Business impact analysis (BIA) helps an organization in identifying critical systems and components that are essential to the organization’s success. If you’re planning on taking the Security+ exam, you should have a good understanding of BIA.
For example, can you answer this question?
Q. A business continuity expert is creating a BIA. Which of the following elements is MOST likely to be omitted from the BIA?
A. List of critical systems and functions
B. Recommended solutions
C. Critical downtime limit
D. Potential loss
More, do you know why the correct answer is correct and the incorrect answers are incorrect? Answer and explanation at end of this post.
BIA as part of BCP
A business impact analysis (BIA) is an important part of a BCP. It helps an organization identify critical systems and components that are essential to the organization’s success. If critical systems and components fail and cannot be restored quickly, it’s very possible that the organization will not survive the disaster.
For example, if a disaster such as a hurricane hit, what services must the organization restore to stay in business? Imagine a financial institution. It may decide that customers must have uninterrupted access to account data through an online site. If customers can’t access their funds online, they may lose faith with the company and leave in droves.
On the other hand, the company may decide that it doesn’t need the ability to accept and process loan applications right away. Loan processing is still important to the company’s bottom line, but a delay will not seriously affect its ability to stay in business. In this case, the online site is a critical function, but the systems used for loan applications are not critical.
Initial Phase of BIA
The time to make these decisions is not during a crisis. Instead, the organization completes a BIA in advance. The BIA involves collecting information from throughout the organization and documenting the results. This documentation identifies core business or mission requirements. The BIA does not recommend solutions. However, it provides management with valuable information so that they can focus on critical business functions. It helps them address some of the following questions:
- What are the critical systems and functions?
- Are there any dependencies related to these critical systems and functions?
- What is the maximum downtime limit of these critical systems and functions?
- What scenarios are most likely to impact these critical systems and functions?
- What is the potential loss from these scenarios?
As an example, imagine an organization earns an average of $5,000 an hour through online sales. In this case, management might consider online sales to be a critical function and all systems that support online sales are critical systems. This includes web servers and back-end database servers. These servers depend on the network infrastructure connecting them, Internet access, and access to payment gateways for credit card charges.
After analysis, they might determine that the maximum allowable outage for online sales is five hours. Identifying the maximum downtime limit for the critical systems and functions is extremely important. It drives decisions related to recovery objectives and methods and helps an organization identify various contingency plans and policies.
Evaluation Phase of BIA
The BIA evaluates various scenarios, such as fires, attacks, power outages, data loss, hardware and software failures, and natural disasters. Additionally, the BIA attempts to identify the potential loss from these scenarios. For example, a database server might host customer data, including credit card information. If an attacker was able to access this customer data, the cost to the organization might exceed millions of dollars.
You might remember the attack on retail giant Target during November and December 2013. Attackers accessed customer data on more than 110 million customers, resulting in significant losses for Target. Estimates of the total cost of the incident have ranged from $600 million to over $1 billion. This includes loss of sales—Target suffered a 46 percent drop in profits during the last quarter of 2013, compared with the previous year. Customers were afraid to use their credit cards in Target and simply stayed away. It also includes the cost to repair their image, the cost of purchasing credit monitoring for affected customers, fines from the payment-card industry, and an untold number of lawsuits. Target reportedly has $100 million in cyber insurance that will help pay claims related to the data breach.
Remember this
The BIA identifies systems and components that are essential to the organization’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.
Q. A business continuity expert is creating a BIA. Which of the following elements is MOST likely to be omitted from the BIA?
A. List of critical systems and functions
B. Recommended solutions
C. Critical downtime limit
D. Potential loss
Answer is B. A business impact analysis (BIA) does not include recommended solutions.
It does identify critical systems and functions, dependencies, critical downtime limits, potential scenarios causing a loss, and the potential loss.