Lab 7
Overview
When performing a BIA, you are trying to assess and align the affected IT systems, applications, and
resources to their required recovery time objectives (RTOs). The prioritization of the identified mission
critical business functions will define what IT systems, applications, and resources are impacted. The
RTO will drive what kind of business continuity and recovery steps are needed to maintain IT operations
within the specified time frames.
Overview
After completing your BIA report for your scenario and IT infrastructure, answer the following Lab #7 –
Assessment Worksheet questions. These questions are specific to your BIA you performed for your
scenario and IT infrastructure. Justify your answers where needed.
2. Why is a business impact analysis (BIA) an important first step in defining a business continuity plan
(BCP)?
- The BIA identifies which business functions are mission-critical and how long each can be down, which determines what systems, applications, and recovery steps the BCP must cover.
3. How does risk management and risk assessment relate to a business impact analysis for an IT
infrastructure?
- Risk management and risk assessment identify the risks, threats, and vulnerabilities in each of the seven domains of an IT
infrastructure. The BIA takes those findings and measures the business impact of an outage in each function, so the risk assessment supplies the priorities the BIA uses to assign RTOs and RPOs.
4. What is the definition of Recovery Time Objective (RTO)? Why is this important to define in an IT
Security Policy Definition as part of the Business Impact Analysis (BIA) or Business Continuity Plan
(BCP)?
- Recovery time objective (RTO) is the maximum acceptable length of time between an unexpected
failure or disaster and the resumption of normal operations and service levels. The RTO defines the point in time
after a failure or disaster at which the consequences of the interruption become unacceptable. Defining it in the security policy matters because the RTO is the target that backup, redundancy, and recovery procedures are designed and tested against; without it there is no measurable standard for whether the BCP or DRP is adequate.
5. True or False - If the Recovery Point Objective (RPO) metric does not equal the Recovery Time
Objective (RTO), you may potentially lose data or not have data backed-up to recover. This
represents a gap in potential lost or unrecoverable data.
- True. Any data created after the last completed backup and before the failure is not recoverable, so the interval between backups and the failure is a window of lost data that the RPO must account for.
7. What must you explain to executive management when defining RTO and RPO objectives for the
BIA?
- The RTO is the maximum time a function can be down before the impact becomes unacceptable; the RPO is the maximum amount of data loss, measured in time, the organization can accept. The RPO is the acceptable data latency, and it dictates how often backups must run. Management must understand that shorter RTOs and RPOs cost more (more frequent backups, standby systems, or an alternate site), so the objectives are a business decision, not only a technical one.
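The following is an added example, not part of the original worksheet, showing how the RPO and RTO from questions 5 and 7 can be checked against a real backup schedule. The function names, the nightly schedule, and the failure time are constructed for illustration. The point it makes that the answers above do not: a backup that is still running when the failure hits is not usable, so the worst-case data loss is the backup interval plus the backup's run time, not the interval alone.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Backup(NamedTuple):
    snapshot_at: datetime   # point in time the backup represents (when it started)
    completed_at: datetime  # when the backup became usable for a restore


def recoverable_point(backups: List[Backup], failure_at: datetime) -> Optional[datetime]:
    """Most recent snapshot that can be restored at failure time.

    Only backups that finished before the failure count; a backup still
    running when the failure hits cannot be restored from.
    """
    usable = [b.snapshot_at for b in backups if b.completed_at <= failure_at]
    return max(usable) if usable else None


def data_loss(backups: List[Backup], failure_at: datetime) -> Optional[timedelta]:
    """Span of data lost: from the last recoverable snapshot to the failure.

    None means nothing is recoverable at all (no backup ever completed).
    """
    point = recoverable_point(backups, failure_at)
    return None if point is None else failure_at - point


def worst_case_loss(interval: timedelta, duration: timedelta) -> timedelta:
    """Worst case for a periodic schedule: the failure lands an instant before a
    backup completes, forcing a restore from the previous snapshot."""
    return interval + duration


def assess(name: str, rpo: timedelta, rto: timedelta, backups: List[Backup],
           failure_at: datetime, restore_time: timedelta) -> dict:
    """Compare a business function's RPO/RTO against an actual outage scenario."""
    loss = data_loss(backups, failure_at)
    return {
        "function": name,
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "rto_met": restore_time <= rto,
    }


# Constructed scenario: nightly full backups start at 01:00 and take 3 hours.
SAMPLE_BACKUPS = [
    Backup(datetime(2024, 1, 1, 1, 0), datetime(2024, 1, 1, 4, 0)),
    Backup(datetime(2024, 1, 2, 1, 0), datetime(2024, 1, 2, 4, 0)),
    Backup(datetime(2024, 1, 3, 1, 0), datetime(2024, 1, 3, 4, 0)),
]
# The failure hits on day 3 while that night's backup is still running.
FAILURE_AT = datetime(2024, 1, 3, 3, 30)


def sample_assessment() -> dict:
    # Hypothetical objectives for a customer-service function.
    return assess("customer service", rpo=timedelta(hours=24), rto=timedelta(hours=8),
                  backups=SAMPLE_BACKUPS, failure_at=FAILURE_AT,
                  restore_time=timedelta(hours=6))


if __name__ == "__main__":
    result = sample_assessment()
    print(result)
    print("worst-case loss for this schedule:",
          worst_case_loss(timedelta(hours=24), timedelta(hours=3)))
```

With a 24-hour RPO and a 24-hour backup interval the schedule looks compliant on paper, but the scenario restores from the day-2 snapshot and loses 26.5 hours of data. The schedule must be tightened (or the RPO renegotiated with management) until the worst-case loss fits inside the RPO; the RTO is met here because the 6-hour restore is within the 8-hour objective.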
8. What questions do you have for executive management in order to finalize your BIA?
- Is there money in the budget for a separate backup site?
- If there is money in the budget for a separate backup site, how many of the backup servers
will be stored there?
- How often will we need to do a full back-up?
9. Why do customer service business functions typically have a short RTO and RPO maximum
allowable time objective?
- Customer service is a direct revenue and customer-facing function: the longer it is down, the
more sales and customers are lost, so the RTO must be short. The RPO is also short because a customer order or
case record that was lost at recovery time cannot be reconstructed from memory and must be re-entered or is gone. In a customer service organization, time is money.
10. In order to craft back-up and recovery procedures, you need to review the IT systems, hardware,
software and communications infrastructure needed to support business operations, functions and
define how to maximize availability. This alignment of IT systems and components must be based on
business operations, functions, and prioritizations. This prioritization is usually the result of a risk
assessment and how those risks, threats, and vulnerabilities impact business operations and functions.
What is the proper sequence of development and implementation for these following plans?
Business Continuity Plan : 2
Disaster Recovery Plan : 3
Risk Management Plan : 4
Business Impact Analysis : 1