Information Technology Reference
In-Depth Information
n
Quantifiable opinion (individual perspective) versus fact (accepted
conventional perspective)
Caveat
: Do not overestimate the usefulness of a (stand-alone) question-
naire or underestimate the effectiveness of interviews; the bottom line is
that eye-to-eye conversation gets more than just pen to paper.
Determine key business functions.
Define
Categorize
Per key business function:
Survivability
Recovery time objective (RTO)/downtime tolerance (DTT)
Criticality
Operational impact of loss or performance reduction
Priority
Define what gets high-availability resources.
Define what receives first recovery efforts.
Accountability
Determine key personnel—who is critical to operations and how.
Primary
Alternate
Direct manager and department head
Decision makers; situational adjudicators
Determine critical infrastructure—information, information technology
directly providing key business function.
Determine supporting infrastructure—site, environmental, utilities sup-
porting personnel and critical infrastructure.
−
n
−
−
n
−
n
−
n
−
n
n
−
n
−
−
−
−
−
−
The BIA is a critical step to scope and focus efforts for business continuity,
disaster recovery, IT operational safeguards, personnel and physical safeguards,
and much more.
8.13.4
Best Practices
Disaster recovery and business continuity best practices typically mention the need
for a business impact assessment (BIA). BIA best practices include Queensland
government's Standard 18:
Information Architecture Information: Best Practice Sup-
plement
, and ISO 27002 includes business continuity and impact analysis.
The foundation of NIST security is asset categorization, where
high
denotes
critical systems,
medium
denotes important, and
low
is minimal; all consider the
potential organizational impact given the loss of the asset. The NIST model is
asset-centric, whereas the BIA model is process-centric or business function-cen-
tric. At the least, the NIST model provides best practice guidance when evaluating
