Business Impact Analysis
Marc Scarborough, Information Security Officer
Rice University
marcs@rice.edu
Agenda
• Business Impact Analysis (BIA)
• Walk Through a Basic Template
• Example
• General Notes
• Questions
• Links
Why BIA?
• From NIST (your tax dollars at work):
  ◦ “The purpose of the BIA is to identify and prioritize system components by correlating them to the mission/business process(es) the system supports, and using this information to characterize the impact on the process(es) if the system were unavailable.”
Why BIA?
• Inventory
  ◦ When is the last time you had a good inventory of the systems performing your mission-critical work?
• Documentation
  ◦ In an emergency, do people know what to do?
• Prioritization
  ◦ It is better to know which systems are integral to supporting critical University functions and its mission before something happens.
Example BIA Template
• Service Description
• Outage Impact
• Maximum Tolerable Downtime
• Recovery Time Objectives
• Resource Requirements
• Recovery Priorities for System Resources
Service Description
• A primary focus of the BIA is to identify systems that support services critical to the University.
• The Service Description should capture whatever information is not already available elsewhere.
  ◦ As documentation for services matures, pointers to existing, more frequently updated information may be more appropriate, provided it contains the right information.
Service Description
• Description of what the service provides
• Hardware and software
• Customers potentially impacted by outages, both internal and external
  ◦ Contact information as well
• Systems and services that depend on it
• Systems and services that it depends on
• Vendor and support contact information
Outage Impact
• Which services should receive priority during or after an emergency should be determined by how much (and how quickly) an outage of that service impacts operations within the University.
Outage Impact
• When a service goes offline, how does it impact operations in the University?
  ◦ How long until operations are impacted?
  ◦ How long until operations are halted? This is the Maximum Tolerable Downtime (MTD).
  ◦ How long will it take to recover? This is the Recovery Time Objective (RTO).
• Many IT services support several University operations
  ◦ Outage impact should be analyzed for each
Maximum Tolerable Downtime
• MTD
  ◦ The absolute maximum time that a University operation can be stopped.
  ◦ For example, how long can the University go without the ability to pay for services?
  ◦ Each operation the service facilitates should have this information.
Recovery Time Objectives
• RTO
  ◦ The time a system (not an operation) can be unavailable before it potentially affects other systems.
  ◦ For example, how long can DNS stay down before Email goes down, affecting University business?
  ◦ This should be smaller than the MTD and must include the time to restore information or re-run processes (such as tape restores), all within the MTD window.
Resource Requirements
• The systems, hardware and software that support the service should be listed here.
• This might contain items from the Service Description section as well as specific dependencies.
Recovery Priorities
• Which systems and resources should be restored to service first?
• Now that the critical University operations, impacts to the campus, tolerable downtimes and service components have been identified, prioritize the recovery steps by system and resource.
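The RTO-within-MTD rule and the recovery prioritization step above, as an added Python example that is not from these slides or from Rice. It uses a constructed five-system inventory (system RTOs, dependencies, and an MTD per University operation), computes how long each system's restore chain takes when dependencies must come back first, flags operations whose chain cannot finish inside their MTD, and orders recovery so that dependencies are restored first and, among systems ready at the same time, the one inheriting the tightest MTD goes first. Treating restores as sequential along a dependency chain is a simplifying assumption.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter

@dataclass
class Service:
    name: str
    rto: float  # hours to restore this system, including tape restores / re-running processes
    depends_on: list = field(default_factory=list)
    operations: dict = field(default_factory=dict)  # University operation -> its MTD in hours

def effective_rtos(services):
    """Critical-path hours until each system is back: its own RTO after its slowest dependency."""
    eff = {}
    for n in TopologicalSorter({n: s.depends_on for n, s in services.items()}).static_order():
        eff[n] = services[n].rto + max((eff[d] for d in services[n].depends_on), default=0.0)
    return eff

def rto_violations(services):
    """(system, operation) pairs whose restore chain cannot finish inside the operation's MTD."""
    eff = effective_rtos(services)
    return [(n, op) for n, s in services.items() for op, mtd in s.operations.items() if eff[n] > mtd]

def inherited_mtds(services):
    """Tightest MTD each system must meet, counting the operations of everything that depends on it."""
    graph = {n: s.depends_on for n, s in services.items()}
    mtd = {n: min(s.operations.values(), default=float("inf")) for n, s in services.items()}
    for n in reversed(list(TopologicalSorter(graph).static_order())):  # dependents first
        for d in graph[n]:
            mtd[d] = min(mtd[d], mtd[n])
    return mtd

def recovery_order(services):
    """Restore in dependency waves; within a wave, the tightest inherited MTD goes first."""
    mtd = inherited_mtds(services)
    ts = TopologicalSorter({n: s.depends_on for n, s in services.items()})
    ts.prepare()  # raises graphlib.CycleError if the dependency list is circular
    order = []
    while ts.is_active():
        wave = sorted(ts.get_ready(), key=lambda n: (mtd[n], n))
        order.extend(wave)
        ts.done(*wave)
    return order

# Constructed sample inventory (hours); not Rice's actual data.
SERVICES = {s.name: s for s in [
    Service("dns", rto=2),
    Service("directory", rto=3, depends_on=["dns"]),
    Service("email", rto=4, depends_on=["dns"], operations={"Campus communications": 24}),
    Service("sakai", rto=8, depends_on=["dns", "directory"], operations={"Course delivery": 24}),
    Service("payments", rto=6, depends_on=["directory"], operations={"Paying vendors": 8})]}
```

Note that "payments" alone (6 hours) fits its 8-hour MTD; only once DNS and the directory are counted ahead of it does the chain (11 hours) miss the window.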
Example - Sakai (one slide per template section)
• Service Description
• Outage Impact
• Maximum Tolerable Downtime and Recovery Time Objective
• Resource Requirements
• Recovery Priorities for System Resources
General Notes
• It's late in the day...
• Remember what the BIA is designed to help you do:
  ◦ Identify and prioritize
  ◦ Help with both continuity and recovery planning
• The template I use is based on NIST guidelines, but each University will most likely need to create or modify one that works for them.
• Thank you
Questions?
Links
• NIST
  ◦ http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1.pdf