Risk Analysis Presentation for the UGA Disaster Recovery/Business Continuity (DRP/BCP) Plan

1
Risk Analysis Presentation for the UGADisaster
Recovery/Business Continuity (DRP/BCP) Plan
2
Introduction

• In a risk analysis, the UGA Office of Information
  Security seeks to establish and justify the SCOPE
  of the DRP/BCP and the CRITICAL University
  assets that need securing.

3
Overview of Preliminary Questions

• Before a protection strategy can be
• implemented, three basic questions must be
• answered.
• What am I protecting?
• What am I protecting against?
• How much money, time, and effort
• should I expend?

4
Protecting Assets

• When we purchase a home, we must consider the
  chance that harm will come to it.
• We try to protect ourselves from the financial
  loss that would come with harm to our home and
  its contents.
• We want to verify we are protected from loss in
  the face of the usual hazards (e.g., fire, theft,
  accidental harm).

5
Protecting Assets

• In each case, we must weigh the value of our home
  against the likeliness of floods or earthquakes
  and the cost of the insurance to decide whether
  or not the protection is worth the cost.

6
Risk Analysis Terminology

• Asset Anything with value that we want to
  
• protect
• Threat agent Any person or thing that can
• do harm
• Threat Anything that could harm an asset

7
Terminology

• Vulnerability A deficiency that leaves an asset
  open to harm
• Exposure Harm caused when a threat becomes real
  
• Countermeasure Any protective measure we take
  to safeguard an asset

8
A Brief Example

• Consider a home in a crime-riddled neighborhood.
• The threat agents are the denizens of the
  neighborhood,
• The threat is vandalism in the form of graffiti.
• The vulnerability of the home is that it is
  completely exposed to the neighborhood.

9
A Brief Example (cont)

• If the neighborhood residents paint graffiti on
  the home, a significant cost to repaint or clean
  will be incurred.
• This cost is the exposure

10
A Brief Example (cont)

• So we surround the house with an eight-foot
  stone fence topped with broken glass and razor
  wire and buy a really big dog.
• This is the countermeasure, which affects the
  threat agents by making it significantly more
  difficult for them to approach the house.

11
So, What is Risk?

• Risk is a statement of probability.
• It is the probability that a given threat will
  actually exploit a given vulnerability and cause
  harm.

12
The Asset Identification Stage

• The first stage of the (BIA) the asset
  identification stage
• answers the question, What am I protecting?
• It also identifies the relationship between
  assets
• The asset identification stage ensures that
  everything
• necessary for the preservation of essential
  university
• Functions and their associated assets, is
  identified.

13
An Example of Asset Identification

• Consider what would happen if we took all the
  necessary steps to provide our staff with an
  alternate location to work from in case the Data
  Center were destroyed
• But neglected to provide them with computers
  and voice and data networks

14
An Example of Asset Identification (cont)

• They would be safe and comfortable, but unable to
  resume
• their vital, university activities.
• The expense and effort incurred was wasted
• Why? because we did not understand the
  relationship
• between the people assets, the network and
  computer
• Assets and the function involved.

15
An Example of Asset Identification (cont)

• The result of the asset identification stage of
  a BIA is a
• complete list of assets and their relationships
  within a data
• center or a department
• This is vital in the determination of what we
  need
• to protect, and what will it will take to protect
  them before
• a disaster occurs and what it will take to
  restore them after
• a major interruption

16
The Threat Analysis

• The second step in the BIA Process is
• The Threat Analysis
• Which answers the question, What am
• I protecting against?
• During the threat analysis, each asset is
• examined to determine its vulnerabilities.

17
The Threat Analysis (cont)

• Each asset is paired with a vulnerability,
• (a weakness that makes it susceptible to
  interruption or destruction)
• For each asset/vulnerability pair, a list is then
  developed of the threat (s) that could exploit
  that particular asset/vulnerability pair

18
The Threat Analysis (cont)

• The threat analysis produces a list of
  vulnerabilities for each asset and the associated
  threats, which in turn, are ranked by likelihood
  of occurrence

19
Risk Assessment

• In the third stage of the BIA, the Risk
• Assessment stage
• We answer the question, How much time,
• effort, and money should I expend?
• Risk assessment involves examining possible
• countermeasures to each threat and weighing
• the countermeasures cost against the assets
• value and the impact of its loss.

20
Risk Assessment (cont)

• When the Risk Analysis is complete, we have
• A list of assets ranked by value to the
  department
• Their associated vulnerabilities, and
• The threats that could exploit those
  vulnerabilities
• ranked in order of likelihood.

21
Business Impact Analysis

• The BIA answers three questions,
• What am I protecting?
• What am I protecting against?
• How much money, time, and effort
• should I expend?
• The BIA also establishes the objectives for
  recovery
• (i.e., how long the department can do without the
  asset
• before restoration becomes essential).

22
The Business Impact Analysis (cont)

• The BIA is the basis and justification for any
  proposed recovery strategy.

23
Identification and Valuation of Assets

• An asset is anything of value to the department.
• A typical, IT disaster recovery plan is far more
  focused.
• It evaluates information-related assets onlythe
  assets that relate to how a department acquires,
  manipulates, stores, and retrieves information.

24
Identify and Valuate Assets (cont)

• Clearly this has a strong IT focus, but to
  answer
• the needs of the non-IT functions which in many
  cases
• are absolutely vital, of importance above and
  beyond that
• of IT, they too must also be considered
• Recovery has to extend beyond IT to include a
  number of
• non-IT assets such as Student Registration,
  Accounts
• Payable, E-Mail, in many cases, people,
  facilities and even
• the information stored in people.

25
Documenting the BIA

• Users access and interact with the data when
  doing their jobs or accessing department
  services.
• A user can be an employee, a student, or a
  independent contractor.
• The BIA should identify each asset that was
  evaluated, record its value, categorization,
  priority, and the designated recovery time
  objective and recovery point objective as
  appropriate.

26
Data The Linchpin of University Business
Continuation

• Though prioritizing assets remains the primary
  goal of a
• BIA, the BIA also seeks to establish a
  categorization
• system for assets to include data.
• All of a departments assets but one can be
  replaced.
• It may be difficult or expensive to replace any
  given
• asset, and the cost may be related to the urgency
  of the
• replacement, but it is almost always possible to
  replace
• systems, networks, facilities, applications, and
  people.
• The one thing that is irretrievable is Data.

27
Data

• A no more telling example of this can be found
  than the storm of paper that filled the air after
  the collapse of the World Trade Center on 9-11, a
  day of infamy
• Although it had the appearance of confetti, a
  significant amount of that paper represented
  irretrievably lost information that, in many
  cases, cost the companies their very existence.
• For this reason, data typically gets special
  attention in any recovery plan

28
A Priority Scale

• It is suggested that the following categories or
  like system
• of value be used to specify the value and order
  of the
• restoration of Assets
• Essential
• The asset is essential for core university
  operations and there is a considerable cost
  associated with downtime or failure of the
  asset.
• These assets must be considered top priority
  in any recovery plan.

29
A Priority Scale (cont)

• Delayed
• The asset is important, but there are simple
  strategies for working around the loss of the
  asset for short periods of time.
• Usually there is a significantly reduced cost
  related to downtime.

30
A Priority Scale (cont)

Suspended The asset is non-essential and can
be eliminated or worked around for extended
periods of time. These assets will be omitted
from the initial disaster recovery plan.
31
Introduction to The Threat Analysis

• With a completed Asset Identification in hand,
  the recovery planning team has a complete,
  prioritized list of assets that need protecting.
• But protected from what?
• To answer this question, we conduct a threat
  analysis.

32
Some Threatening Terms

• Vulnerability
• A vulnerability is a hardware, software, or
  operational
• deficiencya weakness that provides an
  opportunity for a
• threat to do harm.
• If the university is located on the banks of a
  river, and the
• data center is on the first floor, then its
  vulnerabilities are
• its low altitude and its proximity to the river.
  

33
Exposure

• Exposure is the harm that results from a threat
• taking advantage of vulnerability.
• If the data center flooded, computing equipment
• would be destroyed and revenue would be lost.
• These costs are exposures.

34
Threat

• A threat is any potential danger to a university
  asset.
• Threats can take a wide variety of forms, and any
  given
• asset may be exposed to multiple threats.
• The threat that could exploit the previously
  mentioned
• data centers vulnerability is the river, or
  flooding, or any
• event that would cause the rivers water level to
  rise.

35
Impact and Consequences

• Impact
• The impact of a threat exploiting vulnerability
  is the
• immediate damage.
• In the example cited, the impact is the loss of
  the data center.
• Consequences
• These are longer term, continuing, and often
  secondary
• damages.

36
What Is A Threat Analysis?

• The Threat analysis answers the question, What
• am I protecting against?
• The Threat analysis is part art and part
  science.
• The art is identifying both the threats and the
  
• vulnerabilities.

37
What Is A Threat Analysis? (cont)

• But there is also a science to it.
• Many information assets are collections of
• hardware and software that can be understood
• and their interactions analyzed
• The recovery planning team needs to have access
• to people who know the assets well

38
Assessing Risk

• Risk is a statement of probability, specifically
  the
• probability that a specific threat will exploit a
  given
• vulnerability.
• Risks can be operational, which means they are
• present and can impact day-to-day activities.
• Risks can be project or program oriented, which
• means they are associated with a specific set of
• assets for a specific period or activity.

39
Assessing Risk (cont)

• Risks can also be strategic, meaning that they
• are long term and typically associated with core
• university goals and objectives.
• In the risk assessment phase of a BIA, we seek to
  
• answer the question How much time, money, and
• energy should I expend to provide protection?

40
Risk Management

• Risk Management refers to the entire process of
• recovery planning.
• Two other terms are encountered
• A countermeasure is any step taken to reduce
  risk.
• Residual risk is the degree of risk remaining
  after
• implementing a countermeasure

41
The Risk Management Process

• In the risk assessment phase we identify
  appropriate
• countermeasures
• We then determine the overall cost of each
  countermeasure.
• In a quantitative analysis, a cost/benefit
  analysis (CBA) is
• conducted to determine which countermeasure is
  most cost-
• effective .
• In a qualitative analysis, the selection of a
  countermeasure is
• performed as a qualitative exercise.

42
There are four possible responses to risk.

• Acceptance Agree the risk exists but elect to
  live
• with it.
• Rejection Deny the risk exists and do
  nothing.
• Transference Pass the risk to someone or
• something else.
• Mitigation Establish countermeasures to
  reduce risk.

43
Summary

• Business Impact Analysis is the heart of
  effective recovery
• planning.
• It comprises three basic steps.
• First, the asset identification stage identifies
  the critical
• assets, evaluates the impact of their loss on the
  university,
• and establishes recovery time and recovery point
• objectives.

44
Summary (cont)

• Second, the threat analysis evaluates the
• vulnerability of critical assets and the
• threats that could exploit them. It derives a
• probability for each threat and the degree to
• which assets can be harmed.

45
Summary(cont)

• Finally, the Risk Assessment combines this
  information and assesses possible countermeasures
  to be used to minimize risk.
• Some of these mitigation steps will be proactive
  and seek to reduce the probability of a disaster
  occurring or the impact of a disaster if one does
  occur.
• Others will be more reactive, and will become
  part of the incident response plan which guides
  the department through appropriate steps to
  manage a disastrous incident.