Business impact analysis is the study and analysis of the impact on your organization if you have a disruption in your business, whatever that business might be. Now, business impact analysis is a big deal. And in fact, as much as I love NIST, there's one place where NIST falls down a little bit, and that's the way they describe business impact analysis. The three primary steps to business impact analysis are: number one, determine mission processes and recovery criticality. Number two, identify resource requirements.
Number three, identify recovery priorities for system resources. Wow, okay, NIST can get pretty nerdy sometimes. So let's break these three steps down and make it a little bit easier for us to understand. Number one, when we're talking about determining mission processes, we have to say, what are the things that we do within our IT infrastructure to do the voodoo we do so well? Now, here at Total Seminars, we do a ton of work accessing outside servers, web servers, application servers, things like that, configuring them. We also do a lot of incoming business, people hitting our website.
So a big mission critical process for us is our internet, and having that up and running. Another big process for us is shooting all these videos; we have big servers that do nothing but store all this video data. So those two things alone are absolutely critical mission processes for Total Seminars. If the watercooler went down, you know what, we could still do business, so that would not be a mission critical process. Now, along with that, now that we understand these processes, we also don't want to say "process." It's more like functions: keep the internet up.
That is a mission essential function here at Total Seminars. Number two, make sure the servers are working. That is a mission essential function here at Total Seminars. Now, another big part of that would be to identify critical systems. If our cable modem doesn't work, we have a problem.
And we're not going to be able to achieve our mission essential function. So certain pieces of equipment become really, really important. Our server, for example: if it goes down, we've got a problem. So what we have is actually known as a single point of failure. And we want to avoid these single points of failure by using redundancy and defense in depth. For example, I could set up two ISP feeds, I can configure RAID for my server, I can set up good backups, whatever I need to do.
The next thing I need to do is identify resource requirements. So what do I need for these different types of resources? Well, for all these different files, well, we need the server, so that actually ties in a little bit with our single point of failure concept. And then last, we need to identify recovery priorities for system resources. So now what we're talking about is: if everything goes down, what are the priorities, what are the steps that I have to do to get us running the best? So here at Total Seminars, probably the first thing I would be doing is making sure that my internet service provider was up and cooking, making sure that my cable modem was working, making sure that the router was up and running, then making sure the network was cooking.
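The three steps above, worked through as an added example that is not from the lecture or from Total Seminars: a constructed resource inventory for the scenario described (ISP, cable modem, router, servers, website, watercooler), with dependencies and redundancy flags that are assumptions, from which the code derives the mission critical set, the single points of failure, and a recovery order in which nothing is restored before what it depends on.

```python
from collections import defaultdict, deque

# Constructed inventory for the lecture's scenario (hypothetical; not Total Seminars' real systems).
# depends_on: what a resource needs; redundant: it has an alternate (second ISP feed, RAID, backups).
RESOURCES = {
    "isp":          {"depends_on": [],              "redundant": False},
    "cable_modem":  {"depends_on": ["isp"],         "redundant": False},
    "router":       {"depends_on": ["cable_modem"], "redundant": False},
    "video_server": {"depends_on": ["router"],      "redundant": True},   # RAID plus good backups
    "website":      {"depends_on": ["router"],      "redundant": False},
    "watercooler":  {"depends_on": [],              "redundant": False},  # nobody's mission depends on it
}
FUNCTIONS = {  # mission essential functions and the resources each one directly needs
    "keep_internet_up": ["website"],
    "keep_servers_up":  ["video_server"],
}

def critical_resources(functions, resources):
    """Everything reachable from a mission essential function is a mission critical resource."""
    critical, stack = set(), [r for needs in functions.values() for r in needs]
    while stack:
        r = stack.pop()
        if r not in critical:
            critical.add(r)
            stack.extend(resources[r]["depends_on"])
    return critical

def single_points_of_failure(functions, resources):
    """Critical resources with no redundancy: losing one stops a mission essential function."""
    return sorted(r for r in critical_resources(functions, resources) if not resources[r]["redundant"])

def recovery_order(functions, resources):
    """Recovery priority: restore a resource only after everything it depends on (topological order)."""
    crit = critical_resources(functions, resources)
    indeg = {r: sum(d in crit for d in resources[r]["depends_on"]) for r in crit}
    dependents = defaultdict(list)
    for r in crit:
        for d in resources[r]["depends_on"]:
            dependents[d].append(r)
    queue, order = deque(sorted(r for r in crit if indeg[r] == 0)), []
    while queue:
        r = queue.popleft()
        order.append(r)
        for child in sorted(dependents[r]):
            indeg[child] -= 1
            if indeg[child] == 0:
                queue.append(child)
    if len(order) != len(crit):
        raise ValueError("dependency cycle in resource inventory")
    return order
```

Marking the video server redundant keeps it off the single point of failure list, while the ISP, cable modem, router and website stay on it until they get an alternate.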
So you're literally going through and prioritizing the steps necessary to get whatever mission essential function I might have back up and cooking again. So even though NIST uses some pretty fancy terms for it, it's really mainly: find out what the incredibly important processes for your business are, identify whatever resource requirements they might need, and then set up a priority so that if they go down, which ones are you going to get up first? Now, as easy as I've tried to make that, there are other aspects of business impact analysis that can get a little bit complicated, and one of those is going to be called impact. Impact is a really important concept. Now, it's easy for the layperson to hear a word like that and say, what's the impact on our business? We're going to lose money?
Well, okay, first of all, monetary loss is an impact, and that's certainly one we need to register. But you need to understand that there's more than just money involved here. First of all, probably a really big one would be property. Now, when we're talking about property, we don't just mean real estate. In this case we're talking about, we can lose equipment. You know, we could lose whatever it might be, but it's going to be real stuff that we could lose; we lose a van or whatever it might be.
So when we're thinking about the impact, not only do we think about money, but we also think about property. Yeah, arguably, you can always get property back with money, but we treat those separately. The other two have to do with people. First of all, we use the word safety. Safety in and of itself is an impact. If people are getting hurt, well, that's a problem and we want to avoid that. Yeah, again, it does boil back down to money, but we talk about safety: you know, somebody could trip in this particular situation, somebody could hurt their back trying to lift that.
So safety by itself is an impact. Now, along with that is life. You don't see that too much in the IT security world, but it does happen, unfortunately. And that is, literally, loss of life can take place. And loss of life has a huge impact in terms of how it's going to affect your organization. Next is going to be finance.
Now be careful, because you go, well, finance is money, right? Well, it is money, but it's more than that. It also might mean your ability to get money. So your credit might come into play, or your cash flows might come into play, your accounts receivable. So when we talk about an impact, we talk about the finance and we break it down even more into these different types of streams, and how the money does actually affect us. And the last one, and this one's a hard one to actually put a number on, is reputation.
If the Total Seminars website went down for three days, people would stop coming to it; we would have a lack of reputation. And it's hard to measure in dollars what that could possibly be. But reputation is a really, really big deal. Now, a big killer of reputation has to do with privacy. So let's take a moment and talk about privacy impact assessment and privacy threshold assessment. Now, privacy is a really big deal, and letting go of other people's privacy can make a huge business impact.
So when we're talking about privacy: now, in other episodes, we talk about personally identifiable information, PII, or personal health information, PHI. So those two types of information. PII would be your full name, your address, your Social Security number, things like that. Personal health information would be, as it implies, your health history, any diagnosis that you've had, things like that. A lot of people get into a lot of trouble not taking care of the privacy that they're in charge of. So when we're doing a business impact analysis, we talk about two very specific things.
First of all, we talk about the privacy impact assessment. The privacy impact assessment simply means: what will the impact be to us if the privacy stuff that we're in control of were to get out one way or another? And a privacy impact assessment really is looking at what laws and regulations and what obligations we might run into, and then, you know, what we would have to be doing if that were to get out. So to avoid privacy impact problems, what we do is called a privacy threshold assessment. A privacy threshold assessment simply means that you're going out to do an assessment: you have certain types of data, and you go out and say, you know, what is this data? Where is this data? How are we storing this data?
So privacy threshold assessments are often an in-house document. So I've got an example of a PTA that came from the US Aid Society. Let me pull that up, and we can talk a little bit about what you might see in a privacy threshold assessment. So take a look at this one. This is a big long document.
But if you take a look, you'll see that this is an internal questionnaire. And what they're interested in is, they're saying: what type of paper documents, systems, electronic media, digital collaboration tools or services, and/or mobile services do you employ to collect, use, maintain, or disseminate information? So we're really talking about, in this one particular example, where within the organization, they're not sure what other parts of the organization are dealing with this type of personal information. And this gives them an idea, because you're not always sure: somebody comes up with a new web page for you to enter your Social Security number. Have they made that particular page robust so the bad guys can't get into it? So a PIA and a PTA are both done in order to understand what the impact of the loss of personal information can do to a particular business.
So the last one I want to go over is RTO and RPO. Now, RTO stands for recovery time objective, and RPO stands for recovery point objective. Make sure you know what these are. The recovery time objective is the minimum time necessary to restore a critical system to operation. Now, it can also mean the maximum time that a critical system can be down without substantial impact. So you can actually look at the RTO in two different ways. Number one, what's the minimum time necessary, if this is down, that we can bring it back online? And then the other way is, how long is this down before we're in trouble?
So even though these seem like two different terms, if you think about it for a little bit, they can actually pretty much mean the same thing. Not exactly, but they're close. If I have a router that goes down, all right, the minimum time necessary for me to restore that back to operation can in many cases, it doesn't always have to be, equal the maximum time that a critical system can be down without some form of substantial impact. Now, keep in mind, the term "substantial" is a very soft term. And part of business impact analysis is to try to get an idea of what substantial means for any particular organization.
Now, recovery point objective is the maximum amount of data that can be lost without substantial impact. Now, here at Total Seminars, we're backing stuff up almost constantly, and we have to: we have accounts receivable coming in, we have accounts payable. And, you know, a lot of you guys like these training videos and test banks and vouchers for CompTIA exams and things like that. And you'd be very crabby at me if we lost your data and I couldn't give you the stuff that you paid for. So for us here at Total Seminars, our recovery point objective is a very, very small space; it's less than 24 hours' worth of data, because usually if it's 24 hours, we can call you back, but any more than that, we would be in trouble.
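The RTO and RPO definitions above, checked against constructed records as an added example that is not from the lecture or from Total Seminars: the objectives (a 24-hour RPO as in the lecture, plus assumed RTO figures), a backup job log and two outages are all made up here, and the point the code makes is that a backup run that failed silently is not a restore point, so the data loss is measured from the last backup that actually succeeded.

```python
from datetime import datetime

# Constructed objectives for the lecture's scenario (hypothetical figures, not Total Seminars' real ones),
# in seconds. rto: longest a system may be down; rpo: most data, measured as time, that may be lost.
HOUR = 3600
OBJECTIVES = {
    "website":      {"rto": 4 * HOUR,  "rpo": 24 * HOUR},
    "video_server": {"rto": 48 * HOUR, "rpo": 24 * HOUR},
}

# Constructed backup job log: timestamp, system, result. A FAILED run must not count as a restore point.
BACKUP_LOG = """\
2024-03-01T02:00:00 website ok
2024-03-01T02:05:00 video_server ok
2024-03-02T02:00:00 website FAILED
2024-03-02T02:05:00 video_server ok
"""

# Constructed outages: (system, time it failed, time service was restored).
INCIDENTS = [
    ("website",      "2024-03-02T15:00:00", "2024-03-02T17:30:00"),
    ("video_server", "2024-03-02T20:00:00", "2024-03-05T00:00:00"),
]

def parse_backup_log(text):
    """Return {system: [times of successful backups]}; failed runs are dropped."""
    good = {}
    for line in text.splitlines():
        ts, system, result = line.split()
        if result == "ok":
            good.setdefault(system, []).append(datetime.fromisoformat(ts))
    return good

def assess_incident(system, failed_at, restored_at, good_backups, objectives=OBJECTIVES):
    """Check one outage against the system's RTO and RPO; times are in seconds."""
    failed_at, restored_at = datetime.fromisoformat(failed_at), datetime.fromisoformat(restored_at)
    downtime = (restored_at - failed_at).total_seconds()
    # Data lost is everything written since the last backup that actually succeeded before the failure.
    usable = [t for t in good_backups.get(system, []) if t <= failed_at]
    data_loss = (failed_at - max(usable)).total_seconds() if usable else None  # None: no restore point
    obj = objectives[system]
    return {"downtime": downtime, "rto_met": downtime <= obj["rto"],
            "data_loss": data_loss, "rpo_met": data_loss is not None and data_loss <= obj["rpo"]}

def assess_all(incidents=INCIDENTS, log=BACKUP_LOG):
    """Evaluate every recorded outage; a result with rto_met or rpo_met False is a BIA finding."""
    good = parse_backup_log(log)
    return {system: assess_incident(system, start, end, good) for system, start, end in incidents}
```

In the constructed data the website outage is short enough to meet its RTO but, because the previous night's backup failed, loses 37 hours of data against a 24-hour RPO; the video server case is the reverse.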
Wow. So business impact analysis covers a lot of terminology that you'll be seeing on the exam. What I want to stress to you is that CompTIA barely touches on business impact analysis. Business impact analysis is a huge, huge concept, but at least for the exam, make sure you're comfortable with things like recovery time objective and personal information, and you'll do just fine.