Welcome to Cybrary's video series on the CompTIA Security+ SY0-501 certification and exam.
I'm your instructor, Ron Woerner.
Please visit cybrary.it to learn more about Security+, the certification, as well as many other certifications.
This video will help you prepare for Section 5.2, summarize business impact analysis concepts.
In the next few minutes I'll explain what business impact analyses are and how they're used within all types of businesses.
Section 5.2 of the risk management domain, domain five, covers the following concepts associated with a business impact analysis:
What is a business impact analysis?
What are mission-essential functions? Identification of critical systems,
single point of failure,
RTO and RPO (recovery time objective, recovery point objective),
MTBF (mean time between failures) and MTTR (mean time to recovery),
privacy impact assessment and privacy threshold assessment. Stay tuned to learn more about each topic.
Business impact analysis is the process of evaluating all of the critical systems,
basically those important to core business functions,
in an organization to define impact and recovery plans.
A BIA isn't concerned with external threats or vulnerabilities;
the analysis solely focuses on the impact a loss would have on the organization.
It's the impact part of a risk assessment, which we'll talk about in a future session.
Conducting a business impact analysis involves identifying critical business functions and the services and technologies required for each,
along with determining the cost associated with the loss of each and the maximum acceptable outage period.
You can find more by reading through the NIST definition. I highly recommend spending a lot of time on NIST as you're developing your security skills and preparing yourself as a Security+ professional.
Critical functions are those mission-essential functions: roles, services, systems, applications or data required to sustain the business.
What is it that your organization must have to do business? What are the systems,
the people or the data?
Focus on those as your top risks.
The steps for conducting a critical function analysis, which is part of a BIA,
are identification and analysis. Step one is identification
of assets, systems, data, et cetera.
Prioritization is step two: how do we determine which ones should be recovered first? When we talk about disaster recovery, we'll cover this in more detail.
Next is calculating the time frame for a critical system loss. How long can you be down?
Seconds? Milliseconds, as is the case with Amazon? Or minutes, hours, or a day? It depends on the business and the function.
Then, estimating the tangible and intangible impact on the business. So not only how much money it will cost or time it will take,
but are there intangibles, such as the company's reputation with the public?
These are steps to learn to do, not only for the Security+ exam but also to be a good security professional.
A single point of failure is what you probably think it is.
It's that one fault or malfunction that can compromise the whole business, an entire system or the enterprise. Say you have one network router to get out to the Internet.
Well, if that router goes down, how are your employees going to access Internet resources?
That's a single point of failure example.
It could be a person
or technology. Say you have a person who handles a specific duty; they're the only one in the company who does, say, patching.
What happens if a patch is released while that person's unavailable, say on vacation?
How do you avoid a single point of failure once identified?
Well, through redundancy: system redundancy, personnel redundancy. So you might have multiple avenues to the Internet, for example, for redundancy, or fault-tolerant protocols, procedures or technologies.
A great example you often see is high availability.
Take a look and think about where, in your environment, your single points of failure may reside.
There are certain recovery objectives that you need to consider.
This again is tied to disaster recovery, which we'll talk about in a later session,
but keep this in mind when you're looking at your business impact assessment,
because this will also help determine those critical systems, functions and services.
The first one I want to talk about is RTO,
recovery time objective.
This is the maximum amount of time that a process or service is allowed to be down
and the consequences still be considered acceptable. For how long
can your email be down? Or a particular application?
So your recovery time objective
is how quickly you want to be able to recover. Again, we'll cover this later in the business
recovery session, the disaster recovery and business continuity session.
RPO, recovery point objective, is the point of last known good data prior to an outage. So to what point are you going to recover?
Can you afford to go back in time, say, two hours,
or does it have to be two minutes? You know, how much are you willing to lose?
For example, Amazon has
multiple transactions every millisecond, so pretty much everything is mirrored for that. But maybe your organization can go back one day and not lose critical data.
That will be your recovery point objective.
As a general rule, the closer the RPO, recovery point objective, matches the time of the crash,
the more expensive it is to obtain. For example, mirroring is very expensive, as opposed to daily backups, which are not nearly as expensive.
Good point to remember for the exam.
More acronyms associated with a business impact assessment are MTBF and MTTF.
Mean time to failure:
this is the average time to failure for a non-repairable system.
So how often will the system be anticipated to fail? For example, laptops have a limited life span,
so you can almost assume that eventually a laptop will die. This is the mean or average time for that failure.
It represents how long a product could reasonably be expected to perform
based on specific testing. So it's good to know,
when you're purchasing a particular device, the MTTF:
within the life span of the device, how soon can you anticipate it to fail?
Mean time between failures is the measure of the anticipated incidence of failure of a system or component. This means the measurement determines the component's anticipated lifetime.
Make sure you don't get these two terms confused. It's pretty easy to.
Review the study material that's available through this course and others. Make sure you get these two terms down, because there's a possibility you may see this on the Security+ exam.
Another important concept associated with this is mean time to recovery,
or restore, or repair. I've seen MTTR mean recovery, restore or repair.
I'm sure you're familiar with all of those.
So how long will it take for you to recover that system? What's that average time? So my laptop goes down: how fast can I recover my lost data?
How can I restore business? How long will it take in that time period?
So it's the average time to repair a failed system, device or component
and return it back to operational status. That's the key. It's not just repairing;
getting back into business is the key.
The calculation includes the preparation time,
active maintenance time
and any delays. So please anticipate there's always going to be a delay.
This is often part of a maintenance contract. If you remember from the previous video, 5.1, I talked about an SLA; MTTR could easily be part of an SLA, a service level agreement.
How long do you anticipate your service provider to be able to recover the service for you?
It's something we see in business quite often.
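To make the recovery objectives and the MTBF/MTTR definitions above concrete, here is an added example (not code from the course or the instructor) that computes them from a constructed outage log. MTTR is split the way the lecture describes it (preparation, active maintenance, delays), MTBF is the average uptime between one restore and the next outage, and the RPO check shows why a daily backup schedule cannot satisfy a four-hour RPO while a tighter schedule can. The incident data, the service and the backup schedule anchor are all assumptions.

```python
# Added example: BIA metrics (MTTR, MTBF, RTO and RPO checks) over a constructed outage log.
from datetime import datetime, timedelta

# Constructed incident records for one hypothetical service. Each repair is split as the
# lecture describes MTTR: preparation time, active maintenance time, and delays (minutes).
INCIDENTS = [
    {"start": datetime(2023, 3, 1, 9, 0), "prep_min": 10, "active_min": 40, "delay_min": 5},
    {"start": datetime(2023, 3, 15, 14, 0), "prep_min": 20, "active_min": 90, "delay_min": 30},
    {"start": datetime(2023, 4, 2, 3, 0), "prep_min": 5, "active_min": 25, "delay_min": 0},
]
BACKUP_ANCHOR = datetime(2023, 1, 1)  # assumed: backups run at fixed intervals from this instant


def repair_minutes(inc):
    """Total restore time for one incident: prep + active work + delays."""
    return inc["prep_min"] + inc["active_min"] + inc["delay_min"]


def mttr_minutes(incidents):
    """Mean time to recovery: average of the per-incident repair totals."""
    return sum(repair_minutes(i) for i in incidents) / len(incidents)


def mtbf_hours(incidents):
    """Mean time between failures: average uptime from one restore to the next outage."""
    ordered = sorted(incidents, key=lambda i: i["start"])
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        restored = prev["start"] + timedelta(minutes=repair_minutes(prev))
        gaps.append((nxt["start"] - restored).total_seconds() / 3600)
    return sum(gaps) / len(gaps)


def rto_violations(incidents, rto_minutes):
    """Start times of incidents whose downtime exceeded the recovery time objective."""
    return [i["start"] for i in incidents if repair_minutes(i) > rto_minutes]


def rpo_violations(incidents, rpo_hours, backup_interval_hours):
    """Start times of incidents where the data lost (time since the last backup
    taken before the outage began) exceeded the recovery point objective."""
    interval = timedelta(hours=backup_interval_hours)
    limit = timedelta(hours=rpo_hours)
    return [i["start"] for i in incidents if (i["start"] - BACKUP_ANCHOR) % interval > limit]


if __name__ == "__main__":
    print(f"MTTR = {mttr_minutes(INCIDENTS):.0f} min, MTBF = {mtbf_hours(INCIDENTS):.1f} h")
    print("RTO 60 min violated by:", rto_violations(INCIDENTS, 60))
    # Daily backups cannot meet a 4-hour RPO; hourly ones can (mirroring would be tighter still).
    print("RPO 4 h, daily backups, violated by:", rpo_violations(INCIDENTS, 4, 24))
    print("RPO 4 h, hourly backups, violated by:", rpo_violations(INCIDENTS, 4, 1))
```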
The last session
in section 5.2 is focused on privacy. Granted, we'll be covering privacy in more detail in Section 5.8, which talks about privacy best practices.
As part of a business impact assessment, though, you might have to do a privacy impact assessment, or PIA.
The PIA is an important component of the General Data Protection Regulation, which is in the European Union. A PIA, privacy impact assessment, goes with a BIA, business impact assessment.
As you're conducting your PIA, you need to understand and identify first what is personally identifiable information, PII.
On the screen is the NIST definition. In general, it's your name associated with some other type of identifier: can you be quickly and easily identified?
That, generally, is what PII is.
Another common privacy term is PHI, personal health information or protected health information. This is information about your medical status or health care.
When you're conducting a PIA, privacy impact assessment,
you're looking at
adverse impacts if there's a privacy breach. So normally it's the confidentiality of personal information being inadvertently disclosed, whether by accident or malicious activity.
It could be associated with the destruction, loss, corruption or, as I mentioned, the accidental disclosure of sensitive personal or private data
that your organization holds on behalf of your clients or customers.
What you need to do is all part of a data investigation. Where does that data reside? How could it be disclosed? So it takes a lot of due diligence to identify and then classify. We'll talk about data classifications later in a different session.
Understand the details associated with a PIA, because you will be seeing it in your career.
Also, a PIA is required for any organization that stores, collects or processes personal health information as part of HIPAA in the United States, the Health Insurance Portability
and Accountability Act. There we have privacy
rules associated with it where you need to conduct a PIA.
One other last term associated with privacy assessment is the privacy threshold assessment.
There you're actually assessing what systems hold PII or PHI.
What is the threshold of what they can contain? How do you protect that private information?
Be aware of these privacy terms. Privacy has gotten to be a big deal, and we'll see it
in your lifetime, and maybe also on the Security+ exam.
At this point, let's look at a question you may see on a typical Security+ exam
for this section on business impact assessments. Let's see if you can answer this one. In the context of a BIA,
this term represents how long a product could be reasonably expected to perform based on specific testing.
Is it A, recovery time objective; B, MTTF; C, MTTR; or D, a single point of failure?
And the answer is
B, MTTF, mean time to failure.
You know it's not any of the others. MTTR is about recovery,
a recovery time objective is how long it takes to recover, and single points of failure are those critical systems within your organization.
This concludes the video for section 5.2, part of domain five, risk management, for the CompTIA Security+ SY0-501 security certification.
In this session we summarized business impact assessment, or analysis, concepts.
Please refer to your study material for more information on this. I look forward to talking with you more in future videos.