure participants are adequately prepared to take part in the assessment. The key activities to be undertaken during this step of the process are:
A1 – Set the scene for the assessment
A2 – Provide overview of the system
A3 – Familiarise participants with the tools and forms.
This section of the report describes these activities and explains how they should be carried out.
Activity title: A1 – Set the scene for the assessment
Objective: To explain the purpose of the business impact assessment and provide the business context for undertaking business impact assessment.
At the commencement of the business impact assessment participants should be provided with a brief overview of the agenda, an explanation of the purpose of the business impact assessment and an insight into the business reasons for conducting the business impact assessment. The following items should be covered in the introduction:
• welcome and round table introductions
• agenda and timings
• purpose of the business impact assessment
• what is business impact assessment?
• why carry out a business impact assessment?
NOTE
Slides covering the above items are contained in the BIA Presentation.
Explaining the nature and use of information
In many cases staff attending a workshop or being interviewed as part of a business impact assessment will not have a technical background and will therefore have a limited understanding of the nature and use of information and how it can be compromised. Furthermore the concept of information having different properties – confidentiality, integrity and availability – will also be unfamiliar to most participants. To ensure those taking part in a business impact assessment are able to make a full and worthwhile contribution it is important that the information risk analyst provides a thorough explanation of information, covering the:
• definition of information (eg facts that convey meaning)
• main types of information that are used in the workplace (eg data, paper, speech, phone-calls)
• main ways in which information is acted on in a system (eg stored, processed or transferred)
• key properties of information (ie confidentiality, integrity, availability)
• threats to information and the controls that are required to ensure it is adequately protected.
TIP
To introduce and explain the concept of the different properties of information it is recommended to use the examples of compromises of confidentiality, integrity and availability that are contained in the information sheet Why we need to protect our information (located in the pocket at the end of the printed version of this report). Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.
In addition to the agenda and the attendance list it is recommended that all participants are provided with a pack of reference material. This pack should include the items identified in Table 3 below.
Table 3: Contents of a business impact assessment reference pack
Item name | Brief description
BIA Presentation | The slides from the presentation used by the information risk analyst to guide participants through the business impact assessment.
Business Impact Reference Table | The organisation’s approved Business Impact Reference Table.
Business Impact Rating forms (for confidentiality, integrity and availability) | Blank Business Impact Rating forms that can be used by participants to record their own ratings and comments.
Business Impact Assessment Summary form | Blank Business Impact Assessment Summary form that can be used by participants to record their own ratings and comments.
System Profile form | A brief profile of the key business and technical characteristics of the system.
Information sheets: Why we need to protect our information; Determining the business requirement for information security; Threats to information; The business impact of incidents | Information sheets sent to participants prior to a business impact assessment, and those provided to participants during a business impact assessment – included for reference purposes.
NOTE
Printed versions of the Business Impact Reference Table, Business Impact Rating forms, Business Impact Assessment Summary form, System Profile form and information sheets can be found in the pocket at the end of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.
The information risk analyst should explain the contents of the pack and how it should be used during the business impact assessment.
Activity title: A2 – Provide overview of the system
Objective: To brief business impact assessment participants on the key characteristics of the system.
After the introduction to the business impact assessment, participants should be briefed on the key characteristics of the system being assessed. Typically taken from the System Profile form, this information should be used to ensure all business impact assessment participants have a common understanding of the:
• function of the system (eg product sales)
• scale of the system (eg high volume of low to medium-value transactions)
• importance to the organisation (eg very important system, accounts for 25% of revenue)
• technical make-up of the system (eg internet-based).
TIP
It is important to ensure all participants are well informed and have a common understanding of the system if sound judgements about business impact are to be made during the business impact assessment.
Activity title: A3 – Familiarise participants with the tools and forms
Objective: To ensure participants understand the tools and forms that will be used in the business impact assessment.
Before commencing the assessment of business impact it is important that participants understand the main tools and forms that will be used in the business impact assessment. This activity is concerned with familiarising participants with the:
• Business Impact Reference Table
• Business Impact Rating forms
• Business Impact Assessment Summary form
• BIA Assistant.
The information risk analyst facilitating the business impact assessment should show and explain the contents and use of each of the above tools and forms. Particular emphasis should be placed on the Business Impact Reference Table that is approved for use within the organisation.
NOTE
The BIA Presentation contains slides that explain the business impact assessment process and the tools and forms that should be used.
At this stage it is recommended that the process for transferring results between the Business Impact Reference Table and the Business Impact Rating forms is explained and also how the summary information from the Business Impact Rating forms is transferred to the Business Impact Assessment Summary form.
NOTE
A spreadsheet-based tool (entitled BIA Assistant) for capturing the results of a business impact assessment has been developed to accompany this report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this tool can be found.
This step of the business impact assessment process is concerned with assessing business impact for a loss of confidentiality, integrity and availability. The main objective of this step is to ensure participants assess business impact in an objective and considered manner. The key activities to be undertaken during this step of the process are: B1 – Assess possible business impact for a loss of confidentiality B2 – Assess possible business impact for a loss of integrity B3 – Assess possible business impact for a loss of availability. This section of the report describes these activities and explains how they should be carried out.
When assessing business impact using the Business Impact Reference Table, business impact assessment participants should be requested to follow the steps shown in Figure 12 below:
1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur.
3. Reach a consensus as a group and record the level of impact.
4. Repeat for the remaining business impact types.
Extract from the example Business Impact Reference Table (Financial business impact types; level of impact A to E):
Ref. | Business impact type | Appropriate measure | A Very high | B High | C Medium | D Low | E Very low
F1 | Loss of sales, orders or contracts (eg sales opportunities missed) | Financial impact | 20%+ | 11% to 20% | 6% to 10% | 1% to 5% | Less than 1%
F2 | Loss of tangible assets (eg fraud, theft of money, lost interest) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F3 | Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F4 | Unforeseen costs (eg recovery costs) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F5 | Depressed share price (eg sudden loss of share value) | Loss of share value | 25%+ | 11% to 25% | 6% to 10% | 1% to 5% | Less than 1%
Figure 12: Assess possible business impact
NOTE
When assessing the level of impact for a loss of availability, each duration of outage (ie an hour, a day, 2-3 days, a week, a month) will need to be assessed for each business impact type (see B3 – Assess possible business impact for a loss of availability).
Business Impact Rating form: Confidentiality. For each business impact type the form records the business impact of unintended or unauthorised disclosure of information (most serious case) as a rating from A (Very high) to E (Very low), with explanatory comments.
Ref. | Business impact type | Explanatory comments recorded on the example form
Financial
F1 | Loss of sales, orders or contracts | Disclosure of pricing information would seriously damage sales.
F2 | Loss of tangible assets |
F3 | Penalties/legal liabilities |
F4 | Unforeseen costs |
F5 | Depressed share price |
Operational
O1 | Loss of management control |
O2 | Loss of competitiveness | Disclosure of pricing information would undermine competitiveness.
O3 | New ventures held up |
O4 | Breach of operating standards |
Customer-related
C1 | Delayed deliveries to customers or clients |
C2 | Loss of customers or clients | Pricing information disclosure would lead to customer losses.
C3 | Loss of confidence by key institutions |
C4 | Damage to reputation | Disclosure of pricing information by press would be damaging.
Employee-related
E1 | Reduction in staff morale/productivity |
E2 | Injury or death |
Overall Rating | In summary, taking into account the ratings noted above and any other consequence, what is the most serious impact which would arise from unintended or unauthorised disclosure of information? (This would normally be at least as high as the highest individual rating.)
The individual A to E marks on the example form are not reproduced in this extract.
Figure 13: Example Business Impact Rating form for Confidentiality
Activity title: B1 – Assess possible business impact for a loss of confidentiality
Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the confidentiality of information in the system.
In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term ‘confidentiality’, how it can be compromised and what impact this could have on the organisation. Accordingly the information risk analyst should ask participants to consider:
• what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?
• how could the confidentiality of this information be compromised (eg hacking into systems or theft of proprietary business information)?
• what would be the business impact that could arise from the compromise of the confidentiality of this information (eg disclosure of pricing information to a competitor)?
TIP
To help participants understand the above it is recommended that a scenario is developed based around real life examples of incidents taken from within the organisation (or a similar organisation).
In completing the steps required to assess business impact participants should use the organisation’s approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:
1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur.
3. Reach a consensus as a group and record the level of impact (see Figure 13 above).
4. Repeat for the remaining business impact types.
For ratings of Very high and High an explanation of how a loss of confidentiality could be damaging to the business should be recorded in the Explanatory comments. When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating recorded for a business impact type.
Business Impact Rating form: Integrity. For each business impact type the form records the business impact of errors in information or of deliberate manipulation of information to perpetrate or conceal fraud (most serious case) as a rating from A (Very high) to E (Very low), with explanatory comments.
Ref. | Business impact type | Explanatory comments recorded on the example form
Financial
F1 | Loss of sales, orders or contracts |
F2 | Loss of tangible assets |
F3 | Penalties/legal liabilities |
F4 | Unforeseen costs |
F5 | Depressed share price |
Operational
O1 | Loss of management control | Corrupted end-of-month data will lead to poor decision making.
O2 | Loss of competitiveness |
O3 | New ventures held up |
O4 | Breach of operating standards |
Customer-related
C1 | Delayed deliveries to customers or clients | Corrupted order information will cause delivery delays.
C2 | Loss of customers or clients |
C3 | Loss of confidence by key institutions |
C4 | Damage to reputation |
Employee-related
E1 | Reduction in staff morale/productivity |
E2 | Injury or death |
Overall Rating | In summary, taking into account the ratings noted above and any other consequence, what is the most serious impact which would arise from errors or unauthorised changes to information? (This would normally be at least as high as the highest individual rating.)
The individual A to E marks on the example form are not reproduced in this extract.
Figure 14: Example Business Impact Rating form for Integrity
Activity title: B2 – Assess possible business impact for a loss of integrity
Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the integrity of information in the system.
In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term ‘integrity’, how it can be compromised and what impact this could have on the organisation. Accordingly the information risk analyst should ask participants to consider:
• what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?
• how could the integrity of this information be compromised (eg misusing systems to create fraud, or errors by staff)?
• what would be the business impact that could arise from the compromise of the integrity of this information (eg corrupted customer order information)?
TIP
To help participants understand the above it is recommended that a scenario is developed based around real life examples of incidents taken from within the organisation (or a similar organisation).
In completing the steps required to assess business impact participants should use the organisation’s approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:
1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur.
3. Reach a consensus as a group and record the level of impact (see Figure 14 above).
4. Repeat for the remaining business impact types.
For ratings of Very high and High an explanation of how a loss of integrity could be damaging to the business should be recorded in the Explanatory comments. When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating recorded for a business impact type.
Business Impact Rating form: Availability. For each business impact type the form records the business impact of a prolonged outage of the system (most serious case), rated A (Very high) to E (Very low) for each duration of outage, with explanatory comments.
Ref. | Business impact type | An hour | A day | 2-3 days | A week | A month | Explanatory comments recorded on the example form
Financial
F1 | Loss of sales, orders or contracts | B | B | B | A | A | Any system outage would prevent tele-sales being processed. Manual fall-back will be required.
F2 | Loss of tangible assets | E | D | C | C | C |
F3 | Penalties/legal liabilities | E | D | C | C | C |
F4 | Unforeseen costs | E | D | C | C | B |
F5 | Depressed share price | E | D | D | C | C |
Operational
O1 | Loss of management control | E | D | C | B | B | Levels of stock and ordering requirements will be unknown.
O2 | Loss of competitiveness | E | D | C | C | C |
O3 | New ventures held up | E | D | B | B | A | The launch of new products would be prevented.
O4 | Breach of operating standards | E | E | E | E | E |
Customer-related
C1 | Delayed deliveries to customers or clients | E | D | C | C | C |
C2 | Loss of customers or clients | E | D | C | C | B | Customers will use alternative suppliers.
C3 | Loss of confidence by key institutions | E | D | C | C | C |
C4 | Damage to reputation | E | D | C | C | C |
Employee-related
E1 | Reduction in staff morale/productivity | E | D | C | C | C |
E2 | Injury or death | E | E | E | E | E |
Overall Rating | | C | B | B | A | A | In summary, what is the most serious impact which would arise from an outage of the system? (This would normally be at least as high as the highest individual rating.)
Overall Critical Timescale: 1 day. What is the critical timescale for recovery of this system (ie the timescale beyond which an outage is unacceptable to the business)? An outage of one day or more would cause a high impact.
Figure 15: Example Business Impact Rating form for Availability
Activity title: B3 – Assess possible business impact for a loss of availability
Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the availability of information in the system.
In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term ‘availability’, how it can be compromised and what impact this could have on the organisation. Accordingly the information risk analyst should ask participants to consider:
• what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?
• how could the availability of this information be compromised (eg malfunction of application software or loss of power)?
• what would be the business impact that could arise from the compromise of the availability of this information (eg customers switching to alternative suppliers)?
TIP
To help participants understand the above it is recommended that a scenario is developed based around real life examples of incidents taken from within the organisation (or a similar organisation).
In completing the steps required to assess business impact participants should use the organisation’s approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:
1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur for each duration of outage (ie an hour, a day, 2-3 days, a week, a month).
3. Reach a consensus as a group and record the level of impact for each duration (see Figure 15 above).
4. Repeat for the remaining business impact types.
For ratings of Very high and High an explanation of how a loss of availability could be damaging to the business should be recorded in the Explanatory comments. When all impact types have been assessed an Overall Rating should be determined for each duration. Typically this is at least as high as the highest individual rating for a business impact type at that duration. Additionally, for availability, the Overall Critical Timescale should be recorded. Typically this is the shortest duration of outage beyond which an outage would be unacceptable to the business.
This step of the business impact assessment process is concerned with determining the overall results for the assessment. The main objectives of this step are to determine the business security requirements and security classification for the system. The key activities to be undertaken during this step of the process are:
C1 – Transfer results to summary form
C2 – Determine business security requirements and overall security classification.
This section of the report describes these activities and explains how they should be carried out.
Activity title: C1 – Transfer results to summary form
Objective: To transfer all results obtained in the business impact assessment to the Business Impact Assessment Summary form.
Prior to commencing the transfer of results to the Business Impact Assessment Summary form the general identification information and description of the system should be entered. The Overall Rating on each Business Impact Rating form (for Confidentiality, Integrity and Availability) should then be transferred to the Overall Business Impact Ratings table of the Business Impact Assessment Summary form (see Figure 16 below). The Overall Critical Timescale for the system from the Business Impact Rating form for Availability should also be entered at this stage.
Key Business Impact Assessment Ratings (blank section of the Business Impact Assessment Summary form)
Overall Business Impact Ratings | Rating
Loss of confidentiality | A B C D E
Loss of integrity | A B C D E
Loss of availability – an hour | A B C D E
Loss of availability – a day | A B C D E
Loss of availability – 2-3 days | A B C D E
Loss of availability – a week | A B C D E
Loss of availability – a month | A B C D E
Overall Critical Timescale | 1 hr / 1 d / 2-3 d / 1 wk / 1 m
Business Security Requirements Rating | Rating
Confidentiality | A B C D E
Integrity | A B C D E
Availability | A B C D E
Business impact ratings: A – Very high, B – High, C – Medium, D – Low, E – Very low
Figure 16: Example Overall Business Impact Ratings table
NOTE
The transfer of values is a straightforward activity and does not require any specific input from the business impact assessment participants.
NOTE
The BIA Assistant automatically transfers the results from the Business Impact Rating forms to the Business Impact Assessment Summary form.
Activity title: C2 – Determine business security requirements and overall security classification
Objective: To discuss and agree the Business Security Requirements Rating and the Overall Security Classification for the system.
When the Overall Business Impact Ratings and the Overall Critical Timescale have been entered, the information risk analyst should, in conjunction with the participants, determine the Business Security Requirements Rating and the Overall Security Classification for the system. Typically the values entered in the Business Security Requirements Rating table are taken from the Overall Business Impact Ratings table: the rating for loss of confidentiality, the rating for loss of integrity, and the highest of the ratings recorded for loss of availability across the outage durations (see Figure 17 below).
The Business Security Requirements Rating table shows in a clear manner the security requirement of the system in terms of the requirement for the confidentiality, integrity and availability of information. A high value means there is a high requirement to protect that property of information (because a loss of that property would result in a high business impact).
The Business Security Requirements Rating table provides the basis for determining the Overall Security Classification. The colour coding used to indicate High (red), Medium (orange) and Low (green) in the Business Security Requirements Rating table helps in determining the level of Overall Security Classification. It is recommended that where at least one Business Security Requirements Rating is an A, the Overall Security Classification should be High. In all other cases it is a matter for discussion with the participants in the business impact assessment, although typically the highest Business Security Requirements Rating should determine the minimum level of Overall Security Classification.
As part of determining the Overall Security Classification the information risk analyst should ensure that the business impact assessment participants fully understand the meaning of the different values (in terms of the requirement for security) and how this will ultimately affect the level (and cost) of security that is implemented.
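To make the roll-up rules in activities B1 to C2 concrete, the following Python example is added here; it is not the ISF’s BIA Assistant spreadsheet or any other ISF code. It applies the bands from the example Business Impact Reference Table in Figure 12 and then the Overall Rating, Overall Critical Timescale, Business Security Requirements Rating and Overall Security Classification rules described in the text. The availability rows are transcribed from the example form in Figure 15; the confidentiality and integrity overall ratings used at the end, the choice of High (B) as the threshold for an “unacceptable” outage, and the mapping of B to E ratings onto HIGH/MEDIUM/LOW are constructed assumptions, since the report fixes only the “at least one A means High” rule.

```python
"""Roll-up of business impact ratings in the style of the ISF BIA process (Part 5).

Constructed example for this page; it is not the ISF BIA Assistant spreadsheet.
Ratings run A (Very high) to E (Very low). The numeric bands are copied from
the example Business Impact Reference Table in Figure 12; an organisation's
approved table replaces them.
"""
from typing import Dict, Iterable, Mapping, Optional, Tuple

RATINGS = "ABCDE"  # index 0 is the most serious rating

# Bands from Figure 12 as (rating, lower bound); anything below the last bound is E.
# Reading each band as a floor settles the gaps in the printed table (5.5% lies
# between "1% to 5%" and "6% to 10%") and the overlaps at exactly $1m and $20m;
# the approved table should state explicitly how such boundary cases are rated.
FINANCIAL_BANDS = (("A", 20_000_000), ("B", 1_000_000), ("C", 100_000), ("D", 10_000))  # F2, F3, F4 ($)
SALES_PCT_BANDS = (("A", 20), ("B", 11), ("C", 6), ("D", 1))    # F1, % of sales lost
SHARE_PCT_BANDS = (("A", 25), ("B", 11), ("C", 6), ("D", 1))    # F5, % of share value lost

DURATIONS = ("an hour", "a day", "2-3 days", "a week", "a month")


def rate(value: float, bands: Iterable[Tuple[str, float]]) -> str:
    """Return the rating of the first band whose lower bound `value` reaches, else E."""
    for rating, floor in bands:
        if value >= floor:
            return rating
    return "E"


def highest(ratings: Iterable[str]) -> str:
    """Most serious rating in a collection (A beats B beats ... E)."""
    return min(ratings, key=RATINGS.index)


def overall_rating(per_type: Mapping[str, str]) -> str:
    """Overall Rating for confidentiality or integrity: the form's rule is that it
    is normally at least as high as the highest individual impact-type rating."""
    return highest(per_type.values())


def availability_overall(per_type: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Overall Rating for each outage duration, taken across all impact types."""
    return {d: highest(row[d] for row in per_type.values()) for d in DURATIONS}


def critical_timescale(overall_by_duration: Mapping[str, str],
                       unacceptable: str = "B") -> Optional[str]:
    """Shortest outage whose overall rating is `unacceptable` or worse.
    Assumption: the business treats High (B) or worse as unacceptable."""
    for d in DURATIONS:
        if RATINGS.index(overall_by_duration[d]) <= RATINGS.index(unacceptable):
            return d
    return None


def security_requirements(confidentiality: str, integrity: str,
                          availability_by_duration: Mapping[str, str]) -> Dict[str, str]:
    """Business Security Requirements Rating: the C and I Overall Ratings plus the
    highest availability rating over all outage durations (activity C2)."""
    return {"confidentiality": confidentiality, "integrity": integrity,
            "availability": highest(availability_by_duration.values())}


# Assumed floor for the non-A cases. The report fixes only "at least one A => HIGH"
# and leaves the rest to discussion, so this mapping is a starting point, not a rule.
MIN_CLASSIFICATION = {"A": "HIGH", "B": "HIGH", "C": "MEDIUM", "D": "LOW", "E": "LOW"}


def overall_classification(requirements: Mapping[str, str]) -> Tuple[str, bool]:
    """Return (classification, settled). `settled` is True only when the report's
    firm rule applies; otherwise the value is the minimum level to put to the workshop."""
    top = highest(requirements.values())
    if top == "A":
        return "HIGH", True
    return MIN_CLASSIFICATION[top], False


# Availability ratings transcribed from the example form in Figure 15 (the rows that
# differ from the common E D C C C pattern are enough to show the roll-up).
FIG15_AVAILABILITY = {
    "F1": dict(zip(DURATIONS, "BBBAA")),
    "F2": dict(zip(DURATIONS, "EDCCC")),
    "F4": dict(zip(DURATIONS, "EDCCB")),
    "O1": dict(zip(DURATIONS, "EDCBB")),
    "O3": dict(zip(DURATIONS, "EDBBA")),
    "C2": dict(zip(DURATIONS, "EDCCB")),
    "E2": dict(zip(DURATIONS, "EEEEE")),
}
# Overall row as actually recorded on that form.
FIG15_OVERALL = dict(zip(DURATIONS, "CBBAA"))

if __name__ == "__main__":
    print(rate(250_000, FINANCIAL_BANDS), rate(5.5, SALES_PCT_BANDS))  # C D
    print(availability_overall(FIG15_AVAILABILITY))  # 'an hour' -> 'B' from F1; the form records C
    print(critical_timescale(FIG15_OVERALL))         # a day
    # Confidentiality A and integrity B are constructed values, not taken from Figures 13/14.
    req = security_requirements("A", "B", FIG15_OVERALL)
    print(req, overall_classification(req))          # availability A -> ('HIGH', True)
```

Two points worth checking in a real workshop fall out of running this. First, a strict “highest individual rating” roll-up of the Figure 15 rows gives B for a one-hour outage (driven by F1), whereas the example form records C; the form says the overall rating would “normally” be at least the highest individual rating, and the facilitated consensus may legitimately land lower, so the analyst should record the reason in the explanatory comments rather than let a spreadsheet overwrite it. Second, the example reference table’s bands leave gaps (5% to 6%, 10% to 11%) and touch at the $1m and $20m boundaries; the organisation’s approved table should state how boundary values are rated before the assessment, so that different workshops do not resolve them differently.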
Overall Security Classification: HIGH / MEDIUM / LOW (one selected on the form)
Sign-off: “I agree with the Key Business Impact Assessment Ratings, Overall Security Classification and chosen Next Steps.”
System owner signature: JS Dawes, date 3 June 2004
Risk analyst signature: HA Frost, date 3 June 2004
Key Business Impact Assessment Ratings: the Overall Business Impact Ratings table (loss of confidentiality, loss of integrity, and loss of availability for an hour, a day, 2-3 days, a week and a month, each rated A to E, plus the Overall Critical Timescale of 1 hr, 1 d, 2-3 d, 1 wk or 1 m) and the Business Security Requirements Rating table (Confidentiality, Integrity and Availability, each rated A to E), laid out as in Figure 16. The marks recorded on the example form are not reproduced in this extract.
Business impact ratings: A – Very high, B – High, C – Medium, D – Low, E – Very low
Figure 17: Example of Overall Security Classification and Key Business Impact Assessment Ratings sections
This step of the business impact assessment process is concerned with determining the appropriate steps that need to be taken after the assessment. The main objectives of this phase are to:
• identify clearly the next steps to be taken after the business impact assessment
• document all post-business impact assessment actions to be undertaken.
The key activities to be undertaken during this step of the process are:
D1 – Review results of assessment
D2 – Agree next steps.
This section of the report describes these activities and explains how they should be carried out.
Activity title: D1 – Review results of assessment
Objective: To review the results of the assessment with the participants to ensure there is widespread agreement on the results.
Prior to concluding the business impact assessment the information risk analyst should review the contents of the Business Impact Assessment Summary form with the business impact assessment participants. This provides those attending with an opportunity to comment on the validity of the findings and whether the ratings and Overall Security Classification accurately reflect the security needs of the system being assessed.

Activity title: D2 – Agree next steps
Objective: To agree the next steps that should be taken after the assessment to ensure information risk is adequately managed.
As part of the review of results the information risk analyst should also examine with the participants the next steps that should be taken after the business impact assessment. The Next Steps ratings that are available for selection in the Business Impact Assessment Summary form are directly related to the Overall Security Classification (see Figure 18 overleaf).
Next Steps (Level / Appropriate action / Tick next step)

HIGH: Conduct detailed Threat and Vulnerability Assessment using Phase 2 and 3 of the Information Risk Analysis Process. Focus on the applicable security requirements identified.
MEDIUM: Conduct standard Threat and Vulnerability Assessment using Phase 2 and 3 of the Information Risk Analysis Process. Focus on the applicable security requirements identified.
LOW: Terminate the Information Risk Analysis Process. Verify that appropriate fundamental controls will be implemented.

Actions (Number / Description of action and date for completion / Responsible)

1. Send results with cover letter to system owner (24/06/04). Responsible: HA Frost
2. Contact IT Operations manager and arrange meeting to discuss results of the assessment (by 24/06/04). Responsible: JS Dawes
3. Forward results to IT department and Internal Audit (24/06/04). Responsible: HA Frost
4. Commence preparations for standard Threat and Vulnerability Assessment (30/06/04). Responsible: HA Frost
5. Log results of the assessment in the risk register (30/06/04). Responsible: HA Frost

Figure 18: Example of Next Steps and Actions in the Business Impact Assessment Summary form
In most cases the Next Steps rating selected will directly correspond with the Overall Security Classification. On occasion, however, the business impact assessment participants, and in particular the system owner, may wish to select a different level of rating for the Next Steps (eg Medium when the Overall Security Classification is High).
Business impact assessment participants may wish to select a different level of rating for the Next Steps when they believe that either more, or less, detailed subsequent analysis of information risk is required. The information risk analyst should ensure that all participants understand the appropriate action associated with each level. The Actions section of the Business Impact Assessment Summary form should be used to capture the main actions that need to be completed as a result of the business impact assessment. Each action should include a date by which it should be undertaken and indicate the individual responsible for its completion. The level of Next Step (High, Medium or Low) that is selected implies certain direct actions (see Figure 18). In addition there may be specific actions that the business impact assessment participants or the system owner wish to see undertaken as a result of the assessment (eg initiate contact with the outsourcing organisation to confirm that basic controls are applied to the system). Progress against all actions should be tracked by the information risk analyst and reported to the system owner. Upon completion of the business impact assessment the actions indicated in the Next Steps and those in the Actions section should be commenced. For systems rated High or Medium this will entail commencing preparations for the next phase of the information risk analysis process – Threat and Vulnerability Assessment.
Appendix A – Tools, information sheets and forms to use in a business impact assessment
Introduction
This appendix contains a list of the tools, information sheets, forms and other useful documents that have been developed to support performing a business impact assessment. The following tools have been developed for use with this report:
• BIA Presentation (a Microsoft PowerPoint presentation that the information risk analyst can use to help facilitate a business impact assessment)
• BIA Assistant (a Microsoft Excel spreadsheet that automates the data capture and reporting of results in a business impact assessment process).
NOTE
The above software tools can be found on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX²) System (the ISF’s Members-only web site).
The following information sheets have been developed for use with this report:
• Why we need to protect our information (a single page explanation of the importance of information that should be sent to participants prior to a business impact assessment)
• Determining the business requirement for information security (a single page explanation of what takes place in a business impact assessment that should be sent to participants prior to a business impact assessment)
• Threats to information (a description of some of the main threats to information – to be used as a reference for participants during a business impact assessment)
• The business impact of incidents (an explanation and description of some of the business impacts that can occur from the compromise of information – to be used as a reference for participants during a business impact assessment).
NOTE
Copies of the above information sheets can be found in the pocket at the end of the printed version of this report. They are also provided on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX²) System (the ISF’s Members-only web site).
The following forms and other useful documents have been developed for use with this report:

Preparatory documents
• Example invitation letter (a letter that can be used to invite staff to take part in a business impact assessment)
• System Profile form (a form used to capture business and technical details about a system prior to a business impact assessment)

Business Impact Reference Table
• Example Business Impact Reference Table (a Business Impact Reference Table developed as a basis for enhancement by Member organisations)

Business Impact forms
• Business Impact Rating form – Confidentiality (a form used to capture the possible business impact that could occur in the event of the loss of confidentiality of information)
• Business Impact Rating form – Integrity (a form used to capture the possible business impact that could occur in the event of the loss of integrity of information)
• Business Impact Rating form – Availability (a form used to capture the possible business impact that could occur in the event of the loss of availability of information)
• Business Impact Assessment Summary form (a form used to capture the overall results from the business impact assessment).
NOTE
Copies of the above forms can be found in the pocket at the end of the printed version of this report. They are also provided on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX²) System (the ISF’s Members-only web site).
Appendix B – Further sources of information

This appendix contains details of further sources of information about information risk management that the ISF has produced.

Contents of this appendix

Work group material
Minutes, briefing packs and additional background material relating to this report can be found in the IRAM project area on the ISF’s Member Exchange (MX²) System.

ISF reports
Gaining management support for information risk analysis (2004)
Information Security Status Survey 2003: Consolidated Reports (2004)
Understanding and using the ISF’s information risk management tools (2003)
Requirements for improving information risk analysis (2003)
The Standard of Good Practice for Information Security (2003)
Fundamental Information Risk Management (FIRM): Implementation Guide (2000)
Fundamental Information Risk Management (FIRM): Supporting Material (2000)
SPRINT: User Guide (1997)
SPRINT: Directory of Controls (1997)
SARA – Simple to apply risk analysis for information systems (1993)
Implementation Guide: How to build Security into your information systems (1993)
Business Risk Analysis: How to establish a satisfactory IT risk analysis process (1990)
Acknowledgements

The Information Security Forum acknowledges the positive contribution to this project by the following individuals.

Work Group

Jesper Hauge Nissen; Kenneth Silsbee; Marguerite Talary; Joop A Zomer; Curtis Ames; Kit Bender; Johan Opperman; Martin Taylor; George de Beer; Dieter Teichert; Jill Trebilcock; Angus Pinkerton; Thon de Blok; Matthew Smith; Prakash Rao; Andy Waddell; Michael Bownes; Sanjay Patel; John Pendleton; Thomas Haeberlen; George Hazell; Sagaran Naidoo; Len Hendry; Franzo Cirinna; David Grant; Andre Botha; Paul Sherry; Paul Raubenheimer; Henry Chai; Hong Kong Tey; Alan Speed; Anita Lussetti; David Austin; Petra Claessens; Wendy Kachelhoffer; Harvey Roth; Brian Peterson; Andre Noack; Satya Vithala; Oscar Stark; Gerald Mucklow; Geoff Dale; Martin Hawkins; George Waterman; Ronald Chung; Tom Bakker; Boris Hemkemeier; Foong Hoe Tan-Ho; Dominique Remy; Kai Buchholz-Stepputtis; Trevor Cardwell; Howard Eakin; Sandy Monnappa; Simon Krug; Peter van Boxtel; Stephen Fitzpatrick; Paul Johnson; Rolston Wiltshire; Kirsty Still; Michael Papais; Richard Nealon; Hans Henrik Nielsen; Michael Hanna; Jennifer Kane; Kjell Hermansson; Kevin Harrington; Tiaan van Schalkwyk; Victor J. Talamo; Angus Burden; Paul Carroll; Lee Li Hoon; Jennifer Khow; Wilfried Kehr; Martina Rohde; Ted Humphreys; Ola Sannes; Donald Michniuk; Simon Royal; Terrence Spencer; Miroslav Kis; Tina Wade; Paul de Graaff; Vivek Khindria; Michael Robinette; Herbert Canfield; Pat Everitt; Jody Wahlgren; Thomas Cummings; Ian Baulch-Jones; Wendy Sale; Dolly Kapadia; Paul de Luca; Jim Murphy; Amanda Finch; Bengt Arild Unnerud; Michael Harrison; Steve Pomfret; Erol Mustafa; Anne-Lize de Beer; Michel Soupart; Colin Campbell; Leonard Ong; Guenther Kerker; Steve Smit; Jukka P Savolainen; James Cleland; Svein Nygard; Gerhard Cronje; Phil Cogger; Tom Remberg; Anthony Mullany; Christof Müllender; Loek Sleper; David Ward; Phillip Gregory; Lori Blair; Manfred Schreck; Harmen Frobeen; Stephen Gill; Iain Andrews; Steve Greenham; Steen Ledet; Niels Rasmussen; Andrew Bebbington; Joy Buckingham; Katie C Jenkins; David Clarke; Randy Kaeder; Dave Cooper; Paul Charles; Louis Sherman; Tom Stapleton; Donna Staniforth; Robert J Symmons; Paul Dann; Vagn E Nielsen; Tanya Preston; Philip Godwin; Neil Wainman; Alan Savage; Lynn Yang Pheng; Roar Gulbrandsen; Ciaran Kelly; Sally Boyce; Pat Reed; Tarik Tahesh; Stephen Donnelly; Jean-Christophe Gaillard; Adrie Janssen Steenberg; Yun Patricia Siow; Lup Kuen Wong; Lip-Ping Chew; George Wang; Christopher Somers; Andrew MacGovern; Jonathan Keefe; Ian Curry; Brendon Harris; Michael Payne; Carl Taylor; Jonathan Randall; Mindy Ziskin; Gary Marsh; Jean-Serge Laurent; Pierre Coenen; Davor Vlahovic; Johan Marnewick; Karin Höne; Bee Ngah Tan; Geetha Kanagasingam; Kuek; Peter Berlich; David Spinks; Susan Swope; Marc Callaway; Geoffrey Tumber; Melle Beverwijk; Frans Gahrmann; Nathan Thompson; Simon Marvell; Pearly Cheng; Johan Kempenaers; Ann Hill; Chris Hoffman; Mark Firgens; Gavin Rayner; Jerold R Kobiske; Erwin Bosma; Sipho Ndaba; Jaap Halfweeg; June Gamber; David Lanigan; Niek Ijzinga; Frans Kersten; George McBride; William Lim; Stephen Fried; Barry Pulliam; Silva Kandiah; Lars Eriksson; Bodil Wiklund; Kevin Kennedy; Klaus Pape; Conrad Tan; Ching Ching Lim; Patrick Bong; Dan Landess; Siew Leng Leck; Seow Hong Tay; Paul Nagel; Martina Ramhitshana; Tony Apsey; Gerhard Kruger; Hettie Booysen; Pedro C Pretorius; Joe Norman; Jean-Pierre Margaillan; Gilbert Agopome; Richard Aylard; Nomazulu Taukobong; Claudia Jollivet; Jacqui Bothwell; Riana Crafford; Emily Manganyi; Pavana Ranjith; John Murdoch; Edwin Aldridge; Carsten Paasch; Adam Spencer; Joe Rohde; Jan Skogqvist; Jeremy Ward; Michael Volkert; Arne Normann; Tommy Brundin; Dan Hlavac; Alan Pacocha; Dan Sokulski; Anza Botha; Kjell Andersson; Christian Thunberg; Laserian M Kelly; Ventatakrishnan Vatsaraman; Ruedi Siegenthaler; Paul Wood; Ged Edgcumbe; Marco Van Putten; Ed Schrijvers; Alan M Jones; David Pinchbeck; Kamaljit Singh; Bent Poulsen; Chris Weegar; Viki Baxter; Mark Steger; Giancarlo Bombardieri; Joachim Droese.

Member organisations represented in the Work Group

A P Møller; Abbey National; ABN-AMRO Bank; ABSA Bank; Akzo Nobel AUD; Alcon Laboratories; Allen & Overy; Alliance & Leicester; Anglo American; ANZ; arivia.kom; AstraZeneca; AstraZeneca Pharmaceuticals; AVIVA; AXA; B&Q; Bank of Ireland Group; Bank of Tokyo-Mitsubishi; Bank One Corporation; Barclays Bank; BASF South East Asia Pte; Bayer; Bechtel Corporation; BHP Billiton; BMO Financial Group; Boeing; British Airways; British Broadcasting Corporation; British Energy; BSkyB; Bundesamt für Sicherheit in der Informationstechnik; Cadbury Schweppes; Caltex International Pte; Centrica; ChevronTexaco; Citigroup; Clariant International; Clifford Chance; CMG Information Technology Pte; Commerzbank; ConocoPhillips; Corus Group; Credit Suisse First Boston; DaimlerChrysler; Danske Bank; Deloitte & Touche; Department of Social, Community & Family Affairs; Department of Trade & Industry; Det Norske Veritas; Dresdner Kleinwort Wasserstein; DTCC; EDF Energy; EDS Information Security Solutions; Electrolux IT Solutions; Electronic Data Systems; Ernst & Young; Euroclear; F Hoffmann La Roche; First Rand Bank; Ford Motor Company; Ford of Europe; Fortis; Fujitsu Services; GlaxoSmithKline; Goldman Sachs & Co; Guardent; HarrierZeuros; Hawker de Havilland; HBOS Group; HSBC Singapore; IBM Switzerland; Information Security EMEA; Information Security Forum; InfoSecure; ING Bank Netherlands; Innogy; Insight Consulting; JP Morgan Chase; KBC Bank and Insurance Holding Company; Kimberly-Clark Corporation; KLM Royal Dutch Airlines; KPMG; KPN; Legal and General; Lloyds TSB; LogicaCMG; Lucent Technologies; Marks & Spencer; National Insurance Administration; Nationwide Building Society; New Africa Capital; Nokia; Norges Bank; Norsk Hydro; Norwich Union; Novartis International; Nykredit; O2 (UK); Orange; Post Danmark; PowerGen UK; PricewaterhouseCoopers; Prudential; Rabobank International; Rabobank Nederland; Reuters; Rolls Royce; Royal Bank of Canada; Royal Bank of Scotland Group; S.W.I.F.T.; Sanlam; SATS; SCA; Scania; Schlumberger; Siemens; Singapore Airlines; SKF; South African Revenue Service; Spoornet; ST Microelectronics; Standard Bank London; Standard Bank of South Africa; Standard Chartered Bank; State Farm Mutual Automobile Insurance Company; State Information Technology Agency; Stora Enso; Svenska Handelsbanken; Symantec Security Services; Syngenta International; Telenor; Tetra Pak; The Depository Trust & Clearing Corporation; The Emirates Group; UBS; Unilever; Unisys; Værdipapircentralen; Verizon; Zurich Financial Services.

Project team
Jason Creasey, Information Security Forum
Nick Frost, Information Security Forum
Andrew Wilson, Information Security Forum

Review and quality assurance
Alan Stanley, Information Security Forum

Production
Louise Liu, Information Security Forum
Charl Porter, Information Security Forum