The process of evaluating all of the critical systems (important to core business functions) in an organization to define impact and recovery plans.
Determining the potential impacts (costs, resources, time) resulting from the interruption of time-sensitive or critical business processes.
Identify critical business functions, systems, services, and technologies along with the cost associated with their loss and the maximum acceptable outage period.
NIST Definition
Mission-essential functions, roles, services, systems, applications, or data required to sustain business.
Steps:
Identification & Analysis
Prioritization
Calculating a Timeframe for Critical Systems Loss
Estimating the Tangible and Intangible Impact on the Organization
One fault or malfunction can compromise an entire system or enterprise.
Can be people or technology.
Are avoided with redundancy and fault-tolerant protocols/procedures (HA - High Availability).
RTO - Recovery Time Objective - The maximum amount of time that a process or service is allowed to be down while the consequences are still considered acceptable.
RPO - Recovery Point Objective - The point of last known good data prior to an outage that is used to recover systems.
As a general rule, the closer the RPO matches the time of the crash, the more expensive it is to obtain.
Mean Time to Failure (MTTF) - the average time to failure for a nonrepairable system.
Represents how long a product can reasonably be expected to perform, based on specific testing.
Mean Time Between Failures (MTBF) - the measure of the anticipated incidence of failure for a system or component.
Measurement determines the component's anticipated lifetime.
The average time required to repair a failed system, device, or component and return it to operational status.
The calculation includes preparation time, active maintenance time, and delay time.
Often part of a maintenance contract.
Personally Identifiable Information (PII) - Info that can be used to distinguish or trace an individual's identity, such as name, SSN, biometrics, etc., alone or when combined with other personal or identifying info that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Personal Health Information (PHI)
Privacy Impact Assessment (PIA)
Identifies the adverse impacts that can be associated with the destruction, loss, corruption, or accidental disclosure of sensitive, personal, or private data for the organization.
Required for any organization that collects, uses, stores, or processes PII or PHI.
Privacy Threshold Assessment (PTA)
Determines whether a system contains PII or PHI.
An agreement that specifies the security requirements for an interconnection between two organizations.