Many organizations in the public, education, and non-profit world prioritize operations support while struggling to dedicate time or resources to technology business continuity planning. Physical safety and emergency operations may be addressed thoroughly with written plans, mandatory training, and practice drills, but continuity of technology operations may be missing from those plans. Disaster or disruption can be caused by or impact technology that is relied upon to respond and recover. Including technical representation during disaster recovery and business continuity planning is essential. As part of this process, here are suggestions for starting a technology business impact analysis (BIA).
Document and annually review the following information as part of an organization’s BIA:
- Inventory of all technology assets. “Technology assets” include physical equipment, hosted systems, virtual systems, and cloud systems. Documentation options which don’t require buying special BIA/Governance software:
  - Spreadsheet, if no other software supports BIA assessment data
  - IT service management software or other inventory-type software to define and/or document BIA metrics.
- With input from the business owner of each asset, define:
  - Data Sensitivity
  - Business Impact of the asset being unavailable
  - Financial Impact of the asset being unavailable
  - Recovery Time Objective (RTO) [How long can the business function without this asset before being significantly impacted?]
  - Recovery Point Objective (RPO) [How much data loss, measured back in time from the start of the outage, is acceptable before the business is significantly impacted?]
- For each asset, define with input from Technology:
  - Mean Time to Restore (MTTR) [Average time to restore the system to operational]
- Use RTO, RPO, and MTTR to quantitatively define the overall business impact of an asset being unavailable.
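The following is an added example, not part of the original article, showing one way to turn the metrics above into a quantitative check. The asset records, field names, the two gap rules (MTTR exceeding RTO, backup interval exceeding RPO) and the ordering rule are all constructed for illustration; a real organization would substitute its own inventory and scoring policy.

```python
"""Added example (not from the article): a small BIA gap check built from the
metrics the article lists. Asset records and the scoring rule are constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    sensitivity: str                  # e.g. "public", "internal", "confidential"
    business_impact: int              # 1 (low) .. 5 (severe), set by the business owner
    financial_impact_per_hour: float  # constructed figure, set by the business owner
    rto_hours: float                  # Recovery Time Objective
    rpo_hours: float                  # Recovery Point Objective
    mttr_hours: float                 # Mean Time to Restore, supplied by Technology
    backup_interval_hours: float      # how often backups run, from backup procedures


def gaps(a: Asset) -> list[str]:
    """Return the continuity gaps for one asset (constructed rules, not the article's)."""
    out = []
    # Restore time longer than the business can tolerate
    if a.mttr_hours > a.rto_hours:
        out.append(f"MTTR {a.mttr_hours}h exceeds RTO {a.rto_hours}h")
    # Backups too infrequent to keep data loss within the RPO
    if a.backup_interval_hours > a.rpo_hours:
        out.append(f"backup interval {a.backup_interval_hours}h exceeds RPO {a.rpo_hours}h")
    return out


def expected_outage_cost(a: Asset) -> float:
    """Cost of an outage lasting the realistic restore time (MTTR), not the hoped-for RTO."""
    return a.financial_impact_per_hour * a.mttr_hours


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Order assets by business impact, then by expected outage cost, so the
    'top 3, 5, or 10' list the article recommends falls out of the data."""
    return sorted(
        assets,
        key=lambda a: (a.business_impact, expected_outage_cost(a)),
        reverse=True,
    )


def sample_inventory() -> list[Asset]:
    """Constructed sample data for a small school-district style organization."""
    return [
        Asset("Student information system", "confidential", 5, 500.0, 4, 1, 8, 24),
        Asset("Public website", "public", 2, 50.0, 24, 24, 2, 24),
        Asset("Email (hosted)", "internal", 4, 200.0, 8, 4, 6, 12),
    ]


def bia_report(assets: list[Asset]) -> list[dict]:
    """One row per asset, most critical first, with its gaps and expected cost."""
    return [
        {
            "asset": a.name,
            "sensitivity": a.sensitivity,
            "expected_outage_cost": expected_outage_cost(a),
            "gaps": gaps(a),
        }
        for a in prioritize(assets)
    ]


if __name__ == "__main__":
    for row in bia_report(sample_inventory()):
        status = "; ".join(row["gaps"]) or "meets RTO/RPO"
        print(f"{row['asset']:<28} cost/outage={row['expected_outage_cost']:>8.2f}  {status}")
```

Run stand-alone, the script prints the constructed inventory in priority order and flags each asset whose restore time or backup cadence cannot meet the business owner's RTO or RPO; those flagged rows are exactly the items to raise with the asset owner, the MSP, or the third-party provider.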
Third-Party managed systems:
- Restoration may be out of your organization’s control, but the RTO and RPO metrics can help understand the impact of a cloud system outage.
- Your organization’s continuity planning may include external backup of third-party system data.
- Ask questions of critical third-party system providers related to their own business impact analysis and business continuity planning.
Working with Managed Service Providers:
- Ask your MSP for MTTR data for critical systems they manage for your organization.
- What are the MSP’s backup procedures (frequency, storage location and whether they are immutable)?
- Does the MSP have annually updated business continuity plans?
- Does the MSP conduct disaster tabletop exercises?
Completing the BIA for critical systems helps:
- Understand the asset owner’s needs and expectations.
- Evaluate current practices including data backup frequency/type/location, system mirroring, hot, warm, and cold site operations.
- Plan restoration in the event multiple assets are impacted.
- Better understand the time and cost of restoration in the event of a disaster.
TIP: Too much to document? Start with the assets and systems needed to perform the critical functions of the organization, for example the top 3, 5, or 10 most critical assets and systems.
Additional Resources
- Cybersecurity Risk Foundation Policy Templates
- NIST Business Impact Analysis Template (Word document)
- CIS Controls Business Impact Analysis Tool (for ransomware risk)
- Sample generative AI starting prompt to help create a spreadsheet for BIA data: “Assume the role of a technology risk management expert for a [library, k-12 school district, non-profit, etc]. Create a spreadsheet to use for business impact analysis of the organization’s critical technology assets.”
