I am preparing for the upcoming CISSP exam and currently doing self-study.
I need your advice on the question below.
Q. What assesses potential loss that could be caused by a disaster
As per the online material, the correct answer should be B.
But as per me, a risk assessment does assess the potential loss of a disaster (quantitative or qualitative). The correct answer should be C.
Appreciate your advice on the correct answer.
A BIA would be broader than your typical InfoSec risk assessment.
If you think about it, a BIA needs to consider things like loss of water supply to the site, flooding in an area, severe weather, etc. So imagine staff cannot get to the site due to damage to their home or property from a severe weather event: the impact is likely to be a reduction in the staff available, despite the fact that remote access to information is still in place.
I like this definition:
Risk assessments analyze potential threats and their likelihood of happening, a business impact analysis explains the effects of particular disasters and their severity.
So the question asks:
>>> What assesses potential loss that could be caused by a disaster
Based on this definition, I would choose BIA and not the Risk assessment.
This article might help:
It's fairly common to look at a BIA from a value chain perspective. Take a single business function and determine the impact of its unavailability over a number of time horizons. Consider what the impact is on upstream supplier and downstream customers.
It's typical to turn those impacts into consequences: financial, legal, regulatory, reputational, etc. You'd also need to consider support functions as well, most probably health and safety, HR/payroll, finance, procurement and business risk/insurance, as they are likely to be part of the recovery effort for many disruption scenarios.
To give a practical example, the Ford Motor Company decided in the late 60s not to entertain an equal pay claim, so the women doing the upholstery machining went out on strike. The consequence was that car production stopped once the stocks of finished car seats ran out, as the seats were critical to the finished product.
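As an added illustration of the value-chain view described in this answer (example code added here, not the poster's and not any BIA standard): each business function is a node with upstream dependencies, a buffer of stock or slack in days, and a daily loss figure. For a disruption scenario the code works out when each downstream function stops and the cumulative loss at several time horizons, which is the "impact" side a BIA produces; the last function then multiplies that impact by a likelihood, which is the step a risk assessment adds. The functions, buffers and loss figures are constructed for the example and are loosely modelled on the seat-stock story above, not taken from it or from Ford.

```python
"""Toy business impact analysis over a dependency chain (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class BusinessFunction:
    name: str
    depends_on: List[str] = field(default_factory=list)  # upstream functions
    buffer_days: int = 0        # days it keeps running on stock/slack after an upstream stops
    loss_per_day: float = 0.0   # direct loss per day it is down (constructed figure)


# Constructed value chain; figures are illustrative only.
FUNCS: Dict[str, BusinessFunction] = {f.name: f for f in [
    BusinessFunction("seat_machining", [], 0, 5_000),
    BusinessFunction("car_assembly", ["seat_machining"], 3, 100_000),  # 3 days of finished seats in stock
    BusinessFunction("sales", ["car_assembly"], 10, 50_000),           # 10 days of finished cars in stock
    BusinessFunction("payroll", [], 0, 20_000),                        # support function, independent here
]}


def outage_start(funcs: Dict[str, BusinessFunction], failed: Set[str],
                 name: str, memo: Optional[Dict[str, Optional[int]]] = None) -> Optional[int]:
    """Day on which `name` stops, given the functions in `failed` stop on day 0.

    Returns None if `name` is unaffected. The dependency graph is assumed acyclic.
    """
    if memo is None:
        memo = {}
    if name in memo:
        return memo[name]
    if name in failed:
        memo[name] = 0
        return 0
    upstream = [outage_start(funcs, failed, d, memo) for d in funcs[name].depends_on]
    starts = [s for s in upstream if s is not None]
    # Downstream stops once the earliest-failing upstream has exhausted this function's buffer.
    memo[name] = None if not starts else min(starts) + funcs[name].buffer_days
    return memo[name]


def impact_at(funcs: Dict[str, BusinessFunction], failed: Set[str], horizon_days: int) -> dict:
    """Functions down by `horizon_days` and cumulative loss up to that horizon."""
    memo: Dict[str, Optional[int]] = {}
    down: Dict[str, int] = {}
    loss = 0.0
    for name in funcs:
        start = outage_start(funcs, failed, name, memo)
        if start is not None and start <= horizon_days:
            down[name] = start
            loss += (horizon_days - start) * funcs[name].loss_per_day
    return {"horizon_days": horizon_days, "down": sorted(down), "loss": loss}


def bia_report(funcs: Dict[str, BusinessFunction], failed: Set[str],
               horizons: List[int]) -> List[dict]:
    """The BIA output: impact of one scenario across several time horizons."""
    return [impact_at(funcs, failed, h) for h in horizons]


def annualised_risk(impact_loss: float, events_per_year: float) -> float:
    """Risk-assessment step: impact (from the BIA) times likelihood = expected annual loss."""
    return impact_loss * events_per_year


if __name__ == "__main__":
    scenario = {"seat_machining"}  # e.g. the machining staff walk out
    for row in bia_report(FUNCS, scenario, [1, 7, 30]):
        print(f"day {row['horizon_days']:>2}: down={row['down']} loss={row['loss']:,.0f}")
    # Suppose the recovery plan restores machining within 7 days and the scenario is
    # judged to occur 0.2 times a year (constructed likelihood).
    print("annualised risk:", f"{annualised_risk(impact_at(FUNCS, scenario, 7)['loss'], 0.2):,.0f}")
```

Note that the same scenario produces very different numbers at different horizons, which is why a BIA is reported per horizon (and why buffer stock matters); the likelihood figure is an input the BIA does not supply, so the final risk number cannot be produced by the BIA alone.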
A risk assessment should identify / assess the scenarios and likelihood that may occur and the hazards to the assets.
A BIA will dig a little deeper into assessing the consequences/loss (aka "the impact") to the assets.
Yes, the answer is B as the online study material states. The likelihood of an event occurring ("potential loss") multiplied by impact equates to "risk". The "potential loss" is the impact or outcome of an event. An impact analysis would be used, not a risk assessment. Potential or probable Impact determines risk, not the other way around.