Defining Business Impact is the fourth step in building an X-Analytics profile.
The Business Impact section gives you the ability to modify your impact condition. Impact is directly related to confidentiality, integrity, and availability. This section is divided into a set of questions that are meant to capture availability and confidentiality details per asset group. Integrity is derived, within X-Analytics, based on company exposure and business impact answers.
The Business Impact section informs inherent and residual risk. If an asset group does not have strict availability requirements and does not have confidential records, then it will have moderate to low risk depending on the current threat condition. On the other hand, if an asset group has strict availability requirements and highly confidential records, then it will have moderate to high risk depending on the current threat condition.
To define your business impact, please follow the steps below.
Step 1: Answer the Asset Availability Questions
Before starting this section, you may need to interact with other business leaders or peers to make sure you understand the profile's availability requirements and which systems are processing, storing, and transferring confidential records.
For each question, you can:
Clear answers and start with a fresh input
Select the availability requirement. (Your options are between 30 minutes and 48 hours.)
The questions are listed below:
Web application availability requirement
Purpose: to define the profile's web application asset availability requirements.
Informs: risk for the entire web application attack column on the residual risk grid.
Point-of-Sale availability requirement
Purpose: to define the profile's PoS asset availability requirements.
Informs: risk for the entire PoS Intrusion and Skimming columns on the residual risk grid.
End user system availability requirement
Purpose: to define the profile's end user system asset availability requirements.
Informs: risk for the entire end user systems row on the residual risk grid.
Terminal availability requirement
Purpose: to define the profile's terminal asset availability requirements.
Informs: risk for the entire terminal row on the residual risk grid.
Removable media availability requirement
Purpose: to define the profile's removable media asset availability requirements.
Informs: risk for the entire media and offline data row on the residual risk grid.
Network availability requirement
Purpose: to define the profile's network asset availability requirements.
Informs: risk for the entire network row on the residual risk grid.
Server availability requirement
Purpose: to define the profile's server asset availability requirements.
Informs: risk for the entire server row on the residual risk grid.
People availability requirement
Purpose: to define the profile's people asset availability requirements.
Informs: risk for the entire people row on the residual risk grid.
ICS, SCADA, OT availability requirement
Purpose: to define the profile's ICS, SCADA, and OT asset availability requirements.
Informs: risk for the entire ICS, SCADA, OT row on the residual risk grid.
Healthcare devices availability requirement
Purpose: to define the profile's healthcare device asset availability requirements.
Informs: risk for the entire healthcare device row on the residual risk grid.
Onboard systems availability requirement
Purpose: to define the profile's onboard system asset availability requirements.
Informs: risk for the entire onboard systems row on the residual risk grid.
Critical Internet of Things (IoT) availability requirement
Purpose: to define the profile's critical IoT asset availability requirements.
Informs: risk for the entire critical IoT row on the residual risk grid.
Step 2: Answer the Asset Criticality Questions
The criticality questions are arranged by record type. For each question, you can:
Clear answers and start with a fresh input
Select the asset groups which process, store, or transfer the corresponding record type. (Your options are all of the asset groups.)
Select "Do not know". This answer will assume the record type exists on all applicable asset groups.
The questions are listed below:
Which assets process, store, or transfer PII records
Purpose: to define which asset groups process, store, or transfer PII records.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer PCI records
Purpose: to define which asset groups process, store, or transfer PCI records.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer PHI records
Purpose: to define which asset groups process, store, or transfer PHI records.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer Government Classified records
Purpose: to define which asset groups process, store, or transfer Government Classified records.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer Intellectual Property records
Purpose: to define which asset groups process, store, or transfer Intellectual Property, Trade Secrets, and other proprietary information.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer Financial, Business Strategy, and Other Confidential records
Purpose: to define which asset groups process, store, or transfer Financial, Business Strategy, and Other Confidential records.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer COPA PII records
Purpose: to define which asset groups process, store, or transfer COPA PII records. COPA PII are PII records related to minors, not adults.
Informs: risk for all selected asset groups.
Which assets process, store, or transfer PFI records
Purpose: to define which asset groups process, store, or transfer PFI records.
Informs: risk for all selected asset groups.
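As an added example (not X-Analytics code), the following Python sketch models the Step 1 and Step 2 answers described above: it checks an availability answer against the 30-minute to 48-hour range, expands a "Do not know" criticality answer to every applicable asset group, records which residual risk grid row or column each asset group informs, and applies the page's rule of thumb relating strict availability and confidential records to risk. The asset-group labels, grid cell names, the 4-hour "strict" cut-off and the "moderate" reading of the mixed case are assumptions chosen for illustration.

```python
# Added example, not X-Analytics code: asset-group labels, grid cell names and the
# 4-hour "strict" cut-off are assumptions. GRID_AXIS maps each Step 1 asset group to
# the residual-risk-grid cells its answer informs.
DO_NOT_KNOW = "Do not know"
MIN_AVAIL, MAX_AVAIL = 30, 48 * 60      # page: answers range from 30 minutes to 48 hours
STRICT_AVAIL = 4 * 60                   # assumed cut-off for a "strict" requirement
GRID_AXIS = {
    "web application":   ("column", ["Web Application Attack"]),
    "point-of-sale":     ("column", ["PoS Intrusion", "Skimming"]),
    "end user system":   ("row", ["End User Systems"]),
    "terminal":          ("row", ["Terminal"]),
    "removable media":   ("row", ["Media and Offline Data"]),
    "network":           ("row", ["Network"]),
    "server":            ("row", ["Server"]),
    "people":            ("row", ["People"]),
    "ics/scada/ot":      ("row", ["ICS, SCADA, OT"]),
    "healthcare device": ("row", ["Healthcare Device"]),
    "onboard system":    ("row", ["Onboard Systems"]),
    "critical iot":      ("row", ["Critical IoT"]),
}

def validate_availability(minutes):
    """Reject an availability answer outside the range the form offers."""
    if not MIN_AVAIL <= minutes <= MAX_AVAIL:
        raise ValueError(f"availability must be {MIN_AVAIL}..{MAX_AVAIL} minutes, got {minutes}")
    return minutes

def resolve_record_answer(answer, applicable=tuple(GRID_AXIS)):
    """Step 2: 'Do not know' assumes the record type exists on every applicable asset group."""
    groups = set(applicable) if answer == DO_NOT_KNOW else set(answer)
    if groups - set(GRID_AXIS):
        raise ValueError(f"unknown asset group(s): {sorted(groups - set(GRID_AXIS))}")
    return groups

def impact_band(minutes, record_types):
    """Page's rule: strict + confidential -> moderate-to-high; neither -> low-to-moderate."""
    strict, confidential = minutes <= STRICT_AVAIL, bool(record_types)
    if strict and confidential:
        return "moderate-to-high"
    return "low-to-moderate" if not (strict or confidential) else "moderate"  # mixed: assumption

def business_impact(availability, records):
    """Fold Step 1 (availability) and Step 2 (records) answers into a per-asset-group summary."""
    held = {g: set() for g in GRID_AXIS}
    for record_type, answer in records.items():
        for g in resolve_record_answer(answer):
            held[g].add(record_type)
    return {g: {"availability_min": validate_availability(m), "records": sorted(held[g]),
                "informs": GRID_AXIS[g], "band": impact_band(m, held[g])}
            for g, m in availability.items()}
```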
Step 3: Complete the Next Section of the Profile Builder.
For further Profile Build guidance, please return here.