The overall objective of the BIA is to identify the impact of outages. More specifically, the goal is to identify the critical functions that can affect the organization. After identifying these, you can identify the critical resources that support these functions.
Each resource has a MAO and an impact if it fails. The ultimate goal is to identify the recovery requirements. Figure 12-3 shows these overall steps. You gather input from process owners and experts. This helps you identify the CBFs. You then identify the critical resources that support the critical business functions. You then identify the impact and MAO of the resources. The MAO is used to determine the recovery requirements.
An indirect objective of the BIA is to justify funding. After you’ve identified the recovery requirements in the BIA, the BCP will identify controls. If the impact of an outage is high, it is cost-effective to spend money on controls that prevent the outage.
Identify Critical Business Functions
Unless you own the process, it’s not always apparent what the critical functions are. For example, if you are the security expert, you may not know the critical functions of a Web site. The Web server is the obvious component, but there are others.
By interviewing or surveying the experts, you can gain insight into all the components that support the Web server. It’s often worthwhile to use this data to identify the specific steps for the process. For example, the following bullets detail the steps for a customer’s online purchase. It also includes the steps after the purchase.
- The customer visits the Web site—The customer uses any Web browser to access the Web site. The Web site is hosted on a Web server located in the demilitarized zone (DMZ). A firewall provides access to the Web site with a layer of security.
- The customer browses the product catalog—Users can search for specific products. The Web site sends queries to a back-end database. The database server is on the internal network behind a second firewall. The database results are included in a Web page that is sent back to the customer.
- The customer picks a product—While browsing, the customer can place any product into his or her shopping cart.
- The customer checks out—When the customer is ready to purchase the product, he or she clicks the Checkout button. This starts a secure session. Previous customers can log on to access previously used information, such as their address and credit card numbers. This information is stored on a back-end database server behind the second firewall. New customers are prompted to enter their customer data. This data is then stored on the back-end database server. After the order is completed, the customer is sent an acknowledgement e-mail.
- A message is sent to the order processing application—The database server sends a message to the order processing application. A different server in the internal network hosts the order processing application.
- Order is processed—The order processing application tracks the order until the customer receives it. If inventory levels are low, it will automatically order products to replenish the stock. It sends the customer’s order to a warehouse application for shipping. It also accepts status data from the warehouse application. If a shipment is delayed, it sends a notification to the customer. When the order is shipped, it sends a follow-up e-mail to the customer. It tracks the shipment with the carrier to ensure the order is successfully delivered.
In this example, the critical business functions are:
- The customer accessing the Web site
- The Web server accessing the database server
- The order-processing application receiving and processing the order
With this information, you can identify the critical resources.
Identify Critical Resources
The critical resources are those that are required to support the CBFs. Once you’ve identified the CBFs, you can analyze them to determine the critical resources for each.
Following the example of the Web site, you can see how to identify critical resources from the CBFs. One of the CBFs identified earlier was the customer accessing the Web site. The following IT resources are required to support this function:
- Internet access
- The Web server
- The Web application
- Network connectivity
- The firewall on the Internet side of the DMZ
The second CBF is the Web server’s ability to access the database server. The database server hosts product information. It also hosts customer information. The customer information is used when a customer makes a purchase and to target advertising for the returning customer. The following IT resources are required to support this function:
- The Web server
- The Web application
- The database server
- Network connectivity
- The firewall on the internal side of the DMZ
The third critical function is the order processing application. It needs to receive orders from the database server. It also needs to be able to track the order until delivery. The following IT resources are required to support this function:
- The server hosting the order processing application
- The database server
- Warehouse application
- Network connectivity
- Internet access
In many instances, there will be overlap in the critical resources. In other words, a critical resource required for one function may also be required for another function. For example, the Web server is required for two of the functions.
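As an added example that is not from the book: a small Python model of the three CBFs and the resources listed above. It inverts the CBF-to-resource mapping to find the overlap the text describes, and derives each resource's MAO from the MAO of the functions that depend on it, which is the step that feeds the recovery requirements. The MAO hours per CBF are constructed, assumed values; the page gives no numbers.

```python
from collections import defaultdict

# CBF -> supporting IT resources, as listed on the page.
CBF_RESOURCES = {
    "customer accesses Web site": {
        "Internet access", "Web server", "Web application",
        "Network connectivity", "Firewall (Internet side of DMZ)",
    },
    "Web server accesses database server": {
        "Web server", "Web application", "Database server",
        "Network connectivity", "Firewall (internal side of DMZ)",
    },
    "order-processing application processes order": {
        "Order-processing server", "Database server", "Warehouse application",
        "Network connectivity", "Internet access",
    },
}

# Constructed MAO per CBF in hours (assumed for illustration). In a real BIA
# these come from interviews with the process owners.
CBF_MAO_HOURS = {
    "customer accesses Web site": 4,
    "Web server accesses database server": 4,
    "order-processing application processes order": 24,
}

def resources_to_cbfs(cbf_resources):
    """Invert the mapping: resource -> set of CBFs that depend on it."""
    index = defaultdict(set)
    for cbf, resources in cbf_resources.items():
        for resource in resources:
            index[resource].add(cbf)
    return dict(index)

def shared_resources(cbf_resources):
    """Resources that support more than one CBF (the overlap in the text)."""
    return {r for r, cbfs in resources_to_cbfs(cbf_resources).items() if len(cbfs) > 1}

def resource_mao(cbf_resources, cbf_mao):
    """A resource inherits the tightest MAO of any CBF that depends on it:
    it must be recovered before the most time-sensitive function fails."""
    return {r: min(cbf_mao[c] for c in cbfs)
            for r, cbfs in resources_to_cbfs(cbf_resources).items()}

def recovery_priority(cbf_resources, cbf_mao):
    """Order resources for recovery planning: shortest MAO first, then the
    resources that support the most CBFs, then by name for stable output."""
    index = resources_to_cbfs(cbf_resources)
    mao = resource_mao(cbf_resources, cbf_mao)
    return sorted(index, key=lambda r: (mao[r], -len(index[r]), r))

if __name__ == "__main__":
    mao = resource_mao(CBF_RESOURCES, CBF_MAO_HOURS)
    for r in recovery_priority(CBF_RESOURCES, CBF_MAO_HOURS):
        print(f"{r:32} MAO={mao[r]:>3}h shared={r in shared_resources(CBF_RESOURCES)}")
```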
Summarized from the book Risk List and Control - Darril Gibson
Darril Gibson is the CEO of Security Consulting and Training, LLC. He regularly teaches, writes, and consults on a wide variety of security and technical topics. He’s been a Microsoft Certified Trainer for more than 10 years and holds several certifications, including MCSE, MCDBA, MCSD, MCITP, ITIL v3, Security+, and CISSP. He has authored, coauthored, or contributed to 10 books including the successful Security+: Get Certified, Get Ahead.