1
00:00:00,004 --> 00:00:01,009
- [Narrator] Business continuity planning

2
00:00:01,009 --> 00:00:03,008
is one of the core responsibilities

3
00:00:03,008 --> 00:00:06,009
of the information security profession.

4
00:00:06,009 --> 00:00:09,008
Business continuity efforts are a collection of activities

5
00:00:09,008 --> 00:00:11,003
designed to keep a business running

6
00:00:11,003 --> 00:00:13,000
in the face of adversity.

7
00:00:13,000 --> 00:00:14,006
This adversity may come in the form

8
00:00:14,006 --> 00:00:18,002
of a small-scale incident such as a single system failure,

9
00:00:18,002 --> 00:00:22,000
or a catastrophic incident such as an earthquake or tornado.

10
00:00:22,000 --> 00:00:24,008
Business continuity plans may also be activated

11
00:00:24,008 --> 00:00:27,009
by man-made disasters such as a terrorist attack

12
00:00:27,009 --> 00:00:30,003
or hacker intrusion.

13
00:00:30,003 --> 00:00:32,007
While many organizations place responsibility

14
00:00:32,007 --> 00:00:36,005
for business continuity with operational engineering teams,

15
00:00:36,005 --> 00:00:40,000
business continuity is a core security concept

16
00:00:40,000 --> 00:00:41,007
because it is the primary control

17
00:00:41,007 --> 00:00:45,002
that supports the security objective of availability.

18
00:00:45,002 --> 00:00:48,001
Remember, that's one of the big three objectives

19
00:00:48,001 --> 00:00:49,007
of information security:

20
00:00:49,007 --> 00:00:53,009
confidentiality, integrity, and availability.

21
00:00:53,009 --> 00:00:57,001
When an organization begins a business continuity effort,

22
00:00:57,001 --> 00:00:59,004
it's easy to quickly become overwhelmed

23
00:00:59,004 --> 00:01:02,003
by the many possible scenarios and controls

24
00:01:02,003 --> 00:01:04,000
that the project might consider.

25
00:01:04,000 --> 00:01:06,000
For this reason, the team developing

26
00:01:06,000 --> 00:01:07,007
a business continuity plan

27
00:01:07,007 --> 00:01:11,005
should take time up front to carefully define their scope.

28
00:01:11,005 --> 00:01:14,004
What business activities will be covered by the plan?

29
00:01:14,004 --> 00:01:16,006
What types of systems will it cover?

30
00:01:16,006 --> 00:01:19,000
What types of controls will it consider?

31
00:01:19,000 --> 00:01:20,009
The answers to these questions

32
00:01:20,009 --> 00:01:23,007
will help make critical prioritization decisions

33
00:01:23,007 --> 00:01:25,006
down the road.

34
00:01:25,006 --> 00:01:27,004
Continuity planners use a tool

35
00:01:27,004 --> 00:01:31,002
known as a business impact assessment, or BIA,

36
00:01:31,002 --> 00:01:33,000
to help make these decisions.

37
00:01:33,000 --> 00:01:35,000
The BIA is a risk assessment

38
00:01:35,000 --> 00:01:37,008
that follows one of the quantitative or qualitative

39
00:01:37,008 --> 00:01:41,003
processes that we discussed earlier in this course.

40
00:01:41,003 --> 00:01:44,005
The BIA begins by identifying the organization's

41
00:01:44,005 --> 00:01:46,001
critical business processes

42
00:01:46,001 --> 00:01:48,001
and then tracing those backwards

43
00:01:48,001 --> 00:01:49,008
to the critical IT systems

44
00:01:49,008 --> 00:01:52,000
that support those processes.

45
00:01:52,000 --> 00:01:55,003
Once planners have identified the affected IT systems,

46
00:01:55,003 --> 00:01:57,007
they then identify the potential risks

47
00:01:57,007 --> 00:02:00,008
to those systems and conduct a risk assessment.

48
00:02:00,008 --> 00:02:03,004
The output of a business impact assessment

49
00:02:03,004 --> 00:02:05,004
is a prioritized listing of risks

50
00:02:05,004 --> 00:02:07,009
that might disrupt the organization's business,

51
00:02:07,009 --> 00:02:09,006
such as the one shown here.

52
00:02:09,006 --> 00:02:11,008
Planners can then use this information

53
00:02:11,008 --> 00:02:13,003
to help select controls

54
00:02:13,003 --> 00:02:16,004
that mitigate the risks facing the organization

55
00:02:16,004 --> 00:02:18,008
within acceptable expense limits.

56
00:02:18,008 --> 00:02:22,000
For example, notice that the risks in this scenario

57
00:02:22,000 --> 00:02:25,004
are listed in descending order of expected loss.

58
00:02:25,004 --> 00:02:27,009
It makes sense to place the highest priority

59
00:02:27,009 --> 00:02:30,004
on addressing the risk at the top of the list,

60
00:02:30,004 --> 00:02:32,005
hurricane damage to the data center.

61
00:02:32,005 --> 00:02:34,008
But the organization must then make decisions

62
00:02:34,008 --> 00:02:36,007
about control implementation

63
00:02:36,007 --> 00:02:38,004
that factor in cost.

64
00:02:38,004 --> 00:02:42,002
For example, if a $50,000 flood prevention system

65
00:02:42,002 --> 00:02:44,004
would reduce the risk of hurricane damage

66
00:02:44,004 --> 00:02:46,008
to the data center by 50%,

67
00:02:46,008 --> 00:02:49,009
purchasing the system is clearly a good decision

68
00:02:49,009 --> 00:02:51,009
because it has an expected payback period

69
00:02:51,009 --> 00:02:53,007
of less than one year.