Business Impact Analysis (BIA)
The business impact analysis gathers asset valuation information that is useful for risk analysis and for the selection of security controls, together with criticality information that supports BC/DR planning by showing the organization which systems, data, and personnel must be kept running continuously. It is an assessment of the priority given to each asset and process within the organization.
It is based on the assumption that there are certain things the business needs to know in order to decide how it will handle risks within the organization.
The BIA is the basis of almost everything done within the organization. Business processes are prioritized according to the criticality of the assets identified as a result of the BIA. Assets can be tangible or intangible.
- Identify critical business processes and their dependencies, such as determining RPOs (recovery point objectives) and RTOs (recovery time objectives).
- Identify risks and threats, such as the failure of a cloud service provider (CSP).
- Identify requirements. These may come from senior management, from regulations, or from a combination of both.
Inventory of Assets
We must understand what assets exist before we begin to determine their value.
Valuation of Assets
We determine a value for every asset (usually in dollars): what it would cost the organization to lose that asset (either temporarily or permanently), what it would cost to replace or repair it, and any alternate methods for dealing with that loss.
A proper analysis should consider the effect ("impact") that any harm to or loss of each asset would have on the organization as a whole. Special care should be taken to identify critical paths and single points of failure.
Determination of Criticality
Criticality denotes those aspects of the organization without which the organization could not operate or exist.
The organization is a rental car company; cars are critical to its operations: if it has no cars to rent to customers, it can't do business.
The organization is a music production firm; the music is the company's intellectual property: if ownership of the music is compromised (for instance, if the copyright is challenged and the company loses ownership, or the encryption protecting the music files is removed and the music can be copied without protection), the company has nothing of value and will not survive.
The organization is a fast-food restaurant noted for its speed; the process of taking orders, preparing and delivering food, and taking payment is critical to its operations: if the restaurant cannot complete the process for some reason (for instance, the registers fail so that the restaurant cannot accept payment), the restaurant cannot function.
The organization is an international shipping line; matching orders to cargo carriers is critical to its operations. If the company cannot complete its logistical coordination (assigning cargo requests to carriers with sufficient capacity), it cannot provide its services and will not survive.
The organization is a surgical provider; the surgeon is critical to the existence of the company: if the surgeon cannot operate, there is no company.
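The three BIA steps above (inventory, valuation, criticality) worked through for the rental car scenario, as an added example that is not part of the original page. The asset values, RTOs and process dependencies are constructed sample data, and the impact formula (replacement cost plus hourly loss over the RTO) is an assumed simplification; an asset counts as a single point of failure when a critical process depends on it and no alternate exists.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    replacement_cost: float            # one-time cost to replace or repair
    loss_per_hour: float               # revenue lost per hour the asset is unavailable
    rto_hours: float                   # recovery time objective for this asset
    alternates: list = field(default_factory=list)  # fallbacks that avoid a single point of failure

@dataclass
class Process:
    name: str
    critical: bool                     # can the organization operate without it?
    depends_on: list                   # names of assets the process needs

# Step 1: inventory (constructed sample data for a rental car company)
ASSETS = {a.name: a for a in [
    Asset("fleet", 2_000_000, 5_000, 72),
    Asset("reservation_system", 150_000, 8_000, 4),
    Asset("payment_terminals", 20_000, 3_000, 2, alternates=["manual_imprinter"]),
    Asset("marketing_website", 30_000, 200, 48),
]}
PROCESSES = [
    Process("rent_vehicle", True, ["fleet", "reservation_system", "payment_terminals"]),
    Process("run_promotions", False, ["marketing_website"]),
]

# Step 2: valuation (assumed formula: replace/repair cost + downtime loss over the RTO)
def outage_impact(asset: Asset) -> float:
    return asset.replacement_cost + asset.loss_per_hour * asset.rto_hours

# Step 3: criticality; an asset is a single point of failure when a critical
# process depends on it and there is no alternate way to perform that function
def single_points_of_failure(processes, assets) -> set:
    return {name for p in processes if p.critical
            for name in p.depends_on if not assets[name].alternates}

# Rank assets for BC/DR attention: single points of failure first, then by impact
def prioritize(processes, assets):
    spof = single_points_of_failure(processes, assets)
    ranked = sorted(assets.values(),
                    key=lambda a: (a.name in spof, outage_impact(a)), reverse=True)
    return [(a.name, outage_impact(a), a.name in spof) for a in ranked]

if __name__ == "__main__":
    for name, impact, spof in prioritize(PROCESSES, ASSETS):
        print(f"{name:20s} impact=${impact:>12,.0f} spof={spof}")
```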