IT Examiner School, Seaside, CA

• A BIA identifies the potential impact of business disruptions. It should: Conduct a Business Impact Analysis (BIA) and Risk Assessment

o Prioritize all business functions and operations, not just IT.

o Determine maximum downtime for each function (recovery time objectives), minimum levels of service, and maximum tolerable financial losses.

o Establish minimum frequency in which backups must be made (recovery point objectives).

• A BIA should be developed based on goals for recovery based on customer expectations and operational needs, not on how rapidly or slowly recovery would actually take place.

Risk Assessment Considerations

• Location in a flood plain, hurricane/tornado/earthquake- prone area.

• Proximity to critical infrastructure, including power and telecommunication sources, transportation hubs.

• Services provided by the institution.