
What is it?

A systematic process by which an organization gathers information about its essential business functions and processes and evaluates the potential impact to the organization if those functions and processes were interrupted or otherwise adversely affected. Also referred to as a business impact analysis.

Why is it important?

This term is important because it helps organizations prioritize the allocation of time and resources to prevent, manage, and recover from incidents that affect critical business operations and assets. A business impact assessment also provides information to help create an incident response plan and a business continuity plan.

Why does a business professional need to know this?

Conducting a business impact assessment (BIA) can help you see how security and risk management relate to the critical functions and overall mission of your organization. Security must support those functions and that mission.

Implementing security controls and managing cybersecurity risks costs time, money, and resources. A business impact assessment helps business professionals balance priorities and apply resources where they can have the greatest effect.

A business impact assessment is critical to both the risk management program and the business continuity plan. Together these enable an organization to assess and manage risks to critical assets and functions, and to recover and continue business operations when those assets and functions are negatively affected.

Essential questions that must be answered as part of the BIA include the following:

  • What information systems and functions are critical to the mission of the organization?
  • What do those systems and functions depend on?
  • If those systems and functions are impaired or interrupted, how quickly must they resume before the organization incurs a significant loss or unacceptable business impact?
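The three questions above can be answered with a simple inventory: each function lists what it depends on and how quickly it must resume. The following is an added example, not part of the original post, showing one way to turn such an inventory into a recovery priority list. It assumes a constructed inventory with an `rto_hours` field (recovery time objective) and a `depends_on` list; the point it demonstrates is that a dependency inherits the tightest recovery requirement of anything built on top of it, so a "low priority" storage system may in fact need to be back within hours.

```python
"""Dependency-aware recovery prioritisation for a business impact assessment.

Added example, not from the original post. The inventory is constructed for
illustration and the field names (rto_hours, depends_on) are assumptions.
"""

# Constructed sample inventory: each function or system has its own maximum
# tolerable downtime (RTO, in hours) and the systems it depends on.
INVENTORY = {
    "customer-portal": {"rto_hours": 4,   "depends_on": ["auth-service", "orders-db"]},
    "auth-service":    {"rto_hours": 24,  "depends_on": ["directory"]},
    "orders-db":       {"rto_hours": 8,   "depends_on": ["storage-array"]},
    "directory":       {"rto_hours": 48,  "depends_on": []},
    "storage-array":   {"rto_hours": 72,  "depends_on": []},
    "reporting":       {"rto_hours": 48,  "depends_on": ["warehouse-db"]},
    "warehouse-db":    {"rto_hours": 72,  "depends_on": ["backup-library"]},
    "backup-library":  {"rto_hours": 168, "depends_on": []},
    "wiki":            {"rto_hours": 120, "depends_on": ["auth-service"]},
}


def _check_acyclic(inventory):
    """Reject circular dependencies (depth-first search with three colours)."""
    WHITE, GREY, BLACK = 0, 1, 2
    state = {name: WHITE for name in inventory}

    def visit(name):
        state[name] = GREY
        for dep in inventory[name]["depends_on"]:
            if state.get(dep) == GREY:
                raise ValueError(f"circular dependency involving {name} and {dep}")
            if state.get(dep) == WHITE:
                visit(dep)
        state[name] = BLACK

    for name in inventory:
        if state[name] == WHITE:
            visit(name)


def effective_rto(inventory):
    """Return {system: effective RTO in hours}.

    A system is not recovered until everything it depends on is back, so each
    dependency inherits the tightest RTO of any system above it. The values are
    propagated along dependency edges until nothing changes; this terminates
    because values only ever decrease and the graph is acyclic.
    """
    _check_acyclic(inventory)
    eff = {name: info["rto_hours"] for name, info in inventory.items()}
    changed = True
    while changed:
        changed = False
        for name, info in inventory.items():
            for dep in info["depends_on"]:
                if dep not in eff:
                    raise KeyError(f"{name} depends on unknown system {dep!r}")
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def recovery_priorities(inventory):
    """Rows of (system, stated RTO, effective RTO), most urgent first."""
    eff = effective_rto(inventory)
    rows = [(name, inventory[name]["rto_hours"], eff[name]) for name in inventory]
    rows.sort(key=lambda row: (row[2], row[0]))
    return rows


if __name__ == "__main__":
    print(f"{'system':16} {'stated':>7} {'effective':>10}")
    for name, stated, effective in recovery_priorities(INVENTORY):
        flag = "  <- tightened by a dependent" if effective < stated else ""
        print(f"{name:16} {stated:>6}h {effective:>9}h{flag}")
```

In the constructed data the storage array has a stated RTO of 72 hours, but because the 4-hour customer portal depends on it through the orders database, its effective RTO is 4 hours. That is the kind of hidden dependency a BIA is meant to surface before an incident rather than during one.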

Business professionals must work with cybersecurity professionals to help identify security risks to the organization’s business operations and information systems. A business impact assessment can help prioritize efforts to mitigate the potential impact of those risks to the organization.

About William McBorrough


William J. McBorrough is the co-founder of and CEO at MCGlobalTech, a Washington DC-based information security management consulting firm. For more than 19 years, Mr. McBorrough has demonstrated success as an administrator, engineer, architect, consultant, manager, and practice leader, developing cost-effective solutions to support the strategic and operational goals of client organizations in the areas of enterprise information security risk management, IT governance, security organization development and management, and government information assurance and compliance.

Term: Business Impact Assessment

Email: wjm4@mcglobaltech.com

Website: mcglobaltech.com

Twitter: @infosec3t

LinkedIn: linkedin.com/in/mcborrough

Facebook: facebook.com/MCGlobalTech

What is it?

A process for defining, identifying, classifying, and prioritizing potential weaknesses in an organization’s computer, network, and communications infrastructure, also known as vulnerability analysis or security assessment.

Why is it important?

When conducted correctly, results from a vulnerability assessment can be used to define or update an organization’s internal and external network as well as its information security policies.

Why does a business professional need to know this?

Vulnerability assessments provide cybersecurity specialists, and the organizations they serve, with a reasonable level of assurance that their information is safeguarded against known threats such as viruses, adware, spyware, trojans, worms, backdoors, bots, and Potentially Unwanted Programs (PUP) (ITBusinessEdge 2014).

Vulnerability assessments help cybersecurity specialists determine where to allocate finite resources to minimize the potential for security breaches. They also help organizations determine what course of action to follow if -- and when -- threats are discovered. Business professionals must understand the elements of a vulnerability assessment and support their cybersecurity specialists in creating one and keeping it up to date.

For organizations that are mandated to follow specialized security standards (e.g., HIPAA (HIPAA), PCI DSS (PCI-DSS), or GDPR (General Data Protection Regulation)), vulnerability assessments can help identify areas of weakness that need hardening.

Vulnerability assessments may include the following:

  • Cybersecurity audits: audits to evaluate and demonstrate compliance with government-imposed regulations. Cybersecurity audits have both a tactical and strategic component -- tactically, they help organizations comply with security standards, and strategically, they help organizations monitor their internal security efforts.
  • Penetration tests: authorized testing of a computer system or network with the intention of finding vulnerabilities. Penetration tests are typically intended to counter specific threats, such as attempts to steal customer data, gain administrative privileges, or modify salary information.
  • White/grey/black-box assessments: three different approaches to vulnerability assessments. The color refers to how much internal information is given to the tester: white box gives the tester access to all internal information, black box gives the tester zero internal information, and grey box gives the tester a limited amount of information, for example the internal data structures.

References

  • (ITBusinessEdge 2014) 10-Step Security and Vulnerability Assessment Plan: ITBusinessEdge (2014). Slide deck. Suggests security and vulnerability assessments be performed against all information systems on a pre-determined, regularly scheduled basis. Recommends third parties be retained periodically to ensure appropriate levels of coverage and oversight. (source: Info-Tech Research Group).
  • (HIPAA) HIPAA Overview: US Department of Health and Human Services (2015). Answers general questions regarding the Standards for Privacy of Individually Identifiable Health Information and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
  • (PCI-DSS) PCI DSS (Payment Card Industry Data Security Standard) Compliance Overview: TechTarget (2017). Overview of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders’ personal information.
  • (General Data Protection Regulation) GDPR (EU General Data Protection Regulation): Frequently asked questions regarding GDPR.

About Jeff Schaffzin


Jeff Schaffzin is a corporate, product, strategy, marketing, and business development expert with over 20 years of experience in high tech, covering industries such as security (network, cyber, physical), enterprise software, business intelligence and analytics, big data, the internet of things (IoT), cloud technologies (software as a service (SaaS) and platform as a service (PaaS)), mobile, marketing technology, and financial technology.

Jeff is currently the managing director and principal with the Genysys Group (Silicon Valley) and also heads product marketing and management for a visionary cybersecurity/IoT company in the San Francisco Bay Area.

Term: Vulnerability Assessment

Email: jschaffzin@genysysgroup.com

Twitter: @JeffSchaffzin

LinkedIn: linkedin.com/in/jeffschaffzin

What is it?

Controls to ensure that software applications are developed and operated in accordance with an organization’s requirements and risk tolerance levels (NIST 2017).

Why is it important?

Application risk governance provides a framework to ensure an appropriate balance between security and operations.
...continue reading "Term of the Week: Application Risk Governance"

What is it?

A combination of three approaches that organizations use to demonstrate compliance with international standards, global rules, laws, and state regulations. Referred to as IT GRC when a company uses information technology (IT) to apply GRC.

Why is it important?

Governance, risk management, compliance (GRC) is often implemented by companies that are growing globally to maintain consistent policies, processes, and procedures across all parts of the organization. It is important for business professionals to understand and follow the internal information security rules, company risk factors, and industry requirements that drive the implementation of GRC in order to ensure that the company as a whole remains compliant.
...continue reading "Term of the Week: Governance, Risk Management, Compliance (GRC)"

What is it?

The act or process of making a network, data repository, sensor, computer system, software, or other equipment resistant to unauthorized access or damage.

Why is it important?

Unauthorized access is one of the primary catalysts for operational, financial, strategic, legal, and other damage to an organization. These breaches also increase the risk of harm to third parties, including customers, patients, and other stakeholders. Hardening hardware, software, and data systems is a key risk mitigation strategy.
...continue reading "Term of the Week: Hardening"

The Language of Cybersecurity has received a 2018 STC Touchstone award for excellence from the Northern California Chapters of the Society for Technical Communication.

The citation for this honor highlights the usefulness of the references, the crispness of the writing, and the consistency of its format.

Congratulations to editor Tonie Flores and the 60+ industry experts who contributed to this book.


What is it?

The practice of isolating malware, or software that is suspected to contain malware, within a contained or quarantined environment to observe and study its communications, infection vectors, and other behavioral heuristics.

Why is it important?

Sandboxing allows security researchers to investigate malware execution, heuristics, and communications within an isolated environment and aids in the development of indicators of compromise (IOC) and anti-malware signatures.

...continue reading "Term of the Week: Sandboxing"

What is it?

The process of encoding a message or information in such a way that only authorized parties can read it.

Why is it important?

Encryption is important to our personal, business, community, and national security. Criminals, competitors, or hostile governments may seek to exploit weak or non-existent encryption to hack systems or steal data. Strong, well-managed encryption renders content unreadable to anyone who does not have authorized access.

...continue reading "Term of the Week: Encryption"

What is it?

A network security system built into hardware or software that monitors network traffic and controls incoming and outgoing traffic based on a set of rules.

Why is it important?

Firewalls enable system administrators to monitor and control network traffic coming into and out of their systems. Firewalls provide a first line of defense against network-based cybersecurity attacks. They are also used to censor information by blocking traffic to and from certain sites.

...continue reading "Term of the Week: Firewall"

What is it?

The range of actions an authenticated user or device is allowed to take in a system.

Why is it important?

A good society works like this: we expect promises to be kept, contracts to be honored, and a lost wallet to be returned. However, when applied to your IT infrastructure, such a mindset leaves your system wide open to an insider or an unhappy former employee. Privilege management gives you detailed control over the permissions given to each user and device.

Why does a business professional need to know this?

Giving your house key to a neighbor so they can water your plants does not mean you want to allow them to look through your closets or bedroom drawers. However, most of us do not have the technical means to restrict access in this way; we either give access to the entire house, or we don’t give access at all. Giving your key to a neighbor relies on implicit trust. You trust that your neighbor will not try on your underwear or eat all your cookies.

To put it mildly, this is not an ideal trust model for your IT infrastructure; you need a model that relies on least privilege, which gives each user only the privileges needed to perform their job duties and nothing more.

In many organizations, the highest possible access rights are given to system administrators. Companies that blindly trust system administrators open themselves to unnecessary risk. It is safer to have fine-grained control over privileges and give each administrator only the privileges needed to carry out their assigned tasks. For example, an administrator responsible for the payroll database probably doesn’t need access to the customer database.

To do this, you need to implement an access-level classification scheme and have procedures that support your daily operations. This approach eliminates the need to give users higher levels of access than they need. This would be the equivalent of putting a password on your underwear drawer, making it inaccessible to your neighbor who has only the front door key.
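An access-level classification scheme of the kind described above can be expressed as a role table that is default-deny: every (resource, action) pair a role may perform is listed, and anything not listed is refused. The following is an added example, not code from the original post. It assumes constructed roles, users and a constructed export of the grants each account actually holds today, and it does two things: answers "may this user do this?" from the role model only, and audits the real grants against the model so that excess privileges (the payroll administrator who also holds a customer-database grant) are reported rather than silently trusted.

```python
"""Least-privilege authorisation and excess-privilege audit.

Added example, not from the original post. Roles, users and the grant
export below are constructed; their format is an assumption.
"""

# Constructed access-level classification: each role is allowed a fixed set
# of (resource, action) pairs. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write"),
                      ("payroll-db", "backup")},
    "crm-admin":     {("customer-db", "read"), ("customer-db", "write")},
    "helpdesk":      {("customer-db", "read"), ("tickets", "read"),
                      ("tickets", "write")},
}

# Constructed role assignments.
USER_ROLES = {
    "alice": {"payroll-admin"},
    "bob":   {"crm-admin"},
    "carol": {"helpdesk"},
}

# Constructed export of what each account can actually do today, as an
# entitlement review might dump it from the systems themselves.
ACTUAL_GRANTS = {
    "alice": {("payroll-db", "read"), ("payroll-db", "write"),
              ("payroll-db", "backup"), ("customer-db", "read")},   # excess
    "bob":   {("customer-db", "read"), ("customer-db", "write")},
    "carol": {("customer-db", "read"), ("tickets", "read"),
              ("tickets", "write"), ("payroll-db", "read")},        # excess
}


def entitled(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of everything the user's assigned roles permit (empty if unknown)."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def allowed(user, resource, action, **kw):
    """Default-deny authorisation decision taken from the role model alone.

    Unknown users, unknown roles and unlisted (resource, action) pairs are all
    refused; a grant that exists on the target system but is not justified by
    a role does not make the action allowed here.
    """
    return (resource, action) in entitled(user, **kw)


def excess_privileges(actual_grants=ACTUAL_GRANTS, **kw):
    """Return {user: grants held that no assigned role justifies}.

    Only users with at least one unjustified grant appear in the result, so an
    empty dict means the provisioned state matches the classification scheme.
    """
    findings = {}
    for user, grants in actual_grants.items():
        extra = grants - entitled(user, **kw)
        if extra:
            findings[user] = extra
    return findings


def share_with_excess(actual_grants=ACTUAL_GRANTS, **kw):
    """Fraction of reviewed accounts holding at least one unjustified grant."""
    if not actual_grants:
        return 0.0
    return len(excess_privileges(actual_grants, **kw)) / len(actual_grants)


if __name__ == "__main__":
    for user, extra in sorted(excess_privileges().items()):
        for resource, action in sorted(extra):
            print(f"{user}: holds {action} on {resource} with no role that permits it")
    print(f"{share_with_excess():.0%} of reviewed accounts hold excess privileges")
```

Two design points are worth noting. The authorisation decision (`allowed`) never consults the grant export, so a leftover grant on a system cannot widen what the model permits; and the audit (`excess_privileges`) is what turns "we trust our administrators" into a list of concrete grants to revoke, which is the difference between the neighbour-with-a-key model and least privilege.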

References

  • (Rouse 2008) Principle of least privilege (POLP): Rouse, Margaret (2008). TechTarget. Discusses the principle of least privilege and its application to restricting access rights for people, systems, software applications, and devices connected to the Internet of Things. Includes video on how to address privileged user access.
  • (Seltzer 2013) Excess privilege makes companies and data insecure: Seltzer, Larry (2013). ZDNet. Research results that show most companies do a poor job of managing the permissions and privileges of users on their computers and networks.
  • (Prince 2015) Excessive User Privileges Challenges Enterprise Security: Survey: Prince, Brian (2015). Security Week. Research results from the Privilege Gone Wild 2 survey that shows 47 percent of employees say they have elevated privileges not necessary for their roles.

About Emma Lilliestam


Emma Lilliestam is a Swedish software security tester. She has previously worked in Support and DevOps and is now a consultant for House of Test.

Term: Privilege

Website: emalstm.tech/

Twitter: @emalstm

LinkedIn: se.linkedin.com/in/emma-lilliestam-0122a789