
What is it?

A systematic process by which an organization gathers information about its essential business functions and processes and evaluates the potential impact on the organization if those functions and processes were interrupted or otherwise adversely affected. Also referred to as a business impact analysis.

Why is it important?

This term is important because it helps organizations prioritize the allocation of time and resources to prevent, manage, and recover from incidents that affect critical business operations and assets. A business impact assessment also provides information to help create an incident response plan and a business continuity plan.

Why does a business professional need to know this?

Conducting a business impact assessment (BIA) can help you see how security and risk management relates to the critical functions and overall mission of your organization. Security must support those functions and that mission.

Implementing security controls and managing cybersecurity risks costs time, money, and resources. A business impact assessment helps business professionals balance priorities and apply resources where they can have the greatest effect.

A business impact assessment is critical to both the risk management program and the business continuity plan. Together, these enable an organization to assess and manage risks to its critical assets and functions, and to recover and continue business operations when those assets and functions are negatively affected.

Essential questions that must be answered as part of the BIA include the following:

  • What information systems and functions are critical to the mission of the organization?
  • What do those systems and functions depend on?
  • If those systems and functions are impaired or interrupted, how quickly must they resume before the organization incurs a significant loss or unacceptable business impact?

Business professionals must work with cybersecurity professionals to help identify security risks to the organization’s business operations and information systems. A business impact assessment can help prioritize efforts to mitigate the potential impact of those risks to the organization.

About William McBorrough


William J. McBorrough is the co-founder of and CEO at MCGlobalTech, a Washington DC-based information security management consulting firm. For more than 19 years, Mr. McBorrough has demonstrated success as an administrator, engineer, architect, consultant, manager, and practice leader, developing cost-effective solutions to support the strategic and operational goals of client organizations in the areas of enterprise information security risk management, IT governance, security organization development and management, and government information assurance and compliance.

Term: Business Impact Assessment

Email: wjm4@mcglobaltech.com

Website: mcglobaltech.com

Twitter: @infosec3t

LinkedIn: linkedin.com/in/mcborrough

Facebook: facebook.com/MCGlobalTech

What is it?

A process for defining, identifying, classifying, and prioritizing potential weaknesses in an organization’s computer, network, and communications infrastructure, also known as vulnerability analysis or security assessment.

Why is it important?

When conducted correctly, results from a vulnerability assessment can be used to define or update an organization’s internal and external network as well as its information security policies.

Why does a business professional need to know this?

Vulnerability assessments provide cybersecurity specialists, and the organizations they serve, with a reasonable level of assurance that their information is safeguarded against known threats such as viruses, adware, spyware, trojans, worms, backdoors, bots, and potentially unwanted programs (PUPs) (ITBusinessEdge 2014).

Vulnerability assessments help cybersecurity specialists determine where to allocate finite resources to minimize the potential for security breaches. They also help organizations determine what course of action to follow if, and when, threats are discovered. Business professionals must understand the elements of a vulnerability assessment and support their cybersecurity specialists in creating one and keeping it up to date.

For organizations that are mandated to follow specialized security standards (e.g., HIPAA (HIPAA), PCI DSS (PCI-DSS), or GDPR (General Data Protection Regulation)), vulnerability assessments can help identify areas of weakness that need hardening.

Vulnerability assessments may include the following:

  • Cybersecurity audits: audits to evaluate and demonstrate compliance with government-imposed regulations. Cybersecurity audits have both a tactical and a strategic component: tactically, they help organizations comply with security standards; strategically, they help organizations monitor their internal security efforts.
  • Penetration tests: authorized testing of a computer system or network with the intention of finding vulnerabilities. Penetration tests are typically intended to counter specific threats, such as attempts to steal customer data, gain administrative privileges, or modify salary information.
  • White/grey/black-box assessments: three different approaches to vulnerability assessments. The color refers to how much internal information is given to the tester: a white-box assessment gives the tester access to all internal information, a black-box assessment gives the tester no internal information, and a grey-box assessment gives the tester a limited amount of information, for example knowledge of the internal data structures.

References

  • (ITBusinessEdge 2014) ITBusinessEdge (2014). 10-Step Security and Vulnerability Assessment Plan. Slide deck (source: Info-Tech Research Group). Suggests that security and vulnerability assessments be performed against all information systems on a pre-determined, regularly scheduled basis, and recommends that third parties be retained periodically to ensure appropriate levels of coverage and oversight.
  • (HIPAA) US Department of Health and Human Services (2015). HIPAA Overview. Answers general questions regarding the Standards for Privacy of Individually Identifiable Health Information and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
  • (PCI-DSS) TechTarget (2017). PCI DSS (Payment Card Industry Data Security Standard) Compliance Overview. Overview of the policies and procedures developed to protect credit, debit, and cash card transactions and to prevent the misuse of cardholders’ personal information.
  • (General Data Protection Regulation) GDPR (EU General Data Protection Regulation). Frequently asked questions regarding GDPR.

About Jeff Schaffzin


Jeff Schaffzin is a corporate, product, strategy, marketing, and business development expert with over 20 years of experience in high tech, covering industries such as security (network, cyber, physical), enterprise software, business intelligence and analytics, big data, the internet of things (IoT), cloud technologies (software as a service (SaaS) and platform as a service (PaaS)), mobile, marketing technology, and financial technology.

Jeff is currently the managing director and principal with the Genysys Group (Silicon Valley) and also heads product marketing and management for a visionary cybersecurity/IoT company in the San Francisco Bay Area.

Term: Vulnerability Assessment

Email: jschaffzin@genysysgroup.com

Twitter: @JeffSchaffzin

LinkedIn: linkedin.com/in/jeffschaffzin

What is it?

Controls to ensure that software applications are developed and operated in accordance with an organization’s requirements and risk tolerance levels (NIST 2017).

Why is it important?

Application risk governance provides a framework to ensure an appropriate balance between security and operations.

What is it?

A combination of three approaches (governance, risk management, and compliance) that organizations use to demonstrate compliance with international standards, global rules, laws, and state regulations. Referred to as IT GRC when a company uses information technology (IT) to apply GRC.

Why is it important?

Governance, risk management, and compliance (GRC) is often implemented by companies that are growing globally in order to maintain consistent policies, processes, and procedures across all parts of the organization. Business professionals must understand and follow the internal information security rules, company risk factors, and industry requirements that drive the implementation of GRC, so that the company as a whole remains compliant.