TECHNIQUES

SECURITY

Contingency Planning: Business Impact Analysis

UDAY O. ALI PABRAI Business contingency planning is a coordinated strategy that involves procedures and technical measures to enable the recovery of systems, operations and data after a disruption. The contingency plan must be developed with the input and support of line-of-business managers and all key constituencies, because the plan will need to work across the entire organization. The plan must be based on the risks faced by the organization, as well as risks associated with partners, suppliers and customers. All technology issues must be addressed in the context of business operations. The plan itself must be tested regularly and refined as required. The core objectives of contingency planning include the capability to restore operations at an alternate site with alternate equipment, and to perform some or all of the affected business processes using other means. One of the first critical steps in contingency planning is developing a business impact analysis. A business impact analysis (BIA) is a critical step toward successful contingency planning. It is imperative for security professionals to better understand the BIA framework and work closely with a contingency team to ensure the continued security of vital information and systems during an emergency. A BIA helps to identify and prioritize numerous critical IT systems, interfaces, processes and components. As part of the BIA process, information is collected, analyzed and interpreted, providing the basis for defining contingency requirements and priorities. IT systems may have numerous components, interfaces and processes. A BIA enables a complete characterization of system requirements, processes and interdependencies. A BIA identifies the priorities associated with systems in the event of a disaster, and is of tremendous value to security professionals and architects because it provides information on a critical security principalavailability. that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It is key to identify all critical systems that are required for the continuity of the business. Further, the analysis must include a determination of disruption impacts and allowable outage timesincluding the time it would take to recover systems in the event of a loss. The critical steps for a BIA include:

Identifying critical business functions. Identifying critical computer resources that support key business functions.

Identifying disruption impacts and allowable outage times.

Developing recovery priorities.

Some examples of critical business functions that need to be acknowledged within the scope of a BIA include payroll, order entry, customer support, accounting, communications, software support, data processing, production scheduling, purchasing and IT network support. Next, loss criteria must be applied to determine the impact of a disruption. These loss criteria may include a loss in profits, revenue, reputation, customer confidence, an increase in operational expenses, a delay in income and possible agreement violations.

Responsibility
It is necessary for the contingency planning project team to assess the criticality of all the organizations business processes and to determine the impact and consequences of loss of service or a reduction in normal service levels. The contingency planning coordinator is responsible for developing the BIA. This person works closely with several individuals, especially security professionals, to establish priorities and other considerations for vital systems and applications. The contingency planning coordinator must develop and prioritize recovery strategies that personnel will implement during contingency plan activation. With the prioritization of recovery strategies, it will be possible to make informed, tailored decisions regarding resource allocations and expenditures.

The Objective
The primary objective of a BIA is to understand the impact of a threat on the businesswhich can be economical, operational or both. Questionnaires or survey tools are often used to collect this kind of information. Also, interviews with key individuals in the organization can be conducted to establish the criticality of enterprise systems and applications. A BIA is performed to specifically identify the areas

Sensitive Information
Every organization must prioritize critical systems

30 CERTIFICATION MAGAZINE May 2005

FINAL BIA REPORT

The BIA Report will include information in the following areas: BIA Process Control Summary Business Risk Assessment: Includes identification of key business processes, time-bands for business service interruption management, and financial and operational impact. Critical Systems and Applications Summary Emergency Incident Assessment: Includes BIA process control summary for emergency incident assessment, serious information security incidents, environmental disasters, organized or deliberate disruption, loss of utilities and services, equipment or system failure, and other emergency situations.

tion on the threats to normal service levels and the impact on profitability and continued viability. The BIA lists the key business areas and assesses the risks that could affect each of the business processes. Specific topics addressed in the BIA document include key business processes, established time-bands for business service interruption management, and financial and operational impact.

and applications involved in the processing of sensitive information. The systems and applications that process sensitive information flowing through the organization may be prioritized as:

Critical: Must be restored to maintain as close to

normal processing as possible. Maximum allowable downtime is measured in hours.

Essential: Will be restored as soon as resources

become available. Maximum allowable downtime is measured in days.

There are many potential disruptive threats that can occur at any time and affect normal business processes. The contingency planning team considers a wide range of potential threats, and the results of their deliberations are included in this section of the BIA document. Specific topics addressed in this section of the BIA document include serious information security incidents, environmental disasters, organized or deliberate disruption, loss of utilities and services, equipment or system failure, and other emergency situations.

Necessary:

Will be restored as soon as business returns to a normal processing environment. Data must be captured and saved for subsequent processing. the emergency.

Summary
The BIA is an essential step in developing the IT contingency plan. The contingency plan directly impacts the availability security principal. Security professionals must be involved and aware, and must influence the development of the BIA Report. This report provides the basis for the contingency plan document. By getting involved in the contingency planning process, security professionals can be more in tune with business-critical assets and the flow of sensitive information on the enterprise infrastructure. Excellent references for security professionals to learn more about this area are the National Institute of Standards and Technology (NIST) Special Publications document SP 800-34, Contingency Planning Guide for Information Technology Systems and the ISO 17799.

Desirable: Will be suspended for the duration of

Security professionals should take into consideration compliance legislation such as the Health Information Portability & Accountability Act (HIPAA) or Sarbanes-Oxley and go beyond these requirements to clearly identify all systems and applications that process confidential or otherwise sensitive or critical business information.

Process Control Summary

The BIA requires a review of all the possible serious situations that could disrupt the business operations and the potential impact of such events. This includes a review of key business processes and systems identification, business interruption analysis, emergency incident assessment, implement risk avoidance measures and an understanding of loss potential and vulnerabilities. The BIA enables an organization to create a contingency planning document that will contain informa-

Uday O. Ali Pabrai, Security+, CISSP, CHSS, chief executive of ecfirst.com, consults extensively in the areas of enterprise security and regulatory compliance (www.hipaaacademy .net). He is the author of the best-selling Getting Started With HIPAA and is the co-creator of the Security Certified Program. He can be reached at upabrai@certmag.com.

May 2005

CERTIFICATION MAGAZINE 33