relative importance to business functions. Priority determines which business
functions to address first in a continuity and recovery situation. Accountability
identifies key players (decision makers and doers—not to imply decision makers do
not do, but rather that most doers are not decision makers).
The BIA methodology applies to disaster recovery (DR), business continuity
(BC), or BC variants like contingency planning (CP) or continuity of operations
plan (COOP). The need for a BIA varies according to the status of the organization
and organizational change. Figure 8.12 provides a decision process for the
performance or reperformance of a BIA.
8.13.1 Compliance Requirements
Compliance requirements, insofar as legislation or regulation is concerned, do not
specifically address business impact assessments. NIST SP 800-30: Risk Management
Guide for IT Systems does mention an impact analysis as part of the risk assessment
process. However, that impact analysis is in the context of how a threat affects
confidentiality, integrity, and availability; this is not the same approach as a
BIA's focus on business functionality. Organizational policy is more likely to
define a BIA compliance requirement as a precursor to business continuity and
disaster recovery planning.
8.13.2 Policy
Security policies address the need for and provide details on disaster recovery and
business continuity; these policies address the specific need for BIA. BIA-specific
documentation finds form in guidelines and methodologies. The organizational
risk management policy should also address BIAs. Risk management policy should
primarily maintain a business focus and coincide with the need to present security
solutions in business terms.
8.13.3 Practice
The BIA methodology outline includes:
- Define scope
    - Physical (e.g., geographic region)
    - Functional (e.g., finance/accounting or manufacturing)
    - Enterprisewide
- Interviews/questionnaires
    - Interview guidelines
    - Questionnaires
    - Subjective opinion (individual perspective) versus fact (accepted
      conventional perspective)