Lab #7: Identify Necessary Policies for Business Continuity – BIA &

Recovery Time Objectives

Course Name: IAP301
Student Name: Đặng Nam Bình
Instructor Name: Mai Hoàng Đỉnh
Lab Due Date: June, 20
Business Function Business Impact RTO / RPO IT Systems/Apps

e BIA
nSampl
izatio
priorit
with
):
theses
(paren
in (paren
e BIA
nSampl
izatio
priorit
with
):
theses
in (paren
or Process
e BIA
nSampl
izatio
priorit
with
):
theses
in (paren
Internal and external voice
e BIA
nSampl
izatio
priorit
with
):
theses
in Factor

Critical RTO – 8 hrs

Infrastructure
Impacts
Server, Intra/Internet,
communications with RPO - 0 hrs Network, Telephone
customers in real-time system
Internal and external e- Critical RTO – 8 hrs Email Systems, Internet,
mail communications with RPO - 0 hrs network
customers via store and
forward messaging
DNS – for internal and Major RTO – 24 hrs DNS Server, VOIP
external IP RPO - 8 hrs network
communications
Internet connectivity for e Major RTO – 24 hrs Email server, Intra/Internet
mail and store and forward RPO - 8 hrs network
customer service
Self-service website for Major RTO – 8 hrs Server, Intra/Internet
customer access to RPO - 12 hrs network
information and personal
account information
e-Commerce site for Critical RTO – 4 hrs Intra/Internet, network,
online customer purchases RPO - 0 hrs Server
or scheduling 24x7x365
Payroll and human Critical RTO – 4 hrs Server, Internal Network
resources for employees RPO - 0 hrs
Real-time customer Critical RTO – 4 hrs Intra/Internet network,
service via website, e- RPO - 0 hrs VOIP, e- mail server
mail, or telephone requires
CRM
Network management and Major RTO – 8 hrs Network, Helpdesk
technical support RPO - 12 hrs support
Marketing and events Major RTO – 48 hrs Marketing server, planner
RPO - 24 hrs app
Sales orders or customer/ Major RTO – 48 hrs Orders Database,
student registration RPO - 24 hrs registration database,
Intra/Internetwork, Server
Remote branch office sales Major RTO – 48 hrs Remote access,
order entry to headquarters RPO - 24 hrs Internetwork, VPN
Voice and e-mail Major RTO – 8 hrs Remote access,
communications to remote RPO - 12 hrs Internetwork, VPN,
branches Server, VOIP
Accounting and finance Critical RTO – 24 hrs Accounting and Finance
support: Accts payable, RPO - 8 hrs Systems
Accts receivable, etc.

Lab #7 – Assessment Worksheet

Part B – Craft a Business Continuity Plan Policy – Business Impact
Analysis
Course Name: Identify Necessary Policies for Business Continuity –
BIA & Recovery Time Objectives

ABC Credit Union

Policy Name
Policy Statement
Business Continuity Policy

Purpose/Objectives
Maintain the Continuity of Essential Business Operations: Ensure that vital business functions
remain operational and resilient.

Reduce Operational Interruptions and Financial Impact: Take steps to minimize disruptions to
operations and limit financial losses.

Establish Clear Roles and Procedures for Incident Response and Recovery: Define specific roles,
responsibilities, and processes for effectively responding to and recovering from incidents.

Adhere to Regulatory and Industry Standards: Ensure compliance with all relevant regulatory
requirements and industry best practices.

Scope
This policy applies to all ABC Credit Union employees, contractors, and third-party service
providers involved in critical business operations. It covers all business units, departments, and
locations of ABC Credit Union.
Within the Business Continuity Plan (BCP) outline, the scope includes:

- Identifying critical functions, resources, and dependencies

- Developing recovery strategies

- Creating communication plans

- Establishing testing protocols

- Defining escalation procedures

Standards
This policy includes Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
as essential benchmarks for business continuity planning. RTOs specify the maximum
permissible downtime for each critical function, whereas RPOs establish the acceptable amount
of data loss in the event of an incident. Following these benchmarks ensures prompt recovery
and minimizes data loss.

Procedures
- Performing a thorough Business Impact Analysis (BIA) to pinpoint critical functions,
dependencies, and recovery priorities.

- Creating and consistently updating Business Continuity Plans (BCPs) informed by BIA results.

- Setting up communication protocols, roles, and responsibilities for incident response and
recovery.

- Regularly conducting tests, training sessions, and drills to ensure the BCP's effectiveness.

Guidelines
Potential obstacles in implementing the policy may include limited resources, insufficient
awareness, or resistance to change. To overcome these challenges, ABC Credit Union will:

- Allocate necessary resources and support for BCP development and training.

- Run awareness campaigns and training sessions to educate employees about their roles during
disruptions.

- Establish a feedback mechanism to continuously refine the BCP based on insights from testing
and actual incidents.
 Lab #7 – Assessment Worksheet
Perform a Business Impact Analysis for an IT Infrastructure
Lab Assessment Questions & Answers
Why must an organization define policies for an organization’s Business
Continuity and Disaster Recovery Plans?
Organizations need to establish policies for Business Continuity and Disaster Recovery Plans to
provide clear guidelines, roles, and procedures for effective response and recovery from
disruptions. This ensures operational resilience and minimizes downtime.

When should you define a policy definition and when should you not define
one?
A policy should be defined when specific actions or behaviors within an organization require
clear guidelines, rules, and procedures. However, it should not be defined when situations call
for flexibility, adaptability, and individual discretion.

What is the purpose of having a Business Continuity Plan policy definition

that defines the organization’s Business Impact Analysis?
The purpose of including a Business Impact Analysis in a Business Continuity Plan policy is to
identify critical business functions, assess their dependencies and vulnerabilities, prioritize
recovery efforts, and ensure effective resource allocation to minimize disruptions and financial
losses during an incident.

Why is it critical to align the RTO and RPO standards within the policy
definition itself?
Aligning Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) within the
policy is crucial to ensure that the organization's continuity and disaster recovery strategies meet
specific time and data loss thresholds, enabling timely recovery and minimal operational
disruption.

What is the purpose of a Business Impact Analysis (BIA)?

The purpose of a Business Impact Analysis (BIA) is to identify, prioritize, and evaluate the
potential impacts of disruptions on critical business functions, processes, and resources. This
analysis guides effective business continuity planning and resource allocation strategies.
Why is a business impact analysis (BIA) an important first step in defining a
business continuity plan (BCP)?
A Business Impact Analysis (BIA) is a critical initial step in defining a Business Continuity Plan
(BCP). It identifies critical functions, dependencies, recovery priorities, and resource
requirements by assessing the impact of disruptions. This analysis guides the development of
effective response and recovery strategies.

How does risk management and risk assessment relate to a business impact
analysis for an IT infrastructure?
Risk management encompasses the comprehensive approach of identifying, assessing, and
mitigating risks throughout an organization. Within this framework, risk assessment focuses
specifically on evaluating the likelihood and impact of risks on IT infrastructure. Both risk
management and risk assessment provide crucial inputs for a Business Impact Analysis, aiding in
the identification of critical IT functions and prioritization of recovery efforts.

True or False – If the Recovery Point Objective (RPO) metric does not equal
the Recovery Time Objective (RTO), you may potentially lose data or not
have data backed-up to recover. This represents a gap in potential lost or
unrecoverable data.
True. Misalignment between the Recovery Point Objective (RPO) and Recovery Time Objective
(RTO) can lead to a gap where data loss may occur. The RPO sets the maximum acceptable data
loss, while the RTO defines the timeframe for recovering systems and data.

What question should an organization answer annually to update its BCP,

BIA, and RTOs and RPOs?
An organization should conduct annual reviews and updates of its Business Continuity Plan
(BCP), Business Impact Analysis (BIA), Recovery Time Objectives (RTOs), and Recovery Point
Objectives (RPOs) by evaluating whether there have been changes in business operations,
technology, or risks that require adjustments to continuity strategies and objectives.

Why is it a good idea to have critical documentation recordkeeping defined in

a policy definition?
It is advantageous to include clear recordkeeping guidelines in policy definitions to ensure
consistency, compliance, accessibility, and integrity of essential documentation. This supports
efficient business operations, audit readiness, and regulatory adherence.
From Part A - Sample BIA for an IT Infrastructure Worksheet, which
systems, applications, and functions were mission critical to this organization?
Internal and external communication, e-commerce site for online customers, scheduling payroll,
accounting and finance support

From Part B – Define a Policy Definition for a BCP/DRP, how did you answer
the procedures for how to implement this policy throughout your business?
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) serve as an
organization's final corrective measures when other controls have failed. They aim to prevent or
address extreme circumstances like injury, loss of life, or the failure of an entire organization due
to unforeseen events.

True or False. It is a best practice to define policy definitions for an

organization-wide BCP and DRP
True

True or False. An organization must have a Business Impact Analysis and list
of prioritized business functions and operations defined first prior to building
a BCP and DRP.
True

True or False. An organization must have a Business Impact Analysis and list
of prioritized business functions and operations defined first prior to building
a BCP and DRP.
Because having proper security controls and documented BIA, BCP, DRP help reduce risk of
disaster and data loss, increase customers’ trusS