Defining the Scope of the Business Impact Analysis

As with any project, defining the scope, or the boundaries, of a BIA early in the process is important. Defining the scope helps ensure that the BIA is focused and that the correct functions are analyzed.

The scope is affected by the size of the organization. For a small organization, the scope of the BIA could include the entire organization. For larger organizations, the scope may include only certain areas. For example, one BIA may include only the online sales division of a large business, and other BIAs would examine other areas of the business.

FIGURE 12-1 shows an online web server with a back-end database used for e-commerce. The BIA could focus only on the critical functions needed to support this web server. Based on the figure, the systems needed to support online sales are the web server, the firewalls, and the database server. Together, they represent the phase when a customer purchases a product. This scope doesn’t include other phases, such as the shipment of the product, which is shown in FIGURE 12-2. The functions needed for these two phases are distinctly different, and so is the maximum acceptable outage (MAO) of each. The MAO for the website is much shorter than the MAO for the shipping function.

A network diagram of an online web server with a database used as a back-end.

FIGURE 12-1 Online web server with back-end database.

A diagram showing the steps in the product shipment phase.

FIGURE 12-2 Product shipment phase.

For example, if the website is down at the time a customer is ready to purchase a product, then the sale is lost, regardless of how long it was down. Similarly, if a point-of-sale system is down and a customer can pay with only a credit or debit card, then the sale is lost.

TIP

The budget should also be considered when identifying the scope. If the organization is large enough, a security consultant can be hired to assist with the BIA, whereas, if the budget is limited, hiring a security consultant may not be possible.

On the other hand, if an outage occurs at the shipping end, its impact isn’t immediate. Even if it lasted a full day, it might result in only a slight delay in a shipment, which isn’t critical.

Just because the impact of an outage is not critical in the shipping phase doesn’t mean it shouldn’t be included in the BIA. Instead, the point is that the scope should be specifically identified. Here is an example of a vague scope statement:

The scope of the BIA will cover the functions of the website.

One person conducting a BIA may interpret this scope to mean only the purchase phase. If the intent of the BIA is to include both the purchase and shipment phases, the BIA would then be incomplete. Another person may interpret it to mean both the purchase and shipment phases. If the intent is to have the BIA cover only the purchase phase, money would be wasted doing both.

The following scope statement is clearer:

The scope of the BIA will cover the functions of the website during the customer purchase phase, which includes all the functions that support a customer’s visit and purchase. The shipment phase is not included in this BIA.

If the shipment phase is to be included, the scope statement could be modified as follows:

The scope of the BIA will cover all functions of the online website, which includes all the functions that support a customer’s visit and purchase and all the functions that support the shipment of the product.
