BIA Microsoft network
Has anyone ever performed BIAs (business impact analyses) for security issues in Microsoft networks, i.e. encryption, two-factor authentication etc.? If so, how is the analysis conducted and reported? What does the report show: the risks to the business by NOT having such controls in place, or the risk to the business by IMPLEMENTING such controls? I'd much rather have some comments from folk who have done this before than a link to the Wikipedia BIA page. Thanks in advance.
October 19th, 2011 4:47am

Many risk models focus on security and view risk management from the perspective of maintaining hardware and data security and integrity. One example is the Office of Government Commerce (OGC) Risk Analysis and Management Methodology (known as CRAMM). Another example would be the use of business impact analysis methods and techniques to assess the impact on the business due to the loss or degradation of service.

CRAMM

Sanctioned by the Information Technology Infrastructure Library (ITIL), CRAMM was developed by Insight Consulting. CRAMM is a structured, three-step process embodied in a software package for assessing risks to information systems and identifying appropriate countermeasures. CRAMM asserts that risk is dependent on asset values, threats, and vulnerabilities. The importance of these parameters is assessed by the CRAMM team in a series of interviews with the business owners of the assets, the users of the systems and services, the organization's security department, suppliers and partners, and the in-house support teams. The outcome of this CRAMM review is an analysis of current risks and a set of recommended countermeasures that are deemed appropriate to the classification of risk and to the IT infrastructure.

Business Impact Analysis

Business impact analysis (BIA) is a controlled method of analyzing and determining the immediate and ongoing impact of the loss of a service (or part of a service) to business resources and business processes. Once these are understood, the financial impact can be determined. BIA is a key discipline within the MOF IT Service Continuity Management SMF, and together with the service catalog (from the Service Level Management SMF) and the risk assessment (from the Availability Management SMF), provides an essential view of how IT supports and enables the business.

Additionally, when added to the costing and charging models (from the Financial Management SMF), this method can provide financial information about the cost of downtime and loss of service. By working with the business, the IT service provider can, through the use of BIA, identify which services must be recovered, in what order, over what timescale, and to what level.

Beyond Security

CRAMM and BIA are valuable approaches, but the MOF Risk Management Discipline broadens the scope of potential risks beyond security or business impact to include risks related to people, process, and technology. The MOF Risk Management Discipline provides guidance and stresses continual review of security risks in six steps: identifying, analyzing, planning, tracking, controlling, and learning. Moreover, MOF recognizes that security management is just one component of managing risks in the operations environment. The MOF Risk Management Discipline takes a comprehensive view of risk management that includes risks associated with agility, performance, and cost, in addition to security. From the business perspective, an IT operation can have an effective security structure but still fail if it does not address the risks inherent in agility, performance, and cost.

Please see the video at the link below for more details: http://technet.microsoft.com/en-us/edge/Video/ff711403

Vinod H
October 19th, 2011 7:44am
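The cost-of-downtime and recovery-ordering idea in the answer above, worked through as an added example. This is not part of the original thread and not MOF or CRAMM code; the service catalog, hourly losses, maximum tolerable outages, scenario frequencies and control costs are all constructed figures, and the scoring (loss per hour of outage cascaded across dependent services, annual loss as single loss times expected yearly occurrences, a control's avoided loss against its annual cost) is a simple quantitative model chosen here, not the methodology either framework prescribes. It produces the three things the question asks about: what an outage costs, in what order services must come back and by when, and the risk of NOT having a control set against the cost of IMPLEMENTING it.

```python
# Added example: toy BIA / risk model, not MOF or CRAMM code. All figures below are constructed.
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    cost_per_hour: float            # loss per hour the service is unavailable
    mto_hours: float                # maximum tolerable outage, hours
    depends_on: list = field(default_factory=list)

@dataclass
class Scenario:
    name: str
    annual_rate: float              # expected occurrences per year
    service: str = ""               # service taken down, if any
    outage_hours: float = 0.0
    direct_loss: float = 0.0        # costs not tied to downtime (notification, fines)

@dataclass
class Control:
    name: str
    annual_cost: float              # licences, hardware, admin time per year
    mitigates: dict                 # scenario name -> fraction of its loss avoided

CATALOG = {
    "AD":        Service("AD",        2000.0, 2.0),
    "Exchange":  Service("Exchange",  5000.0, 4.0, ["AD"]),
    "FileShare": Service("FileShare", 1500.0, 8.0, ["AD"]),
    "CRM":       Service("CRM",       8000.0, 4.0, ["AD", "Exchange"]),
}
SCENARIOS = [
    Scenario("credential-theft-AD", 0.5, "AD", 12.0, 20000.0),
    Scenario("lost-unencrypted-laptop", 2.0, direct_loss=40000.0),
    Scenario("exchange-hw-failure", 1.0, "Exchange", 6.0),
]
CONTROLS = [
    Control("two-factor-auth", 30000.0, {"credential-theft-AD": 0.8}),
    Control("disk-encryption", 12000.0, {"lost-unencrypted-laptop": 0.95}),
    Control("exchange-cluster", 90000.0, {"exchange-hw-failure": 0.9}),
]

def affected_services(catalog, root):
    """Root plus every service that transitively depends on it."""
    affected = {root}
    changed = True
    while changed:
        changed = False
        for svc in catalog.values():
            if svc.name not in affected and any(d in affected for d in svc.depends_on):
                affected.add(svc.name)
                changed = True
    return affected

def single_loss(catalog, scenario):
    """SLE: direct loss plus hourly loss of every service knocked out for the outage."""
    loss = scenario.direct_loss
    if scenario.service:
        for name in affected_services(catalog, scenario.service):
            loss += catalog[name].cost_per_hour * scenario.outage_hours
    return loss

def annual_loss(catalog, scenario):
    """ALE = SLE x expected occurrences per year."""
    return single_loss(catalog, scenario) * scenario.annual_rate

def effective_mto(catalog, name):
    """A service must be back before the tightest MTO of anything depending on it."""
    return min(catalog[s].mto_hours for s in affected_services(catalog, name))

def recovery_order(catalog):
    """Dependencies first; among ready services, tightest effective MTO, then
    highest hourly loss. Raises on a dependency cycle."""
    remaining, order = dict(catalog), []
    while remaining:
        ready = [s for s in remaining.values() if all(d not in remaining for d in s.depends_on)]
        if not ready:
            raise ValueError("dependency cycle in service catalog")
        nxt = min(ready, key=lambda s: (effective_mto(catalog, s.name), -s.cost_per_hour))
        order.append(nxt.name)
        del remaining[nxt.name]
    return order

def control_report(catalog, scenarios, controls):
    """Per control: annual loss avoided (risk of NOT having it) vs its annual cost."""
    rows = []
    for c in controls:
        avoided = sum(annual_loss(catalog, s) * c.mitigates.get(s.name, 0.0) for s in scenarios)
        rows.append({"control": c.name, "avoided_annual_loss": avoided,
                     "annual_cost": c.annual_cost, "net_benefit": avoided - c.annual_cost})
    return rows

if __name__ == "__main__":
    for name in recovery_order(CATALOG):
        print(f"restore {name:10s} within {effective_mto(CATALOG, name):4.1f} h")
    for r in control_report(CATALOG, SCENARIOS, CONTROLS):
        print(f"{r['control']:16s} avoids {r['avoided_annual_loss']:8.0f} "
              f"costs {r['annual_cost']:7.0f} net {r['net_benefit']:8.0f}")
```

Two points the numbers make that the prose alone does not: a dependency such as AD inherits the tightest recovery deadline of everything that sits on top of it, so its own MTO is not the figure to plan against; and a control can be a sound security measure yet show a negative net line (the constructed "exchange-cluster" row), which is exactly the "risk of implementing" view the question asks for, expressed as cost rather than as a new threat.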


As a new Microsoft employee I am in the process of becoming familiar with MOF and the templates available for our customers. In particular I am interested in the Disaster Recovery planning area and am looking for guidance. For the immediate need, I am interested in seeing BIA output examples for an Exchange environment. Additionally, is there a new (2012) link to our MOF Business Impact Analysis instruction set? Specifically, any Excel spreadsheets that customers can use and customize? Any assistance is greatly appreciated! T2
April 26th, 2012 8:56am
