Business Impact Analysis

Difficulty
Intermediate
Video Transcription
Now, we're going to talk about Business Impact Analysis. In this lesson, we're going to talk about the importance of business impact analysis, the process of business impact analysis, and really the required components for doing an effective business impact analysis.

What is business impact analysis? This really is a cornerstone process for establishing effective security in the cloud. We talked about that the only way to really justify going into the cloud is doing cost-benefit analysis to see that the benefits that are coming from utilizing cloud services or a cloud deployment really make sense for an organization and what it's trying to achieve. Well, the business impact analysis really ensures that security is well set up to properly defend the assets that are being deployed in the cloud.

The first part of business impact analysis is to establish the existing state. What are you currently doing? What currently exists in your environment, and what are you trying to replicate or duplicate in the cloud? There are a number of different things you can do to establish the existing state. One is you want to gather up all the network diagrams or artifacts that describe the processes that are involved in the existing state of your organization. Two, you want to really interview people who are involved in running these pieces or maintaining these pieces that are critical to the existing state. You'll really understand and get a greater depth of understanding of what is really required in the existing state. You want to collect network traffic to know what your baseline is for the traffic that's expected in this existing state, and that will also benchmark what you should expect when examining the network traffic when moving to the cloud. Another really critical step here is doing an asset inventory, understanding all the pieces that are involved in the existing state from an infrastructure perspective: the databases, the applications, the servers, authentication servers, load balancers, everything in terms of the assets that are required for the architecture of the system, as well as the information assets. What information is really going into each of these components of the existing state? Another important thing to understand in terms of the existing state is what regulations apply to your business. What laws do you have to adhere to? What are you currently doing to ensure that compliance is maintained? Then you also want to see what level of insurance your organization has to protect and maintain their existing business operations. This helps you understand, from a risk perspective, what things are covered or have been transferred, to use the proper terminology, to this third party, meaning the insurance company.

Once you've really understood this whole universe of the existing state of your organization, then you can really determine the criticality. Which assets are the most important, most essential, the crown jewels, if you will, of your organization? That is really important from a security perspective because those are the elements that deserve the most protection. You really want to spend the most time ensuring that they are properly secured, that there's effective governance over those information assets, and that there's also that defense-in-depth quality to how the controls are set up to maintain the protection.

Now that we know what's the most important thing, we also want to figure out what is the organization's risk appetite. We've discussed what risk is in prior lessons: that risk is really the likelihood that a threat will seize upon a vulnerability and the damage we'd realize. Now, one really important thing about risk: you can never eliminate risk completely. You can't just eliminate risks. You really have to examine the risk, compare it to the business value that the opportunity presents, and figure out how your organization wants to respond. Would taking on this opportunity potentially ruin the business if something went wrong? That's a risk you probably are going to take. That's outside of what's referred to as the organization's risk appetite, ensuring that something is not nicely [inaudible] to the highest standard possible. Well, if the asset isn't worth as much as the highest standard or the operational burden of maintaining that control, then you'd say, "Well, that control is overkill really to where risk appetite is, and we really think that lower control is appropriate."

There are only four ways to really respond to risks. You can avoid something. In the example of just saying, "Well, that's not in our risk appetite. We're not going to pursue that," that's an example of avoidance. Accepting a risk is saying, "Well, we know there's a possibility that this could happen, but we think the impact will really be low. We think we have controls in place that are enough to handle that, so we're going to accept this risk." Transfer: we've already alluded to this by talking about the amount of insurance that a company has. Many companies now have cyber security breach insurance, which handles sometimes the negotiation in instances where ransomware occurs, but you're transferring the cost of the risks through your premiums that you're paying to the insurance company. Mitigate: although you can put controls in place, all these controls, they decrease the likelihood of the risk or the potential impact of the risk. But they just lower the impact or likelihood of the risk to an acceptable threshold within the organization's risk appetite. Remember, you can't completely eliminate risks. The possibility of things is always going to happen.

Let's reflect on a few things. Does your organization have an asset inventory? This is really important because in order to effectively secure anything, or run a business for that matter, you've got to understand what you have, potentially the things on hand that are being properly protected or maybe aren't being utilized to their full extent to get the most business value out of them. What is the most critical asset in your organization? This seems simplistic, but it is really important from a security and operational perspective. If you don't really know the answer to this question, how effectively are you securing your organization if you don't know the top items that are really the most critical that keep your business functioning? Because that really should be the focus of your security efforts. How are risks identified, evaluated, and monitored? Many organizations talk about risk, but when it comes to the granular nitty-gritty, there are sometimes gaps when it comes to figuring out what risks are, educating stakeholders on how to even identify risks, and then ensuring that the risks are truly within the appetite. Defining the appetite itself can be difficult for some organizations. But as security professionals, we really need to ensure that we know what the most important things are, how they're evaluated, and how we're going to monitor them.

In summary, we talked about the importance of business impact assessment. It really establishes the most critical assets and functions within an organization, and thus those that require the most focus from a security perspective. We talked about the business impact analysis process: understand the existing state, figuring out what those critical assets are, figuring out the risks that are associated with them, and how to reduce them within the acceptable range from the organization's risk appetite. I'll see you in the next lesson.