
What is YOUR Cool Data? DIY Business Impact Analysis

I remember an old exercise, designed to make you consider what is truly important to you, in which you had to answer the question, “Your house is on fire. Every person and pet is safe, but you have time to go into your house and save exactly ONE thing. What would that ONE thing be?”

I am not going to answer that question, but it is a way to try to force you to consider what is of greatest value to you – or of greatest value to your organization. For the purposes of an information security exercise, I might change the question to, “Your organization has been breached by a team of malicious attackers. You have just enough time to completely protect exactly one data asset (drive, server, application, database, etc.). What data do you save?”

Can you answer that question off the top of your head?

Maybe. But based on the experience I have had working with clients, the answer is very often “no”. And, if I ask five directors or “C”s around your company that same exact question, how many of them would give the same exact answer? Of course, we would like to think that answer is “five”, but experience tells us the answer is probably “two”, or maybe “three”. We all have different experiences and different points of view. That doesn’t necessarily mean any of us are wrong; we just don’t approach the problem the same way. The issue is that, as a business, you need that answer in order to effectively protect your critical data and the environment in which it resides.

In the environment in which I grew up, the process used to help identify your cool data was called a Business Impact Analysis (BIA), and companies almost always went to one of the BIG FOUR accounting companies and paid something on the order of $400-600K for someone to do that BIA for them, identify their cool data, and attach an expected loss to each asset. But you don’t really have to do it that way. At the very least, you can identify your own set of “cool data” that makes sense for your organization by doing your own BIA.

No, it will not have the same level of analysis, statistics, and perhaps supporting documentation. But, I assert that you can get 85-90% of the same answer that you would get from the BIG FOUR simply by going through a simplified BIA process.

What process?

BIA-R-Us

Start by identifying the five people listed here. Use the examples for Joe’s Hat, Boot and Shoe Company as inspiration. (Joe’s is, by the way, a real company. It is just that “Joe’s Hat, Boot and Shoe Company” is not their real name.)

A. CFO: ______________________________ (Joe’s: CFO)

B. CIO: ______________________________ (Joe’s: CIO)

C. COO: ______________________________ (Joe’s: COO)

D. Business Line Manager #2: ______________________________ (Joe’s: Director, Manufacturing)

E. Business Line Manager #3: ______________________________ (Joe’s: Director, Retail Support and Distribution)

If you want the process to succeed, you have to start with people who know the business. The three identified “C” levels and the business line managers of the biggest business lines make up your starting point. The CFO, CIO, and COO may each REPLACE one of the listed business line managers with a different one, or add another business line manager to your list. As a general rule, they can then add no more than two other people, such as the Director of IT and a Compliance Officer, so your own list should end up with between five and ten names on it.

You should actually only need 15-30 minutes from each person on the list, so you are not asking for a huge time commitment. If they cannot answer the questions in something on the order of 20 minutes, they should appoint a subordinate to gather any required data and find the answers for them. You want each person on the list to go through the exercise described below:

What are your big three data assets?

Identify your three most important systems, databases, or applications, following the examples for Joe’s COO.

1. ______________________________ (Joe’s COO: EXODUS, online order taking)

2. ______________________________ (Joe’s COO: CATAWBA, retail and distribution)

3. ______________________________ (Joe’s COO: CARACOL, manufacturing management)

Realistically, if you have five people go through this, you will probably end up with a list of at least six important data assets. This is your base list of critical data assets. No editing of this list is allowed at this stage; you are just identifying the systems that your organization feels are important.

Is it critical? Is it really? Really?

Actual “criticality” is the catch in the list. Someone thinks everything on that list is important. And most likely, they are all “important” or they would not have been listed. But some are more important than others, and some are critical to your operations. The next step in your do-it-yourself BIA is assigning fixed values to those systems. The good news here is that this is much easier than it sounds.

Build your BIA table and list all of the identified data assets in no particular order in a single column. The real Joe’s Hat, Boot and Shoe Company created this list of data assets that at least one of the participants listed as critical.

Data Asset

1. EXODUS, online order taking

2. CATAWBA, Retail and distribution

3. CARACOL, manufacturing management

4. Juniper, Accounts payable/receivable

5. Exchange, corporate email and calendar

6. Payroll

Add three more columns and label them “2 hours”, “8 hours”, and “24 hours”.

Data Asset | 2 Hours | 8 Hours | 24 Hours

1. | | |

2. | | |

3. | | |

4. | | |

5. | | |

6. | | |

The next step is not nearly as hard as it sounds at first. Take a step back and think about the timeframe. Think about what the impact to your organization would be if that particular data asset were unavailable for the listed timeframe. For Joe’s Hat, Boot and Shoe Company, the first question is exactly “what is the impact to the company if the EXODUS online order taking application is offline and not available for two hours (and for 8 hours, and for 24 hours)?” The analysis and math here do not have to be perfect. We are looking for a general feel of the impact. Remember your timeframe of trying to complete your portion of the exercise in 20 minutes or so. Joe’s complete table appears below, with the approximate numbers and descriptions that were actually entered by the “real” Joe’s Hat, Boot and Shoe Company.

Data Asset | 2 Hours | 8 Hours | 24 Hours

1. EXODUS, online order taking
 2 hours: Reflects negatively on brand. Our perception is that most customers will tolerate a 2 hour outage as an inconvenience. We gain about as many of these from our competitors as we lose. Overall minimal impact.
 8 hours: Normal online sales account for approx. $10B annually. We do 75% of online sales in small time windows: Christmas and season changes (spring, fall). When shopping online, we expect 50% of shoppers will buy elsewhere if we are down for 8 hours, resulting in an effective loss of approx. $88K per MINUTE. An 8 hour outage means a probable $42M in lost sales.
 24 hours: Same analysis as 8 hours, but estimate abandonment rate at 75%. Estimated lost sales for a 24 hour outage are $140-150M.

2. CATAWBA, retail and distribution
 2 hours: Reflects negatively on vendor relations. A 2 hour outage is an inconvenience only. Minimal impact.
 8 hours: An 8 hour outage could mean we miss daily shipping for retail stores. Unlikely to result in out of stock for any products.
 24 hours: A 24 hour outage could result in retail shortage of popular products. Worst-case loss is daily sales of “A” product lines, approx. $10M.

3. CARACOL, manufacturing management
 2 hours: Systems are updated on demand and process orders placed weekly. In a 2 hour outage, we would continue to manufacture with no impact.
 8 hours: No impact for an 8 hour outage on weekly manufacturing planning.
 24 hours: No impact for a 24 hour outage on weekly manufacturing planning. We normally maintain a 10 day run cycle, so we would not be impacted for at least seven days.

4. Juniper, accounts payable/receivable
 2 hours: No impact for a 2 hour outage.
 8 hours: Minimal impact for an 8 hour outage. We could miss some accounts if the 8 hours hit exactly at end of month, but that is unlikely.
 24 hours: It would be difficult to run month end, collect invoices and pay vendors. No vendor impact for us. Daily interest on cash float is approx. $2M.

5. Exchange, corporate email and calendar
 2 hours: Inefficiency in operations among corporate staff, but minimal effective impact.
 8 hours: Inefficiency in operations, especially among distributed staff. A 10% loss in productivity is estimated at $500K.
 24 hours: Given our distributed operations, a full day outage would impact productivity. A 20% loss in productivity for 8 hours is estimated at $13M.

6. Payroll
 2 hours: At no time would a 2 hour outage affect payroll. We run payroll in a 48 hour window before the end of the current pay period.
 8 hours: No impact.
 24 hours: No impact.

Chances are that the important people in your organization can pretty readily provide numbers at this level of detail, but not everyone is going to have the same exact numbers for each data asset. If multiple contributors provide numbers for the same asset, start by averaging the numbers, and then sort the entire list of data assets by the identified impacts. For Joe’s, this process was pretty straightforward. With potential losses the size of $42M/$140M, the online order taking system is clearly their most critical system. After that, they identified CATAWBA, their retail and distribution system, as having the next greatest impact on the company. While, technically, their Exchange (Outlook) email system showed a slightly higher potential loss, contributors felt that an outage in retail and distribution would have a greater impact on the perception of the company and on the bottom line, and it was therefore considered more critical (so the process does require some critical thinking). Notice that even though their payroll system was initially identified as absolutely critical to operations (by the COO, no less: “We have to pay people or they stop working.”), payroll would effectively not be impacted by any outage of less than 32 hours.
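The averaging, sorting, and “critical thinking” override described above are easy to get subtly wrong in a spreadsheet once several contributors score the same asset. The following script is an added example for this article, not the author’s tooling or anything the real Joe’s used. It takes the asset names and dollar figures from Joe’s table, but the split of those figures across named contributors is constructed here to show the averaging; windows nobody scored are assumed to mean “no impact” (0), which is how the table treats them.

```python
"""Do-it-yourself BIA aggregation: average each contributor's impact estimate
per (asset, outage window), rank assets by mean loss, and let the team move an
asset up the ranking when judgment says the dollar figure understates it.

Added example for this article; not the author's own tooling. Asset names and
impact figures come from the Joe's Hat, Boot and Shoe Company table; the
per-contributor split is constructed, and an unscored window is assumed to be
"no impact".
"""
from collections import defaultdict
from statistics import mean

WINDOWS = ("2h", "8h", "24h")

EXODUS = "EXODUS, online order taking"
CATAWBA = "CATAWBA, retail and distribution"
CARACOL = "CARACOL, manufacturing management"
JUNIPER = "Juniper, accounts payable/receivable"
EXCHANGE = "Exchange, corporate email and calendar"
PAYROLL = "Payroll"

# (contributor, asset, window, estimated loss in USD). Constructed sample data:
# EXODUS is scored by two people with the $140M and $150M ends of the range the
# table gives, so the average lands on $145M; everything else is entered once.
CONTRIBUTOR_ESTIMATES = [
    ("COO", EXODUS, "8h", 42_000_000),
    ("COO", EXODUS, "24h", 140_000_000),
    ("CFO", EXODUS, "8h", 42_000_000),
    ("CFO", EXODUS, "24h", 150_000_000),
    ("COO", CATAWBA, "24h", 10_000_000),
    ("COO", CARACOL, "24h", 0),
    ("CFO", JUNIPER, "24h", 2_000_000),
    ("CIO", EXCHANGE, "8h", 500_000),
    ("CIO", EXCHANGE, "24h", 13_000_000),
    ("COO", PAYROLL, "24h", 0),
]


def average_estimates(estimates):
    """Return {asset: {window: mean_loss}} with every window filled in.

    Averaging is done per (asset, window), so a contributor who only scored
    the 24 hour column does not affect the 2 or 8 hour averages.
    """
    buckets = defaultdict(list)
    assets = []  # preserve first-seen order for stable output
    for _contributor, asset, window, loss in estimates:
        if window not in WINDOWS:
            raise ValueError(f"unknown outage window {window!r}")
        if asset not in assets:
            assets.append(asset)
        buckets[(asset, window)].append(loss)
    return {
        asset: {w: (mean(buckets[(asset, w)]) if buckets[(asset, w)] else 0.0)
                for w in WINDOWS}
        for asset in assets
    }


def disagreements(estimates, tolerance=0.5):
    """Flag (asset, window, low, high) where contributors differ by more than
    `tolerance` of the larger estimate. A silent average hides exactly the
    disagreements the article says need a conversation."""
    buckets = defaultdict(list)
    for _contributor, asset, window, loss in estimates:
        buckets[(asset, window)].append(loss)
    flagged = []
    for (asset, window), losses in buckets.items():
        hi, lo = max(losses), min(losses)
        if len(losses) > 1 and hi > 0 and (hi - lo) / hi > tolerance:
            flagged.append((asset, window, lo, hi))
    return flagged


def rank_assets(averaged, window="24h"):
    """Sort assets by mean loss for one window, highest first, as (asset, loss)."""
    order = sorted(averaged, key=lambda a: averaged[a][window], reverse=True)
    return [(asset, averaged[asset][window]) for asset in order]


def promote_above(ranking, asset, other):
    """Move `asset` to just ahead of `other` in a ranking from rank_assets().

    This is the judgment step: Joe's team put CATAWBA ahead of Exchange even
    though Exchange's 24 hour figure was slightly higher.
    """
    names = [a for a, _ in ranking]
    if names.index(asset) < names.index(other):
        return list(ranking)  # already ahead; nothing to do
    entry = ranking[names.index(asset)]
    rest = [r for r in ranking if r[0] != asset]
    idx = [a for a, _ in rest].index(other)
    return rest[:idx] + [entry] + rest[idx:]


if __name__ == "__main__":
    avg = average_estimates(CONTRIBUTOR_ESTIMATES)
    for asset, window, lo, hi in disagreements(CONTRIBUTOR_ESTIMATES):
        print(f"DISCUSS: {asset} @ {window}: estimates range ${lo:,.0f} to ${hi:,.0f}")
    final = promote_above(rank_assets(avg), CATAWBA, EXCHANGE)
    for position, (asset, loss) in enumerate(final, start=1):
        print(f"{position}. ${loss:>15,.0f}  {asset}")
```

Run as-is, the script prints the six assets ranked by 24 hour impact with CATAWBA moved into second place. The `disagreements()` check is the caveat a practitioner wants before trusting the average: if one director scores an asset at $0 and another at $5M, the mean is meaningless and the two should be put in a room together.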

Keep in mind that these numbers are simply a measure of the relative impact that an outage of the identified data asset could have on the company. And, if your numbers are of high quality, they actually provide an absolute measure of that impact. But the numbers do not include risk evaluation or probabilities. That is additional work to be completed to fully plan your security program. Still, if Joe’s Hat, Boot and Shoe Company is spending all of its operations and security budget to strengthen the resiliency of the CARACOL manufacturing management environment, it is clearly missing the boat, because it has at least four data assets that it acknowledges as being “more important” to the company. Just maybe it would be a better use of limited resources to make sure that the online ordering process is robust and protected.

This is simply a prioritization process. But consider that the original question was “what would you save?” Having some validation for what you have identified as your more (or most) critical data assets makes this a worthwhile exercise.

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.