Continuity Planning and Risk Assessment

Enterprise Risk Management
- Business Continuity
- Legal
- Reputational
Continuity Plan
- Disaster Recovery Plan
- Business Recovery Plan
- Contingency Plan
Risk = Probability x Impact
Quantitative Risk Assessment
- AV = Asset Value (cost to replace)
- EF = Exposure Factor (% of AV)
- SLE = Single loss expectancy
  - SLE = AV x EF
- ARO = Annual rate of occurrence (how often does it happen)
- ALE = Annual Loss Expectancy (how much do we expect to lose)
  - ALE = SLE x ARO
Qualitative Risk Assessment
- Based on people’s opinions
- Ask people to estimate the risk using subjective statements such as Low, Medium, High
Business Impact Analysis
- MTTR – Mean time to repair
- MTBF – Mean Time Between failures
- MTD – Maximum Tolerable Downtime
- RTO – Recovery time objective
- WRT - Work time recovery
- Recovery point objective – Point in time of backup to restore to.
How do we handle risk?
- Avoidance – just get rid of the function
- Transference or sharing – insurance. Convert risk to money.
- Mitigation or remediation – reduce risk to an acceptable level
- Acceptance
Incident Impact
- High level identification of an incident
  - Category
  - Vector
- Scope based classification of an incident
  - Organization vs local
  - Anything critical?
  - Number of systems?
- How difficult is recovery?
- Immediate vs total impact
Risk Assessments
- System characteristics
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood
- Impact analysis
- Control recommendations
- Documentation
- Objectives: always security for assets (people first)
  - Minimize loss
  - Avoid it happening again
  - Increase stability
  - Avoid liability
- Planning
  - IR team
  - BIA to assess risk
  - Create procedures, communicate them
  - Test the procedures

PreviousSecurity Policies and Procedures NextIncident Response Phases and Communication

Last updated 2 years ago

Continuity Planning and Risk Assessment

Enterprise Risk Management
- Business Continuity
- Legal
- Reputational
Continuity Plan
- Disaster Recovery Plan
- Business Recovery Plan
- Contingency Plan
Risk = Probability x Impact
Quantitative Risk Assessment
- AV = Asset Value (cost to replace)
- EF = Exposure Factor (% of AV)
- SLE = Single loss expectancy
  - SLE = AV x EF
- ARO = Annual rate of occurrence (how often does it happen)
- ALE = Annual Loss Expectancy (how much do we expect to lose)
  - ALE = SLE x ARO
Qualitative Risk Assessment
- Based on people’s opinions
- Ask people to estimate the risk using subjective statements such as Low, Medium, High
Business Impact Analysis
- MTTR – Mean time to repair
- MTBF – Mean Time Between failures
- MTD – Maximum Tolerable Downtime
- RTO – Recovery time objective
- WRT - Work time recovery
- Recovery point objective – Point in time of backup to restore to.
How do we handle risk?
- Avoidance – just get rid of the function
- Transference or sharing – insurance. Convert risk to money.
- Mitigation or remediation – reduce risk to an acceptable level
- Acceptance
Incident Impact
- High level identification of an incident
  - Category
  - Vector
- Scope based classification of an incident
  - Organization vs local
  - Anything critical?
  - Number of systems?
- How difficult is recovery?
- Immediate vs total impact
Risk Assessments
- System characteristics
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood
- Impact analysis
- Control recommendations
- Documentation
- Objectives: always security for assets (people first)
  - Minimize loss
  - Avoid it happening again
  - Increase stability
  - Avoid liability
- Planning
  - IR team
  - BIA to assess risk
  - Create procedures, communicate them
  - Test the procedures

PreviousSecurity Policies and Procedures NextIncident Response Phases and Communication

Last updated 2 years ago