Page 231 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
work through a scenario.
From a qualitative point of view, you must consider the nonmonetary
impact that interruptions might have on your business. For example,
you might want to consider the following:
Loss of goodwill among your client base
Loss of employees to other jobs after prolonged downtime
Social/ethical responsibilities to the community
Negative publicity
It’s difficult to put dollar values on items like these in order to include
them in the quantitative portion of the impact assessment, but they
are equally important. After all, if you decimate your client base, you
won’t have a business to return to when you’re ready to resume
operations!
Resource Prioritization
The final step of the BIA is to prioritize the allocation of business
continuity resources to the various risks that you identified and
assessed in the preceding tasks of the BIA.
From a quantitative point of view, this process is relatively
straightforward. You simply create a list of all the risks you analyzed
during the BIA process and sort them in descending order according
to the ALE computed during the impact assessment phase. This
provides you with a prioritized list of the risks that you should address.
Select as many items as you’re willing and able to address
simultaneously from the top of the list and work your way down.
Eventually, you’ll reach a point at which you’ve exhausted either the
list of risks (unlikely!) or all your available resources (much more
likely!).
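As an added illustration (not from the study guide), the quantitative prioritization just described in Python: each risk's ALE is computed as SLE × ARO (the formula assumed here from the earlier impact-assessment step), the list is sorted in descending ALE order, and items are funded from the top until the next one no longer fits the remaining resources. The risk names, dollar figures and budget are constructed sample values; nonmonetary impacts are carried along only as notes, not folded into the ordering.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float               # single loss expectancy, in dollars
    aro: float               # annualized rate of occurrence
    mitigation_cost: float   # resources needed to address this risk now
    qualitative: tuple = ()  # nonmonetary impacts noted in the BIA

    @property
    def ale(self) -> float:
        # Annualized loss expectancy, assumed here as SLE x ARO
        return self.sle * self.aro


def prioritize(risks):
    """Sort the analyzed risks in descending ALE order."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def allocate(risks, budget):
    """Fund risks from the top of the ALE-sorted list until the list or
    the available resources are exhausted. Returns (funded names, leftover)."""
    funded, remaining = [], budget
    for risk in prioritize(risks):
        if risk.mitigation_cost > remaining:
            break  # resources exhausted before the list was
        funded.append(risk.name)
        remaining -= risk.mitigation_cost
    return funded, remaining


# Constructed sample data for illustration only
SAMPLE_RISKS = [
    Risk("Data center flood", 500_000, 0.10, 20_000, ("negative publicity",)),
    Risk("Ransomware outbreak", 200_000, 0.50, 40_000, ("loss of goodwill",)),
    Risk("Web server outage", 10_000, 4.00, 15_000),
    Risk("Key staff attrition", 80_000, 0.25, 30_000, ("employees leave",)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:22} ALE=${r.ale:>10,.0f} notes={r.qualitative}")
    print(allocate(SAMPLE_RISKS, 70_000))
```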
Recall from the previous section that we also stressed the importance
of addressing qualitatively important concerns. In previous sections
about the BIA, we treated quantitative and qualitative analysis as
mainly separate functions with some overlap in the analysis. Now it’s