ITS 4910 - Information Trends/Research and Design Project

Module 8

This lesson presents some background on the eighth week. Objectives important to this lesson:

1. What is this week about?
   
2. Current assignments
   
   

Concepts:

We have assignments from the last two weeks that are due in week 8. Remember to complete and submit them if you have not already done so.

This week the course provides you with a template for a Business Impact Analysis (BIA). The assignment is for two weeks, but a draft is due next week. Once again, there is no rubric for this assignment, so we should discuss what is required.

A BIA should build a list of the assets that are critical to an organization, but it should also let you rate how important all the other assets are.

Three concepts that relate to a BIA:

• Maximum acceptable outage (MAO) - if an outage falls below this level, the business should be able to continue; if downtime exceeds MAO, the organization cannot meet its mission
• Critical business functions (CBFs) - a list of functions that our organization must be able to perform to meet its mission; actions we must be able to take
  
• Critical success factors (CSFs) - a list of things that our organization depends on to perform its functions, such as access to a running Internet, and other factors that are either inside or outside our circle of control; things and conditions we must have to do our business
  

The BIA process is meant to tag the things that are most important to our organization, whether they are IT systems, processes and procedures, or components of a system. We are not charged with identifying everything that is an asset. That should have already been done. We are just identifying the important things.

That being said, we need to set the scope for our inquiry. Are we determining the important things for all users, or a subset of all users? We should determine who the stakeholders are for the system, the division, the location, or the function we are documenting. It would always be better to include stakeholders for all aspects of our organization, but there may not be time, funding, or interest in doing a BIA for the entire organization.

Some systems are more important than others because most or all of the organization depends on them, such as assets concerned with a customer making an Internet purchase. Even a short downtime for the firewalls, web server, and database server all affect the immediate experience of the buyer. However, the buyer is not immediately affected by longer downtime for the warehouse or the shipper. The customer does not expect immediate shipment or delivery, unless we have made a silly promise that such a thing will happen.

On the right, you see a graph that shows time increasing along the x-axis, and cost increasing up the y-axis. Its point is that as outage time increases, cost of a disruption increases as well. In fact, the blue line on the graph indicates that the longer an outage lasts the faster the costs go up. A second curve is also shown on that graph. It shows that the costs to recover from an outage diminish as time goes on. The graph is similar to the ones you will see on this technet web page. The argument to make from this data is that there is a point where the two curves intersect, and that this point defines the time at which the combination of outage cost and recovery cost is typically the lowest.

When considering the maximum acceptable outage, you should also define the recovery objective. You will have to specify what conditions define "recovery" to you and your organization, else there will be internal and external disagreements about the state of recovery having been reached. If there is more to be done to reach recovery, obviously the cost will go up.