2 cissp ® Official Study Guide Eighth Edition

Chapter 3 ■ Business Continuity Planning Impact Assessment

Download 19,3 Mb.

Pdf ko'rish

bet	115/881
Sana	08.04.2023
Hajmi	19,3 Mb.
	#925879

1 ... 111 112 113 114 115 116 117 118 ... 881

Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

110
Chapter 3
■
Business Continuity Planning
Impact Assessment
As you may have surmised based on its name, the impact assessment is one of the most criti-
cal portions of the business impact assessment. In this phase, you analyze the data gathered
during risk identifi cation and likelihood assessment and attempt to determine what impact
each one of the identifi ed risks would have on the business if it were to occur.
From a quantitative point of view, we will cover three specifi c metrics: the exposure fac-
tor, the single loss expectancy, and the annualized loss expectancy. Each one of these values
is computed for each specifi c risk/asset combination evaluated during the previous phases.
The
exposure factor
(EF) is the amount of damage that the risk poses to the asset,
expressed as a percentage of the asset’s value. For example, if the BCP team consults with
fi re experts and determines that a building fi re would cause 70 percent of the building to be
destroyed, the exposure factor of the building to fi re is 70 percent.
The
single loss expectancy
(SLE) is the monetary loss that is expected each time the risk
materializes. You can compute the SLE using the following formula:
SLE AV EF
=
×
Continuing with the preceding example, if the building is worth $500,000, the single
loss expectancy would be 70 percent of $500,000, or $350,000. You can interpret this fi g-
ure to mean that a single fi re in the building would be expected to cause $350,000 worth of
damage.
The
annualized loss expectancy
(ALE) is the monetary loss that the business expects to
occur as a result of the risk harming the asset over the course of a year. You already have
all the data necessary to perform this calculation. The SLE is the amount of damage you
expect each time a disaster strikes, and the ARO (from the likelihood analysis) is the num-
ber of times you expect a disaster to occur each year. You compute the ALE by simply mul-
tiplying those two numbers:
ALE SLE ARO
=
×
Returning once again to our building example, if fi re experts predict that a fi re will
occur in the building once every 30 years, the ARO is ~1/30, or 0.03. The ALE is then
3 percent of the $350,000 SLE, or $10,500. You can interpret this fi gure to mean that the
business should expect to lose $10,500 each year due to a fi re in the building.
Obviously, a fi re will not occur each year—this fi gure represents the average cost over
the 30 years between fi res. It’s not especially useful for budgeting considerations but proves
invaluable when attempting to prioritize the assignment of BCP resources to a given risk.
These concepts were also covered in Chapter 2, “Personnel Security and Risk Management
Concepts.”
Be certain you’re familiar with the quantitative formulas contained in this
chapter and the concepts of asset value, exposure factor, annualized rate of
occurrence, single loss expectancy, and annualized loss expectancy. Know
the formulas and be able to work through a scenario.

Continuity Planning
111
From a qualitative point of view, you must consider the nonmonetary impact that interrup-
tions might have on your business. For example, you might want to consider the following:
■
Loss of goodwill among your client base
■
Loss of employees to other jobs after prolonged downtime
■
Social/ethical responsibilities to the community
■
Negative publicity
It’s difficult to put dollar values on items like these in order to include them in the quan-
titative portion of the impact assessment, but they are equally important. After all, if you
decimate your client base, you won’t have a business to return to when you’re ready to
resume operations!

Download 19,3 Mb.

Do'stlaringiz bilan baham:

1 ... 111 112 113 114 115 116 117 118 ... 881