Time
10 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:05
So what is impact analysis? It's basically identifying and characterizing the impact of any business function and supporting system
00:13
involved
00:14
in a business function that's critical to your organization.
00:18
Now some of the documents that cover
00:21
impact analysis in more depth are actually kind of split
00:25
across the federal space. Um, one of them, NIST 800-30, is specifically tailored to risk management, and the other one, NIST 800-61, is specifically tailored to incident management.
00:37
Impact analysis occurs both before and after incidents are discovered, so it has feet both in risk management and in the carrying out of incident management.
00:50
So, impact analysis and risk management: as I said before, NIST 800-30
00:57
spells out part of why impact analysis involves such a heavy preparation phase.
01:02
Um,
01:03
so in risk management,
01:06
part of what you look for in determining risk
01:10
is both likelihood of an incident of a particular incident that is
01:15
occurring on a particular organizational function
01:18
as well as its impact. So you look for likelihood times impact equals risk.
01:25
So part of the preparation
01:27
in determining what risk your organization is dealing with
01:33
is conducting a
01:34
preparatory impact analysis. Assessment is the first step in impact analysis: the preparation to conduct the impact analysis.
01:44
Second is the actual conduction of impact analysis itself. This happens when incidents are taking place or when impact is occurring on your organization. After you measure that potential impact, the next step is measuring the impact of individual incidents or groups of incidents as they're occurring or after they've occurred.
02:04
So NIST 800-61 specifically references this: prioritizing the handling of the incident is perhaps the most important critical decision point in the incident handling process.
02:14
Um,
02:15
the
02:15
impact analysis section of incident handling
02:20
basically lets you triage incidents
02:22
in a way that
02:24
brings it up in sophistication from simply being a first-in, first-out way of handling incidents. You wanna handle incidents in the order in which they
02:35
are most impactful to your organization, like whatever your critical functions are
02:39
and whatever is impacting them. You wanna handle those incidents first.
02:46
So we kind of gave a little intro to this, but now we're gonna talk a little bit more about how to prepare to conduct impact analysis on your organization and its organizational functions.
03:00
How do you determine impact?
03:01
First, you need to know the potential impact of failure or degradation to constituents, assets or lines of business. This can include anything from an organizational function's degradation or its complete failure.
03:15
You have to understand an organization's baseline functionality to perform good impact analyses of other situations.
03:23
So if you
03:23
if your organization doesn't really understand its function or what it does,
03:29
you won't really have a good understanding of how an incident is impacting your organization.
03:35
When should your organization conduct
03:38
an impact analysis? Ideally,
03:40
this happens
03:43
before an incident actually starts.
03:46
You start the preparation phase and start cataloguing your functions
03:50
and looking at
03:52
what
03:53
impacts could potentially, uh,
03:55
work against them.
03:58
So the more you know about your functions, your assets, the quicker your CSIRT can conduct impact analysis once these do occur.
04:04
It is really critical to take that inventory
04:08
beforehand so that,
04:10
uh,
04:12
your incident analysis process isn't just overwhelmed with trying to figure out
04:17
what the impact is to organization
04:20
during an incident when,
04:23
frankly, resources are more scarce than they are during downtime.
04:29
Planning is valuable, Um,
04:31
but incidents will occur that require you to alter existing plans or create new plans.
04:36
Consider some things: when your CSIRT encounters a situation for which you have no plan, how do you respond?
04:44
Kind of, it's the idea of planning for not having a plan. Do you have
04:48
ideas for how to build plans on the fly?
04:51
Um,
04:54
during your preparation phase, do you have notification, you need to make a list of notification requirements.
05:00
Do you have, uh,
05:02
a way to alter those requirements on the fly? Can you,
05:06
um,
05:09
easily like this may sound trivial, but
05:12
with the way your information is set up, can you easily bring a contact list together in order to notify a constituent about the impact of an incident?
05:23
Can you get in touch with your constituent quickly to determine a course of action?
05:27
Part of the preparation phase might be planning for
05:30
a potential impact to a function
05:33
and putting a contact list together for each individual function and
05:39
making sure that those lists exist in the same spot and are accessible to everybody on your incident management team or any other constituent that might have a need to have access to it.
05:53
Um, finally, a plan, like we said before, for not having a plan: plan to be able to,
05:59
um,
06:00
document things on the fly
06:02
to determine impact on the fly.
06:05
Really take the time to
06:09
learn how your organization works and learn how your impact preparation
06:15
works, so that when you need to do it quickly, you can.
06:20
Some considerations for each process. Ask these, um,
06:26
What dependencies exist for services and functions? When you're conducting impact analysis,
06:31
you might be looking at a particular organizational function
06:34
and ignoring dependencies that exist below it, that will, if impacted themselves, degrade the performance of that particular organization function.
06:47
Um, it's important to have
06:49
an idea of what dependencies exist in your organization, have it mapped out and ready as part of your plan.
06:57
In addition to having a dependency chart, you need to understand,
07:02
assuming a function is impacted, how long can your constituents deal without that particular function?
07:11
So
07:12
part of impact analysis is not only determining
07:15
how
07:16
it will impact your constituents, but how long you can do without something, if you can. If a process is particularly critical, it may be important no matter what to keep it online, even in a degraded fashion.
07:30
If it's not particularly important, or if it's more important to get it back to full functionality,
07:36
it may be best to leave a process, bring a process offline, and you need to have a record
07:42
on hand about how long a particular constituent can deal
07:46
with an incident while that process is offline.
07:50
So some considerations
07:54
a lot of, ah, healthcare providers, for instance, have processes that, if taken offline,
08:01
are life threatening. So how do you deal
08:03
with impact to systems that, if taken offline,
08:09
might actually pose a threat or pose a physical harm to your employees or to your constituents?
08:16
And finally, does your organization have a legal requirement to function at a certain level?
08:22
Certain places are legally mandated to meet a certain level of service. You always have to be able to provide information to constituents in some areas,
08:33
so maintaining that minimum level of service
08:37
might be your absolute,
08:39
um,
08:41
absolute top line requirement.
08:43
So how do you maintain even a degraded form of service,
08:46
no matter what,
08:48
when you're dealing with an incident?
