CompTIA Security+

Security+: Business impact analysis concepts

Preetam Kaushik
November 19, 2024 by
Preetam Kaushik

A business works via a network of relationships and operations that are constantly established and re-established. This means that what works for the business right now might not do the job in six months (or any other point in the future). The many variables that keep the cog of industry turning constantly change, which makes running a business very challenging. At every step of the way, some sort of blocker might arise, stopping, delaying or damaging the usual processes of the day-to-day running of a business.

Identifying and dealing with these potential errors and risks is what makes business impact analysis (BIA) so crucial. The topic of BIA is covered on the CompTIA Security+ exam. The primary objective related to it is 5.2, "Explain elements of the risk management process." Impact analysis is also covered in objective 1.3, "Explain the importance of change management processes
and the impact to security."

Read on to learn more about BIA. For more information on the Security+ exam, download our free Security+ ebook or explore Infosec's Security+ Training Boot Camp.

Three main steps of BIA

A recommended approach for developing a BIA is built upon the following three steps:

1. Developing a comprehensive understanding of the business environment

For a business to implement a holistic BIA, it must have a proper understanding of the multitude of information assets used to achieve the company’s mission. This is accomplished by meeting with each business unit and understanding which technologies are essential for them to unleash their day-to-day responsibilities. By cataloging the entire business environment, organizations can ensure that their disaster recovery plan properly includes all the systems necessary to maintain operations and achieve its goals.

As an added benefit, during this exercise, a company may discover potential cost-saving avenues by identifying unnecessary or redundant technologies.

2. Quickly identifying the critical technologies and processes

As soon as the company has cataloged the technologies that make up its core environment, it must prioritize them based on how crucial they are for achieving the organization’s mission and performing daily operations.

While there are many ways to assess criticality, the assessment must be completed in a manner that allows the BIA users to consistently compare technologies across the company. An organization can achieve this by establishing a common criterion for assessing a technology or process.

3. Establishing clear RTOs and RPOs

With critical technologies and processes identified, users of the BIA, in conjunction with business unit leads, can easily identify and allocate proper recovery time objectives (RTOs) and recovery point objectives (RPOs). RTO is the targeted duration for which a system can be unavailable and must be restored before an unacceptable impact on operations occurs. RPO is the maximum targeted period in which an undesirable event can occur before the system starts falling apart. 

Assets with a higher criticality score will have smaller RTOs and RPOs and need to be recovered as quickly as possible. Processes that score low and have larger RTOs and RPOs can be handled at a much slower rate, relatively speaking.

What does BIA achieve?

The purpose of a business impact analysis is to make a company less vulnerable to the obstacles that might arise due to various reasons. It does so by achieving the following goals.

  • Identify key processes and functions of the business.
  • Establish a detailed list of requirements for business recovery.
  • Determine what the resource interdependencies are.
  • Figure out the impact on daily operations.
  • Develop priorities and classification of business processes and functions.
  • Develop recovery time requirements.
  • Determine the financial, operational and legal impact of disruption.

How does BIA achieve results?

Getting the right information to conduct a BIA for a company can be a tedious process, which is why it is important to have professionals handle it. These professionals have three main techniques for digging up the information to create the most well-adjusted BIA for any organization:

  1. Surveys
  2. Interviews
  3. Workshops

Impact scenarios for businesses

All scalable or scaled businesses must deal with possible loss scenarios that have the potential to disrupt or interrupt everyday operations. Performing risk assessment using BIA can help a company pre-emptively identify such scenarios. Some of the most common ones that are found across businesses and industries are below: 

Workplace accidents

Often, businesses suffer from losses due to workplace accidents. A fire at a factory where critical business tasks are performed can cause a closure. A burst pipe in the water supply in a company where workers work on the floor may also incapacitate the work area for quite a lengthy amount of time. Any such accident can lead to machines malfunctioning, which puts a whole other kind of dent in the work plan. An accident that causes personal injury or harm to a critical worker can even slow down or shut down the process.

Natural disasters

While insurance companies might consider natural disasters acts of God, this does not negate the fact that incidents like earthquakes, floods, hurricanes and the like can dramatically impact a business's functioning. Any of these can cause power outages that can shut down entire industrial belts.

Human error

Social engineering, phishing, accidental data exposure and other attacks involving employees are human errors. A related category is malicious insiders, which is the intentional theft or cyber incident caused by an employee instead of an accidental incident. The seriousness of these incidents’ impacts might differ, which makes it even more necessary to have a business impact analysis available beforehand.

Scope of business impact analysis

Many organizations try to make their business impact analysis more manageable by breaking it down into smaller business unit-sized parts, with different department leads conducting BIAs in silos. However, this can be a major error that puts the viability of the entire business continuity at risk.

To truly understand recovery requirements, one must compare the functions and recovery procedures of those functions across the entire business. For example, it does not help to do a BIA for marketing and then a separate one for operations. However, the scope of BIA can be gradually scaled from department to department as long as you decide beforehand how the recovery priorities that emerge from departments compare across the spectrum of the whole company.

The BIA identifies systems and components essential to a company or brand’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components and the potential losses from an incident. These are all necessary tools that need to be studied and understood by those conducting these assessments.

A few other important areas to consider include are outlined below:.

Single point of failure

Many information technology systems are dependent upon one another. In many cases, if one part of it fails, then it is quite likely that the entire subsystem or even the entire system could potentially fail. Therefore, it is important to realize and understand, in the implementation of a system, that the appropriate countermeasures should be put into place to make sure that the appropriate backups are in place to make sure that the IT system is still running even if one point in the segment (such as a network subnet) fails.

Property and finance

Property and finance are interlinked because the property has financial value. In this instance, there are two types of property:

  • Physical property is the land, buildings and other physical assets the business or corporation owns to perform normal, day-to-day functions.
  • Intellectual property includes trademarks, patents and other ideas or inventions that the organization owns or possesses.

Both of the above types of property have financial value, and even the concept of finance includes the company's cash flow and bottom line. In both cases, any impacts from a cyberattack must be taken into consideration, as these are some of the prime targets for a cyberattacker.

Takaway: Business impact assessments

Conducting a thorough business impact analysis is essential for organizations seeking to navigate the complexities of operational risks and maintain continuity in the face of potential disruptions. This skill is valuable for a variety of IT, cybersecurity and risk professionals, which is why it's covered on the Security+ exam.

By understanding critical processes, establishing recovery objectives, and identifying interdependencies, businesses can strategically prepare for challenges, ensuring resilience and long-term success.

For more on the Security+ certification, view our Security+ certification hub.

Preetam Kaushik
Preetam Kaushik