Risk Assessments

  • 1.  Business Impact Questionnaire

    Posted 03-07-2022 01:33 PM
    Hello! 
    Does anybody use a Business Impact Analysis / Questionnaire? Do you use it for all vendors? If not for all, what categories of vendors are subject to a BIQ? What areas do you cover in the BIQ?

    Thank you


  • 2.  RE: Business Impact Questionnaire

    Posted 03-07-2022 02:30 PM

    We don't use a BIQ; however, we do have an assessment which is used for those we deem critical or high based on an initial risk questionnaire.

    Happy to connect if you would like to discuss.

    Jamie Sumter
    IT Risk Management Lead
    Clarios


  • 3.  RE: Business Impact Questionnaire

    Posted 03-07-2022 03:04 PM
    Jamie, that would be awesome. I'd love to get your input; my email: [email removed by Community Manager for privacy reasons. Please reach out directly to the member through the Community for additional contact information]


  • 4.  RE: Business Impact Questionnaire

    Posted 03-07-2022 03:17 PM
    I am working more with the business impact portions (operations, finance) of the CIS RAM v2.1 for the CIS Critical Security Controls v8.

    It covers the Center for Internet Security Risk Assessment Method (CIS RAM) to assess posture. However, using the workbook developed by HALOCK Security Labs, it has 5 levels of Impact and a helpful definition of what they mean. https://learn.cisecurity.org/cis-ram

    For slides and a webinar, see answer in this thread: https://www.thirdpartythinktank.com/communities/community-home/digestviewer/viewthread?GroupId=79&MessageKey=3a59621a-b30d-4cd3-af17-995f72801f81&CommunityKey=529e881c-f368-4adf-9712-4838e3d8e521&tab=digestviewer

    It helped me expand how I look at the business side of impact analysis and made it easy to envision how new clauses in contracts can help protect our information and ourselves, and actually reduce the overhead of vendor management by at least 20 percent.

    From the linked page, https://learn.cisecurity.org/cis-ram, you can see it is meant as an open forum for risk assessment methods and is backed by surveyed findings and recommendations by firms and people facing the same issues we do.


    "Developed by HALOCK Security Labs in partnership with CIS, CIS RAM provides three separate security approaches to support different levels of organizational capability.

    • New to risk analysis? You can use CIS RAM's instructions for modeling foreseeable threats against the CIS Controls as your organization applies them.
    • Experienced with cybersecurity? Follow instructions for modeling threats against information assets to determine how the CIS Controls should be configured to protect them.
    • Cyber risk expert? Use CIS RAM's instructions for analyzing risks based on "attack paths" using CIS' Community Attack Model.
    "

    I hope this helps. Review the workbook spreadsheet to help frame the problem at the very least. All the best.