Pub. 9 2020 Issue 4

Pub. 9 2020 Issue 4 29 Deposit Capture process and the Reputational impact category. If a disruption to this process occurred, what impact would this have on the organization? Don’t spend too much time thinking about why the process is unavailable. Knowing why a process is unavailable is irrelevant to how long your organization can tolerate going without it before the missing piece begins to affect the organization’s mission, customer experiences, other business functions or compliance requirements. After one hour, the institution may have a few unhappy customers, but the impact would overall be Insignificant. Even after one day, the impact might still be Low. If the process was down for three days, clients may really start to notice and could be upset (Medium). After one week, the organization would likely have to do a lot of work to regain trust (High). If the process was unavailable for 60 days, the impact might be Extreme, as clients could be lost and damage our reputation with the community. See the image below for an example of what the ratings could look like. When this assessment is performed for each category, the level of tolerance can be identified before a disruption becomes too detrimental for the business. That is the process’ maximum tolerable downtime, and thus, criticality level. In this example, perhaps the impact is generally low prior to three days, so this process is set as Important. This means, in the event of a widespread business disruption, other higher priority processes will be given attention before this one, until the three-day mark is reached. Override for Dependent Processes Don’t forget about process dependencies. This could completely override the criticality level you determine through the BIA process. If there is another process with a shorter MTD which depends on this one to function, you must shorten the MTD of this process to have it ready to support the dependent one. Another option would be to reconsider the relationship between the two processes or reconsider if the other process has an accurate MTD. Leticia Saiid has been in the information security industry and providing public speaking for eight years. Leticia has a passion for clear and concise communication. After earning a B.A. and an M.A. in Mathematics, Leticia joined CoNetrix, where she served as the Tandem Software Support Manager for several years. She built and directed Tandem’s first team of support specialists. Leticia now serves as chief of staff, where she focuses on corporate strategy, employee development and training. Leticia is Security+ certified, has published various security blog posts and articles, and has presented multiple conference sessions over information security topics. Impact Category 2 hours (Critical) 24 Hours (Urgent) 72 Hours Important 7 Days (Normal) 30 Days (Nonessential) Compliance Insignificant Insignificant Insignificant Low Medium Financial Insignificant Low Medium High Extreme Operational Insignificant Insignificant Medium Medium Medium Reputational Insignificant Low Medium High Extreme Highest Insignificant Low Medium High Extreme Average Insignificant Low Medium High High Potential Impacts

RkJQdWJsaXNoZXIy OTM0Njg2