Security+: Business Impact Analysis Concepts [Updated 2019]
A business works via a network of relationships and operations that are constantly being established and re-established. What this means is that what works for the business right now might not do the job two months (or any other point in the future) from now. The many variables that keep the cog of industry turning change constantly, which makes running a business very challenging. At every step of the way, some sort of blocker might arise, stopping, delaying, or damaging the usual processes of the day-to-day running of a business. Identifying and dealing with these potential errors and risks is what makes Business Impact Analysis (BIA) so crucial. A clear understanding of BIA is crucial for those taking the Security+ exam.
Three main steps of BIA
A highly recommended approach for developing a BIA is built upon the following three steps:
Developing a comprehensive understanding of the business environment
For a business to implement a holistic BIA, it is essential that it has a proper understanding of the multitude of information assets used to achieve the company’s mission. This is accomplished by meeting with each business unit and understanding which technologies are essential for them to carry out their day-to-day responsibilities. By cataloging the entire business environment, organizations are then able to ensure that their disaster recovery plan properly includes all the systems necessary to maintain operations and achieve its goals. As an added benefit, during this portion of the exercise, a company may discover potential cost-saving avenues by identifying unnecessary or redundant technologies.
Quickly identifying the critical technologies and processes
As soon as the company has cataloged the technologies that make up its core environment, it must then prioritize those technologies based on how crucial they are for achieving the organization’s mission and performing daily operations. While there are many ways to assess criticality, it is imperative that the assessment is completed in a manner that lets the users of the BIA consistently compare technologies across the company. An organization can achieve this by establishing a common criterion by which each technology or process is assessed.
Establishing clear RTOs and RPOs
With critical technologies and processes identified, users of the BIA, in conjunction with business unit leads, will be able to easily identify and allocate proper Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). The RTO is the targeted duration of time a system can be unavailable and must be restored within before unacceptable impact to operations occurs. The RPO is the maximum targeted period during which an undesirable event can continue before the system starts falling apart. Assets that have a higher criticality score will obviously have smaller RTOs and RPOs and will need to be recovered as quickly as possible. Processes that score low and have larger RTOs and RPOs can be handled at a much slower rate, relatively speaking.
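A worked version of the three steps above, added here as an illustration and not taken from the article: a catalogue of assets scored on one common set of impact criteria, with the resulting criticality mapped to RTO/RPO tiers. It goes slightly beyond the text by pushing criticality down the dependency chain, so a shared system inherits the criticality of everything that relies on it. Asset names, weights, impact ratings and tier thresholds are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Shared criteria so scores compare across business units (weights are assumed).
WEIGHTS = {"financial": 0.4, "operational": 0.4, "legal": 0.2}
# Score threshold -> (tier, RTO hours, RPO hours); constructed values.
TIERS = [(4.0, "Tier 1", 4, 1), (2.5, "Tier 2", 24, 8), (0.0, "Tier 3", 72, 24)]

@dataclass
class Asset:
    name: str
    impact: dict                                   # criterion -> 1 (minor) .. 5 (severe)
    depends_on: list = field(default_factory=list)  # assets this one cannot run without

def direct_score(a: Asset) -> float:
    """Step 2: weighted impact on the common criteria, before dependencies."""
    return sum(WEIGHTS[k] * a.impact.get(k, 1) for k in WEIGHTS)

def effective_scores(catalog: dict) -> dict:
    """A system is at least as critical as anything that depends on it, so
    criticality is pushed down the dependency chain until nothing changes."""
    scores = {n: direct_score(a) for n, a in catalog.items()}
    changed = True
    while changed:
        changed = False
        for a in catalog.values():
            for dep in a.depends_on:
                if scores[dep] < scores[a.name]:
                    scores[dep], changed = scores[a.name], True
    return scores

def recovery_targets(catalog: dict) -> dict:
    """Step 3: map each asset's effective score to an RTO/RPO tier."""
    result = {}
    for name, score in effective_scores(catalog).items():
        tier, rto, rpo = next((t, r, p) for m, t, r, p in TIERS if score >= m)
        result[name] = {"score": round(score, 2), "tier": tier, "rto_h": rto, "rpo_h": rpo}
    return result

# Constructed catalogue, as if gathered from business-unit interviews (step 1).
CATALOG = {a.name: a for a in [
    Asset("order-portal", {"financial": 5, "operational": 5, "legal": 3}, ["erp-db", "idp"]),
    Asset("erp-db", {"financial": 4, "operational": 3, "legal": 4}, ["san"]),
    Asset("idp", {"financial": 2, "operational": 3, "legal": 2}, ["san"]),
    Asset("san", {"financial": 1, "operational": 2, "legal": 1}),
    Asset("wiki", {"financial": 1, "operational": 2, "legal": 1}, ["idp"]),
]}

if __name__ == "__main__":
    for name, t in sorted(recovery_targets(CATALOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{name:13} {t['tier']} score={t['score']} RTO={t['rto_h']}h RPO={t['rpo_h']}h")
```

Note that the storage array scores low on its own but lands in Tier 1 because the order portal depends on it; the wiki, which nothing depends on, stays in Tier 3.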
What does BIA achieve?
The purpose of a business impact analysis is to make a company less vulnerable to the obstacles that might arise due to various reasons. It does so by achieving the following goals.
- Identify key processes and functions of the business.
- Establish a detailed list of requirements for business recovery.
- Determine what the resource interdependencies are.
- Figure out the impact on daily operations.
- Develop priorities and classification of business processes and functions.
- Develop recovery time requirements.
- Determine financial, operational, and legal impact of disruption.
How does BIA achieve results?
Getting the right information to conduct a BIA for a company can be a tedious process, which is why it is important to get professionals to handle it. These professionals have three main techniques for digging up the information needed to create the most well-adjusted BIA for any organization: surveys, interviews, and workshops.
Impact scenarios for businesses
All scalable or scaled businesses must deal with possible loss scenarios that can disrupt or interrupt everyday operations. Performing a risk assessment using BIA can help a company pre-emptively identify such scenarios. Some of the most common ones found across businesses and industries are described below.
Often, businesses suffer from losses due to workplace accidents. A fire at a factory where the critical tasks of the business are performed can cause closure. A burst pipe in the water supply in a company where workers work on the floor may also incapacitate the work area for quite a lengthy amount of time. Any such accident can lead to machines malfunctioning which puts a whole other kind of dent in the work plan. An accident that causes personal injury or harm to a critical worker can even slow down or shut down the complete process.
While insurance companies might look at natural disasters as ‘acts of God,’ this does not negate the fact that incidents like earthquakes, floods, hurricanes, etc. can dramatically impact the functioning of a business. Any of these can cause power outages that can shut down entire industrial belts.
Computer virus attacks, theft, embezzlement, fraud, market decline, etc. count as human errors. These can be instigated by people both inside and outside the organization, at times willfully and at times by accident. The seriousness of these incidents’ impacts might differ, which makes it even more necessary to have a business impact analysis available beforehand.
Scope of Business Impact Analysis
Lots of organizations try to make their business impact analysis more manageable by breaking it down into smaller, business-unit-sized parts, with different department leads conducting BIAs in silos. However, this can be a major error that puts the continuity of the entire business at risk.
Recovery requirements cannot be truly understood unless one compares the functions, and the recovery procedures for those functions, across the entire business. For example, it does not help to do a BIA for marketing and then do a separate one for operations. However, the scope of the BIA can be gradually scaled from department to department, as long as you decide beforehand how the recovery priorities that emerge from each department compare across the whole company.
The BIA identifies systems and components that are essential to a company or brand’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident. These are all necessary tools that need to be studied and understood by those who are serious about taking the Security+ exam.
IT administrators who are focused on security need to be able to precisely prioritize their time and efforts when taking steps to fix any security concerns a business might face. A Security+ certification can go a long way in making that possible.
However, there are other areas as well that the Security+ cert holder needs to be aware of, and these include the following:
- Single Point of Failure: Many Information Technology systems are dependent upon one another. In many cases, if one part fails, it is quite likely that the entire subsystem or even the entire system could fail. Therefore, it is important to realize, when implementing a system, that the appropriate countermeasures and backups should be put into place so that the IT system keeps running even if one point in the segment (such as a network subnet) fails.
- Property, Finance: These two topics are interlinked with one another because property obviously has financial value. In this instance, there are two types of property:
  - Physical property: This is the land, the building, and the physical assets that the business or corporation owns to carry out its normal, day-to-day functions.
  - Intellectual property: This includes the trademarks, patents, and other ideas or inventions that the organization owns or possesses.
  Both types of property have financial value, and the concept of finance also includes the cash flow and the bottom line of the company. In both cases, any impacts from a cyber-attack must be taken into consideration here, as these are some of the prime targets for a cyber attacker.
- Privacy Impact Assessment: This can be defined specifically as the following: “A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained.” (SOURCE: http://www.dataversity.net/privacy-impact-assessments/) In this instance, this would include such pieces of data as credit card and banking information, Social Security numbers, physical addresses, e-mail addresses, etc. This component should also be included in any kind of BIA, since once again this type of information is a prime target for the cyber attacker.
- Identification of critical systems: In the business or corporation, this very often refers to the IT infrastructure. Critical systems would include such things as the servers, databases, backup tools, employee workstations, wireless devices, etc. Any outage or downtime with these systems can have a significant impact on the organization. As a result, this also needs to be taken into serious consideration in the BIA, to make sure that downtime is minimized as much as possible.