Why don’t other business units read your Security Risk Assessments? Because they aren’t written in their language. Asset inventories and Business Impact Analysis are the most commonly skipped components of a comprehensive risk assessment. If you are making the case for security updates by speaking only about vulnerabilities, then you are setting your proposals up to fail.
Business Impact Analysis is a critical part of the Risk Assessment process. Business Protection Specialists explain as much in a wonderful blog post here. The key takeaway is that without understanding the potential IMPACT of failing to mitigate risks, your stakeholders won’t see the ROI in security investments.
We’ve made Business Impact Analysis easier than ever in Quill by ranking asset criticality along three distinct dimensions:
It’s simple to change any given asset’s name, location, quantity or criticality with in-line editing. And Business Impact metrics and reports roll up through their site to the organizational level.
The Business Impact Analysis Challenge
Business Impact Analysis, critical as it may be, is often skipped because it can be extremely subjective and is difficult to standardize. To solve this problem, Quill has introduced Criticality Definitions! These definitions can be set at the facility or organizational level and ensure that BIAs are consistent from year to year, location to location, and assessor to assessor.
Updating Assets in the future is a breeze, as the Criticality Definitions appear as tooltip text anywhere asset criticality can be edited.