
Business Impact

Updated: Sep 20, 2023

Defining Business Impact is the fourth step in building an X-Analytics profile.


What you will learn:


The Business Impact section gives you the ability to modify your impact condition. Impact is directly related to confidentiality, integrity, and availability. This section is divided into a set of questions that are meant to capture availability and confidentiality details per asset group. Integrity is derived, within X-Analytics, based on company exposure and business impact answers.

The Business Impact section informs inherent and residual risk. If an asset group does not have strict availability requirements and does not have confidential records, then it will have moderate to low risk depending on the current threat condition. On the other hand, if an asset group has strict availability requirements and highly confidential records, then it will have moderate to high risk depending on the current threat condition.


To build your threat landscape, please follow the steps below.



Step 1: Answer the Asset Availability Questions

Before starting this section, you may need to interact with other business leaders or peers to make sure you understand the profile's availability requirements and which systems are processing, storing, and transferring confidential records.

For each question, you can:

  • Clear answers and start with a fresh input

  • Select the availability requirement. (Your options are between 30 minutes and 48 hours.)

A list of the questions is below:

  • Web application availability requirement

    • Purpose: to define the profile's web application asset availability requirements.

    • Informs: risk for the entire web application attack column on the residual risk grid.

  • Point-of-Sale availability requirement

    • Purpose: to define the profile's PoS asset availability requirements.

    • Informs: risk for the entire PoS Intrusion and Skimming columns on the residual risk grid.

  • End user system availability requirement

    • Purpose: to define the profile's end user system asset availability requirements.

    • Informs: risk for the entire end user systems row on the residual risk grid.

  • Terminal availability requirement

    • Purpose: to define the profile's terminal asset availability requirements.

    • Informs: risk for the entire terminal row on the residual risk grid.

  • Removable media availability requirement

    • Purpose: to define the profile's removable media asset availability requirements.

    • Informs: risk for the entire media and offline data row on the residual risk grid.

  • Network availability requirement

    • Purpose: to define the profile's network asset availability requirements.

    • Informs: risk for the entire network row on the residual risk grid.

  • Server availability requirement

    • Purpose: to define the profile's server asset availability requirements.

    • Informs: risk for the entire server row on the residual risk grid.

  • People availability requirement

    • Purpose: to define the profile's people asset availability requirements.

    • Informs: risk for the entire people row on the residual risk grid.

  • ICS, SCADA, OT availability requirement

    • Purpose: to define the profile's ICS, SCADA, and OT asset availability requirements.

    • Informs: risk for the entire ICS, SCADA, OT row on the residual risk grid.

  • Healthcare devices availability requirement

    • Purpose: to define the profile's healthcare device asset availability requirements.

    • Informs: risk for the entire healthcare device row on the residual risk grid.

  • Onboard systems availability requirement

    • Purpose: to define the profile's onboard system asset availability requirements.

    • Informs: risk for the entire onboard systems row on the residual risk grid.

  • Critical Internet of Things (IoT) availability requirement

    • Purpose: to define the profile's critical IoT asset availability requirements.

    • Informs: risk for the entire critical IoT row on the residual risk grid.


Step 2: Answer the Asset Criticality Questions

The criticality questions are arranged by record type. For each question, you can:

  • Clear answers and start with a fresh input

  • Select the asset groups which process, store, or transfer the corresponding record type. (Your options are all of the asset groups.)

  • Select "Do not know". This answer will assume the record type exists on all applicable asset groups.

A list of the questions is below:

  • Which assets process, store, or transfer PII records

    • Purpose: to define which asset groups process, store, or transfer PII records.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer PCI records

    • Purpose: to define which asset groups process, store, or transfer PCI records.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer PHI records

    • Purpose: to define which asset groups process, store, or transfer PHI records.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer Government Classified records

    • Purpose: to define which asset groups process, store, or transfer Government Classified records.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer Intellectual Property records

    • Purpose: to define which asset groups process, store, or transfer Intellectual Property, Trade Secrets, and other proprietary information.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer Financial, Business Strategy, and Other Confidential records

    • Purpose: to define which asset groups process, store, or transfer Financial, Business Strategy, and Other Confidential records.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer COPA PII records

    • Purpose: to define which asset groups process, store, or transfer COPA PII records. COPA PII are PII records related to minors, not adults.

    • Informs: risk for all selected asset groups.

  • Which assets process, store, or transfer PFI records

    • Purpose: to define which asset groups process, store, or transfer PFI records.

    • Informs: risk for all selected asset groups.



Step 3: Complete the Next Section of the Profile Builder.

For further Profile Build guidance, please return here.
