
RE: Guide for Business Impact Analysis

Subject: RE: Guide for Business Impact Analysis
Date: Mon, 25 Oct 2004 12:20:09 +0400
Hi Rafael,

Thanks for your pointers. But I think I need to clarify my initial query
a bit.

IMO, risk analysis is a part of risk management, which in turn is a part
of BCP (plz correct me if I'm wrong).  BS7799 says one needs to do "risk
management" but is silent on how to do so. Here comes in AS/NZS 4360,
which I believe is the best standard for risk management.

Similarly, the standard mentions, BCP and thus BIA, but not the
methodology. What I am looking for is a methodology to conduct BIA.

rgds,

Shashank  

On Mon, 2004-10-25 at 10:25, Rafael de Dios wrote:
Hi Shashank

In my opinion you might have two main alternatives: either using a tool
to carry out the risk analysis or to make a risk analysis on your own
following the guidelines of ISO 17799.

We have been carrying out risk analysis for the past two years using
CRAMM, which has been very useful to identify risk areas and to select
controls to mitigate subjacent risk. For more information please refer
to www.cramm.com

You can also refer to the ISO 17799 standard which describes the risk
analysis process: High level Business Impact analysis - gap analysis
current and desired situation benchmarking them against Standards of
Good Practice - Produce a Statement of applicability selecting
controls to be implemented. (Please see the attached presentation)

You can also follow the Baseline Security approach: all informational
assets will have a baseline security (to be described by the business
itself) in order to cover the obvious gaps and then perform an analysis
on the remaining risk. This approach will reduce the analysis
environment. You can find documentation on this approach in www.bsi.de

I hope this helps. Regards,

Rafael

-----Original Message-----
From: Shashank Rai [mailto:shash@etisalat-nis.ae] 
Sent: Sunday 24 October 2004 8:54
To: security-management@securityfocus.com
Subject: Guide for Business Impact Analysis

Hi all,

I am looking for guides/standards/methodology on how to conduct "Business
Impact Analysis", for BS7799 certification (as a part of the business
continuity planning).

Any information/pointers will be greatly appreciated.

cheers,
-- 
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523   Office
    +971-50-6670648  Cell
GPG key:
http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5