Lab7 Iaa202
Uploaded by phonghthe173266

Lab #7: Assessment Worksheet

Part A — Perform a Business Impact Analysis for an IT Infrastructure


Course Name: IAA202
Student Name: Hoang Tuan Phong

Overview
When performing a BIA, you are trying to assess and align the affected IT systems,
applications, and resources to their required recovery time objectives (RTOs). The
prioritization of the identified mission-critical business functions will define which IT systems,
applications, and resources are impacted. The RTO will drive what kind of business
continuity and recovery steps are needed to maintain IT operations within the specified time
frames.
1. Perform a BIA assessment and fill in the following chart:

Business Function or Process | Business Impact Factor | Recovery Time Objective | IT System
--- | --- | --- | ---
Internal and external voice communications with customers in real-time | Critical | Within the hour | Server
Internal and external e-mail communications with customers via store and forward messaging | Major | Within a day | Internet, network
DNS for internal and external IP communications | Minor | Within an hour | DNS server
Internet connectivity for e-mail and store and forward customer service | Major | Within a day | Email server
Self-service website for customer access to information and personal account information | Major | Within a day | Server, Internet
e-Commerce site for online customer purchases or scheduling 24x7x365 | Critical | Within an hour | Internet, network

Part B — Craft a Business Impact Analysis Executive Summary
Craft a BIA executive summary, following this structure and format:
a. Goals and purpose of the BIA — unique to your scenario
b. Summary of Findings — business functions and assessment
c. Prioritizations — critical, major, and minor classifications
d. IT systems and applications impacted — to support the defined recovery time objectives

Overview
After completing your BIA report for your scenario and IT infrastructure, answer the following
Lab #7 Assessment Worksheet questions. These questions are specific to the BIA you
performed for your scenario and IT infrastructure. Justify your answers where needed.

1. What is the goal and purpose of a BIA?

A Business Impact Analysis (BIA) is a crucial tool for organizations to assess and prioritize
the potential impacts of disruptions on their critical business functions and resources. Its
primary goals are to identify these critical functions, assess the potential consequences of
disruptions, prioritize resources, and inform continuity planning efforts. By conducting a BIA,
organizations can better understand their vulnerabilities, allocate resources effectively, and
develop resilience strategies to ensure continuity of operations during and after disruptions.

2. Why is a business impact analysis (BIA) an important first step in defining a business
continuity plan (BCP)?

A Business Impact Analysis (BIA) serves as a foundational step in developing a Business
Continuity Plan (BCP). It helps organizations identify and prioritize critical business functions
(CBFs) by assessing the potential impacts of disruptions. By understanding these impacts,
organizations can set recovery objectives, prioritize resources effectively, and inform the
development of strategies to maintain operations during and after disruptions. The BIA
ensures that continuity planning efforts are focused on safeguarding essential functions and
minimizing the overall impact of disruptions, thereby enhancing organizational resilience and
readiness to manage unexpected events.

3. How does risk management and risk assessment relate to a business impact analysis for
an IT infrastructure?

1. Risk Assessment: Identifies and evaluates potential risks to IT systems and
services, including cyber threats, system failures, and human errors. It quantifies
risks by assessing likelihood and impact, providing foundational data for subsequent
analyses.
2. Business Impact Analysis (BIA): Focuses on understanding how disruptions to IT
infrastructure affect critical business functions. It identifies which IT systems and
services are essential and assesses the financial, operational, and reputational
impacts of disruptions.
3. Integration and Relationship:
○ Input and Alignment: Findings from risk assessments inform the scope and
focus of the BIA. They prioritize critical IT functions vulnerable to identified
risks, ensuring alignment between risk management strategies and continuity
planning.
○ Impact Assessment: BIA uses risk assessment data to quantify potential
consequences of IT disruptions accurately. This includes determining
recovery time objectives (RTOs) and recovery point objectives (RPOs) critical
for continuity planning.
○ Mitigation Strategies: Together, risk assessment and BIA guide the
development of mitigation strategies. Risk assessment identifies
vulnerabilities and threats, while BIA identifies critical functions. This synergy
enables organizations to prioritize resources effectively, strengthen resilience,
and maintain operational continuity in the face of disruptions.

4. What is the definition of Recovery Time Objective (RTO)? Why is this important to define
in an IT Security Policy Definition as part of the Business Impact Analysis (BIA) or Business
Continuity Plan (BCP)?

The Recovery Time Objective (RTO) specifies the maximum acceptable downtime for
restoring critical business functions or IT systems after a disruption. Defining RTOs in an IT
Security Policy as part of the Business Impact Analysis (BIA) or Business Continuity Plan
(BCP) is crucial for several reasons. In essence, integrating RTOs into IT Security Policies
within the BIA or BCP framework enhances organizational resilience, minimizes downtime,
and supports continuity of operations during unforeseen events, thereby safeguarding
business continuity and customer confidence.

5. True or False: If the Recovery Point Objective (RPO) metric does not equal the Recovery
Time Objective (RTO), you may potentially lose data or not have data backed up to recover.
This represents a gap in potential lost or unrecoverable data.

True. If the Recovery Point Objective (RPO) metric does not equal the Recovery Time
Objective (RTO), there is a potential risk of data loss or unrecoverable data in the event of a
disruption. The RPO defines the maximum allowable data loss that an organization can
tolerate, specifying the point in time to which data must be restored. If the RPO is not aligned
with the RTO, there may be a gap where data backed up or recovered does not meet the
organization's acceptable data loss limits, potentially leading to data loss or incomplete
restoration during recovery efforts. This highlights the importance of aligning RPO and RTO
metrics to ensure comprehensive data protection and continuity planning.

6. If you have an RPO of 0 hours - what does that mean?

An RPO (Recovery Point Objective) of 0 hours means that the organization cannot tolerate
any data loss. This implies that data must be continuously backed up or replicated in
real-time to ensure that in the event of a disruption, no data is lost. Essentially, the data
recovery process must restore the data to the exact state it was in at the moment of the
disruption, requiring robust and continuous data protection mechanisms.
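The Part A chart and questions 5 and 6 describe RTO and RPO as targets that a recovery setup either meets or misses. The following script is an added example and is not part of the worksheet: it takes the chart's six functions and RTOs, converts the RTO phrases to hours, and compares each function against a constructed recovery profile. The RPO targets, backup intervals and measured restore times are hypothetical values chosen for the example (the worksheet gives only RTOs). The worst-case data loss is taken to be the interval between backups, so an RPO of 0 hours can only be satisfied by an interval of 0, i.e. continuous replication, which is the point of question 6.

```python
"""Added example (not from the worksheet): evaluate the Part A BIA chart for
RTO and RPO gaps against a constructed recovery profile.

A function has an RPO gap when the interval between backups (worst-case data
lost) exceeds its RPO, and an RTO gap when its measured restore time exceeds
its RTO.  Gaps are the situation question 5 calls a potential data-loss gap.
"""
from dataclasses import dataclass
import re

PRIORITY = {"Critical": 1, "Major": 2, "Minor": 3}

# Part A chart: (business function, impact factor, RTO as written, IT system).
BIA_CHART = [
    ("Voice communications", "Critical", "Within the hour", "Server"),
    ("E-mail communications", "Major", "Within a day", "Internet, network"),
    ("DNS", "Minor", "Within an hour", "DNS server"),
    ("Internet connectivity", "Major", "Within a day", "Email server"),
    ("Self-service website", "Major", "Within a day", "Server, Internet"),
    ("e-Commerce site", "Critical", "Within an hour", "Internet, network"),
]

# Constructed inputs (hypothetical, not from the worksheet).
# RPO target in hours per function; 0 means no data loss is tolerated.
RPO_TARGETS = {
    "Voice communications": 1.0,
    "E-mail communications": 24.0,
    "DNS": 24.0,
    "Internet connectivity": 24.0,
    "Self-service website": 4.0,
    "e-Commerce site": 0.0,
}
# Measured recovery profile: (restore time in hours, backup interval in hours).
RECOVERY_PROFILE = {
    "Voice communications": (0.5, 1.0),
    "E-mail communications": (4.0, 24.0),
    "DNS": (2.0, 24.0),
    "Internet connectivity": (8.0, 24.0),
    "Self-service website": (6.0, 12.0),
    "e-Commerce site": (0.5, 0.25),
}


def parse_rto_hours(text: str) -> float:
    """Convert an RTO phrase such as 'Within the hour' or 'Within a day' to hours."""
    t = text.strip().lower()
    if t in ("within the hour", "within an hour", "within a hour"):
        return 1.0
    if t == "within a day":
        return 24.0
    m = re.fullmatch(r"within (\d+(?:\.\d+)?) (hour|hours|day|days)", t)
    if m:
        n = float(m.group(1))
        return n * 24.0 if m.group(2).startswith("day") else n
    raise ValueError(f"unrecognised RTO phrase: {text!r}")


@dataclass
class Finding:
    function: str
    priority: int          # 1 = Critical, 2 = Major, 3 = Minor
    it_system: str
    rto_hours: float
    rpo_hours: float
    rto_gap_hours: float   # > 0: measured restore time exceeds the RTO
    rpo_gap_hours: float   # > 0: backup interval exceeds the RPO (possible data loss)


def evaluate(chart, rpo_targets, profile):
    """Score every chart row; return findings ordered by priority, then by RTO."""
    findings = []
    for function, impact, rto_text, system in chart:
        rto = parse_rto_hours(rto_text)
        rpo = rpo_targets[function]
        restore, backup_interval = profile[function]
        findings.append(Finding(
            function=function,
            priority=PRIORITY[impact],
            it_system=system,
            rto_hours=rto,
            rpo_hours=rpo,
            rto_gap_hours=max(0.0, restore - rto),
            rpo_gap_hours=max(0.0, backup_interval - rpo),
        ))
    # Stable sort, so chart order breaks ties between equal priority and RTO.
    findings.sort(key=lambda f: (f.priority, f.rto_hours))
    return findings


def gaps(findings):
    """Findings that miss either objective; each needs a continuity decision."""
    return [f for f in findings if f.rto_gap_hours > 0 or f.rpo_gap_hours > 0]


if __name__ == "__main__":
    for f in evaluate(BIA_CHART, RPO_TARGETS, RECOVERY_PROFILE):
        status = "GAP" if (f.rto_gap_hours or f.rpo_gap_hours) else "ok"
        print(f"P{f.priority} {f.function:<22} RTO {f.rto_hours:>4.1f}h "
              f"RPO {f.rpo_hours:>4.1f}h rto_gap {f.rto_gap_hours:.2f}h "
              f"rpo_gap {f.rpo_gap_hours:.2f}h {status}")
```

With the constructed profile, DNS misses its one-hour RTO by an hour, the self-service website's 12-hour backup interval leaves eight hours of data beyond its 4-hour RPO, and the e-Commerce site shows an RPO gap even with 15-minute backups because its RPO is 0 hours; only replication with no backup interval would close it.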

7. What must you explain to executive management when defining RTO and RPO objectives
for the BIA?

Definitions and Differences:

● RTO: Maximum acceptable downtime after a disruption.
● RPO: Maximum acceptable data loss measured in time.

Business Impacts:

● Effects on operations, finances, customer satisfaction, and compliance.
● Consequences of not meeting RTO and RPO.

Cost Implications:

● Costs of achieving different RTOs and RPOs.
● Trade-offs between implementation costs and potential losses.

Feasibility and Resources:

● Technical feasibility with current infrastructure.
● Additional resources or technology needed.

Risk Management:

● Alignment with risk management strategy.
● Mitigating risks and enhancing resilience.

Alignment with Business Priorities:

● Support for critical business functions and continuity goals.

Compliance and Regulatory Considerations:

● Regulatory requirements and industry standards.
● Legal and financial implications of compliance.

8. What questions do you have for executive management in order to finalize your BIA?

1. Critical Business Functions:
○ Which business functions are considered critical to the organization’s
operations and must be prioritized during disruptions?
○ Are there any upcoming changes in business operations that could affect the
prioritization of these functions?
2. Impact Tolerance:
○ What is the maximum acceptable downtime (RTO) for each critical business
function?
○ What is the maximum acceptable data loss (RPO) for each critical business
function?
○ Are there specific financial, reputational, or regulatory impacts that should be
considered when defining these objectives?
3. Resource Allocation:
○ What resources (personnel, budget, technology) are available for
implementing and maintaining business continuity and disaster recovery
plans?
○ Are there any constraints or limitations that could affect the allocation of these
resources?
4. Recovery Priorities:
○ Are there specific systems, applications, or data sets that must be prioritized
for recovery in the event of a disruption?
○ How should dependencies between systems and functions be managed
during recovery efforts?
5. Regulatory and Compliance Requirements:
○ Are there any industry-specific regulations or compliance requirements that
mandate specific RTOs and RPOs?
○ What are the potential legal or financial consequences of non-compliance?
6. Risk Tolerance:
○ What is the organization’s overall risk tolerance when it comes to disruptions
and data loss?
○ Are there specific risks that are deemed unacceptable and must be mitigated
at all costs?
7. Stakeholder Communication:
○ Who are the key stakeholders that need to be informed about the BIA findings
and continuity plans?
○ What is the preferred method and frequency of communication with these
stakeholders?
8. Testing and Maintenance:
○ How frequently should business continuity and disaster recovery plans be
tested and reviewed?
○ Are there specific scenarios or types of disruptions that should be included in
the testing process?
9. Continuous Improvement:
○ What metrics or indicators should be used to measure the effectiveness of the
business continuity and disaster recovery plans?
○ How should feedback from tests and real incidents be incorporated into
ongoing improvements to the plans?
10. Budget Considerations:
○ What is the budget allocated for business continuity and disaster recovery
planning and implementation?
○ Are there any budget constraints that need to be considered when finalizing
the BIA?

9. Why do customer service business functions typically have a short RTO and RPO
maximum allowable time objective?

Customer Expectations: Quick recovery is essential to meet customer expectations for efficient service.
Competitive Advantage: Ensuring uninterrupted service helps maintain a competitive edge.
Revenue Impact: Downtime can lead to lost sales and reduced customer loyalty, impacting revenue.
Brand Reputation: Prompt recovery maintains a positive public image and protects the brand.
Operational Continuity: Customer service disruptions can affect overall business operations.
Compliance and SLAs: Meeting regulatory requirements and Service Level Agreements (SLAs) often requires short RTO and RPO.
Customer Retention: Effective, responsive customer service is crucial for retaining customers and preventing churn.
