| # | Question |
|---|---|
| 1 | Should we be using a preventive control? Ask "Is the cost of using a preventive control less than the sum of cost-to-fix and possible impact penalties for all the events that the preventive control is designed to detect?" If the answer is yes, then there is indeed a case for using a preventive (i.e. Class 1) control. |
| 2 | Should we improve the efficiency of our detective controls? Upgrade from Class 4 to Class 3: Ask "Is the cost of the upgrade less than the average impact penalty times the number of events?" If the answer is yes, then an upgrade from a Class 4 to a Class 3 control is worthwhile. Upgrade from Class 3 to Class 2: Ask "Is the cost of the upgrade less than the average reduction in the cost-to-fix times the number of events?" If the answer is yes, then an upgrade from a Class 3 to a Class 2 control is worthwhile. |
| 3 | Should we pre-deploy our BCPs? Ask "Is the cost of pre-deployment over Y years minus the business benefit prior to invocation less than the reduction in impact penalty, minus the loss in business benefit, multiplied by the number of times the BCP might be invoked in that period of Y years?" If the answer is yes, then pre-deployment is worthwhile. |
| 4 | Should we have a BCP? Following consideration of the impact penalty and likelihood of occurrence, ask "Is this an acceptable risk?" If the answer is no, then you need a BCP. |