Archive for March, 2009

BIA (Business Impact Analysis) or not?

Tuesday, March 31st, 2009

Recently, I am observing a new trend of running a Business Continuity programs where BIA is completely skipped. Performing BIA from start to finish is expensive and often intangible.  Reason being, BIA, in my opinion is more of a bottom-up approach of analyzing the potential impacts and figuring out the qualitative or quantitative losses.

Rather a different approach is ‘top-down’ approach where business process owners decide where and when is IT needed the most. For example, will need Order-to-cash business process at the minimal and maybe customer service also depending on the budget availability. Clearly, this is a top-down approach as against performing BIA and the value offered here, although intangible it is, helps ‘carve out’ areas of the IT ecosystem for focusing with budget and resources to keep the continuity.

In my opinion, focusing the Business continuity program on objectives is a better investment than BIA.

Who needs ISO-27001?

Monday, March 30th, 2009

If you hold your client’s classified or sensitive data as part of performing business with your client, you may want to get an ISO 27001 to offer ’security’ comfort to your clients. Get it?

Here is an example, if you hapenned to hold your clients’ source code or similar sensitive data as part of performing your business, your client will be concerned about the security of their sensitive data -  specifically, they would like to know if your Information security department is reliable and sustainable.  That is where ISO 27001 comes in. Not all companies benefit from ISO 27001. Right?

What does ISO 27001 offer that is different from what you have today? It is a measuring Framework. Framework which enables you to scale your policies and handle them appropriately as your grow.

Security policies in companies today are often abstract and gets close to the ‘terms of usage’ policy within a company. However, it is worth exploring an ISO security framework - ISO 27001. This enables you to formally enumerate policies, data classifications and provide an appropriate risk treatment and provide continuity.