Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam.
Comprehensive practice exam engine!
All features in the FREE plan, plus:
Welcome to our business impact analysis module. There are three steps in our business impact analysis process. The first step is to determine and identify all of our business processes and the recovery criticality for these processes. We'll have to determine how a system disruption will affect our critical system, and we'll also have to determine our outage impacts, and our estimated downtime if an incident occurs.
Second, we will have to identify the resources that we will need to get our systems back online quickly. And third, we have to identify the recovery priorities for our system resources. We have to determine which systems are the most critical and make sure that we can recover the most critical systems first, and the least critical systems last, to make sure that our business processes and functions can continue without a negative impact.
When we're conducting our business impact assessment, we will have to determine how we will be affected if an incident occurs. And we'll also have to determine how long we can be without our systems. First, we'll have to identify our corporate assets and determine the risks that are associated with each of those assets.
During our inventory process, we will have to determine what our assets are. And an asset is anything that has value for our organization. While we are identifying our assets, we will have to perform a criticality assessment to determine which assets are the most critical and which are the least critical.
We'll have to perform a risk assessment on each of our assets to determine what risks may exist and how we can mitigate those risks. And then we'll have to assign our recovery goals and priorities. While we're conducting our business impact assessment there are several key metrics that we will come up.
Our MTD or maximum tolerable downtime is the amount of time we can spend without our resource. The RTO or recovery time objective is how quickly we can recover if an incident occurs. And our recovery point objective is the amount of data loss we can sustain. A lot of systems will not allow us to lose any data because the data is very important to the organization.
We also may need to consider the cost of the downtime, for example some businesses, like maybe Amazon, if their website goes offline they could be losing millions of dollars in sales per hour. We also have to consider our recovery expenses, and our loss of credibility if we have a data breach, for example, and we release our customers sensitive information, then we could lose credibility in the industry and no longer have those customers. Our recovery point objective is the maximum amount of time that an organization will tolerate between back ups. This means that the maximum amount of data we can lose will be the data that was created between the time that the last backup was successfully generated and the time that the incident occurs.
Most businesses will not allow any data to be lost. The RTO or recovery time objective is how long it will take us to restore all of our data and resume our normal business operations after an event occurs. This includes the time it will take you to reinstall the system, restore the data from your last backup or RPO point and get the system secured so that it can go back online and you can resume your normal operations.
Immediate recovery is the most desirable but it will also be the most expensive. This is typically done by having a mirrored hot site with a current copy of all of your data. In the event of an incident where your primary location goes offline or is destroyed, the secondary system or the back up system will automatically take over operations where the first system stopped.
And you will not lose any data and you will not have your system go offline for any point of time. The maximum tolerable downtown is the amount of time we are allowing our systems to be offline. Depending on our organization, this could be only a few minutes, or it could be several days.
You do wanna be familiar with the RPO, the RTO, and the MTD, because you may see these metrics on the CISSP examination, and you wanna be able to know the difference between them. It is important to remember that a disaster can occur at any time, usually, without warning.
It's important to make sure that you are prepared for disasters before they occur. You also have to make sure that you're in compliance with any legal regulations based on your industry. There are several different types of losses that you can experience in your business if an incident occurs.
You could lose revenue, an interruption in your cash flow. You could have extra expenses if a disaster occurs like needing to purchase new equipment or rent out an extra space for your organization. You may compromise your customer service by disrupting customer service and upsetting your clients. You could violate contracts that you have which could generate penalties and the loss of future business.
You could have your customers lose confidence in you and this could damage your reputation and create a large financial impact. And if you fail to meet your legal and regulatory requirements, you may need to pay fines or you may lose a license or could even be sentenced to jail for failing to practice due diligence.
It's also important to know how to prioritize an immediate crisis versus a smoldering one. So, do you need to make an immediate action? Is a high-priority incident that needs to be dealt with right a way? Or can you delay a response on an item for a short period of time, making it a low priority? It's important to make sure that you don't delay the response on a low priority incident which then causes it to become a high priority incident. Once you have finished conducting your business impact analysis you should have identified all of your critical departments and resources, determined your threats and risks, discovered the impact that risks could have on our organization, determine the outage time that would be acceptable.
Determine any recovery alternatives and also determine how to prioritize your recovery steps based on the criticality and relationship of each individual system that's affected. Once you've conducted the VIA, you want to document your results and present it to your management staff for approval. You can then create balanced recovery plans.
The longer your disruption occurs, the higher the cost will be, so you wanna make sure that you can minimize the length of the disruption. And the shorter the recovery time objective, the higher the recovery solution will cost. So it's important to do your cost benefit analysis to determine if you want to spend extra money to prevent an incident from occurring and be prepared for it, or if you want to spend extra money after an incident occurs to recover from it.
Once we've conducted our business impact analysis and submitted it to management, we can then derive all our disaster recovery plan and our business continuity plan. This concludes our business impact analysis module. Thank you for watching.
Classified by skill and ranked by difficulty. Choose to answer questions in STUDY MODE to review and you go.
Know when you’re ready for the high-stakes exam. Have the confidence that you will pass on your first attempt.
Don’t forget what you’ve just studied! Use the intelligent reinforcement questions to stay fresh.
THANK YOU! Just bloody thank you! I’m doing the CEH minor at my college and well...I’ve learned more from this site in a few hours than I’ve learned from my school in 9 weeks about the subject. Keep up the good work!
Skillset’s Exam Engine continuously assesses your knowledge and determines when you are ready take and pass your exam. When Skillset learns that there is a gap between your knowledge and what you need to know to pass, we present you with a focused training module that gets you up to speed quickly. No fluff! Find your knowledge gaps and fill them.
Skillset is confident that we can help anyone pass their exam. If you reach 100% readiness, and you do not pass your exam, we will refund you plus pay for a replacement exam voucher. That’s how powerful our learning system is, we can offer this guarantee and stand behind our products with this no risk to you guarantee. See terms and conditions.
Don’t waste time studying concepts you have already mastered. Focus on what you need to know to pass. The Skillset Competency Diagnostic aligns our Exam Engine and Learning Plan to your baseline knowledge. This saves an average of 31% of the time required to prep for a professional certification exam.
More PRO benefits are being built all the time!