Network Security Security-Management

RE: Guide for Business Impact Analysis

Subject: RE: Guide for Business Impact Analysis
Date: Tue, 26 Oct 2004 14:33:41 +0200
You might want to take a look at:
NIST 800-60 (IT asset categorization) for a detailed overview on how to
classify information and information systems according to availability,
integrity and confidentiality (AIC) requirements

And then:
NIST 800-30 (Risk Management Guide for Information Technology Systems)
for a detailed overview on risk assessment and mitigation, based on the
AIC analysis for each information type and information system.

Hope that helps.

Nimrod Steinbock 


-----Original Message-----
From: Shashank Rai [mailto:shash@etisalat-nis.ae] 
Sent: Monday 25 October 2004 10:20
To: Rafael de Dios
Cc: security-management@securityfocus.com
Subject: RE: Guide for Business Impact Analysis


Hi Rafael,

thanks for your pointers. But I think I need to clarify my initial query
a bit.

IMO, risk analysis is a part of risk management, which in turn is a part
of BCP (plz correct me if I'm wrong).  BS7799 says one needs to do "risk
management" but is silent on how to do so. Here comes in AS/NZS 4360,
which I believe is the best standard for risk management.

Similarly, the standard mentions BCP and thus BIA, but not the
methodology. What I am looking for is a methodology to conduct BIA.

rgds,

Shashank  

On Mon, 2004-10-25 at 10:25, Rafael de Dios wrote:
Hi Shashank

In my opinion you might have two main alternatives: either using a
tool to carry out the risk analysis or to make a risk analysis on your
own following the guidelines of ISO 17799.

We have been carrying out risk analysis for the past two years using
CRAMM, which has been very useful to identify risk areas and to select
controls to mitigate subjacent risk. For more information please refer
to www.cramm.com

You can also refer to the ISO 17799 standard which describes the risk
analysis process: high-level Business Impact Analysis - gap analysis
(current and desired situation, benchmarking them against Standards of
Good Practice) - produce a Statement of Applicability selecting
controls to be implemented. (Please see the attached presentation)

You can also follow the Baseline Security approach: all informational
assets will have a baseline security (to be described by the business
itself) in order to cover the obvious gaps and then perform an
analysis on the remaining risk. This approach will reduce the analysis
environment. You can find documentation on this approach in www.bsi.de

I hope this helps. Regards,

Rafael

-----Original Message-----
From: Shashank Rai [mailto:shash@etisalat-nis.ae]
Sent: Sunday 24 October 2004 8:54
To: security-management@securityfocus.com
Subject: Guide for Business Impact Analysis

Hi all,

I am looking for guides/standards/methodology on how to conduct "Business
Impact Analysis", for BS7799 certification (as a part of the business
continuity planning).

Any information/pointers will be greatly appreciated.

cheers,
-- 
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523   Office
    +971-50-6670648  Cell
GPG key:
http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

