SECURITY
Identifying critical business functions. Identifying critical computer resources that support key business functions.
Responsibility
It is necessary for the contingency planning project team to assess the criticality of all the organization's business processes and to determine the impact and consequences of loss of service or a reduction in normal service levels. The contingency planning coordinator is responsible for developing the BIA. This person works closely with several individuals, especially security professionals, to establish priorities and other considerations for vital systems and applications. The contingency planning coordinator must develop and prioritize recovery strategies that personnel will implement during contingency plan activation. With the prioritization of recovery strategies, it will be possible to make informed, tailored decisions regarding resource allocations and expenditures.
The Objective
The primary objective of a BIA is to understand the impact of a threat on the business, which can be economic, operational or both. Questionnaires or survey tools are often used to collect this kind of information. Also, interviews with key individuals in the organization can be conducted to establish the criticality of enterprise systems and applications. A BIA is performed to specifically identify the areas
tion on the threats to normal service levels and the impact on profitability and continued viability. The BIA lists the key business areas and assesses the risks that could affect each of the business processes. Specific topics addressed in the BIA document include key business processes, established time-bands for business service interruption management, and financial and operational impact.
There are many potential disruptive threats that can occur at any time and affect normal business processes. The contingency planning team considers a wide range of potential threats, and the results of their deliberations are included in this section of the BIA document. Specific topics addressed in this section of the BIA document include serious information security incidents, environmental disasters, organized or deliberate disruption, loss of utilities and services, equipment or system failure, and other emergency situations.
Sensitive Information
Every organization must prioritize critical systems and applications involved in the processing of sensitive information. The systems and applications that process sensitive information flowing through the organization may be prioritized as:
Necessary:
Will be restored as soon as business returns to a normal processing environment. Data must be captured and saved for subsequent processing. the emergency.
Summary
The BIA is an essential step in developing the IT contingency plan. The contingency plan directly impacts the availability security principle. Security professionals must be involved and aware, and must influence the development of the BIA Report. This report provides the basis for the contingency plan document. By getting involved in the contingency planning process, security professionals can be more in tune with business-critical assets and the flow of sensitive information on the enterprise infrastructure. Excellent references for security professionals to learn more about this area are the National Institute of Standards and Technology (NIST) Special Publication SP 800-34, Contingency Planning Guide for Information Technology Systems, and ISO 17799.
Uday O. Ali Pabrai, Security+, CISSP, CHSS, chief executive of ecfirst.com, consults extensively in the areas of enterprise security and regulatory compliance (www.hipaaacademy.net). He is the author of the best-selling Getting Started With HIPAA and is the co-creator of the Security Certified Program. He can be reached at upabrai@certmag.com.
May 2005
CERTIFICATION MAGAZINE 33