Those who have a successful CRQ program, how did you tackle the Application Value element without the need to develop a BIA with the Business? Before we add the resources to go to this level, we want to create a POC to show the value of the tool we have for CRQ, one that shows the scenarios based on a subset (top 10) of applications but without having to develop a BIA for each. How best to start? Is there a calculation to use (Users, Data Points, Revenue, Transactions, etc.) that we can build into a formula?
VP of Information Security, 3 months ago
Our approach is not to circumvent the need for a BIA with the business, but rather to base our analysis on the BIA developed by the business. Instead of assessing the most critical applications, we base our approach on the applications that are included in critical value chains, and combine the security reviews of all applications within the value chain. The quantification is based on a calculation of the probability of different attack scenarios (propagating through the value chains), and business disruption is calculated through analyzing downtime. Subsequently the downtime forms the basis for calculating impact, mainly through lost revenue.
For each application or asset - whatever approach you take - using the six forms of loss from FAIR is a good way to structure your requests. They are:
1) Productivity - you'll need profit (i.e., # of transactions and an estimate of profit per transaction or user) enabled by or cost reduced by asset (i.e., # of employees and their cost, plus effect on productivity if there is an outage)
2) Response - what is unique to the application? Type of data processed, difficulty (i.e., # of hours) to roll back or patch in the event of a security incident, etc. Everything else can be done once here and applied to applications as appropriate.
3) Fines and Judgments - at the application level, you only need an estimate of the range and types of data impacted, or any penalties that might apply if the application is unavailable.
4) Competitive Advantage - here, you really just need an indication of what types of trade secrets the application contains, if any, and depending on your scenarios you might want to consider what potential future lost revenue there would be if these trade secrets are inappropriately accessed and used.
5) Reputation - if you collected all of the above, there is minimal additional data to collect here other than potentially customer lifetime value, which is unlikely to vary by application.
6) Replacement - if applicable, what would replacement hardware cost?
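The two answers above describe a calculation in words: per-scenario probability, downtime converted to lost revenue and productivity, and the six FAIR forms of loss as the inputs to collect per application. The script below is an added worked example of that formula, written for this thread; it is not code from either poster or from any CRQ tool. All application figures, scenario probabilities and the simplifications (midpoint of the fine range, a flat churn fraction for reputation, response effort charged per scenario) are constructed assumptions so the arithmetic can be checked; replace them with the values your business provides.

```python
from dataclasses import dataclass

# Inputs listed in the six-forms-of-loss answer, one profile per application.
# Every value here is constructed for illustration, not real data.
@dataclass
class AppProfile:
    name: str
    transactions_per_hour: float      # Productivity: volume enabled by the app
    profit_per_transaction: float     # Productivity: profit per transaction
    employees_dependent: int          # Productivity: staff who need the app
    hourly_employee_cost: float       # Productivity: loaded cost per hour
    productivity_loss_fraction: float # share of staff output lost in an outage
    response_hours: float             # Response: hours to roll back / patch
    response_hourly_rate: float       # Response: cost per responder hour
    fine_range: tuple[float, float]   # Fines and Judgments: low / high estimate
    future_revenue_at_risk: float     # Competitive Advantage: trade-secret exposure
    customer_lifetime_value: float    # Reputation: CLV (often the same for all apps)
    customers_at_risk: int            # Reputation: customers whose data is held
    churn_fraction: float             # Reputation: share expected to leave
    replacement_hardware_cost: float  # Replacement: hardware rebuild cost

# A scenario carries the probability and the downtime the first answer bases impact on.
@dataclass
class Scenario:
    name: str
    annual_probability: float
    downtime_hours: float
    data_breached: bool
    trade_secrets_exposed: bool
    hardware_destroyed: bool

def loss_by_form(app: AppProfile, s: Scenario) -> dict[str, float]:
    """Single-event loss magnitude for one app under one scenario, by FAIR form."""
    hourly_outage_cost = (
        app.transactions_per_hour * app.profit_per_transaction
        + app.employees_dependent * app.hourly_employee_cost * app.productivity_loss_fraction
    )
    fine_midpoint = sum(app.fine_range) / 2  # assumption: use the midpoint of the range
    return {
        "Productivity": s.downtime_hours * hourly_outage_cost,
        "Response": app.response_hours * app.response_hourly_rate,
        "Fines and Judgments": fine_midpoint if s.data_breached else 0.0,
        "Competitive Advantage": app.future_revenue_at_risk if s.trade_secrets_exposed else 0.0,
        "Reputation": (app.customers_at_risk * app.churn_fraction * app.customer_lifetime_value)
        if s.data_breached else 0.0,
        "Replacement": app.replacement_hardware_cost if s.hardware_destroyed else 0.0,
    }

def annualized_loss(app: AppProfile, scenarios: list[Scenario]) -> float:
    """Expected annual loss: sum over scenarios of probability x single-event loss."""
    return sum(s.annual_probability * sum(loss_by_form(app, s).values()) for s in scenarios)

def rank_applications(apps: list[AppProfile], scenarios: list[Scenario]) -> list[tuple[str, float]]:
    """Order applications by annualized loss, highest first (the 'top N' view for a POC)."""
    ranked = [(a.name, annualized_loss(a, scenarios)) for a in apps]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Constructed sample data: two hypothetical applications and two scenarios.
PAYMENTS_API = AppProfile("payments-api", 2000, 1.50, 50, 60, 0.5, 40, 150,
                          (50_000, 250_000), 500_000, 1200, 10_000, 0.02, 80_000)
HR_PORTAL = AppProfile("hr-portal", 0, 0, 200, 50, 0.2, 16, 150,
                       (10_000, 50_000), 0, 0, 0, 0.0, 20_000)
SCENARIOS = [
    Scenario("ransomware", 0.10, 72, data_breached=True, trade_secrets_exposed=False, hardware_destroyed=False),
    Scenario("ddos", 0.30, 8, data_breached=False, trade_secrets_exposed=False, hardware_destroyed=False),
]

if __name__ == "__main__":
    for app in (PAYMENTS_API, HR_PORTAL):
        for s in SCENARIOS:
            print(app.name, s.name, loss_by_form(app, s))
    print(rank_applications([HR_PORTAL, PAYMENTS_API], SCENARIOS))
```

With the constructed figures, the ransomware scenario against payments-api costs 324,000 in productivity (72 hours at 4,500 per hour), 6,000 in response, 150,000 in fines and 240,000 in reputation, a single-event loss of 720,000, which at 10% annual probability contributes 72,000 to an annualized loss of 84,600 for that application. The point of the structure is that only the per-application inputs change; response effort, customer lifetime value and fine ranges can be collected once and reused across the top-10 subset.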