| CompTIA® Security+® (Exam SY0-501)

In the last topic, you analyzed organizational risk by identifying assets that need protection, potential
vulnerabilities and relevant threats, and the likelihood of exploits. Risk analysis also involves the
evaluation of the effect of potential threats so that you can determine exactly what effects those
threats will generate in your organization. The ability to identify and analyze how risks can affect
your organization can help you to select the most effective countermeasures to mitigate those risks.
In this topic, you will analyze the business impact of risk.

BIA A business impact analysis (BIA) is a systematic activity that identifies organizational risks and
determines their effect on ongoing, mission-critical operations and processes. BIAs contain
vulnerability assessments and evaluations to determine risks and their effects. BIAs should include
all phases of the business to ensure that all essential functions and critical systems are identified and
that all associated risks are dealt with.

As a risk is identified, an organization determines the chance of risk occurrence and then determines
The Spotlight on the quantity of potential organizational damage. For instance, if a roadway bridge crossing a local
river is washed out by a flood and employees are unable to reach a business facility for five days,
presentation is available estimated costs to the organization need to be assessed for lost manpower and production.
from the Spotlight tile on In many situations, performing a BIA and recording the results is a crucial step in the creation of a
the CHOICE Course
business continuity plan (BCP), which is covered in greater depth later in the course.
screen. You may choose
to include it in your
instructional plans, or Note: For more information, check out the Spotlight on Assessing Damage presentation from
you can remind students the Spotlight tile on the CHOICE Course screen.
about the tile and the
supplemental
information it contains.
Impact Scenarios (3
Slides) There are several ways that risk can have an impact on an organization. You need to be aware of
Encourage participants which scenarios are applicable to your organizational situation.
to brainstorm additional
impact scenarios.

Lesson 2: Analyzing Risk | Topic B

 CompTIA® Security+® (Exam SY0-501) |

Life Natural disasters and intentional man-made attacks can be severe enough
to jeopardize the lives of employees and customers. Examples include:
• Severe weather events
• Seismic events
• Arson and other fires
• Terrorist attacks
Property Physical damage to buildings and other property can be caused by natural
disasters and intentional man-made attacks, such as:
• Severe weather events
• Seismic events
• Arson
• Terrorist attacks
• Break-ins
• Equipment damage
Safety The personal safety of employees and customers can be caused by natural
disasters, intentional man-made attacks, and unintentional man-made
risks, such as:
• Severe weather events
• Seismic events
• Arson
• Terrorist attacks
• Excessive employee illnesses or epidemics
Finance Monetary damages can be caused by natural disasters, intentional man-
made attacks, unintentional man-made risks, and system risks, such as:
• Severe weather events
• Seismic events
• Arson
• Terrorist attacks
• Break-ins
• Theft
• Equipment damage
• File destruction
• Information disclosure, whether intentional or accidental
• User error
• Social networking and cloud computing
• Excessive employee illnesses or epidemics
• Unsecure mobile and networking devices
• Unstable virtualization environments
• Email and account-management vulnerabilities

Lesson 2: Analyzing Risk | Topic B

 | CompTIA® Security+® (Exam SY0-501)
Privacy Assessments
Critical Systems and
Functions
Encourage students to
share examples of
different types of critical
systems and functions,
Lesson 2: Analyzing Risk | Topic B
Reputation Man-made risks and system risks have the potential to cause harm to an
organization's reputation. For instance:
• Response time for restoration of disrupted services or damaged files.
• Frequent information disclosure, or the perception of any recurring
problem.
• Perceived susceptibility to security breaches.
The reputation of an organization can be affected by not only the various
types of risk, but also by how the organization reacts and responds to the
risks. Examples include:
• Price gouging during natural disasters.
• Response time for addressing information disclosure, whether
intentional or unintentional.
There are two fundamental types of privacy assessments that many organizations use as part of their
BIA efforts: the privacy impact assessment (PIA) and the privacy threshold analysis or
privacy threshold assessment (PTA).
PIA A privacy impact assessment is a tool for identifying and analyzing risks
to privacy during the life cycle of a program or system. It states what
personally identifiable information (PII) is collected and explains how
it is maintained and protected, as well as how it will be shared.
PTA A privacy threshold analysis or assessment is a document used to
determine when a PIA is required. PTAs normally consist of information
that describes the system, what PII is collected or used, and the source of
the PII.
In the United States, PIAs and PTAs are mandated for federal agencies that collect personal
information online. In other instances, regulations might affect whether or not an organization
should develop a PTA and PIA.
Another document that is related to privacy assessments is the system of records notice (SORN).
A system of records is any collection of information that uses an individual's name or an
identifying number, symbol, or other identification scheme. The SORN is a federally mandated
publication of any system of record in the Federal Register.
An organization's critical systems and functions are those that, when absent or severely degraded,
prevent the organization from operating at the established minimum level of expectations. While it
can be argued that all systems and functions are required for an organization to run, there are
varying levels of criticality among them. For a data center, the air quality/HVAC system might rank
higher than for the HVAC in an office building because the server farm can fail when the
temperature is too high.
One way to determine the relative importance of a system or function is to develop some
quantitative data for comparison. Common metrics that are included in a BIA include:
 CompTIA® Security+® (Exam SY0-501) |

• Maximum tolerable downtime (MTD).

• Mean time to failure (MTTF).
• Mean time to repair/replace (MTTR).
• Mean time between failures (MTBF).
• Recovery time objective (RTO).
• Recovery point objective (RPO).

Maximum tolerable downtime (MTD) is the longest period of time that a business outage may Maximum Tolerable
occur without causing irrecoverable business failure. Each business process can have its own MTD, Downtime
such as a range of minutes to hours for critical functions, 24 hours for urgent functions, 7 days for
normal functions, and so on. MTDs vary by company and event.

The MTD limits the amount of recovery time that a business has to resume operations. For
example, an organization specializing in medical equipment may be able to exist without incoming
manufacturing supplies for three months because it has stockpiled a sizeable inventory. After three
months, the organization will not have sufficient supplies and may not be able to manufacture
additional products, therefore leading to failure. In this case, the MTD is three months.

The recovery point objective (RPO) is the longest period of time that an organization can tolerate Recovery Point
lost data being unrecoverable. The RPO is typically expressed in hours, and in most IT scenarios, Objective
determines the frequency of backups. For example, if the organization's RPO is 10 hours, then
backups should be performed at least every 10 hours. The interval of time between the last backup
and the event would not exceed 10 hours, and therefore the data lost in this time is within the
organization's tolerance.

Lesson 2: Analyzing Risk | Topic B

 | CompTIA® Security+® (Exam SY0-501)

Continuing with the earlier example, if the last backup was executed Sunday afternoon and a failure
occurs on the following Tuesday, then the recovery point is Sunday afternoon. The latest backup is
restored and processing begins to recover all activity from Sunday afternoon to the Tuesday failure
point. However, the RPO was set at 10 hours, so more data would be lost than is deemed
acceptable.

Recovery Time The recovery time objective (RTO) is the length of time within which normal business operations
Objective and activities can be restored following an event. It includes the necessary recovery time to return to
the RPO and reinstate the system and resume processing from its current status. The RTO must be
achieved before the MTD.

Mean Time to Failure

If time permits and
students show interest, Mean time to failure (MTTF) is the average time that a device or component is expected to be in
you can demonstrate the operation. Often used to describe the reliability of those devices or components that are not
use of one of the free repairable, MTTF is calculated as the total hours of operation divided by the number of failures.
MTTF calculators MTTF is typically expressed in thousands of hours.
available on the web.

Lesson 2: Analyzing Risk | Topic B

 CompTIA® Security+® (Exam SY0-501) |

Mean time to repair (MTTR) is the average time taken for a device or component to recover Mean Time to Repair
from an incident or failure. The MTTR of a component will be less than the RTO if the component
is relevant to that particular recovery effort. In other words, the RTO will incorporate the MTTR of
vital components in the time it takes to return overall business to normal. MTTR is typically
expressed in hours.

Note: This metric is also referred to as mean time to recover (or replace).

Mean time between failures (MTBF) is the rating on a device or component that predicts the Mean Time Between
expected time between failures. This metric basically is a measurement of how reliable the device or Failures
component is. For most devices and components, MTBF is typically listed as thousands or tens of Provide a brief
thousands of hours. Based on the relative MTBF of a system, you might need to consider and plan introduction of the
for redundancy measures. concept of MTBF, in the
context of developing a
BIA. Save the detailed
discussion of redundant
systems for the end of
the course.

Lesson 2: Analyzing Risk | Topic B

 | CompTIA® Security+® (Exam SY0-501)

MTBF can also be calculated by adding MTTF and MTTR.

Note: Redundancy and other business continuity concepts are cover in greater depth later in the
course.

Guidelines for Consider the following guidelines as you perform a BIA:

Performing a Business • Identify mission-essential functions and the critical systems within each function. These are the
Impact Analysis
systems that you should assess for the level of impact.
• Identify impact scenarios that put your business operations at risk.
• Calculate MTD, RPO, RTO, MTTF, MTTR, and MTBF.
• Conduct a privacy threshold assessment, and if warranted, a privacy impact assessment.
• Identify single points of failure and, where possible, establish redundant or alternative systems
and solutions.

Lesson 2: Analyzing Risk | Topic B

 CompTIA® Security+® (Exam SY0-501) |

The single largest source or revenue for Develetech is its online storefront. The storefront is hosted
by numerous servers distributed all over the world, and services millions of customers in over one
hundred countries. On Monday at 9:00 A.M., during routine maintenance, an administrator issued
commands through his control console to wipe the hard drives of 3 servers so that they could be
updated with new system images. The administrator, however, mistyped the commands and actually
wiped the entire cluster servicing the storefront. This took the store down for all customers
worldwide.
Additional important facts about the event include: Activity: Performing a
• The last backups of the storefront servers were performed on Sunday at 9:00 P.M. Business Impact
Analysis
• The organization previously determined that a loss of transaction data stretching more than 6
hours could seriously complicate the fulfillment process and lead to thousands of angry
customers demanding refunds.
• All of the servers require a full restart and to undergo restoration from the backups before they
return to production. The disaster personnel reviewing the damage conclude that this process
will take an average of 8 hours for each server.
• Multiple servers can undergo recovery at the same time, but due to personnel and network
bandwidth limitations, some servers will be unable to undergo the recovery process right away.
• Overall, Develetech believes that it can recover the storefront fully in about 2 days.
• A prior assessment revealed that the Develetech cannot afford to go without the storefront as a
revenue source for more than 3 days.
Given this information, you'll use various metrics to conduct a BIA.

○ 3 hours
○ 6 hours
○ 9 hours
○ 12 hours

Develetech did not meet its RPO. The last backup was 12 hours before the event, but the
company's RPO is only 6 hours. This means there are 6 hours worth of unrecoverable data that
the organization could not tolerate losing. Develetech should increase the frequency of its
backups in order to meet the RPO.

○ 6 hours
○ 8 hours
○ 2 days
○ 3 days

Lesson 2: Analyzing Risk | Topic B

 | CompTIA® Security+® (Exam SY0-501)

○ 6 hours
○ 8 hours
○ 2 days
○ 3 days

This does not necessarily cause a conflict with the organization's RTO. If the MTTR is 8 hours,
then it will take 40 hours to recover 5 sets of 20 servers. Since 40 hours is less than the RTO of 2
days (48 hours), the organization can still hit its objective.

○ 2 days
○ 3 days
○ 4 days
○ 5 days

Answers may vary. The most prominent impact will be the hit the organization takes to its
finances. Because the storefront is Develetech's revenue leader, the lack of transactions for more
than 3 days will impact its ability to sustain its own operational costs, as well as cause its market
value to plummet. While less quantifiable, Develetech's reputation will likely take an impact as
well. A customer backlash to the outage may tarnish the company's brand irrevocably.

Lesson 2: Analyzing Risk | Topic B

 CompTIA® Security+® (Exam SY0-501) |

In this lesson, you analyzed risk and its potential impact on business. When risk is identified and
managed properly, the possible damage to an organization is decreased substantially. It is your
responsibility to analyze risk, and properly assess and determine vulnerabilities for your organization
in order to apply the most effective mitigation strategies. With these skills, you will be able to carry
out a full risk analysis and apply customized security measures tailored to not only control access,
but to also mitigate risk.
Encourage students to
use the social
networking tools
Answers will vary depending on where students will be located and what type of information they need provided on the CHOICE
to protect in their businesses. For their analysis, some may be inclined toward quantitative analysis Course screen to follow
up with their peers after
for a more scientific and mathematical approach, whereas others may see the value in subjective
the course is completed
qualitative analysis. Some will prefer to leverage both in a semi-quantitative approach.
for further discussion
and resources to support
continued learning.

Answers will vary depending on the type of organization it is. For example, if you worked for a
company with an online store, you might determine that the servers that host the online store need to
be always available so that orders can be received and processed.

Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.

Lesson 2: Analyzing Risk |