Disaster Recovery Document


IT6583 Business Continuity Planning and Implementation

Exercise 3- Risk Assessment- Chapter 4 and Appendix A of Textbook


Developed by Richard Halstead-Nussloch, Version 05Jan15
Course Textbook: Susan Snedaker and Chris Rima, Business Continuity & Disaster
Recovery for IT Professionals, 2nd Edition. Burlington: Syngress, 2014, ISBN-13 978-012-410526-3.

Your name: Sandeep Aluru

Policies:

Submissions made through a means other than the D2L Dropbox will be ignored
and earn a 0.

Submissions without your name stated above earn a 0.

Submissions not in an rtf or pdf file or with the original questions and/or
formatting removed from the file earn a 0.

Submissions without adequate references or acknowledgements will earn a
discounted grade, potentially a 0.

Submissions that I can not open or require a password will earn a 0.

Second chances might be requested at any time through D2L email, and are
awarded at the sole discretion of the instructor.

Risk Assessment is Critical to BC/DR Success

The assessment of risk is a key step to a successful business continuity effort. Being
successful in this course requires you to understand how to assess risk and use this
assessment in developing plans for business continuity and related areas. This exercise
intends to aid you in doing so.

Readings for this assignment:

Selected readings on the web for deepening your understanding

Course Textbook [1] Chapter 4 plus Appendix A

Actions/Deliverables for this assignment:

Read as per above

Research what you read and other information on risk assessment

Respond to this assignment within the rtf file (leaving all questions and formatting
intact)

Deliverable: Upload your response using the D2L Dropbox

Deliverable: Make entries on the Module 3 Discussion and attach your
spreadsheet from question 3 below

Q1) Read, review and analyze Chapter 4 and Appendix A of the textbook:

What is the process of risk management that the author recommends?

Answer: Risk management is the process of identifying risk, assessing the risk and
taking steps to minimize the risk: risk assessment, the approach to the assessment,
and determination.

The author describes risk management through a flow chart giving a brief description
of the various factors. According to him, risk management consists of 3 steps:
1. Risk assessment
2. Approach or strategy
3. Determination
As part of risk assessment, one has to make a detailed analysis of possible
vulnerabilities and risk probabilities.
Then develop a strategy to mitigate the risks.
In the final step, follow the plan and document the design.
In the risk assessment phase, we have different factors to consider, such as:

Threat assessment

Vulnerability assessment

Impact assessment

Risk mitigation strategy development.

Threat Assessment: The initial step in the risk analysis is identifying the likelihood
of possible threats to the company. The quantitative method uses numbers to
represent the threats, whereas the qualitative method uses business terms to represent
possible threats to the business. The various threats to the business are taken into
consideration and assessed according to the impact they create on the business,
depending on their probability of occurrence.

Vulnerability Assessment: Vulnerability assessment and threat assessment are
almost similar terms, but in this phase the vulnerabilities relate to infrastructure,
people and processes. This is used to understand the impact created on the business by
threats. The output of the initial phase is the input to this phase, and it is often
measured as a frequency.

Based on the table above, all the vulnerabilities are rated accordingly and moved to
the next phase.
Impact Assessment: Based on the likelihood of the occurrence of the events, the
amount of impact created on the services and the business is the focus of this
particular segment.
A risk mitigation strategy is developed accordingly, prioritizing the events with the
highest frequency.
For example, the whole cycle would be as described below, taken from the textbook:

The three magical words, according to the author, are identifying, controlling, and
eliminating or minimizing the effect of unnatural events.

Where does risk assessment fall in that process and what is the risk assessment
sub-process?

Risk assessment is generally divided into sub-processes to make the cycle simple and
easier to implement. Risk assessment is a part of risk management, and its
sub-processes include:

Threat Assessment

Vulnerability Assessment

Impact Assessment.

How does the author define risk?

Answer: According to the author, risk is defined as the probability of occurrence
of an unnatural event, either due to natural calamities or due to a human action
(voluntary or involuntary), which can impact the services of a business.
Risk = Threat + Vulnerability + Likelihood + Impact

How should people, process, technology and infrastructure factor into risk
management?
Answer: People: People here refers to all the employees in an organization,
from the cleaners to the CEO. Necessary reviews must be taken from each
individual by conducting surveys as a part of the risk assessment. IT staff should be
given enough equipment to test the environment and develop a risk mitigation
policy. Training must be given to employees if necessary.
Process: A process is developed based on the employees' views regarding
the probable risks to the company. It establishes the process that can mitigate
the risks, from the governance bodies to all parts of the company.
Technology & Infrastructure: Technology and infrastructure play a vital role in
risk management. Sufficient infrastructure along with sophisticated technology
should be provided to the risk management team so that they can develop an
efficient strategy to mitigate the oncoming risks.

For example, a company offering cloud services should be able to provide spare test
servers to test the functionality and cluster services it provides.

What are the IT-specific aspects of risk management?

Answer:

1. Securing IT systems more fully

2. Enabling management to make well-informed decisions with regard to the
purchase and implementation of IT systems

3. Enabling management to authorize (accredit) the IT systems on the basis of
supporting documentation that results from the IT risk management activities

What are some information gathering methods and which do you recommend for
a personal[1] risk (and vulnerability) assessment?

Answer: If I had to develop a risk assessment, then I would follow the process
below to gather the required information.

Surveys

Following up with upcoming company strategies

Seminars

Discussions

On-site interviews
In my point of view, the information is collected based on the following factors:

Security requirements

Database information

Infrastructure such as server information

Guidelines we follow

[1] If you are unclear about this requirement, consider as those risks in the way of your personal business, i.e.,
those steps you need to take in maintaining your status as a student, e.g., assignments, records, etc.

What are the major categories of threats and some examples from each?

Answer: Threats are divided into 2 types: natural threats, human threats and
infrastructure threats.
Natural threats include earthquakes, floods, tornadoes, tsunamis, etc. (unnatural events).
Human threats include terrorist attacks or accidental failures.
Infrastructure threats include power outages.

What are the qualitative and quantitative methods of risk assessment?

Answer: Risks can be assessed in two ways, quantitative and qualitative, depending
on how they are measured.
In a qualitative assessment, risks are measured on a scale from high to low
representing the probability of the threats. Usually the stakeholders determine the
occurrence, and often their views and ratings are taken as the standard from which a
strategy is designed.
Pros:
Risks are ordered by priority
Can determine the areas of greater risk in less time and at lower cost
Quicker and simpler in nature
Values of loss are not quantified but perceived
Sequential rating of vulnerabilities can be done on a relative scale

Cons:
Cost-benefit analysis is more difficult to attain with this method.
Not possible to determine the probabilities and results in numerical terms.
Quantitative Assessment: This kind of assessment seems to be more accurate since the
result is expressed in numbers, determined on pre-determined scales. But
this method is cost based.
Risk exposure = Potential loss X Severity of potential loss
The annualized loss expectancy, which is the product of the annual rate of occurrence and
the single loss expectancy, is calculated, followed by the cost per impact, and the
company's infrastructure is then protected accordingly.
Advantages:
ms.

obability, monetary values and percentages.

Disadvantages:

more tools for its completion.


Inappropriate to many simple or moderate projects.

What is vulnerability assessment? Does it just apply to IT? How does it apply to
IT-related business continuity plans?

Answer: The process of identifying, quantifying and prioritizing the vulnerabilities in
a system is defined as vulnerability assessment.
The assessment is performed according to the following steps:
Cataloging the assets and capabilities in a system
Assigning a quantifiable value (or at least a rank order) and importance to those
resources
Identifying the vulnerabilities or potential threats to each resource
Mitigating or eliminating the most serious vulnerabilities for the most
valuable resources
Vulnerability assessment doesn't just apply to IT. It also includes energy supply
systems, water supply systems and transportation systems. This assessment has
different phases:
Threat analysis phase: All possible threats are listed in this phase.
Asset analysis phase: An organization's asset analysis is developed based on its
infrastructure and assets. The cost of the damage due to disasters is also documented.
Vulnerability phase: In this phase, the information from the above phases is combined
and the possible loss is prepared in a report.
Defining security policy phase: Based on the above phases, the risk strategy team comes
up with a strategy for how to deal with the possible threats and what the plan
of action should be during and after a disaster.
For a company to run smoothly, it is a must that the company has a risk
management team and a risk handling strategy to deal with disasters. By analyzing
the vulnerability assessment output against business risk, and by applying this information
to the development of security strategy and policy, management can ensure that their
organization strengthens its overall security and compliance posture.

What questions do you have remaining after your review and analysis of Chapter
4 and Appendix A?

Answer: Nothing
Q2) Our course textbook covers many of the materials, frameworks and resources for
Business Continuity and/or Risk Assessment or Risk Management. Search the web for
suitable additional and supplementary materials. (Hints: The section of Chapter 4 on IT
Specific Risk Management identifies many sources. Failure Mode and Effects Analysis
(FMEA) is becoming a best practice for risk assessment and prioritization in many
industry segments, including healthcare [2]. Although FMEA focuses on preventing
failures, it can provide a common risk-assessment framework that is well-understood
across an organization.) Identify, scan and assess at least two of these for use in this class;
report your findings here providing a summary paragraph of the contents of each of your
chosen sources:
Business Continuity Institute: This institute has been in the industry for 20 years
promoting awareness about business continuity. It certifies organizations for business
professionals and offers various certifications to IT professionals on business
continuity.

Development of business case.

Research related to BC.

It focuses on BCI events like the Threats and Opportunities events and enables
individuals to participate in BCI-related conferences. It also provides many
BC-related resources like BC24 (an online incident simulation game), virtual workshop
recordings on communication in a crisis, the human aspects of business
continuity, etc., and DVDs on business impact analysis.
Disaster resource.com: This website shares all the information about emergency
management and all the news regarding DR management. It helps in finding
organizations who can help in getting prepared or recovering from a disaster. This
website shares entire information about vendors who can help in planning BC/DR.

Globalcontinuity.com: This website starts with an awesome opening line: "If you fail
to plan then you plan to fail." This portal has a group of subject matter experts who can
help you mitigate the risk of business interruption.

Fema.gov: The Federal Emergency Management Agency's focus is to support and protect
citizens against unexpected disasters. It lets localities develop disaster
preparedness plans for the nation and incident management by conducting various surveys and
taking people's opinions.
The National Advisory Council (NAC) advises FEMA administrators on all
aspects of emergency and incident management. Emergency kits and warning
systems (like tools used for communications), disaster survivor assistance, disaster
declarations and services are provided by the agency. FEMA's strategic plan is to enable
risk reduction services globally, thereby enabling organizations to build the capability to
face catastrophic disasters.

sba.gov: SBA stands for Small Business Administration, which is an independent agency
of the federal government that helps in protecting data in a company. It helps us in
building and growing our business by understanding the federal market. It focuses on
data storage and processing, strategic planning, policies and regulations, etc., and gives
information about how to run and grow a business.

Q3) Review the quantitative method of risk and vulnerability assessment described in the
textbook. Develop a spreadsheet with the four columns from textbook page 201:

Potential threat source for your personal business, e.g., fire

Likelihood of occurrence (do some research)

Vulnerability (in your personal business, see footnote 1 below)

Interim risk value (threat likelihood times vulnerability)

Sno | Threat | Probability | Vulnerability | Probability*Vulnerability
(spreadsheet extracted with its column alignment lost; the values below are listed as they appear next to each threat)
Earthquake 0.02 0.16
Sink holes 0.006 0.024
Power outage 0.0045 0.0135
Employee fraud
Tsunami
Remaining cell values, column positions not recoverable: 0.1, 0.4, 0.1, 0.1, 4

List up to five threat sources for your personal business in column one (Note: Appendix
A lists many possibilities from which you can choose); then, for each threat source, do
some research to determine the likelihood of occurrence, estimate your vulnerability

quantitatively and calculate your interim risk value. Attach the spreadsheet to your
assignment submission. What thoughts do you have about scaling up such a spreadsheet
from your personal business to the business of a larger organization, e.g., KSU?
The main goal of risk assessment is to reduce the level of risk by adding appropriate
control measures.
In general, to do an assessment, you should:
Identify hazards.
Evaluate the likelihood of an injury or illness occurring, and its severity.
Consider normal operational situations as well as non-standard events such as
shutdowns, power outages, emergencies, etc.
Review all available health and safety information about the hazards.
Identify actions necessary to eliminate or control the risk.
Monitor and evaluate to confirm the risk is controlled.
Keep any documentation or records that may be necessary, including risk reports
and impact analysis reports.
The checklist is vital for any business to operate because it aids in mitigating the risks
involved in a disaster, which is applicable either to my personal business or to a giant like
KSU.
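The Q3 register (likelihood times vulnerability, ranked) and the ALE = ARO x SLE calculation from the quantitative-method answer, worked as an added example that is not part of this submission or the textbook. The threat names come from the exercise, every number is constructed, and the control_net_benefit cost/benefit helper is an assumed extension of the ALE formula, not something the textbook defines.

```python
"""Quantitative risk register: interim risk = likelihood x vulnerability,
ALE = ARO x SLE, plus a cost/benefit check on a proposed control.
Every number here is constructed for illustration, not a researched figure."""
from dataclasses import dataclass

def _check_unit_interval(name: str, value: float) -> None:
    # Both factors are probabilities; anything outside [0, 1] is a data-entry error.
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value}")

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float     # annual probability of occurrence (the ARO)
    vulnerability: float  # 0..1: how exposed the business is if the threat occurs
    sle: float            # single loss expectancy, in dollars

    def __post_init__(self) -> None:
        _check_unit_interval("likelihood", self.likelihood)
        _check_unit_interval("vulnerability", self.vulnerability)
        if self.sle < 0:
            raise ValueError("sle must be non-negative")

    @property
    def interim_risk(self) -> float:
        # Textbook column 4: threat likelihood times vulnerability.
        return self.likelihood * self.vulnerability

    @property
    def ale(self) -> float:
        # Annualized loss expectancy = annual rate of occurrence x single loss expectancy.
        return self.likelihood * self.sle

def rank_register(threats):
    """Highest interim risk first; ties broken by ALE so the costlier loss is mitigated first."""
    return sorted(threats, key=lambda t: (t.interim_risk, t.ale), reverse=True)

def control_net_benefit(threat: Threat, likelihood_after: float, annual_cost: float) -> float:
    """Yearly ALE saved by a control that lowers the likelihood, minus the control's yearly cost.
    Positive means the control pays for itself (hypothetical helper, not a textbook formula)."""
    reduced = Threat(threat.name, likelihood_after, threat.vulnerability, threat.sle)
    return (threat.ale - reduced.ale) - annual_cost

# Constructed register: threat names from the exercise, numbers invented.
REGISTER = [
    Threat("Earthquake", 0.02, 0.40, 50_000.0),
    Threat("Sink holes", 0.006, 0.10, 20_000.0),
    Threat("Power outage", 0.30, 0.50, 1_500.0),
    Threat("Employee fraud", 0.05, 0.30, 10_000.0),
    Threat("Tsunami", 0.001, 0.10, 80_000.0),
]

if __name__ == "__main__":
    for t in rank_register(REGISTER):
        print(f"{t.name:15} interim risk {t.interim_risk:.4f}  ALE ${t.ale:,.2f}")
    # A $200/year UPS that cuts power-outage likelihood from 0.30 to 0.05:
    print("UPS net benefit per year:", control_net_benefit(REGISTER[2], 0.05, 200.0))
```

Scaling this up to an organization like KSU is mostly a matter of feeding a larger register through the same two functions; the validation in Threat is what keeps a typo in one of hundreds of rows from silently distorting the ranking.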
Q4) Do you have any questions about the course at this time?
No
Q5) Lab Exercise Question:

Review and summarize your ideas and experience about risk assessment and risk
management. Discuss the steps you might recommend in scaling up what you did in
this assignment for your personal business to a larger organization such as KSU.
Don't forget to attach your spreadsheet to your discussion posting.

As discussed above, risk assessment and risk management help to build a better
company. A better company with a better risk strategy helps to provide better service.

Better service brings better customers. Better customers provide the best business. The best
business leads to better company worth. As per my research on risk assessment, I can
probably develop the checklist below.

Identify the possible threats

Identify the vulnerabilities

Calculate the current value of the assets

Prepare a report focusing on the loss impact factor

Based on the probability of the occurrence of unnatural events, form a team

Make sure the risk strategy is sufficient to face the disaster.

Document the work, including all the analysis and reports and the strategy developed

Perform frequent testing to verify the functionality of the system.

Record your answers here.

Also, enter your answers on the Module 3 Discussion.

Sources and works used in completing this exercise (if none, please explicitly state so):

1. Susan Snedaker and Chris Rima. Business Continuity & Disaster Recovery for IT
Professionals, 2nd Edition. Burlington: Syngress, 2014.

2. U.S. Veterans Administration. Healthcare Failure Mode and Effects Analysis.
Retrieved on January 5 from
http://www.patientsafety.va.gov/professionals/onthejob/hfmea.asp

3. "Risk Assessment." Wikipedia. Wikimedia Foundation, 5 Dec. 2014. Web. 15 Feb.
2015. <http://en.wikipedia.org/wiki/Risk_assessment>.

4. "Risk Assessment: OSH Answers." Canadian Centre for Occupational Health and
Safety, 19 June 2006. Web. 15 Feb. 2015.
<http://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html>.

5. "Vulnerability Assessment." Wikipedia. Wikimedia Foundation, 5 Dec. 2014. Web. 15
Feb. 2015. <http://en.wikipedia.org/wiki/Vulnerability_assessment>.

6. "Incident Command System (ICS): What Is an Incident Command System?" N.p., n.d. Web. 29
Jan. 2015. <https://www.osha.gov/SLTC/etools/ics/what_is_ics.html>.

7. "Emergency Preparedness and You." CDC. N.p., 30 Feb. 2014. Web. 30 Jan. 2015.
<http://emergency.cdc.gov/preparedness/>.

8. "Disaster Recovery." Wikipedia. Wikimedia Foundation, 08 Dec. 2014. Web. 30 Jan.
2015. <http://en.wikipedia.org/wiki/Disaster_recovery>.

9. "Continuity of Operations." FEMA.gov. N.p., n.d. Web. 30 Jan. 2015.
<https://www.fema.gov/continuity-operations>.

10. "Business Continuity." Wikipedia. Wikimedia Foundation, 30 Jan. 2015. Web. 30
Jan. 2015. <http://en.wikipedia.org/wiki/Business_continuity>.

11. "The Business Continuity Institute." N.p., n.d. Web. 31 Jan. 2015.
<http://www.thebci.org/>.

12.

Acknowledgements of people (and other exercise submissions) used in completing this
exercise (if none, please explicitly state so):
