Tuesday, February 3, 2015

Comparing BIA, TRA and PIA

I found a rather good piece comparing three disciplines in information security: BIA (business impact analysis), TRA (threat and risk assessment) and PIA (privacy impact assessment). The material is in English and unfortunately I have no time to translate it, so I am posting it in the original:


BIA (Business Impact Analysis) – “to identify and prioritise the department’s critical services and assets.”

PIA (Privacy Impact Assessment) – “to ensure that privacy is considered throughout the design or re-design of projects and services” and provide “assurance that all privacy issues have been identified and resolved or mitigated.”

TRA (Threat and Risk Assessment) – “to determine the necessity of safeguards beyond baseline levels.”

In short, all three processes involve an element of analysis in support of recommendations for future action to address various risks. With a BIA, the prioritized list of critical services and assets provides an objective basis for selecting suitable BCP plans, measures and arrangements to address availability risks. In a similar fashion, the PIA helps responsible authorities make fully informed policy, system design and procurement decisions to avoid or mitigate privacy risks. Finally, the TRA identifies unacceptable risks to employees, assets and service delivery, and recommends additional safeguards beyond baseline controls to achieve cost-effective security solutions.


Although the BIA, PIA and TRA are complementary analytical methods for assessing and ultimately mitigating various risks, the scope of the three activities can differ significantly. 


In general, the TRA tends to encompass a broader array of assets and asset values than either the BIA or PIA. Depending upon the subject of the assessment, a TRA might analyze risks to all assets (tangible, intangible, personnel and services) and asset values (confidentiality, integrity and availability), as illustrated in figure below. 

In order to identify critical assets and services, the BIA concentrates on the availability and, to a lesser extent, integrity values of assets whose compromise (unauthorized destruction, removal, modification, interruption or use) could cause a high degree of injury. Of course, confidentiality concerns must be addressed during the subsequent selection and implementation of BCP plans, measures and arrangements, but assets with high and very high availability values remain the primary focus of a BIA, as illustrated in figure below.

The PIA only applies to programs and services that handle personal information, an important but limited subset of tangible assets. Other information, facilities, personnel, services and intangible assets generally fall outside the scope of assessment. Unlike the BIA, however, the PIA considers all three dimensions of asset value, assessing risks to confidentiality and integrity as well as availability, as illustrated in figure below. 


The BIA is the second of five elements in a complete BCP program described in section 10.14 of the GSP. The others are BCP governance, BCP plans and arrangements, BCP program readiness, and continuous review, testing and audit. Section 3.2 of the Operational Security Standard – Business Continuity Planning (BCP) Program identifies five steps within the BIA to establish a sound basis for subsequent recommendations regarding appropriate BCP plans, measures and arrangements. As indicated in table below, these five steps (identify business lines/services, determine impact of disruptions, assess high level injuries, identify/prioritize critical services, and obtain management approval) correspond closely to the Data Analysis component of a PIA and the Asset Identification/Valuation Phase of a TRA. Thus, the BIA by itself is a more tightly constrained activity than either the PIA or the TRA. That being said, other elements of a complete BCP Program, such as the selection of BCP plans and arrangements, match the Conclusion and Path Forward portion of a PIA and the Recommendations Phase of a TRA, establishing closer parallels. Finally, a BCP Program has no equivalent to the Threat Assessment and Risk Assessment Phases of a TRA, because the inevitability of disruptive threat events is an underlying assumption throughout the analytical process.

The Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks prescribe a four-step PIA process: (1) Project Initiation; (2) Data Analysis; (3) Privacy Analysis; and (4) Privacy Impact Assessment. An examination of the subordinate activities within each step reveals that Project Initiation is substantially the same as the Preparation Phase of a TRA. Data Analysis corresponds closely with the Asset Identification and Valuation Phase. As with the BIA, there is no equivalent to the Threat Assessment Phase, but Privacy Analysis is similar to the Risk Assessment and Recommendation Phases of a TRA. Thus, the purpose and scope of a PIA are certainly more focused than those of a TRA, but there remains a strong resemblance between the analytical processes to assess and mitigate risks. 

With its unique Threat Assessment Phase and a more explicit Vulnerability Assessment, a typical TRA tends to be longer and far more detailed than either the BIA or PIA. Nevertheless, the Calculation of Residual Risk and Recommendations Phase map very well onto the Privacy Impact Assessment step of a PIA and the BCP Plans and Arrangements element of a BCP Program. As noted above, these relationships are illustrated in table below.


BIA/PIA as Inputs to a TRA
Both the BIA and PIA can be valuable inputs to a TRA project, especially the Asset Identification and Valuation Phase, as indicated in sections 5.4.6 and 5.5.1 of Annex A. The responses to questionnaires A and B in the Privacy Analysis step of a PIA can also provide useful information for the Vulnerability Assessment, as can the mitigating factors or safeguards specified in the final step of the PIA.

TRA as an Input to a BIA/PIA
In the absence of either a BIA or PIA, the data collected during a TRA project may be culled to produce the other related documents, especially if this objective is clearly identified at the outset. For example, the Statement of Sensitivity in a TRA report should provide enough information to compile both a BIA and the Data Analysis step of a PIA. Then, the Vulnerability Assessment and Recommendations Phase should contain a thorough analysis of availability safeguards, including BCP plans and arrangements, the third element of a complete BCP program. Similarly, the information collected for the Vulnerability Assessment should address most of the questions in Questionnaires A and B of the Privacy Analysis step of a PIA, especially those related to the following privacy principles: (5) disclosure and disposition; (6) accuracy of personal information; (7) safeguarding personal information; and (9) individual’s access to personal information.
