the reason for it. A description of the technical alternatives is covered along,
with the recovery goals, in subsequent sections.
2.9 Chapter Summary
This chapter has attempted to help you learn about assessing the risk impact for potential emergencies. In assessing risk, we began by learning how to determine threats. A process called risk certification and accreditation was presented. We talked about the process of risk management, the role of the risk manager, and the process of risk assessments. The basic elements of the risk assessment process were discussed, along with a discussion of the various risk assessment models one may choose to use. The Emergency Incident Assessment (EIA) process was presented, and therein we explained the various types of environmental disasters one should plan for, such as tornado, hurricane, flood, severe winter storms, drought, earthquake, electrical storms, and fire. Organized or deliberate acts of destruction were another consideration we presented for the EIA. Such actions included acts of terrorism, acts of sabotage, acts of war, theft, arson, and labor disputes. Common items that also must be a part of your assessment include the loss of utilities or service, such as electrical power failure, loss of gas supply, loss of water supply, petroleum and oil shortage, communications services breakdown, and the loss of drainage/waste removal capabilities. We discussed facilities issues, such as system failures, internal power failures, air conditioning failures, production line failures, cooling plant failures, and equipment failures.

We presented many types of information security incidents that must also be factored into the assessment process. We talked about cybercrime, loss of records or data, disclosure of sensitive information, and coping with IT system failures. Other emergency situations we presented related to contamination and environmental hazards, epidemics, workplace violence, public transportation disruption, and neighborhood hazards. Non-emergency factors, such as health and safety regulations, employee morale, mergers and acquisitions, negative publicity, and legal problems, must also be considered as part of the incident assessment process.

Next, we moved from the EIA to cover business risk assessment, which consists of a multistaged process of performing asset characterization and developing a risk/benefit (likelihood) analysis statement and risk level matrix. We discussed the risk assessment report and how it should be formatted for your organization. In order to gather the necessary information for the assessment, it is necessary to perform a BIA, which requires you to