Forum

BIA Repository: IT ...
 
Notifications
Clear all

BIA Repository: IT Dependencies Assessment Questions

6 Posts
5 Users
1 Reactions
329 Views
Shane Mathew
Posts: 14
Topic starter
(@shanemstoneriskconsulting-com)
Eminent Member
Joined: 1 year ago

Overview: Identifying IT dependencies is a critical part of the Business Impact Analysis (BIA). This section focuses on understanding the applications and IT infrastructure that support essential business functions. Assessing these dependencies ensures that effective disaster recovery (DR) strategies are in place, and helps determine the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each application.


Contributions:

Please share your methodology or sample questions you use when assessing IT dependencies for critical functions. You can include text and/or attach relevant screenshots for clarity.

Key Areas to Address:

  • Methodology: Describe your approach to identifying and documenting IT dependencies.
  • Sample Questions: Share examples of the questions you ask to gather necessary information.
  • Best Practices: Highlight any tips or best practices that have worked well for you.

Example Contribution:

Methodology: We conduct a detailed inventory of all IT applications and systems that support critical functions, focusing on their disaster recovery (DR) strategies and RTO/RPO requirements. This involves collaboration with IT teams and reviews of existing documentation.

Sample Questions:
- List the applications that support the function.

- Describe the disaster recovery (DR) strategy for each application.

- What is the Recovery Time Objective (RTO) for each application?

- What is the Recovery Point Objective (RPO) for each application?

- If the pull-down menu for RTO/RPO does not contain appropriate options, use the "MANUAL ENTRY" column to state the correct RTO/RPO.

Best Practices:
- Maintain an up-to-date inventory of all applications and IT systems supporting critical functions.

- Collaborate closely with IT teams to ensure accurate and comprehensive DR strategies.

- Regularly review and update RTO/RPO requirements to reflect changes in business needs.

- Document any custom RTO/RPO entries clearly for future reference.


Reminder:

  • Confidentiality: Do not include any confidential or sensitive information from your organization.
  • Tags: Tag your response appropriately so others can easily search and find your contribution.

Your contributions will help in building a comprehensive understanding of IT dependencies and their disaster recovery needs, which is essential for developing an effective Business Continuity Strategy.

5 Replies
Kevin Low
Posts: 6
(@klowpurestorage-com)
Active Member
Joined: 11 months ago

One aspect of this topic is about IT dependencies that the process depends on to perform the function of the process...  These IT dependencies are infrastructure or application that a department needs (primarily applications).  We ask them what applications they depend on, describe the dependency, desired RTO and RPO and if they have any alternate or manual workarounds.

Reply
Kevin Low
Posts: 6
(@klowpurestorage-com)
Active Member
Joined: 11 months ago

Another aspect of this is the technology impact assessment.  We need to capture a full inventory (source of truth) for applications and infrastructure.  We need to discover any shadow IT systems, appl, infra.  We need to know their RTO, RPO, architecture design, DR architecture, criticality of the application, resiliency, redundancy and recovery capabilities.  We need to know the backup type, frequency and retention.  We want to know if all of it is documented (i.e. DR Plan, runbooks, SOPs, etc)

Reply
Posts: 3
(@renukadarbha)
New Member
Joined: 6 years ago

For those that are starting from ground zero, I have provided an easy way to capture technology dependencies - see attached screenshot.

  • Methodology: Identify all of the systems/applications that the department/business function depends on for their service/process.
  • Sample Questions
    • Identify the application/system used for your process
    • Is it SaaS, on prem, home grown?
    • What is the impact to your service/process if this technology was not available?
    • Identified recovery capability?
    • RTO and RPO?
  • Best Practices
    • Review the data you gathered with the application or system owners
    • If RTO and RPO information is provided, ask how these were derived and ask for "evidence" to support it.  
1719964362-Screenshot-2024-07-02-at-43901PM.png
Reply
Posts: 1
(@shellymunoz)
New Member
Joined: 6 years ago

Holistic Resilience Planning

An aspect of a TIA/BIA that may be overlooked is utility. Utilities such as power, water, and HVAC systems are critical components that support the operational environment of applications. If these utilities fail, they can cause significant disruptions, even if the applications themselves are not directly affected.
While utilities might not directly define RTO (the maximum acceptable length of time that an application can be offline) and RPO (the maximum acceptable amount of data loss measured in time), their failure can impact the ability to meet these objectives. If an application has a stringent RTO or RPO, but the underlying infrastructure (powered by utilities) is unreliable, then the RTO/RPO goals may become unachievable in practice.

Including utility aspects in your assessments ensures that you are planning for resilience at a systemic level, rather than just at the application level.

  • Identify Critical Utilities: List all the utilities that support your applications and business processes (e.g., power, water, HVAC, internet connectivity).
    Assess Dependency and Impact: Determine how each utility affects the operations of applications and business processes. Identify the critical dependencies and potential impacts of utility failures.
  • Mitigation Strategies: Develop and implement mitigation strategies, such as UPS systems, backup generators, redundant cooling systems, and alternative network connections.
  • Integrate into BIA: Include utility failure scenarios in your BIA process. Assess the impact of utility failures on RTO and RPO, and adjust your recovery plans accordingly.
Reply
Page 1 / 2
Share: