Disaster Recovery Risk Assessment

Has anyone ever seen mention of the concept of a Disaster Recovery Risk Assessment? Our company has done a risk assessment and we have a Disaster Recovery Plan, but they are separate documents, though of course related. I had never even seen the idea of a DR Risk Assessment separate and distinct from the Risk Assessment done as one of the earliest steps in the development of a Comprehensive Information Security Program until one of our outside auditors suggested we develop one. I have been through all the ISACA literature I have and read some on the Internet and this site, and I cannot find the terms linked in this way anywhere. Could someone please direct me to such information if it does indeed exist? Thanks, Steve

Comments

RE: Disaster Recovery Risk Assessment

Have you tried the following sites/bodies:

Disaster Recovery Institute (DRI) International - https://drii.org/

Business Continuity Management (BCM) Institute - https://www.bcm-institute.org/

Vladimir804Lively at 12/11/2017 6:53:02 PM

RE: Disaster Recovery Risk Assessment

Years ago, before InfoSec was in vogue, risk assessments were undertaken as part of the business continuity plan development process. (A simple BC plan consisted of a risk assessment, a business impact assessment, and finally a plan.) The risk assessment analyzed any and all potential risks associated with the business operations. These risks included hurricanes, tornadoes, power failures, floods, etc. Each of the risks was reviewed as to potential impact and probability of occurrence (based on the geographic location of the business operation), along with any mitigation strategies. Then the risk probabilities and mitigation strategies were developed and presented in a report that senior management would review and decide on which risks they would mitigate and how. So then, when a BIA was undertaken, the impact of previously defined risks could be reviewed to ascertain if any would have adverse impacts on operations and IT.

Dr. Jim Kennedy, MRP
phdad_ccmLively at 12/14/2017 11:45:01 AM
(1 rating)

RE: Disaster Recovery Risk Assessment

Jim, Thanks for the response, but you were not clear as to whether you were describing the standard risk assessment I expressed in my question, and thus implying that a DR risk assessment is a new way to do that, which you did not bother to go on and describe (thus not covering the reasoning, benefits or basis in the literature for doing them), OR whether you were implying that you were describing the DR risk assessment I asked about, and that it was the methodology you were referring to as belonging to the years before InfoSec. I ask because I just this past fall studied and certified as a CISM, and the term was never mentioned and appears nowhere in the literature that I could find. So I am tempted to assume you were expressing that a DR risk assessment belongs to the years ago - but I hate to assume anything. Thanks, Steve
Steven373Lively at 12/14/2017 12:17:32 PM

RE: Disaster Recovery Risk Assessment

Hi Steve, Like you, I have searched for a standard DR risk assessment over the years and have yet to find one that fits the bill. There is a peaceful night's sleep in knowing you have checked all the boxes from the industry standard, but when no such standard is available, I have to find my peace elsewhere. Like many of these things, I have pulled together so many ideas from various resources over the years, adapted them, and bent them to my will. If you have a similar experience, you will find some things that make sense for your company and some that don't -- I'm not a municipality, a hotel chain, farm, industrial site, etc., but I made as comprehensive a list as possible, borrowed what made sense, and edited out, or categorized, what did not. Like Jim's, my risk assessment defines reasonably anticipated risk via severity and likelihood and defines appropriate controls and mitigation accordingly. The point of the assessment is to define controls and mitigation in line with your judgment of impact and probability. I determined the risks to include from the materials I amassed, but there was no one authoritative, all-encompassing standard. If you and your outside auditor create one, I will use it. :)
Joel223Lively at 1/30/2018 4:12:25 PM