
Upload: dangdiep

Post on 06-Mar-2018


Risk and Business Impact Analysis

Table of Contents

Risk Assessment .............................................................................................................................. 2

Business Continuity ......................................................................................................................... 4

Risk and Business Impact Analysis .................................................................................................. 9

Types of Risk ................................................................................................................................. 11

Notices .......................................................................................................................................... 13

Page 1 of 13

Risk Assessment (slide 14)

A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures

Diagram (top to bottom): Critical Assets & Processes → Threats, Vulnerabilities, Impacts → Risks → Mitigation

**014 Look at the process of doing a risk assessment. What's involved in a risk assessment? How do you figure out what your actual risks are? So, there are a couple different strategies for this. One of them is posed right here. But generally when we say risk assessment, what we mean is we're looking at the vulnerabilities, the threats, the likelihoods, the impacts, and potential controls or security controls that we put in place. We put all that together and say do I have a potential problem. And that's what you do in risk assessment. So, you start off at the top in this diagram here, and you look at your critical assets. So, what do I need to do to make my business successful? Sorry, what do I have that makes my business successful? People, servers, the secret pizza sauce recipe, whatever the case may be, those are critical assets and processes. Once I understand that, I start looking at how can those critical assets be affected? What are the threats? What are the vulnerabilities? And what are the impacts to my business from those threats, vulnerabilities against my critical assets? So, once I do that, I get an understanding of what my real risk is within the organization. And sometimes-- usually what should happen is these are prioritized. So, I probably come up with a list of twenty things, twenty risks. Some of them are going to be we really should do something about that. So, five of them might be that. Ten of them might be it's important but not as important as the others. And then the last five in that list of twenty might be we can ignore these. We don't have to worry about them. But it's usually prioritized according to some schema. And so, you've got this prioritized list. If they're prioritized, now you can assign resources to fixing those risks or addressing those risks. And that's what you do in the mitigation step.


Business Continuity (slide 15)

Business Continuity Management
• Identify potential impacts that threaten a business
• Build resilience and capability for effective response
• Safeguard critical interests (financial, reputation, etc.)

Business Continuity Planning
• Basic objectives are to keep an organization running as normally as possible at all times, even in an emergency, and the protection of critical business operations
• Covers both disaster recovery planning and business resumption planning

Process diagram (a cycle): Project Initiation → Risk Assessment → Business Impact Analysis → Mitigation Strategy Development → BC/DR Plan Development → Training, Testing, Auditing → BC/DR Plan Maintenance → back to the start

**015 So, business continuity then is a function of risk management. And business continuity management, you're trying to identify all of the potential impacts or threats to your business that are out there. And you try to build resistance or resiliency or capabilities to prevent those from affecting you in a significant manner. So generally, you're looking at safeguarding critical interests, or critical functions, or critical aspects of your business. What's a critical aspect of the business? Depends on who you are, what your business is. It could be reputational, could be financial. We'll talk about those in a little bit here. But business continuity management is all about safeguarding your critical business functions, so that you can keep operating. Your business can continue if something bad happens to those particular interests. So, business continuity planning, then, is a function of business continuity management. In business continuity management you'll do all sorts of things in there. One of the things you do is the continuity planning piece. And what you want to do with planning is come up with a strategy that will keep your business running when the bad stuff happens to it. So, in an emergency, in a cyber attack, any time there is a negative impact to your business, your continuity plan-- your business continuity plan, should tell you, okay what do I do. How do I keep my business running? Now, as part of business continuity planning, there are a couple different aspects to that. There's disaster recovery planning, business resumption planning, continuity of operations planning. There's all sorts of sub-functions within business continuity planning. But at the end of the day, what are you trying to do with business continuity planning?

Student: Make sure you can bring your business back online.

Chris Evans: Yep, make sure you can bring your business back online. That whatever happened to you is not significant enough to cause you to shut down or close the doors on the business. So, if you look at a general process here for how to do business continuity, what we're basically talking about here is in project initiation, you're going to say it's important to me. It's important to the business. We are going to do business continuity planning. That happens right here in project initiation. From there you start doing a risk assessment. So, recall what we presented on the previous slide where you're looking at threats and vulnerabilities and impacts. You're starting to do that here with your risk assessment. You'll do some type of business impact analysis where you're looking at those risks and saying how is this going to impact or affect my business. And prioritize those accordingly based on that. Then you move into mitigation strategy development. So, you have this idea of I've got all these risks. I've got these vulnerabilities, these threats. I understand that there's a potential impact to my business. What do I do about it? How do I prevent it from happening? If it does happen, what do I do about it? All of that happens here in the mitigation strategy development and in the business continuity and disaster recovery plan development. What's the difference between mitigation strategy development and plan development? In mitigation strategy development, what you're trying to do is prevent it from happening or limit the impact of it after it happens. So, if there's a fire or a flood in your data center, mitigation strategy might be put in a fire system. You're trying to prevent the fire from happening to begin with. Business continuity and disaster recovery plan development, that kicks in once that event already happens. So, here you're trying to prevent it or prevent a big impact from it. With business continuity, you're saying there was a fire in my data center, now what do I do. I need to evacuate the building. I need to move to my alternate site. I need to stand up additional capabilities. And all that happens here in the plan development. So, this is great. You've got this wonderful plan that tells you exactly what to do and when to do it. Training, testing, and auditing, how do you know that your plan is going to work? How do you know that the people who have the plan can actually do it? Well, you need to train them on how to use the plan. Then you need to test the plan and make sure that it's going to work. You can do an exercise, a tabletop exercise, a functional exercise, whatever have you, to actually do a test and make sure that your plan's going to work. And then auditing, are you sure it's going to work? Are the controls that you've put in place correct? Do they work as you intend them to do, or intended them to do? All of that happens here with training, testing, and auditing. And I'd argue with you that this is probably one of the more important aspects of this because if you go through all this and you come up with a plan, and you've got this six hundred page document, and you put it on the shelf, and you forget about it for two years, what could happen to you?

Student: It won't be effective when you need it.

Chris Evans: It won't be effective when you need it because what's going to change in two years? I have no idea, but I'm betting it's going to be a lot. So, if you shelve your plan here at the end of it, and you don't touch it again, when the time comes for you to activate it and actually use it, you're going to pull it off the shelf, blow the dust off of it and go uh oh. This says I was supposed to pack up the exchange server. We don't have that any more. Now, what do I do? So, the training, testing, and auditing, you do that on a regular basis. You'll find things that are wrong with your plan because I could just about guarantee that the first time you do a plan, what comes out of that process is good. It's not perfect. I think every time you do this process it's not perfect. But you'll find that-- through training, testing, and auditing you'll find there are things that you can do to improve. And you do that here in the plan maintenance. So, you update your plan. You update your controls, update your strategies. And then it's a big circle. So, you start over again. You say what are the new risks. What are the new threats? What are the new vulnerabilities that I'm concerned about?


Risk and Business Impact Analysis (slide 16)

Know what is important to you.
• What are your critical business functions?

Know what threats you have.

Know your vulnerabilities and the likelihood they get exploited.

Know the impact to your business if the threat occurred.

Analyze your risks.
• Risk = Threat x (Likelihood x Vulnerability) x Impact

Decide what to do about the risks.

**016 Risk and business impact analysis, this is all about understanding what's really important to you. What are your critical business functions? Based on your business, what do you do? What do you provide? So, you have to first understand that, then you look at things like what threats are out there. What are the vulnerabilities and the likelihood of things taking advantage of you or taking advantage of those vulnerabilities? So, you look at vulnerabilities and likelihood. And you start thinking about impact. So, if this particular vulnerability or this particular threat happens, what's the impact to my business? It could range anywhere from nothing to we're going out of business. And somewhere usually within that range is where-- somewhere in the middle is where you're going to fall. So, know the impact to the business. Based on that, take a look at your real risk. And why do we keep coming back to this statement here of threats, vulnerabilities, likelihoods, and impact? Why is this statement so important? When you're going through and doing your risk assessment, you'll want to look at this and go-- this will allow you to prioritize risk and say I've got a really big threat, but no impact, or little impact. So, it's not a big risk versus I have a threat. I have a huge impact. And there's a vulnerability for it. That equals big risk. So, now using this equation or this process, you can look at risk management as I'm coming up with a whole bunch of risk. And I can prioritize them accordingly and say this one is more important than this one. Why is that important? Because chances are you don't work in an organization with unlimited budget, unlimited time, unlimited resources, right? So, I think if you're one of the-- one of those of us in the real world that have resource constrained environments, you need to be able to prioritize and say I can't fix everything. What do I focus on? I focus on the things that have the biggest risk to my organization, not the threat of the month club or something down here. Where that's cool. And it's sexy. And it's neat and people want to concentrate on it, but you know what? We don't have a risk from that. So, let me focus on the big risk, the important things. So, once you've prioritized that, then you can figure out what do I do. How do I address this? If I've only got a thousand dollars to spend on six risks, but my risks are prioritized, I can say all right. The most bang for the buck is going to be spending five hundred dollars on a firewall and another five hundred dollars on an intrusion detection system to help me mitigate the risks to the business.
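The scoring and budgeting reasoning from this slide, as an added worked example that is not part of the SEI course material: a constructed six-risk register (every entry, 1-to-5 scale, control name, cost and reduction fraction is an illustrative assumption) is scored with the slide's formula, prioritized, and then a thousand-dollar budget is spent where it buys the most risk reduction per dollar; what is left over is the residual risk that the next slide says management has to accept.

```python
"""Added example, not from the SEI course: score, prioritise and budget a risk register
using the slide's formula, Risk = Threat x (Likelihood x Vulnerability) x Impact.
Every entry, scale (1..5), cost and reduction fraction below is a constructed assumption."""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    threat: int         # 1..5, how capable and active the threat is
    likelihood: int     # 1..5, chance the vulnerability actually gets exploited
    vulnerability: int  # 1..5, how exposed the critical asset is
    impact: int         # 1..5, business impact (1 = nothing, 5 = out of business)
    control: str        # candidate mitigation (hypothetical)
    cost: int           # cost of that mitigation in dollars (assumed)
    reduction: float    # fraction of the risk score the control removes (assumed)

    def score(self) -> int:
        return self.threat * (self.likelihood * self.vulnerability) * self.impact

# Constructed register: six risks competing for one thousand dollars, as in the lecture.
REGISTER = [
    Risk("Internet-facing server compromise", 5, 4, 4, 5, "firewall", 500, 0.6),
    Risk("Intruder moving through the network unnoticed", 4, 4, 3, 5, "intrusion detection system", 500, 0.5),
    Risk("Insider data leak", 3, 2, 3, 4, "data loss prevention tooling", 600, 0.5),
    Risk("Laptop theft", 3, 3, 2, 3, "full-disk encryption", 300, 0.8),
    Risk("Office printer outage", 2, 3, 3, 1, "spare printer", 150, 0.9),
    Risk("Threat of the month (no exposure here)", 5, 1, 1, 1, "shiny appliance", 800, 0.9),
]

def prioritised(register):
    """Highest risk score first: a big threat with little impact drops down the list."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def spend_budget(register, budget):
    """Greedy allocation: fund the control with the best risk reduction per dollar first,
    skip anything that no longer fits, return the chosen controls and the money left."""
    chosen, remaining = [], budget
    for r in sorted(register, key=lambda r: r.score() * r.reduction / r.cost, reverse=True):
        if r.cost <= remaining:
            chosen.append(r.control)
            remaining -= r.cost
    return chosen, remaining

def residual_risk(register, chosen):
    """Sum of what is left after the funded controls: the residual management must accept."""
    return sum(r.score() * (1 - r.reduction) if r.control in chosen else r.score()
               for r in register)

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{r.score():4d}  {r.name}  (mitigation: {r.control}, ${r.cost})")
    controls, left = spend_budget(REGISTER, 1000)
    print("fund:", controls, "unspent:", left)
    print("inherent:", sum(r.score() for r in REGISTER), "residual:", residual_risk(REGISTER, controls))
```

With these constructed numbers the greedy pass funds exactly the firewall and the intrusion detection system from the lecture, and the "threat of the month" entry lands at the bottom of the list because a large threat with no exposure and no impact scores almost nothing.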

Types of Risk (slide 17)

Inherent Risk is the risk linked to a particular activity itself.
• Complex regulations
• Poor management

Control Risk comes from a failure of the controls to properly mitigate risk.
• Failure of firewall to block malicious traffic

Residual Risk is the combination of the inherent and the control risk; it is what remains after the controls have been applied to mitigate risk.
• Eliminating risk is not possible IF you have chosen to expose yourself to it.
• Residual risk must be accepted by management.

**017 There are different types of risk that are out there. So, as you're going through your risk analysis, you'll want to remember what are the basic types of risks that are out there. There's inherent risk. And this is risk that's intrinsic to certain activities. It could be due to complex regulations, or poor management, or we just have a process that involves several different types of servers and components and people. And there's risk associated with that. That's called inherent risk. There's control risk. And this is risk that comes from the controls or countermeasures or safeguards that you put in place. What is a good example of a control? We'll talk more about controls later. But what's a good example of a control? A firewall, right? You're there to-- that firewall is there to block access from the outside or maybe filter communication between your network and the outside world. Well, control risk comes from the fact that you've got all your traffic routed through that one firewall. What happens if the firewall crashes or stops working? Do you lose Internet connectivity? That's a risk. Now, you didn't have that risk until you put the control in place. And that's an example of control risk. Residual risk is everything that's left over after you've put mitigation strategies in place, you've done these controls, you've got these inherently risky activities going over here, everything that's left. That entire risk that's left is called residual risk. So, once your controls have been put in place to mitigate the risk, once your strategies have been implemented, the entire bunch of risks that you have left is called residual risk. Residual risk is kind of a dangerous area because it's risk that you can't get rid of. You can't put a control in place to get rid of it. Maybe you haven't been able to transfer it to somebody else. You can't get rid of this risk. What do you have to do? You have to live with it, right? But at least it's an informed decision about I've got this left over risk. At least I know about it. And we are going to have to live with it. But at least it's informed. And so again, what's left over after you put all your mitigation strategies in place, that's residual risk.

Notices (slide 2)

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
