Mastering Business Impact Analysis in Information Systems

School: Northern Kentucky University
Course: CSC MISC
Subject: Information Systems
Date: Dec 11, 2024
Pages: 7
Uploaded by: CommodoreOryx3711
Performing a Business Impact Analysis (3e)
Managing Risk in Information Systems, Third Edition - Lab 09
Student: Emily Carson
Email: carsone4@mymail.nku.edu
Time on Task:
Progress: 100%
Report Generated: Friday, November 15, 2024 at 9:00 PM

Guided Exercises

Part 1: Research the Business Impact Analysis Process

3. Explain Figure 3-2: Business Impact Analysis Process for the Information System on Page 16.

Figure 3-2 shows a sample BIA process together with the data collection activities for a representative information system made up of many components (servers, for example). It is intended to help the ISCP Coordinator streamline and focus contingency plan development so that the resulting recovery strategy is more effective.

4. Explain Figure 3-3: Cost Balancing on Page 18.

Figure 3-3 weighs the cost of the system being unavailable against the cost of the resources needed to recover it. How far the balance tips toward spending on recovery depends on how heavily the system supports critical mission/business processes: the more critical the supported process, the more recovery spending is justified.

Page 1 of 7
5. Summarize the BIA process in your own words.

The BIA is a key step in the contingency planning process. The ISCP Coordinator uses it to characterize the system's components, the mission/business processes the system supports, and their interdependencies. Its purpose is to correlate the system with the critical mission/business processes and services it supports and, from that information, to characterize the consequences of a disruption. The BIA is normally carried out in three steps:

1. Determine the mission/business processes and their recovery criticality (the impact of an outage, expressed as MTD, RTO and RPO).
2. Identify the resource requirements needed to resume those processes.
3. Determine the recovery priorities for the system resources.

Part 2: Explore the BIA Template

3. Review the template and describe the three main sections.

The BIA template is structured into three main sections: Overview, System Description, and BIA Data Collection. The Overview states the purpose of the BIA: identifying critical mission/business processes, resource requirements and recovery priorities, and feeding those results into the broader contingency planning effort. The System Description summarizes the system's architecture, operating environment and recovery considerations, usually by reference to the System Security Plan (SSP). The BIA Data Collection section lays out the procedure for evaluating system criticality, identifying resource requirements and establishing recovery priorities; it is organized around impact categories, downtime tolerances (MTD, RTO, RPO) and the strategies needed to recover critical system resources in time.

5. Map the subsections under Section 3 with the subsections under Section 3.2 of NIST SP 800-34.

Section 3 of the template follows Section 3.2 (Conduct the Business Impact Analysis) of NIST SP 800-34 subsection by subsection. Template section 3.1, Determine Process and System Criticality, corresponds to 3.2.1, Determine Business Processes and Recovery Criticality, which identifies the mission/business processes the system supports and assesses the impact of their downtime. Template section 3.2, Identify Resource Requirements, aligns with 3.2.2, Identify Resource Requirements, which lists the hardware, software, personnel and other resources needed to resume or recover the critical processes. Finally, template section 3.3, Identify Recovery Priorities for System Resources, maps to 3.2.3, Identify Recovery Priorities for System Resources, which sequences the recovery of those resources according to criticality and the recovery objectives (MTD, RTO, RPO). This alignment ensures the BIA covers criticality, resource needs and recovery priorities in line with the NIST guidance.
6. Describe the Maximum Tolerable Downtime (MTD) value.

The Maximum Tolerable Downtime (MTD) is the longest period an organization can tolerate the disruption of a mission/business process or system without unacceptable consequences. It accounts for every kind of impact (operational, financial, legal and reputational) and sets the upper bound for the entire recovery effort, from the moment of disruption until the process is back in normal operation. Because it is the absolute threshold beyond which the organization suffers significant harm, the MTD drives the choice of recovery strategies and solutions.

7. Describe the Recovery Time Objective (RTO) value.

The Recovery Time Objective (RTO) is the maximum time a system, application or process may remain unavailable after a disruption before the outage begins to cause unacceptable impact on the processes it supports. It determines how quickly the recovery effort must restore functionality to meet the organization's continuity requirements. The RTO must fall within the MTD and directly influences which recovery strategies and technologies are affordable, since shorter RTOs generally require more expensive solutions such as warm or hot sites.

8. Describe the Recovery Point Objective (RPO) value.

The Recovery Point Objective (RPO) is the maximum acceptable amount of data loss, measured in time. It defines the point in time to which data must be restored after a disruption for the business to continue, and therefore dictates how often backups or replication must run.

9. Explain the relationship between MTD and RTO.

The Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO) are closely related, with the RTO bounded by the MTD. The MTD is the total time a mission/business process can be disrupted before the impact becomes unacceptable, covering every phase of the outage and recovery. The RTO, on the other hand, is the time allowed to restore the system itself. Because the MTD also has to absorb the work that follows system restoration (reloading data, verifying the system, resuming the process), the RTO must always be less than or equal to the MTD, and in practice should be noticeably shorter, so that the process is fully resumed within the tolerable downtime and long-term or irreversible damage is avoided.
10. Explain the difference between RTO and RPO.

The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are distinct but complementary measures in business continuity planning. The RTO defines the maximum acceptable downtime of a system or process after a disruption; it is about time, that is, how quickly the system must be restored to avoid unacceptable impact on operations. The RPO defines the maximum allowable data loss, also expressed as a span of time; it is about data, that is, how far back the restored state may lag behind the moment of disruption. The RPO fixes the point in time to which data must be restored and therefore sets the required backup or replication frequency, while the RTO fixes how long restoring to that point may take.
Challenge Exercise

Identify the impact to Cost for the eCommerce business process and explain why you chose that impact level.

Impact Level: High

Explanation: If the eCommerce process is unavailable, Acme faces a significant financial impact from lost sales, refunds, and legal exposure to customers who cannot complete transactions. Given customer demand, order volumes, and compensation for breached service agreements, the total cost of an outage could easily exceed 0K.

Identify the impact to Prestige for the eCommerce business process and explain why you chose that impact level.

Impact Level: High

Explanation: A disruption of the eCommerce process would severely damage Acme's reputation and drive significant customer loss. Customers would turn to competitors, causing long-term brand damage, reduced trust and loyalty, and negative media attention.

Identify the impact to Cost for the Payroll business process and explain why you chose that impact level.

Impact Level: Moderate

Explanation: Payroll is crucial but not immediately catastrophic in financial terms. If the payroll system is down, employees may not be paid on time, causing temporary dissatisfaction and operational delays, but the outage is unlikely to cost more than 0K. Factoring in overtime to resolve the issue and minor administrative penalties, the cost impact would fall within the K-0K range.

Identify the impact to Prestige for the Payroll business process and explain why you chose that impact level.

Impact Level: Moderate

Explanation: A payroll disruption would hurt employee satisfaction and trust in Acme, especially if pay arrives late. However, the reputational damage would be confined to internal stakeholders rather than customers, and would likely be short-lived once the issue is resolved.
Identify MTD, RTO, and RPO values for the eCommerce business process, then describe the drivers for these values (for example, customer satisfaction, regulations, performance measures, or compliance with a standard).

MTD: 4 hours
Drivers: Customer satisfaction, revenue loss, and operational continuity. eCommerce is core to Acme's business model, so a disruption longer than 4 hours would have serious financial consequences.

RTO: 2 hours
Drivers: Business continuity needs, customer expectations of quick recovery, and minimizing revenue loss. Restoring functionality within 2 hours leaves half of the MTD for reloading data, verifying the site and resuming order processing, and mitigates most operational disruption.

RPO: 1 hour
Drivers: Data integrity and transaction continuity. With high transaction volumes, recent orders, payments and shipping records must be recoverable with minimal loss, which requires backups or replication at least hourly.

Identify MTD, RTO, and RPO values for the Payroll business process, then describe the drivers for these values (for example, customer satisfaction, regulations, performance measures, or compliance with a standard).

MTD: 12 hours
Drivers: Legal and employee satisfaction considerations. Payroll is essential, but Acme has some timing buffer: an outage approaching twelve hours could be absorbed, while a full day without payroll processing could not.

RTO: 4 hours
Drivers: Employee trust and regulatory compliance. Restoring payroll processing within 4 hours avoids delays in paying employees and keeps Acme within payroll regulations, with time left inside the MTD to re-run any interrupted pay cycle.

RPO: 24 hours
Drivers: Payroll data changes daily (time entries, new hires, adjustments), so losing more than a day of changes would force manual re-entry and risk incorrect pay. A 24-hour RPO requires backups at least daily; the current weekly backup schedule can only support a seven-day RPO and would have to be tightened to daily backups for this objective to be achievable.

Identify the information systems (servers, security devices, etc.) that play a role in the eCommerce business process.

Servers: eCommerce front-end server, database server
Security Devices: Firewall, routers
Network Devices: Switches

Identify the information systems (servers, security devices, etc.) that play a role in the Payroll business process.

Servers: Payroll server, domain controller
Security Devices: Firewall (for internal network security)
Network Devices: Switches
Identify the RTO values for each information system you identified in the previous steps and provide justifications.

A supporting system cannot have an RTO longer than the RTO of the process that depends on it, otherwise the process RTO cannot be met; the values below are set with that constraint in mind.

eCommerce Business Process:

eCommerce Front-End Server: RTO = 2 hours
Justification: Critical for customer access and transactions. Fast recovery keeps lost sales to a minimum and matches the 2-hour process RTO.

Database Server: RTO = 2 hours
Justification: Stores all transaction data, and the front end cannot take orders without it. Because the eCommerce process RTO is 2 hours, the database must be restored within the same window; restoring it later would leave the process RTO unachievable.

Payroll Business Process:

Payroll Server: RTO = 4 hours
Justification: Payroll processing must be restored quickly so employees are paid on time. A 4-hour RTO matches the payroll process RTO.

Domain Controller: RTO = 4 hours
Justification: The domain controller authenticates the staff and service accounts that run payroll, so it must be available no later than the payroll server. It should be restored first in the recovery sequence, within the same 4-hour window.
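The RTO/MTD relationship from the guided exercises and the process, system and backup values from the challenge exercise can be checked mechanically. The script below is an added example, not part of the lab or of NIST SP 800-34. It assumes all durations are in hours, that a system's backup interval is the best RPO it can actually deliver, and that recovery priority is decided by process impact first and RTO second (that ordering rule is this example's own, not the lab's). The Acme figures are constructed from the challenge exercise and deliberately include two draft-stage inconsistencies (a 6-hour domain controller RTO against a 4-hour payroll RTO, and weekly payroll backups against a 24-hour RPO) so that the checks have something to catch.

```python
"""BIA recovery-objective consistency checks (added example, not part of the lab).

Assumptions: durations are in hours; a system's backup interval is used as the
best RPO it can deliver; the Acme figures are constructed from the challenge
exercise and intentionally contain two inconsistencies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class System:
    name: str
    rto_h: float                               # recovery time objective for this resource
    backup_interval_h: Optional[float] = None  # None: holds no data that needs restoring


@dataclass
class Process:
    name: str
    impact: str                                # "High", "Moderate" or "Low", as in the lab
    mtd_h: float
    rto_h: float
    rpo_h: float
    systems: List[System] = field(default_factory=list)


IMPACT_RANK = {"High": 0, "Moderate": 1, "Low": 2}


def check_process(p: Process) -> List[str]:
    """Return one finding per violated rule; an empty list means the record is consistent."""
    findings: List[str] = []
    # Rule 1: the RTO must fit inside the MTD (the MTD also covers work after restoration).
    if p.rto_h > p.mtd_h:
        findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTD {p.mtd_h}h")
    for s in p.systems:
        # Rule 2: a resource the process depends on cannot recover later than the process.
        if s.rto_h > p.rto_h:
            findings.append(f"{p.name}/{s.name}: system RTO {s.rto_h}h exceeds process RTO {p.rto_h}h")
        # Rule 3: backups must run at least as often as the RPO demands.
        if s.backup_interval_h is not None and s.backup_interval_h > p.rpo_h:
            findings.append(f"{p.name}/{s.name}: backups every {s.backup_interval_h}h cannot meet RPO {p.rpo_h}h")
    return findings


def recovery_order(processes: List[Process]) -> List[str]:
    """Order systems for restoration: highest-impact process first, then shortest RTO.
    A system shared by several processes keeps its most demanding position."""
    best: Dict[str, Tuple[int, float]] = {}
    for p in processes:
        for s in p.systems:
            key = (IMPACT_RANK[p.impact], s.rto_h)
            if s.name not in best or key < best[s.name]:
                best[s.name] = key
    return [name for name, _ in sorted(best.items(), key=lambda kv: (kv[1], kv[0]))]


# Constructed input mirroring the challenge exercise. The 6-hour domain controller RTO
# and the weekly (168 h) payroll backup are the two draft errors the checks should catch.
ACME = [
    Process("eCommerce", "High", mtd_h=4, rto_h=2, rpo_h=1, systems=[
        System("eCommerce front-end server", 2),
        System("Database server", 2, backup_interval_h=1),
        System("Firewall", 1),
        System("Switches", 1),
    ]),
    Process("Payroll", "Moderate", mtd_h=12, rto_h=4, rpo_h=24, systems=[
        System("Payroll server", 4, backup_interval_h=168),
        System("Domain controller", 6),
        System("Firewall", 1),
        System("Switches", 1),
    ]),
]


def audit(processes: Optional[List[Process]] = None) -> List[str]:
    """Run every rule over every process and collect the findings."""
    processes = ACME if processes is None else processes
    return [f for p in processes for f in check_process(p)]


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
    print("Recovery order:", " -> ".join(recovery_order(ACME)))
```

Running it reports the two findings on the payroll process and orders the shared firewall and switches first, because the High-impact eCommerce process claims them with a 1-hour RTO; fixing the draft values (domain controller RTO of 4 hours, daily payroll backups) makes the audit return an empty list.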