begin by identifying key business processes and establishing requirements for business recovery. This information is usually gathered by creating a BIA. The information provided by the BIA questionnaire will allow you to gain a better understanding of the impact of a given threat on your operation.
We discussed the recommended BIA analysis report format and how to use the data gathered in the report to fine-tune your business priorities. Determining resource dependencies is a critical step in developing an impact analysis. Once your data has been gathered, it is necessary to organize and tabulate the results in order to begin determining the impact on operations. The report must be based on a prioritization and classification of business functions so that it tells the reader which functions matter most in an emergency. To do this, it is necessary to establish time frames for measuring service interruption and to determine what the financial and operational impact on your organization may be.
The last part of this chapter covered information security, IT, and communications considerations. We presented an overview of the OCTAVE® methodology and outlined some preventive and recovery measures for information security managers to use in their organizations. We also discussed theft prevention for proprietary and intellectual property. Part of the process of determining the impact on operations for IT systems requires you to specify IT/communications systems and their dependencies; identify key IT, communications, and data systems; identify your key IT personnel; and have emergency contact information readily available. The same is needed for key IT suppliers and maintenance engineers. It is also a good idea to periodically review your IT recovery procedures and ensure they are current with any changes that may have occurred in the organization. In this chapter, we have suggested some steps that will help you determine the impact resulting from a disaster. The next chapter will go into greater detail on how to mitigate the effects of such events.
2.10 Endnotes
1. National Institute of Standards and Technology, Special Publication 800-34: Contingency Planning Guide for Information Technology Systems. June 2002.
2. National Drought Mitigation Center, University of Nebraska at Lincoln. Information retrieved from http://www.drought.unl.edu/plan/plan.htm on March 5, 2005.
3. Ibid.
4. U.S. House of Representatives, H.R. 3210, 107th Cong., 1 November 2001. Terrorism Risk Insurance Act of 2002.
5. http://www.fema.gov/library/prepandprev.shtm#terrorprev
6. Federal Emergency Management Agency, FEMA 426: Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings. Washington, DC: U.S. Federal Emergency Management Agency, December 2003.
7. http://www.fema.gov/fima/rmsp.shtm#426
8. http://thomas.loc.gov/home/terrorleg.htm
9. National Institute of Standards and Technology, Special Publication 800-30: Risk Management Guide for Information Technology Systems. June 2001.
10. National Institute of Standards and Technology, Special Publication 800-18: Guide for Developing Security Plans for Information Technology Systems. December 1998.