Integration
An effective BIA is a living document; creating yet another document to gather dust on a shelf obviously isn't useful. Integrating the BIA into other areas outside BCP ensures that the document will continue to be relevant.
In other words, once an organization has invested the time and resources required to gather, correlate and document its business processes, that investment can be maximized by using the BIA in as many other areas of the firm as possible. Additionally, using the BIA for other activities outside BCP will keep it current. After all, the business processes documented in the BIA are continuously evolving—updating the document as they evolve is critical.
A good place to make broad use of the document is in the "non-disaster planning" information security world. Vulnerability assessment, application assessment, risk management and incident response can all benefit from having a BIA.
For security organizations that perform automated vulnerability assessment, the information in the BIA can increase an assessment's effectiveness by taking into account a machine's criticality. During assessment planning, organizations can decide whether to include critical servers in their scans to help harden those machines or to preclude scans of those servers to minimize potential downtime. Alternatively, organizations may want to use a blended approach with less intrusive scan settings against critical servers than they would against non-critical ones.
A BIA can also assist in application assessment by allowing assessors to use it as a means of gathering intelligence. Specifically, the BIA can provide dependency information to help companies understand how these applications interact, how they relate to the business, and how data flows into and out of the application.
Data gathered during application and vulnerability assessments can drive changes to the BIA. Assessments may highlight application changes, and those changes can reflect updates to the underlying business process. Personnel evaluating applications can periodically "freshen" the BIA by aligning it with those changes.
Risk management is another area outside continuity planning where the BIA can help. Often, information security teams that try to quantify overall risk either cannot assign dollar amounts to risk or are forced to use soft dollar values derived from rough estimates. However, by drawing on a BIA that contains hard dollar values, you can replace estimated costs with actual costs to enhance the precision and credibility of risk management activities and provide more effective communication of risks to business partners.
Some risk management activities are also limited by the domino effect caused by compromised systems cascading risk to dependent systems. Having those interactions documented in a BIA can provide insight into this phenomenon and allow risk management activities to include these risks in the overall risk profile for a given application.
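An added example (not from the original article) of how documented dependencies and hard dollar values in a BIA can feed a cascaded risk figure for each system. The system names, hourly costs, record layout and function names are constructed assumptions.

```python
from collections import deque

# Constructed sample BIA records (not from the article): each system lists its
# hourly downtime cost in dollars and the systems it depends on.
BIA = {
    "auth-db":     {"hourly_cost": 2_000,  "depends_on": []},
    "sso":         {"hourly_cost": 5_000,  "depends_on": ["auth-db"]},
    "order-entry": {"hourly_cost": 40_000, "depends_on": ["sso", "inventory"]},
    "inventory":   {"hourly_cost": 12_000, "depends_on": ["order-entry"]},  # cycle
    "intranet":    {"hourly_cost": 500,    "depends_on": ["sso"]},
    "hr-portal":   {"hourly_cost": 1_000,  "depends_on": []},
}

def dependents_index(bia):
    """Invert depends_on so each system maps to the systems that rely on it."""
    index = {name: set() for name in bia}
    for name, rec in bia.items():
        for dep in rec["depends_on"]:
            if dep not in index:
                raise KeyError(f"{name} depends on {dep}, which has no BIA record")
            index[dep].add(name)
    return index

def blast_radius(bia, compromised):
    """Return every system affected if `compromised` fails, itself included."""
    index = dependents_index(bia)
    seen, queue = {compromised}, deque([compromised])
    while queue:  # breadth-first walk; `seen` stops cyclic dependencies looping
        for nxt in index[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def cascaded_exposure(bia, compromised, outage_hours):
    """Dollar exposure of an outage, counting every dependent system."""
    affected = blast_radius(bia, compromised)
    return sum(bia[s]["hourly_cost"] for s in affected) * outage_hours

def rank_by_exposure(bia, outage_hours=1):
    """Order systems by cascaded exposure, highest first."""
    return sorted(bia, key=lambda s: cascaded_exposure(bia, s, outage_hours),
                  reverse=True)
```

In this sample the low-cost `auth-db` ranks first because everything behind single sign-on fails with it, which a per-system cost figure alone would not show.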
BIA content can also help incident response. If the BIA includes operational information about critical applications—such as application owners' contact information and addresses/platforms of critical servers—response personnel can take proactive steps in the event of an incident to ensure that these critical applications stay up. For example, if a worm is spreading through the network, personnel can contact the managers of the highest priority systems early on to relay protection measures—hopefully before those critical machines become infected.