Those who have a successful CRQ program, how did you tackle the Application Value element without the need to develop a BIA with the Business? Before we add the resources to go to this level, we want to create a POC to show the value of the tool we have for CRQ that shows the scenarios based on a subset (top 10) of applications, but without having to develop a BIA for each. How best to start? Is there a calculation to use (users, data points, revenue, transactions, etc.) that we can build into a formula?

Director of IT in Healthcare and Biotech, 3 months ago
There is no hard and fast rule or calculation, but for each asset or application in your inventory it is easiest to go directly to the application business and technical owners to get this data. Since we are talking about 10 applications here, I personally would start with an overview of each application and obtaining an understanding of what business processes or data (i.e., the underlying assets) each application supports. You can certainly quantify at the application layer, but it might be more valuable, if this is really 3 business processes and 1 type of sensitive data, to structure your scenarios around those assets versus individual applications.

For each application or asset - whatever approach you take - using the six forms of loss from FAIR is a good way to structure your requests. They are:

1) Productivity - you'll need profit (i.e., # of transactions and an estimate of profit per transaction or user) enabled by, or cost reduced by, the asset (i.e., # of employees and their cost, plus the effect on productivity if there is an outage)
2) Response - what is unique to the application? Type of data processed, difficulty (i.e., # of hours) to roll back or patch in the event of a security incident, etc. Everything else can be done once here and applied to applications as appropriate.
3) Fines and Judgments - at the application level, you only need an estimate of the range and types of data impacted, or any penalties that might apply if the application is unavailable.
4) Competitive Advantage - here, you really just need an indication of what types of trade secrets the application contains, if any, and depending on your scenarios you might want to consider what potential future lost revenue there would be if these trade secrets are inappropriately accessed and used.
5) Reputation - if you collected all of the above, there is minimal additional data to collect here other than potentially customer lifetime value, which is unlikely to vary by application.
6) Replacement - if applicable, what would replacement hardware cost?
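As an added example (not code from the thread or from the FAIR standard), the following script turns the inventory fields listed in the answer above into a per-application loss estimate broken down by the six FAIR forms of loss, then ranks the applications under a given scenario. Every field name, the two-flag scenario model (data exposed / hardware destroyed), the organisation-wide constants and all figures in the inventory are assumptions constructed for illustration; the point is the structure of the calculation, not the numbers.

```python
# Added example (not from the original thread): a per-application loss estimate
# structured by FAIR's six forms of loss, built from the inventory fields the
# answer above suggests collecting. Field names, the scenario model and all
# figures are assumptions/constructed data, not a FAIR-official formula.
from dataclasses import dataclass

# Organisation-wide assumptions, collected once and shared by every application.
CUSTOMER_LIFETIME_VALUE = 300.0   # revenue over a customer's lifetime (assumed)
CHURN_FRACTION_ON_BREACH = 0.005  # share of affected customers lost after a disclosed breach (assumed)


@dataclass
class AppProfile:
    """What the application's business and technical owners are asked for."""
    name: str
    transactions_per_hour: float        # Productivity: profit enabled by the app
    profit_per_transaction: float
    employees_dependent: int            # Productivity: cost of idle staff
    employee_cost_per_hour: float
    productivity_loss_fraction: float   # 0..1, share of their output that stops in an outage
    response_hours: float               # Response: app-specific rollback/patch effort
    response_rate_per_hour: float
    records: int                        # Fines: regulated records the app holds
    fine_per_record: float
    customers_affected: int             # Reputation: customers whose data is in scope
    trade_secret_future_revenue: float  # Competitive advantage: future revenue at risk
    replacement_hardware: float         # Replacement: hardware cost if destroyed


@dataclass
class Scenario:
    name: str
    outage_hours: float
    data_exposed: bool        # triggers fines, competitive-advantage and reputation losses
    hardware_destroyed: bool  # triggers replacement cost


def loss_by_form(app: AppProfile, s: Scenario) -> dict:
    """Return the six FAIR loss forms for one application under one scenario."""
    productivity = s.outage_hours * (
        app.transactions_per_hour * app.profit_per_transaction
        + app.employees_dependent * app.employee_cost_per_hour * app.productivity_loss_fraction
    )
    response = app.response_hours * app.response_rate_per_hour  # incurred in every incident
    fines = app.records * app.fine_per_record if s.data_exposed else 0.0
    competitive = app.trade_secret_future_revenue if s.data_exposed else 0.0
    reputation = (app.customers_affected * CHURN_FRACTION_ON_BREACH
                  * CUSTOMER_LIFETIME_VALUE) if s.data_exposed else 0.0
    replacement = app.replacement_hardware if s.hardware_destroyed else 0.0
    return {"productivity": productivity, "response": response, "fines": fines,
            "competitive": competitive, "reputation": reputation, "replacement": replacement}


def total_loss(app: AppProfile, s: Scenario) -> float:
    return sum(loss_by_form(app, s).values())


def rank_applications(apps, s: Scenario):
    """Applications ordered by total loss magnitude under the scenario, highest first."""
    return sorted(((total_loss(a, s), a.name) for a in apps), reverse=True)


# Constructed inventory for three hypothetical applications (all figures invented).
INVENTORY = [
    AppProfile("billing", 500, 2.0, 40, 60, 0.5, 16, 150, 200_000, 1.0, 200_000, 0.0, 50_000),
    AppProfile("hr", 0, 0.0, 12, 55, 0.8, 8, 150, 3_000, 50.0, 0, 0.0, 10_000),
    AppProfile("research", 0, 0.0, 25, 90, 0.6, 40, 150, 0, 0.0, 0, 750_000, 120_000),
]
RANSOMWARE = Scenario("ransomware: 24h outage with data theft", 24, True, False)
HARDWARE_LOSS = Scenario("datacentre hardware loss: 8h outage", 8, False, True)

if __name__ == "__main__":
    by_name = {a.name: a for a in INVENTORY}
    for s in (RANSOMWARE, HARDWARE_LOSS):
        print(s.name)
        for total, name in rank_applications(INVENTORY, s):
            print(f"  {name:10s} {total:12,.0f}  {loss_by_form(by_name[name], s)}")
```

Because reputation and response inputs are shared, the only per-application questions left are the productivity, fines, competitive-advantage and replacement fields, which is the "collect once, apply to each application" split the answer describes. Swap in ranges (minimum, most likely, maximum) for the point values once the owners are comfortable with the shape of the questions.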
VP of Information Security, 3 months ago
Our approach is not to circumvent the need for a BIA with the business, but rather to base our analysis on the BIA developed by the business. Instead of assessing the most critical applications, we base our approach on the applications that are included in critical value chains, and combine the security reviews of all applications within the value chain. The quantification is based on a calculation of the probability of different attack scenarios (propagating through the value chains), and business disruption is calculated by analyzing downtime. Subsequently the downtime forms the basis for calculating impact, mainly through lost revenue.
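As an added example (not the commenter's own model or code), the following script reduces the value-chain approach described above to a runnable calculation: each application carries an annual probability per attack scenario and a downtime if compromised, each value chain lists the applications it depends on and its revenue per hour, and the expected lost revenue is rolled up per chain and per application. The applications, chains, probabilities, downtimes and revenue figures are constructed, and the model assumes compromises of different applications are independent and that overlapping outages can be ignored; those simplifications are flagged in the code.

```python
# Added example (not from the original thread): the value-chain approach the
# answer above describes, reduced to a runnable model. Scenario probabilities,
# downtimes, chain revenue figures and the independence assumption are all
# constructed for illustration.
from math import prod

# Annual probability that each scenario succeeds against the application, and
# how long the application is down when it does (constructed figures).
APPS = {
    "crm":       {"downtime_hours": 12, "p": {"ransomware": 0.10, "credential_theft": 0.20}},
    "billing":   {"downtime_hours": 24, "p": {"ransomware": 0.05, "credential_theft": 0.10}},
    "erp":       {"downtime_hours": 48, "p": {"ransomware": 0.08, "credential_theft": 0.05}},
    "ticketing": {"downtime_hours": 6,  "p": {"ransomware": 0.15, "credential_theft": 0.10}},
}

# Critical value chains taken from the BIA: the applications each one depends on
# and the revenue the chain earns per hour (constructed figures).
CHAINS = {
    "order-to-cash": {"apps": ["crm", "billing", "erp"], "revenue_per_hour": 4000.0},
    "support":       {"apps": ["crm", "ticketing"],      "revenue_per_hour": 500.0},
}
SCENARIOS = ("ransomware", "credential_theft")


def chain_disruption_probability(chain: str, scenario: str) -> float:
    """P(chain disrupted) = 1 - P(no application in the chain is compromised).
    Assumes compromises of different applications are independent events."""
    return 1.0 - prod(1.0 - APPS[a]["p"][scenario] for a in CHAINS[chain]["apps"])


def expected_annual_loss(chain: str, scenario: str) -> float:
    """Expected lost revenue for one chain and scenario: a compromised application
    takes the whole chain down for its own downtime. Overlapping outages of two
    applications in the same year are ignored (small-probability approximation)."""
    c = CHAINS[chain]
    expected_downtime = sum(APPS[a]["p"][scenario] * APPS[a]["downtime_hours"]
                            for a in c["apps"])
    return expected_downtime * c["revenue_per_hour"]


def chain_exposure(chain: str) -> float:
    """Expected annual lost revenue for a chain across all scenarios."""
    return sum(expected_annual_loss(chain, s) for s in SCENARIOS)


def app_contribution(app: str) -> float:
    """Expected annual lost revenue attributable to one application across every
    chain it sits in; a shared application (crm here) is counted in each chain.
    Useful for ordering the security reviews within the chains."""
    total = 0.0
    for c in CHAINS.values():
        if app in c["apps"]:
            total += sum(APPS[app]["p"][s] * APPS[app]["downtime_hours"] * c["revenue_per_hour"]
                         for s in SCENARIOS)
    return total


if __name__ == "__main__":
    for chain in CHAINS:
        print(f"{chain}: expected annual lost revenue {chain_exposure(chain):,.0f}")
        for s in SCENARIOS:
            print(f"  {s:17s} P(disrupted)={chain_disruption_probability(chain, s):.3f}"
                  f"  loss={expected_annual_loss(chain, s):,.0f}")
    for app in sorted(APPS, key=app_contribution, reverse=True):
        print(f"review priority: {app:10s} {app_contribution(app):,.0f}")
```

The per-application contributions sum to the per-chain exposures, so the two views stay consistent; the point of the chain view is that an application with a modest standalone value (crm) rises in priority because it sits in more than one chain.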
