Page 226 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Fires/explosions
Prolonged power outages
Building collapses
Transportation failures
Internet disruptions
Service provider outages
Remember, these are by no means all-inclusive lists. They merely
identify some common risks that many organizations face. You may
want to use them as a starting point, but a full listing of risks facing
your organization will require input from all members of the BCP
team.
The risk identification portion of the process is purely qualitative in
nature. At this point in the process, the BCP team should not be
concerned about the likelihood that each type of risk will actually
materialize or the amount of damage such an occurrence would inflict
upon the continued operation of the business. The results of this
analysis will drive both the qualitative and quantitative portions of the
remaining BIA tasks.
Business Impact Assessment and the Cloud
As you conduct your business impact assessment, don’t forget to
take any cloud vendors on which your organization relies into
account. Depending on the nature of the cloud service, the vendor’s
own business continuity arrangements may have a critical impact
on your organization’s business operations as well.
Consider, for example, a firm that outsourced email and
calendaring to a third-party Software as a Service (SaaS) provider.
Does the contract with that provider include details about the
provider’s SLA and commitments for restoring operations in the
event of a disaster?
Also remember that a contract is not normally sufficient due
diligence when choosing a cloud provider. You should also verify

