Title: Risk Analysis Presentation for the UGA Disaster Recovery/Business Continuity (DRP/BCP) Plan
1Risk Analysis Presentation for the UGADisaster
Recovery/Business Continuity (DRP/BCP) Plan
2Introduction
- In a risk analysis, the UGA Office of Information
Security seeks to establish and justify the SCOPE
of the DRP/BCP and the CRITICAL University
assets that need securing. -
3Overview of Preliminary Questions
- Before a protection strategy can be
- implemented, three basic questions must be
- answered.
- What am I protecting?
- What am I protecting against?
- How much money, time, and effort
- should I expend?
4Protecting Assets
- When we purchase a home, we must consider the
chance that harm will come to it. - We try to protect ourselves from the financial
loss that would come with harm to our home and
its contents. -
- We want to verify we are protected from loss in
the face of the usual hazards (e.g., fire, theft,
accidental harm).
5Protecting Assets
- In each case, we must weigh the value of our home
against the likeliness of floods or earthquakes
and the cost of the insurance to decide whether
or not the protection is worth the cost.
6Risk Analysis Terminology
- Asset Anything with value that we want to
- protect
- Threat agent Any person or thing that can
- do harm
- Threat Anything that could harm an asset
7Terminology
- Vulnerability A deficiency that leaves an asset
open to harm - Exposure Harm caused when a threat becomes real
- Countermeasure Any protective measure we take
to safeguard an asset
8A Brief Example
- Consider a home in a crime-riddled neighborhood.
-
- The threat agents are the denizens of the
neighborhood, - The threat is vandalism in the form of graffiti.
-
- The vulnerability of the home is that it is
completely exposed to the neighborhood. -
9A Brief Example (cont)
- If the neighborhood residents paint graffiti on
the home, a significant cost to repaint or clean
will be incurred. - This cost is the exposure
10A Brief Example (cont)
- So we surround the house with an eight-foot
stone fence topped with broken glass and razor
wire and buy a really big dog. - This is the countermeasure, which affects the
threat agents by making it significantly more
difficult for them to approach the house.
11So, What is Risk?
- Risk is a statement of probability.
- It is the probability that a given threat will
actually exploit a given vulnerability and cause
harm. -
12The Asset Identification Stage
- The first stage of the (BIA) the asset
identification stage - answers the question, What am I protecting?
- It also identifies the relationship between
assets - The asset identification stage ensures that
everything - necessary for the preservation of essential
university - Functions and their associated assets, is
identified. -
13An Example of Asset Identification
- Consider what would happen if we took all the
necessary steps to provide our staff with an
alternate location to work from in case the Data
Center were destroyed - But neglected to provide them with computers
and voice and data networks
14An Example of Asset Identification (cont)
- They would be safe and comfortable, but unable to
resume - their vital, university activities.
- The expense and effort incurred was wasted
- Why? because we did not understand the
relationship - between the people assets, the network and
computer - Assets and the function involved.
-
15An Example of Asset Identification (cont)
- The result of the asset identification stage of
a BIA is a - complete list of assets and their relationships
within a data - center or a department
- This is vital in the determination of what we
need - to protect, and what will it will take to protect
them before - a disaster occurs and what it will take to
restore them after - a major interruption
16The Threat Analysis
- The second step in the BIA Process is
- The Threat Analysis
- Which answers the question, What am
- I protecting against?
- During the threat analysis, each asset is
- examined to determine its vulnerabilities.
17The Threat Analysis (cont)
- Each asset is paired with a vulnerability,
- (a weakness that makes it susceptible to
interruption or destruction) - For each asset/vulnerability pair, a list is then
developed of the threat (s) that could exploit
that particular asset/vulnerability pair
18The Threat Analysis (cont)
- The threat analysis produces a list of
vulnerabilities for each asset and the associated
threats, which in turn, are ranked by likelihood
of occurrence
19Risk Assessment
- In the third stage of the BIA, the Risk
- Assessment stage
- We answer the question, How much time,
- effort, and money should I expend?
- Risk assessment involves examining possible
- countermeasures to each threat and weighing
- the countermeasures cost against the assets
- value and the impact of its loss.
20Risk Assessment (cont)
- When the Risk Analysis is complete, we have
- A list of assets ranked by value to the
department - Their associated vulnerabilities, and
- The threats that could exploit those
vulnerabilities - ranked in order of likelihood.
-
21Business Impact Analysis
- The BIA answers three questions,
- What am I protecting?
- What am I protecting against?
- How much money, time, and effort
- should I expend?
-
- The BIA also establishes the objectives for
recovery - (i.e., how long the department can do without the
asset - before restoration becomes essential).
22The Business Impact Analysis (cont)
- The BIA is the basis and justification for any
proposed recovery strategy.
23Identification and Valuation of Assets
- An asset is anything of value to the department.
- A typical, IT disaster recovery plan is far more
focused. - It evaluates information-related assets onlythe
assets that relate to how a department acquires,
manipulates, stores, and retrieves information.
24Identify and Valuate Assets (cont)
- Clearly this has a strong IT focus, but to
answer - the needs of the non-IT functions which in many
cases - are absolutely vital, of importance above and
beyond that - of IT, they too must also be considered
- Recovery has to extend beyond IT to include a
number of - non-IT assets such as Student Registration,
Accounts - Payable, E-Mail, in many cases, people,
facilities and even - the information stored in people.
25Documenting the BIA
- Users access and interact with the data when
doing their jobs or accessing department
services. - A user can be an employee, a student, or a
independent contractor. - The BIA should identify each asset that was
evaluated, record its value, categorization,
priority, and the designated recovery time
objective and recovery point objective as
appropriate.
26Data The Linchpin of University Business
Continuation
- Though prioritizing assets remains the primary
goal of a - BIA, the BIA also seeks to establish a
categorization - system for assets to include data.
- All of a departments assets but one can be
replaced. - It may be difficult or expensive to replace any
given - asset, and the cost may be related to the urgency
of the - replacement, but it is almost always possible to
replace - systems, networks, facilities, applications, and
people. - The one thing that is irretrievable is Data.
27Data
- A no more telling example of this can be found
than the storm of paper that filled the air after
the collapse of the World Trade Center on 9-11, a
day of infamy - Although it had the appearance of confetti, a
significant amount of that paper represented
irretrievably lost information that, in many
cases, cost the companies their very existence. - For this reason, data typically gets special
attention in any recovery plan
28A Priority Scale
- It is suggested that the following categories or
like system - of value be used to specify the value and order
of the - restoration of Assets
- Essential
- The asset is essential for core university
operations and there is a considerable cost
associated with downtime or failure of the
asset. - These assets must be considered top priority
in any recovery plan.
29A Priority Scale (cont)
- Delayed
- The asset is important, but there are simple
strategies for working around the loss of the
asset for short periods of time. - Usually there is a significantly reduced cost
related to downtime.
30A Priority Scale (cont)
Suspended The asset is non-essential and can
be eliminated or worked around for extended
periods of time. These assets will be omitted
from the initial disaster recovery plan.
31Introduction to The Threat Analysis
- With a completed Asset Identification in hand,
the recovery planning team has a complete,
prioritized list of assets that need protecting. - But protected from what?
- To answer this question, we conduct a threat
analysis.
32Some Threatening Terms
- Vulnerability
- A vulnerability is a hardware, software, or
operational - deficiencya weakness that provides an
opportunity for a - threat to do harm.
- If the university is located on the banks of a
river, and the - data center is on the first floor, then its
vulnerabilities are - its low altitude and its proximity to the river.
33Exposure
- Exposure is the harm that results from a threat
- taking advantage of vulnerability.
- If the data center flooded, computing equipment
- would be destroyed and revenue would be lost.
-
- These costs are exposures.
34Threat
- A threat is any potential danger to a university
asset. - Threats can take a wide variety of forms, and any
given - asset may be exposed to multiple threats.
-
- The threat that could exploit the previously
mentioned - data centers vulnerability is the river, or
flooding, or any - event that would cause the rivers water level to
rise.
35Impact and Consequences
- Impact
- The impact of a threat exploiting vulnerability
is the - immediate damage.
- In the example cited, the impact is the loss of
the data center. - Consequences
- These are longer term, continuing, and often
secondary - damages.
36What Is A Threat Analysis?
- The Threat analysis answers the question, What
- am I protecting against?
- The Threat analysis is part art and part
science. - The art is identifying both the threats and the
- vulnerabilities.
37What Is A Threat Analysis? (cont)
- But there is also a science to it.
- Many information assets are collections of
- hardware and software that can be understood
- and their interactions analyzed
- The recovery planning team needs to have access
- to people who know the assets well
38Assessing Risk
- Risk is a statement of probability, specifically
the - probability that a specific threat will exploit a
given - vulnerability.
- Risks can be operational, which means they are
- present and can impact day-to-day activities.
- Risks can be project or program oriented, which
- means they are associated with a specific set of
- assets for a specific period or activity.
39Assessing Risk (cont)
- Risks can also be strategic, meaning that they
- are long term and typically associated with core
- university goals and objectives.
- In the risk assessment phase of a BIA, we seek to
- answer the question How much time, money, and
- energy should I expend to provide protection?
40Risk Management
- Risk Management refers to the entire process of
- recovery planning.
- Two other terms are encountered
- A countermeasure is any step taken to reduce
risk. - Residual risk is the degree of risk remaining
after - implementing a countermeasure
41The Risk Management Process
- In the risk assessment phase we identify
appropriate - countermeasures
- We then determine the overall cost of each
countermeasure. - In a quantitative analysis, a cost/benefit
analysis (CBA) is - conducted to determine which countermeasure is
most cost- - effective .
- In a qualitative analysis, the selection of a
countermeasure is - performed as a qualitative exercise.
42There are four possible responses to risk.
- Acceptance Agree the risk exists but elect to
live - with it.
- Rejection Deny the risk exists and do
nothing. - Transference Pass the risk to someone or
- something else.
- Mitigation Establish countermeasures to
reduce risk.
43Summary
- Business Impact Analysis is the heart of
effective recovery - planning.
- It comprises three basic steps.
- First, the asset identification stage identifies
the critical - assets, evaluates the impact of their loss on the
university, - and establishes recovery time and recovery point
- objectives.
44Summary (cont)
- Second, the threat analysis evaluates the
- vulnerability of critical assets and the
- threats that could exploit them. It derives a
- probability for each threat and the degree to
- which assets can be harmed.
45Summary(cont)
- Finally, the Risk Assessment combines this
information and assesses possible countermeasures
to be used to minimize risk. - Some of these mitigation steps will be proactive
and seek to reduce the probability of a disaster
occurring or the impact of a disaster if one does
occur. - Others will be more reactive, and will become
part of the incident response plan which guides
the department through appropriate steps to
manage a disastrous incident.