
Business Impact Assessment

Information Risk Analysis Methodologies (IRAM) project

June 2004

WARNING

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org or on +44 (0)20 7213 1745. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Table of contents

Part 1 Introduction
  This report ... 1
  Purpose of this report ... 1
  Who should read this report? ... 1
  Basis for this report ... 1

Part 2 Understanding business impact assessment
  What is a business impact assessment? ... 2
  Why undertake a business impact assessment? ... 3
  When to carry out a business impact assessment? ... 4

Part 3 Establishing a business impact assessment programme
  Introduction ... 6
  Developing a Business Impact Reference Table ... 6
  Identifying systems to be assessed ... 11

Part 4 The ISF approach to business impact assessment
  Introduction ... 13
  Key characteristics of the ISF's approach to business impact assessment ... 13
  The business impact assessment process ... 14
  Tools and forms to help conduct a business impact assessment ... 17

Part 5 Performing a business impact assessment
  Introduction ... 18
  Preparing for a business impact assessment ... 20
    A Determining the system profile ... 20
    B Planning the assessment ... 21
  Conducting a business impact assessment ... 22
    A Introducing the assessment ... 22
    B Assessing business impact ... 26
    C Determining overall results ... 34
    D Reviewing results ... 37

Appendix A Tools, information sheets and forms to use in a business impact assessment ... 40

Appendix B Further sources of information ... 42

Figure 1: Key steps and activities in the business impact assessment process

Part 1: Introduction

This report

This report provides practical guidance on how to conduct effective, business-driven business impact assessments. It explains what a business impact assessment (BIA) is, outlines the sound business reasons why organisations should undertake them and highlights the key features of the business-driven approach that has been developed by the ISF. The report fully describes the steps and activities that need to be carried out in a business impact assessment (see Figure 1) and the tools and forms that should be used to support this undertaking. Significantly, the report also provides clear guidance on how to review the results of a business impact assessment and determine the next steps that should be taken to help ensure information risk is managed effectively.

NOTE: This report has evolved from the ISF's previous risk analysis methodologies, SARA and SPRINT, and has been designed to replace SARA Phase 2 (Identify business requirements for security) and SPRINT Phase 1 (Assess business risks).

Purpose of this report

The purpose of this report is to help information risk analysts and information security practitioners carry out effective business impact assessments. In particular it will help them understand the:

- sound business reasons for carrying out business impact assessments
- forms and tools that should be used
- steps and activities that need to be undertaken to prepare for and conduct business impact assessments.

Who should read this report?

This report should be read by:

- information risk analysts and information security practitioners responsible for conducting business impact assessments
- information security managers planning programmes of work in information risk analysis
- auditors and risk specialists wishing to gain a better understanding of the business impact assessment of systems.

Basis for this report

This report is based on information gathered from:

- workgroups held with ISF Members to examine the issues and requirements of business impact assessment
- analysis of information risk analysis and business impact assessment methodologies (including the ISF's own SARA and SPRINT)
- third party experts on information risk analysis.

Part 2: Understanding business impact assessment

What is a business impact assessment?

A business impact assessment is a method of determining the possible business impact that an organisation could experience as a result of an incident that compromises information in a system. The business impact assessment method described in this report has been designed to analyse information risk in systems (eg business applications such as e-commerce systems, sales order processing systems and production control systems).

NOTE: It has not been designed to analyse information risk in other environments (such as networks and data centres), although much of the overall approach may still be applicable. Care should be taken when it is used in such environments, and customisation may be necessary.

Business impact assessment helps determine the business security requirements for a system and the appropriate next steps that need to be taken to protect information adequately. It is the first step in an overall process (the information risk analysis process) that enables effective security measures to be identified to help minimise the frequency and impact of damaging incidents (see Figure 2 below).

Figure 2: The information risk analysis process

Business impact assessment is a business-driven undertaking that helps ensure the organisation's business need for protecting information is clearly identified. In doing so it helps determine both the scope and the focus of all subsequent steps in the information risk analysis process.

Why undertake a business impact assessment?

Most organisations have to deal with a constant barrage of threats to information. These threats vary considerably, from malfunctions of hardware and software to internal misuse of systems and external attack (eg hacking and viruses). Where threats to information are not effectively countered by measures such as preventative controls, incidents can and do occur. The ISF's 2003 Information Security Status Survey (the ISF Survey) shows that, on average, applications in the participating organisations experienced 160 incidents per annum, or three incidents per working week. The business impact of these incidents upon organisations is considerable. Figure 3 below, which is based on data from the ISF Survey, shows the types of business impact that applications suffering incidents typically experience (see the ISF's report entitled Critical Business Applications: Improving Security).

Figure 3: The business impact of incidents

Business impacts such as unforeseen costs, delayed deliveries to customers and reduction in staff morale/productivity directly affect the ability of an organisation to operate effectively and can have a significant cost implication (the average cost of most serious incidents recorded in the ISF Survey for critical business applications was $1.9 million). Details of the top three most serious incidents recorded for applications in the ISF Survey can be seen in Figure 4 below.

Figure 4: Top three costliest most serious incidents experienced by surveyed applications

The high percentage of organisations that experience serious business impacts and the high cost of incidents indicate that many organisations are not protecting their key business information adequately. Business impact assessment, as part of an effective information risk analysis process, helps organisations identify effective security measures to address this major business problem.

When to carry out a business impact assessment?

Business impact assessment should ideally be carried out during the development of new systems (eg at the initiation and design stages), as building in security at this stage is likely to be far more cost effective than adding it on later when a system is fully operational.

By undertaking a business impact assessment at the commencement of a new systems development project it is possible to ensure the business security requirements are clearly identified right from the outset. The outcome from a business impact assessment undertaken at this early stage should directly affect the degree of rigour and attention to detail that is applied during the development of the system (and the level of sign off that is required). For systems that are already live, priority should be given to those that appear more important to the organisation. Guidelines for identifying and prioritising live systems for business impact assessment can be found in Part 3: Establishing a business impact assessment programme.

Part 3: Establishing a business impact assessment programme

Introduction

Prior to conducting a business impact assessment there are a number of important programme-related elements of work that should be undertaken. These activities are generic and can be conducted at any time leading up to a business impact assessment. They are necessary to ensure business impact assessments are run in an effective and professional manner and that reliable and trustworthy results are produced. The key elements of work to be undertaken prior to performing a business impact assessment are:

1. Developing a Business Impact Reference Table
2. Identifying systems to be assessed.

This part of the report describes these elements of work and explains how they should be carried out.

NOTE: Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the information sheets, forms and other supporting documents that are referred to in this part of the report.

Developing a Business Impact Reference Table

The ISF approach to business impact assessment is based on organisations using their own pre-defined, organisation-specific, Business Impact Reference Table. This section of the report explains how an organisation can develop its own Business Impact Reference Table. A Business Impact Reference Table is a powerful yet relatively simple tool that enables business impact to be determined in an accurate and consistent manner throughout an organisation. Using business language and a straightforward approach that is easy-to-understand, it enables non-specialists to make well-informed judgements about the level of business impact that could occur in the event of an incident that compromises the confidentiality, integrity or availability of information. Typically signed-off at senior management (or preferably board) level, a Business Impact Reference Table provides a standard against which business impact judgements can be made throughout an organisation. Its widespread use is key to undertaking business impact assessments in a consistent manner across an organisation, and is necessary to enable valid comparisons and relative judgements about business impact in different systems to be made.

Figure 5 below shows a sample of a Business Impact Reference Table. It explains the key fields and shows the different levels of impact (from Very high to Very low) for each business impact type.

Figure 5: Sample of a Business Impact Reference Table (Financial category shown)

Ref. | Business impact type | Property of information | Appropriate measure | A Very high | B High | C Medium | D Low | E Very low
F1 | Loss of sales, orders or contracts (eg sales opportunities missed) | | Financial impact (%) | 20%+ | 11% to 20% | 6% to 10% | 1% to 5% | Less than 1%
F2 | Loss of tangible assets (eg fraud, theft of money, lost interest) | | Financial impact ($) | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F3 | Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations) | | Financial impact ($) | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F4 | Unforeseen costs (eg recovery costs) | | Financial impact ($) | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F5 | Depressed share price (eg sudden loss of share value) | | Loss of share value (%) | 25%+ | 11% to 25% | 6% to 10% | 1% to 5% | Less than 1%

Key to the fields:
- Ref. and category: the category of business impact (eg Financial, Operational, Customer-related, Employee-related) and a reference for each type within it
- Business impact type: the main types of business impact that could occur as a result of an incident
- Property of information: the property of information being assessed (Confidentiality, Integrity or Availability), filled in during the assessment
- Appropriate measure: the appropriate measure for each type of business impact
- Level of impact (A to E): the level of impact that could occur.

NOTE: In some organisations, particularly those that are highly diversified, it may be necessary to create different Business Impact Reference Tables for use in different divisions or operating units. Where this is warranted, care should be taken to ensure use of each Business Impact Reference Table is restricted to the appropriate division or operating unit.

For information risk analysts and those familiar with carrying out information risk analysis, creating a Business Impact Reference Table is a relatively straightforward undertaking. Using the example Business Impact Reference Table that accompanies this report as a starting point (see Appendix A: Tools, information sheets and forms to use in a business impact assessment), it is possible to develop one relatively quickly by carrying out the following three activities:

1. Determine the business impact types to be used
2. Determine business impact measures and values
3. Gain senior management (board level) sign off.

NOTE: It is recommended that the first two activities are undertaken in a workshop setting with the participation of business managers.

1. Determine the business impact types to be used

The business impact types that are used in a Business Impact Reference Table should be representative of what could happen in the event of the compromise of the confidentiality, integrity or availability of information. It is therefore important that they are selected with care, reviewed and subjected to peer inspection to ensure they are correct. Although there is a wide variety of possible business impacts, there is a core set that is common to most organisations. The ISF has identified 15 business impact types that are representative of what can happen in most organisations, and it is recommended that these are used as the basis for determining the appropriate ones in a specific organisation. These business impact types are shown in Table 1 below.

Table 1: ISF business impact types

Ref. | Business impact type | Examples | Appropriate measure
Financial
F1 | Loss of sales, orders or contracts | Sales opportunities missed, orders not taken or contracts that cannot be signed. | Financial impact (%)
F2 | Loss of tangible assets | Fraud, theft of money and lost interest. | Financial impact ($)
F3 | Penalties/legal liabilities | Breach of legal, regulatory or contractual obligations. | Financial impact ($)
F4 | Unforeseen costs | Recovery costs, uninsured losses, increased insurance. | Financial impact ($)
F5 | Depressed share price | Sudden loss of share value, prolonged loss of share value, random share value fluctuation. | Loss of share value (%)
Operational
O1 | Loss of management control | Impaired decision-making, inability to monitor financial positions, process management failure. | Extent of loss of control
O2 | Loss of competitiveness | Repetitive production line failures, degraded customer service, introduction of new pricing policies. | Targets underachieved (%)
O3 | New ventures held up | Delayed new products, delayed entry into new markets, delayed mergers/acquisitions. | Extent of delay (time)
O4 | Breach of operating standards | Contravention of regulatory standards, quality or safety standards. | Extent of sanctions imposed
Customer-related
C1 | Delayed deliveries to customers or clients | Failure to meet product delivery deadlines, failure to complete contracts on time. | Extent of delay (time)
C2 | Loss of customers or clients | Customer/client defection to competitors, withdrawal of preferred supplier status by customer/client. | Percentage of customers lost (%)
C3 | Loss of confidence by key institutions | Adverse criticism by investors, regulators, customers or suppliers. | Extent of loss of confidence
C4 | Damage to reputation | Confidential financial information published in media, compromising internal memos broadcast by media. | Extent of negative publicity
Employee-related
E1 | Reduction in staff morale/productivity | Reduced efficiency, lost time, job losses. | Extent of loss of morale
E2 | Injury or death | Harm to staff, customers or suppliers associated with the organisation. | Number of incidents (n)

To identify the specific business impact types that are appropriate for the organisation, the business impact types identified in Table 1 above should be reviewed and any that are inappropriate should be amended or removed. In addition organisation-specific business impact types that may be required should be added at this stage (eg lost production, return on investment, R&D project failure).

2. Determine business impact measures and values

The measures and values that are used for each business impact type should also be appropriate for the organisation and meaningful to those taking part in a business impact assessment (see Figure 6 below). The measures should accurately reflect the business impact types and the values should reflect the gradation in the Level of impact ratings (ie Very high to Very low). These two elements combined should enable participants to easily determine the severity of impact that could occur.

Figure 6: Examples of business impact measures and values in a sample Business Impact Reference Table

Ref. | Business impact type | Property of information | Appropriate measure (examples of business impact measures) | A Very high | B High | C Medium | D Low | E Very low (examples of business impact values)
F1 | Loss of sales, orders or contracts (eg sales opportunities missed) | | Financial impact (%) | 20%+ | 11% to 20% | 6% to 10% | 1% to 5% | Less than 1%
F2 | Loss of tangible assets (eg fraud, theft of money, lost interest) | | Financial impact ($) | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F3 | Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations) | | Financial impact ($) | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F4 | Unforeseen costs (eg recovery costs) | | Financial impact ($) | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F5 | Depressed share price (eg sudden loss of share value) | | Loss of share value (%) | 25%+ | 11% to 25% | 6% to 10% | 1% to 5% | Less than 1%

NOTE: Members may wish to change business impact measures and values, where appropriate, to those that accurately represent their own organisation (eg a global financial institution is likely to require much larger Level of impact values than a medium sized manufacturing organisation).

It is recommended that the business impact types, along with the measures and values identified in the example Business Impact Reference Table that accompanies this report, should be used as the basis for developing organisation-specific measures and values.

NOTE: An example Business Impact Reference Table can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.
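An organisation that wants its analysts (or the BIA Assistant spreadsheet) to apply the Business Impact Reference Table consistently will usually encode the table in machine-readable form. The following is an added example, not ISF code or the BIA Assistant itself: it encodes the Financial rows of the sample table above and rates an estimated impact against them. One point it makes explicit that the printed sample does not: the printed bands overlap at their edges ("$1m to $20m" and "$100K to $1m" both contain $1m) and leave gaps between whole percentages (10% to 11%). The example resolves both by storing only the lower bound of each band; which rule your own table adopts is an organisation-specific decision and should be recorded with the signed-off table. The impact estimates used in the usage line are constructed, not survey data.

```python
"""Machine-readable Business Impact Reference Table (BIRT) with a rater.

Added example (not ISF code): encodes the sample Financial rows from
Figure 5 / Figure 6 and rates an estimated impact value against them.
The treatment of band boundaries is an assumption explained below.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

LEVELS = ("A", "B", "C", "D", "E")
LEVEL_NAMES = {"A": "Very high", "B": "High", "C": "Medium", "D": "Low", "E": "Very low"}


@dataclass(frozen=True)
class ImpactType:
    ref: str
    name: str
    measure: str                       # eg "Financial impact ($)"
    lower_bounds: Tuple[float, ...]    # lower bound of A, B, C, D; anything below D is E


# Assumption: the printed sample bands overlap at their edges ("$1m to $20m" and
# "$100K to $1m" both contain $1m) and leave gaps between integer percentages
# (10% to 11%). Using lower bounds only resolves both: a value on a boundary goes
# to the more severe band ($1m rates B), a value in a gap goes to the less severe
# band (10.5% rates C). Record whichever rule your own BIRT adopts.
PCT = (20.0, 11.0, 6.0, 1.0)
USD = (20_000_000.0, 1_000_000.0, 100_000.0, 10_000.0)
SHARE = (25.0, 11.0, 6.0, 1.0)

SAMPLE_BIRT: Dict[str, ImpactType] = {
    "F1": ImpactType("F1", "Loss of sales, orders or contracts", "Financial impact (%)", PCT),
    "F2": ImpactType("F2", "Loss of tangible assets", "Financial impact ($)", USD),
    "F3": ImpactType("F3", "Penalties/legal liabilities", "Financial impact ($)", USD),
    "F4": ImpactType("F4", "Unforeseen costs", "Financial impact ($)", USD),
    "F5": ImpactType("F5", "Depressed share price", "Loss of share value (%)", SHARE),
}


def validate_birt(birt: Dict[str, ImpactType]) -> bool:
    """Check a (possibly organisation-specific) table before it is signed off:
    every type needs exactly four strictly descending, non-negative bounds."""
    for ref, t in birt.items():
        b = t.lower_bounds
        if len(b) != 4 or b[-1] < 0 or any(x <= y for x, y in zip(b, b[1:])):
            raise ValueError(f"{ref}: bounds must be four strictly descending values, got {b}")
    return True


def rate(ref: str, value: float, birt: Dict[str, ImpactType] = SAMPLE_BIRT) -> str:
    """Return the level letter A..E for an estimated impact on impact type `ref`."""
    if value < 0:
        raise ValueError("impact estimates are non-negative")
    for level, bound in zip(LEVELS, birt[ref].lower_bounds):
        if value >= bound:
            return level
    return "E"


def worst(estimates: Dict[str, float], birt: Dict[str, ImpactType] = SAMPLE_BIRT) -> Tuple[str, str]:
    """Rate several impact types and return (most severe level, the type that drove it).
    Ties go to the first type in the order given."""
    rated = {ref: rate(ref, v, birt) for ref, v in estimates.items()}
    ref = min(rated, key=lambda r: LEVELS.index(rated[r]))
    return rated[ref], ref


if __name__ == "__main__":
    validate_birt(SAMPLE_BIRT)
    # Constructed estimates for one system: $250K fraud exposure and a $5m regulatory penalty.
    level, driver = worst({"F2": 250_000, "F3": 5_000_000})
    print(f"{driver} -> {level} ({LEVEL_NAMES[level]})")
```

Run validate_birt on every organisation-specific table before it goes under change control; a table whose bands are not strictly ordered will rate inconsistently in a workshop without anyone noticing.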

3. Gain senior management (board level) sign off

Once the organisation-specific Business Impact Reference Table has been fully populated it is important that it is underwritten at senior management or, preferably, at board level. Its use throughout the organisation can then be promoted effectively and it should be distributed for use by all staff who undertake business impact assessments and information risk analysis. Senior management sign-off will help considerably in ensuring a single, consistent, approach to determining business impact is adopted. The signed-off (definitive) Business Impact Reference Table should be placed under change control and any proposed amendments should be subject to a formal review process. When the Business Impact Reference Table is updated it should be distributed immediately to all relevant staff.

Identifying systems to be assessed

Before any business impact assessment is undertaken within an organisation the systems to which it should be applied should first be identified. This enables the scale of work to be determined and the relative priority of systems that should undergo business impact assessment to be identified. Regardless of their type or nature all systems under development should be subjected to business impact assessment. This should be an inherent part of the systems development life-cycle and therefore triggered when a new systems development project is initiated. In live environments, organisations will typically face a backlog of systems that need to undergo information risk analysis (and therefore business impact assessment). Determining the order in which these systems should undergo business impact assessment is problematic and some form of ranking will typically be required to establish the priority of systems.


Organisations should first compile an inventory of all main systems in the organisation. Once this has been completed there are a variety of methods that can be used to identify those systems which appear to be of greater importance than others, such as the:

- importance of the system to senior management (eg a system may be very important to the success of the organisation and subject to a high degree of senior management scrutiny)
- experience of incidents (eg a high number of recent incidents may make a system worthy of specific attention)
- advice from internal audit (eg to undertake information risk analysis on specific systems)
- recommendations from business and IT experts (eg using experts within the organisation to help identify those systems which are key to its operation).

While all of the above factors have their merits, it is recommended that a more objective approach is taken, based on the criticality assessment in the Information Risk Scorecard from the ISF's FIRM methodology (see Figure 7 below, taken from the ISF's report Fundamental Information Risk Management (FIRM): Implementation Guide). This quick, easy-to-use approach gives a high-level view of the confidentiality, integrity and availability requirements of each system and makes comparisons of relative importance straightforward.

Figure 7: Criticality assessment (from the FIRM Information Risk Scorecard)

Information Risk Scorecard: Criticality
Monitoring period: ........   Reference: ........

1. What is the maximum level of harm that the business could suffer if key information held in, processed or transmitted by the information resource were to be accidentally or deliberately:

   Disclosed to the wrong people?         [ ]   Loss of confidentiality
   Falsified or otherwise corrupted?      [ ]   Loss of integrity
   Rendered unavailable for:                    Loss of availability for defined periods of time
     - Less than an hour?                 [ ]
     - Half a day or so?                  [ ]
     - A day?                             [ ]
     - 2-3 days?                          [ ]
     - A week?                            [ ]
     - A month?                           [ ]

Please enter one of the following in each box to indicate the maximum possible level of harm:
A Extremely serious harm, B Very serious harm, C Serious harm, D Minor harm, E No significant harm

The FIRM criticality assessment can be carried out relatively quickly, and different systems can easily be compared using the calculation guidelines in FIRM (see the ISF's report Fundamental Information Risk Management (FIRM): Supporting Material) or by simply comparing the values for Loss of confidentiality, Loss of integrity and Loss of availability.

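When a backlog of live systems has to be ordered for assessment, the scorecard answers above are what gets compared. The following is an added example, not ISF code and not the FIRM calculation guidelines (which are in the separate Supporting Material report and are not reproduced on this page): it holds one scorecard per system, rejects cards whose availability answers get less harmful as the outage lengthens, and ranks systems with an assumed key: the worst harm across confidentiality, integrity and availability, then how many of the three properties sit at that level, then how harmful even the shortest outage is. The three scorecards are constructed sample data.

```python
"""Rank live systems for business impact assessment from FIRM-style
criticality scorecards (Figure 7).

Added example, not ISF code. The harm letters A (extremely serious) to
E (no significant harm) and the questions are from the scorecard; the
ranking key is an assumption, because FIRM's own calculation guidelines
are in a separate ISF report not reproduced here.
"""
from dataclasses import dataclass
from typing import List, Tuple

HARM = {"A": 4, "B": 3, "C": 2, "D": 1, "E": 0}   # bigger = more serious
OUTAGE_PERIODS = ("less than an hour", "half a day", "a day", "2-3 days", "a week", "a month")


@dataclass(frozen=True)
class Scorecard:
    system: str
    disclosed: str                 # harm if disclosed to the wrong people (loss of confidentiality)
    falsified: str                 # harm if falsified or corrupted (loss of integrity)
    unavailable: Tuple[str, ...]   # harm for each OUTAGE_PERIODS entry, shortest first

    def validate(self) -> None:
        letters = (self.disclosed, self.falsified, *self.unavailable)
        bad = [x for x in letters if x not in HARM]
        if bad:
            raise ValueError(f"{self.system}: unknown harm level(s) {bad}")
        if len(self.unavailable) != len(OUTAGE_PERIODS):
            raise ValueError(f"{self.system}: expected {len(OUTAGE_PERIODS)} outage answers")
        # Added sanity check (assumption): a longer outage cannot be rated less
        # harmful than a shorter one; a card that says so was filled in wrongly.
        scores = [HARM[x] for x in self.unavailable]
        if any(later < earlier for earlier, later in zip(scores, scores[1:])):
            raise ValueError(f"{self.system}: harm must not decrease as the outage lengthens")

    def loss_of_availability(self) -> str:
        """Worst availability harm, ie the harm of the longest outage on a valid card."""
        return max(self.unavailable, key=HARM.__getitem__)


def criticality_key(card: Scorecard) -> Tuple[int, int, int]:
    """Assumed ordering: worst harm across C, I and A; then how many of the three
    properties sit at that level; then how harmful even the shortest outage is."""
    c, i, a = HARM[card.disclosed], HARM[card.falsified], HARM[card.loss_of_availability()]
    worst = max(c, i, a)
    return (worst, sum(1 for h in (c, i, a) if h == worst), HARM[card.unavailable[0]])


def rank(cards: List[Scorecard]) -> List[str]:
    """Return system names, most critical first (the first BIA candidates)."""
    for card in cards:
        card.validate()
    return [c.system for c in sorted(cards, key=criticality_key, reverse=True)]


# Constructed sample scorecards for three live systems (not survey data).
SAMPLE = [
    Scorecard("Payroll", "B", "B", ("E", "D", "C", "B", "B", "A")),
    Scorecard("Marketing intranet", "D", "D", ("E", "E", "E", "D", "D", "C")),
    Scorecard("Funds transfer", "B", "A", ("C", "B", "A", "A", "A", "A")),
]

if __name__ == "__main__":
    for name in rank(SAMPLE):
        print(name)
```

The key is deliberately coarse: it only orders the backlog, it does not replace the business impact assessment itself, and two systems with identical keys should be separated by the other inputs listed above (senior management interest, incident history, audit advice).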

Part 4: The ISF approach to business impact assessment

Introduction

The ISF approach to conducting business impact assessment is a straightforward undertaking that uses a structured process and easy-to-use tools. This part of the report provides a brief overview of the main steps required to conduct a business impact assessment and the key tools that are used to support the process.

NOTE: Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the tools, forms, information sheets and other supporting documents that are referred to in this part of the report.

Key characteristics of the ISF's approach to business impact assessment

The ISF's approach to business impact assessment is based on practical experience and the needs of its Members. The key characteristics of this approach are shown in Figure 8 below.

Figure 8: Key characteristics of the ISF's approach to business impact assessment

Characteristic | Examples
Easy-to-use | Clear and business-oriented approach. Process-based with step-by-step guidance for the information risk analyst. Straightforward tools and forms.
Non-technical | Uses business language. Based on participation by business managers. Key decisions in the assessment taken by business managers.
Flexible and scalable | Can be applied to any type of system (eg e-commerce applications, back office applications, manufacturing applications). Can be used on any size of system (eg single user, department-wide, enterprise-wide). Can be used on live systems and those under development.
Comprehensive and thorough | Covers everything required to perform a business impact assessment, from preparation through to analysis of results. Explains in detail all key steps that need to be undertaken.



The business impact assessment process

The main objectives of the ISF approach to business impact assessment are to determine the business security requirements for a system and identify the appropriate next steps that need to be taken to adequately protect information in that system. These objectives are achieved by assessing the possible business impact that could arise as a result of the compromise of the confidentiality, integrity and availability of information. The business impact assessment process is shown in Figure 9 below.

Figure 9: Key steps and activities in the business impact assessment process

The business impact assessment process has been developed to ensure possible business impact is assessed rigorously, business security requirements determined and the appropriate next steps identified clearly. The process is designed to be undertaken sequentially and should ideally (based on Member experience) be conducted in a workshop setting in order to maximise the input from business managers and to ensure transparency and objectivity in the process. A brief overview of the purpose, the duration, the tools, information sheets and forms that are used and the outputs that are produced in performing a business impact assessment is shown in Table 2 below.

Table 2: Overview of the business impact assessment process

Step | Purpose | Duration | Tools, information sheets and forms used | Main outputs
Preparing for a business impact assessment
A Determining the system profile | To gather key background information about the system to be assessed. | ~1 day | Blank System Profile form | Completed System Profile form
B Planning the assessment | To plan and prepare the meeting for the business impact assessment. | ~120 mins | Example invitation letter; Information sheets | Agenda for the BIA; Completed invitation letter; Information sheets
Conducting a business impact assessment
A Introducing the assessment | To set the scene for the assessment and familiarise participants with the system to be assessed and the main tools that will be used. | ~30 mins | BIA Presentation; BIA Assistant; Completed System Profile form; Business Impact Reference Table; Information sheets | Not applicable
B Assessing business impact | To assess possible business impact for confidentiality, integrity and availability. | ~90 mins | BIA Presentation; BIA Assistant; Business Impact Reference Table; Blank Business Impact Rating forms | Completed Business Impact Rating form for confidentiality; Completed Business Impact Rating form for integrity; Completed Business Impact Rating form for availability
C Determining overall results | To determine the business security requirements and overall security classification for the system. | ~15 mins | BIA Presentation; BIA Assistant; Blank Business Impact Assessment Summary form | Partially completed Business Impact Assessment Summary form
D Reviewing results | To review the results of the assessment and determine the next steps that need to be taken. | ~15 mins | BIA Presentation; BIA Assistant; Partially completed Business Impact Assessment Summary form | Completed Business Impact Assessment Summary form

NOTE: The timescales required to undertake each of the above steps are approximate and will vary according to the complexity of the system being assessed and the experience of the information risk analyst.

The main tools and forms that are used to conduct a business impact assessment that are identified in Table 2 are now described in more detail in the following section.


Tools and forms to help conduct a business impact assessment

The ISF approach to business impact assessment uses five main tools and forms to help information risk analysts conduct a business impact assessment. These are shown in Figure 10 below.

BIA Presentation

The BIA Presentation (see Appendix A: Tools, information sheets and forms to use in a business impact assessment) is used by the information risk analyst to guide participants through the business impact assessment.

Business Impact Reference Table

A Business Impact Reference Table is used by participants to determine the level of business impact that could occur as a result of the loss of confidentiality, integrity and availability of information.

Business Impact Rating forms

Business Impact Rating forms are used by the information risk analyst to record the ratings for each business impact type from the participants use of the Business Impact Reference Table.

Business Impact Assessment Summary form

The Business Impact Assessment Summary form is used to record the overall results from the assessment, including the Key Business Impact Assessment Ratings and the Overall Security Classification.

BIA Assistant

The BIA Assistant (see Appendix A: Tools, information sheets and forms to use in a business impact assessment) is a spreadsheet-based tool that captures business impact ratings from a Business Impact Reference Table and automatically transfers them to the Business Impact Rating form and then to the Business Impact Assessment Summary form.

Figure 10: Tools and forms used to conduct a business impact assessment

Each of the tools and forms shown in Figure 10 is described in detail in Part 5: Performing a business impact assessment.


Part 5: Performing a business impact assessment

Introduction

In order to conduct effective business impact assessments in different system environments it is important to employ a process that is structured and consistent. The ISF's business impact assessment process has been developed with this in mind. It has been designed to meet the Member requirement for an approach that is not only flexible, easy-to-use and practical but also thorough and action oriented. As described earlier there are two main parts to performing a business impact assessment. These parts and their key steps are shown in Figure 11 below and then described in detail in the sections that follow.

Figure 11: Key steps in the business impact assessment process

NOTE: Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the tools, information sheets, forms and other supporting documents that are referred to in this part of the report.

NOTE: The importance of workshops

Members of the ISF have confirmed that, ideally, business impact assessments should be conducted in a workshop setting with participants who represent the appropriate parts of the organisation. With good facilitation (a key requirement) workshops provide an environment in which business impact can be fully and objectively discussed. They enable business staff to exchange ideas and reach a common view on the importance of a system and, ultimately, its business security requirements. It is recognised, however, that due to the dispersed nature of many organisations convening a workshop may not always be possible. In these circumstances (or where a business impact assessment must be conducted in short timescales) either video-conferencing or telephone-conferencing technologies should be used or, alternatively, individual interviewing.

Preparing for a business impact assessment


Before a business impact assessment is conducted there are a number of preparatory steps that should be undertaken to ensure it is effective and successful. The main steps that should be carried out at this stage are:

A Determining the system profile
B Planning the assessment

These two steps are explained below.

A Determining the system profile

Prior to undertaking a business impact assessment it is important to gather background information about the system to be assessed. This information provides a profile of the system and, in particular, gives an insight into its function, scale and relative importance before a business impact assessment is undertaken. In gathering background information the main characteristics of the system should be determined. Typical information that is likely to be required includes:

- key staff involved in the system (eg system owner)
- business function of the system (eg funds transfer)
- scale of activity (eg number of users)
- key trends (eg increases/decreases in operating costs)
- technical details (eg network type).

Gathering this information will typically necessitate interviewing a number of key staff, and in particular the system owner (or their appropriate representative). A blank System Profile form that can be used to gather information about a system can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version. Interviewing the system owner (or their representative) provides a good opportunity to reinforce the requirement for conducting a business impact assessment and the importance and need for effective information risk management.


By analysing the information on the System Profile form it is possible to form an initial view of the relative importance of the system to the organisation. In organisations where there are many systems that require a business impact assessment to be conducted, this information can be used to help prioritise the order in which assessments take place (see Identifying systems to be assessed in Part 3: Establishing a business impact assessment programme). The information gathered about a system in a System Profile form should be retained for use in later phases of the information risk analysis process.

B Planning the assessment

To ensure a business impact assessment runs smoothly and is effective it is important that it is planned in a thorough manner. The two most important actions that should be undertaken at this stage are to determine with the system owner the date when the business impact assessment should take place and to identify the key staff (eg representatives from key business functions and IT management) who should take part. For new systems the schedule of when a business impact assessment should be held is determined by the system's development life-cycle (eg a business impact assessment would ideally be undertaken during the project initiation stage). For live systems the date for undertaking a business impact assessment will largely depend on the system owner but may be influenced by factors such as the availability of key staff, the timing of important processes (eg end-of-month processing) and concerns about the adequacy of existing measures to manage information risk. To ensure the judgements that are made about business impact and the business security requirements for a system are objective and representative, key staff from a variety of business functions should be identified to attend the business impact assessment.


Once the date for the business impact assessment has been agreed and the prospective participants determined, a formal agenda, invitation letter and information sheets about business impact assessment should be sent out. An example invitation letter and information sheets that can be used to inform staff about a business impact assessment can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.


Conducting a business impact assessment

In conducting a business impact assessment the following steps should be undertaken:

A Introducing the assessment
B Assessing business impact
C Determining overall results
D Reviewing results

These four steps are explained below. A presentation (entitled BIA Presentation) has been developed to accompany this report. This presentation, which can be customised by the information risk analyst, is designed to lead participants through each stage of a business impact assessment. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this presentation can be found.


A Introducing the assessment

The main objective of this step is to ensure participants are adequately prepared to take part in the assessment. The key activities to be undertaken during this step of the process are:

A1 Set the scene for the assessment
A2 Provide overview of the system
A3 Familiarise participants with the tools and forms.

This section of the report describes these activities and explains how they should be carried out.

Activity A1: Set the scene for the assessment
Objective: To explain the purpose of the business impact assessment and provide the business context for undertaking business impact assessment.


At the commencement of the business impact assessment participants should be provided with a brief overview of the agenda, an explanation of the purpose of the business impact assessment and an insight into the business reasons for conducting it. The following items should be covered in the introduction:

- welcome and round table introductions
- agenda and timings
- purpose of the business impact assessment
- what is business impact assessment?
- why carry out a business impact assessment?

Slides covering the above items are contained in the BIA Presentation.

Explaining the nature and use of information

In many cases staff attending a workshop or being interviewed as part of a business impact assessment will not have a technical background and will therefore have a limited understanding of the nature and use of information and how it can be compromised. Furthermore, the concept of information having different properties (confidentiality, integrity and availability) will also be unfamiliar to most participants. To ensure those taking part in a business impact assessment are able to make a full and worthwhile contribution it is important that the information risk analyst provides a thorough explanation of information, covering the:

- definition of information (eg facts that convey meaning)
- main types of information that are used in the workplace (eg data, paper, speech, phone-calls)
- main ways in which information is acted on in a system (eg stored, processed or transferred)
- key properties of information (ie confidentiality, integrity, availability)
- threats to information and the controls that are required to ensure it is adequately protected.

To introduce and explain the concept of the different properties of information it is recommended to use the examples of compromises of confidentiality, integrity and availability that are contained in the information sheet Why we need to protect our information (located in the pocket at the end of the printed version of this report). Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.


In addition to the agenda and the attendance list it is recommended that all participants are provided with a pack of reference material. This pack should include the items identified in Table 3 below.

Table 3: Contents of a business impact assessment reference pack

Item name: BIA Presentation
Brief description: The slides from the presentation used by the information risk analyst to guide participants through the business impact assessment.

Item name: Business Impact Reference Table
Brief description: The organisation's approved Business Impact Reference Table.

Item name: Business Impact Rating forms (for confidentiality, integrity and availability)
Brief description: Blank Business Impact Rating forms that can be used by participants to record their own ratings and comments.

Item name: Business Impact Assessment Summary form
Brief description: Blank Business Impact Assessment Summary form that can be used by participants to record their own ratings and comments.

Item name: System Profile form
Brief description: A brief profile of the key business and technical characteristics of the system.

Item name: Information sheets (Why we need to protect our information; Determining the business requirement for information security; Threats to information; The business impact of incidents)
Brief description: Information sheets sent to participants prior to a business impact assessment, and those provided to participants during the assessment, included for reference purposes.

NOTE: Printed versions of the Business Impact Reference Table, Business Impact Rating forms, Business Impact Assessment Summary form, System Profile form and information sheets can be found in the pocket at the end of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.

The information risk analyst should explain the contents of the pack and how it should be used during the business impact assessment.

Activity A2: Provide overview of the system
Objective: To brief business impact assessment participants on the key characteristics of the system.

After the introduction to the business impact assessment, participants should be briefed on the key characteristics of the system being assessed. Typically taken from the System Profile form, this information should be used to ensure all business impact assessment participants have a common understanding of the:

- function of the system (eg product sales)
- scale of the system (eg high volume of low- to medium-value transactions)
- importance to the organisation (eg very important system, accounts for 25% of revenue)
- technical make-up of the system (eg internet-based).

It is important to ensure all participants are well informed and have a common understanding of the system if sound judgements about business impact are to be made during the business impact assessment.

Activity A3: Familiarise participants with the tools and forms
Objective: To ensure participants understand the tools and forms that will be used in the business impact assessment.

Before commencing the assessment of business impact it is important that participants understand the main tools and forms that will be used in the business impact assessment. This activity is concerned with familiarising participants with the:

- Business Impact Reference Table
- Business Impact Rating forms
- Business Impact Assessment Summary form
- BIA Assistant.

The information risk analyst facilitating the business impact assessment should show and explain the contents and use of each of the above tools and forms. Particular emphasis should be placed on the Business Impact Reference Table that is approved for use within the organisation.

NOTE: The BIA Presentation contains slides that explain the business impact assessment process and the tools and forms that should be used.

At this stage it is recommended that the process for transferring results between the Business Impact Reference Table and the Business Impact Rating forms is explained and also how the summary information from the Business Impact Rating forms is transferred to the Business Impact Assessment Summary form. A spreadsheet-based tool (entitled BIA Assistant) for capturing the results of a business impact assessment has been developed to accompany this report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this tool can be found.


B Assessing business impact

This step of the business impact assessment process is concerned with assessing business impact for a loss of confidentiality, integrity and availability. The main objective of this step is to ensure participants assess business impact in an objective and considered manner. The key activities to be undertaken during this step of the process are:

B1 Assess possible business impact for a loss of confidentiality
B2 Assess possible business impact for a loss of integrity
B3 Assess possible business impact for a loss of availability.

This section of the report describes these activities and explains how they should be carried out.

When assessing business impact using the Business Impact Reference Table, business impact assessment participants should be requested to follow the steps shown in Figure 12 below.

Figure 12: Assess possible business impact

1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur.
3. Reach a consensus as a group and record the level of impact.
4. Repeat for the remaining business impact types.

The figure overlays these steps on the Financial section of the Business Impact Reference Table, whose columns are: Property of information; Ref.; Business impact type; Appropriate measure; Level of impact (A Very high, B High, C Medium, D Low, E Very low).

F1 Loss of sales, orders or contracts (eg sales opportunities missed)
   Measure: Financial impact. A: 20%+; B: 11% to 20%; C: 6% to 10%; D: 1% to 5%; E: Less than 1%
F2 Loss of tangible assets (eg fraud, theft of money, lost interest)
   Measure: Financial impact. A: $20m+; B: $1m to $20m; C: $100K to $1m; D: $10K to $100K; E: Less than $10K
F3 Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations)
   Measure: Financial impact. A: $20m+; B: $1m to $20m; C: $100K to $1m; D: $10K to $100K; E: Less than $10K
F4 Unforeseen costs (eg recovery costs)
   Measure: Financial impact. A: $20m+; B: $1m to $20m; C: $100K to $1m; D: $10K to $100K; E: Less than $10K
F5 Depressed share price (eg sudden loss of share value)
   Measure: Loss of share value. A: 25%+; B: 11% to 25%; C: 6% to 10%; D: 1% to 5%; E: Less than 1%

NOTE: When assessing the level of impact for a loss of availability, each duration of outage (ie an hour, a day, 2-3 days, a week, a month) will need to be assessed for each business impact type (see B3 Assess possible business impact for a loss of availability).

Figure 13: Example Business Impact Rating form for Confidentiality

Business Impact Rating: Confidentiality
Business impact of unintended or unauthorised disclosure of information (most serious case)
Business impact rating (one of A Very high, B High, C Medium, D Low, E Very low is ticked against each business impact type, with explanatory comments alongside)

Financial
F1 Loss of sales, orders or contracts
F2 Loss of tangible assets
F3 Penalties/legal liabilities
F4 Unforeseen costs
F5 Depressed share price
Explanatory comment recorded: Disclosure of pricing information would seriously damage sales.

Operational
O1 Loss of management control
O2 Loss of competitiveness
O3 New ventures held up
O4 Breach of operating standards
Explanatory comment recorded: Disclosure of pricing information would undermine competitiveness.

Customer-related
C1 Delayed deliveries to customers or clients
C2 Loss of customers or clients
C3 Loss of confidence by key institutions
C4 Damage to reputation
Explanatory comments recorded: Pricing information disclosure would lead to customer losses. Disclosure of pricing information by press would be damaging.

Employee-related
E1 Reduction in staff morale/productivity
E2 Injury or death

Overall Rating: In summary, taking into account the ratings noted above and any other consequence, what is the most serious impact which would arise from unintended or unauthorised disclosure of information? (This would normally be at least as high as the highest individual rating.)

Activity B1: Assess possible business impact for a loss of confidentiality
Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the confidentiality of information in the system.

In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term confidentiality, how it can be compromised and what impact this could have on the organisation. Accordingly the information risk analyst should ask participants to consider:

- what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?
- how could the confidentiality of this information be compromised (eg hacking into systems or theft of proprietary business information)?
- what would be the business impact that could arise from the compromise of the confidentiality of this information (eg disclosure of pricing information to a competitor)?

To help participants understand the above it is recommended that a scenario is developed based around real-life examples of incidents taken from within the organisation (or a similar organisation).


In completing the steps required to assess business impact participants should use the organisation's approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:

1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur.
3. Reach a consensus as a group and record the level of impact (see Figure 13 opposite).
4. Repeat for the remaining business impact types.

For ratings of Very high and High an explanation of how a loss of confidentiality could be damaging to the business should be recorded in the Explanatory comments. When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating recorded for a business impact type.

Figure 14: Example Business Impact Rating form for Integrity

Business Impact Rating: Integrity
Business impact of errors in information or of deliberate manipulation of information to perpetrate or conceal fraud (most serious case)
Business impact rating (one of A Very high, B High, C Medium, D Low, E Very low is ticked against each business impact type, with explanatory comments alongside)

Financial
F1 Loss of sales, orders or contracts
F2 Loss of tangible assets
F3 Penalties/legal liabilities
F4 Unforeseen costs
F5 Depressed share price

Operational
O1 Loss of management control
O2 Loss of competitiveness
O3 New ventures held up
O4 Breach of operating standards
Explanatory comment recorded: Corrupted end-of-month data will lead to poor decision making.

Customer-related
C1 Delayed deliveries to customers or clients
C2 Loss of customers or clients
C3 Loss of confidence by key institutions
C4 Damage to reputation
Explanatory comment recorded: Corrupted order information will cause delivery delays.

Employee-related
E1 Reduction in staff morale/productivity
E2 Injury or death

Overall Rating: In summary, taking into account the ratings noted above and any other consequence, what is the most serious impact which would arise from errors or unauthorised changes to information? (This would normally be at least as high as the highest individual rating.)

Activity B2: Assess possible business impact for a loss of integrity
Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the integrity of information in the system.

In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term integrity, how it can be compromised and what impact this could have on the organisation. Accordingly the information risk analyst should ask participants to consider:

- what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?
- how could the integrity of this information be compromised (eg misusing systems to create fraud, or errors by staff)?
- what would be the business impact that could arise from the compromise of the integrity of this information (eg corrupted customer order information)?

To help participants understand the above it is recommended that a scenario is developed based around real-life examples of incidents taken from within the organisation (or a similar organisation).


In completing the steps required to assess business impact participants should use the organisation's approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:

1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur.
3. Reach a consensus as a group and record the level of impact (see Figure 14 opposite).
4. Repeat for the remaining business impact types.

For ratings of Very high and High an explanation of how a loss of integrity could be damaging to the business should be recorded in the Explanatory comments. When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating recorded for a business impact type.

Figure 15: Example Business Impact Rating form for Availability

Business Impact Rating: Availability
Business impact of a prolonged outage of the system (most serious case)
Business impact rating: A Very high, B High, C Medium, D Low, E Very low, recorded for each duration of outage

Ref. Business impact type                          An hour  A day  2-3 days  A week  A month
Financial
F1   Loss of sales, orders or contracts             B        B      B         A       A
F2   Loss of tangible assets                        E        D      C         C       C
F3   Penalties/legal liabilities                    E        D      C         C       C
F4   Unforeseen costs                               E        D      C         C       B
F5   Depressed share price                          E        D      D         C       C
Explanatory comments recorded: Any system outage would prevent tele-sales being processed. Manual fall-back will be required.

Operational
O1   Loss of management control                     E        D      C         B       B
O2   Loss of competitiveness                        E        D      C         C       C
O3   New ventures held up                           E        D      B         B       A
O4   Breach of operating standards                  E        E      E         E       E
Explanatory comments recorded: Levels of stock and ordering requirements will be unknown. The launch of new products would be prevented.

Customer-related
C1   Delayed deliveries to customers or clients     E        D      C         C       C
C2   Loss of customers or clients                   E        D      C         C       B
C3   Loss of confidence by key institutions         E        D      C         C       C
C4   Damage to reputation                           E        D      C         C       C
Explanatory comment recorded: Customers will use alternative suppliers.

Employee-related
E1   Reduction in staff morale/productivity         E        D      C         C       C
E2   Injury or death                                E        E      E         E       E

Overall Rating (recorded for an hour, a day, 2-3 days, a week and a month): In summary, what is the most serious impact which would arise from an outage of the system? (This would normally be at least as high as the highest individual rating.)

Overall Critical Timescale: What is the critical timescale for recovery of this system (ie the timescale beyond which an outage is unacceptable to the business)? 1 day. Explanatory comment recorded: An outage of one day or more would cause a high impact.

Activity B3: Assess possible business impact for a loss of availability
Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the availability of information in the system.

In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term availability, how it can be compromised and what impact this could have on the organisation. Accordingly the information risk analyst should ask participants to consider:

- what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?
- how could the availability of this information be compromised (eg malfunction of application software or loss of power)?
- what would be the business impact that could arise from the compromise of the availability of this information (eg customers switching to alternative suppliers)?

To help participants understand the above it is recommended that a scenario is developed based around real-life examples of incidents taken from within the organisation (or a similar organisation).


In completing the steps required to assess business impact participants should use the organisation's approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:

1. Examine the business impact type.
2. Determine the most serious impact that could possibly occur for each duration (ie an hour, a day, 2-3 days, a week, a month).
3. Reach a consensus as a group and record the level of impact (see Figure 15 opposite).
4. Repeat for the remaining business impact types.

For ratings of Very high and High an explanation of how a loss of availability could be damaging to the business should be recorded in the Explanatory comments. When all impact types have been assessed an Overall Rating should be determined for each duration of outage. Typically this is at least as high as the highest individual rating for a business impact type. Additionally, for availability, the Overall Critical Timescale should be recorded. Typically this is the timescale beyond which an outage would be unacceptable to the business.

C Determining overall results

This step of the business impact assessment process is concerned with determining the overall results for the assessment. The main objectives of this step are to determine the business security requirements and security classification for the system. The key activities to be undertaken during this step of the process are:

C1 Transfer results to summary form
C2 Determine business security requirements and overall security classification.

This section of the report describes these activities and explains how they should be carried out.

Activity C1: Transfer results to summary form
Objective: To transfer all results obtained in the business impact assessment to the Business Impact Assessment Summary form.

Prior to commencing the transfer of results to the Business Impact Assessment Summary form the general identification information and description of the system should be entered. The Overall Rating on each Business Impact Rating form (for Confidentiality, Integrity and Availability) should then be transferred to the Overall Business Impact Ratings table of the Business Impact Assessment Summary form (see Figure 16 below). The Overall Critical Timescale for the system from the Business Impact Rating form for Availability should also be entered at this stage.

Figure 16: Example Overall Business Impact Ratings table

Key Business Impact Assessment Ratings

Overall Business Impact Ratings (one rating, A to E, is ticked for each row)
- Loss of confidentiality
- Loss of integrity
- Loss of availability: an hour; a day; 2-3 days; a week; a month

Business Security Requirements Rating (one rating, A to E, is ticked for each row)
- Confidentiality
- Integrity
- Availability

Overall Critical Timescale (one is ticked): 1 hr; 1 d; 2-3 d; 1 wk; 1 m

Business impact ratings: A Very high, B High, C Medium, D Low, E Very low

NOTE: The transfer of values is a straightforward activity and does not require any specific input from the business impact assessment participants. The BIA Assistant automatically transfers the results from the Business Impact Rating forms to the Business Impact Assessment Summary form.

Activity C2: Determine business security requirements and overall security classification
Objective: To discuss and agree the Business Security Requirements Rating and the Overall Security Classification for the system.

When the Overall Business Impact Ratings and the Critical Timescale have been entered, the information risk analyst should, in conjunction with the participants, determine the Business Security Requirements Rating and the Overall Security Classification for the system. Typically the values entered in the Business Security Requirements Rating table are taken from the Overall Business Impact Ratings for confidentiality and integrity and from the highest of the availability ratings across the durations of outage (see Figure 17 overleaf).

The Business Security Requirements Rating table shows in a clear manner the security requirement of the system in terms of the requirement for the confidentiality, integrity and availability of information. A high value means there is a high requirement to protect that property of information (because a loss of that property of information would result in a high business impact).

The Business Security Requirements Rating table provides the basis for determining the Overall Security Classification. The colour coding that is used to indicate High (red), Medium (orange) and Low (green) in the Business Security Requirements Rating table helps in the determination of the level of Overall Security Classification. It is recommended that where there is at least one Business Security Requirements Rating that is an A, the Overall Security Classification should be High. In all other cases it is a matter for discussion with the participants in the business impact assessment (although typically the highest Business Security Requirements Rating should determine the minimum level of Overall Security Classification).

As part of determining the Overall Security Classification the information risk analyst should ensure that the business impact assessment participants fully understand the meaning of the different values (in terms of the requirement for security) and how this will ultimately affect the level (and cost) of security that is implemented.

Figure 17: Example of Overall Security Classification and Key Business Impact Assessment Ratings sections

Overall Security Classification (one is ticked): HIGH; MEDIUM; LOW

I agree with the Key Business Impact Assessment Ratings, Overall Security Classification and chosen Next Steps.
System owner signature: JS Dawes. Date: 3 June 2004
Risk analyst signature: HA Frost. Date: 3 June 2004

Key Business Impact Assessment Ratings (laid out as in Figure 16)
- Overall Business Impact Ratings (A to E): loss of confidentiality; loss of integrity; loss of availability for an hour, a day, 2-3 days, a week and a month
- Business Security Requirements Rating (A to E): confidentiality; integrity; availability
- Overall Critical Timescale: 1 hr; 1 d; 2-3 d; 1 wk; 1 m

Business impact ratings: A Very high, B High, C Medium, D Low, E Very low

D Reviewing results

This step of the business impact assessment process is concerned with determining the appropriate steps that need to be taken after the assessment. The main objectives of this phase are to:

- identify clearly the next steps to be taken after the business impact assessment
- document all post-business impact assessment actions to be undertaken.

The key activities to be undertaken during this step of the process are:

D1 Review results of assessment
D2 Agree next steps.

This section of the report describes these activities and explains how they should be carried out.

Activity D1: Review results of assessment
Objective: To review the results of the assessment with the participants to ensure there is widespread agreement on the results.

Prior to concluding the business impact assessment the information risk analyst should review the contents of the Business Impact Assessment Summary form with the business impact assessment participants. This provides those attending with an opportunity to comment on the validity of the findings and whether the ratings and Overall Security Classification accurately reflect the security needs of the system being assessed.

Activity D2: Agree next steps
Objective: To agree the next steps that should be taken after the assessment to ensure information risk is adequately managed.

As part of the review of results the information risk analyst should also examine with the participants the next steps that should be taken after the business impact assessment. The Next Steps ratings that are available for selection in the Business Impact Assessment Summary form are directly related to the Overall Security Classification (see Figure 18 overleaf).


Next Steps

Level / Appropriate action / Tick next step

HIGH
Conduct detailed Threat and Vulnerability Assessment using Phase 2 and 3 of the Information Risk Analysis Process.
Focus on the applicable security requirements identified.

MEDIUM
Conduct standard Threat and Vulnerability Assessment using Phase 2 and 3 of the Information Risk Analysis Process.
Focus on the applicable security requirements identified.

LOW
Terminate the Information Risk Analysis Process.
Verify that appropriate fundamental controls will be implemented.

Actions

Number / Description of action and date for completion / Responsible

1 Send results with cover letter to system owner (24/06/04). HA Frost
2 Contact IT Operations manager and arrange meeting to discuss results of the assessment (by 24/06/04). JS Dawes
3 Forward results to IT department and Internal Audit (24/06/04). HA Frost
4 Commence preparations for standard Threat and Vulnerability Assessment (30/06/04). HA Frost
5 Log results of the assessment in the risk register (30/06/04). HA Frost

Figure 18: Example of Next Steps and Actions in the Business Impact Assessment Summary form

In most cases the Next Steps rating selected will correspond directly with the Overall Security Classification. On occasion, however, the business impact assessment participants, and in particular the system owner, may wish to select a different level of rating for the Next Steps (eg Medium when the Overall Security Classification is High).


Business impact assessment participants may wish to select a different level of rating for the Next Steps when they believe that either more, or less, detailed subsequent analysis of information risk is required. The information risk analyst should ensure that all participants understand the appropriate action that is associated with each level.

The Actions section of the Business Impact Assessment Summary form should be used to capture the main actions that need to be completed as a result of the business impact assessment. Each action should include a date by which it should be completed and indicate the individual responsible for its completion. Certain direct actions are implied by the level of Next Step (High, Medium or Low) that is selected (see Figure 18 opposite). In addition, there may be specific actions that the business impact assessment participants or the system owner wish to see undertaken as a result of the assessment (eg initiate contact with the outsourcing organisation to confirm that basic controls are applied to the system). Progress against all actions should be tracked by the information risk analyst and reported to the system owner.

Upon completion of the business impact assessment, the actions indicated in the Next Steps and those listed in the Actions section should be commenced. For systems that are rated High or Medium this will entail commencing preparations for the next phase of the information risk analysis process: Threat and Vulnerability Assessment.


Appendix A Tools, information sheets and forms to use in a business impact assessment

Introduction

This appendix contains a list of the tools, information sheets, forms and other useful documents that have been developed to support performing a business impact assessment.

The following tools have been developed for use with this report:

BIA Presentation (a Microsoft PowerPoint presentation that the information risk analyst can use to help facilitate a business impact assessment)
BIA Assistant (a Microsoft Excel spreadsheet that automates the data capture and reporting of results in a business impact assessment process).

NOTE: The above software tools can be found on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX2) System (the ISF's Members-only web site).

The following information sheets have been developed for use with this report:

Why we need to protect our information (a single page explanation of the importance of information that should be sent to participants prior to a business impact assessment)
Determining the business requirement for information security (a single page explanation of what takes place in a business impact assessment that should be sent to participants prior to a business impact assessment)
Threats to information (a description of some of the main threats to information, to be used as a reference for participants during a business impact assessment)
The business impact of incidents (an explanation and description of some of the business impacts that can occur from the compromise of information, to be used as a reference for participants during a business impact assessment).

NOTE: Copies of the above information sheets can be found in the pocket at the end of the printed version of this report. They are also provided on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX2) System (the ISF's Members-only web site).


The following forms and other useful documents have been developed for use with this report:

Preparatory documents

Example invitation letter (a letter that can be used to invite staff to take part in a business impact assessment)
System Profile form (a form used to capture business and technical details about a system prior to a business impact assessment)

Business Impact Reference Table

Example Business Impact Reference Table (a Business Impact Reference Table developed as a basis for enhancement by Member organisations)

Business Impact forms

Business Impact Rating form - Confidentiality (a form used to capture the possible business impact that could occur in the event of the loss of confidentiality of information)
Business Impact Rating form - Integrity (a form used to capture the possible business impact that could occur in the event of the loss of integrity of information)
Business Impact Rating form - Availability (a form used to capture the possible business impact that could occur in the event of the loss of availability of information)
Business Impact Assessment Summary form (a form used to capture the overall results from the business impact assessment).

NOTE: Copies of the above forms can be found in the pocket at the end of the printed version of this report. They are also provided on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX2) System (the ISF's Members-only web site).


Appendix B Further sources of information

Contents of this appendix

This appendix contains details of further sources of information about information risk management that the ISF has produced.

Work group material

Minutes, briefing packs and additional background material relating to this report can be found in the IRAM project area on the ISF's Member Exchange (MX2) System.

ISF reports

Gaining management support for information risk analysis (2004)
Information Security Status Survey 2003: Consolidated Reports (2004)
Understanding and using the ISF's information risk management tools (2003)
Requirements for improving information risk analysis (2003)
The Standard of Good Practice for Information Security (2003)
Fundamental Information Risk Management (FIRM): Implementation Guide (2000)
Fundamental Information Risk Management (FIRM): Supporting Material (2000)
SPRINT: User Guide (1997)
SPRINT: Directory of Controls (1997)
SARA: Simple to apply risk analysis for information systems (1993)
Implementation Guide: How to build security into your information systems (1993)
Business Risk Analysis: How to establish a satisfactory IT risk analysis process (1990)


Acknowledgements
The Information Security Forum acknowledges the positive contribution to this project by the following individuals:

Work Group
Jesper Hauge Nissen Marguerite Talary Joop A Zomer Johan Opperman George de Beer Dieter Teichert Thon de Blok Prakash Rao Michael Bownes John Pendleton George Hazell Sagaran Naidoo Len Hendry Franzo Cirinna Andre Botha Paul Raubenheimer Henry Chai Anita Lussetti Petra Claessens Wendy Kachelhoffer Andre Noack Oscar Stark Geoff Dale George Waterman Tom Bakker Foong Hoe Tan-Ho Dominique Remy Trevor Cardwell Sandy Monnappa Simon Krug Paul Johnson Kirsty Still Richard Nealon Michael Hanna Jennifer Kane Kevin Harrington Victor J. Talamo Angus Burden Lee Li Hoon Jennifer Khow Wilfried Kehr Donald Michniuk Terrence Spencer Miroslav Kis Vivek Khindria Herbert Canfield Jody Wahlgren A P Mller Abbey National ABN-AMRO Bank ABSA Bank ABSA Bank ABSA Bank Akzo Nobel AUD Alcon Laboratories Allen & Overy Alliance & Leicester Alliance & Leicester Anglo American Anglo American Anglo American Anglo American Anglo American ANZ ANZ ANZ arivia.kom arivia.kom arivia.kom AstraZeneca AstraZeneca Pharmaceuticals AVIVA AVIVA AXA AXA AXA AXA AXA B&Q Bank of Ireland Group Bank of Ireland Group Bank of Ireland Group Bank of Tokyo-Mitsubishi Bank One Corporation Barclays Bank BASF South East Asia Pte BASF South East Asia Pte Bayer Bechtel Corporation BHP Billiton BMO Financial Group BMO Financial Group Boeing Boeing Kenneth Silsbee Curtis Ames Kit Bender Martin Taylor Jill Trebilcock Angus Pinkerton Matthew Smith Andy Waddell Sanjay Patel Thomas Haeberlen Martina Rohde David Grant Paul Sherry Hong Kong Tey Alan Speed David Austin Harvey Roth Brian Peterson Satya Vithala Gerald Mucklow Martin Hawkins Ronald Chung Boris Hemkemeier Kai BuchholzStepputtis Howard Eakin Peter van Boxtel Stephen Fitzpatrick Rolston Wiltshire Michael Papais Hans Henrik Nielsen Kjell Hermansson Tiaan van Schalkwyk Paul Carroll Ted Humphreys Ola Sannes Simon Royal Tina Wade Paul De Graaff Michael Robinette Pat Everitt Thomas Cummings Boeing Boeing Boeing British Airways British Broadcasting Corporation British Energy BSkyB 
BSkyB BSkyB Bundesamt für Sicherheit in der Informationstechnik Bundesamt für Sicherheit in der Informationstechnik Cadbury Schweppes Cadbury Schweppes Caltex International Pte Centrica Centrica ChevronTexaco ChevronTexaco Citigroup Clariant International Clifford Chance CMG Information Technology Pte Commerzbank Commerzbank ConocoPhillips Corus Group Credit Suisse First Boston Credit Suisse First Boston DaimlerChrysler Danske Bank Danske Bank Deloitte & Touche Department of Social, Community & Family Affairs Department of Trade & Industry Det Norske Veritas Dresdner Kleinwort Wasserstein Dresdner Kleinwort Wasserstein DTCC DTCC EDF Energy EDS Information Security Solutions


Ian Baulch-Jones Wendy Sale Dolly Kapadia Paul de Luca Michael Harrison Erol Mustafa Michel Soupart Guenther Kerker Steve Smit James Cleland Gerhard Cronje Phil Cogger Christof Mllender Loek Sleper Lori Blair Stephen Gill Iain Andrews Steve Greenham Andrew Bebbington Katie C Jenkins Randy Kaeder Paul Charles Tom Stapleton Robert J Symmons Paul Dann Tanya Preston Alan Savage Lynn Yang Pheng Kuek Peter Berlich David Spinks Susan Swope Marc Callaway Geoffrey Tumber Melle Beverwijk Frans Gahrmann Nathan Thompson Simon Marvell Pearly Cheng Johan Kempenaers Ann Hill Chris Hoffman Mark Firgens Gavin Rayner Jerold R Kobiske Erwin Bosma Sipho Ndaba Jaap Halfweeg June Gamber David Lanigan Niek Ijzinga Frans Kersten George McBride William Lim Stephen Fried Barry Pulliam

Electrolux IT Solutions Electronic Data Systems Electronic Data Systems Electronic Data Systems Electronic Data Systems Ernst & Young Euroclear F Hoffmann La Roche First Rand Bank First Rand Bank First Rand Bank Ford Motor Company Ford of Europe Fortis Fortis Fujitsu Services Fujitsu Services GlaxoSmithKline Goldman Sachs & Co Guardent Guardent HarrierZeuros HarrierZeuros Hawker de Havilland HBOS Group HBOS Group HBOS Group HSBC Singapore IBM Switzerland Information Security EMEA Information Security Forum InfoSecure InfoSecure InfoSecure ING Bank Netherlands Innogy Insight Consulting JP Morgan Chase KBC Bank and Insurance Holding Company Kimberly-Clark Corporation Kimberly-Clark Corporation Kimberly-Clark Corporation Kimberly-Clark Corporation Kimberly-Clark Corporation KLM Royal Dutch Airlines KPMG KPN Legal and General Lloyds TSB LogicaCMG LogicaCMG Lucent Technologies Lucent Technologies Lucent Technologies Lucent Technologies

Jim Murphy Amanda Finch Bengt Arild Unnerud Steve Pomfret Anne-Lize de Beer Colin Campbell Leonard Ong Jukka P Savolainen Svein Nygard Tom Remberg Anthony Mullany David Ward Phillip Gregory Manfred Schreck Harmen Frobeen Steen Ledet Niels Rasmussen Joy Buckingham David Clarke Dave Cooper Louis Sherman Donna Staniforth Vagn E Nielsen Philip Godwin Neil Wainman Roar Gulbrandsen Ciaran Kelly Sally Boyce Pat Reed Tarik Tahesh Stephen Donnelly Jean-Christophe Gaillard Adrie Janssen Steenberg Yun Patricia Siow Lup Kuen Wong Lip-Ping Chew George Wang Christopher Somers Andrew MacGovern Jonathan Keefe Ian Curry Brendon Harris Michael Payne Carl Taylor Jonathan Randall Mindy Ziskin Gary Marsh Jean-Serge Laurent Pierre Coenen Davor Vlahovic Johan Marnewick Karin Hne Bee Ngah Tan Geetha Kanagasingam

Lucent Technologies Marks & Spencer National Insurance Administration Nationwide Building Society New Africa Capital New Africa Capital Nokia Nokia Norges Bank Norsk Hydro Norwich Union Norwich Union Norwich Union Novartis International Novartis International Nykredit Nykredit O2 (UK) O2 (UK) Orange Orange Orange Post Danmark PowerGen UK PowerGen UK PricewaterhouseCoopers PricewaterhouseCoopers Prudential Prudential Prudential Prudential Rabobank International Rabobank Nederland Reuters Reuters Reuters Reuters Reuters Reuters Reuters Reuters Reuters Rolls Royce Rolls Royce Rolls Royce Royal Bank of Canada Royal Bank of Scotland Group S.W.I.F.T. S.W.I.F.T. Sanlam Sanlam Sanlam SATS SATS


Silva Kandiah Lars Eriksson Bodil Wiklund Kevin Kennedy Klaus Pape Conrad Tan Ching Ching Lim Patrick Bong Siew Leng Leck Seow Hong Tay Paul Nagel Martina Ramhitshana Tony Apsey Gerhard Kruger Hettie Booysen Pedro C Pretorius Joe Norman Jean-Pierre Margaillan Gilbert Agopome Richard Aylard Nomazulu Taukobong Claudia Jollivet Jacqui Bothwell Riana Crafford Emily Manganyi Pavana Ranjith John Murdoch Edwin Aldridge Carsten Paasch Adam Spencer Joe Rohde Dan Hlavac Alan Pacocha

SATS SCA Scania Schlumberger Siemens Singapore Airlines Singapore Airlines Singapore Airlines Singapore Airlines Singapore Airlines SKF South African Revenue Service South African Revenue Service South African Revenue Service South African Revenue Service Spoornet ST Microelectronics ST Microelectronics ST Microelectronics Standard Bank London Standard Bank of South Africa Standard Bank of South Africa Standard Bank of South Africa Standard Bank of South Africa Standard Bank of South Africa Standard Bank of South Africa Standard Bank of South Africa Standard Chartered Bank Standard Chartered Bank Standard Chartered Bank State Farm Mutual Automobile Insurance Company State Farm Mutual Automobile Insurance Company State Farm Mutual Automobile Insurance Company

Dan Landess Dan Sokulski Anza Botha Kjell Andersson Christian Thunberg Jan Skogqvist Jeremy Ward Michael Volkert Arne Normann Tommy Brundin Michael Robinette Paul de Graaff Laserian M Kelly Ventatakrishnan Vatsaraman Ruedi Siegenthaler Paul Wood Ged Edgcumbe Marco Van Putten Ed Schrijvers Alan M Jones David Pinchbeck Kamaljit Singh Bent Poulsen Chris Weegar Viki Baxter Mark Steger Giancarlo Bombardieri Joachim Droese

State Farm Mutual Automobile Insurance Company State Farm Mutual Automobile Insurance Company State Information Technology Agency Stora Enso Stora Enso Svenska Handelsbanken Symantec Security Services Syngenta International Telenor Tetra Pak The Depository Trust & Clearing Corporation The Depository Trust & Clearing Corporation The Emirates Group The Emirates Group UBS UBS UBS Unilever Unilever Unisys Unisys Unisys Værdipapircentralen Verizon Verizon Zurich Financial Services Zurich Financial Services Zurich Financial Services

Project team

Jason Creasey, Nick Frost, Andrew Wilson (Information Security Forum)

Review and quality assurance; Production

Alan Stanley, Louise Liu, Charl Porter (Information Security Forum)


The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security solutions that meet the business needs of its Members. Members of the ISF benefit from sharing information security solutions drawn from the considerable experience within their organisations and developed through an extensive work programme. Members recognise that information security is a key business issue and the ISF provides a mechanism which can ensure that the practices they adopt are on the leading edge of information security developments, while avoiding the significant expenditure that individual development of solutions would incur.

For further information contact:

Information Security Forum
Southwark Towers
Level 17
32 London Bridge Street
London SE1 9SY
United Kingdom
Telephone: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
E-mail: isfinfo@securityforum.org
Web: www.securityforum.org

Reference: 2004/06/09
Copyright 2004 Information Security Forum Limited. All rights reserved.