Time: 12 hours 41 minutes
Difficulty: Advanced
CEU/CPE: 13

Video Description

This lesson focuses on Business Impact Analysis (BIA). The BIA is initiated by the BCP committee and identifies and prioritizes all business processes based on criticality. A BIA looks at the quantitative and qualitative losses an organization can incur in the event of the loss of a service or process.

Key metrics to establish in a BIA are:
• RPO: Recovery Point Objective
• MTD: Maximum Tolerable Downtime
  o RTO: Recovery Time Objective
  o WRT: Work Recovery Time
• MTBF: Mean Time Between Failures
• MTTR: Mean Time to Repair
• MOR: Minimum Operating Requirements

Results of the BIA should contain:
• All business processes and assets
• The impact the company can handle when dealing with each risk
• Which outage times would be critical and which would not
• Preventative controls
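As an added example (not from the course or the instructor), here is a small Python model of the BIA metrics listed above: processes are ranked by quantitative loss, RTO plus WRT is checked against MTD, and the backup interval is checked against RPO. The company, its processes and all dollar and hour figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BiaProcess:
    name: str
    loss_per_hour: float  # quantitative impact: dollars lost per hour of outage
    rpo_hours: float      # Recovery Point Objective: tolerable data loss
    mtd_hours: float      # Maximum Tolerable Downtime
    rto_hours: float      # Recovery Time Objective: time to restore hardware
    wrt_hours: float      # Work Recovery Time: time to restore software and processes


def prioritize(processes):
    """Order every process by criticality: the greatest quantitative loss first."""
    return [p.name for p in sorted(processes, key=lambda p: p.loss_per_hour, reverse=True)]


def recovery_time(p):
    """RTO and WRT together make up the time to full recovery, which must fit within the MTD."""
    return p.rto_hours + p.wrt_hours


def worst_case_data_loss(backup_interval_hours):
    """A backup taken every N hours can lose up to N hours of data on the worst-timed failure."""
    return backup_interval_hours


def bia_findings(processes, backup_interval_hours):
    """Return the gaps between the signed-off BIA metrics and the current recovery posture."""
    findings = []
    for p in processes:
        if recovery_time(p) > p.mtd_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h + WRT {p.wrt_hours}h exceeds MTD {p.mtd_hours}h")
        if worst_case_data_loss(backup_interval_hours) > p.rpo_hours:
            findings.append(f"{p.name}: backups every {backup_interval_hours}h cannot meet RPO {p.rpo_hours}h")
    return findings


# Constructed sample BIA for a hypothetical company that only takes nightly (24 h) backups.
SAMPLE_PROCESSES = [
    BiaProcess("web storefront", loss_per_hour=1_200_000, rpo_hours=1, mtd_hours=2, rto_hours=1, wrt_hours=0.5),
    BiaProcess("email", loss_per_hour=5_000, rpo_hours=24, mtd_hours=2, rto_hours=1.5, wrt_hours=1),
    BiaProcess("payroll", loss_per_hour=500, rpo_hours=24, mtd_hours=72, rto_hours=8, wrt_hours=8),
]
NIGHTLY_BACKUP_HOURS = 24

if __name__ == "__main__":
    print(prioritize(SAMPLE_PROCESSES))
    for line in bia_findings(SAMPLE_PROCESSES, NIGHTLY_BACKUP_HOURS):
        print(line)
```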

Video Transcription

00:04
Okay, so we've looked at the first phase of the plan, which is Project Initiation. And that's where we get the policy, the BCP policy, which essentially is management's backing in writing. Now, the first real action item, though, for those of us on the BCP committee is to conduct the business impact analysis.
00:24
This is huge. And as a matter of fact, when you find failings with actually carrying out the plan, a lot of times the problems can be traced back to the BIA.
00:34
Okay, so the job of the business impact analysis is to identify and prioritize all business functions based on criticality,
00:44
so identify and prioritize all business functions based on criticality.
00:50
Okay, we identify first,
00:52
then we prioritize
00:54
business functions. Not IT functions, but business functions. And then basing that prioritization on criticality is all about time sensitivity. What we're trying to figure out here is what causes the greatest loss. So, for instance, if I'm in, you know, uh, Amazon, for instance,
01:14
when we look at Amazon, think about how much money they lose for every hour they're offline.
01:19
Or every 15 minutes they're offline, for that matter, and it could be millions of dollars. So you can rest assured that one of Amazon's most critical processes is their web presence. Right. And it's based on how much money do I lose as this goes down.
01:34
Okay. Now,
01:36
Ah, we want to get both values, qualitatively and quantitatively, so I want to know, okay, this is a high priority. But I also want the numeric data to say, yeah, for every five minutes of downtime we lose $100,000, because it's that quantitative value that's going to justify
01:53
the countermeasures I'm gonna put in place. We want both, that qualitative and quantitative.
01:59
Now you have to know certain metrics, and several of these are really important: service level objectives, recovery point objectives, maximum tolerable downtime. Those are probably the biggest on here. So your service level objective is gonna be identified in the BIA.
02:17
And ultimately,
02:19
the service level objective is understanding that, if there has been a disaster, we're gonna be operating at a reduced capacity. But we still are gonna have targets we want to hit for customer service. So for instance, years ago, I worked for a large customer service call center,
02:37
and we had to answer 96% of incoming calls
02:40
with a maximum hold time of five minutes. I'm just kind of making these metrics up, but we had pretty tough metrics to meet and, um, you know, day in, day out, we had to meet those goals.
02:53
Now, this was back in North Carolina. One winter we had just a crazy snowstorm; it dumped something like 25 inches in Greensboro, North Carolina,
03:02
and that just shut the city down. So most of the roads were closed. We couldn't get into work. So what happens? They sent the call center operations from Greensboro down to Fort Lauderdale, Florida,
03:15
because obviously, they were not affected by the snowstorm.
03:17
So Fort Lauderdale had to answer their normal incoming calls, plus all the calls that had been rerouted from Greensboro. Were the folks in Fort Lauderdale gonna meet their goals? No. But does that just mean management said, hey, get out there and give it a try, good luck? No, management still has expectations.
03:37
So the service level objectives were to answer 85% of incoming calls
03:43
to have a maximum hold time no longer than 10 minutes. So they're understanding we're gonna have reduced capacity, but we still have objectives we want to reach for service. Okay, that's an SLO. Don't confuse that with an SLA, a service level agreement.
03:57
And that's a vendor's commitment for a certain amount of uptime for their product. Okay, which could also come in and be very relevant with business continuity.
04:06
All right, recovery point objective is my tolerance for loss of data.
04:13
How current must my data be?
04:15
Now I can guarantee if you go ask senior management, say, so how much data are we willing to lose? The answer's gonna be none. We can't lose any data.
04:25
Well, good. I can do that for you. Get your checkbook. It's gonna be expensive,
04:29
right? 24/7 uptime, 100% data recovery. That's costly. That's not cheap. That's not easy to guarantee. So usually when you come back and say, get your checkbook, management says, well, what I meant was an hour's worth of data
04:43
or a day's worth. Whatever. And if you think about it, if your organization does nightly backups, you back up data
04:48
every night at midnight. Um, if you're a Monday through Friday, 8 to 5 company, if you're only doing nightly backups, you're essentially saying you're willing to lose a day's worth of data.
05:00
And, you know, I mean, technically, you could have a failure at 4:45, not be able to recover anything, and have to restore from the night before's backup, having lost everything from the day.
05:11
So you know, sometimes coming through this plan and developing the plan is a good time to open up discussions with senior management and make sure that we're really able to meet their requirements.
05:21
Usually, there's a back and forth, where senior management wants no downtime, no data loss. Well, that's gonna take money. Then we go back and forth, and generally what we'll do is we'll create, you know, two, three, four options. And if you truly want 24/7 uptime, here's the expense. Here's what we have to implement.
05:40
If we can sustain an hour's downtime, then here's how we would go forward.
05:44
So we generally like to give senior management multiple options and have them sign off on the option that they've chosen, because ultimately, what we decide as our metrics for the business impact analysis, that's what everything else is gonna be based on. So we want to make sure that senior management acknowledges
06:01
what they put in place, their metrics, so that when we, you know, if they decide that losing a day's worth of data is okay based on cost,
06:10
and then we have a disaster and a day's worth of data is lost, we want to make sure that it's their name attached to that decision. My philosophy is I never want my name to be the highest on a bad decision,
06:21
right? I'm gonna get somebody higher than me to sign off. Maximum tolerable downtime, that's exactly what it sounds like. What is the absolute longest we can tolerate having this system or service or process down? Sometimes that's used in conjunction with RTO,
06:40
recovery time objective. I've even seen it written that those two were the same terms. They're technically not. Usually the RTO is how long it takes to get the hardware restored, and then work recovery time is how long it takes to restore the software and the processes. So usually the recovery time objective and the work recovery time together
07:00
give us the MTD. I do not expect them to go that detailed into it. Okay, so, honestly, if you see maximum tolerable downtime or recovery time objective, think of that as the longest we can be without this process before we suffer a loss
07:18
that's unacceptable to senior management.
07:21
All right, mean time between failures and mean time to repair. This is with hardware components. MTBF, it's the life span of the device. So hardware has an MTBF of three years; that's its life span.
07:34
Mean time to repair is how much time it takes us, if it does fail, to rebuild,
07:41
and then minimum operating requirements, MOR. You know, if I've got a SQL database, I'm not gonna be able to run that on a Pentium 200 megahertz system. So if I've got specific applications or services, I need it well documented, the hardware and software necessary to run those services, and that would be documented in
08:00
minimum operating requirements.
08:03
So with this plan, the BIA, or the key elements of the plan, the most important element is the BIA. Management, uh,
08:13
management specifies and signs off on the priorities for the business. They want personnel named. We've gotta have succession plans, you know, people move in the organization. So if the director of IT is not available, then the co-director, or
08:31
if the lead technician isn't available, then this one
08:33
will step in.
08:35
MOUs and MOAs are also gonna be important, because that makes sure
08:43
that the people responsible for activities sign off and acknowledge they're aware of their roles and responsibilities. On the test, if they say someone was supposed to be there and didn't show up,
08:54
what document would have corrected this problem? They're getting at either an MOA or an MOU, and they do not differentiate between the two on the test.
09:03
All right, we've got to think about recovering technologies, facilities, our communication systems, the records, the data. You know, we've got to think about the criticality and how we're gonna rebuild all this stuff. But it starts by figuring out what impact the loss of these elements has on the business.
09:20
So once the BIA is completed, we've identified all our business processes and our assets, not just the critical ones. We've identified them all and prioritized based on criticality.
09:33
We have documented how critical those elements are and what our tolerance for loss is,
09:41
and that's gonna lead us to put in recovery strategies. And those recovery strategies are going to make sure that we can carry out the metrics specified in the BIA. So, for instance, if I say I have a maximum tolerable downtime for my email server of two hours,
10:00
Well, my recovery strategies, which come next,
10:03
better be set up to maintain and to restore that server within a two hour time period. So every decision that we make from this point forward really stems from the BIA. Look to the BIA as being the source of the problem, but also of the solution.


Instructed By

Kelly Handerhan
Senior Instructor