Blog by Chris Gausden, Arcanum Principal Consultant.
I think it is undisputed that a critical part of any accurate business security risk analysis is an accurate Business Impact Analysis (BIA), used to focus on the truly critical business assets. However, I often wonder how many business organisations, let alone their security teams, fully understand their business in terms of its joined-up core processes, sub-processes, and their dependent component assets (people/technology/data/facilities/raw materials etc.).
Put simply, almost every business has three high-level core processes:
- Things they buy in (Raw materials/software/hardware/cloud services/people etc);
- Things they create (products, designs, applications, configure and operate service delivery capability etc);
- Things they deliver/sell (products/services etc).
Beneath each of these high-level processes there is a series of supporting sub-processes, for things like purchasing, receipt and despatch, data storage, asset management, research and development, CNC design and build, product storage, sales, service delivery, payroll, HR etc. Each of these sub-processes in turn relies on a list of common supporting component “assets” that normally consist of:
- Technology (cloud SaaS/PaaS/FaaS, hardware, infrastructure, and software)
- People (technical resource, Cyber etc)
- Process (manual or automated and internal and/or with 3rd parties)
- Data (various formats structured and unstructured)
- Facilities (corporate buildings, industrial work areas etc)
A combination of some or all of these component assets will be required to consistently support the delivery of a sub-process, and ultimately of a core business process. Conversely, any loss or interruption of a component asset can have varying degrees of impact on sub-process and core-process delivery, and on the success of the organisation. The BIA challenge is to identify these sub-processes and their component “assets”, and to prioritise them based on their relative importance and the number of higher-level processes that they support. This list of business-prioritised assets can then be fed into the business security risk assessment process, and on to risk treatment plans, so that the risks to genuinely business-critical assets can be accurately identified, assessed, and mitigated.
It all sounds simple enough, but how do you achieve this?
Top down is the order of the day: talk to all of the business function owners, starting with the high-level core business processes at senior management level, and work your way down through the sub-processes to the individual assets (assuming that there is an asset register for technology, if only for accounting purposes). If the business process mapping is done properly, and presented using a standard methodology with its associated graphical representation, it will be of use across the business, not just for finding the critical business assets to be protected by security controls.
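The prioritisation step described above, as an added example that is not from the original post: a small constructed dependency model in which the three core processes (buy/create/deliver) depend on sub-processes, which in turn depend on typed component assets. Walking the model ranks each asset by how many core processes and sub-processes it ultimately supports, which is why a shared sub-process such as payroll pushes its assets to the top. All process, sub-process and asset names below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: core process -> supporting sub-processes (names are illustrative).
CORE_PROCESSES = {
    "buy":     ["purchasing", "receipt_despatch", "payroll"],
    "create":  ["research_development", "cnc_design_build", "data_storage", "payroll"],
    "deliver": ["sales", "service_delivery", "product_storage", "payroll"],
}

# Constructed sample: sub-process -> (component asset, asset type) pairs.
SUBPROCESS_ASSETS = {
    "purchasing":           [("erp_saas", "technology"), ("finance_team", "people")],
    "receipt_despatch":     [("warehouse", "facilities"), ("erp_saas", "technology")],
    "payroll":              [("hr_db", "data"), ("erp_saas", "technology"), ("finance_team", "people")],
    "research_development": [("design_files", "data"), ("engineering_team", "people"), ("file_server", "technology")],
    "cnc_design_build":     [("cnc_workshop", "facilities"), ("design_files", "data")],
    "data_storage":         [("file_server", "technology")],
    "sales":                [("crm_saas", "technology"), ("sales_team", "people")],
    "service_delivery":     [("ops_platform", "technology"), ("engineering_team", "people")],
    "product_storage":      [("warehouse", "facilities")],
}

def asset_support_map(core, sub_assets):
    """Walk core -> sub-process -> asset and record, per asset, its type plus the
    sets of sub-processes and core processes that depend on it."""
    support = defaultdict(lambda: {"type": None, "subprocesses": set(), "core": set()})
    for core_name, subs in core.items():
        for sub in subs:
            for asset, atype in sub_assets.get(sub, []):
                entry = support[asset]
                entry["type"] = atype
                entry["subprocesses"].add(sub)
                entry["core"].add(core_name)
    return dict(support)

def prioritise_assets(core, sub_assets):
    """Rank assets by core processes supported, then sub-processes supported,
    then name for a stable order. Returns (asset, type, core_count, sub_count)."""
    support = asset_support_map(core, sub_assets)
    rows = [(a, e["type"], len(e["core"]), len(e["subprocesses"])) for a, e in support.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0]))

if __name__ == "__main__":
    for asset, atype, cores, subs in prioritise_assets(CORE_PROCESSES, SUBPROCESS_ASSETS):
        print(f"{asset:18} {atype:11} core={cores} sub={subs}")
```

The ranked list is the input the post describes feeding into the risk assessment: in this sample the ERP platform, finance team and HR database sit at the top because payroll is shared by all three core processes.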
[Figure: Typical high-level initial business process view for a satellite company]
Common Process Mapping methodologies and technologies:
- ArchiMate (Enterprise Architecture modelling and business process) [1]
- BPMS (Business Process Management Suite) [2]
- Nimbus/Tibco
- Swim Lanes
Whilst most business process mapping methodologies can be bought with a supporting technology that quickly creates the relevant graphical representations, it is possible to use most methodologies in common visualising products such as Visio, PowerPoint, and even Word once you understand the syntax and shapes used.
For more information, or to speak with an Arcanum Consultant, get in touch today by calling: 01558 66914, or alternatively email: marie.caruso@arcanumis.com.
Sources:
[1] https://pubs.opengroup.org/architecture/archimate3-doc/
[2] https://kissflow.com/bpm/bpms-business-process-management-suite/