Pub. 9 2020 Issue 3

FALL | 2020

Review one process at a time. Gather a group of people who deeply know and understand the process and how the lack of the process could impact the institution in different ways over different periods of time. Identifying the impact level for each category at each timeframe allows you to determine the MTD for this process.

Example Analysis

Let’s look at an example business impact analysis with the Mobile Deposit Capture process and the Reputational impact category. If a disruption to this process occurred, what impact would this have on the organization? Don’t spend too much time thinking about why the process is unavailable. Knowing why a process is unavailable is irrelevant to how long your organization can tolerate going without it before the missing piece begins to affect the organization’s mission, customer experiences, other business functions or compliance requirements.

After one hour, the institution may have a few unhappy customers, but the impact would overall be Insignificant. Even after one day, the impact might still be Low. If the process was down for three days, clients may start to notice and could be upset (Medium). After one week, the organization would likely have to do a lot of work to regain trust (High). If the process was unavailable for 60 days, the impact might be Extreme, as clients could be lost and our reputation would be damaged with the community. See the image for an example of what the ratings could look like.

When this assessment is performed for each category, the level of tolerance can be identified before a disruption becomes too detrimental for the business. That is the process’s maximum tolerable downtime and, thus, its criticality level. In this example, perhaps the impact is generally low prior to three days, so this process is set as Important.
This means, in the event of a widespread business disruption, other higher priority processes will be given attention before this one until the three-day mark is reached.

Override for Dependent Processes

Don’t forget about the process dependencies. This could completely override the criticality level you determine through the BIA process. If there is another process with a shorter MTD which depends on this one to function, you must shorten the MTD of this process to have it ready to support the dependent one. Another option would be to reconsider the relationship between the two processes or reconsider if the other process has an accurate MTD.

Leticia Saiid has been in the information security industry and providing public speaking for eight years. Leticia has a passion for clear and concise communication. After earning a B.A. and an M.A. in Mathematics, Leticia joined CoNetrix, where she served as the Tandem Software Support Manager for several years. She built and directed Tandem’s first team of support specialists. Leticia now serves as chief of staff, where she focuses on corporate strategy, employee development, and training. Leticia is Security+ certified, has published various security blog posts and articles, and has presented multiple conference sessions about information security topics.
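The MTD determination and the dependency override described in the article, worked through in Python as an added example that is not part of the original article or of Tandem. It reuses the article’s Mobile Deposit Capture / Reputational ratings; the “Medium” threshold, the criticality bands other than “Important”, and the dependent “Mobile Banking Login” process are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Impact levels from least to most severe, as rated in the article's example.
LEVELS = ["Insignificant", "Low", "Medium", "High", "Extreme"]
# The article's timeframes, in hours so they can be compared.
TIMEFRAMES = {"1 hour": 1, "1 day": 24, "3 days": 72, "1 week": 168, "60 days": 1440}
THRESHOLD = "Medium"  # assumption: "too detrimental" once any category hits Medium

@dataclass
class Process:
    name: str
    ratings: dict                                  # {category: {timeframe: level}}
    depends_on: list = field(default_factory=list)

def mtd_hours(p: Process) -> int:
    """MTD = earliest timeframe at which any impact category reaches THRESHOLD."""
    limit = LEVELS.index(THRESHOLD)
    for tf, hours in TIMEFRAMES.items():
        if any(LEVELS.index(cat[tf]) >= limit for cat in p.ratings.values()):
            return hours
    return max(TIMEFRAMES.values())  # not detrimental within the assessed horizon

def criticality(hours: int) -> str:
    """Assumed MTD bands; only 'Important' (three-day MTD) is named in the article."""
    if hours <= 24:
        return "Critical"
    return "Important" if hours <= 72 else "Deferrable"

def effective_mtd(name: str, procs: dict) -> int:
    """Dependency override: a process's MTD can be no longer than that of any
    process depending on it (assumes the dependency graph has no cycles)."""
    own = mtd_hours(procs[name])
    dependents = [q.name for q in procs.values() if name in q.depends_on]
    return min([own] + [effective_mtd(d, procs) for d in dependents])

# Constructed sample: the article's Mobile Deposit Capture / Reputational ratings
# plus a hypothetical dependent process whose own MTD is shorter.
PROCS = {
    "Mobile Deposit Capture": Process("Mobile Deposit Capture", {"Reputational": {
        "1 hour": "Insignificant", "1 day": "Low", "3 days": "Medium",
        "1 week": "High", "60 days": "Extreme"}}),
    "Mobile Banking Login": Process("Mobile Banking Login", {"Reputational": {
        "1 hour": "Low", "1 day": "Medium", "3 days": "High",
        "1 week": "Extreme", "60 days": "Extreme"}}, depends_on=["Mobile Deposit Capture"]),
}

if __name__ == "__main__":
    for name in PROCS:  # Mobile Deposit Capture: own 72h (Important) -> effective 24h
        own, eff = mtd_hours(PROCS[name]), effective_mtd(name, PROCS)
        print(f"{name}: own MTD {own}h ({criticality(own)}), effective {eff}h ({criticality(eff)})")
```

Rerunning the script after shortening the dependent process’s MTD, or after removing the dependency, shows the second option the article offers: revisit the relationship, or the dependent’s MTD, instead of shortening this one.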
