As part of our Business Impact Analysis Services we assess the business impact for your organization that may result from possible information security incidents, taking into account the consequences of a breach of information security such as loss of confidentiality, integrity or availability of the assets.
After identifying all assets under review, we assign values to these assets to be taken into account while assessing the consequences. The business impact value can be expressed in qualitative and quantitative forms, but any method of assigning monetary value may generally provide more information for decision making and hence facilitate a more efficient decision making process. Our asset valuation begins with classification of assets according to their criticality, in terms of the importance of assets to fulfilling the business objectives of your organization.
Asset valuation is a key factor in the impact assessment of an incident scenario, because the incident may affect more than one asset (e.g. dependent assets), or only a part of an asset. Different threats and vulnerabilities will have different impacts on assets, such as a loss of confidentiality, integrity or availability.
Assessment of consequences is related to asset valuation based on the business impact analysis. Consequences or business impact may be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or past data. Consequences may be expressed in terms of monetary, technical or human impact criteria, or other criteria relevant to your organization. In some cases, more than one numerical value is required to specify consequences for different times, places, groups or situations. Consequences in time and finance may also be measured with the same approach used for threat likelihood and vulnerability.