95. Lesson 11: Strategy Resources
We’re going to take a look at our strategic resources. Now, as an information security manager, we should determine what resources are available as well as be aware, as we’ve said, of those potential constraints. And as a reminder, we said there were some constraints. Things that may be cultural, financial, or simply resources (technology resources, human resources, etc.), or any other reason that we may face constraints. So it’s important that we focus our strategy around the resources we have available.
96. Policies and Standards
Now, part of those resources are our policies and standards. So, first, let’s define policies and standards. First of all, the definitions that are going to be used throughout this lesson in this course are those that are in agreement with the major standards bodies, and they should be adopted here to avoid any confusion. These, of course, are the standards that ISAC Asaka is using throughout their definitions in the CISM course, and as I am going to use them here as I present CIS M to you, we’re going to keep the same kind of definitions that they use.
So, as an example, policies and standards are really considered tools of governance and management, respectively. So what we’re quickly saying is that policies are part of governance, and standards are part of management. And you’ll see that as we talk about them and how they are different and how they also support each other. Now, meanwhile, your procedures and guidelines are going to fall under the purview of operations.
So as we look at the definitions, a policy is a high-level statement of management intent, expectations, and direction. They usually remain pretty static. Now, just to oversimplify my example, I might just say, “Make a policy that says our customer accounts must be secure.” Sure, okay, well, that’s easy enough to say. That’s a very high level example, in fact, a very high level example that gives me the management intent and expectations, if not necessarily the direction where I might include adding there that our customer accounts must be safely maintained in accordance with certain regulations, regulatory laws, and frameworks that we might put in there. So now I’m kind of still giving you a high-level statement; you know what the management intent is, you know what my expectations are, and I’ve given you a bit of a direction or maybe a framework that you have to use to be able to be in compliance with this policy. Now, that’s not going to necessarily change over time. If I suddenly decide I don’t like my customers, I hope I don’t create a new policy requiring me to give away their data.
But that’s the idea—to stay static. Now the standards are the metrics, the allowable boundaries, or the process used to decide if your procedures, processes, or systems meet those policy requirements. So let’s take a look at this idea. If I already know, as an example, that the server that is storing this information is susceptible to a plain old brute force attack by somebody trying to guess the password or try every combination of passwords to be able to get in there, then I might have a standard with allowable boundaries that says that for these very secure, highly classified targets, if you have an account on here, you need at least a 20-character password. So there’s a boundary right there, and it expires within 30 days. So I’m putting in some boundaries so they can represent the metrics and boundaries of the process that we’d use to set that up. And again, our goal is to try to meet those policy requirements. Now, the procedures might tell me how to go about creating that password, and there may be other processes I have to incur to be able to get that password to actually be accepted, be verified, or maybe even be issued to me.
There are some places that have programmes that create these really randomized, hard-to-crack passwords. Anyway, that’s one example of a standard that was on the way. So there may be a series of standards in place just to get to that one statement about keeping those customer accounts secure. Now, our procedures are ways to clarify the responsibility of operations that include security operations, and they should give us a step-by-step set of instructions for the required requirements of any activity. Now, one of the nice things about having procedures is that we are going to know if they follow procedures—the path by which they get from point A to point B in support of our standard. Because we said this is how you do X, Y, and Z. If I’m going to talk about ways of being able to log in for the day, if I’m coming into work, there’s a series of procedures that are going to say, “Go to this program, entering your username and password, whatever it is,” and we’re going to have a step-by-step set of procedures. If we don’t, we run the risk of people guessing or finding the programme so frustrating that they don’t even want to try. We’re not clarifying responsibilities or thinking people aren’t smart enough to figure out a certain operation when we have a lack of procedures, but we’re trying to make sure it’s clearly understandable, usable by everyone, and consistently applied.
Now, our guidelines are also used for executing the procedures, and they often contain information that’s helpful in executing these procedures. Now, I do want to say this: your standards will change over time because, as I was talking about the standards representing the metrics, the allowable boundaries, maybe now we’ve learned that people can crack 20-character passwords in a matter of minutes. So we’re going to have to go into a passphrase, or we may have to have a new standard of having smart cards in conjunction with usernames and passwords. In fact, one standard you should have from time to time is how to deviate from the norm.
I realise that sounds really weird to say that, but sometimes that happens. I know from the work that I’ve done with a lot of law enforcement agencies that they can’t create standards for every situation that can come up. So oftentimes, they can only create guidelines for the use of force and those types of things. And even within the standards that they have, the standards might be the actual laws that they enforce under rulings from the Supreme Court. Sometimes they have to go outside of those standards because some new situation that has never been thought of before has occurred. That can happen as well when it comes to the security aspects of attacks and the ways in which new breaches can be found. Sometimes you have to go beyond those standards. So, not only do your standards have to change to keep up with new technologies and attack types, but they also have to change about what to do to get around the standard, or to say that I had to go against these standards because of these conditions. In other words, we’re kind of adding that catch-all phrase in there.
98. Enterprise Information Security Architectures
When we examine your enterprise information security architecture, we must keep in mind that it can be a very powerful integrating tool that can assist us in developing a strategy. And again, we’re talking about enterprise information working with and integrating with the enterprise. You can think of this as a blueprint that is going to be used to build a house. And even though it’s possible for us to develop a strategy without architecture, there could be some serious drawbacks, such as perhaps having less functional security integration and also having increased expenses and maybe being more time-consuming. So when I think about building a house, I might have the idea that, look, I’m not going to have this big blueprint, but I’m going to ask somebody to build a bathroom for me, and somebody to build a master bedroom, and somebody to build a dining room.
And then we’re going to bring them together, put them on a concrete slab, and realise they don’t quite fit together. I might lose the functionality of my bathroom door because it’s in the way of the wall to my bedroom. And so now I have to go to the expense of creating a new cut-out hole that’s time-consuming and potentially breaching another area of security by creating this new extra hole in the wall. And, once again, I realised that my examples are perhaps implausible, but I’m attempting to illustrate the points of what they’re discussing by having an architecture, an actual blueprint, knowing how things are built together, and working together to develop that strategy. to get to that end point.
Our controls are now the primary components we consider when redeveloping an information security strategy. Now, your controls are often categorised as physical, technical, or procedural. Some examples could be the controls it offers. It Controls are now frequently categorised as our technical controls. Now, you should know that Kobet focuses almost solely on its controls, and you have some of the most comprehensive approaches for determining your control objectives. Now again, most often we might think of those as our technical controls, and we’ll get into all these different types of options here in just a second. Let me just kind of hit some of these other examples. It’s possible that you have non-It controls.
These are controls for dealing with nontechnical events, such as how to deal with social engineering or what to do if someone calls you and asks for your password. How do we deal with device reuse? Do I donate hard drives? Do I have to do something special if I’m going to get rid of or throw away a hard drive? So things that are not technical but can still cause us a loss of information can also be looked at as layered defenses. Now remember, one important aspect of a layer of defence is that any one failure of a layer should not be able to cascade and cause the next layer to fail. that they should have independence or be autonomous from each other.
So that even if one layer of defence fails, whether through negligence, configuration, or an actual attack, the next layer of defence is still in place and still functioning as it should. OK, so back to the idea of physical, technical, or procedural When we talk about physical controls, we’re often talking about things that deal with physical security and physical access to facilities. We can give examples of those controls as guards. Fences, fences with reservoirs, closed-circuit TVs, motion alarms, fire alarms, and temperature controls Those are physical types of controls. Technical controls get us into some of the things that we can simply look at when we log on to a computer with a username and password. I have a smart card or a fingerprint scanner.
And of course, those are just examples of authentication as a technical control. The procedural—sometimes it’s called administrative—is what I like to call paperwork. That’s where we get into the standards, policies, procedures, and having them enforced from the top down, so that people really do look at them as more than just, “Oh, whoever does that, we just ignore it and do it this way” type of attitude that says, “Kathy, these are our standards.” This is the way we’re going to do things. Because if we don’t, then we won’t be here to do them wrong again tomorrow. It’s an important aspect, so that kind of encompasses the entire concept of controls and hopefully provides us with a good foundation for how we look at or view them as we discuss them in the context of our existing security strategy and security programs.
Now, countermeasures are usually measures of protection that reduce the level of vulnerability to a threat. Now, sometimes you can think of those as targeted controls. So we went through a lot of discussion about what a control is. And I’ll be honest with you, one of the main purposes of the controls has always been to reduce threats. So they’re almost always thought of as a countermeasure. Now, being targeted means we might have a specific device or specific action that we’ve chosen to do. As an example, you might restrict access to important information to a secure subnet and not to any other outside subnet. You might have made the determination to create a place for firewall intrusion detection systems for specific types of traffic, again, targeting the location of the network and the traffic direction that it’s going to travel and where it can go.
Now, with our technologies, we have to realise that there are different types of technologies that we can use to improve security, and they continue to evolve over the years. You know, I talk about a firewall. Originally, when a firewall came out, it was a very good idea. There was often a software-based programme running on a machine with two networks that looked at all the packets going back and forth and looked at a list of rules and decided if it was permitted or not. And it had to look at every single packet. And back in those days, firewalls were often just called “stateless firewalls.” And one of the things I read in articles back then was that, at the time of the article, this was more than a decade ago, if not a little more. It said that within five years, firewalls as we know them would be dead. They’re gone. They’re not going to be around anymore.
And I was like, “Wow, how can you do without a firewall?” All right, we still have devices that perform the same function as that original packet filter. They just do it better. Some now keep track of the state, which makes them harder to spoof. Some do deep packet inspections, looking into the actual data fields and not just layers three and four of the OSI model. Some perform antivirus scanning, anti-spam protection, and have web sense capability to categorise the web addresses that people are attempting to access in order to determine whether they are permitted within the internal network. And all of this is now done on one single platform. So from that statement that I heard—that the firewalls we know will not exist in five years’ time—they’re absolutely right. They don’t. They’re better. They do more things for us. So, when we discuss technologies, we must keep in mind that these technologies will continue to improve and security will evolve over time. And that means that you need to be familiar with how these technologies can help you achieve your desired state of security, especially when you consider that your roadmap may be a multi-year process.
Now, in working with personnel, your personal security is an important area for you to think about. Now, unfortunately, when I talk about personnel security, I’m not necessarily talking about ensuring their safety should there be a fire or an earthquake. By the way, those are very valid policies. They are very valid issues that your company should take care of. I don’t want to go to work for you if you aren’t worried about my security. But in our context here, we’re talking about what the personnel in our department can do. So I talk a lot about authentication, having multifactor and biometric smart cards, and having strong passwords. But, you know, that doesn’t secure my network. It just helps me prove who was in my network.
That person can still maliciously destroy information, and they can do it on purpose or completely accidentally. So we have to think about that. Now, remember that the personnel are often the weakest link in our security, and that’s a sad fact. In fact, going back to the firewall discussion, I used to tell people there were two problems with the firewall. The first problem was that it allowed traffic through, and that was kind of a joke. It must address the second issue, which was us. We configured them. We have the same issue with the way things might be configured.
So, once again, there are numerous weak links. Remember that people, though, are usually your first line of defense. They’re hopefully the first ones to notice something irregular happening and help report it or provide feedback. But we need to make sure we have good-quality people, ones that we can trust. So it means that we should have thorough background screenings conducted for all new hires. Methods of tracking the theft of information should be developed so we can track and see if it may have been internally, may have been externally, or where that point of theft occurred. But these are all issues that we should look at when we talk about them. Now security.
103. Organizational Structure
Another consideration we can look at is the organisational structure. Now that you know, it’s really not enough for the information security manager to simply verify that the manager reports to the CIO. We discussed how we have many other communication needs and how sometimes the issues of security and IT operations are at odds, or should I say buttheads, with each other and may be a conflict of interest. So we need to make sure that we have good lines of communication. Now, that can also depend on the type of management model that might be used by your corporation. We think of them as decentralized, centralized, and distributed at times. In a centralised system, we usually refer to a headquarters facility where the knowledge is stored.
which is great because we can all work together, on common projects, and we can most likely be managed fairly easily. But you know what? If I’m a multinational company, that’s horrible. And why is it horrible? Let’s say I’m based in the United States, but I have companies in India. There is a potential twelve-hour time difference ranging from ten to thirteen hours depending on where you are in the country. And if your centralised staff goes home at five, that means there’s nobody to help those folks in India that are working with your company. So we sometimes lose that autonomy or that ability to help. We lose the cultural basis and maybe even the language barrier. So you might consider a decentralized.Now the idea of a decentralised type of management is that we’re putting the help and the knowledge at different locations and bringing them closer to those users.
Now one of the other problems we might have in that aspect is that we might have different levels of help depending on how well trained and skilled the people are at these different locations. Now you may notice I’m playing the game of a politician. For every option I give you as a type of management, I’m giving you reasons why it might not be the best idea. There is no perfect method here that I can give you. I’m just talking about the types of organisations that you might have.
And, of course, we see something very similar to the decentralised system in a distributed system. Except, of course, that I might look at that as a more multinational effect of having different pockets of companies running. So a little different from decentralised and distributed, maybe if I had a company that, well, as an example, wasn’t quite distributed, but there was a company that I did some work for that actually owned several restaurant chains under different brand names, You could kind of make an argument that says chain A has separate management from chain B and separate management from chain C. They all worked, obviously, for one central company.
But command and control were distributed throughout the business functions of this corporation. That could be the case if you’ve made some mergers or purchased some businesses. Currently, I do a lot of flying, and my airline just purchased another airline, although the way it’s looking, it looks like it was the other way around. Right now I can’t upgrade a flight that I’m going to take because it’s with the company we just acquired, but apparently they’re not enough under the management of the company that acquired them. So they’re very dispersed and apparently not communicating very well because it’s affecting my flights. But that’s another example of mergers where they promise that at some point they’re going to be centralized, but at the moment they’re of a distributed nature.
104. Employee Roles and Responsibilities
Now, as we talk about our security strategy, another area is the employee roles and responsibilities. That means that we should have a strategy and mechanism to define all of those roles and responsibilities, as well as list them within the job descriptions. That means we should include security issues in an employee’s job performance. And often, that’s just sufficient to help improve any employee’s security awareness because they realize, “Hey, part of my rating is based on my ability to understand security.”
Another part of our assessment of employees should be their skills and skill sets. Indeed, you should compile a list of skill inventories from all of your current employees. These skills could be very important in the implementation of a security strategy. As an example, when I’m looking at skill sets, it’s important for me to understand that maybe I have a person who’s really good at firewall technology, but before they got into the firewalls, they were doing Windows administration, and that might be a useful tool. I may even have people, believe it or not, who are volunteer fire fighters, maybe volunteer paramedics or EMTs. That’s part of a security policy, especially in disaster recovery and response. So don’t just limit your questions to skill sets. When you’re creating a security strategy, you may have a wide variety of skill sets out there that could be very important. Now, it also includes one of the skills—increasing people’s skills through your training and education—and giving them the awareness that they’re always going to be vital to the overall strategy. This is especially true when dealing with security issues. Let people be aware; the more they know what to look for, the better off they’re going to be. as your first line of defense.
Internal and external audits are the main methods that we have of determining any information security deficiencies that might exist. Now, your internal audits in most large organisations are conducted by internal departments, and they generally are going to report to the chief risk officer or to an audit committee. Now, the emphasis is usually on policy compliance. External audits are often done under the supervision of the finance department, and these are often done outside of any involvement with security.
Again, if you consider the fact that financial reports, financial regulations, and regulatory laws often need an outside set of eyes looking at the books to make sure that there’s nobody playing any strange games or laundering, any money, hiding funds or finances, or doing embezzlement because they have a fiduciary responsibility to their stakeholders to be honest, accurate, and pay them appropriately. If there is a dividend, That has some issues to do with security, obviously internally as we try to safeguard information, but they are kind of generalised as “internal” and “external” audits. Now some of you might think, “Well, external auditing” means hiring a third person to come in and do a penetration test against our network. Well, yes, that can be considered an external type of audit in the realm of IT security, but generally, it’s for internal use, right? We’re going to use it for reporting our compliance with our security. So, at the very least, I can assist you with some of the categorization ideas.
107. Compliance Enforcement
When we get into the issue of compliance enforcement, we have to have procedures that are there for security violations, and they should be completed now. These procedures need to be supported from the top down, especially in the area of enforcement. When you think about the goal of enforcement, that means that sometimes we have to take some sort of action against an employee. It could be a suspension, a termination, or, depending on the issue, even a criminal prosecution. Now, if you don’t have enforcement from the top down, then you’re going to have a tough time actually enforcing these policies or these procedures. If you think of it this way, you also need consistency in the enforcement, by the way, in the enforcement.If I regularly let somebody download music from some BitTorrent site, And my policies and procedures explicitly say you can’t do this. My standards for the use of the Internet are not for personal use, and they’re doing it anyway, and you take no action. And then some other employee does the same thing, and you selectively decide.
I’m going to set a new example. By taking action against that employee, you’ve got yourself a really interesting type of potential for a lawsuit for discriminatory practices. So you have to be very careful about how you do the compliance enforcement. All right. Now, without sounding so cruel about suspending, terminating, or prosecuting employees, there is another effective approach that you can use to ensure compliance, and that is to consider an open system of trust that should include self-reporting. When people see violations, they see problems. If they understand the true need for and nature of security, then hopefully they will report. They’ll say, “Look here, we have some problems,” and there should also be voluntary compliance. If the rules say I cannot download music while I’m at work, then I will voluntarily make sure I don’t download music while I’m at work. Now that I’m behind the scenes on the security side, I want to be monitoring the traffic anyway and looking to see if they’re doing it. I guess I’m kind of less trustworthy, or at least I don’t trust people as often as I would try to. But it is an effective approach to getting people to kind of rally around the compliance of the different procedures that you have.
108. Threat Assessment
Now, threat assessment is typically part of risk assessment and is critical for strategic considerations in how policies are created. Now, threats are going to ultimately lead to the choice of controls that you use for the mitigation and reduction of risk. Now, your policy development should actually be mapped to a threat profile. Notice I didn’t talk about vulnerabilities. We often refer to a threat profile because threats are somewhat constant in some ways. I mean, a fire is a fire, a flood is a flood, and malware is malware. Somebody stole something. However, how the fire started, where the flood came from, how the malware was delivered, what process on my server it took over, or how the thief got into the building—those are vulnerabilities, and those can change frequently as a result of changes in my business, processes, technology, or even personnel.
But, once again, having a policy that goes against the threat profile, what happens if a laptop containing sensitive information is stolen? We want to address that kind of threat profile. The vulnerabilities result from it being left in an open office or in a public park. All these things are kind of iffy. As far as how I make this map to a vulnerability because I did a new upgrade of Windows, I’ve got some new vulnerabilities that I didn’t have before, and I got rid of some I used to have that are always on the change list. And that’s kind of what we’re trying to get at—how the threat assessment helps us along this path to policy development and why we’re developing policy in the first place.
109. Vulnerability Assessment
Now, we can also take a look at doing vulnerability assessments. Now, these are often conducted by automated scans, but by themselves, they’re very limited in their value. That means that we should also think about human involvement or intervention.
So what do I mean by that? If you’ve run it, and if I’m looking at just a technical type of scam, something that we can automate with a free programme like Nessus, it’s going to have its specific plugins, it’s going to have the limitations of addresses you asked it to look at, and it’ll scan it and run some automated tests. But that doesn’t help us with the human involvement. For example, many, many years ago, I was on a website for an amusement park that was giving away free front-of-the-line passes. And their system was that I had to go through 30 minutes of commercials to be able to go and get the pass and print the pass. Obviously, once I arrived at the location where the pass was, I wanted to go print it several times. And then it said, “Well, no, you can’t print it again unless I go through the commercial.” I tried to right-click and save the particular picture so that I could just print it on my own, but they disabled right-click. So I saved the web page and downloaded the picture onto my machine.
I printed as many as I needed. Now, I don’t know whether or not I should have done that, but it was a perfect test as to the human involvement. The vulnerability scan wouldn’t have gone through that kind of thought process about how to get around some of those systems. By the way, there were no limits on how many I could have; I just had to watch that commercial over and over again. So human involvement helps test those types of things. And we can also take the vulnerability beyond technology. We can look at processes and facilities. Well, all right, so there are many different types of processes. Some could be technological, and some might involve the human element. Again, the way we interact with people, testing to see if there are any flaws in the system, seeing if I can trick someone into giving me their passwords so that I can do social engineering. I’m not going to get out of an automated program. Trying to see if there are any ways to break into a facility, if there are any gaps or weaknesses that can be exploited. And again, something else is not usually done through an automated program. All of these are going to be able to provide crucial information about the state of your current security.
110. Risk Assessment
Risk assessment is accomplished by first figuring out what the viable threats to the information resources are going to be. Now, it is an important aspect, and as we’ve said over and over again, the risk assessment must be there to really come up with an idea or a strategy of where you want to be for a desired state of security. And we can use it to help figure out how to get from where we are to where we want to be and create a roadmap to get there. Now, to even begin the risk assessment, we at least have to know what the viable threats are. Now, that can include things that are physical and environmental as well as technological. For example, physical threats that we look at are going to be things like earthquakes, floods, other natural events, or storms. Now, we’ve told you that you should probably consider the likelihood of any particular threat to have good security, but I have to say that there are going to be some sort of limitations to that. When we look at a threat, we do want to know about the probability of it occurring as well, so that we can kind of focus our energies on something that’s more important.
As an example, if you live in a flood plain, you realise that there is a high probability that there could be floods. Often we build raised floors for the purpose of not having to worry about water coming into the actual facility. If you live in an area that’s close to faults for earthquakes, that makes sense. But if you’re worried about a comet coming out and striking your building, then we’re probably looking at the probability of that occurring as being so minute that we probably won’t even consider it as part of the risk assessment. So it also has to make some sense in terms of what you’re choosing as viable threats against your data or even the facilities that are housing the data. Now, having said that, the likelihood of it happening has to be part of the risk assessment as well as the frequency and magnitude of the currents. In other words, the exposure factor—how much damage can be done—should be included in that original assessment. Now, of course, as I’ve said, your formal risk assessment has to determine what those viable threats are. And you need to make sure that you lock them in there, because that information is what we’re going to use in either a quantitative or qualitative assessment of what could happen should this particular threat actually occur.
One solution you may choose is insurance. Now, as we address some risks, we may have decided that, rather than accepting whatever is left over, we will transfer the risk to a third party. And that’s where we get into the purchase of insurance. Now, you’d probably see that more often than not for some of your natural disasters, for the facilities that you actually own that have earthquake or flood insurance. Tornado coverage has been big this year. It’s been pretty bad across the country. All of those can be assured against, which means that will take care of the property damage. You may also consider liability insurance. Now, there are, of course, some professions, such as mine.
If I go out and do some consulting work and I make a mistake in the information that I provide that causes some damage to the company that I’m working with, I’m liable for their loss. So I have to carry errors and emissions insurance so that I can say, “Okay, look, I realise that I can lower my risk by trying to get more education, more experience, and doing my job as well as I can, but there are still going to be times when I’m going to worry about making a mistake.” And so I’ll do what I can to lower my risk, but at the same time, I’m going to transfer that residual risk to the type of insurance I buy.
We even see that in the medical profession as well. And I’ve even seen insurance for the business interruption. When Hurricane Katrina hit the south, many of the casinos, many of which I’ve visited in the blocks area, were destroyed. And I heard on the news that some of those casinos had business interruption insurance, which meant that they were still able to make payroll and pay their employees while they were rebuilding the casinos to be able to come back into business. And I thought, “Well, you know, there’s a company that really went out of its way to think about all the potentials of what could happen to their business.”
112. Business Impact Assessment
A part of this risk assessment is to also conduct a business impact assessment. Some of you might call it BiA; others might call it a business impact analysis. The idea is that we’re talking about the bottom line of risk, and the BA is designed to be able to consider the criticality and sensitivity of your systems and your information. Another way of looking at it, again, is to say that all of your assets should be classified—those that you just can’t live without, the loss of which would maybe just destroy the company completely.
And what do we need to do to protect them? And that was a list of criticality where we focused our energies on saying, “Look, in order for my company to continue to survive, I need these assets to be available at all times and not compromised.” And then we had to say, “Okay, now in order for those assets to be available, it’s one thing to have them stolen, compromised, altered, or destroyed.” It’s another thing to say, “Okay, now what other supporting dependencies are there that are going to help us get to that critical asset?”
So if I’m thinking of a banking institution and obviously the accounts that contain the customers, their balances, or deposits, the rest of that information, if that’s what’s critical, and I need to have access to that information as one part of the criticality, I also need to make sure that it’s not destroyed, altered, damaged, or hit by malicious attackers.
I’ve got to look at a couple of things. Number one, we can say, “Okay, we know that that data is critical, and so we’ll take a look at the business impact assessment of what would happen to our company if that went down.” But then we have to realise that that also means we probably need network connectivity. We need a facility with power to be able to power on the storage devices.
So there are some dependencies as well. And so part of your business impact assessment should also consider those resource dependency analyses, which again could even just be having people available to work with this information, particular office supplies, computers, servers, and the rest of it, whatever it is that we need to be able to help keep that very critical asset available, functionable, and secure. You may also want to consider the use of your business continuity plan and disaster recovery plan, which are being built around this business impact assessment of what it would take to restore something that’s critical to the company.