Security and Compliance
Security Controls
Business Impact Analysis in the handbook

Business Impact Analysis

The Business Impact Analysis (BIA) is developed as part of the Business Continuity Plan process.


The purpose of the BIA is to identify and prioritize system components by correlating them to mission critical processes that support the functioning of IllumiDesk. Using this information to characterize what would be the impact to IllumiDesk, if any of these systems were to be unavailable.

The Business Impact Analysis is composed of the following:

  1. 1.
    Determine data classification and approved operating System usage: IllumiDesk data and system resources can more clearly be linked to mission critical business processes by way of classifying them based on sensitivity. These priority levels can be established for sequencing recovery activities and resources. Additionally, the existence of an approved set of operating systems platforms will facilitate ease of management and quick turnaround and repair when they are non-functional.
    • IllumiDesk's Data Classification policy covers all aspects of this requirement:
    • Approved Operating Systems
  2. 2.
    Determine mission critical business processes and recovery criticality: In this step, IllumiDesk's mission critical business processes / systems are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime reflects the maximum, that an organization can tolerate while still maintaining the mission.
    • This is covered in the P1, P2, P3: Outages and their immediate impact on IllumiDesk customer/user operations
  3. 3.
    Identify resource requirements: Realistic recovery efforts require a thorough evaluation of the resources required to resume business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include software, data files, system components, and vital records.
    • The Backup and Recovery process in IllumiDesk is robust enough to satisfy the above requirement as it relates to IllumiDesk.com.
  4. 4.
    Determine alternate storage and strategies: Identify any alternate strategies in place to meet expected RTOs. This includes backup or spare equipment and vendor support contracts. IllumiDesk alternate storage process, serves to securely store data in an alternate location from source data
  5. 5.
    Identify recovery priorities for system resources based on standards: Adherence to IllumiDesk's agreed upon RTO/ RPO: Apart from determining the RTO and RPO, BIA also defines Maximum Tolerable Downtime (MTD)
  • The Maximum Tolerable Downtime (MTD) - represents the total amount of time senior management are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave continuity planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.
  1. 1.
    Delegation and defining the process: Designate each incident as critical or non-critical based on the business priority. Compile a list of personnel who must be in place to perform these functions. In times of an occurence of an incident, a detailed step-by-step approach about how to communicate it to the group, how it is performed, who performs it, and the operational mode of action taken.
The following links show the process carried out at IllumiDesk to cater to this requirement:
  • Impact values for assessing category impact
  • Security issue triage process
  • Security Incident issues are tagged with the incident label and are further tagged with S1 S2 S3 S4 labels to determine the severity and accordingly work on resolution]
  • Support team contact information - Quick Reference
  • On-Call Runbooks - Incident response runbooks for on-call engineers. .
  • Support Team function in the handbook.


The most important part of the Business Impact Analysis is to weigh the exactness of all findings. Communicate the findings to the respective department managers or key personnel to ensure that the assumptions made are in fact accurate and realistic. Once the accuracy of the documented findings has been established and agreed to by all parties, these BIA findings are submitted to IllumiDesk's e-group for approval.

Plan update and protect from disclosure

The BIA report will be updated based on changes to the organization, information system, or environment of operation and problems encountered during the implementation, execution, or testing. This plan will be protected from unauthorized disclosure and modification. Finally, all the Business Impact Analysis data will be stored in a safe place for future reference in the event of a disaster.