WEBVTT

00:00.000 --> 00:03.315
>> Business impact analysis.

00:03.315 --> 00:05.760
The learning objectives
for this lesson are

00:05.760 --> 00:07.845
to define the business
continuity plan,

00:07.845 --> 00:10.485
to explore business
impact analysis,

00:10.485 --> 00:12.795
and to explain
recovery objectives.

00:12.795 --> 00:15.720
Let's get started.
We're going to

00:15.720 --> 00:17.430
begin discussing business impact

00:17.430 --> 00:19.230
analysis at a high level.

00:19.230 --> 00:21.300
Risk is just a part
of doing business

00:21.300 --> 00:23.220
and it's not something
we can avoid.

00:23.220 --> 00:25.590
But it's critical that
we define the types

00:25.590 --> 00:28.155
of risks that our organization
is likely to face,

00:28.155 --> 00:29.690
and then what those impacts

00:29.690 --> 00:31.340
would be on our organization if

00:31.340 --> 00:34.520
that risk were to
actually happen to us.

00:34.520 --> 00:36.860
Some risks will be unlikely to

00:36.860 --> 00:38.000
happen and others will have

00:38.000 --> 00:39.350
a higher chance of occurring,

00:39.350 --> 00:40.850
and we need to make sure that

00:40.850 --> 00:43.130
we take into account those and

00:43.130 --> 00:45.380
then how those different things

00:45.380 --> 00:47.690
will cause a problem
to our business.

00:47.690 --> 00:49.775
It might be something
as simple as a

00:49.775 --> 00:52.210
hacker breaking into our
website and defacing it,

00:52.210 --> 00:53.540
or it may be that we have

00:53.540 --> 00:57.175
a natural disaster that takes
down a production facility.

00:57.175 --> 00:59.735
The natural disaster, while it

00:59.735 --> 01:01.865
might be less likely to happen,

01:01.865 --> 01:03.260
if we do live in an area where

01:03.260 --> 01:05.615
natural disasters
do sometimes occur,

01:05.615 --> 01:07.730
we need to make sure
that we account for that

01:07.730 --> 01:10.345
and have a plan to
know what that is,

01:10.345 --> 01:11.925
what would that do to us,

01:11.925 --> 01:14.240
and then we can use
this later on to

01:14.240 --> 01:17.020
build our plans on how
to recover from that.

01:17.020 --> 01:18.740
We need to make
sure we have plans

01:18.740 --> 01:21.680
created to address these
different types of things.

01:21.680 --> 01:23.375
But before we can make any plans,

01:23.375 --> 01:25.800
we have to have our
business impact analysis.

01:25.800 --> 01:27.500
Now we're going to
go into more detail

01:27.500 --> 01:29.540
into this a little bit
later in this lesson,

01:29.540 --> 01:31.670
but I want to give you a
high-level overview of

01:31.670 --> 01:33.950
what business impact
analysis looks like.

01:33.950 --> 01:35.585
The key point to remember is,

01:35.585 --> 01:38.255
what are the risks that
our organization faces,

01:38.255 --> 01:42.630
and how will those risks
impact us, should they occur?

01:43.250 --> 01:45.780
The business continuity plan.

01:45.780 --> 01:47.405
The best way to describe this

01:47.405 --> 01:50.390
is that a business will
be able to continue

01:50.390 --> 01:52.430
delivering its product
and services at

01:52.430 --> 01:55.240
an acceptable level
following an incident.

01:55.240 --> 01:56.750
An incident has occurred, but

01:56.750 --> 01:58.490
the business still
needs to be able to

01:58.490 --> 02:00.050
function as a business to

02:00.050 --> 02:02.150
keep delivering its
product or services.

02:02.150 --> 02:04.220
It covers a wide scope from

02:04.220 --> 02:06.695
forming business continuity
plans and policies,

02:06.695 --> 02:08.420
and by creating the following:

02:08.420 --> 02:09.865
we need response plans,

02:09.865 --> 02:11.810
we need evaluation activities,

02:11.810 --> 02:14.430
and we need planned maintenance.

02:17.060 --> 02:22.695
The NIST Special Publication
800-34 Revision 1,

02:22.695 --> 02:24.230
Contingency Planning Guide for

02:24.230 --> 02:25.940
Federal Information Systems.

02:25.940 --> 02:27.560
This is a guide that focuses on

02:27.560 --> 02:29.060
computer systems and it has

02:29.060 --> 02:31.625
the following steps for
continuity planning.

02:31.625 --> 02:34.745
Develop the continuity
planning policy statement,

02:34.745 --> 02:37.745
conduct the business
impact analysis,

02:37.745 --> 02:40.370
identify preventative measures,

02:40.370 --> 02:44.045
create contingency
strategies, and develop

02:44.045 --> 02:46.835
an information system
contingency plan,

02:46.835 --> 02:49.130
moving on to ensure plan testing,

02:49.130 --> 02:50.900
training and exercises, and

02:50.900 --> 02:53.435
finally, ensure
plan maintenance.

02:53.435 --> 02:56.630
This is a very
in-depth strategy to

02:56.630 --> 02:59.495
help you develop your own
business continuity plan.

02:59.495 --> 03:01.280
We begin with
making a statement.

03:01.280 --> 03:02.705
Our policy statement is,

03:02.705 --> 03:04.390
what are we trying to
achieve with this?

03:04.390 --> 03:06.710
What level of recovery do we

03:06.710 --> 03:09.390
want to be able to do
should an event happen?

03:09.390 --> 03:11.755
Then we perform our
business impact analysis;

03:11.755 --> 03:13.750
what are those risks
and how are they

03:13.750 --> 03:16.525
likely to impact our business
should they occur?

03:16.525 --> 03:18.760
Then we begin to
identify things we can

03:18.760 --> 03:21.145
do to prevent those
things from happening.

03:21.145 --> 03:24.490
After that, we create our
contingency strategies.

03:24.490 --> 03:26.380
But we also need to come up with

03:26.380 --> 03:28.390
an Information Systems
Contingency Plan

03:28.390 --> 03:30.670
because IT assets are so

03:30.670 --> 03:33.280
critical to all
modern organizations.

03:33.280 --> 03:35.410
We need to make sure we have
a plan in place ahead of

03:35.410 --> 03:37.940
time to react to those risks.

03:37.940 --> 03:40.195
Then we want to test, train,

03:40.195 --> 03:42.250
and then do exercises for this.

03:42.250 --> 03:43.930
It doesn't matter if
we have these policies

03:43.930 --> 03:45.820
and plans in place if no
one knows about them.

03:45.820 --> 03:47.785
We need to make sure that we

03:47.785 --> 03:50.620
inform our staff and
then we train our staff,

03:50.620 --> 03:52.075
but they will need to test them.

03:52.075 --> 03:54.410
Just because we wrote
a good policy or

03:54.410 --> 03:56.615
put a procedure in place
for these types of things,

03:56.615 --> 03:58.100
if they're not tested, we don't

03:58.100 --> 03:59.915
know that maybe something
doesn't work right.

03:59.915 --> 04:02.270
We need to have some testing
to ensure that all that goes

04:02.270 --> 04:04.535
through and that leads
us to exercises.

04:04.535 --> 04:06.755
Exercises allow us to have

04:06.755 --> 04:09.020
a fairly real-world feel

04:09.020 --> 04:12.005
to a given risk
that has occurred,

04:12.005 --> 04:14.645
and then be able to
use our plans to see

04:14.645 --> 04:17.795
how well those plans hold up
against that type of risk.

04:17.795 --> 04:20.600
Then we want to make sure
we maintain the plan.

04:20.600 --> 04:21.785
Are we keeping it up-to-date?

04:21.785 --> 04:23.030
Has anything changed since

04:23.030 --> 04:24.605
the last time we made the plan?

04:24.605 --> 04:26.705
By making sure we
keep it up-to-date,

04:26.705 --> 04:30.690
we're ensuring that it's
ready for us when we need it.

04:31.730 --> 04:34.240
Disaster recovery plans.

04:34.240 --> 04:37.115
These are part of the overall
business continuity plan,

04:37.115 --> 04:38.870
but they're focused on
the immediate needs

04:38.870 --> 04:40.610
of a specific event.

04:40.610 --> 04:42.350
Because when an event happens,

04:42.350 --> 04:44.065
you're going to be
under a lot of stress,

04:44.065 --> 04:46.610
and the disaster plan includes

04:46.610 --> 04:48.590
specific steps that
will need to be carried

04:48.590 --> 04:51.020
out to recover critical systems.

04:51.020 --> 04:53.180
No one wants to be thinking
about all those steps

04:53.180 --> 04:55.730
when you have something very
serious that's happened,

04:55.730 --> 04:56.990
you want to build or open up a

04:56.990 --> 04:58.560
playbook and look at it and say,

04:58.560 --> 05:00.325
"First I do this
and then I do this,

05:00.325 --> 05:01.830
then check those things off."

05:01.830 --> 05:03.845
But for that to be able to work,

05:03.845 --> 05:05.735
we go back to the
previous slide where

05:05.735 --> 05:06.590
we need to make sure we're

05:06.590 --> 05:07.925
keeping those things up-to-date,

05:07.925 --> 05:09.605
we've trained our staff on them,

05:09.605 --> 05:11.660
and we've done exercises
to ensure that

05:11.660 --> 05:15.750
those plans are actually going
to work when we need them.

05:16.900 --> 05:19.190
Business impact analysis.

05:19.190 --> 05:21.110
Now we're going to go into a
little bit deeper about it.

05:21.110 --> 05:23.930
The first step is to
identify all the parts of

05:23.930 --> 05:27.380
our information systems and
what they are composed of.

05:27.380 --> 05:30.130
This includes your internal
hardware, your apps,

05:30.130 --> 05:32.150
your third party connections,

05:32.150 --> 05:34.070
as well as external services.

05:34.070 --> 05:35.660
Then you need to
identify if there are

05:35.660 --> 05:38.435
any regulatory or compliance
concerns that you may have,

05:38.435 --> 05:40.850
such as HIPAA or PCI.

05:40.850 --> 05:42.260
These are very critical

05:42.260 --> 05:43.700
because when you
have an incident,

05:43.700 --> 05:46.700
you want to make sure
that if there hasn't yet

05:46.700 --> 05:48.770
been a breach of one of

05:48.770 --> 05:50.795
these types of
compliance frameworks,

05:50.795 --> 05:53.350
then you want to make sure
that it doesn't get to that.

05:53.350 --> 05:55.610
Then all of these
will play a part in

05:55.610 --> 05:57.560
your overall business
impact analysis.

05:57.560 --> 05:59.435
Because again, different risks

05:59.435 --> 06:01.070
are likely or
unlikely to happen.

06:01.070 --> 06:03.080
But given certain frameworks,

06:03.080 --> 06:06.365
a risk of data being

06:06.365 --> 06:08.390
exposed is of a higher concern

06:08.390 --> 06:11.190
if you're under one
of these frameworks.

06:12.220 --> 06:15.020
Mission critical services.

06:15.020 --> 06:17.540
Identifying your
critical services is not

06:17.540 --> 06:19.520
always as straightforward
as it would seem.

06:19.520 --> 06:20.830
Typically, you would
say my server,

06:20.830 --> 06:21.950
or my Internet connection

06:21.950 --> 06:24.020
or databases, that
type of thing.

06:24.020 --> 06:25.910
But the more complex
your organization is,

06:25.910 --> 06:27.590
you're going to have
critical services that

06:27.590 --> 06:29.525
maybe you didn't realize.

06:29.525 --> 06:31.160
It requires you to meet with

06:31.160 --> 06:33.650
all the business units and
discover what is important

06:33.650 --> 06:35.180
for them and how

06:35.180 --> 06:37.880
those units are going to
interact with each other.

06:37.880 --> 06:39.050
By doing this, you're going to

06:39.050 --> 06:40.400
uncover things that, again,

06:40.400 --> 06:42.935
like I said, you didn't
consider before.

06:42.935 --> 06:45.665
From there you can make
a truly inclusive list

06:45.665 --> 06:47.300
of what is mission critical.

06:47.300 --> 06:48.650
Until you have that list,

06:48.650 --> 06:50.930
you really don't even know about

06:50.930 --> 06:52.550
creating a continuity plan

06:52.550 --> 06:55.290
because you might be
missing something.

06:55.730 --> 06:59.240
Instructor side note. I
had a customer that at

06:59.240 --> 07:00.290
one point was very

07:00.290 --> 07:02.225
focused on selling
products quickly,

07:02.225 --> 07:04.460
restocking so that
they continue selling,

07:04.460 --> 07:06.140
and then paying their
vendors quickly

07:06.140 --> 07:08.395
so they could keep
receiving the products.

07:08.395 --> 07:10.190
We were building a
disaster recovery

07:10.190 --> 07:11.645
plan for the organization,

07:11.645 --> 07:14.360
and it had more than 50
locations at that time.

07:14.360 --> 07:16.550
They were using a
time clock system

07:16.550 --> 07:18.500
that was in their
corporate office,

07:18.500 --> 07:20.270
and then all of the 50 locations

07:20.270 --> 07:22.100
were streaming back to

07:22.100 --> 07:24.785
that central location in
their central office.

07:24.785 --> 07:26.960
When we sat down
with everyone and

07:26.960 --> 07:28.400
we went over everything,

07:28.400 --> 07:31.190
in our initial setup
of this customer,

07:31.190 --> 07:32.750
it was never mentioned
how important

07:32.750 --> 07:34.490
this aspect of
their business was,

07:34.490 --> 07:37.670
but when we re-framed
the conversation in

07:37.670 --> 07:41.960
the context of recovery and
being back up and running,

07:41.960 --> 07:43.775
they were far more
concerned with

07:43.775 --> 07:45.995
making sure that time
clock was up and running

07:45.995 --> 07:47.960
so that all their
employees were giving

07:47.960 --> 07:50.390
their proper work times

07:50.390 --> 07:52.910
logged than they were
about paying vendors or

07:52.910 --> 07:56.020
even receiving product
or any of that.

07:56.020 --> 07:57.430
If we hadn't sat down

07:57.430 --> 07:59.440
and re-framed the
conversation to them,

07:59.440 --> 08:00.640
we never would've been able to

08:00.640 --> 08:02.980
identify that this
time clock system

08:02.980 --> 08:04.780
was far more important
to them than

08:04.780 --> 08:06.670
they had first led
us to believe.

08:06.670 --> 08:09.130
Even they had not thought
of it in that way; when we

08:09.130 --> 08:11.740
were talking about what
is important to you,

08:11.740 --> 08:15.225
they would tell us it's our
accounts payable system,

08:15.225 --> 08:17.260
and we need to make sure that
we're paying our vendors.

08:17.260 --> 08:18.700
That server is very important.

08:18.700 --> 08:20.980
We need to make sure that it's
backed up and everything.

08:20.980 --> 08:23.090
But the time clock
was more of, "Yeah,

08:23.090 --> 08:24.700
that's over there
and we need to make

08:24.700 --> 08:26.380
sure that it's functional,

08:26.380 --> 08:28.480
that it has access,
and that it works,"

08:28.480 --> 08:31.150
but it was never
discussed in the context

08:31.150 --> 08:34.160
of what would happen
if it totally crashed;

08:34.160 --> 08:36.685
is it more important
than your other servers?

08:36.685 --> 08:38.665
Having these discussions
is critical.

08:38.665 --> 08:40.510
Make sure you meet with

08:40.510 --> 08:42.970
all of the units in
your organization so

08:42.970 --> 08:45.010
that you can identify
everything that's

08:45.010 --> 08:48.290
critical to the
organization as a whole.

08:49.460 --> 08:51.770
Recovery objectives.

08:51.770 --> 08:53.500
When we're thinking of recovery,

08:53.500 --> 08:56.650
it's not enough to just get
things back up and running.

08:56.650 --> 08:58.145
Speed is a factor.

08:58.145 --> 09:00.195
If systems were down for a week,

09:00.195 --> 09:02.770
would this be acceptable
as long as they recovered?

09:02.770 --> 09:05.700
Some organizations, maybe
that's not such a big deal.

09:05.700 --> 09:09.084
But in others, even an
hour down is unacceptable.

09:09.084 --> 09:11.110
To improve our
recovery capability,

09:11.110 --> 09:13.165
we have to be able to measure

09:13.165 --> 09:16.370
how fast we get things
back up and running.

09:16.710 --> 09:19.020
We have recovery objectives.

09:19.020 --> 09:21.385
The first is our recovery
point objective.

09:21.385 --> 09:23.540
This is the amount
of data that can be

09:23.540 --> 09:27.575
lost before an organization
is irreparably harmed.

09:27.575 --> 09:30.590
Then we have our
recovery time objective.

09:30.590 --> 09:33.290
This is the maximum amount of
time that it should take to

09:33.290 --> 09:35.540
perform the recovery activities

09:35.540 --> 09:36.860
and be back up and running.

09:36.860 --> 09:38.090
On the next slide,
I'm going to give

09:38.090 --> 09:39.200
you a visual to help you better

09:39.200 --> 09:42.330
understand and differentiate
between these two.

09:43.040 --> 09:47.605
We can think of the explosion
there as the event.

09:47.605 --> 09:49.460
Our recovery point objective is

09:49.460 --> 09:51.890
how far back do we have data?

09:51.890 --> 09:55.325
That is the last usable
backup that we have,

09:55.325 --> 09:57.910
and that would be our
recovery point objective.

09:57.910 --> 10:00.620
Our recovery time objective
is going the other way.

10:00.620 --> 10:03.110
How long is it

10:03.110 --> 10:05.720
going to take for us
to be able to recover?

10:05.930 --> 10:09.680
Right of bang, moving
away from the event,

10:09.680 --> 10:11.510
how much time is going

10:11.510 --> 10:14.160
to occur before we're
up and running?

10:14.160 --> 10:15.305
That is our RTO,

10:15.305 --> 10:17.580
or recovery time objective.

10:18.610 --> 10:21.275
Privacy impact assessment.

10:21.275 --> 10:23.090
This is performed
to discover where

10:23.090 --> 10:26.000
privacy data is stored,
how it is stored,

10:26.000 --> 10:29.720
and the impact that would
occur if the confidentiality,

10:29.720 --> 10:31.340
integrity, and availability of

10:31.340 --> 10:33.170
that data were compromised.

10:33.170 --> 10:35.150
This is critical to ensure

10:35.150 --> 10:37.445
that privacy data is kept safe,

10:37.445 --> 10:38.660
especially under

10:38.660 --> 10:40.220
the regulatory and
compliance systems

10:40.220 --> 10:41.240
that we've mentioned.

10:41.240 --> 10:42.305
This is also a part of our

10:42.305 --> 10:44.315
overall business
impact strategy.

10:44.315 --> 10:47.090
I keep coming back to
these compliance laws

10:47.090 --> 10:48.410
because these are things that

10:48.410 --> 10:50.290
a lot of people just
don't think about.

10:50.290 --> 10:54.200
You can have significant
penalties for

10:54.200 --> 10:57.050
allowing data that
is protected under

10:57.050 --> 11:00.140
a compliance framework such
as HIPAA to be exposed.

11:00.140 --> 11:02.545
Some of these fines could
be millions of dollars.

11:02.545 --> 11:04.475
It's been rare, but there

11:04.475 --> 11:06.500
have been occurrences
where jail time

11:06.500 --> 11:10.400
was a punishment for a breach
of patient information.

11:10.400 --> 11:13.400
You want to make sure that
in the course of making

11:13.400 --> 11:14.870
your business impact assessment

11:14.870 --> 11:16.415
or your business
impact analysis,

11:16.415 --> 11:21.710
that you're ensuring that
you have accounted for

11:21.710 --> 11:24.710
any areas where breaches
of privacy would

11:24.710 --> 11:26.600
be a possibility and

11:26.600 --> 11:29.070
then how you're going
to mitigate that.

11:29.990 --> 11:32.660
Let's summarize. We discussed

11:32.660 --> 11:34.400
the business continuity plan and

11:34.400 --> 11:36.140
the business impact analysis.

11:36.140 --> 11:38.540
We also went over
mission-critical services,

11:38.540 --> 11:42.235
recovery objectives, and the
privacy impact assessment.

11:42.235 --> 11:46.065
Let's do some example
questions. Question 1.

11:46.065 --> 11:49.280
True or false: the
IT department is the

11:49.280 --> 11:50.705
one that makes the decisions

11:50.705 --> 11:53.245
on what is critical
and what is not.

11:53.245 --> 11:56.150
False. All business units

11:56.150 --> 11:57.800
should be included
in establishing what

11:57.800 --> 12:01.850
is critical to the
organization. Question 2.

12:01.850 --> 12:04.100
This measures the
amount of time that

12:04.100 --> 12:07.350
a system is down before
it is recovered.

12:07.910 --> 12:11.865
Recovery time objective or RTO.

12:11.865 --> 12:15.320
Question 3. This
measures how much data

12:15.320 --> 12:19.080
can be lost until an
organization will be harmed.

12:19.340 --> 12:23.160
Recovery point objective or RPO.

12:23.160 --> 12:24.975
Finally, Question 4.

12:24.975 --> 12:27.770
True or false: a privacy
impact assessment

12:27.770 --> 12:31.050
is separate and not
a part of the BIA.

12:31.310 --> 12:34.250
False. A business
impact assessment

12:34.250 --> 12:36.200
is inclusive of many parts,

12:36.200 --> 12:38.750
including a privacy
impact assessment.

12:38.750 --> 12:40.580
I hope that this
lesson was helpful

12:40.580 --> 12:43.050
for you, and I'll see
you in the next one.

