Managing Risk in Information Systems, Lesson 6: Business Impact Analysis (Solved)

Managing Risk in Information Systems
Lesson 6: Business Impact Analysis and Continuity Planning
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.

Learning Objectives
- Perform a business impact analysis.
- Create a business continuity plan (BCP) based on the findings of a given risk assessment for an organization.

Key Concepts
- Purpose of BIA
- Critical success factors of BIA
- Steps involved in implementing a BIA
- BIA best practices
- Comparing a BCP and a DRP
- Major elements of BCP
- Phases of a BCP
- Steps for implementing a BCP

Chapter 12 Slides
Chapter 12: "Mitigating Risk with a Business Impact Analysis"

What Is a Business Impact Analysis?
- A study used to identify the impact that can result from disruptions in the business
- Focuses on the failure of one or more critical IT functions
- Terms:
  - Maximum acceptable outage (MAO)
  - Critical business functions (CBFs)
  - Critical success factors (CSFs)

Seven Steps of Contingency Planning
1. Develop the contingency planning policy statement
2. Conduct the BIA
3. Identify preventive controls
4. Develop contingency strategies
5. Develop an IT contingency plan
6. Ensure plan testing, training, and exercises
7. Ensure plan maintenance

Dimensions of a BIA
- Identify the business impact of IT disruptions
- Mission-critical IT systems and components
- Does not analyze all IT functions
- Stakeholders identify mission-critical systems
- Compliance issues often drive BIA
- Inputs into the business continuity plan (BCP) and risk assessment (RA)

Defining Scope of a BIA
- Define BIA scope early in the process
- Scope defines the boundaries of the plan
- Scope is affected by the size of the organization
  - Small organizations: scope could include the entire organization
  - Larger organizations: scope could include only certain areas, departments, or divisions
Defining Scope of a BIA (Cont.)
- Purchase phase
- Shipment phase

Objectives of BIA
- Identify critical business functions (CBFs)
- Identify critical resources
- Identify maximum acceptable outage (MAO) and impact
  - Direct and indirect costs
- Identify recovery requirements

Identify critical business functions (CBFs). Unless you own the process, critical business functions are not always apparent. For example, if you are the security expert, you may not know the CBFs of an online Web site.

Identify critical resources. The critical resources are those that are required to support the CBFs. Once you have identified the CBFs, you can analyze them to determine the critical resources for each.

Identify maximum acceptable outage (MAO) and its impact. Once you have identified the critical business functions and the IT resources that support them, you turn your attention to the MAO and its impact. When calculating the MAO for an organization, it is important to consider both direct and indirect costs.

Identify recovery requirements. The recovery requirements show the time frame in which systems must be recoverable.

Balancing Costs
- Cost to recover
- Cost of disruption
- Consider:
  - Direct costs
  - Indirect costs

Steps Involved in Implementing a BIA
1. Identify the environment
2. Identify stakeholders
3. Identify CBFs
4. Identify critical resources
5. Identify maximum downtime
6. Identify recovery priorities
7. Develop the BIA report

Identifying Mission-Critical Business Functions and Processes
Mission-critical functions are:
- Any functions considered to be vital
- Derived from critical success factors (CSFs)
- Successful CSFs result in performing CBFs
- Experts have key information regarding mission-critical functions

BIA Best Practices
- Start with clear objectives
- Maintain focus on objectives
- Use a top-down approach
- Vary data collection methods
Start with clear objectives: Make sure you and anyone involved with the BIA understand the scope of the BIA. This is best defined in writing; many projects get off track simply because individuals have a different understanding of the requirements.

Don't lose sight of the objectives: In addition to the scope statement, remember that the purpose of the BIA is to identify the critical functions, critical systems, and MAO. This data is used to determine the recovery priorities.

Use a top-down approach: Start with the CBFs and drill down to the IT services that support them. If you start with the servers, you will miss important elements that are needed for the success of the CBFs.

Vary data collection methods: When collecting data, ensure you match your method to the organization's practices. You may be able to get solid data from individual interviews with some people.

BIA Best Practices (Cont.)
- Plan interviews and meetings in advance
- Avoid the quick solution
- Use normal project management methods
- Consider the use of technology resources

Plan interviews and meetings in advance: Data gathering is an important part of the BIA. You want to ensure that the attendees have enough time to give you the data you need. If they are rushed or you are not prepared, you will not get the data you need.

Don't look for the quick solution: The BIA will take time. It takes time to collect the data. It takes time to evaluate the data. It takes time to identify priorities.

Consider the BIA as a project: All normal project management practices apply. Set milestones and track the progress.

Consider the use of tools: Many tools are available that can assist with the completion of disaster preparedness projects. These include tools that can help with a BIA.

Chapter 13 Slides
Chapter 13: "Mitigating Risk with a Business Continuity Plan"

What Is a Business Continuity Plan?
- A plan designed to help an organization continue to operate during and after a disruption
- BIA is included as part of a BCP

What Is a Business Continuity Plan? (Cont.)
BIA key objectives that directly support the BCP:
- Identify critical business functions (CBFs)
- Identify critical processes supporting the CBFs
- Identify critical IT services supporting the CBFs, including any dependencies
- Determine acceptable downtimes for CBFs, processes, and IT services

Elements of a BCP
- Purpose and scope
- Assumptions and planning principles
- System description and architecture
- Responsibilities
- Phases
- Plan training, testing, and exercises
- Plan maintenance

System Description and Architecture
- Show system interaction

BCP Roles and Responsibilities
- BCP program manager
- BCP coordinator
- BCP teams
  - Emergency Management Team (EMT)
  - Damage Assessment Team (DAT)
  - Technical Recovery Team (TRT)

Phases within a BCP Plan
1. Notification/activation phase
2. Recovery phase
3. Reconstitution phase

Defining Data that Needs to Be Protected
- Identify all critical components for the system
- Identify all equipment: servers, switches, routers
- Include databases hosted on the system
- Include files: documents or spreadsheets
- Include necessary supplies

The BCP should list all the critical components for the system. There are two reasons for including this data: First, it makes it clear which components are needed for the critical business functions (CBFs). Second, it provides a list that you can use to restore the system from scratch. This list includes any equipment, such as servers, switches, and routers.

The servers may need to be rebuilt from scratch. Therefore, the BCP should list the operating system and any applications needed to support the system. If an image is used to rebuild servers, the list will include the image version number. Data can include a database hosted on the system. It can also include any type of files, such as documents or spreadsheets.

Last, the list can include any needed supplies. These can be simple office supplies, such as printer paper and toner. For some systems, they can include technical supplies, such as special oils for machinery or tools needed for maintenance.

BCP Best Practices
- Complete the BIA early
- Exercise caution when returning functionality from alternate locations
- Restore least critical functions first
- Review and update the BCP
- Test all individual pieces of the plan
- Conduct test exercises of the plan
Complete the BIA early: Ensure the BIA is done early in the process for the BCP. Without the BIA, you will not know which systems are critical.

Exercise caution when returning functionality from alternate locations: When restoring functionality from an alternate location to the primary location, consider these best practices:

Restore least critical functions first to the primary location: This allows you to get the bugs out of the process without affecting critical functions.

Review and update the BCP regularly: The BCP coordinator should review and update the BCP at least annually. If critical systems are changed or modified between annual reviews, the BCP should be reviewed when those changes or modifications occur.

Test all the individual pieces of the plan: This includes basic procedures, such as recalls.

Exercise the plan: Verify the plan works by performing test exercises. These exercises should not affect normal operations.

Summary
- Purpose of BIA
- Critical success factors of BIA
- Steps involved in implementing a BIA
- BIA best practices
- Comparing a BCP and a DRP
- Major elements of BCP
- Phases of a BCP
- Steps for implementing a BCP

OPTIONAL SLIDES
Chapter 12 Optional Slides
Chapter 12: "Mitigating Risk with a Business Impact Analysis"

Key Roles
- Risk manager
- Auditor
- Data owners
- IT management
- Security manager

Significance of Business Impact Analysis
- How critical are IT infrastructures to business?
- What are the most critical IT systems to business?
- What happens if critical IT systems go down?
- What are the direct and indirect costs?
- BIA shows urgent need for contingency plan

Chapter 13 Optional Slides
Chapter 13: "Mitigating Risk with a Business Continuity Plan"

Business Continuity vs. Disaster Recovery

BCP: Covers all functional areas of a business; it ensures the entire business can continue to operate in the event of a disruption. Includes a BIA, and also addresses other non-technical elements of the event. Focused on getting the overall business functions back to normal.

DRP: Is a function of the IT department. Includes the elements necessary to recover from a disaster, once one is declared. Involves copying the critical data to media or online and then, if required, moving the IT operations off site to recover. Focused on restoring and recovering IT functions.

BCP
- Covers all functional areas of business
- Includes a business impact analysis (BIA)
- Focused on business function recovery

DRP
- Function of the IT department
- Focused on IT function recovery
- Recovery from a declared disaster

Steps for Implementing a BCP
1. Create BCP scope statements
2. Conduct business impact analysis (BIA)
3. Identify countermeasures and controls
4. Develop individual disaster recovery plans (DRPs)
5. Implement training
6. Test and exercise plans
7. Maintain and update plans

Why Use a Business Continuity Plan?
- What happens if electrical power is lost?
- What happens if servers go down?
- What are the critical business functions to maintain?
- What must remain intact to conduct business?
- What is the risk of being without a BCP?
Paper for the above instructions
Business Impact Analysis and Continuity Planning in Information Systems Management
Introduction
In today’s digital era, businesses heavily rely on information systems for their daily functions. A disruption of these systems can lead to significant financial losses and hinder operational capabilities. Therefore, organizations must implement a Business Impact Analysis (BIA) and a Business Continuity Plan (BCP) to mitigate risks associated with such disruptions. This essay explores the purpose and steps of BIA and BCP in risk management within information systems, emphasizing the critical aspects of these tools, methodologies involved, and best practices.
Understanding Business Impact Analysis (BIA)
BIA is a systematic process used to identify the potential impacts of disruptions on critical business functions (Hiles, 2017). It serves as a foundation for creating a BCP and helps organizations determine acceptable levels of disruption, essential resources, and recovery objectives. The primary focus of BIA is to establish critical business functions (CBFs), which are functions that are essential for the survival of the organization.
Key Elements of BIA:
1. Identification of Critical Business Functions (CBFs): This involves determining which functions are vital for operations. These can range from customer service to IT support (Smith & Murdock, 2019).
2. Assessment of Maximum Acceptable Outage (MAO): Understanding how long a function can be non-operational is crucial. MAO is a key metric that guides the recovery strategy (Rasmussen et al., 2020).
3. Cost Analysis: BIA should include both direct and indirect costs associated with disruptions. Direct costs might include revenue loss, while indirect costs can involve reputational damage (Wallace, 2016).
4. Recovery Requirements: This step looks at what resources are needed to recover CBFs and the timeframe for restoration (Varriale, 2021).
Steps Involved in Implementing BIA
1. Define Scope: Clearly outline the boundaries of the BIA, which could vary based on organizational size (Ritchie et al., 2018).
2. Identify Stakeholders: Engaging with relevant personnel who have knowledge about the organization's critical functions is essential (Zawadzki et al., 2018).
3. Analyze CBFs and Critical Resources: Gathering data on CBFs and the resources required to maintain them is fundamental to the BIA (Smith & Murdock, 2019).
4. Determine Maximum Downtime and Recovery Priorities: Identify how long functions can be non-operational and prioritize recovery efforts accordingly (Rasmussen et al., 2020).
5. Compile BIA Report: Document findings and recommendations in a formal report for stakeholders (Zawadzki et al., 2018).
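The cost and priority steps above (MAO, direct and indirect costs, maximum downtime, recovery priorities, the BIA report) can be worked through on a small BIA worksheet. The following Python script is an added example, not part of the lesson slides or the essay: the four business functions, their cost figures and their resource dependencies are constructed sample data, and the priority rule (shortest MAO first, then highest hourly cost) and the cost-balance test (a recovery capability is justified when it costs no more than the MAO-length outage it prevents) are simplifying assumptions rather than textbook formulas.

```python
"""BIA worksheet: recovery priorities, cost balance and resource recovery targets.

Added example with constructed sample data; not taken from the lesson or textbook.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalBusinessFunction:
    name: str
    mao_hours: float               # maximum acceptable outage
    direct_cost_per_hour: float    # lost revenue, contractual penalties
    indirect_cost_per_hour: float  # estimated reputational and churn cost
    recovery_cost: float           # cost of the capability that restores within the MAO
    resources: tuple               # critical IT resources the function depends on

    @property
    def cost_per_hour(self) -> float:
        """Direct plus indirect cost for each hour of outage."""
        return self.direct_cost_per_hour + self.indirect_cost_per_hour


def disruption_cost(cbf: CriticalBusinessFunction, outage_hours: float) -> float:
    """Cost of an outage of the given length (direct and indirect costs)."""
    return outage_hours * cbf.cost_per_hour


def recovery_priority(cbfs) -> list:
    """Assumed rule: shortest MAO first; among equal MAOs, the costliest outage first."""
    ordered = sorted(cbfs, key=lambda c: (c.mao_hours, -c.cost_per_hour))
    return [c.name for c in ordered]


def balance_costs(cbf: CriticalBusinessFunction) -> dict:
    """Compare the cost to recover with the cost of a disruption lasting the full MAO.

    Assumption: the recovery capability is justified when it costs no more than
    the outage it prevents; otherwise the figure is flagged for review.
    """
    at_mao = disruption_cost(cbf, cbf.mao_hours)
    return {
        "cbf": cbf.name,
        "disruption_cost_at_mao": at_mao,
        "recovery_cost": cbf.recovery_cost,
        "recovery_justified": cbf.recovery_cost <= at_mao,
    }


def resource_recovery_targets(cbfs) -> dict:
    """A shared resource must be recoverable within the shortest MAO of all the
    functions that depend on it (the dependency point in the BIA objectives)."""
    targets = {}
    for cbf in cbfs:
        for resource in cbf.resources:
            targets[resource] = min(targets.get(resource, cbf.mao_hours), cbf.mao_hours)
    return targets


def bia_report(cbfs) -> dict:
    """Assemble the data the BIA report hands on to the BCP."""
    return {
        "recovery_priority": recovery_priority(cbfs),
        "cost_balance": [balance_costs(c) for c in cbfs],
        "resource_recovery_targets_hours": resource_recovery_targets(cbfs),
    }


# Constructed sample worksheet for a hypothetical organization.
SAMPLE_CBFS = (
    CriticalBusinessFunction("Online order processing", 4, 5000, 2000, 20000,
                             ("Database cluster", "Identity provider")),
    CriticalBusinessFunction("Payroll", 72, 500, 200, 60000,
                             ("Database cluster", "Payroll SaaS")),
    CriticalBusinessFunction("Internal wiki", 168, 50, 10, 5000,
                             ("Wiki server", "Identity provider")),
    CriticalBusinessFunction("Customer support portal", 4, 3000, 2500, 15000,
                             ("Identity provider",)),
)

if __name__ == "__main__":
    import json
    print(json.dumps(bia_report(SAMPLE_CBFS), indent=2))
```

Two points the worksheet makes visible that the list of steps does not: the payroll row shows a recovery capability whose cost exceeds an MAO-length outage and is therefore flagged for review rather than accepted, and the shared database cluster and identity provider inherit the four-hour target of order processing even though payroll and the wiki on their own could tolerate days of downtime.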
Best Practices for BIA
Following best practices ensures effective BIAs. Starting with clear objectives, maintaining focus throughout the process, and adopting a top-down approach are essential (Varriale, 2021). Other practices include pre-planning interviews and meetings to maximize data collection, employing diverse data collection methods, and treating BIA as a project that requires careful management (Hiles, 2017).
Understanding Business Continuity Plan (BCP)
A BCP is a document that outlines how a business will continue to operate during and after a disruption (Wallace, 2016). BIA is integral to this plan, as it identifies critical functions and assists in formulating recovery strategies.
Key Objectives of BCP:
1. Identify CBFs, Critical Processes, and IT Services: A BCP must encompass all critical aspects of operations to ensure comprehensive recovery plans (Smith & Murdock, 2019).
2. Establish Recovery Time Objectives (RTO): The RTO defines the target duration within which services must be restored (Varriale, 2021).
3. Ensure Adequacy of Resources for Recovery: The plan must define the resources necessary for recovery and continuity (Hiles, 2017).
Elements of a Business Continuity Plan (BCP)
A robust BCP consists of several key elements:
1. Purpose and Scope: Clearly define what the BCP is meant to address (Wallace, 2016).
2. Assumptions and Planning Principles: Outline any assumptions made during the planning process (Zawadzki et al., 2018).
3. System Description and Architecture: Include descriptions of the systems and operational dependencies involved (Ritchie et al., 2018).
4. Roles and Responsibilities: Assign roles to ensure accountability during the response to disruptions (Varriale, 2021).
5. Testing and Maintenance Phases: Establish regular testing of the BCP and procedures for systematic review and updates (Smith & Murdock, 2019).
Steps for Implementing a BCP
The steps to implement a BCP include:
1. Create BCP Scope Statements: The scope should identify the operational areas covered in the BCP (Hiles, 2017).
2. Conduct BIA: As mentioned, a BIA should inform the BCP (Hiles, 2017).
3. Identify Countermeasures and Controls: Determine what preventive measures and controls can mitigate risks to critical functions (Ritchie et al., 2018).
4. Develop Individual Disaster Recovery Plans (DRPs): While the BCP covers business functions, a DRP focuses specifically on IT recovery (Varriale, 2021).
5. Implement Training and Exercises: Regularly train staff and conduct drills to ensure everyone knows their role (Wallace, 2016).
6. Maintain and Update Plans: Documentation should be revisited regularly to adapt to changes in the organization (Rasmussen et al., 2020).
Conclusion
Managing risks through effective BIA and BCP is essential for organizational resilience in the face of disruptions. By identifying critical functions, assessing potential impacts, and developing comprehensive recovery strategies, businesses can safeguard their operations and financial integrity. Embracing this proactive approach not only minimizes risks but also elevates the overall capacity of organizations to respond to unforeseen challenges.
References
1. Hiles, A. (2017). Business Continuity Management: Global Best Practices. Rothstein Publishing.
2. Rasmussen, L., et al. (2020). Risk Management in Business Processes. Springer.
3. Ritchie, C., et al. (2018). Business Impact Analysis: A Practical Guide. McGraw-Hill.
4. Smith, D., & Murdock, A. (2019). The Complete Guide to Business Security Analysis. Wiley.
5. Varriale, M. (2021). Continuity and Risk Management: Practices and Issues. Routledge.
6. Wallace, D. (2016). Crisis Management: Planning for the Unthinkable. CRC Press.
7. Zawadzki, R., et al. (2018). Resilience and Risk Management: A Statistical Approach. Springer.
8. Creswell, J. W., & Creswell, J. D. (2017). Research Design: Qualitative, Quantitative, and Mixed Methods Approaches. SAGE Publications.
9. Kahn, C. (2020). Effective Risk Management in Organizations. Taylor & Francis.
10. Beasley, M. S., & Frigo, M. L. (2019). Enterprise Risk Management: A Business-Driven Approach. CIMA Publishing.
This document addresses the importance of BIA and BCP in managing risk in information systems, summarizing key ideas and practices necessary for effective implementation. Implementing these strategies is vital for business continuity, given the increasingly complex and often unpredictable operational landscape.