02. Business Impact Analysis (395) Flashcards

1
Q

Business Impact Analysis

Business Impact Analysis (BIA) is the study of business processes to understand their criticality and dependencies, and how they are affected when interruptions occur.

395

A
2
Q

Business Impact Analysis

Organisations should start with an executive-level BIA to determine business priorities.

395

A
3
Q

Business Impact Analysis

An intake form is a means of gathering information about business systems.

397

A
4
Q

Business Impact Analysis

A BIA may include different types of impact statements:

  1. Statements of impact on IT systems
  2. Statements of impact on business processes
  3. Statements of impact for revenue generating business functions

398

A
  1. Three thousand users in France and Italy will be unable to access customer records
  2. Accounts payable and accounts receivable functions will be unable to process invoices
  3. Inability to place orders for appliances, at a rate of $12,000 per hour

5
Q

Criticality Analysis

Criticality analysis is a study of each system and process, considering the impact on the organisation, the likelihood of interruption and the estimated cost.
It is a special type of risk analysis focusing on key processes and systems.

398

A

Vulnerability analysis here is not a deep-dive vulnerability assessment such as discovering missing patches, but identification of things such as single points of failure, systems that are not backed up, etc.

6
Q

Criticality Analysis

Criticality analysis needs to include a vulnerability analysis and a threat analysis.

A
  • Vulnerability analysis here is not a deep-dive vulnerability assessment such as discovering missing patches, but identification of things such as single points of failure, systems that are not backed up, etc.
  • Threat analysis is a risk analysis that identifies every threat that has a reasonable probability of occurrence
7
Q

Criticality Analysis

  • Business analysis must be completed before criticality analysis
  • Without that analysis, criticality is impossible to evaluate

400

A
8
Q

Maximum Tolerable Downtime

  • Maximum Tolerable Downtime (MTD) - time measured from the onset of a disaster to the point at which the organisation's survival is at risk
  • "Maximum tolerable" means this point cannot be exceeded
  • MTD establishes key recovery targets

400

A
9
Q

Maximum Tolerable Outage (MTO)

  • Maximum Tolerable Outage (MTO) - maximum time an organisation can tolerate operating in recovery mode
  • MTO defines the need to re-establish normal operations within a specific period of time
  • "Maximum tolerable" means this point cannot be exceeded

400

A
10
Q

MTD and MTO and Key Recovery Targets

When MTD and MTO are in place, the following key recovery targets can be established:

  • Recovery Time Objective (RTO) - maximum period that elapses from the onset of a disaster to the resumption of service
  • Recovery Point Objective (RPO) - maximum data loss point from the onset of a disaster
  • Service Delivery Objective (SDO) - minimum acceptable processing or storage capacity of alternate systems compared to primary systems
  • Recovery Consistency Objective (RCO) - agreed level of quality of service of the alternate processing site compared to the primary
  • Recovery Capacity Objective (RCapO) - consistency and integrity of processing in the recovery system, compared to the primary system

401

A
11
Q

Recovery Time Objective (RTO)

Recovery Time Objective (RTO) - establishes a measurable time window during which the activities necessary for recovering or resuming business operations must take place

401

A
  • RTOs, data classification and asset classification are interrelated
  • Systems with a higher classification are likely to have shorter RTOs
  • Shorter RTOs are associated with higher costs
12
Q

Recovery Point Objective (RPO)

Recovery Point Objective (RPO) - equates to the maximum period of time between backups or data replication intervals

402

A
  • Shorter RPOs have higher associated costs
  • If an application server is backed up once a day, the RPO is 24 hours
  • RPOs reflect a measurable requirement for rework (data created since the last backup must be re-entered)
  • Once RPOs are established, contingency plans can be established
13
Q

Recovery Capacity Objective (RCapO)

Recovery Capacity Objective (RCapO) - generally expressed as a percentage of normal capacity or capability. For example, a point-of-sale outage forces sales reps to hand-write cash invoices, which takes more time and so reduces how many can be processed in an hour.

403

A

Management may decide that a recovery site can operate at 80% capacity: the likelihood of a full failover to the recovery site is low, so the loss of capacity in that scenario is accepted as a trade-off against the cost of keeping a 100% capacity recovery site in place.

14
Q

Service Delivery Objective (SDO)

Service Delivery Objective (SDO) - a measurable objective that is defined based on the nature of the business. For example, transaction throughput targets.

403

A
15
Q

Recovery Consistency Objective (RCO)

Recovery Consistency Objective (RCO) - a measure of the consistency and integrity of processing at a recovery site compared to the primary

403

A
  • RCO decisions are the result of careful analysis of the cost of recovering different features and functions