Final Project(Need in 10Hrs)

profileKrishRisk1_Sol
FinalProjectPartIITask1-BusinessImpactAnalysisBoilerPlate.pdf

ISOL 533 - Information Security and Risk Management BUSINESS IMPACT ANALYSIS University of the Cumberlands

1. Overview

This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the

HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was

prepared on Health Network, Inc (Health Network).

1.1 Purpose

The purpose of the BIA is to identify and prioritize system components by correlating them to the

mission/business process(es) the system supports, and using this information to characterize the impact

on the process(es) if the system were unavailable.

The BIA is composed of the following three steps:

1. Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission.

2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.

3. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission/business processes. Priority levels can be established for sequencing recovery activities and resources.

This document is used to build the HNetExchange Message system, HNetConnect Directory system and

HNetPay Payment system Business Contingency Plan (BCP) and is included as a key component of the

BCP. It also may be used to support the development of other contingency plans associated with the

system, including, but not limited to, the Disaster Recovery Plan (DRP).

2. System Description

{Provide a general description of system architecture and functionality as provided in the scenario

instructions. Indicate the operating environment, physical location, general location of users, and

partnerships with external organizations/systems. Include information regarding any other technical

considerations that are important for recovery purposes, such as backup procedures. Provide a diagram,

as an appendix, of the architecture, including inputs and outputs and telecommunications connections.}

ISOL 533 - Information Security and Risk Management BUSINESS IMPACT ANALYSIS University of the Cumberlands

3. BIA Data Collection

{Normally data collection can be accomplished through individual/group interviews, workshops, email,

questionnaires, or any combination of these. For this assignment, review the scenario and include

information you would expect to obtain during the normal data collection process}

3.1 Determine Process and System Criticality

Step one of the BIA process - Working with input from users, managers, mission/business process

owners, and other internal or external points of contact (POC), identify the specific mission/business

processes that depend on or support the information system.

Mission/Business Process Description

3.1.1 Identify Outage Impacts and Estimated Downtime

Outage Impacts

The following impact categories represent important areas for consideration in the event of a disruption

or impact.

Values for assessing category Risk Factors/Impact:

 Critical = “1”

 Major = “2”

 Minor = “3” Values for assessing category Recovery Time Objectives (RTO):

 Critical-1 = 4 hours

 Critical-2 = 8 hours

 Critical-3 = 24 hours

 Major-1 = 36 hours

 Major-2 = 48 hours

 Minor = 1 week

The table(s) below summarizes the impact on each mission/business process if the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system were unavailable.

ISOL 533 - Information Security and Risk Management BUSINESS IMPACT ANALYSIS University of the Cumberlands

Mission/Business Process

for HNetExchange

Impact Category

Risk Factor RTO Describe the Impact if unavailable

Mission/Business Process

for HNetConnect

Impact Category

Risk Factor RTO Describe the Impact if unavailable

Mission/Business Process

for HNetPay

Impact Category

Risk Factor RTO Describe the Impact if unavailable

Estimated Downtime

Working directly with mission/business process owners, departmental staff, managers, and other

stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.

 Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave continuity planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.

 Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information

ISOL 533 - Information Security and Risk Management BUSINESS IMPACT ANALYSIS University of the Cumberlands

system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.

 Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage.

The table below identifies the MTD, RTO, and RPO for the organizational mission/business processes

that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment

system.

Mission/Business Process

For HNetExchange MTD RTO RPO

Mission/Business Process

For HNetConnect MTD RTO RPO

Mission/Business Process

For HNetPay MTD RTO RPO

3.2 Identify Resource Requirements

The following table identifies the resources that compose the HNetExchange Message system,

HNetConnect Directory system and HNetPay Payment system including hardware, software, and other

resources such as data files.

System Resource/Component Description

It is assumed that all identified resources support the mission/business processes identified in Section 3.1

unless otherwise stated.

ISOL 533 - Information Security and Risk Management BUSINESS IMPACT ANALYSIS University of the Cumberlands

3.3 Identify Recovery Priorities for System Resources

The table below lists the order of recovery for <system name> resources. The table also identifies the

expected time for recovering the resource following a “worst case” (complete rebuild/repair or

replacement) disruption.

 Recovery Time Objective (RTO) - RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system

resources, supported mission/business processes, and the MTD. Determining the information

system resource RTO is important for selecting appropriate technologies that are best suited for

meeting the MTD.

Priority # System Resource/Component Recovery Time

Objective

ISOL 533 - Information Security and Risk Management BUSINESS IMPACT ANALYSIS University of the Cumberlands

Table 1 – BIA worksheet

Business Function or Process Business Impact Factor

Recovery Time

Objective IT Systems/Apps Infrastructure Impacts