~ Inventory and document business processes ~ Identify and categorize threats and vulnerabilities ~ Measure and quantify threats ~ Compile risk assessment reports Collecting Risk Assessment Data
~ Risks are the potential consequences of events or conditions that
can adversely affect an organization’s operations and revenues, as well as its relationships with communities, business partners, suppliers, and customers ~ Before analyzing risks, the disaster recovery planning team must first determine the likelihood of an event’s occurrence and their organization’s related operating conditions ~ The disaster recovery planning team must inventory its exposure to such events to understand the possible impact of adverse events and related conditions Exposure Inventory
~ An exposure inventory is an annotated list of all facilities,
processes, systems, and resources that an organization uses to maintain operations and sustain revenue ~ The scope of the exposure inventory depends on the organization’s size, number of employees, number of locations, and numerous other factors ~ The exposure inventory should be conducted for each facility that an organization owns or operates ~ Exposure inventory sheets are numbered in a series Numbering Scheme for Exposure Inventory Sheets Facility Exposure Inventory Overview Sheet
~ The facility exposure inventory overview sheet is used to keep track
of the more detailed exposure inventories needed for each facility ~ The overview sheet shows • The name and address of the facility • Its main telephone number • Fax number • E-mail address • Disaster recovery contact ~ There are spaces to indicate • Which detailed exposure inventories are attached • When the exposure inventories were last updated • When the next update is scheduled ~ The bottom of the sheet includes a space to explain which business processes are performed at the facility Inventory Sheets Exposure Inventory Sheet
~ Exposure inventory sheets
• Used for physical facilities, personnel, heavy equipment, light equipment, installed systems, information technology, office equipment, and products or parts • Provide details for assets at the facility identified by the inventory overview sheet • Additional inventory sheets can be used if a single sheet cannot accommodate all necessary data Inventory Sheets
~ Physical facilities exposure inventory sheet
describes every building at a facility ~ Personnel exposure inventory sheet lists for all employees in each building ~ Heavy equipment exposure inventory sheet lists all of the heavy equipment in each building ~ Light equipment exposure inventory sheet lists all of the light equipment in each building Inventory Sheets
~ Installed systems exposure inventory sheet lists
all computer networks, telephone systems, fire prevention systems, and premises security systems in each building ~ Information technology exposure inventory sheet lists all of the information technology in each building ~ Office equipment exposure inventory sheet lists all of the office equipment in each building ~ Products/parts exposure inventory sheet lists all the products and parts in each building Documenting Business Processes
~ The disaster recovery team should
• Know which business processes are supported at every facility and by every department • Evaluate which business processes and facilities are most critical to the organization’s operations and revenues ~ A product-focused organization creates or distributes physical goods ~ A service-focused organization provides a specific service for a customer Key Organization Goals Functionality
~ Under normal conditions, organizations try to maintain a full level
of functionality and achieve their key goals ~ When a disaster occurs, business processes can be completely or partially disabled ~ Disaster recovery planners need to examine the processes that make their organization successful ~ Before they can begin classifying the organization’s systems and functions, planners must fully understand the organization’s nature, mission, and goals ~ Several key tests can be applied to help in this process Test One
~ Do any legal requirements affect the classification of
systems and functions? ~ An organization may need to address legal requirements or government regulations ~ The legal counsel representative on the disaster recovery planning team must advise upper management and team members about these legal and regulatory requirements Test Two
~ Do contractual requirements affect the classification of
systems and functions? ~ Some organizations may have contractual arrangements with customers or suppliers requiring certain functions or activities to be maintained at a specific level ~ Legal counsel must explain the meaning of these requirements to upper management and the planning team Test Three
~ Do labor requirements affect the classification of
systems and functions? ~ Some organizations may have labor union contracts in place ~ These contracts may specify working conditions that must be established before work can continue after a disaster ~ Legal counsel must explain the meaning of these requirements to upper management and the planning team Test Four
~ Do competitive pressures affect the classification of
systems and functions? ~ Almost all organizations face some level of competitive pressure ~ Representatives from the Marketing and Sales departments may be the best source of information about the magnitude of these pressures ~ These departments should advise upper management and the planning team accordingly Test Five
~ Do financial pressures affect the classification of
systems and functions? ~ Many organizations do not have sufficient cash reserves to absorb the cost or the potential loss caused by business disruptions ~ The chief financial officer (CFO) must advise upper management and the disaster recovery planning team about the financial consequences of disruptions Test Six
~ Do humanitarian or social expectations affect the
classification of systems and functions? ~ Some organizations face great humanitarian and social pressures that may affect their need to recover smoothly and quickly from a disaster ~ The Public Relations Department or the office of Social Responsibility must advise upper management and the planning team on the potential impact of these pressures on disaster recovery priorities and timelines Test Seven
~ Do management requirements affect the classification
of systems and functions? ~ Some organizations also face management or stockholder mandates regarding operations and the speed of disaster recovery ~ The Investor Relations Department and upper management must ensure that the planning team understands these mandates when formulating disaster recovery priorities and procedures Creating a Business Process Inventory
~ A business process inventory is an annotated list of the key
business processes needed to maintain operations, including revenue collection, sales, distribution and delivery, manufacturing, and procurement. ~ A business process inventory illustrates: • How a process works • The facilities and buildings in which the process occurs • The departments that perform the process • The personnel who work in the departments • The equipment used by the departments • The installed systems on which the departments rely • The information technology that the departments have in place • The parts and supplies that the departments need to accomplish their work Creating a Business Process Inventory
~ Developing a business process inventory requires the assistance of
all departments involved in a business process ~ Each department is represented on the disaster recovery planning team ~ When a business process spans more than one department, planning team representatives from each department must collaborate to create the business process inventory ~ Business process inventory sheets • There should be one for each facility or each group of related facilities in their business process • Provide details on the process, including which facilities, buildings, and departments support it, as well as the resources required to accomplish the process Business Process Inventory Sheets Numbering Scheme Business process inventory overview sheet
~ Business process inventory overview sheet is
used to keep track of the more detailed business process inventories needed for each facility ~ There are specific business process inventory sheets for revenue collection, sales, product distribution, service delivery, product manufacturing, and procurement ~ Each inventory sheet provides detailed information for a specific division, product line, or location in an organization Business process inventory overview sheet Business Process Support Requirements Sheet
~ Each inventory sheet also has a related business
process support requirements sheet ~ The sheet details the resources needed to support each process, including • physical facilities • personnel • heavy equipment • light equipment • installed systems • information technology • office equipment Inventory and Requirement Sheets
~ Each of these documents helps the disaster recovery
planning team develop procedures later in the planning process ~ Additional inventory sheets if a single sheet cannot accommodate all the necessary data ~ Planners should number these sheets in the space directly under the form number ~ There is also space for the entity name covered by the sheet, a business process number, a facility number, and a building number Inventory and Requirement Sheets
information about revenue collection ~ Revenue collection support requirements sheet details the resources needed to support revenue collection ~ Each sales inventory sheet provides detailed information about product or service sales ~ Sales support requirements sheet details the resources needed to support sales ~ Product distribution inventory sheet provides detailed information about product distribution ~ Distribution support requirements sheet details the resources needed to support distribution Inventory and Requirement Sheets
~ Service delivery inventory sheet provides detailed
information about service delivery ~ Service delivery support requirements sheet details the resources needed to support service delivery ~ Product manufacturing inventory sheet provides detailed information about manufacturing ~ Product manufacturing support requirements sheet details the resources needed to support manufacturing ~ Procurement inventory sheet provides detailed information about procurement ~ Procurement support requirements sheet details the resources needed to support procurement Identifying Threats and Vulnerabilities
~ Disaster recovery planners need to determine which threats could
adversely affect their organization’s assets and operations ~ A good place to start is to study records of historic events that have affected a facility or its surrounding communities and regions ~ This study is especially important in the case of recurring natural disasters ~ Other threats to consider are accidental events that may damage a facility and its operations ~ A third type of threat to consider is destructive or disruptive deliberate actions against a facility and its operations Potential Threat Forms
~ Facility threat inventory sheet details
• Potential threats to an entire facility • Specific potential threats to personnel • Heavy equipment • Light equipment • Installed systems • Information technology • Office equipment • Products or parts Potential Threat Forms
~ Threat mitigation sheet - details the actions taken or the
systems in place to reduce the impact of the threats described in the facility threat inventory sheet ~ Business process threat inventory sheet - details the potential threats to a business process, as well as specific potential threats to personnel, equipment, installed systems, and information technology ~ Business process threat mitigation sheet - details the actions taken or the systems in place to reduce the impact of the threats described in the business process threat inventory sheet Measuring and Quantifying Threats
~ The key to successfully measuring the likelihood of threats being
realized is to obtain data from as many sources as possible ~ Data on natural disasters is relatively easy to obtain from historical records ~ Accidents may be more difficult to quantify • Some locations certainly have a greater number of transportation- related accidents than others, depending on road conditions and weather patterns • Data on the frequency of such accidents is often available from police or public safety departments • Other data on the frequency of power outages may be readily available from facility maintenance staff Measuring and Quantifying Threats
~ Destructive or disruptive deliberate actions against a facility and its
operations, can be extremely difficult to quantify ~ There has been considerable research on the frequency and severity of malicious hacking attacks ~ Because this research is in its infancy, it is often difficult to determine threats to a specific organization ~ For more than a decade, information security professionals and law enforcement officials have been well aware that only a small percentage of computer crimes are reported Threat Evaluation and Quantification Methods Compiling Risk Assessment Reports
~ A risk assessment report describes an asset or business process
that is exposed to risk, the risks themselves, and the effectiveness of existing systems designed to mitigate these risks ~ The report ends by recommending which types of procedures an organization should include in its disaster recovery plan ~ The format and length of a risk assessment report vary based on the complexity of the components described in the previous paragraph ~ The disaster recovery planning team uses this report as a decision- making tool and as a starting point in developing disaster recovery procedures Compiling Risk Assessment Reports
~ When compiling a risk assessment report, use the
following guidelines to make it a more valuable tool: • The report should be easy to read by people with different knowledge and skill levels • The executive summary should be brief and to the point • The table of contents should be complete, and should list all sections and exhibits in the report • The narrative sections should clearly identify which sheets, forms, or reports were used to provide support • If photocopies are used in the exhibits, the copies should be clear and readable Risk Assessment Report Outline Risk Assessment Report Outline Facility Exposure Inventory Overview Sheet Physical Facilities Exposure Inventory Sheet Personnel Exposure Inventory Sheet Heavy Equipment Exposure Inventory Sheet Light Equipment Exposure Inventory Sheet Installed Systems Exposure Inventory Sheet Information Technology Exposure Inventory Sheet Office Equipment Exposure Inventory Sheet Products/Parts Exposure Inventory Business Process Inventory Overview Sheet Revenue Collection Inventory Sheet Sales Inventory Sheet Product Distribution Inventory Sheet Service Delivery Inventory Sheet Product Manufacturing Inventory Sheet Procurement Inventory Sheet Revenue Collection Support Requirement Sheet Sales Support Requirements Sheet Product Distribution Support Requirements Sheet Service Delivery Support Requirement Sheet Product Manufacturing Support Requirements Sheet Procurement Support Requirements Sheet Facility Threat Inventory Sheet Facility Threat Mitigation Sheet Business Process Threat Inventory Sheet Business Process Threat Mitigation Sheet Assessing Progress and Preparing to Move Ahead
~ Assessing risks in the enterprise is the second
step in disaster recovery planning ~ This step enables the planning team to move forward ~ It may take several months to perform risk assessments for all facilities and business processes Chapter Summary
~ Risks are the potential consequences of events or
conditions that can adversely affect an organization’s operations and revenues, as well as its relationships with communities, business partners, suppliers, and customers ~ The disaster recovery planning team must inventory the organization’s exposure to adverse events ~ Individual exposure inventory sheets provide details for assets at the facility identified by the inventory overview sheet Chapter Summary
~ The two primary types of organizations are product-
focused and service-focused ~ A business process inventory is an annotated list of the key business processes necessary to maintain operations, including revenue collection, sales, distribution and delivery, manufacturing, and procurement ~ Organizations should maintain a series of business process inventory sheets for each facility or each group of related facilities in their business process Chapter Summary
~ The key to successfully measuring the likelihood of
threats being realized is to obtain data from as many sources as possible ~ A risk assessment report describes an asset that is exposed to risk, what the risks are, and the effectiveness of existing systems designed to mitigate these risks ~ A risk assessment report may include proprietary information on business processes, market conditions and positions, manufacturing procedures, and IT security