Handbook of Information Security Management:Risk Management and Business Continuity Planning



Risk Assessment

Risk assessment is a decision process that weighs the cost of implementing preventive measures against the risk of loss from not implementing them. There are many qualitative and quantitative approaches to risk analysis. Typically, two major cost factors arise in the systems environment: the first is the loss incurred when business operations cease because of system downtime, and the second is the cost of replacing the equipment and the information it holds.

The potential for significant revenue loss when systems are down for an extended period is readily understood in today’s business environment, because most businesses rely on systems for the greater part of their information needs. However, the cost of replacing systems and information after a catastrophic loss is often grossly underrated. Major organizations, when queried on insurance coverage for systems, give some surprising answers. Typically, organizations have coverage for mainframes and midrange systems and for the software for those environments. The workstations and the network servers, however, are often deemed not valuable enough to insure. Coverage for the information itself is usually neglected as well, despite the fact that the major replacement cost for a company in crisis is the re-creation of its information base.

Notably, the personal computer, regardless of how it is configured or networked, is usually perceived as a standalone unit from the risk assessment point of view. Even companies that have retired their mainframes and embraced an extensive client/server architecture, and that fully comprehend the impact of losing the use of that architecture, erroneously take the replacement cost of the individual unit, rather than that of the distributed system it belongs to, as the basis of risk.

Risk assessment is the control point of the recovery planning process. The amount of exposure a company believes it has, or is willing to accept, determines how much effort the company will expend on this process. Simply put, a company with no plan is fully exposed to catastrophic loss. Companies developing plans must approach risk assumption by identifying their worst-case scenario and then deciding how much they will spend to offset that scenario through mitigation, contingency plans, and training. Risk assessment is the phase in which the company’s management perspective is formulated, which in turn supports the goal of developing and maintaining a companywide contingency plan.
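As an added illustration of the cost-benefit weighing described in this section (this code is not part of the handbook), the following Python model computes an annualized loss expectancy, single loss expectancy multiplied by annual rate of occurrence, which is one common quantitative approach the chapter alludes to but does not spell out. The assets, threats, safeguard and every figure are constructed assumptions. The same safeguard (rotated off-site backups plus a hot site) is evaluated once against a single workstation viewed as a standalone unit and once against the distributed system it belongs to, which is the scoping error the previous paragraph warns about.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    hardware_cost: float           # replacing the equipment and licensed software
    information_cost: float        # re-creating the information held on it
    downtime_cost_per_hour: float  # revenue and productivity lost while it is unavailable


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float             # expected occurrences per year (ARO)
    outage_hours: float            # hours of lost operation per occurrence, with no safeguard
    destroys_hardware: bool
    destroys_information: bool


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    outage_hours_cap: float        # e.g. a hot site restores service within this many hours
    information_recoverable: bool  # e.g. rotated off-site backups avoid re-creating information


def single_loss(assets, threat, safeguard=None):
    """Single loss expectancy (SLE): cost of one occurrence of the threat."""
    hours = threat.outage_hours
    if safeguard is not None:
        hours = min(hours, safeguard.outage_hours_cap)
    downtime = sum(a.downtime_cost_per_hour for a in assets) * hours
    hardware = sum(a.hardware_cost for a in assets) if threat.destroys_hardware else 0.0
    lose_info = threat.destroys_information and not (safeguard and safeguard.information_recoverable)
    information = sum(a.information_cost for a in assets) if lose_info else 0.0
    return downtime + hardware + information


def annualized_loss(assets, threats, safeguard=None):
    """Annualized loss expectancy (ALE) summed over all threats: sum of ARO * SLE."""
    return sum(t.annual_rate * single_loss(assets, t, safeguard) for t in threats)


def net_benefit(assets, threats, safeguard):
    """Positive when the safeguard's annual cost is less than the annual loss it avoids."""
    before = annualized_loss(assets, threats)
    after = annualized_loss(assets, threats, safeguard)
    return before - after - safeguard.annual_cost


# Constructed figures (assumptions for illustration, not data from the handbook).
SYSTEM_VIEW = [
    Asset("accounting server", hardware_cost=30_000, information_cost=250_000, downtime_cost_per_hour=2_000),
    Asset("40 workstations", hardware_cost=80_000, information_cost=40_000, downtime_cost_per_hour=1_500),
]
UNIT_VIEW = [Asset("one workstation", hardware_cost=2_000, information_cost=1_000, downtime_cost_per_hour=40)]

THREATS = [
    Threat("building fire", annual_rate=0.02, outage_hours=480, destroys_hardware=True, destroys_information=True),
    Threat("equipment theft", annual_rate=0.1, outage_hours=72, destroys_hardware=True, destroys_information=True),
    Threat("extended power outage", annual_rate=1.0, outage_hours=8, destroys_hardware=False, destroys_information=False),
]

SAFEGUARD = Safeguard("off-site backup rotation plus hot site", annual_cost=40_000,
                      outage_hours_cap=48, information_recoverable=True)


if __name__ == "__main__":
    for label, assets in (("distributed system", SYSTEM_VIEW), ("standalone unit", UNIT_VIEW)):
        print(f"{label}: ALE before {annualized_loss(assets, THREATS):,.0f}, "
              f"after {annualized_loss(assets, THREATS, SAFEGUARD):,.0f}, "
              f"net benefit of safeguard {net_benefit(assets, THREATS, SAFEGUARD):,.0f}")
```

With these assumed figures the safeguard shows a clear net benefit when the whole distributed system, including the cost of re-creating its information, is in scope, and a large net loss when only the single workstation's replacement cost is counted. The numbers are illustrative; the point is that the scope of the asset inventory, not the arithmetic, decides the outcome.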

Mitigation

The primary objectives of mitigation are to lessen risk exposures and to minimize possible losses. History provides several lessons in this area. For example, since the underground floods of 1992, companies in Chicago think twice before installing data centers in the basements of buildings. Bracing key computer equipment and office furniture has become popular in California because of potential injuries to personnel and the threat of loss of assets from earthquakes. Forward-thinking companies in the South and southern Atlantic states are installing systems far from the exterior of buildings because of the potential damage from hurricanes.

Although it is a simple exercise to make a backup copy of key data and systems, enforcing that exercise in a distributed systems environment is difficult. As systems have been distributed and the end user empowered, the regimen of daily or periodic backups has suffered. In other words, the end user has been given the tools but has neither been educated about, nor held responsible for, the security measures those tools require. One company, a leader in the optical disk-drive market, performs daily backups of its accounting and manufacturing systems to optical disk (using its own product), but never rotates the media and has never considered storing the backup off-site. Any event affecting the hardware (e.g., fire, theft, or earthquake) could therefore destroy both the sole backup and the means of business recovery for this premier company. Mitigation efforts must counter such oversights.
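The oversights just described (backups that stop on distributed endpoints, media that are never rotated, and no off-site copy) are the kind a periodic audit of backup job records can catch. The following Python audit is an added example, not code from the handbook; the record format, the policy thresholds and the job log lines are all constructed assumptions. The `acct-srv` records mirror the optical-disk company above: a backup every night, always to the same medium, never off-site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed job records (assumed format): host,timestamp,media_id,location,status
BACKUP_LOG = """\
acct-srv,2024-03-01T22:00:00,OPT-0001,onsite,ok
acct-srv,2024-03-02T22:00:00,OPT-0001,onsite,ok
acct-srv,2024-03-03T22:00:00,OPT-0001,onsite,ok
mfg-srv,2024-03-01T23:00:00,OPT-0002,onsite,ok
mfg-srv,2024-03-02T23:00:00,OPT-0003,onsite,ok
mfg-srv,2024-03-03T23:00:00,OPT-0002,onsite,ok
mfg-srv,2024-03-03T23:30:00,OPT-0009,offsite,ok
ws-finance-12,2024-01-15T18:00:00,OPT-0004,onsite,ok
ws-finance-12,2024-03-03T18:00:00,OPT-0004,onsite,failed
"""

# Assumed policy thresholds.
MAX_BACKUP_AGE = timedelta(days=2)       # a successful backup must be at least this fresh
ROTATION_WINDOW = timedelta(days=7)      # look back this far when checking media rotation
MIN_DISTINCT_MEDIA = 2                   # fewer distinct media in the window means no rotation
AUDIT_TIME = datetime(2024, 3, 4, 8, 0)  # fixed "now" so the example is reproducible


def parse_log(text):
    """Turn the CSV-style job records into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, stamp, media, location, status = line.split(",")
        records.append({"host": host, "time": datetime.fromisoformat(stamp),
                        "media": media, "location": location, "status": status})
    return records


def audit(records, now):
    """Return {host: [problem, ...]}; an empty list means the host passed."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)

    findings = {}
    for host, recs in sorted(by_host.items()):
        problems = []
        ok = [r for r in recs if r["status"] == "ok"]  # failed jobs do not count as backups
        if not ok:
            problems.append("no successful backup on record")
        else:
            latest = max(r["time"] for r in ok)
            if now - latest > MAX_BACKUP_AGE:
                problems.append(f"last successful backup {(now - latest).days} days ago")
            recent = [r for r in ok if now - r["time"] <= ROTATION_WINDOW]
            media = {r["media"] for r in recent}
            if recent and len(media) < MIN_DISTINCT_MEDIA:
                problems.append("media never rotated: all recent backups on " + ", ".join(sorted(media)))
            if not any(r["location"] == "offsite" for r in ok):
                problems.append("no off-site copy")
        findings[host] = problems
    return findings


def run_audit():
    """Audit the constructed log at the fixed audit time."""
    return audit(parse_log(BACKUP_LOG), AUDIT_TIME)


if __name__ == "__main__":
    for host, problems in run_audit().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Note that a failed job is deliberately not counted as a backup, and a single off-site copy from months ago still satisfies the off-site check in this simple version; a stricter audit would also require the off-site copy to be within the freshness window.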

Preparation

The preparation phase of the disaster planning process delineates what specific actions must be taken should a disaster occur. Based on an understanding of plausible threats, planners must determine who will take what action if a disaster occurs. Alternates should be identified for key staff members who may be injured as a result of the event. A location for temporary operations should be established in case the company’s building is inaccessible after a disaster, and the equipment, supplies, and company records that will be required at this site should be identified. Preparation may include establishing a hot site for systems and telecommunications. Off-hours or emergency telephone numbers should be kept for all vendors and service providers that may need to be contacted. Moreover, the contingency plans must be clearly documented and communicated to all personnel.

Testing

The testing phase proves the viability of the planning efforts. The recovery planner must determine, during testing, whether there are invalid assumptions and inadequate solutions in the company’s plan. It is important to remember that organizations are not static and that an ever-changing business environment requires a reasonable frequency of testing. Recovery planners must repeat this phase of the plan until they are comfortable with the results and sure that the plan will work in a time of crisis.

Response and Recovery

This final phase of the contingency plan is one that organizations hope never to have to employ. Preparing for actual response and recovery includes identifying individuals and training them to take part in emergency response in terms of assessment of damage, cleanup, restoration, alternate site start-up, emergency operations duties, and any other activities that managing the crisis might demand.

Every phase of the planning process prior to this one is based on normalcy: the planning effort addresses what is perceived to be plausible, and responses to those plausible crises are developed under calm, rational conditions. Dealing with a catastrophic crisis, however, is not a normal part of an employee’s work day, so the recovery team must be tested under more realistic conditions to gauge how it will perform under stress and where lapses in response might occur. Ideally, recovery planners should stage tests that involve role playing to give team members a sense of what they may face in a time of crisis.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest versions cover; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.