Home > Ask the Security Experts > Security Management Questions & Answers > Is there a way to integrate business continuity planning and operational risk management?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Is there a way to integrate business continuity planning and operational risk management?

Mike Rothman EXPERT RESPONSE FROM: Mike Rothman

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 08 March 2007
We are facing the challenge of integrating business continuity planning and operational risk management. We are struggling to present our management with a meaningful comparative analysis between risk assessment and business impact analysis (scope, objective, input-output). Any ideas?

>
EXPERT RESPONSE
I've never been a big fan of trying to wedge certain activities into a somewhat arbitrary document category, like risk assessment and business impact analysis. In reality, you are trying to achieve the same thing with both activities -- it just depends at what stage of the incident you are looking at.

A risk assessment involves trying to understand where potential exposure points are. I recommend looking at the problem from the perspective of a business system, which I describe in my book, The Pragmatic CSO, as a set of networking resources, servers and applications that automate a business process. There are many tools to poke at a business system to see potential areas of exposure, including vulnerability scanners and penetration tests for all system components.

A business impact analysis involves understanding what's going to happen to the business if one of these systems goes down. It can apply to any kind of event or incident. This tends to be more of a qualitative analysis, working with cross-functional teams -- including finance and operations -- to understand what isn't going to happen if a system goes down.

For more information:

  • Contributing writer Ed Moyle offers advice on how to put together a business impact analysis.
  • In this tip, which is part of SearchSecurity.com's Compliance School, expert Richard E. Mackey explains how to approach these control and governance frameworks and why they're helpful in determining how to mitigate risks.


    • Sound Off! -   Be the first to post a message to Sound Off!


    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Security Management
    Is it against HIPAA regulations to permanently store sensitive information?
    Two-tier distributed systems vs. three-tier distributed systems
    How to prevent software piracy
    How do ISO 17799 and SAS 70 differ?
    Has FFIEC made any VoIP-specific mandates?
    What is the best way to administer exams to students via computer?
    Should computer exams be transmitted as PDF files or Word files?
    Is it against HIPAA regulations to display client names?
    Getting started on a career in penetration testing
    Are there security management products that can track compliance objectives?

    Risk Assessment and Analysis
    Security data lapses hamper researchers
    Panel: IT governance, risk and compliance program helps reduce expenses
    Like MLB scouts, IT security pros are turning to metrics
    Google shares struggle to manage security complexities
    GRC Tools Help Manage Regulations
    Interview: Financial Services CISO David Pollino
    The New School of Information Security
    Penetration testing: Helping your compliance efforts
    Failure mode and effects analysis: Process and system risk assessment
    The pros and cons of data breach insurance

    Business Impact Analysis
    Data breach costs soar
    Business Survival 101: How to Perform a Business Impact Analysis
    Business continuity planning standards and guidelines
    Disaster recovery report card: Measuring your company's disaster recovery profile
    Privacy Breach Impact Calculator
    Digital doomsday can be avoided with preparation
    Infosec pros need to get 'physical'
    Information security, 'CSI' style
    Security Bytes: Shockwave flaw fixed
    RSA Conference 2006
    Business Impact Analysis Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    risk analysis  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts