A Business Impact Analysis (BIA) is a critical piece of documentation that can help guide disaster recovery and business continuity tasks. When an incident occurs, not all assets will necessarily be affected, and some assets will be affected more severely than others. The main purpose of a BIA is to quantify just how much impact damage to a specific asset will have on your organization. Doing a BIA will also help you prioritize which assets need security controls the most.

To start a business impact analysis, clearly define the central mission of your business. The mission statement of your business is the ultimate high-level goal of its existence. Once you have clearly defined the mission, break it down into a list of specific functions and services that enable you to pursue it. For example, if you run a small café on the main street of your hometown, the core mission is probably something like: “To serve quality baked goods and beverages to customers in a clean, organized, and friendly environment”. To fulfill this mission, you will need reliable Point of Sale (PoS) systems to perform transactions, an Internet connection to support transactions and ordering, and likely some sort of cloud solution to host and manage CRM and ERP systems.

Once you have a high-level view of the core digital processes and systems that allow you to perform effectively, you can start breaking them down further into individual assets. Try to list every digital asset that supports the successful execution of each process. Earlier in this stage, you were directed to make inventories of hardware assets, software assets, digital identities, and network infrastructure. These inventories will make this step of the BIA much easier. Following the example of a small-town café, your key assets may look something like this:

  • Successful execution of customer transactions with reliable Point of Sale systems: iPad devices, PoS application, licenses for each instance of the PoS system, MDM software to manage and supervise activity on iPads, chargers to ensure iPad availability, user identities for each cashier, IAM software to supervise use of cashier identities
  • Wireless networking to host Point of Sale and backend systems: subscription to an ISP to provide network connectivity, cable modem, Wi-Fi router, extenders and additional access points for better connectivity, cabling to connect network devices
  • Cloud CRM and ERP systems: subscription to Software as a Service to host the systems, privileged identities to interact with the systems, encryption to protect data in the cloud, MFA for privileged identities, backups of cloud systems

You should now start ranking each process and its associated technology according to criticality. Having Wi-Fi go down in the middle of a workday is much more serious than an iPad running out of battery, which in turn is much more critical than the CRM system going offline. Since businesses rely on systems and processes working together to produce results, you should always factor in dependencies for each process and asset. You may come across one particular asset that seems irrelevant at first, until you realize that higher-level assets rely on it in order to function. That seemingly irrelevant asset is suddenly much more important than you originally thought. Earlier in this stage, you were directed to map the dependencies of your network resources. Consult this map heavily when ranking processes and assets.

Once you have a comprehensive list of your core business processes and their associated assets, you will want to assemble a list of cyber threats that are applicable to your environment. In the risk assessment earlier in this stage, you were directed to identify specific threats that could be combined with vulnerabilities to pose risks to your business. These identified risks are precisely what you want to list here. They should also be ranked according to relevance. Going back to the bakery example, the risk of a customer walking in and stealing a piece of technology is much higher than the risk of an intruder connecting a rogue access point to a network jack, especially since the café doesn’t have any network jacks in its building. Follow the logic and insights from your risk assessments and vulnerability scans to get a relevant list of cyber threats for the BIA.

At this point you have identified the critical processes and assets that make your business function, as well as the major threats that pose risk to said processes and assets. You can now begin assessing the impact a successful cyberattack will have on each technical asset. You will want to assess the impact in multiple categories, such as:

  • Financial Impact (lost revenue, replacement cost, customer refunds, fines)
  • Operational Impact (workflow disruption, service interruptions, production issues)
  • Reputational Impact (damage to customer trust, press coverage)
  • Legal Impact (data protection issues, breaches, non-compliance fines)
  • Human Impact (cessation of employment for employees, exposure of sensitive personal data resulting in emotional damage, physical safety concerns)

Let’s take the Wi-Fi router in the bakery as an example. If a cyberattack causes it to cease functioning, we can fill in the impact categories like this:

  • Financial Impact = loss of revenue since the PoS devices cannot serve customers without Internet, potential cost of a replacement router
  • Operational Impact = complete cessation of sales
  • Reputational Impact = word of mouth goes around that the bakery has bad Internet and may not be able to sell goods
  • Human Impact = employees are sent home for the rest of the day, resulting in lost wages

Some assets may have an impact in only one category, others may have multiple, and some will have impacts in all of them. You can start to get an idea of what assets are the most critical for your business. Now you will need to perform some quantitative analysis to make these impressions even more clear:

Maximum Tolerable Downtime (MTD): the amount of time an asset can be out of use before it starts negatively affecting business operations. For example, the Wi-Fi router has an MTD of 0 to a few minutes since its absence is felt almost immediately. However, something like the company QuickBooks account could sustain an MTD of one or two days.

Recovery Time Objective (RTO): the maximum amount of time you should take to get the affected asset restored. It should always be less than or equal to the MTD. In the previous example, since the router has an MTD of 0 minutes, the RTO also needs to be 0, implying that failover controls are necessary. The QuickBooks program outage, however, could have an RTO of 24 hours or so.

Recovery Point Objective (RPO): the amount of data loss that is acceptable from the asset. It is expressed in hours, as in “this many hours’ worth of lost data is acceptable”. This is especially relevant in cases of ransomware attacks. Data loss is a very sensitive consequence for any system, so most RPOs will be very short. For example, the company’s network file server could have a maximum RPO of one workday, or 8 hours. However, the cloud storage for financial transactions with customers should only have an RPO of 15 minutes or so, if that.

At this point, you have both qualitative and quantitative assessments of the impact each asset has on your core business processes. You now have the figures to properly prioritize the assets. The final criticality rating of each asset should factor in how many categories the asset impacts, the severity of the impact in each category, the length of its MTD, RTO, and RPO windows, and the number of other assets and systems that depend on it. Analyzing all of these factors should result in a criticality level of Low, Medium, or High.
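The rating step above can be made repeatable by scoring each asset from the same four factors. The following script is an added example, not part of the original guide or any template: the weights, urgency buckets and Low/Medium/High thresholds are assumptions, and the asset list is a constructed inventory modelled on the café example. It also generalizes the dependency factor by counting assets that depend on a given asset through a chain (the PoS application needs the iPad, which needs the router), and it rejects any asset whose RTO exceeds its MTD.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    impacts: dict              # category -> severity 1 (minor) .. 3 (severe); unaffected categories omitted
    mtd_hours: float           # Maximum Tolerable Downtime
    rto_hours: float           # Recovery Time Objective; must never exceed the MTD
    rpo_hours: "float | None"  # Recovery Point Objective; None when the asset holds no data
    depends_on: tuple = ()     # names of assets this one needs in order to function

def transitive_dependents(assets):
    """Count, per asset, how many others rely on it directly or through a chain (cycle-safe)."""
    rev = {a.name: [o.name for o in assets if a.name in o.depends_on] for a in assets}
    def reach(name, seen):
        for dependent in rev[name]:
            if dependent not in seen:
                seen.add(dependent)
                reach(dependent, seen)
        return seen
    return {a.name: len(reach(a.name, set())) for a in assets}

def urgency(hours):
    """Shorter tolerable windows score higher; bucket boundaries are an assumption."""
    return 0 if hours is None else 3 if hours <= 0.25 else 2 if hours <= 8 else 1 if hours <= 48 else 0

def score_asset(asset, n_dependents):
    """Add breadth and severity of impact, MTD/RPO urgency and dependents (weights are assumed)."""
    if asset.rto_hours > asset.mtd_hours:
        raise ValueError(f"{asset.name}: RTO {asset.rto_hours}h exceeds MTD {asset.mtd_hours}h")
    timing = urgency(asset.mtd_hours) + urgency(asset.rpo_hours)
    return len(asset.impacts) + sum(asset.impacts.values()) + timing + 2 * n_dependents

def criticality(assets):
    """Return {name: (score, 'Low'|'Medium'|'High')}; thresholds are assumed."""
    deps = transitive_dependents(assets)
    result = {}
    for a in assets:
        s = score_asset(a, deps[a.name])
        result[a.name] = (s, "High" if s >= 14 else "Medium" if s >= 8 else "Low")
    return result

CAFE_ASSETS = [  # constructed sample inventory modelled on the cafe example; values are illustrative
    Asset("Wi-Fi router", {"financial": 3, "operational": 3, "reputational": 2, "human": 2}, 0.05, 0, None),
    Asset("iPad (PoS)", {"financial": 2, "operational": 3}, 0.25, 0.25, None, ("Wi-Fi router",)),
    Asset("PoS application", {"financial": 2, "operational": 2}, 0.25, 0.25, 0.25, ("iPad (PoS)",)),
    Asset("Cloud CRM", {"financial": 1, "operational": 1, "legal": 2}, 48, 24, 0.25, ("Wi-Fi router",)),
    Asset("QuickBooks", {"financial": 1, "legal": 1}, 48, 24, 8, ("Wi-Fi router",)),
]
```

With these inputs the router scores High and the iPad ranks above the CRM, matching the ordering argued for earlier; changing a dependency or an MTD shows immediately how the ranking shifts.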

Once you have a criticality ranking for each asset, you can proceed with the rest of the framework. You now know which assets are the most vital to your business mission, and thus which assets need security controls most urgently. The highest-impact assets should receive the most attention when designing and implementing your cybersecurity program, while the medium- and low-criticality assets can be placed on secondary priority.

Template