WEBVTT

00:00.760 --> 00:08.280
Business impact analysis is the study and analysis of the impact on your organization

00:08.320 --> 00:13.720
if you have a disruption in your business, whatever that business might be. Now, a business impact analysis

00:13.720 --> 00:20.230
is a big deal, and in fact, as much as I love the NIST, there is one place where the NIST falls down a

00:20.230 --> 00:24.640
little bit, and that's the way they describe business impact analysis.

00:24.730 --> 00:31.150
The three primary steps to business impact analysis are: number one, determine mission processes and

00:31.150 --> 00:36.220
recovery criticality; number two, identify resource requirements.

00:36.220 --> 00:40.750
Number three, identify recovery priorities for system resources.

00:40.750 --> 00:41.230
Wow.

00:41.290 --> 00:41.810
OK.

00:41.860 --> 00:44.350
This stuff can get pretty nerdy sometimes.

00:44.350 --> 00:49.240
So let's break these three steps down and make it a little bit easier for us to understand.

00:49.270 --> 00:55.030
Number one, when we're talking about determining mission processes, we have to say, what are the things

00:55.030 --> 00:59.770
that we do within our IT infrastructure to do the voodoo we do so well?

00:59.770 --> 01:01.450
Now, here at Total Seminars,

01:01.450 --> 01:07.960
we do a ton of work accessing outside servers, web servers, application servers, things like that, configuring

01:07.960 --> 01:08.360
them.

01:08.500 --> 01:13.650
We also have a lot of incoming business coming in from people hitting our website.

01:13.660 --> 01:19.870
So a big mission-critical process for us is our Internet, and having that up and running.

01:19.990 --> 01:23.460
Another big process for us is shooting all these videos.

01:23.470 --> 01:27.160
We have big servers that do nothing but store all this video data.

01:27.160 --> 01:32.710
So those two things alone are absolutely critical mission processes for Total Seminars.

01:32.710 --> 01:37.690
If the water cooler went down, you know what, we could still do business, so that would not be a mission

01:37.690 --> 01:38.960
critical process.

01:39.100 --> 01:40.270
Now, along with that,

01:40.270 --> 01:46.850
so now that we understand these processes are really... we don't want to say processes, it's more like functions.

01:46.960 --> 01:48.280
Keep the internet up.

01:48.280 --> 01:51.730
That is a mission-essential function here at Total Seminars.

01:51.730 --> 01:53.950
Number two, make sure the servers are working.

01:53.950 --> 01:57.400
That is a mission-essential function here at Total Seminars.

01:57.400 --> 02:01.790
Now, another big part of that would be identification of critical systems.

02:01.840 --> 02:07.960
If our cable modem doesn't work, we have a problem, and we're not going to be able to achieve our mission

02:07.960 --> 02:09.020
essential function.

02:09.160 --> 02:13.030
So certain pieces of equipment become really, really important.

02:13.090 --> 02:16.840
Our server, for example: if it goes down, we've got a problem.

02:16.840 --> 02:23.410
So what we have is actually known as a single point of failure, and we want to avoid these single points

02:23.410 --> 02:27.120
of failure by using redundancy, defense in depth.

02:27.160 --> 02:32.860
And for example, I could set up two ISPs, I can configure RAID for my RAID server, I can set up good

02:32.860 --> 02:35.210
backups, whatever I need to do.

02:36.030 --> 02:39.480
The next thing I need to do is identify resource requirements.

02:39.480 --> 02:42.530
So what do I need for these different types of resources?

02:42.540 --> 02:46.560
Well, for all of these different files we need the server, so that actually ties in a little bit

02:46.560 --> 02:53.370
with our single point of failure concept. And then last, we need to identify recovery priorities for system

02:53.370 --> 02:54.480
resources.

02:54.480 --> 03:01.900
So now what we're talking about is, if everything goes down, what are the priorities, what are the steps

03:01.900 --> 03:04.630
that I have to do to get us to run the best?

03:04.630 --> 03:09.820
So here at Total Seminars, probably the first thing I would be doing is making sure that my Internet service

03:09.820 --> 03:14.890
provider was up and cooking, making sure that my cable modem was working, making sure that the router was

03:14.890 --> 03:17.350
up and running, then making sure the network was cooking.

03:17.350 --> 03:24.880
So, literally going through and prioritizing the steps necessary to get whatever mission-essential

03:24.880 --> 03:28.420
function I might have going back up and cooking again.

03:28.420 --> 03:36.160
So even though NIST uses some pretty fancy terms for it, it's really mainly: find out what are the incredibly

03:36.160 --> 03:38.440
important processes for your business.

03:38.440 --> 03:43.450
Identify whatever resource requirements they might need, and then set up a priority, too:

03:43.570 --> 03:47.750
if they go down, which ones are you going to get up first?

03:47.870 --> 03:54.040
Now, as easy as I've tried to make that, there are other aspects of business impact analysis that can

03:54.040 --> 03:55.550
get a little bit complicated.

03:55.660 --> 04:00.530
And one of those is going to be called impact. Impact is a really important concept.

04:00.530 --> 04:06.210
Now, it's easy for the layperson to hear a word like that, and they say, what's the impact on our business?

04:06.220 --> 04:07.230
We're going to lose money.

04:07.240 --> 04:14.260
Well, OK, first of all, monetary loss is an impact, and that's certainly one we need to register, but you

04:14.260 --> 04:18.090
need to understand that there's more than just money involved here.

04:18.100 --> 04:21.550
First of all, probably a really big one would be property.

04:21.660 --> 04:26.080
Now, when we're talking about property, we don't just mean real estate; in this case we're talking about

04:26.080 --> 04:27.940
we can lose equipment.

04:28.090 --> 04:34.230
You know, we could lose whatever it might be, but it's going to be real stuff that we could lose; we could

04:34.230 --> 04:37.180
lose a van or whatever it might be.

04:37.210 --> 04:43.660
So when we're thinking about the impact, not only do we think about money, but we also think about property.

04:43.840 --> 04:46.650
Arguably, you can always get property back with money.

04:46.660 --> 04:49.240
But we treat those separately.

04:49.300 --> 04:51.400
The other two have to do with people.

04:51.460 --> 04:58.440
First of all, we use the word safety. Safety in and of itself is an impact: if people are getting hurt,

04:58.450 --> 04:59.360
well, that's a problem.

04:59.380 --> 05:01.060
And we want to avoid that.

05:01.180 --> 05:04.720
Again, it does boil back down to money, but we talk about safety.

05:04.720 --> 05:09.430
You know, somebody could trip in this particular situation, somebody could hurt their back trying to lift

05:09.430 --> 05:10.040
that.

05:10.060 --> 05:13.350
So safety by itself is an impact.

05:13.420 --> 05:20.330
Now, along with that is life. We don't see that too much in the security world, but it does happen, unfortunately,

05:20.540 --> 05:28.430
and that is, literally, loss of life can take place, and loss of life has a huge impact in terms of how

05:28.430 --> 05:30.430
it's going to affect your organization.

05:31.190 --> 05:35.230
Next is going to be finance. Be careful, because you go, finance is money, right?

05:35.330 --> 05:37.900
Well, it is money, but it's more than that.

05:37.940 --> 05:40.240
It also might mean your ability to get money.

05:40.250 --> 05:46.600
So your credit might come into play, or your cash flows might come into play, your accounts receivable.

05:46.610 --> 05:52.430
So when we talk about an impact, we talk about the finance, and we break it down even more into these

05:52.430 --> 05:57.030
different types of streams and how the money does actually affect us.

05:57.140 --> 06:01.770
And the last one, and this one's a hard one to actually put a number on, is reputation.

06:01.940 --> 06:05.710
If Total Seminars' website went down for three days, people would stop coming to it.

06:05.720 --> 06:12.220
We would have a lack of reputation, and it's hard to measure in dollars what that could possibly be.

06:12.380 --> 06:19.240
But reputation is a really, really big deal. Now, a big killer of reputation has to do with privacy.

06:19.250 --> 06:24.880
So let's take a moment and talk about privacy impact assessment and privacy threshold assessment.

06:24.950 --> 06:32.990
Now, privacy is a really big deal, and you letting go of other people's privacy can make a huge business

06:33.050 --> 06:34.070
impact.

06:34.070 --> 06:40.090
So when we're talking about privacy, now, in other episodes we talk about personally identifiable information,

06:40.100 --> 06:43.700
PII, or personal health information.

06:43.820 --> 06:51.590
So those two types of information: PII would be your full name, your address, your Social Security number,

06:51.590 --> 06:57.320
things like that; personal health information would be, as it implies, your health history,

06:57.690 --> 06:59.330
any diagnoses that you've had,

06:59.330 --> 07:05.630
things like that. So a lot of people get into a lot of trouble not taking care of the privacy that they're

07:05.630 --> 07:06.610
in charge of.

07:06.800 --> 07:12.530
So when we're doing a business impact analysis, we talk about two very specific things. First of all, we

07:12.530 --> 07:19.550
talk about the privacy impact assessment. The privacy impact assessment simply means: what will the impact

07:19.550 --> 07:26.690
be to us if the privacy stuff that we're in control of were to get out one way or another? And

07:26.750 --> 07:34.710
a privacy impact assessment really is looking at what laws and regulations and what obligations

07:34.700 --> 07:39.960
we might run into, and then, you know, what we would have to be doing if that were to get out.

07:40.090 --> 07:48.370
So to avoid privacy impact problems, what we do is called a privacy threshold assessment. A privacy threshold

07:48.370 --> 07:54.550
assessment simply means that you're going out to do an assessment: you have certain types of data, and

07:54.550 --> 08:00.580
you go out and say, you know, what is this data, where is this data, how are we storing this data?

08:00.580 --> 08:04.330
So privacy threshold assessments are often an in-house document.

08:04.330 --> 08:10.390
So I've got an example of a PTA that came from US Aid Society.

08:10.420 --> 08:16.660
We'll pull that up, and we can talk a little bit about what you might see in a privacy threshold assessment.

08:16.660 --> 08:18.870
So if you take a look at this one,

08:18.870 --> 08:23.410
this is a big, long document, but if you take a look, you'll see that this is an internal questionnaire.

08:23.560 --> 08:28.150
And what they're interested in is, they're saying, what type of paper documents, systems, electronic media,

08:28.180 --> 08:34.240
digital collaboration tools or services, and/or mobile services do you employ to collect, use, maintain,

08:34.270 --> 08:36.230
or disseminate information?

08:36.250 --> 08:41.140
So we're really talking about, in this one particular example, where within the organization they're not

08:41.140 --> 08:46.500
sure what other parts of the organization are doing with this type of personal information.

08:46.600 --> 08:51.190
And this gives them an idea, because you're not always sure; somebody comes up with a new web page for you

08:51.190 --> 08:53.290
to enter your Social Security number.

08:53.290 --> 08:57.280
Have they made that particular page robust so that bad guys can't get into it?

08:57.280 --> 09:06.070
So a PIA and a PTA are both done in order to understand what the impact of the loss of personal information

09:06.250 --> 09:08.890
can do to a particular business.

09:08.890 --> 09:13.270
So the last one I want to go over is RTO and RPO.

09:13.360 --> 09:21.750
Now, RTO stands for recovery time objective, and RPO stands for recovery point objective.

09:21.760 --> 09:28.660
Make sure you know what these are. The recovery time objective is the minimum time necessary to restore

09:28.660 --> 09:31.200
a critical system to operation.

09:31.360 --> 09:36.910
Now, it could also mean the maximum time that a critical system can be down without substantial impact,

09:36.910 --> 09:40.060
so you can actually look at the RTO in two different ways.

09:40.060 --> 09:43.010
Number one, what's the minimum time necessary,

09:43.030 --> 09:45.520
if this is down, that we can bring it back online?

09:45.820 --> 09:51.490
And then the other way is, how long is this down before we're in trouble? So even though these seem like

09:51.490 --> 09:55.930
two different terms, if you think about it for a little bit, they can actually pretty much mean the same

09:55.930 --> 09:56.460
thing.

09:56.540 --> 09:58.360
Not exactly, but they're close.

09:58.390 --> 10:00.400
If I have a router that goes down,

10:00.400 --> 10:09.310
all right, the minimum time necessary for me to restore that back to operation can in many cases, but doesn't

10:09.310 --> 10:14.770
always have to, be equal to the maximum time that a critical system can be down without some form of

10:14.770 --> 10:15.940
substantial impact.

10:15.940 --> 10:21.550
Now, keep in mind the term substantial is a very soft term, and part of business impact analysis is to

10:21.550 --> 10:26.730
try to get an idea of what substantial means for any particular organization.

10:26.900 --> 10:34.500
Now, recovery point objective is the maximum amount of data that can be lost without substantial impact.

10:34.510 --> 10:39.760
Now, here at Total Seminars we're backing stuff up almost constantly, and we have to: we have accounts

10:39.760 --> 10:46.270
receivable coming in, we have accounts payable, and, you know, you guys like these training videos and

10:46.270 --> 10:52.750
test banks and vouchers for CompTIA exams and things like that, and you would be very crabby at me

10:52.750 --> 10:57.430
if we lost your data and I couldn't give you the stuff that you paid for.

10:57.430 --> 11:05.770
So for us here at Total Seminars, our recovery point objective is a very, very small space.

11:05.770 --> 11:10.870
It's less than 24 hours' worth of data, because usually if it's 24 hours we can call you back, but any

11:10.870 --> 11:13.470
more than that and we would be in trouble.

11:14.140 --> 11:14.670
Wow.

11:14.680 --> 11:19.970
So business impact analysis covers a lot of terminology that you'll be seeing on the exam.

11:19.980 --> 11:26.830
What I want to stress to you is that CompTIA barely touches all that business impact analysis is.

11:27.250 --> 11:31.540
Business impact analysis is a huge, huge concept, but at least for the exam,

11:31.660 --> 11:37.090
make sure you're comfortable with things like recovery time objective and personal information, and you'll

11:37.090 --> 11:39.150
do just fine.

