Chapter 2
2.6 Business Risk Assessment
A key part of the BCP process is the assessment of the potential risks to the business that could result from disasters or emergency situations. This section will examine the possibility of serious situations disrupting the business operations and the potential impact of such events. Risk assessment is the exercise of identifying and analyzing the potential vulnerabilities and threats. It is necessary to consider all the types of possible incidents and the impact each may have on the organization's ability to deliver its normal business services. The sources of risks could be community-wide hazardous events, accidents, or sabotage, causing extreme material disaster, security threats, network and communication failures, or disastrous application errors. Each of these areas should be examined in the light of the business, and the exact possible source located.
2.6.1 Asset Characterization
For each source identified, the magnitude of the risk and the probability of its occurrence must be evaluated to judge the extent of risk exposure. Risk exposure is the easiest way to know how much attention needs to be paid to a source of risk. Planning is done for both prevention and control. Accidents and sabotage can be prevented using measures of physical security and personnel practices. Vulnerability assessment and reviews of existing security measures can expose areas where access control, software and data security, or backups are required. Application errors can be prevented by effective reviews and testing during the software releases. Whenever you conduct the risk assessment, you must first collect system-related information, which is usually classified as follows:
- Hardware, software, and system interfaces (e.g., internal/external connectivity)
- Data and information
- Persons who support and use the asset
- Mission (e.g., the processes performed)
- Criticality (e.g., the value or importance to an organization)
- Sensitivity
Additional information could include functional requirements of an asset, key users, security policies governing the asset (organizational policies, federal requirements, laws, industry practices), security architectures, network topology, information storage protection safeguards, technical controls (e.g., built-in or add-on security products that support identification and authentication; discretionary or mandatory access control; audit; residual information protection; and encryption methods), management controls (e.g., rules of behavior, security planning), and operational controls (e.g., personnel security, backup, contingency, and resumption and recovery operations; system maintenance; offsite storage; user account establishment and deletion procedures; and controls for segregation of user functions, such as privileged user access versus standard user access). It is important to include the physical security environment in this process (e.g., facility security, data center policies) and the environmental security environment (e.g., controls for humidity, water, power, pollution, temperature, and chemicals).
For an asset that is in the initiation or design phase, information can be derived from the design or requirements documents. For an IT system under development, it is necessary to define key security rules and attributes planned for the future IT system. System design documents and the system security plan can provide useful information about the security of an IT system that is in development. For an operational IT system, data is collected about the IT system in its production environment, including data on system configuration, connectivity, and documented and undocumented procedures and practices. Therefore, the system description can be based on the security provided by the underlying infrastructure or on future security plans for the IT system.
2.6.2 Risk Benefit (Likelihood) Analysis Statement
The end result of the risk assessment should be a risk-benefit analysis (or likelihood) statement giving the exact threats and the estimated exposure, together with the contingency and mitigation actions required, and also the benefits arising out of covering the risk. This statement should also delineate any assumptions or constraints that exist. To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
- Threat-source motivation and capability
- Nature of the vulnerability
- Existence and effectiveness of current controls
