
Summary of activities during the period 2017-2018

In document Izaña Atmospheric Research Center (pages 105-108)


In conducting a business impact assessment the following steps should be undertaken:

These four steps are explained below.

NOTE

A presentation (entitled BIA Presentation) has been developed to accompany this report. This presentation, which can be customised by the information risk analyst, is designed to lead participants through each stage of a business impact assessment. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this presentation can be found.

The main objective of this step is to ensure participants are adequately prepared to take part in the assessment.

The key activities to be undertaken during this step of the process are:

A1 – Set the scene for the assessment

A2 – Provide overview of the system

A3 – Familiarise participants with the tools and forms.

This section of the report describes these activities and explains how they should be carried out.

Activity title: A1 – Set the scene for the assessment

Objective: To explain the purpose of the business impact assessment and provide the business context for undertaking business impact assessment.

At the commencement of the business impact assessment, participants should be provided with a brief overview of the agenda, an explanation of the purpose of the business impact assessment and an insight into the business reasons for conducting the business impact assessment.

The following items should be covered in the introduction:

welcome and round table introductions

agenda and timings

purpose of the business impact assessment

what is business impact assessment?

why carry out a business impact assessment?

NOTE

Slides covering the above items are contained in the BIA Presentation.

Explaining the nature and use of information

In many cases, staff attending a workshop or being interviewed as part of a business impact assessment will not have a technical background and will therefore have a limited understanding of the nature and use of information and how it can be compromised.

Furthermore, the concept of information having different properties – confidentiality, integrity and availability – will also be unfamiliar to most participants.

To ensure those taking part in a business impact assessment are able to make a full and worthwhile contribution, it is important that the information risk analyst provides a thorough explanation of information, covering the:

definition of information (eg facts that convey meaning)

main types of information that are used in the workplace (eg data, paper, speech, phone-calls)

main ways in which information is acted on in a system (eg stored, processed or transferred)

key properties of information (ie confidentiality, integrity, availability)

threats to information and the controls that are required to ensure it is adequately protected.

TIP

To introduce and explain the concept of the different properties of information it is recommended to use the examples of compromises of confidentiality, integrity and availability that are contained in the information sheet Why we need to protect our information (located in the pocket at the end of the printed version of this report). Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic version.

In addition to the agenda and the attendance list it is recommended that all participants are provided with a pack of reference material.

This pack should include the items identified in Table 3 below.

Table 3: Contents of a business impact assessment reference pack

| Item name | Brief description |
|---|---|
| BIA Presentation | The slides from the presentation used by the information risk analyst to guide participants through the business impact assessment. |
| Business Impact Reference Table | The organisation’s approved Business Impact Reference Table. |
| Business Impact Rating forms (for confidentiality, integrity and availability) | Blank Business Impact Rating forms that can be used by participants to record their own ratings and comments. |
| Business Impact Assessment Summary form | Blank Business Impact Assessment Summary form that can be used by participants to record their own ratings and comments. |
| System Profile form | A brief profile of the key business and technical characteristics of the system. |
| Information sheets: Why we need to protect our information; Determining the business requirement for information security | Information sheets sent to participants prior to a business impact assessment – included for reference purposes. |
| Information sheets: Threats to information; The business impact of incidents | Information sheets provided to participants during a business impact assessment – included for reference purposes. |

NOTE

Printed versions of the Business Impact Reference Table, Business Impact Rating forms, Business Impact Assessment Summary form, System Profile form and information sheets can be found in the pocket at the end of the report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on the electronic versions.

The information risk analyst should explain the contents of the pack and how it should be used during the business impact assessment.

Activity title: A2 – Provide overview of the system

Objective: To brief business impact assessment participants on the key characteristics of the system.

After the introduction to the business impact assessment, participants should be briefed on the key characteristics of the system being assessed. Typically taken from the System Profile form, this information should be used to ensure all business impact assessment participants have a common understanding of the:

function of the system (eg product sales)

scale of the system (eg high-volume of low to medium-value transactions)

importance to the organisation (eg very important system, accounts for 25% of revenue)

technical make-up of the system (eg internet-based).

TIP

It is important to ensure all participants are well informed and have a common understanding of the system if sound judgements about business impact are to be made during the business impact assessment.

Activity title: A3 – Familiarise participants with the tools and forms

Objective: To ensure participants understand the tools and forms that will be used in the business impact assessment.

Before commencing the assessment of business impact it is important that participants understand the main tools and forms that will be used in the business impact assessment.

This activity is concerned with familiarising participants with the:

Business Impact Reference Table

Business Impact Rating forms

Business Impact Assessment Summary form

BIA Assistant.

The information risk analyst facilitating the business impact assessment should show and explain the contents and use of each of the above tools and forms. Particular emphasis should be placed on the Business Impact Reference Table that is approved for use within the organisation.

NOTE

The BIA Presentation contains slides that explain the business impact assessment process and the tools and forms that should be used.

At this stage it is recommended to explain the process for transferring results between the Business Impact Reference Table and the Business Impact Rating forms, and how the summary information from the Business Impact Rating forms is transferred to the Business Impact Assessment Summary form.

NOTE

A spreadsheet-based tool (entitled BIA Assistant) for capturing the results of a business impact assessment has been developed to accompany this report. Please refer to Appendix A: Tools, information sheets and forms to use in a business impact assessment for further information on where this tool can be found.

This step of the business impact assessment process is concerned with assessing business impact for a loss of confidentiality, integrity and availability. The main objective of this step is to ensure participants assess business impact in an objective and considered manner.

The key activities to be undertaken during this step of the process are:

B1 – Assess possible business impact for a loss of confidentiality

B2 – Assess possible business impact for a loss of integrity

B3 – Assess possible business impact for a loss of availability.

This section of the report describes these activities and explains how they should be carried out.

When assessing business impact using the Business Impact Reference Table, business impact assessment participants should be requested to follow the steps shown in Figure 12 below.

[Figure 12 shows a table with the column headings Ref., Business impact type, Property of information and Level of impact, and the rows: F1 Loss of sales, orders or contracts; F2 Loss of tangible assets (eg fraud, theft of money, lost interest); F3 Penalties/legal liabilities; F4 Unforeseen costs (eg recovery costs); F5 Depressed share price (eg sudden loss of share value).]

Figure 12: Assess possible business impact

NOTE

1. Examine the business impact type

2. Determine the most serious impact that could possibly occur

3. Reach a consensus as a group and record the level of impact

4. Repeat for the remaining business impact types
