
Page 1: IRAM- Business Impact Assessment

June 2004

Information Risk Analysis Methodologies (IRAM) project

Business Impact Assessment


WARNING

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected] or on +44 (0)20 7213 1745. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.


Table of contents

Part 1 Introduction (page 1)
  This report
  Purpose of this report
  Who should read this report?
  Basis for this report

Part 2 Understanding business impact assessment
  What is a business impact assessment? (page 2)
  Why undertake a business impact assessment? (page 3)
  When to carry out a business impact assessment? (page 4)

Part 3 Establishing a business impact assessment programme
  Introduction (page 6)
  Developing a Business Impact Reference Table (page 6)
  Identifying systems to be assessed (page 11)

Part 4 The ISF approach to business impact assessment
  Introduction (page 13)
  Key characteristics of the ISF’s approach to business impact assessment (page 13)
  The business impact assessment process (page 14)
  Tools and forms to help conduct a business impact assessment (page 17)

Part 5 Performing a business impact assessment
  Introduction (page 18)
  Preparing for a business impact assessment (page 20)
    A – Determining the system profile (page 20)
    B – Planning the assessment (page 21)
  Conducting a business impact assessment (page 22)
    A – Introducing the assessment (page 22)
    B – Assessing business impact (page 26)
    C – Determining overall results (page 34)
    D – Reviewing results (page 37)

Appendix A Tools, information sheets and forms to use in a business impact assessment (page 40)

Appendix B Further sources of information (page 42)


Figure 1: Key steps and activities in the business impact assessment process


Part 1 Introduction

This report

This report provides practical guidance on how to conduct effective, business-driven, business impact assessments.

It explains what a business impact assessment (BIA) is, outlines the sound business reasons why organisations should undertake them and highlights the key features of the business-driven approach that has been developed by the ISF.

The report fully describes the steps and activities that need to be carried out in a business impact assessment (see Figure 1) and the tools and forms that should be used to support this undertaking. Significantly the report also provides clear guidance on how to review the results of a business impact assessment and determine the next steps that should be taken to help ensure information risk is managed effectively.

NOTE

This report has evolved from the ISF’s previous risk analysis methodologies SARA and SPRINT and has been designed to replace SARA – Phase 2 (Identify business requirements for security) and SPRINT Phase 1 (Assess business risks).

Purpose of this report

The purpose of this report is to help information risk analysts and information security practitioners carry out effective business impact assessments. In particular it will help them understand the:

• sound business reasons for carrying out business impact assessments

• forms and tools that should be used

• steps and activities that need to be undertaken to prepare for and conduct business impact assessments.

Who should read this report?

This report should be read by:

• information risk analysts and information security practitioners responsible for conducting business impact assessments

• information security managers planning programmes of work in information risk analysis

• auditors and risk specialists wishing to gain a better understanding of the business impact assessment of systems.

Basis for this report

This report is based on information gathered from:

• workgroups held with ISF Members to examine the issues and requirements of business impact assessment

• analysing information risk analysis and business impact assessment methodologies (including those developed by the ISF – SARA and SPRINT)

• third party experts on information risk analysis.


Part 2 Understanding business impact assessment

What is a business impact assessment?

A business impact assessment is a method of determining the possible business impact that an organisation could experience as a result of an incident that compromises information in a system.

NOTE

The business impact assessment method described in this report has been designed to analyse information risk in systems (eg business applications such as e-commerce systems, sales order processing systems, and production control systems). It has not been designed to be used to analyse information risk in other environments (such as networks and data centres) although much of the overall approach may still be applicable. Care should be taken when it is used in other environments and customisation may be necessary.

Business impact assessment helps determine the business security requirements for a system and the appropriate next steps that need to be taken to protect information adequately.

A business impact assessment is the first step in an overall process (the information risk analysis process) that enables effective security measures to be identified to help minimise the frequency and impact of damaging incidents (see Figure 2 below).

Figure 2: The information risk analysis process


Business impact assessment is a business-driven undertaking that helps ensure the business need of the organisation for protecting information is clearly identified. In doing so it helps determine both the scope and the focus of all subsequent steps in the information risk analysis process.

Why undertake a business impact assessment?

Most organisations have to deal with a constant barrage of threats to information. These threats vary considerably from malfunctions of hardware and software to internal misuse of systems and external attack (eg from hacking and viruses).

Where threats to information are not effectively countered by measures such as preventative controls, incidents can and do occur. The ISF’s 2003 Information Security Status Survey (the ISF Survey) shows that, on average, applications in the organisations that participated experienced 160 incidents per annum, or three incidents per working week.

The business impact of these incidents upon organisations is considerable. Figure 3 below, which is based on data from the ISF Survey, shows the types of business impact that applications suffering incidents typically experience (see the ISF’s report entitled Critical Business Applications: Improving Security).

Figure 3: The business impact of incidents


Business impacts such as unforeseen costs, delayed deliveries to customers and reduction in staff morale/productivity directly affect the ability of an organisation to operate effectively and can have a significant cost implication (the average cost of ‘most serious’ incidents recorded in the ISF Survey for critical business applications was $1.9 million). Details of the top three most serious incidents recorded for applications in the ISF Survey can be seen in Figure 4 below.

Figure 4: Top three costliest ‘most serious’ incidents experienced by surveyed applications

The high percentage of organisations that experience serious business impacts and the high cost of incidents indicate that many organisations are not protecting their key business information adequately.

Business impact assessment, as part of an effective information risk analysis process, helps organisations identify effective security measures to address this major business problem.

When to carry out a business impact assessment?

Business impact assessment should ideally be carried out during the development of new systems (eg at the initiation and design stages) as building in security at this stage is likely to be far more cost effective than adding it on later when a system is fully operational.


By undertaking a business impact assessment at the commencement of a new systems development project it is possible to ensure the business security requirements are clearly identified right from the outset. The outcome from a business impact assessment undertaken at this early stage should directly affect the degree of rigour and attention to detail that is applied during the development of the system (and the level of sign off that is required).

For systems that are already live, priority should be given to those that appear more important to the organisation. Guidelines for identifying and prioritising live systems for business impact assessment can be found in Part 3: Establishing a business impact assessment programme.


Part 3 Establishing a business impact assessment programme

Introduction

Prior to conducting a business impact assessment there are a number of important programme-related elements of work that should be undertaken. These activities are generic and can be conducted at any time leading up to a business impact assessment. They are necessary to ensure business impact assessments are run in an effective and professional manner and that reliable and trustworthy results are produced.

The key elements of work to be undertaken prior to performing a business impact assessment are:

1. Developing a Business Impact Reference Table

2. Identifying systems to be assessed.

This part of the report describes these elements of work and explains how they should be carried out.

NOTE

Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the information sheets, forms and other supporting documents that are referred to in this part of the report.

Developing a Business Impact Reference Table

The ISF approach to business impact assessment is based on organisations using their own pre-defined, organisation-specific, Business Impact Reference Table. This section of the report explains how an organisation can develop its own Business Impact Reference Table.

A Business Impact Reference Table is a powerful yet relatively simple tool that enables business impact to be determined in an accurate and consistent manner throughout an organisation.

Using business language and a straightforward approach that is easy-to-understand, it enables non-specialists to make well-informed judgements about the level of business impact that could occur in the event of an incident that compromises the confidentiality, integrity or availability of information.

Typically signed-off at senior management (or preferably board) level, a Business Impact Reference Table provides a standard against which business impact judgements can be made throughout an organisation. Its widespread use is key to undertaking business impact assessments in a consistent manner across an organisation, and is necessary to enable valid comparisons and relative judgements about business impact in different systems to be made.


Figure 5 below shows a sample of a Business Impact Reference Table. It explains the key fields and shows the different levels of impact (from Very high to Very low) for each business impact type.

Property of information: Confidentiality, Integrity or Availability (the property being assessed)

Ref | Business impact type | Appropriate measure | Level of impact: A Very high | B High | C Medium | D Low | E Very low

Financial
F1 | Loss of sales, orders or contracts (eg sales opportunities missed) | Financial impact | 20%+ | 11% to 20% | 6% to 10% | 1% to 5% | Less than 1%
F2 | Loss of tangible assets (eg fraud, theft of money, lost interest) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F3 | Penalties/legal liabilities (eg breach of legal, regulatory or contractual obligations) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F4 | Unforeseen costs (eg recovery costs) | Financial impact | $20m+ | $1m to $20m | $100K to $1m | $10K to $100K | Less than $10K
F5 | Depressed share price (eg sudden loss of share value) | Loss of share value | 25%+ | 11% to 25% | 6% to 10% | 1% to 5% | Less than 1%

Figure 5: Sample of a Business Impact Reference Table

NOTE

In some organisations, particularly those that are highly diversified, it may be necessary to create different Business Impact Reference Tables for use in different divisions or operating units. Where this is warranted, care should be taken to ensure use of each Business Impact Reference Table is restricted to the appropriate division or operating unit.

Key fields of the table:

• Property of information: the property of information being assessed (Confidentiality, Integrity or Availability)

• Category: the category of business impact (eg Financial, Operational, Customer-related, Employee-related)

• Business impact type: the main types of business impact that could occur as a result of an incident

• Appropriate measure: the appropriate measure for each type of business impact

• Level of impact: the level of impact that could occur (A Very high to E Very low)


For information risk analysts and those familiar with carrying out information risk analysis, creating a Business Impact Reference Table is a relatively straightforward undertaking. Using the example Business Impact Reference Table that accompanies this report as a starting point (see Appendix A: Tools, information sheets and forms to use in a business impact assessment) it is possible to develop one relatively quickly by carrying out the following three activities:

1. Determine the business impact types to be used

2. Determine business impact measures and values

3. Gain senior management (board level) sign off.

NOTE

It is recommended that the first two activities are undertaken in a workshop setting and should include the participation of business managers.

1. Determine the business impact types to be used

The business impact types that are used in a Business Impact Reference Table should be representative of what could happen in the event of the compromise of the confidentiality, integrity or availability of information. It is therefore important that these are selected with care and should be reviewed and subject to peer inspection to ensure they are correct.

Although there is a wide variety of possible business impacts that could occur there are a core set that are common to most organisations. The ISF has identified 15 business impact types that are representative of what can happen in most organisations and it is recommended that these are used as the basis for determining the appropriate ones in a specific organisation. These business impact types are shown in Table 1 opposite.


Table 1: ISF business impact types

Ref | Business impact type | Examples | Appropriate measure

Financial
F1 | Loss of sales, orders or contracts | Sales opportunities missed, orders not taken or contracts that cannot be signed. | Financial impact (%)
F2 | Loss of tangible assets | Fraud, theft of money and lost interest. | Financial impact ($)
F3 | Penalties/legal liabilities | Breach of legal, regulatory or contractual obligations. | Financial impact ($)
F4 | Unforeseen costs | Recovery costs, uninsured losses, increased insurance. | Financial impact ($)
F5 | Depressed share price | Sudden loss of share value, prolonged loss of share value, random share value fluctuation. | Loss of share value (%)

Operational
O1 | Loss of management control | Impaired decision-making, inability to monitor financial positions, process management failure. | Extent of loss of control
O2 | Loss of competitiveness | Repetitive production line failures, degraded customer service, introduction of new pricing policies. | Targets underachieved (%)
O3 | New ventures held up | Delayed new products, delayed entry into new markets, delayed mergers/acquisitions. | Extent of delay (time)
O4 | Breach of operating standards | Contravention of regulatory standards, quality or safety standards. | Extent of sanctions imposed

Customer-related
C1 | Delayed deliveries to customers or clients | Failure to meet product delivery deadlines, failure to complete contracts on time. | Extent of delay (time)
C2 | Loss of customers or clients | Customer/client defection to competitors, withdrawal of preferred supplier status by customer/client. | Percentage of customers lost (%)
C3 | Loss of confidence by key institutions | Adverse criticism by investors, regulators, customers or suppliers. | Extent of loss of confidence
C4 | Damage to reputation | Confidential financial information published in media, compromising internal memos broadcast by media. | Extent of negative publicity

Employee-related
E1 | Reduction in staff morale/productivity | Reduced efficiency, lost time, job losses. | Extent of loss of morale
E2 | Injury or death | Harm to staff, customers or suppliers associated with the organisation. | Number of incidents (n)

To identify the specific business impact types that are appropriate for the organisation, the business impact types identified in Table 1 above should be reviewed and any that are inappropriate should be amended or removed. In addition organisation-specific business impact types that may be required should be added at this stage (eg lost production, return on investment, R&D project failure).


2. Determine business impact measures and values

The measures and values that are used for each business impact type should also be appropriate for the organisation and meaningful to those taking part in a business impact assessment (see Figure 6 below). The measures should accurately reflect the business impact types and the values should reflect the gradation in the Level of impact ratings (ie Very high to Very low). These two elements combined should enable participants to easily determine the severity of impact that could occur.

Figure 6: Examples of business impact measures and values in a sample Business Impact Reference Table (the figure repeats the sample table shown in Figure 5, marking the Appropriate measure column as examples of business impact measures and the five Level of impact columns, A Very high to E Very low, as examples of business impact values)

NOTE

Members may wish to change business impact measures and values, where appropriate, to those that accurately represent their own organisation (eg a global financial institution is likely to require much larger Level of impact values than a medium sized manufacturing organisation).

It is recommended that the business impact types along with the measures and values identified in the example Business Impact Reference Table that accompanies this report should be used as the basis for developing organisation-specific measures and values.

NOTE

An example Business Impact Reference Table can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.



3. Gain senior management (board level) sign off

Once the organisation-specific Business Impact Reference Table has been fully populated it is important that it is underwritten at senior management or, preferably, at board level. Its use throughout the organisation can then be promoted effectively and it should be distributed for use by all staff who undertake business impact assessments and information risk analysis.

Senior management sign-off will help considerably in ensuring a single, consistent, approach to determining business impact is adopted.

The signed-off (definitive) Business Impact Reference Table should be placed under change control and any proposed amendments should be subject to a formal review process. When the Business Impact Reference Table is updated it should be distributed immediately to all relevant staff.
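The three activities above produce a table such as the sample in Figure 5. The following is an added example for this report, not the ISF’s BIA Assistant or any other ISF artefact: it parses band text written the way the sample table writes it, checks each row for gaps and overlapping boundaries before the table is signed off, and rates constructed estimates against it. The band grammar, the rating rule (a value takes the most severe level whose lower bound it reaches, so a loss of exactly $20m rates A) and the worst-rating-wins roll-up per property are this example’s own assumptions; the report’s own method for determining overall results is in Part 5 and is not reproduced here.

```python
"""Business Impact Reference Table: band parsing, consistency checks, rating.
Added example for this report, not the ISF's BIA Assistant. Bands copy the
sample table in Figure 5; the band grammar, the rating rule and the worst
case roll-up per property are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("A", "B", "C", "D", "E")  # Very high .. Very low, as in Figure 5
_SUFFIX = {"k": 1e3, "m": 1e6}


def _number(tok: str) -> float:
    """'$20m' -> 20e6, '$100K' -> 1e5, '11%' -> 11.0 (units are not checked)."""
    t = tok.strip().lstrip("$").rstrip("%").lower()
    mult = _SUFFIX.get(t[-1], 1.0)
    if t[-1] in _SUFFIX:
        t = t[:-1]
    return float(t.replace(",", "")) * mult


def parse_band(text: str) -> Tuple[float, float, bool]:
    """Band text -> (low, high, high_inclusive): 'X to Y' is taken as
    inclusive at both ends, 'Less than X' as [0, X), 'X+' as [X, inf)."""
    s = text.strip()
    if s.lower().startswith("less than"):
        return 0.0, _number(s[len("less than"):]), False
    if s.endswith("+"):
        return _number(s[:-1]), float("inf"), True
    m = re.fullmatch(r"(.+?)\s+to\s+(.+)", s)
    if not m:
        raise ValueError(f"unrecognised band: {text!r}")
    return _number(m.group(1)), _number(m.group(2)), True


@dataclass(frozen=True)
class ImpactType:
    ref: str
    name: str
    measure: str
    bands: Tuple[str, str, str, str, str]  # text for levels A .. E


def check_bands(it: ImpactType) -> List[str]:
    """Gaps and overlaps between neighbouring levels. The sample table repeats
    boundary values ('$1m to $20m' beside '$20m+'), so exactly $20m would
    sit in two bands unless a convention is declared."""
    problems = []
    parsed = [parse_band(b) for b in it.bands]
    for i in range(len(parsed) - 1):
        hi_low = parsed[i][0]                 # lower bound of the more severe level
        _, lo_high, lo_incl = parsed[i + 1]   # upper bound of the next level down
        pair = f"{it.ref} levels {LEVELS[i + 1]}/{LEVELS[i]}"
        if lo_high < hi_low:
            problems.append(f"{pair}: gap between {lo_high:,.0f} and {hi_low:,.0f}")
        elif lo_high > hi_low or (lo_high == hi_low and lo_incl):
            problems.append(f"{pair}: overlap at {hi_low:,.0f}")
    return problems


def rate(it: ImpactType, value: float) -> str:
    """Most severe level whose lower bound the value reaches (assumed rule:
    a value on a shared boundary takes the more severe level)."""
    for level, band in zip(LEVELS, it.bands):
        if value >= parse_band(band)[0]:
            return level
    return "E"


def assess(table: Dict[str, ImpactType],
           estimates: Dict[str, Dict[str, float]]) -> Dict[str, str]:
    """Per-property rating = worst rating over the estimated impact types
    (assumed roll-up), plus the worst case over all properties as 'overall'."""
    result = {}
    for prop, values in estimates.items():
        ratings = [rate(table[ref], v) for ref, v in values.items()]
        result[prop] = min(ratings) if ratings else "E"  # 'A' < 'B', so min is worst
    result["overall"] = min(result.values())
    return result


MONEY = ("$20m+", "$1m to $20m", "$100K to $1m", "$10K to $100K", "Less than $10K")
# Sample Business Impact Reference Table, copied from Figure 5 of the report.
SAMPLE_TABLE = {t.ref: t for t in (
    ImpactType("F1", "Loss of sales, orders or contracts", "Financial impact (%)",
               ("20%+", "11% to 20%", "6% to 10%", "1% to 5%", "Less than 1%")),
    ImpactType("F2", "Loss of tangible assets", "Financial impact ($)", MONEY),
    ImpactType("F3", "Penalties/legal liabilities", "Financial impact ($)", MONEY),
    ImpactType("F4", "Unforeseen costs", "Financial impact ($)", MONEY),
    ImpactType("F5", "Depressed share price", "Loss of share value (%)",
               ("25%+", "11% to 25%", "6% to 10%", "1% to 5%", "Less than 1%")),
)}
# Constructed estimates for a hypothetical sales order processing system.
SAMPLE_ESTIMATES = {
    "confidentiality": {"F3": 250_000, "F5": 2},
    "integrity": {"F2": 1_000_000, "F1": 8},
    "availability": {"F1": 12, "F4": 60_000},
}

if __name__ == "__main__":
    for it in SAMPLE_TABLE.values():
        print(*check_bands(it), sep="\n")
    print(assess(SAMPLE_TABLE, SAMPLE_ESTIMATES))
```

Run against the sample table, check_bands reports that every financial row shares its boundary values between neighbouring levels and that the percentage rows leave gaps between whole-percent bands. An organisation building its own table should settle the convention (half-open bands or a rounding rule) before sign-off and record it on the table itself, so that every workshop rates a boundary value the same way and the change-controlled table, not the facilitator, decides the answer.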

Identifying systems to be assessed

Before any business impact assessment is undertaken within an organisation the systems to which it should be applied should first be identified. This enables the scale of work to be determined and the relative priority of systems that should undergo business impact assessment to be identified.

Regardless of their type or nature all systems under development should be subjected to business impact assessment. This should be an inherent part of the systems development life-cycle and therefore triggered when a new systems development project is initiated.

In live environments, organisations will typically face a backlog of systems that need to undergo information risk analysis (and therefore business impact assessment). Determining the order in which these systems should undergo business impact assessment is problematic and some form of ranking will typically be required to establish the priority of systems.


Organisations should first determine the inventory of all main systems in the organisation. Once this undertaking has been completed there are a variety of different methods that can be used to identify those systems which appear to be of greater importance than others, such as the:

• importance of the system to senior management (eg a system may be very important to the success of the organisation and subject to a high degree of senior management scrutiny)

• experience of incidents (eg a high number of recent incidents may make a system worthy of specific attention)

• advice from internal audit (eg to undertake information risk analysis on specific systems)

• recommendations from business and IT experts (eg using experts within the organisation to help identify those systems which are key to its operation).

While all of the above factors have their merits, it is recommended that a more objective approach is taken, based on the criticality assessment in the Information Risk Scorecard from the ISF’s FIRM methodology (see Figure 7 below, taken from the ISF’s report Fundamental Information Risk Management (FIRM): Implementation Guide). This quick, easy-to-use approach gives a high-level view of the confidentiality, integrity and availability requirements of a system and allows the relative importance of different systems to be compared easily.

Figure 7: Criticality assessment (from the FIRM’s Information Risk Scorecard)

The FIRM criticality assessment can be carried out relatively quickly and different systems can easily be compared using the calculation guidelines in FIRM (see the ISF’s report Fundamental Information Risk Management (FIRM): Supporting Material) or by simply comparing the values for Loss of confidentiality, Loss of integrity and Loss of availability.

Information Risk Scorecard (Reference / Monitoring period)

1 Criticality

1. What is the maximum level of harm that the business could suffer if key information held in, processed or transmitted by the information resource were to be accidentally or deliberately:

   Disclosed to the wrong people? (Loss of confidentiality)

   Falsified or otherwise corrupted? (Loss of integrity)

   Rendered unavailable for: (Loss of availability for defined periods of time)
   - Less than an hour? - Half a day or so? - A day? - 2-3 days? - A week? - A month?

Please enter one of the following in each box to indicate the maximum possible level of harm:

   A Extremely serious harm
   B Very serious harm
   C Serious harm
   D Minor harm
   E No significant harm
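As an added example (not the FIRM Information Risk Scorecard itself, nor the FIRM calculation guidelines, which this report only refers to), the Python below records the criticality answers for a constructed backlog of live systems on the A to E harm scale of Figure 7, checks that the availability answers do not become less harmful as the outage grows longer, and orders the systems by their worst rating and by how short an outage already causes serious harm. The ordering rule, the nominal hours assigned to each outage period and the sample systems are this example’s assumptions.

```python
"""Prioritising live systems for BIA from FIRM criticality ratings.

Added example; it is neither the FIRM Information Risk Scorecard nor the
FIRM calculation guidelines, which this report only refers to. The A..E
harm scale and the outage periods come from Figure 7; the consistency
check, the ordering rule, the nominal hours per period and the sample
systems are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HARM = ("A", "B", "C", "D", "E")  # Extremely serious .. No significant harm
PERIODS = (("less than an hour", 1), ("half a day or so", 12), ("a day", 24),
           ("2-3 days", 72), ("a week", 168), ("a month", 720))


@dataclass(frozen=True)
class Criticality:
    system: str
    confidentiality: str            # harm if disclosed to the wrong people
    integrity: str                  # harm if falsified or otherwise corrupted
    availability: Tuple[str, ...]   # harm per outage period, same order as PERIODS


def check(c: Criticality) -> List[str]:
    """Problems a facilitator should query before the scorecard is used:
    unknown ratings, a missing period, or a longer outage rated less harmful
    than a shorter one (harm must not fall as the outage grows)."""
    problems = []
    for r in (c.confidentiality, c.integrity, *c.availability):
        if r not in HARM:
            problems.append(f"{c.system}: unknown rating {r!r}")
    if len(c.availability) != len(PERIODS):
        problems.append(f"{c.system}: expected {len(PERIODS)} availability ratings")
    elif list(c.availability) != sorted(c.availability, reverse=True):
        problems.append(f"{c.system}: availability harm decreases with a longer outage")
    return problems


def worst(c: Criticality) -> str:
    """Single most serious rating on the scorecard ('A' sorts lowest)."""
    return min(c.confidentiality, c.integrity, *c.availability)


def hours_to_harm(c: Criticality, threshold: str = "C") -> Optional[int]:
    """Shortest outage period already rated at `threshold` or worse, in
    nominal hours; None if no period reaches it. A rough outage tolerance."""
    for (_, hours), rating in zip(PERIODS, c.availability):
        if rating <= threshold:
            return hours
    return None


def rank(systems: List[Criticality]) -> List[Criticality]:
    """Most critical first: worst rating, then how soon an outage becomes
    serious, then confidentiality, then integrity."""
    never = max(h for _, h in PERIODS) + 1

    def key(c: Criticality):
        h = hours_to_harm(c)
        return (worst(c), never if h is None else h, c.confidentiality, c.integrity)

    return sorted(systems, key=key)


# Constructed scorecard results for four hypothetical live systems.
SAMPLE_SYSTEMS = [
    Criticality("Sales order processing", "C", "B", ("D", "C", "B", "B", "A", "A")),
    Criticality("HR self-service portal", "B", "C", ("E", "E", "D", "D", "C", "B")),
    Criticality("Intranet news site", "E", "D", ("E", "E", "E", "D", "D", "C")),
    Criticality("Payments gateway", "B", "A", ("C", "B", "A", "A", "A", "A")),
]

if __name__ == "__main__":
    for c in SAMPLE_SYSTEMS:
        for p in check(c):
            print("scorecard check:", p)
    for c in rank(SAMPLE_SYSTEMS):
        h = hours_to_harm(c)
        print(f"{c.system:24s} worst={worst(c)}  serious harm after "
              f"{'n/a' if h is None else str(h) + 'h'}")
```

The ordering puts the payments gateway first even though its confidentiality rating is no worse than the HR portal’s, because an outage of under an hour already reaches serious harm; that is the kind of relative judgement the backlog ranking is meant to surface. Where the FIRM calculation guidelines are available they should replace the ordering rule assumed here.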


Part 4 The ISF approach to business impact assessment

Introduction

The ISF approach to conducting business impact assessment is a straightforward undertaking that uses a structured process and easy-to-use tools.

This part of the report provides a brief overview of the main steps required to conduct a business impact assessment and the key tools that are used to support the process.

NOTE

Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the tools, forms, information sheets and other supporting documents that are referred to in this part of the report.

Key characteristics of the ISF’s approach to business impact assessment

The ISF’s approach to business impact assessment is based on practical experience and the needs of its Members. The key characteristics of this approach are shown in Figure 8 below.

Figure 8: Key characteristics of the ISF’s approach to business impact assessment

Characteristic | Examples

Non-technical
• Uses business language.
• Based on participation by business managers.
• Key decisions in the assessment taken by business managers.

Easy-to-use
• Clear and business-oriented approach.
• Process-based with step-by-step guidance for the information risk analyst.
• Straightforward tools and forms.

Flexible and scalable
• Can be applied to any type of system (eg e-commerce applications, back office applications, manufacturing applications).
• Can be used on any size of system (eg single user, department-wide, enterprise-wide).
• Can be used on live systems and those under development.

Comprehensive and thorough
• Covers everything required to perform a business impact assessment - from preparation through to analysis of results.
• Explains in detail all key steps that need to be undertaken.


The business impact assessment process

The main objectives of the ISF approach to business impact assessment are to determine the business security requirements for a system and identify the appropriate next steps that need to be taken to adequately protect information in that system.

These objectives are achieved by assessing the possible business impact that could arise as a result of the compromise of the confidentiality, integrity and availability of information.

The business impact assessment process is shown in Figure 9 below.

Figure 9: Key steps and activities in the business impact assessment process


The business impact assessment process has been developed to ensure possible business impact is assessed rigorously, business security requirements determined and the appropriate next steps identified clearly.

The process is designed to be undertaken sequentially and should ideally (based on Member experience) be conducted in a workshop setting in order to maximise the input from business managers and to ensure transparency and objectivity in the process.

A brief overview of the purpose, the duration, the tools, information sheets and forms that are used and the outputs that are produced in performing a business impact assessment is shown in Table 2 below.

Table 2: Overview of the business impact assessment process

Preparing for a business impact assessment

A – Determining the system profile
Purpose: To gather key background information about the system to be assessed.
Duration: ~1 day
Tools, information sheets and forms used: Blank System Profile form
Main outputs: Completed System Profile form

B – Planning the assessment
Purpose: To plan and prepare the meeting for the business impact assessment.
Duration: ~120 mins
Tools, information sheets and forms used: Example invitation letter; Information sheets; Agenda for the BIA
Main outputs: Completed invitation letter; Information sheets

Conducting a business impact assessment

A – Introducing the assessment
Purpose: To set the scene for the assessment and familiarise participants with the system to be assessed and the main tools that will be used.
Duration: ~30 mins
Tools, information sheets and forms used: BIA Presentation; BIA Assistant; Completed System Profile form; Business Impact Reference Table; Information sheets
Main outputs: Not applicable

B – Assessing business impact
Purpose: To assess possible business impact for confidentiality, integrity and availability.
Duration: ~90 mins
Tools, information sheets and forms used: BIA Presentation; BIA Assistant; Business Impact Reference Table; Blank Business Impact Rating forms
Main outputs: Completed Business Impact Rating form for confidentiality; Completed Business Impact Rating form for integrity; Completed Business Impact Rating form for availability

C – Determining overall results
Purpose: To determine the business security requirements and overall security classification for the system.
Duration: ~15 mins
Tools, information sheets and forms used: BIA Presentation; BIA Assistant; Blank Business Impact Assessment Summary form
Main outputs: Partially completed Business Impact Assessment Summary form

D – Reviewing results
Purpose: To review the results of the assessment and determine the next steps that need to be taken.
Duration: ~15 mins
Tools, information sheets and forms used: BIA Presentation; BIA Assistant; Partially completed Business Impact Assessment Summary form
Main outputs: Completed Business Impact Assessment Summary form

NOTE

The timescales required to undertake each of the above steps are approximate and will vary according to the complexity of the system being assessed and the experience of the information risk analyst.

The main tools and forms that are used to conduct a business impact assessment that are identified in Table 2 are now described in more detail in the following section.


Tools and forms to help conduct a business impact assessment

The ISF approach to business impact assessment uses five main tools and forms to help information risk analysts conduct a business impact assessment. These are shown in Figure 10 below.

BIA Presentation

The BIA Presentation (see Appendix A: Tools, information sheets and forms to use in a business impact assessment) is used by the information risk analyst to guide participants through the business impact assessment.

Business Impact Reference Table

A Business Impact Reference Table is used by participants to determine the level of business impact that could occur as a result of the loss of confidentiality, integrity and availability of information.

Business Impact Rating forms

Business Impact Rating forms are used by the information risk analyst to record the ratings for each business impact type from the participants’ use of the Business Impact Reference Table.

Business Impact Assessment Summary form

The Business Impact Assessment Summary form is used to record the overall results from the assessment, including the Key Business Impact Assessment Ratings and the Overall Security Classification.

BIA Assistant

The BIA Assistant (see Appendix A: Tools, information sheets and forms to use in a business impact assessment) is a spreadsheet-based tool that captures business impact ratings from a Business Impact Reference Table and automatically transfers them to the Business Impact Rating form and then to the Business Impact Assessment Summary form.

Figure 10: Tools and forms used to conduct a business impact assessment

Each of the tools and forms shown in Figure 10 are described in detail in Part 5: Performing a business impact assessment.

Part 5 Performing a business impact assessment

Introduction

In order to conduct effective business impact assessments in different system environments it is important to employ a process that is structured and consistent.

The ISF’s business impact assessment process has been developed with this in mind. It has been designed to meet the Member requirement for an approach that is not only flexible, easy-to-use and practical but also thorough and action oriented.

As described earlier there are two main parts to performing a business impact assessment. These parts and their key steps are shown in Figure 11 below and then described in detail in the sections that follow.

Figure 11: Key steps in the business impact assessment process

NOTE

Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for details of all of the tools, information sheets, forms and other supporting documents that are referred to in this part of the report.

The importance of workshops

Members of the ISF have confirmed that, ideally, business impact assessments should be conducted in a workshop setting with participants taking part who represent appropriate parts of the organisation.

With good facilitation (a key requirement) workshops provide an environment in which business impact can be fully and objectively discussed. They enable business staff to exchange ideas and reach a common view on the importance of a system and, ultimately, its business security requirements.

It is recognised, however, that due to the dispersed nature of many organisations convening a workshop may not always be possible. In these circumstances (or where a business impact assessment must be conducted in short timescales) either video-conferencing or telephone-conferencing technologies should be used or, alternatively, individual interviewing.

Preparing for a business impact assessment

Before a business impact assessment is conducted there are a number of preparatory steps that should be undertaken to ensure it is effective and successful. The main steps that should be carried out at this stage are:

A – Determining the system profile

B – Planning the assessment

These two steps are explained below.

A – Determining the system profile

Prior to undertaking a business impact assessment it is important to gather background information about the system to be assessed. This information provides a profile of the system and in particular gives an insight into its function, scale and relative importance before a business impact assessment is undertaken.

In gathering background information the main characteristics of the system should be determined. Typical information that is likely to be required includes:

• key staff involved in the system (eg system owner)
• business function of the system (eg funds transfer)
• scale of activity (eg number of users)
• key trends (eg increases/decreases in operating costs)
• technical details (eg network type).

Gathering this information will typically necessitate interviewing a number of key staff, and in particular the system owner (or their appropriate representative).

NOTE

A blank System Profile form that can be used to gather information about a system can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.

TIP

Interviewing the system owner (or their representative) provides a good opportunity to reinforce the requirement for conducting a business impact assessment and the importance and need for effective information risk management.

By analysing the information on the System Profile form it is possible to form an initial view of the relative importance of the system to the organisation. In organisations where there are many systems that require a business impact assessment to be conducted, this information can be used to help prioritise the order in which assessments take place (see Identifying systems to be assessed in Part 3: Establishing a business impact assessment programme).

TIP

The information gathered about a system in a System Profile form should be retained for use in later phases of the information risk analysis process.

B – Planning the assessment

To ensure a business impact assessment runs smoothly and is effective it is important that it is planned in a thorough manner. The two most important actions that should be undertaken at this stage are to determine with the system owner the date when the business impact assessment should take place and to identify the key staff (eg representatives from key business functions and IT management) who should take part.

For new systems the schedule of when a business impact assessment should be held is determined by the systems development life-cycle (eg a business impact assessment would ideally be undertaken during the project initiation stage). For live systems the date for undertaking a business impact assessment will largely depend on the system owner but may be influenced by factors such as the availability of key staff, the timing of important processes (eg end-of-month processing) and concerns about the adequacy of existing measures to manage information risk.

TIP

To ensure the judgements that are made about business impact and the business security requirements for a system are objective and representative, key staff from a variety of business functions should be identified to attend the business impact assessment.

Once the date for the business impact assessment has been agreed and the prospective participants determined, a formal agenda, invitation letter and information sheets about business impact assessment should be sent out.

NOTE

An example invitation letter and information sheets that can be used to inform staff about a business impact assessment can be found in the pocket at the end of the printed version of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.

Conducting a business impact assessment

In conducting a business impact assessment the following steps should be undertaken:

A – Introducing the assessment

B – Assessing business impact

C – Determining overall results

D – Reviewing results

These four steps are explained below.

NOTE

A presentation (entitled BIA Presentation) has been developed to accompany this report. This presentation, which can be customised by the information risk analyst, is designed to lead participants through each stage of a business impact assessment. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this presentation can be found.

A – Introducing the assessment

The main objective of this step is to ensure participants are adequately prepared to take part in the assessment.

The key activities to be undertaken during this step of the process are:

A1 – Set the scene for the assessment

A2 – Provide overview of the system

A3 – Familiarise participants with the tools and forms.

This section of the report describes these activities and explains how they should be carried out.

Activity title: A1 – Set the scene for the assessment

Objective: To explain the purpose of the business impact assessment and provide the business context for undertaking business impact assessment.

At the commencement of the business impact assessment participants should be provided with a brief overview of the agenda, an explanation of the purpose of the business impact assessment and an insight into the business reasons for conducting the business impact assessment.

The following items should be covered in the introduction:

• welcome and round table introductions
• agenda and timings
• purpose of the business impact assessment
• what is business impact assessment?
• why carry out a business impact assessment?

NOTE

Slides covering the above items are contained in the BIA Presentation.

Explaining the nature and use of information

In many cases staff attending a workshop or being interviewed as part of a business impact assessment will not have a technical background and will therefore have a limited understanding of the nature and use of information and how it can be compromised. Furthermore the concept of information having different properties – confidentiality, integrity and availability – will also be unfamiliar to most participants.

To ensure those taking part in a business impact assessment are able to make a full and worthwhile contribution it is important that the information risk analyst provides a thorough explanation of information and should cover the:

• definition of information (eg facts that convey meaning)
• main types of information that are used in the workplace (eg data, paper, speech, phone-calls)
• main ways in which information is acted on in a system (eg stored, processed or transferred)
• key properties of information (ie confidentiality, integrity, availability)
• threats to information and the controls that are required to ensure it is adequately protected.

TIP

To introduce and explain the concept of the different properties of information it is recommended to use the examples of compromises of confidentiality, integrity and availability that are contained in the information sheet Why we need to protect our information (located in the pocket at the end of the printed version of this report). Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.

In addition to the agenda and the attendance list it is recommended that all participants are provided with a pack of reference material. This pack should include the items identified in Table 3 below.

Table 3: Contents of a business impact assessment reference pack

Item name                                        Brief description
BIA Presentation                                 The slides from the presentation used by the information risk analyst to guide participants through the business impact assessment.
Business Impact Reference Table                  The organisation's approved Business Impact Reference Table.
Business Impact Rating forms                     Blank Business Impact Rating forms that can be used by participants to record their own ratings and comments.
(for confidentiality, integrity and availability)
Business Impact Assessment Summary form          Blank Business Impact Assessment Summary form that can be used by participants to record their own ratings and comments.
System Profile form                              A brief profile of the key business and technical characteristics of the system.
Information sheets:
  • Why we need to protect our information       Information sheets sent to participants prior to a business impact assessment – included for reference purposes.
  • Determining the business requirement for
    information security
  • Threats to information                       Information sheets provided to participants during a business impact assessment – included for reference purposes.
  • The business impact of incidents

NOTE

Printed versions of the Business Impact Reference Table, Business Impact Rating forms, Business Impact Assessment Summary form, System Profile form and information sheets can be found in the pocket at the end of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.

The information risk analyst should explain the contents of the pack and how it should be used during the business impact assessment.

Activity title: A2 – Provide overview of the system

Objective: To brief business impact assessment participants on the key characteristics of the system.

After the introduction to the business impact assessment, participants should be briefed on the key characteristics of the system being assessed. Typically taken from the System Profile form, this information should be used to ensure all business impact assessment participants have a common understanding of the:

• function of the system (eg product sales)
• scale of the system (eg high volume of low to medium-value transactions)
• importance to the organisation (eg very important system, accounts for 25% of revenue)
• technical make-up of the system (eg internet-based).

TIP

It is important to ensure all participants are well informed and have a common understanding of the system if sound judgements about business impact are to be made during the business impact assessment.

Activity title: A3 – Familiarise participants with the tools and forms

Objective: To ensure participants understand the tools and forms that will be used in the business impact assessment.

Before commencing the assessment of business impact it is important that participants understand the main tools and forms that will be used in the business impact assessment.

This activity is concerned with familiarising participants with the:

• Business Impact Reference Table
• Business Impact Rating forms
• Business Impact Assessment Summary form
• BIA Assistant.

The information risk analyst facilitating the business impact assessment should show and explain the contents and use of each of the above tools and forms. Particular emphasis should be placed on the Business Impact Reference Table that is approved for use within the organisation.

NOTE

The BIA Presentation contains slides that explain the business impact assessment process and the tools and forms that should be used.

At this stage it is recommended that the process for transferring results between the Business Impact Reference Table and the Business Impact Rating forms is explained and also how the summary information from the Business Impact Rating forms is transferred to the Business Impact Assessment Summary form.

NOTE

A spreadsheet-based tool (entitled BIA Assistant) for capturing the results of a business impact assessment has been developed to accompany this report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this tool can be found.

B – Assessing business impact

This step of the business impact assessment process is concerned with assessing business impact for a loss of confidentiality, integrity and availability. The main objective of this step is to ensure participants assess business impact in an objective and considered manner.

The key activities to be undertaken during this step of the process are:

B1 – Assess possible business impact for a loss of confidentiality

B2 – Assess possible business impact for a loss of integrity

B3 – Assess possible business impact for a loss of availability.

This section of the report describes these activities and explains how they should be carried out.

When assessing business impact using the Business Impact Reference Table, business impact assessment participants should be requested to follow the steps shown in Figure 12 below.

Business Impact Reference Table (extract showing the financial business impact types)

Property of information                                                            Level of impact
Ref.  Business impact type                                   Appropriate measure   A: Very high   B: High        C: Medium      D: Low          E: Very low
Financial
F1    Loss of sales, orders or contracts                     Financial impact      20%+           11% to 20%     6% to 10%      1% to 5%        Less than 1%
      (eg sales opportunities missed)
F2    Loss of tangible assets                                Financial impact      $20m+          $1m to $20m    $100K to $1m   $10K to $100K   Less than $10K
      (eg fraud, theft of money, lost interest)
F3    Penalties/legal liabilities                            Financial impact      $20m+          $1m to $20m    $100K to $1m   $10K to $100K   Less than $10K
      (eg breach of legal, regulatory or contractual obligations)
F4    Unforeseen costs (eg recovery costs)                   Financial impact      $20m+          $1m to $20m    $100K to $1m   $10K to $100K   Less than $10K
F5    Depressed share price (eg sudden loss of share value)  Loss of share value   25%+           11% to 25%     6% to 10%      1% to 5%        Less than 1%

Steps to follow for each property of information:

1. Examine the business impact type

2. Determine the most serious impact that could possibly occur

3. Reach a consensus as a group and record the level of impact

4. Repeat for the remaining business impact types

Figure 12: Assess possible business impact

NOTE

When assessing the level of impact for a loss of availability, each duration of outage (ie an hour, a day, 2-3 days, a week, a month) will need to be assessed for each business impact type (see B3 – Assess possible business impact for a loss of availability).

Business Impact Rating: Confidentiality
Business impact rating: A – Very high, B – High, C – Medium, D – Low, E – Very low

Business impact of unintended or unauthorised disclosure of information (most serious case). In the original form each impact type is rated by marking one of the columns A to E with an X; the column positions are not preserved in this text version, so only the presence of a mark is shown.

Ref.  Business impact type                        Rated  Explanatory comments
Financial
F1    Loss of sales, orders or contracts          X      Disclosure of pricing information would seriously damage sales.
F2    Loss of tangible assets                     X
F3    Penalties/legal liabilities                 X
F4    Unforeseen costs                            X
F5    Depressed share price                       X
Operational
O1    Loss of management control                  X
O2    Loss of competitiveness                     X      Disclosure of pricing information would undermine competitiveness.
O3    New ventures held up                        X
O4    Breach of operating standards               X
Customer-related
C1    Delayed deliveries to customers or clients  X
C2    Loss of customers or clients                X      Pricing information disclosure would lead to customer losses.
C3    Loss of confidence by key institutions      X
C4    Damage to reputation                        X
Employee-related
E1    Reduction in staff morale/productivity      X
E2    Injury or death                             X

Overall Rating                                    X
In summary, taking into account the ratings noted above and any other consequence, what is the most serious impact which would arise from unintended or unauthorised disclosure of information? (This would normally be at least as high as the highest individual rating)

Figure 13: Example Business Impact Rating form for Confidentiality

Activity title: B1 – Assess possible business impact for a loss of confidentiality

Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the confidentiality of information in the system.

In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term ‘confidentiality’, how it can be compromised and what impact this could have on the organisation.

Accordingly the information risk analyst should ask participants to consider:

• what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?

• how could the confidentiality of this information be compromised (eg hacking into systems or theft of proprietary business information)?

• what would be the business impact that could arise from the compromise of the confidentiality of this information (eg disclosure of pricing information to a competitor)?

TIP

To help participants understand the above it is recommended that a scenario is developed based around real life examples of incidents taken from within the organisation (or a similar organisation).

In completing the steps required to assess business impact participants should use the organisation’s approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:

1. Examine the business impact type.

2. Determine the most serious impact that could possibly occur.

3. Reach a consensus as a group and record the level of impact (see Figure 13 opposite).

4. Repeat for the remaining business impact types.

For ratings of Very high and High an explanation of how a loss of confidentiality could be damaging to the business should be recorded in the Explanatory comments.

When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating recorded for a business impact type.
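The lookup against the Business Impact Reference Table in Figure 12 and the two form rules just described (an explanatory comment for every Very high or High rating, and an Overall Rating that is at least as high as the highest individual rating) can be checked mechanically. The following is an added example written for this page; it is not the ISF's BIA Assistant. The thresholds are the ones printed in Figure 12; the sales-system figures in `confidentiality_example` are constructed, and the handling of values that fall between two printed bands (eg 10.5%) is an assumption stated in the comments.

```python
"""Business Impact Reference Table lookup and rating-form checks (added example)."""
from typing import Dict, Optional

LEVELS = "ABCDE"  # A = Very high ... E = Very low; alphabetically smaller = more serious
LEVEL_NAMES = {"A": "Very high", "B": "High", "C": "Medium", "D": "Low", "E": "Very low"}

# Financial rows of the reference table (Figure 12): lower bounds of bands A, B, C
# and D; anything below the D bound is E. Percent rows are a percentage of sales or
# of share value; money rows are in dollars. The printed bands leave gaps (eg
# "6% to 10%" is followed by "11% to 20%"); ASSUMPTION: a value in a gap takes the
# band whose lower bound it has reached.
REFERENCE_TABLE = {
    "F1": ("Loss of sales, orders or contracts", "percent", (20, 11, 6, 1)),
    "F2": ("Loss of tangible assets", "dollars", (20e6, 1e6, 100e3, 10e3)),
    "F3": ("Penalties/legal liabilities", "dollars", (20e6, 1e6, 100e3, 10e3)),
    "F4": ("Unforeseen costs", "dollars", (20e6, 1e6, 100e3, 10e3)),
    "F5": ("Depressed share price", "percent", (25, 11, 6, 1)),
}


def lookup_level(ref: str, value: float) -> str:
    """Map the most serious plausible loss for a financial impact type to A..E."""
    _, _, bounds = REFERENCE_TABLE[ref]
    for level, bound in zip("ABCD", bounds):
        if value >= bound:
            return level
    return "E"


class RatingForm:
    """One Business Impact Rating form (confidentiality or integrity)."""

    def __init__(self, property_name: str) -> None:
        self.property_name = property_name
        self.ratings: Dict[str, str] = {}   # impact type ref -> level
        self.comments: Dict[str, str] = {}  # impact type ref -> explanatory comment

    def record(self, ref: str, level: str, comment: Optional[str] = None) -> None:
        """Record the group's consensus rating for one impact type. The report asks
        for an explanatory comment whenever a type is rated Very high or High."""
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        if level in "AB" and not comment:
            raise ValueError(
                f"{ref}: rating {level} ({LEVEL_NAMES[level]}) needs an explanatory comment")
        self.ratings[ref] = level
        if comment:
            self.comments[ref] = comment

    def highest_individual(self) -> str:
        """Most serious rating recorded for any single impact type."""
        return min(self.ratings.values())

    def overall_rating(self, agreed: Optional[str] = None) -> str:
        """Overall Rating: the group's agreed figure, but never less serious than the
        highest individual rating (the report's 'at least as high' rule)."""
        floor = self.highest_individual()
        if agreed is None or agreed > floor:  # 'C' > 'B': agreed is less serious
            return floor
        return agreed


def confidentiality_example() -> RatingForm:
    """Constructed figures for a sales system (not taken from the report)."""
    form = RatingForm("Confidentiality")
    # Financial types are looked up from the reference table ...
    form.record("F1", lookup_level("F1", 12),   # 12% of sales lost -> B
                "Disclosure of pricing information would seriously damage sales.")
    form.record("F2", lookup_level("F2", 50_000))      # $50K -> D
    form.record("F3", lookup_level("F3", 250_000))     # $250K -> C
    # ... non-financial types are rated directly by the participants' judgement.
    form.record("O2", "B", "Disclosure of pricing information would undermine competitiveness.")
    form.record("E2", "E")
    return form


if __name__ == "__main__":
    f = confidentiality_example()
    for ref, level in f.ratings.items():
        print(ref, level, LEVEL_NAMES[level], f.comments.get(ref, ""))
    print("Overall Rating:", f.overall_rating())
```

Running the block prints the constructed form and an Overall Rating of B; passing a less serious agreed value such as `overall_rating("C")` still returns B, while a more serious `overall_rating("A")` is accepted, which is exactly the "at least as high as the highest individual rating" behaviour the form asks for.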

Business Impact Rating: Integrity
Business impact rating: A – Very high, B – High, C – Medium, D – Low, E – Very low

Business impact of errors in information or of deliberate manipulation of information to perpetrate or conceal fraud (most serious case). In the original form each impact type is rated by marking one of the columns A to E with an X; the column positions are not preserved in this text version, so only the presence of a mark is shown.

Ref.  Business impact type                        Rated  Explanatory comments
Financial
F1    Loss of sales, orders or contracts          X
F2    Loss of tangible assets                     X
F3    Penalties/legal liabilities                 X
F4    Unforeseen costs                            X
F5    Depressed share price                       X
Operational
O1    Loss of management control                  X      Corrupted end-of-month data will lead to poor decision making.
O2    Loss of competitiveness                     X
O3    New ventures held up                        X
O4    Breach of operating standards               X
Customer-related
C1    Delayed deliveries to customers or clients  X      Corrupted order information will cause delivery delays.
C2    Loss of customers or clients                X
C3    Loss of confidence by key institutions      X
C4    Damage to reputation                        X
Employee-related
E1    Reduction in staff morale/productivity      X
E2    Injury or death                             X

Overall Rating                                    X
In summary, taking into account the ratings noted above and any other consequence, what is the most serious impact which would arise from errors or unauthorised changes to information? (This would normally be at least as high as the highest individual rating)

Figure 14: Example Business Impact Rating form for Integrity

Activity title: B2 – Assess possible business impact for a loss of integrity

Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the integrity of information in the system.

In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term ‘integrity’, how it can be compromised and what impact this could have on the organisation.

Accordingly the information risk analyst should ask participants to consider:

• what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?

• how could the integrity of this information be compromised (eg misuse of systems to commit fraud, or errors by staff)?

• what would be the business impact that could arise from the compromise of the integrity of this information (eg corrupted customer order information)?

TIP

To help participants understand the above it is recommended that a scenario is developed based around real life examples of incidents taken from within the organisation (or a similar organisation).

In completing the steps required to assess business impact participants should use the organisation’s approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:

1. Examine the business impact type.

2. Determine the most serious impact that could possibly occur.

3. Reach a consensus as a group and record the level of impact (see Figure 14 opposite).

4. Repeat for the remaining business impact types.

For ratings of Very high and High an explanation of how a loss of integrity could be damaging to the business should be recorded in the Explanatory comments.

When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating recorded for a business impact type.

Business Impact Rating: Availability
Business impact rating: A – Very high, B – High, C – Medium, D – Low, E – Very low

Business impact of a prolonged outage of the system (most serious case)

                                                  Duration of outage
Ref.  Business impact type                        An hour  A day  2-3 days  A week  A month  Explanatory comments
Financial
F1    Loss of sales, orders or contracts          B        B      B         A       A        Any system outage would prevent tele-sales being processed.
F2    Loss of tangible assets                     E        D      C         C       C
F3    Penalties/legal liabilities                 E        D      C         C       C
F4    Unforeseen costs                            E        D      C         C       B        Manual fall-back will be required.
F5    Depressed share price                       E        D      D         C       C
Operational
O1    Loss of management control                  E        D      C         B       B        Levels of stock and ordering requirements will be unknown.
O2    Loss of competitiveness                     E        D      C         C       C
O3    New ventures held up                        E        D      B         B       A        The launch of new products would be prevented.
O4    Breach of operating standards               E        E      E         E       E
Customer-related
C1    Delayed deliveries to customers or clients  E        D      C         C       C
C2    Loss of customers or clients                E        D      C         C       B        Customers will use alternative suppliers.
C3    Loss of confidence by key institutions      E        D      C         C       C
C4    Damage to reputation                        E        D      C         C       C
Employee-related
E1    Reduction in staff morale/productivity      E        D      C         C       C
E2    Injury or death                             E        E      E         E       E

Overall Rating                                    An hour  A day  2-3 days  A week  A month
In summary, what is the most serious impact which would arise from an outage of the system? (This would normally be at least as high as the highest individual rating)
                                                  C        B      B         A       A

Overall Critical Timescale
What is the critical timescale for recovery of this system (ie the timescale beyond which an outage is unacceptable to the business)?
1 day     An outage of one day or more would cause a high impact.

Figure 15: Example Business Impact Rating form for Availability

Activity title: B3 – Assess possible business impact for a loss of availability

Objective: To determine the possible business impact that the organisation could experience as a result of an incident that compromises the availability of information in the system.

In order for participants to play a full and active part in a business impact assessment it is important that they have a good understanding of the term ‘availability’, how it can be compromised and what impact this could have on the organisation.

Accordingly the information risk analyst should ask participants to consider:

• what are the main types of information stored in or processed by the system (eg product marketing plans, secret research, sensitive financial information)?

• how could the availability of this information be compromised (eg malfunction of application software or loss of power)?

• what would be the business impact that could arise from the compromise of the availability of this information (eg customers switching to alternative suppliers)?

TIP

To help participants understand the above it is recommended that a scenario is developed based around real life examples of incidents taken from within the organisation (or a similar organisation).

In completing the steps required to assess business impact participants should use the organisation’s approved Business Impact Reference Table and follow the approach shown in Figure 12 earlier:

1. Examine the business impact type.

2. Determine the most serious impact that could possibly occur for each duration (ie an hour, a day, 2-3 days, a week, a month).

3. Reach a consensus as a group and record the level of impact (see Figure 15 opposite).

4. Repeat for the remaining business impact types.

For ratings of Very high and High an explanation of how a loss of availability could be damaging to the business should be recorded in the Explanatory comments.

When all impact types have been assessed an Overall Rating should be determined. Typically this is at least as high as the highest individual rating for a business impact type. Additionally, for availability, the Overall Critical Timescale should be recorded. Typically this is the timescale beyond which an outage would be unacceptable to the business.

C – Determining overall results

This step of the business impact assessment process is concerned with determining the overall results for the assessment. The main objectives of this step are to determine the business security requirements and security classification for the system.

The key activities to be undertaken during this step of the process are:

C1 – Transfer results to summary form

C2 – Determine business security requirements and overall security classification.

This section of the report describes these activities and explains how they should be carried out.

Activity title: C1 – Transfer results to summary form

Objective: To transfer all results obtained in the business impact assessment to the Business Impact Assessment Summary form.

Prior to commencing the transfer of results to the Business Impact Assessment Summary form, the general identification information and description of the system should be entered.

The Overall Rating on each Business Impact Rating form (for Confidentiality, Integrity and Availability) should then be transferred to the Overall Business Impact Ratings table of the Business Impact Assessment Summary form (see Figure 16 below). The Overall Critical Timescale for the system from the Business Impact Rating form for Availability should also be entered at this stage.

Key Business Impact Assessment Ratings

Overall Business Impact Ratings                                    Business Security Requirements Rating
                          Rating                                                       Rating
Loss of confidentiality   A  B  C  D  E                             Confidentiality    A  B  C  D  E
Loss of integrity         A  B  C  D  E                             Integrity          A  B  C  D  E
Loss of availability      Time    1 hr  1 d  2-3d  1 wk  1 m        Availability       A  B  C  D  E
                          Rating  A     A    A     A     A
                                  B     B    B     B     B
                                  C     C    C     C     C
                                  D     D    D     D     D
                                  E     E    E     E     E
Overall Critical Timescale:   - an hour   - a day   - 2-3 days   - a week   - a month

Business impact ratings: A – Very high, B – High, C – Medium, D – Low, E – Very low

Figure 16: Example Overall Business Impact Ratings table

NOTE

The transfer of values is a straightforward activity and does not require any specific input from the business impact assessment participants.

NOTE

The BIA Assistant automatically transfers the results from the Business Impact Rating form to the Business Impact Assessment Summary form.

Activity title: C2 – Determine business security requirements and overall security classification

Objective: To discuss and agree the Business Security Requirements Rating and the Overall Security Classification for the system.

When the Overall Business Impact Ratings and the Critical Timescale have been entered, the information risk analyst should, in conjunction with the participants, determine the Business Security Requirements Rating and the Overall Security Classification for the system.

Typically the values entered in the Business Security Requirements Rating table are taken from the Overall Business Impact Ratings table: the overall ratings for confidentiality and integrity, and for availability the highest rating recorded across the outage durations (see Figure 17 overleaf).

The Business Security Requirements Rating table shows in a clear manner the security requirement of the system in terms of the requirement for the confidentiality, integrity and availability of information. A high value means there is a high requirement to protect that property of information (because a loss of that property of information would result in a high business impact).

The Business Security Requirements Rating table provides the basis for determining the Overall Security Classification. The colour coding that is used to indicate High (red), Medium (orange) and Low (green) in the Business Security Requirements Rating table helps in the determination of the level of Overall Security Classification.

It is recommended that where at least one Business Security Requirements Rating is an A, the Overall Security Classification should be High. In all other cases the classification is a matter for discussion with the participants in the business impact assessment, although typically the highest Business Security Requirements Rating should set the minimum level of Overall Security Classification.

As part of determining the Overall Security Classification the information risk analyst should ensure that the business impact assessment participants fully understand the meaning of the different values (in terms of the requirement for security) and how this will ultimately affect the level (and cost) of security that is implemented.

Overall Security Classification:   HIGH   MEDIUM   LOW   (one level selected)

"I agree with the Key Business Impact Assessment Ratings, Overall Security Classification and chosen Next Steps."

System owner signature: JS Dawes    Date: 3 June 2004
Risk analyst signature: HA Frost    Date: 3 June 2004

Key Business Impact Assessment Ratings

Overall Business Impact Ratings (rating A-E marked per property):
  Loss of confidentiality    A  B  C  D  E
  Loss of integrity          A  B  C  D  E
  Loss of availability       A  B  C  D  E

Business Security Requirements Rating (rating A-E marked per property; an X marks the rating selected in the example, the column is not recoverable from the extracted text):
  Confidentiality            A  B  C  D  E    X
  Integrity                  A  B  C  D  E    X
  Availability               A  B  C  D  E    X

Overall Critical Timescale (rating A-E per timescale):
  Time      1 hr       1 d       2-3 d       1 wk       1 m
            (an hour)  (a day)   (2-3 days)  (a week)   (a month)
            A          A         A           A          A
            B          B         B           B          B
            C          C         C           C          C
            D          D         D           D          D
            E          E         E           E          E

Business impact ratings: A – Very high, B – High, C – Medium, D – Low, E – Very low

Figure 17: Example of Overall Security Classification and Key Business Impact Assessment Ratings sections

D – Reviewing results

This step of the business impact assessment process is concerned with determining the appropriate steps that need to be taken after the assessment. The main objectives of this phase are to:

• identify clearly the next steps to be taken after the business impact assessment

• document all post-business impact assessment actions to be undertaken.

The key activities to be undertaken during this step of the process are:

D1 – Review results of assessment

D2 – Agree next steps.

This section of the report describes these activities and explains how they should be carried out.

Activity title D1 - Review results of assessment

Objective To review the results of the assessment with the participants to ensure there is widespread agreement on the results.

Prior to concluding the business impact assessment the information risk analyst should review the contents of the Business Impact Assessment Summary form with the business impact assessment participants. This provides those attending with an opportunity to comment on the validity of the findings and whether the ratings and Overall Security Classification accurately reflect the security needs of the system being assessed.

Activity title D2 - Agree next steps

Objective To agree the next steps that should be taken after the assessment to ensure information risk is adequately managed.

As part of the review of results the information risk analyst should also examine with the participants the next steps that should be taken after the business impact assessment. The Next Steps ratings that are available for selection in the Business Impact Assessment Summary form are directly related to the Overall Security Classification (see Figure 18 overleaf).

Next Steps

Level     Appropriate action                                                                                            Tick next step
HIGH      Conduct detailed Threat and Vulnerability Assessment using Phase 2 and 3 of the Information Risk Analysis Process. Focus on the applicable security requirements identified.
MEDIUM    Conduct standard Threat and Vulnerability Assessment using Phase 2 and 3 of the Information Risk Analysis Process. Focus on the applicable security requirements identified.
LOW       Terminate the Information Risk Analysis Process. Verify that appropriate fundamental controls will be implemented.

Actions

Number    Description of action and date for completion                                                               Responsible
1         Send results with cover letter to system owner (24/06/04).                                                   HA Frost
2         Contact IT Operations manager and arrange meeting to discuss results of the assessment (by 24/06/04).        JS Dawes
3         Forward results to IT department and Internal Audit (24/06/04).                                              HA Frost
4         Commence preparations for standard Threat and Vulnerability Assessment (30/06/04).                           HA Frost
5         Log results of the assessment in the risk register (30/06/04).                                               HA Frost

Figure 18: Example of Next Steps and Actions in the Business Impact Assessment Summary form

In most cases the Next Steps rating selected would directly correspond with the Overall Security Classification. On occasions, however, the business impact assessment participants, and in particular the system owner, may wish to select a different level of rating for the Next Steps (eg Medium when the Overall Security Classification is High).

Business impact assessment participants may wish to select a different level of rating for the Next Steps when they believe either more, or less, detailed subsequent analysis of information risk is required. The information risk analyst should ensure that all participants understand the appropriate action that is associated with each level.

The Actions section of the Business Impact Assessment Summary form should be used to capture the main actions that need to be completed as a result of the business impact assessment. Each action should include a date by when it should be undertaken and indicate the individual responsible for its completion.

As a result of the level of Next Step (High, Medium or Low) that is selected there are certain direct actions that are implied (see Figure 18 opposite). In addition there may also be specific actions that the business impact assessment participants or the system owner may wish to see undertaken as a result of the assessment (eg initiate contact with the outsourcing organisation to confirm basic controls are applied to the system). Progress against all actions should be tracked by the information risk analyst and reported to the system owner.

Upon completion of the business impact assessment the actions indicated in the Next Steps and those in the Actions should be commenced. For systems that are rated High or Medium this will entail commencing preparations for the next phase of the information risk analysis process – Threat and Vulnerability Assessment.
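The following is an added worked example, not the ISF's BIA Assistant spreadsheet or any other ISF code. It carries the logic of activities C2 and D2 into a small script: taking the highest rating per property to form the Business Security Requirements Rating, applying the "at least one A means High" rule for the Overall Security Classification, looking up the Next Steps action for the agreed level (which the participants may set differently from the classification), and listing the Actions that are still open after their completion date. The data class fields, the sample ratings, the per-impact-type lists for confidentiality and integrity, and the mapping used for the non-A classification cases (B or C to Medium, D or E to Low) are all assumptions made for the example; the report itself leaves those cases to discussion with the participants.

```python
"""Added worked example (not the ISF's BIA Assistant): derive the Business
Security Requirements Rating from the Overall Business Impact Ratings, apply
the classification rule from activity C2, and record the Next Steps and
Actions from activity D2.  Field names and sample ratings are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

# Business impact ratings from least to most severe: E (very low) .. A (very high).
RATING_ORDER = "EDCBA"

# Next Steps actions as given in the Business Impact Assessment Summary form.
NEXT_STEPS = {
    "HIGH": ("Conduct detailed Threat and Vulnerability Assessment using Phase 2 "
             "and 3 of the Information Risk Analysis Process; focus on the "
             "applicable security requirements identified"),
    "MEDIUM": ("Conduct standard Threat and Vulnerability Assessment using Phase 2 "
               "and 3 of the Information Risk Analysis Process; focus on the "
               "applicable security requirements identified"),
    "LOW": ("Terminate the Information Risk Analysis Process; verify that "
            "appropriate fundamental controls will be implemented"),
}


def highest(ratings) -> str:
    """Most severe of a set of A-E ratings (A outranks B, which outranks C, ...)."""
    letters = [str(r).strip().upper() for r in ratings]
    bad = [r for r in letters if r not in RATING_ORDER]
    if bad or not letters:
        raise ValueError(f"ratings must be A-E letters, got {bad or 'nothing'}")
    return max(letters, key=RATING_ORDER.index)


@dataclass
class OverallBusinessImpactRatings:
    """Constructed input carried over from the three Business Impact Rating forms.
    Confidentiality and integrity hold one rating per impact type assessed
    (assumption); availability holds one rating per critical timescale."""
    confidentiality: List[str]
    integrity: List[str]
    availability: Dict[str, str]   # e.g. {"1 hr": "E", "1 d": "D", ...}


def business_security_requirements(obir: OverallBusinessImpactRatings) -> Dict[str, str]:
    """Business Security Requirements Rating: the highest rating per property."""
    return {
        "confidentiality": highest(obir.confidentiality),
        "integrity": highest(obir.integrity),
        "availability": highest(obir.availability.values()),
    }


def overall_security_classification(bsrr: Dict[str, str]) -> Tuple[str, bool]:
    """Returns (classification, fixed_by_rule).  The report's rule: at least one
    A rating means HIGH.  Every other case is agreed with the participants, so
    the value returned is only the minimum implied by the highest rating, using
    an ASSUMED mapping (B/C -> MEDIUM, D/E -> LOW) that the report does not state."""
    top = highest(bsrr.values())
    if top == "A":
        return "HIGH", True
    assumed_minimum = {"B": "MEDIUM", "C": "MEDIUM", "D": "LOW", "E": "LOW"}
    return assumed_minimum[top], False


def next_step(classification: str, agreed_level: Optional[str] = None) -> Tuple[str, str]:
    """Next Steps normally match the classification, but the participants may
    agree a different level (e.g. MEDIUM when the classification is HIGH)."""
    level = (agreed_level or classification).upper()
    if level not in NEXT_STEPS:
        raise ValueError(f"unknown Next Steps level {level!r}")
    return level, NEXT_STEPS[level]


@dataclass
class Action:
    """One row of the Actions section: what, by when, and who is responsible."""
    number: int
    description: str
    due: date
    responsible: str
    completed: bool = False


def overdue_actions(actions: List[Action], today: Union[date, str]) -> List[int]:
    """Numbers of the actions still open after their completion date, for the
    analyst's progress report to the system owner.  'today' may be ISO text."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    return [a.number for a in actions if not a.completed and a.due < today]


def sample_actions() -> List[Action]:
    """Constructed actions modelled on the Figure 18 example."""
    return [Action(1, "Send results with cover letter to system owner", date(2004, 6, 24), "HA Frost"),
            Action(4, "Commence preparations for standard TVA", date(2004, 6, 30), "HA Frost")]


if __name__ == "__main__":
    # Constructed sample ratings for a hypothetical system.
    obir = OverallBusinessImpactRatings(
        confidentiality=["B", "C"], integrity=["C"],
        availability={"1 hr": "E", "1 d": "D", "2-3 d": "B", "1 wk": "A", "1 m": "A"})
    bsrr = business_security_requirements(obir)
    level, fixed = overall_security_classification(bsrr)
    print(bsrr, level, "fixed by rule" if fixed else "minimum, to be agreed")
    print(next_step(level, agreed_level="Medium"))
    print(overdue_actions(sample_actions(), "2004-06-28"))   # [1]
```

The `fixed_by_rule` flag is the point worth keeping: only the A case is settled by the report's rule, so anything the script proposes for the other cases is a starting position for the discussion with the participants, not the classification itself.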

Appendix A Tools, information sheets and forms to use in a business impact assessment

Introduction

This appendix contains a list of the tools, information sheets, forms and other useful documents that have been developed to support performing a business impact assessment.

The following tools have been developed for use with this report:

• BIA Presentation (a Microsoft PowerPoint presentation that the information risk analyst can use to help facilitate a business impact assessment)

• BIA Assistant (a Microsoft Excel spreadsheet that automates the data capture and reporting of results in a business impact assessment process).

NOTE

The above software tools can be found on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX2) System (the ISF’s Members-only web site).

The following information sheets have been developed for use with this report:

• Why we need to protect our information (a single page explanation of the importance of information that should be sent to participants prior to a business impact assessment)

• Determining the business requirement for information security (a single page explanation of what takes place in a business impact assessment that should be sent to participants prior to a business impact assessment)

• Threats to information (a description of some of the main threats to information – to be used as a reference for participants during a business impact assessment)

• The business impact of incidents (an explanation and description of some of the business impacts that can occur from the compromise of information – to be used as a reference for participants during a business impact assessment).

NOTE

Copies of the above information sheets can be found in the pocket at the end of the printed version of this report. They are also provided on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX2) System (the ISF’s Members-only web site).

The following forms and other useful documents have been developed for use with this report:

Preparatory documents

• Example invitation letter (a letter that can be used to invite staff to take part in a business impact assessment)

• System Profile form (a form used to capture business and technical details about a system prior to a business impact assessment)

Business Impact Reference Table

• Example Business Impact Reference Table (a Business Impact Reference Table developed as a basis for enhancement by Member organisations)

Business Impact forms

• Business Impact Rating form – Confidentiality (a form used to capture the possible business impact that could occur in the event of the loss of confidentiality of information)

• Business Impact Rating form – Integrity (a form used to capture the possible business impact that could occur in the event of the loss of integrity of information)

• Business Impact Rating form – Availability (a form used to capture the possible business impact that could occur in the event of the loss of availability of information)

• Business Impact Assessment Summary form (a form used to capture the overall results from the business impact assessment).

NOTE

Copies of the above forms can be found in the pocket at the end of the printed version of this report. They are also provided on the IRAM Phase II CD and in the IRAM project area on the Member Exchange (MX2) System (the ISF’s Members-only web site).

Appendix B Further sources of information

Contents of this appendix

This appendix contains details of further sources of information about information risk management that the ISF has produced.

Work group material

Minutes, briefing packs and additional background material relating to this report can be found in the IRAM project area on the ISF’s Member Exchange (MX2) System.

ISF reports

Gaining management support for information risk analysis (2004)

Information Security Status Survey 2003: Consolidated Reports (2004)

Understanding and using the ISF’s information risk management tools (2003)

Requirements for improving information risk analysis (2003)

The Standard of Good Practice for Information Security (2003)

Fundamental Information Risk Management (FIRM): Implementation Guide (2000)

Fundamental Information Risk Management (FIRM): Supporting Material (2000)

SPRINT: User Guide (1997)

SPRINT: Directory of Controls (1997)

SARA – Simple to apply risk analysis for information systems (1993)

Implementation Guide: How to build Security into your information systems (1993)

Business Risk Analysis: How to establish a satisfactory IT risk analysis process (1990)

Acknowledgements

The Information Security Forum acknowledges the positive contribution to this project by the following individuals:

Work Group Jesper Hauge Nissen A P Møller Kenneth Silsbee Boeing Marguerite Talary Abbey National Curtis Ames Boeing Joop A Zomer ABN-AMRO Bank Kit Bender Boeing Johan Opperman ABSA Bank Martin Taylor British Airways George de Beer ABSA Bank Jill Trebilcock British Broadcasting Corporation Dieter Teichert ABSA Bank Angus Pinkerton British Energy Thon de Blok Akzo Nobel AUD Matthew Smith BSkyB Prakash Rao Alcon Laboratories Andy Waddell BSkyB Michael Bownes Allen & Overy Sanjay Patel BSkyB John Pendleton Alliance & Leicester Thomas Haeberlen Bundesamt für Sicherheit in der George Hazell Alliance & Leicester Informationstechnik Sagaran Naidoo Anglo American Martina Rohde Bundesamt für Sicherheit in der Len Hendry Anglo American Informationstechnik Franzo Cirinna Anglo American David Grant Cadbury Schweppes Andre Botha Anglo American Paul Sherry Cadbury Schweppes Paul Raubenheimer Anglo American Hong Kong Tey Caltex International Pte Henry Chai ANZ Alan Speed Centrica Anita Lussetti ANZ David Austin Centrica Petra Claessens ANZ Harvey Roth ChevronTexaco Wendy Kachelhoffer arivia.kom Brian Peterson ChevronTexaco Andre Noack arivia.kom Satya Vithala Citigroup Oscar Stark arivia.kom Gerald Mucklow Clariant International Geoff Dale AstraZeneca Martin Hawkins Clifford Chance George Waterman AstraZeneca Pharmaceuticals Ronald Chung CMG Information Technology Pte Tom Bakker AVIVA Boris Hemkemeier Commerzbank Foong Hoe Tan-Ho AVIVA Kai Buchholz- Commerzbank Dominique Remy AXA Stepputtis Trevor Cardwell AXA Howard Eakin ConocoPhillips Sandy Monnappa AXA Peter van Boxtel Corus Group Simon Krug AXA Stephen Fitzpatrick Credit Suisse First Boston Paul Johnson AXA Rolston Wiltshire Credit Suisse First Boston Kirsty Still B&Q Michael Papais DaimlerChrysler Richard Nealon Bank of Ireland Group Hans Henrik Danske Bank Michael Hanna Bank of Ireland Group Nielsen Jennifer Kane Bank of Ireland Group Kjell Hermansson Danske Bank Kevin Harrington Bank of Tokyo-Mitsubishi Tiaan van Deloitte 
& Touche Victor J. Talamo Bank One Corporation Schalkwyk Angus Burden Barclays Bank Paul Carroll Department of Social, Community Lee Li Hoon BASF South East Asia Pte & Family Affairs Jennifer Khow BASF South East Asia Pte Ted Humphreys Department of Trade & Industry Wilfried Kehr Bayer Ola Sannes Det Norske Veritas Donald Michniuk Bechtel Corporation Simon Royal Dresdner Kleinwort Wasserstein Terrence Spencer BHP Billiton Tina Wade Dresdner Kleinwort Wasserstein Miroslav Kis BMO Financial Group Paul De Graaff DTCC Vivek Khindria BMO Financial Group Michael Robinette DTCC Herbert Canfield Boeing Pat Everitt EDF Energy Jody Wahlgren Boeing Thomas Cummings EDS Information Security Solutions


Ian Baulch-Jones Electrolux IT Solutions Jim Murphy Lucent Technologies Wendy Sale Electronic Data Systems Amanda Finch Marks & Spencer Dolly Kapadia Electronic Data Systems Bengt Arild National Insurance Paul de Luca Electronic Data Systems Unnerud Administration Michael Harrison Electronic Data Sytems Steve Pomfret Nationwide Building Society Erol Mustafa Ernst & Young Anne-Lize de Beer New Africa Capital Michel Soupart Euroclear Colin Campbell New Africa Capital Guenther Kerker F Hoffmann La Roche Leonard Ong Nokia Steve Smit First Rand Bank Jukka P Savolainen Nokia James Cleland First Rand Bank Svein Nygard Norges Bank Gerhard Cronje First Rand Bank Tom Remberg Norsk Hydro Phil Cogger Ford Motor Company Anthony Mullany Norwich Union Christof Müllender Ford of Europe David Ward Norwich Union Loek Sleper Fortis Phillip Gregory Norwich Union Lori Blair Fortis Manfred Schreck Novartis International Stephen Gill Fujitsu Services Harmen Frobeen Novartis International Iain Andrews Fujitsu Services Steen Ledet Nykredit Steve Greenham GlaxoSmithKline Niels Rasmussen Nykredit Andrew Bebbington Goldman Sachs & Co Joy Buckingham O2 (UK) Katie C Jenkins Guardent David Clarke O2 (UK) Randy Kaeder Guardent Dave Cooper Orange Paul Charles HarrierZeuros Louis Sherman Orange Tom Stapleton HarrierZeuros Donna Staniforth Orange Robert J Symmons Hawker de Havilland Vagn E Nielsen Post Danmark Paul Dann HBOS Group Philip Godwin PowerGen UK Tanya Preston HBOS Group Neil Wainman PowerGen UK Alan Savage HBOS Group Roar Gulbrandsen PricewaterhouseCoopers Lynn Yang Pheng HSBC Singapore Ciaran Kelly PricewaterhouseCoopers Kuek Sally Boyce Prudential Peter Berlich IBM Switzerland Pat Reed Prudential David Spinks Information Security EMEA Tarik Tahesh Prudential Susan Swope Information Security Forum Stephen Donnelly Prudential Marc Callaway InfoSecure Jean-Christophe Rabobank International Geoffrey Tumber InfoSecure Gaillard Melle Beverwijk InfoSecure Adrie Janssen Rabobank Nederland Frans 
Gahrmann ING Bank Netherlands Steenberg Nathan Thompson Innogy Yun Patricia Siow Reuters Simon Marvell Insight Consulting Lup Kuen Wong Reuters Pearly Cheng JP Morgan Chase Lip-Ping Chew Reuters Johan Kempenaers KBC Bank and Insurance George Wang Reuters Holding Company Christopher Somers Reuters Ann Hill Kimberly-Clark Corporation Andrew MacGovern Reuters Chris Hoffman Kimberly-Clark Corporation Jonathan Keefe Reuters Mark Firgens Kimberly-Clark Corporation Ian Curry Reuters Gavin Rayner Kimberly-Clark Corporation Brendon Harris Reuters Jerold R Kobiske Kimberly-Clark Corporation Michael Payne Rolls Royce Erwin Bosma KLM Royal Dutch Airlines Carl Taylor Rolls Royce Sipho Ndaba KPMG Jonathan Randall Rolls Royce Jaap Halfweeg KPN Mindy Ziskin Royal Bank of Canada June Gamber Legal and General Gary Marsh Royal Bank of Scotland Group David Lanigan Lloyds TSB Jean-Serge Laurent S.W.I.F.T. Niek Ijzinga LogicaCMG Pierre Coenen S.W.I.F.T. Frans Kersten LogicaCMG Davor Vlahovic Sanlam George McBride Lucent Technologies Johan Marnewick Sanlam William Lim Lucent Technologies Karin Höne Sanlam Stephen Fried Lucent Technologies Bee Ngah Tan SATS Barry Pulliam Lucent Technologies Geetha Kanagasingam SATS


Silva Kandiah SATS Dan Landess State Farm Mutual Automobile Lars Eriksson SCA Insurance Company Bodil Wiklund Scania Dan Sokulski State Farm Mutual Automobile Kevin Kennedy Schlumberger Insurance Company Klaus Pape Siemens Anza Botha State Information Technology Conrad Tan Singapore Airlines Agency Ching Ching Lim Singapore Airlines Kjell Andersson Stora Enso Patrick Bong Singapore Airlines Christian Thunberg Stora Enso Siew Leng Leck Singapore Airlines Jan Skogqvist Svenska Handelsbanken Seow Hong Tay Singapore Airlines Jeremy Ward Symantec Security Services Paul Nagel SKF Michael Volkert Syngenta International Martina Ramhitshana South African Revenue Service Arne Normann Telenor Tony Apsey South African Revenue Service Tommy Brundin Tetra Pak Gerhard Kruger South African Revenue Service Michael Robinette The Depository Trust & Clearing Hettie Booysen South African Revenue Service Corporation Pedro C Pretorius Spoornet Paul de Graaff The Depository Trust & Clearing Joe Norman ST Microelectronics Corporation Jean-Pierre ST Microelectronics Laserian M Kelly The Emirates Group Margaillan Ventatakrishnan The Emirates Group Gilbert Agopome ST Microelectronics Vatsaraman Richard Aylard Standard Bank London Ruedi Siegenthaler UBS Nomazulu Taukobong Standard Bank of South Africa Paul Wood UBS Claudia Jollivet Standard Bank of South Africa Ged Edgcumbe UBS Jacqui Bothwell Standard Bank of South Africa Marco Van Putten Unilever Riana Crafford Standard Bank of South Africa Ed Schrijvers Unilever Emily Manganyi Standard Bank of South Africa Alan M Jones Unisys Pavana Ranjith Standard Bank of South Africa David Pinchbeck Unisys John Murdoch Standard Bank of South Africa Kamaljit Singh Unisys Edwin Aldridge Standard Chartered Bank Bent Poulsen Værdipapircentralen Carsten Paasch Standard Chartered Bank Chris Weegar Verizon Adam Spencer Standard Chartered Bank Viki Baxter Verizon Joe Rohde State Farm Mutual Automobile Mark Steger Zurich Financial Services Insurance Company 
Giancarlo Zurich Financial Services Dan Hlavac State Farm Mutual Automobile Bombardieri Insurance Company Joachim Droese Zurich Financial Services Alan Pacocha State Farm Mutual Automobile Insurance Company

Project team

Jason Creasey, Information Security Forum
Nick Frost, Information Security Forum
Andrew Wilson, Information Security Forum

Review and quality assurance

Alan Stanley, Information Security Forum

Production

Louise Liu, Information Security Forum
Charl Porter, Information Security Forum


Reference: 2004/06/09 Copyright © 2004 Information Security Forum Limited. All rights reserved.

The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security solutions that meet the business needs of its Members.

Members of the ISF benefit from sharing information security solutions drawn from the considerable experience within their organisations and developed through an extensive work programme. Members recognise that information security is a key business issue and the ISF provides a mechanism which can ensure that the practices they adopt are on the leading edge of information security developments, while avoiding the significant expenditure that individual development of solutions would incur.

For further information contact:

Information Security Forum
Southwark Towers
Level 17
32 London Bridge Street
London SE1 9SY
United Kingdom

Telephone: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
E-mail: [email protected]
Web: www.securityforum.org