Business Impact Analysis – CompTIA Security+ SY0-401: 2.8

When a security event occurs, the organization will need to completely understand the business impact of the event. In this video, you’ll learn strategies that you can use to determine the true impact to the business.

<< Previous Video: Physical Security Control TypesNext: Critical Systems and Components >>


Business continuity is all about keeping the business going. Making sure that you’re able to provide services or products to your end users and your customers. And it really doesn’t matter what the incident is. It could be, in fact, pretty far-ranging. You could have power outages or database breach or stolen laptop. But also it might be a much bigger problem. There might be a fire or a tornado or hurricane, something that provides a very, very big challenge to making sure that your organization continues to function if any of these types of things occur.

To get a better handle on what that means, you should start with analyzing what would happen if certain things occur. What are the critical business functions in your environment? You need to understand what your primary business objectives are, and you need to make sure those are documented somewhere, and that you understand what that might be. If you’re not able to produce a particular product, you’re not able to have people in a building, or if you happen to lose a database, you need to understand how that’s going to affect the overall business of what you’re doing in your organization. Is it going to provide a loss of revenue? Are there going to be additional legal requirements and people to contact? Is customer service going to suffer if that particular thing occurs? If you lose a database or if you lose a building, it’s something to consider as part of your analysis.

You also want to know how long you’re going to be impacted. Is this problem going to be something where I’m going to need to bring in additional people? Am I going to need more equipment? Am I going to need to bring in some power generators? Are we going to need to bring in additional resources, third parties to come in? All of these things need to be thought of before the problem occurs so that you can be ready for them. And ultimately, you need to understand– we have us a bottom line, we have either service we’re providing or profit that we’re trying to make. How’s this going to affect us? And if we’re going to invest the money in recovering from a disaster, are we really going to see that back in the end and the final bottom line to our organization?

And that’s the business decision that has to be made by everybody. Being able to invest in disaster recovery is very often a very expensive thing. It’s not trivial to be able to do disaster recovery, to plan, to buy the resources, to test. There’s a lot of money involved. And you have to make the decision of that investment that we’re going to make in disaster recovery, are we really going to get that back if we happen to use it? And that’s something that you have to make a decision very early on, so that you don’t go down the road putting all of these DR– these Disaster Recovery– things in effect. At the end of the day, you may be losing money because of that.