3.17 The Business Impact Analysis (BIA)

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

12 hours 48 minutes
Video Transcription
now one of the most important documents with business continuity is gonna be the business impact analysis that business impact analysis is gonna be the basis of almost everything that we do. So the main purpose of a business impact analysis is to identify and then prioritize
all business functions based
on criticality. Because when it comes right down to it, criticality is where it's at right and what that means. We talked about critical. We're talking about time sensitive. Where do we bleed? Money is sort of what we're looking at, right? So
if I have a service that the longer that service is down, the more money I lose more money, that's a critical service.
Don't confuse critical with important. So I might be in an organization where compliance is very, you know, it is very important. So we have an audit team. They're really important to the health of our business.
But if we have a fire, I doubt that the first thing I think of is get the auditing back up and running. I tend to think, get the call center back up, get carte service, is get, um, the Web presence. Right? So that's a difference in criticality and importance, sometimes the same, but not always.
All right, So we're gonna figure out what resource is air the most critical. And then we're gonna determine how critical.
So, for instance, we're going to think about from a customer service perspective, we may think about service level objectives in the event of a disaster. What's the degree of service we're going to provide our customers?
If I'm in a call center in Jacksonville, North Carolina and there is a hurricane and we're down, we'll switch operations, maybe over to Kansas City, Kansas.
But Kansas City, Kansas, is handling all their fold calls, plus the ones from Jacksonville, North Carolina. They're not gonna be at 100% performance, So we'll say 80% is our service level agreement. Whatever. We want a target for customer service, other ideas, a recovery point, objective
an or P o. How much or what is our tolerance for data loss? How much data are we willing to lose
now, when we hear that the first thought is none lose data. Well, you could do that, but it's gonna cost a lot of money,
right? That's gonna be up to the second redundancy, and that's expensive. So what we have to do is take a real look and say, OK, I can tolerate to lose half an hour's worth of transactions.
Well, I need to make sure based on that information, the plan that if I lose my live processing that I can restore
up to half an hour ago, that makes sense. I get those transactions back from half a Knauer forward.
All right, Maximum tolerable downtime sometimes has referred to his recovery time objective. Either of those,
how quickly do I have to restore a resource? So I've got ah, mail server. You can only be down in our That's your recovery time objective. So to give you the difference between our P O and Artie. Oh,
recovery point objective is how old your data can be.
Maximum tolerable downtime is how quickly
you need a service restored. For instance,
the business impact analysis states that my mail server can only be down two hours.
Server fails at nine. I have it back up and running it. 10. I've met my maximum tolerable downtime. Right. I get it back up within an hour when dammit nine. I gotta back attempt. However, I have lost all of your email messages from this year. Anything prior to 2019? I could get back for you easily,
but anything since then, forward. I've lost books.
That's a recovery point. Objective problem. Hope that makes sense. All right. Recovery service level. Um, so, in a reduced capacity, maybe we've had an issue with power
and we're gonna be powered by generators. Well, obviously, I'm not going to have the same amount of resource. Is the same amount of power available? So, to what degree do I need to restore that service
so that I can have that minimum based operating capacity that I need in the event of a disaster? So these air some metrics that air specified in the B I a definitely testable indefinitely important this b I A document is where we figure out
where we suffer the greatest loss, and that's from our critical resource is
we determine what's critical and how critical.
On this slide, we see our recovery point objective and recovery time objective again. Just a reiteration of what I said. So the exploit patient is to understand recovery. Point of that objective is about data loss.
Recovery time Objective is how quickly service needs to be restored. So,
uh, just exactly what we talked about just a second ago.
Up Next
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.

Instructed By