Business Impact Analysis

Business Impact Analysis (BIA)

  • The process of evaluating all of the critical systems (important to core business functions) in an organization to define impact and recovery plans.

  • Determining the potential impacts (costs, resources, time) resulting from the interruption of time-sensitive or critical business processes.

  • Identifying critical business functions, systems, services, and technologies, along with the cost associated with their loss and the maximum acceptable outage period.

  • NIST Definition

Critical Functions

Mission-essential functions, roles, services, systems, applications, or data required to sustain business.

  • Steps:

    • Identification & Analysis

    • Prioritization

    • Calculating a Timeframe for Critical Systems Loss

    • Estimating the Tangible and Intangible Impact on the Organization

Single Point of Failure

  • One fault or malfunction can compromise an entire system or enterprise.

  • Can be people or technology.

  • Are avoided with redundancy and fault-tolerant protocols/procedures (HA - High Availability).

Recovery Objectives

  • RTO - Recovery Time Objective - The maximum amount of time that a process or service is allowed to be down while the consequences are still considered acceptable.

  • RPO - Recovery Point Objective - The point of last known good data prior to an outage that is used to recover systems.

    • As a general rule, the closer the RPO matches the time of the crash, the more expensive it is to obtain.
  • Mean Time to Failure (MTTF) - the average time to failure for a nonrepairable system.

    • Represents how long a product can reasonably be expected to perform, based on specific testing.

  • Mean Time Between Failures (MTBF) - the measure of the anticipated incidence of failure for a system or component.

    • Measurement determines the component's anticipated lifetime.

Mean Time to Recovery/Restore/Repair (MTTR)

  • The average time required to repair a failed system, device, or component and return it to operational status.

  • The calculation includes preparation time, active maintenance time, and delay time.

  • Often part of a maintenance contract.
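A small calculation of the metrics above from a set of outage records, added here as an illustration and not part of the original notes. The outage times, observation window, RTO, RPO and backup interval are constructed sample values, and MTBF is taken as total up time divided by the number of failures (one common convention):

```python
from datetime import datetime, timedelta

# Constructed outage records for one service (sample data, not from a real system):
# (time the service went down, time it was returned to operational status).
OUTAGES = [
    (datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 3, 30)),      # 1.5 h down
    (datetime(2024, 1, 14, 14, 0), datetime(2024, 1, 14, 14, 45)),  # 0.75 h down
    (datetime(2024, 1, 26, 9, 0), datetime(2024, 1, 26, 12, 0)),    # 3 h down
]
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 1, 31)           # 30-day observation window (assumed)

# Assumed recovery objectives and backup schedule for this service.
RTO = timedelta(hours=2)                     # maximum tolerable downtime per incident
RPO = timedelta(hours=1)                     # maximum tolerable data-loss window
BACKUP_INTERVAL = timedelta(hours=4)         # how often a recoverable copy is taken

HOUR = timedelta(hours=1)

def downtime_hours(outages):
    """Downtime of each incident, in hours."""
    return [(up - down) / HOUR for down, up in outages]

def mttr_hours(outages):
    """MTTR: average time to return the service to operational status."""
    d = downtime_hours(outages)
    return sum(d) / len(d)

def mtbf_hours(outages, start, end):
    """MTBF: total operating (up) time in the window divided by the number of failures."""
    total_up = (end - start) / HOUR - sum(downtime_hours(outages))
    return total_up / len(outages)

def availability(outages, start, end):
    """Fraction of the window the service was up; the figure an HA target is set against."""
    between, repair = mtbf_hours(outages, start, end), mttr_hours(outages)
    return between / (between + repair)

def rto_violations(outages, rto):
    """Indices of incidents whose downtime exceeded the RTO."""
    return [i for i, (down, up) in enumerate(outages) if up - down > rto]

def rpo_met(backup_interval, rpo):
    """With periodic backups, worst-case data loss equals the backup interval."""
    return backup_interval <= rpo

if __name__ == "__main__":
    print(f"MTTR={mttr_hours(OUTAGES):.2f} h  MTBF={mtbf_hours(OUTAGES, WINDOW_START, WINDOW_END):.2f} h")
    print(f"availability={availability(OUTAGES, WINDOW_START, WINDOW_END):.4%}")
    print("RTO violations:", rto_violations(OUTAGES, RTO), " RPO met:", rpo_met(BACKUP_INTERVAL, RPO))
```

The third incident shows up as an RTO violation, and a 4-hour backup interval cannot satisfy a 1-hour RPO, which is the cost trade-off the RPO note above refers to.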

Privacy Assessments

  • Personally Identifiable Information (PII) - Information that can be used to distinguish or trace an individual's identity, such as name, SSN, or biometrics, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

  • Personal Health Information (PHI)

  • Privacy Impact Assessment (PIA)

    • Identifies the adverse impacts that can be associated with the destruction, loss, corruption, or accidental disclosure of sensitive, personal, or private data for the organization.

    • Required for any organization that collects, uses, stores, or processes PII or PHI.

  • Privacy Threshold Assessment (PTA)

    • Determines whether a system contains PII or PHI.

Interconnection Security Agreement (ISA)

  • An agreement that specifies the security requirements for an interconnection between two organizations.