A key element of the BCP process is conducting a BIA. The purpose of a BIA is
to create a document that outlines what impact a disruptive event would have on
the business. The impact might be financial (quantitative) or operational (qualitative), such as the inability to respond to customer complaints. A vulnerability
assessment is often part of the BIA process. A BIA has three primary goals:
+ Criticality prioritization— Every critical business unit process must
be identified and prioritized, and the impact of a disruptive event must
be evaluated.
+ Downtime estimation— The BIA is used to help estimate the maximum
tolerable downtime (MTD) that the business can withstand and still remain
viable; that is, what is the longest period of time a critical process can remain
interrupted before the company can never recover? The BIA process often
determines that this time period is much shorter than expected.
+ Resource requirements— The resource requirements for the critical processes are also identified at this time, with the most time-sensitive
processes receiving the most resource allocation.
A BIA generally involves four steps:
1. Gathering the needed assessment materials
2. Performing the vulnerability assessment
118 Chapter 3 Cloud Computing Software Security Fundamentals
3. Analyzing the information compiled
4. Documenting the results and presenting recommendations
The Vulnerability Assessment
The vulnerability assessment is often part of a BIA. It is similar to a risk assessment but it is smaller than a full risk assessment and is focused on providing
information that is used solely for the business continuity plan or disaster
recovery plan.
The function of a vulnerability assessment is to conduct a loss impact analysis.
Because there are two parts to the assessment, a financial assessment and an
operational assessment, it is necessary to define loss criteria both quantitatively
and qualitatively.
Quantitative loss criteria can be defined as follows:
+ Incurring financial losses from loss of revenue, capital expenditure, or
personal liability resolution
+ Incurring additional operational expenses due to the disruptive event
+ Incurring financial loss resulting from the resolution of violating contract
agreements
+ Incurring financial loss resulting from the resolution of violating regulatory or compliance requirements

Qualitative loss criteria can consist of the following:
+ The loss of competitive advantage or market share
+ The loss of public confidence or credibility, or incurring public embarrassment
During the vulnerability assessment, critical support areas must be defined
in order to assess the impact of a disruptive event. A critical support area is
defined as a business unit or function that must be present to sustain continuity
of the business processes, protect life, provide safety, or avoid public relations
embarrassment.

Critical support areas could include the following:
+ Telecommunications, data communications, or information technology areas
+ Physical infrastructure or plant facilities, transportation services
+ Accounting, payroll, transaction processing, customer service, purchasing

Typical steps in performing a vulnerability assessment are as follows:
1. List potential disruptive events (i.e., natural, technological, and man-made).
2. Estimate the likelihood of occurrence of a disruptive event.
Chapter 3 Cloud Computing Software Security Fundamentals 119
3. Assess the potential impact of the disruptive event on the organization
(i.e., human impact, property impact, and business impact).
4. Assess external and internal resources required to deal with the disruptive
event.
Enterprise-wide awareness of the plan is important because an organization’s
ability to recover from an event will most likely depend on the efforts of many
individuals. Employee awareness of the plan also emphasizes the organization’s
commitment to its employees. Specific training may be required for certain
personnel to carry out their tasks; and quality training is perceived as a benefit,
which increases the interest and commitment of personnel in the BCP process.
Using the Cloud for BCP/DRP
Adopting a cloud strategy for BCP/DRP offers significant benefits without large
amounts of capital and human resource investments. Effective cloud-based BCP/
DRP requires planning, preparation, and selecting the cloud provider that best
meets an organization’s needs. A critical issue is the stability and viability of
the vendor. The vendor should have the financial, technical, and organizational
resources to ensure it will be around for both the short term and the long term.
In addition, in order for cloud BCP/DRP to reach its full potential, standardization across a variety of architectures has to evolve.
Proper design of a cloud-based IT system that meets the requirements of a
BCP and DRP should include the following:
+ Secure access from remote locations
+ A distributed architecture with no single point of failure
+ Integral redundancy of applications and information
+ Geographical dispersion
Redundancy Provided by the Cloud
Cloud-based BCP and DRP eliminate the need for expensive alternative sites and
the associated hardware and software to provide redundancy. This approach
also provides low-cost, widely available, dynamically scalable, and virtualized resources.
With a cloud computing paradigm, the backup infrastructure is always in
place. Thus, data access and running business applications are available on
cloud servers. Another option is to implement a hybrid cloud with collocation
of resources and services. Cloud service providers also offer organizations the
option to control the backup process through the use of storage area networks
(SANs). Examples of elements that require backup are application data, media
files, files that have changed, recent documents, the operating system, and
archival files.
Secure Remote Access
In order for cloud-based BCP/DRP to be effective, the cloud applications and
data must be securely accessible from all parts of the globe. One solution is
for the cloud vendor to establish a global traffic management system that provides the following customer services:
+ Meets service-level agreements for availability and performance
+ Regulates and controls traffic among virtual machines located at multiple
data centers
+ Maximizes speed and performance by directing traffic to the closest and
most logical cloud data center
These services have to be implemented and conducted in a secure environment to protect both the cloud consumer and cloud provider from compromises
and attacks.
Integration into Normal Business Processes
Services provided by a cloud vendor at a remote location are, in almost all cases,
isolated geographically from the customer’s facilities. The cloud enterprise is
strongly protected both physically and technically. At the consumer’s site, if cloud
processing and data storage are integrated into the daily routine of the business,
recovery from a disruptive event at the user organization can be more rapid and
involve less time and personnel. In many instances, the cloud resources will be
used in normal operations and will be available during a disruptive event at the
organization’s location without large amounts of transfer activity.