94 2.10 Endnotes
begin by identifying key business processes and establishing requirements
for business recovery. This information is usually gathered by creating a BIA
The information provided by the BIA questionnaire will allow you to
gain better understanding of the impact of a given threat on your operation.
We discussed the recommended BIA analysis report format and how to use
the data gathered in the report to ﬁne-tune your business priorities. Deter-
mining resource dependencies is a critical step in the process of developing
an impact analysis. Once your data has been gathered, it is necessary to
organize and tabulate the results in order to begin determining any impact
on operations. The report must be based on a prioritization and classiﬁca-
tion of business functions in order to tell the user what is most important to
cope with in an emergency. To do this, it is necessary to establish time
frames for service interruption measurement and determine what the ﬁnan-
cial and operational impact may be on your organization.
The last part of this chapter covered the information security, IT and
communications, considerations. We presented an overview of the
OCTAVE® methodology and outlined some preventive and recovery mea-
sures for information security managers to use in your organization. We
also talked about theft prevention for proprietary/intellectual property. Part
of the process of determining impact on operations for IT systems requires
you to specify IT/communications systems and dependencies, identify key
IT, communications, and data systems, identify your key IT personnel and
have emergency contact information readily available. This is also needed
for key IT suppliers and maintenance engineers. It is also a good idea to
periodically review your IT recovery procedures and ensure they are current
with any changes that may have occurred in the organization. In this chap-
ter, we have suggested some steps that will help you to determine the
impact resulting from a disaster. The next chapter will go into greater detail
on how to mitigate the effects of such events.
1. National Institute of Standards and Technology, Special Publica-
tion 800-34: Contingency Planning Guide for Information Technol-
ogy Systems. June 2002.
2. National Drought Mitigation Center, University of Nebraska at
Lincoln. Information retrieved from
http://www.drought.unl.edu/plan/plan.htm on March 5, 2005.