5.2.5 Business Impact Analysis
RTO, RPO, MTTR, MTBF.
The Business Impact Analysis (BIA) is a systematic process used to determine the potential consequences of business disruptions and identify the critical systems and data required for survival. It serves as the foundation for disaster recovery planning by quantifying or qualifying the impact of downtime.
BIA Fundamentals and Objectives - Mission-Essential Functions: The BIA identifies which workflows are critical to the organization’s continuous operation. If these fail, the business cannot fulfill its primary mission. - Identification of Critical Systems: Lists the specific hardware, software, and data dependencies required to support mission-essential functions. - Impact Analysis: Evaluates the consequences of disruptions, such as lost revenue, damaged reputation, or legal liabilities. - Resource Requirements: Determines the inventory of tools and personnel needed to resume operations as quickly as possible.
Service Level and Recovery Metrics - Recovery Time Objective (RTO): The maximum amount of time a system or application can be down before the impact is considered unacceptable. It defines the "target" time for restoration. - Recovery Point Objective (RPO): The maximum age of files that must be recovered from backup storage for operations to resume. This defines the organization's tolerance for data loss. - Service Level Agreement (SLA): A contract between a service provider and an end user that stipulates the minimum level of service required (e.g., "99.9% uptime").
Reliability and Repair Metrics - Mean Time Between Failures (MTBF): The predicted elapsed time between inherent failures of a system during normal operation. This is a measure of reliability for repairable items. - Mean Time to Failure (MTTF): The average time a non-repairable asset (like a single-use sensor or lightbulb) is expected to last before it fails completely. - Mean Time to Repair (MTTR): The average time required to troubleshoot, fix, and restore a failed component or system.
Risk and Impact Calculation - Quantitative vs. Qualitative: Security+ focuses primarily on qualitative impact (subjective assessment), though quantitative metrics (discrete numerical data) are used for technical downtime calculations. - Risk Mitigation: Implementing controls to reduce the likelihood or impact of a failure. - Risk Transference: Offloading the financial burden of an impact to a third party (e.g., purchasing cyber insurance).
Quick recall - RTO = Focus on downtime (clock time to fix). - RPO = Focus on data loss (age of the backup). - MTBF = Focus on uptime (how often it breaks). - MTTR = Focus on responsiveness (how fast it is fixed). - BIA = The "What if?" study that identifies critical business processes.