Continuity Planning and Risk Assessment

Enterprise Risk Management

• Business Continuity

• Legal

• Reputational

Continuity Plan

• Disaster Recovery Plan

• Business Recovery Plan

• Contingency Plan

Risk = Probability x Impact

Quantitative Risk Assessment

• AV = Asset Value (cost to replace)

• EF = Exposure Factor (% of AV)

• SLE = Single loss expectancy

  • SLE = AV x EF

• ARO = Annual rate of occurrence (how often does it happen)

• ALE = Annual Loss Expectancy (how much do we expect to lose)

  • ALE = SLE x ARO

Qualitative Risk Assessment

• Based on people’s opinions

• Ask people to estimate the risk using subjective statements such as Low, Medium, High

Business Impact Analysis

• MTTR – Mean time to repair

• MTBF – Mean Time Between failures

• MTD – Maximum Tolerable Downtime

• RTO – Recovery time objective

• WRT - Work time recovery

• Recovery point objective – Point in time of backup to restore to.

How do we handle risk?

• Avoidance – just get rid of the function

• Transference or sharing – insurance. Convert risk to money.

• Mitigation or remediation – reduce risk to an acceptable level

• Acceptance

Incident Impact

• High level identification of an incident

  • Category

  • Vector

• Scope based classification of an incident

  • Organization vs local

  • Anything critical?

  • Number of systems?

• How difficult is recovery?

• Immediate vs total impact

Risk Assessments

• System characteristics

• Threat identification

• Vulnerability identification

• Control analysis

• Likelihood

• Impact analysis

• Control recommendations

• Documentation

• Objectives: always security for assets (people first)

  • Minimize loss

  • Avoid it happening again

  • Increase stability

  • Avoid liability

• Planning

  • IR team

  • BIA to assess risk

  • Create procedures, communicate them

  • Test the procedures