5.2 Summarize business impact analysis concepts.

Question 1

RTO/RPO

Answer 1

RTO
Recovery time objective (RTO) is a BCP term for the amount of time allowable before a business function must be restored to a functional state after a failure.

RPO
Recovery point objective (RPO) is a BCP term to represent how much of a system is expected to be recovered.
For example, your company may expect that when a system fails, you should be able to restore up to the point of failure, while another company may only expect a recovery of data up to 24 hours prior to the point of failure.

Question 2

MTBF

Answer 2

Mean time between failures (MTBF) is the amount of time between failures of a system or device.

Question 3

MTTR

Bonus MTTF

Answer 3

Mean time to restore (MTTR), also known as mean time to recovery, is the average time for a system or device to recover from a failure.

Mean time to failure (MTTF) is the amount of time a device is expected to last in production before it fails. MTTF is usually a value reported by the manufacturer on hardware, which you can use as evaluation criteria when selecting hardware.

The difference between MTBF and MTTF is that a device with an MTBF rating is recoverable and you are getting the time between failures. A device with an MTTF rating is not recoverable and you are getting an indication on how long that device will last.

Question 4

Mission-essential Functions

Answer 4

Functions that are critical to the business known as mission-essential functions. The primary method of
identifying the critical functions is to identify any loss of function that would result in huge revenue loss or that would present a safety concern to employees. Another example of how to identify critical business tasks or functions is to determine whether, if the function goes down, you may be failing to meet contractual agreements or to comply with regulations, both of which could result in lawsuits against the business.

Question 5

Identification of Critical Systems

Answer 5

Identification of critical systems, which are systems that the mission-essential functions cannot do without. For example, you may have identified the sales of online products as being a critical function to your business. This function relies on resources such as the Internet connection, web site, or product database—if any of those resources are lost, online sales cannot occur.

Question 6

Single Point of Failure

Answer 6

A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or other industrial systems.

Question 7

Impact

Answer 7

Determining the impact is important because it helps justify the cost of the mitigation technique used to protect the asset.

Question 8

Impact - Life

Answer 8

Identify if the threat’s impact would cause loss of life.

Question 9

Impact - Property

Answer 9

Identify if the threat’s impact would cause damage to the facility or property. Determine if this damage would make the site non-operational.

Question 10

Impact - Safety

Answer 10

Identify if the threat’s impact would cause bodily harm or health problems.

Question 11

Impact - Finance

Answer 11

Identify if the threat’s impact would cause a loss of revenue. Also, identify the cost to fix the system if the threat were to occur.

Question 12

Impact - Reputation

Answer 12

A bit more of an intangible impact is what would happen to the reputation of the business if the threat occurred. Would the company lose the trust of its customers and business partners?

Question 13

Privacy Impact Assessment

Answer 13

A privacy impact assessment (PIA) is a type of assessment performed by an organization that allows it to review how it handles sensitive or private information, and to address any issues that could compromise the privacy of individuals in regard to how the information is handled. The PIA is designed to ensure that the organization is following policies and is compliant with any regulations governing the organization.

Question 14

Privacy Threshold Assessment

Answer 14

A privacy threshold assessment (PTA) is a document that is needed for each system that goes through the certification and accreditation process in order to authorize a system for use in a highly secure environment. The PTA document identifies the purpose of the system, and any personally identifiable information (PII) the system may store or process. The PTA document may also specify whether a PIA is needed for the system.