1. What is the goal and purpose of a BIA? To identify which business units, operations and processes are crucial to the survival of the business. It establishes a timeframe in which business functionality must be restored. It also identifies the resources that will be necessary for business functionality.
2. Why is a business impact analysis (BIA) an important first step in defining a business continuity plan (BCP)? The BIA identifies the critical and non-critical functions of the business. The BIA provides timeframes for critical functions to resume, for the business to become functional. The BIA estimates the costs related to the failure, such as loss of cash flow, salaries for critical employees to recover from a failure, and the cost of new equipment. The BIA provides a framework to build the BCP upon.
3. How do risk management and risk assessment relate to a business impact analysis for an IT infrastructure? Identification of risk is necessary to establish the impact it will have on the IT infrastructure. The assessment gives the risk a category and priority. The process of prioritizing helps to manage risks that have a high impact and probability of occurring.
4. True or False – If the Recovery Point Objective (RPO) metric does not equal the Recovery Time Objective (RTO), you may potentially lose data or not have data backed up to recover. This represents a gap in potential lost or unrecoverable data. False, the RPO could be 30 mins while the RTO could be 1 hour. The RPO depends upon the backup; if it occurs every day at 5pm, then no data would be lost. If the backup is every hour, then data not backed up prior to the outage would have the potential for being lost.
5. What questions would you have for executive management prior to finalizing a BIA report? Do all critical employees understand their role should an outage/disaster occur? Are there third-party vendors that need to be considered in the BIA? Is there an alternate site available, should the current building not survive? Is data stored at an off-site facility?
6. How does a BCP help mitigate risk? With planning and testing, a business will be prepared in the event of a disaster. The BCP lays out the steps to take to get the business back to functionality.
7. What kind of risk does a BCP help mitigate? The interruption of business-critical operations or processes. The BCP helps in planning and testing of procedures to allow the business to continue during a disaster. It also helps prevent lost data and services being unavailable to customers.
8. If you have business liability insurance, asset replacement insurance, and natural disaster insurance, do you still need a BCP or DRP? Why or why not? Yes, the BCP’s objective is to get the business back to functioning normally; the DRP is focused on restoring and recovering the IT functions of the business. Insurance may replace buildings and equipment, but without plans, where would the business start to get back to functionality? Those are the questions that are answered by the BCP and DRP.
9. What does a BIA help define for a BCP? It defines the critical and non-critical processes/operations of a business.
10. Who should participate in the development of a BCP within an organization? All personnel who have an interest in the survivability of the business. All levels of management, IT personnel, and users essential to the normal functions/operations of the business.
11. Why do disaster planning and disaster recovery belong in a BCP? To define the steps necessary for the continuation of business in the event of a disaster.
12. What is the purpose of having documented IT system, application, and data recovery procedures and steps? To provide a lay of the land: in the event a network has to be rebuilt from scratch, the original configurations and applications can be rebuilt to avoid conflicts in the network.
13. Why must you include testing of the plan in your BCP? To verify that the plan works prior to the actual need of the BCP. The testing procedures should not interfere with normal operations.
14. How often should you update your BCP document? Ensure the BCP is reviewed and updated at least annually. If critical systems are changed or modified between annual reviews, the BCP should be updated.