Business Impact Analysis

IE'S BUSINESS IMPACT ANALYSIS

How do events impact business operations?

Every organization needs to understand how a business-impacting event could affect their organization. Manufacturers need to understand how to keep producing, schools need to understand how to keep students learning, healthcare providers need to understand how to keep treating patients, and government needs to understand how to keep providing services to their constituents. This knowledge comes from the result of a Business Impact Analysis.

Business Impact Analysis

Business impact knowledge should guide broad business decisions, such as acquisitions and growth plans, and will impact risk management, with an emphasis on the deployment and usage of security controls. Typically, business impact knowledge will lead to smarter spending and possibly even savings. This is because the control mechanisms (people, processes, and technology) will be applied where the risks actually exist and are based on severity of those risks. 

IE will host and facilitate structured workshops with your team to gain an understanding of which resources and access are truly important to the function of the business. We call these the Critical Business Functions (CBFs) and the Critical Business Processes (CBPs). Once we have identified and prioritized the CBFs and the CBPs, we will narrow the field to the top five or top ten and identify the threats and risks to those. This knowledge will then guide risk mitigation, remediation, data protection, and control placement.

The BIA Process

  • Define Current State

  • Assessment and Analysis

  • Define Target State

  • Deliverables

Define Current State

The business impact assessment begins by identifying and defining the business priorities, compliance requirements, threats to the business, and relevant IT characteristics of the current state. We also begin to discover and map out the environment, run full vulnerability and configuration scans, identify roles and responsibilities, and review existing policies and procedures. This collected data, once analyzed, provides us with a composite view of the current state of cyber security threats and controls in the environment. 

Assessment and Analysis

IE will analyze the collected data, identify threats, categorize the identified risks, and determine probability and likelihood of an event. Additional clarification questions and data collection may be required during this phase to properly set severity and priority of remediation tasks and mitigation controls. 

Define Target State

IE will define the desired target state, based on a more secure business environment, with fewer risks to operations. Mitigation approaches will be determined and validated, with a focus on having the least amount of negative impact to the business. Mitigation and remediation activities will be defined and aligned to business outcomes. Potential residual risk will be identified and quantified. 

Deliverables

IE will compile a comprehensive report and executive summary, complete with findings and guidance, validations, and additional supporting documentation. Cybersecurity findings will be aligned to the NIST CSF functional areas and sub-areas, with severity based on NIST CSF scoring models, and prioritized either Tactically (<90 days) or Strategically (>90 days). Suggested implementations, acquisitions, and staffing changes will be called out over a timeline of up to three (3) years.
