CompTIA Security+

Security+: Business impact analysis concepts [updated 2021]

Preetam Kaushik
June 2, 2021 by
Preetam Kaushik

A business works via a network of relationships and operations that are constantly being established and re-established. What this means is, what works for the business right now, might not do the job two months (or any other point in the future) from now. The many variables that keep the cog of industry turning constantly change, which makes running a business very challenging. At every step of the way, some sort of blocker might arise, stopping, delaying or damaging the usual processes of the day-to-day running of a business. Identifying and dealing with these potential errors and risks is what makes business impact analysis (BIA) so crucial. A clear understanding of BIA is crucial for those taking the Security+ exam.

Become a SOC Analyst: get Security+ certified!

Become a SOC Analyst: get Security+ certified!

More than 47,000 new SOC analysts will be needed by 2030. Get your CompTIA Security+ to leap into this rapidly growing field — backed with an Exam Pass Guarantee.

Three main steps of BIA

A highly recommended approach for developing a BIA is built upon the following three steps:

Developing a comprehensive understanding of the business environment

For a business to implement a holistic BIA, it must have a proper understanding of the multitude of information assets used to achieve the company’s mission. This is accomplished by meeting with each business unit and understanding which technologies are essential for them to unleash their day-to-day responsibilities. By cataloging the entire business environment, organizations are then able to ensure that their disaster recovery plan properly includes all the systems necessary to maintain operations and achieve its goals. As an added benefit, during this portion of the exercise, a company may discover potential cost-saving avenues by identifying unnecessary or redundant technologies.

Quickly identifying the critical technologies and processes

As soon as the company has cataloged the technologies that make up its core environment, it must then prioritize the technologies based on how crucial they are for achieving the organization’s mission and performing daily operations. While there are many ways to assess criticality, the assessment must be completed in a manner that lets the users of the BIA consistently compare technologies across the company. An organization can achieve this by establishing a common criterion by which technology or process is assessed.

Establishing clear RTOs and RPOs

With critical technologies and processes identified, users of the BIA, in conjunction with business unit leads, will be able to easily identify and allocate proper recovery time objectives (RTOs) and recovery point objectives (RPOs). RTO is the targeted duration of time a system can be unavailable and must be restored before an unacceptable impact to operations occurs. And RPO is the maximum targeted period in which an undesirable event can go on before the system starts falling apart. Assets that have a higher criticality score will have smaller RTOs and RPOs and will need to be recovered as quickly as possible. Processes that score low and have larger RTOs and RPOs can be handled at a much slower rate, relatively speaking.

What does BIA achieve?

The purpose of a business impact analysis is to make a company less vulnerable to the obstacles that might arise due to various reasons. It does so by achieving the following goals.

  • Identify key processes and functions of the business.
  • Establish a detailed list of requirements for business recovery.
  • Determine what the resource interdependencies are.
  • Figure out the impact on daily operations.
  • Develop priorities and classification of business processes and functions.
  • Develop recovery time requirements.
  • Determine the financial, operational and legal impact of disruption.

How does BIA achieve results?

Getting the right information to conduct a BIA for a company can be a tedious process, which is why it is important to get professionals to handle it. These guys have three main techniques for digging up the information to create the most well-adjusted BIA for any organization. They are surveys, interviews and workshops.

Impact scenarios for businesses

All scalable or scaled businesses must deal with possible loss scenarios which have the potential of disrupting or interrupting everyday operations. Performing risk assessment using BIA can help a company pre-emptively identify such scenarios. Some of the most common ones that are found across businesses and industries are below: 

Workplace accidents

Often, businesses suffer from losses due to workplace accidents. A fire at a factory where the critical tasks of the business are performed can cause a closure. A burst pipe in the water supply in a company where workers work on the floor may also incapacitate the work area for quite a lengthy amount of time. Any such accident can lead to machines malfunctioning which puts a whole other kind of dent in the work plan. An accident that causes personal injury or harm to a critical worker can even slow down or shut down the complete process.

Natural disasters

While insurance companies might look at natural disasters as acts of God, this does not negate the fact that incidents like earthquakes, floods, hurricanes and the like can dramatically impact the functioning of a business. Any of these can cause power outages that can shut down entire industrial belts.

Human error

Computer virus attack, theft, embezzlement, fraud, market decline and the like count as human errors. These can be instigated by people both inside and outside the organization, at times willfully, and at times by accident. The seriousness of these incidents’ impacts might differ, which makes it even more necessary to have a business impact analysis available beforehand.

Scope of business impact analysis

Lots of organizations try to make their business impact analysis more manageable by breaking it down into smaller business unit-sized parts, with different department leads conducting BIAs in silos. However, this can be a major error that puts the viability of the entire business continuity at risk.

To truly understand recovery requirements unless one must compare the functions and the recovery procedures of those functions across the entire business. For example, it does not help to do a BIA for marketing, and then do a separate one for operations. However, the scope of BIA can be gradually scaled from department to department, as long as you decide beforehand how the recovery priorities that emerge from departments compare across the spectrum of the whole company.

The BIA identifies systems and components that are essential to a company or brand’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components and the potential losses from an incident. These are all necessary tools that need to be studied and understood by those who are serious about taking the Security+ exam.

IT administrators who are focused on security need to have the ability to precisely prioritize their time and efforts when it comes to taking steps to fix any security concerns a business might face. A Security+ certification can go a long way in making that possible.

However, there are other areas as well that the Security+ certification holder needs to be aware of, and these include the following:

Single point of failure

Many information technology systems are dependent upon one another. In many cases, if one part of it fails, then it is quite likely that the entire subsystem or even the entire system could potentially fail. Therefore, it is important to realize and understand in the implementation of a system, that the appropriate countermeasures should be put into place to make sure that the appropriate backups are in place in order make sure that the IT system is still running even if one point in the segment (such as a network subnet) fails.

Property and finance

These two topics are interlinked with one another because obviously, the property has financial value to it. In this instance, there are two types of property:

  • Physical property: This is the land, the building and the physical assets that the business or corporation owns to carry normal, day-to-day functions.
  • Intellectual property: this includes the trademarks, patents and other ideas or inventions that the organization owns or possesses. Both above types of property have financial value to them, and even the concept of finance includes the cash flow and the bottom line of the company. In both cases, any impacts from a cyberattack must be taken into consideration here, as these are some of the prime targets for a cyberattacker.
    • Privacy impact assessment: this can be defined specifically as the following: “A privacy impact assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared and maintained.” In this instance, this would include such pieces of data as credit card and banking information, Social Security numbers, physical addresses, email addresses and more. This component should also be included in any kind of BIA, yet once again, this type of information is a prime target for the cyberattacker.
    • Identification of critical systems

In the business or corporation, this very often refers to the IT Infrastructure. Critical systems would include such things as servers, databases, backup tools, employee workstations, wireless devices and more. If there is an outage or downtime with these systems, this can have a significant impact on the organization. As a result, this needs to be taken into serious consideration as well into the BIA, to make sure that downtime can be minimized as much as possible.

For more on the Security+ certification, view our Security+ certification hub.


Preetam Kaushik
Preetam Kaushik