
| Subject: | RE: Guide for Business Impact Analysis |
|---|---|
| Date: | Mon, 25 Oct 2004 08:25:26 +0200 |
Hi Shashank,

In my opinion you might have two main alternatives: either using a tool to carry out the risk analysis or to make a risk analysis on your own following the guidelines of ISO 17799.

We have been carrying out risk analysis for the past two years using CRAMM, which has been very useful to identify risk areas and to select controls to mitigate subjacent risk. For more information please refer to www.cramm.com

You can also refer to the ISO 17799 standard which describes the risk analysis process:

- High level Business Impact analysis
- gap analysis current and desired situation benchmarking them against Standards of Good Practice
- Produce a Statement of applicability selecting controls to be implemented.

(Please see the attached presentation)

You can also follow the Baseline Security approach: all informational assets will have a baseline security (to be described by the business itself) in order to cover the obvious gaps and then perform an analysis on the remaining risk. This approach will reduce the analysis environment. You can find documentation on this approach in www.bsi.de

I hope this helps.

Regards,
Rafael

-----Original Message-----
From: Shashank Rai [mailto:shash@etisalat-nis.ae]
Sent: zondag 24 oktober 2004 8:54
To: security-management@securityfocus.com
Subject: Guide for Business Impact Analysis

Hi all,

I am looking for guides/standards/methodology on how to conduct "Business Impact Analysis", for BS7799 certification (as a part of the business continuity planning). Any information/pointers will be greatly appreciated.

cheers,
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office
+971-50-6670648 Cell
GPG key: http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B794740 26E36F5

Attachment: Corporate IT Risk Analysis Methodology.ppt