Posted by: Pabrai
A Business Impact Analysis (BIA) is a key step in establishing the requirements of an IT contingency plan. The BIA enables an organization to characterize the system components, supported mission/business functions, and interdependencies. The BIA’s purpose is to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption.
An organization can use the BIA results to determine contingency planning requirements and priorities. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization’s various documents related to the contingency plan, such as a Disaster Recovery Plan and an Emergency Mode Operations Plan.
The BIA must be inclusive of all key departments and business units within the organization. Incorporating FIPS 199 categorization helps to ensure that the BIA accounts appropriately for the level of risk to the organization.
The result of a BIA exercise is a report that establishes priorities for a contingency plan. The NIST Special Publication SP 800-34 Rev 1 outlines three steps that are typically involved in accomplishing the BIA:
1. Determine mission/business functions and recovery criticality. Mission/Business functions supported by the system are identified and the impact of a system disruption to those functions is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission.
2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business functions and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.
3. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources.
So when is the last time you conducted a formal and thorough BIA exercise?