Business continuity planning helps an organization predict and plan for potential outages of critical services or functions. The goal is to ensure that critical business operations continue and the organization can survive the outage. If you’re planning to take the SY0-501 exam, you should know how to identify critical systems and components that are essential to the organization’s success.
For example, can you answer this practice test question?
Q. A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential impact on life, property, finances, and the organization’s reputation. Which of the following documents is she MOST likely creating?
A. BCP
B. BIA
C. MTBF
D. RPO
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important. Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes: Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it. If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide is an update to the top-selling SY0-201, SY0-301, SY0-401, and SY0-501 study guides, which have helped thousands of readers pass the exam the first time they took it. It includes the same elements readers raved about in the previous four versions.
Business Impact Analysis Concepts
A business impact analysis (BIA) is an important part of a BCP. It helps an organization identify critical systems and components that are essential to the organization’s success. These critical systems support mission-essential functions. The BIA also helps identify vulnerable business processes. These are processes that support mission-essential functions.
As an example, imagine an organization has an online e-commerce business. Some basic mission-essential functions might include serving web pages, providing a shopping cart path, accepting purchases, sending email confirmations, and shipping purchases to customers. The shopping cart path alone is a business process and because it is essential to the mission of e-commerce sales, management will likely consider it a vulnerable business process to protect. The customer needs to be able to view products, select a product, enter customer information, enter credit card data, and complete the purchase. Some critical systems that support the web site are web servers and a back-end database application hosted on one or more database servers.
If critical systems and components fail and cannot be restored quickly, mission-essential functions cannot be completed. If this lasts too long, it’s very possible that the organization will not survive the disaster.
For example, if a disaster such as a hurricane hit, which services must the organization restore to stay in business? Imagine a financial institution. It might decide that customers must have uninterrupted access to account data through an online site. If customers can’t access their funds online, they might lose faith with the company and leave in droves.
However, the company might decide to implement alternate business practices in other elements of the business. For example, management might decide that accepting and processing loan applications is not important enough to continue during a disaster. Loan processing is still important to the company’s bottom line, but a delay will not seriously affect its ability to stay in business. In this scenario, continuous online access is a mission-essential function, but processing loan applications during a disaster is not mission-essential.
Creating a BIA
The time to make these decisions is not during a crisis. Instead, the organization completes a BIA in advance. The BIA involves collecting information from throughout the organization and documenting the results. This documentation identifies core business or mission requirements. The BIA does not recommend solutions. However, it provides management with valuable information so that they can focus on critical business functions. It helps them address some of the following questions:
- What are the critical systems and functions?
- Are there any dependencies related to these critical systems and functions?
- What is the maximum downtime limit of these critical systems and functions?
- What scenarios are most likely to impact these critical systems and functions?
- What is the potential loss from these scenarios?
As an example, imagine an organization earns an average of $5,000 an hour through online sales. In this scenario, management might consider online sales to be a mission-essential function and all systems that support online sales are critical systems. This includes web servers and back-end database servers. These servers depend on the network infrastructure connecting them, Internet access, and access to payment gateways for credit card charges.
After analysis, they might determine that the maximum allowable outage for online sales is five hours. Identifying the maximum downtime limit is extremely important. It drives decisions related to recovery objectives and helps an organization identify various contingency plans and policies.
Remember this
The BIA identifies mission-essential functions and critical systems that are essential to the organization’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.
Q. A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential impact on life, property, finances, and the organization’s reputation. Which of the following documents is she MOST likely creating?
A. BCP
B. BIA
C. MTBF
D. RPO
Answer is B. A business impact analysis (BIA) includes information on potential monetary losses along with the impact on life, property, and the organization’s reputation. It is the most likely document of those listed that would include this information.
A business continuity plan (BCP) includes a BIA, but the BIA is more likely to include this information than the BCP is.
The mean time between failures (MTBF) provides a measure of a system’s reliability.
The recovery point objective (RPO) refers to the amount of data you can afford to lose, but it does not include monetary losses.
