4.4 Business Impact Analysis

Video Transcription
One of the most important tools that we use in information technology, in disaster recovery and business continuity planning, is the business impact analysis. So the purpose of the business impact analysis is to identify and prioritize our business processes based on the impact of their loss to the organization. So this is focused on criticality, and criticality means just that: the damage that would occur should we lose this process, this system, this service.

So, for instance, if you think about an organization that has a huge Web presence, let's think about Amazon, for instance. How much money do you think Amazon loses if it's offline for a day? Amazon is gonna lose a ton of money, and not just for a day, but even an hour, even 15 minutes. So based on the amount of loss the organization would suffer, we're gonna mark that Web presence as being a highly, highly critical part of the business.
So with the business impact analysis, what we do is we go through and we categorize our resources, our processes, our services, our systems, and we prioritize them based on criticality, and that's what's going to drive things. And we all know we've got limited funds. We don't have money for everything we want to take care of in the world. That's gonna help us put our priorities in place so that we direct our resources at those areas where we would suffer the greatest potential for loss. So it's simply a way of prioritizing.
When we look at using the business impact analysis, one of the things that we'll need to do as part of that is just determine how critical these elements are. Right? So say it's critical. But what does that mean? Well, the criticality is going to drive things like how quickly that product needs to be restored, or that process needs to be restored. And we can also use that to address data and talk about how current our data must be.
Now, if you were to go to senior management and say, how much data can we lose? I can just about guarantee you the initial response would be: none. Well, I can get you almost 0% data loss, but I can't guarantee that no matter what you'll not lose data. You know, there's a tiny little potential there, but it's gonna cost a lot of money. To have that degree of redundancy is very expensive. I can get you 99.999997% uptime. But it's gonna cost money.

So when we go through and we look at this business impact, we have to have a really honest discussion about what is acceptable, because when you say we'll tolerate zero data loss and zero downtime, the expenses to accomplish that can be very great. So that tends to start the discussion where, when you say, okay, in order to get this degree of redundancy, it's gonna cost us $1.5 million, that's when senior management says, well, what I meant to say was, we can tolerate 15 minutes of downtime, we can lose an hour's worth of data. But whatever that discussion leads to, that needs to be documented.
And our recovery strategies, as well as our protection strategies, are going to be based on metrics like MTD, RTO and RPO.

All right, so for MTD, maximum tolerable downtime: what is the longest amount of time that device, that process, that service could be out of commission before we suffer a loss that's unacceptable to senior management? The maximum tolerable downtime could be called the maximum tolerable outage as well. But what's the absolute longest we can be without this device?

Now, recovery time objective. Ideally, that's kind of like when we'd like to have it back up and running. Maximum tolerable downtime is the absolute longest, but we'd like to have it back up and running within 20 minutes. That's the recovery time objective. Could I feasibly bring this device back in 20 minutes? Yeah, but if it goes longer than an hour, then we've failed.

All right, now, recovery point objective. That's the tolerance for data loss. How current must data be? And if you think about it, if we do a nightly backup, and we back up our files every night, but that's it, we're really saying we're willing to lose a day's worth of data, right? Because I could have a failure at 4:55 p.m. and I can't restore anything more current than, you know, yesterday or last night's backup.
So again, a lot of times when you're creating this business impact analysis, it leads the way to having a really honest discussion with senior management to figure out: what we're doing now, is it gonna help us meet our goals realistically? Or do we need to start looking at upgrading or updating our approaches?
Now, this is just a sample of a business impact analysis. It's just, you know, very high level. You can go out to Google and search for "BIA template", and there are lots of different options there. But if you can see this, ultimately what we're looking at is the various processes on the left. So we have 3D printing as the first critical activity. It's equipment. And then you can see kind of a description of what the 3D printer does for us. How does it impact us if it's offline? Well, we have financial loss. Recovery time objective is 24 hours. We'd like to have that back up and running within 24 hours. And this "alternative provided" field doesn't really apply to 3D printing. But as you go through, you can see, just for this particular template, we're tracking our processes, our assets, our systems, our services, so that we can understand, in the grand scheme of things, the criticality of this element.
Now, over on the next slide, because I know sometimes it's hard to read these screenshots, I just went through and indicated each of the fields that was on that little business impact analysis template that we had and just gave a brief description of them. So if you wanted to build a BIA just like this one, I've included all the fields there. But like I said, that's just a template; there are many templates out there that can help you build your BIA.

But that's one of those documents that you have to have, because when I want to know what's most critical to the organization, and by the way, most critical not to the IT department, not to production, not to sales, but to the organization as a whole, which means senior management has to have signed off on this, because senior management really are the folks that have the bird's-eye view of the organization as a whole, and they really understand what the organization needs. So if I were to look at who might sponsor the business impact analysis or have ultimate sign-off, I would tend to be thinking about the chief operating officer, and that might be a serious question that would come up. But the COO is focused on the business. They've got to find that balance between risk and performance and walk that fine line.
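As an added example (not from the course or its template), here is how the MTD, RTO and RPO relationships described above can be checked over a small constructed BIA register: entries are ordered by criticality, and each one is tested for whether its current backup schedule and recovery plan actually deliver the targets senior management signed off on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BiaEntry:
    """One row of a business impact analysis register (constructed structure)."""
    name: str
    mtd: timedelta                 # maximum tolerable downtime (also called MTO)
    rto: timedelta                 # recovery time objective: target time to restore
    rpo: timedelta                 # recovery point objective: tolerable data loss
    backup_interval: timedelta     # how often the current plan actually backs up
    estimated_recovery: timedelta  # how long the current plan takes to restore

def check_entry(e: BiaEntry) -> list[str]:
    """Return the ways this entry's current plan falls short of its targets."""
    issues = []
    if e.rto > e.mtd:
        issues.append("RTO exceeds MTD: the target must sit inside the tolerable outage")
    if e.estimated_recovery > e.rto:
        issues.append("current recovery takes longer than the RTO")
    if e.backup_interval > e.rpo:
        issues.append("backup interval is longer than the RPO: data loss would exceed tolerance")
    return issues

def prioritize(entries: list[BiaEntry]) -> list[str]:
    """Most critical first: the shorter the MTD, the less time the business survives without it."""
    return [e.name for e in sorted(entries, key=lambda e: e.mtd)]

def data_at_risk(last_backup: datetime, failure: datetime) -> timedelta:
    """Data lost if a failure hits now and the only restore point is the last backup."""
    return failure - last_backup

# Constructed sample register; the durations are illustrative, not from any real BIA.
REGISTER = [
    BiaEntry("web storefront", timedelta(hours=1), timedelta(minutes=20), timedelta(hours=1),
             timedelta(minutes=15), timedelta(minutes=20)),
    BiaEntry("3D printing", timedelta(hours=72), timedelta(hours=24), timedelta(hours=24),
             timedelta(hours=24), timedelta(hours=48)),
    BiaEntry("payroll", timedelta(hours=48), timedelta(hours=72), timedelta(hours=1),
             timedelta(hours=24), timedelta(hours=8)),
]

if __name__ == "__main__":
    for name in prioritize(REGISTER):
        entry = next(x for x in REGISTER if x.name == name)
        print(f"{name}: {check_entry(entry) or ['meets targets']}")
    # Nightly backup at 02:00 and a failure at 16:55 the same day: nearly 15 hours of data lost
    print(data_at_risk(datetime(2024, 1, 1, 2, 0), datetime(2024, 1, 1, 16, 55)))
```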
This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.
