Assessing the Critical State
Assessing the critical state can be difficult because determining which pieces of the IT infrastructure are critical depends solely on how they support the users within the organization. For example, without consulting all of the users, a simple mapping program may not seem to be a critical asset for an organization. However, if there is a user group that drives trucks and makes deliveries for business purposes, this mapping software may be critical for them to schedule pick-ups and deliveries.
Table 8.3 lists example critical assets. Notice also that, when compiling the critical state and its associated asset list, the BCP/DRP project manager should note how the assets impact the organization in a section called “Business Impact.”
Table 8.3 Example Critical State IT Asset List.
| IT Asset | User Group Affected | Business Process Affected | Business Impact |
|---|---|---|---|
| GIS Mapping Software V2.8 | Delivery drivers | On-time delivery of goods | Customer relations and trust may be damaged |
| Time Keeping System V3.0 | All employees | Time keeping and payment for employees | Late paychecks are tolerable for a very short period (max. 5 days). Employees may walk off job site or worse |
| Microsoft Teams internal messaging system | Executive board, finance, accounting | Financial group communications with executive committee | Mild impact, financial group can also use email to communicate |
As you see in Table 8.3, not all IT assets have the same critical state. Within the Critical State asset list, the BCP/DRP project manager is encouraged to use a qualitative approach when documenting the assets, groups, processes, and impacts. During the business impact analysis, a quantitative measurement will be determined and associated with the impact of each entry.
Conduct Business Impact Analysis (BIA)
The Business Impact Analysis (BIA) is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization’s requirements, processes, and interdependencies with respect to the business mission [12]. It is an analysis to identify and prioritize critical IT systems and components. It enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities [12]. The objective is to correlate each IT system component with the critical service it supports. It also aims to quantify the consequence of a disruption to the system component and how that will affect the organization. The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset. This will directly impact what disaster recovery solution is chosen. For example, an IT asset that can only suffer a loss of service of 24 hours will have to utilize a warm recovery site at a minimum in order to prevent catastrophic loss in the event of a disruption.
Another benefit of conducting the BIA is that it also provides information to improve business processes and efficiencies because it details all of the organization’s policies and implementation efforts. If there are inefficiencies in the business process, the BIA will reflect that.
Exam Warning
The BIA is comprised of two processes. First, identification of critical assets must occur. Second, a comprehensive risk assessment is conducted.