IS 3110
Debra Williams
1. What is the goal and purpose of a BIA?
a. The purpose of a business impact analysis (BIA) report is to describe the potential risks specific to the organization studied. One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.
2. Why is a business impact analysis (BIA) an important first step in defining a business continuity plan (BCP)?
a. The BIA is the first step because it identifies the impact that can result from disruptions to the business. Without the BIA, the BCP could not identify and prioritize the systems and processes that must be sustained, nor provide the information needed to maintain them.
3. How do risk management and risk assessment relate to a business impact analysis for an IT infrastructure?
a. Risk assessment relates to a business impact analysis by showing the amount of risk in making a business decision, comparing the potential loss against the probability that the loss will occur.
b. Risk management relates to a business impact analysis by identifying resources and their associated risks, determining the magnitude of those risks, identifying what safeguards are needed, and maintaining the proper techniques to mitigate the risks.
4. What is the definition of Recovery Time Objective (RTO)? Why is this important to define in an IT Security Policy Definition as part of the Business Impact Analysis (BIA) or Business Continuity Plan (BCP)?
a. The RTO is the time in which the system or function must be recovered. The RTO would be equal to or less than the MAO. For example, if the MAO is