Common BIA Terminologies

The first version of NIST SP 800-34 used the term Maximum Allowable Outage (MAO) to describe the downtime threshold of the information system. To distinguish business process downtime from information system downtime, the terms Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO) are used.

Downtime here refers to the disruption of the business process, while outage emphasizes the unavailability of the information system. Terms such as downtime, interruption, and disruption can be used interchangeably, as can allowable, acceptable, and tolerable. Maximum Tolerable Downtime (MTD) is also known as Maximum Tolerable Period of Disruption (MTPD), and Maximum Allowable Outage (MAO) as Maximum Tolerable Outage (MTO).

Because various methodologies or approaches may define these terms differently, which can lead to miscommunication, the diagram in this post demonstrates a scenario to introduce the common language used in the analysis of business impact.

Acceptable Interruption Window (AIW)

Acceptable Interruption Window (AIW) is “the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives.” (ISACA, 2019)

AIW is also known as the Maximum Tolerable Downtime (MTD) or Maximum Tolerable Period of Disruption (MTPD). However, the definition by ISACA emphasizes “system,” while MTD or MTPD is a business term that focuses on the disruption of business processes or prioritized activities.

Work Recovery Time (WRT)

Work Recovery Time (WRT) is the “length of time needed to recover lost data, work backlog, and manually captured work once a system is recovered and repaired.” (BRCCI, 2019)

WRT is typically related to the Recovery Point Objective (RPO): the shorter the RPO, the quicker the WRT. The sum of the repair time and WRT should be less than the Recovery Time Objective (RTO).

Recovery Time Objective (RTO)

Recovery Time Objective (RTO) is “the amount of time allowed for the recovery of a business function or resource after a disaster occurs.” (ISACA, 2019)

The recovery of a business function or resource means that it meets both the RPO and the Service Delivery Objective (SDO) and is subject to the Maximum Tolerable Outage (MTO); it is restored with the latest data and operates at an adequate level of services within the constraint of the MTO.

Recovery Point Objective (RPO)

Recovery Point Objective (RPO) is “determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.” (ISACA, 2019)

The RPO drives the design of the recovery or alternate site and the backup strategy. It also affects Work Recovery Time (WRT).

Service Delivery Objective (SDO)

Service Delivery Objective (SDO) is “directly related to the business needs, it is the level of services to be reached during the alternate mode until the normal situation is restored.” (ISACA, 2019)

When a system is resumed within the RTO and RPO, it operates in alternate mode, in which the system should provide an adequate level of services and meet the SDO.

Maximum Tolerable Outage (MTO)

Maximum Tolerable Outage (MTO) is the maximum time that an enterprise can support processing in alternate mode. (ISACA, 2019)

The alternate mode is not viable for long-term operations. MTO sets the objective for the time period in which the business continuity solutions transition to normal mode.

Maximum Tolerable Downtime (MTD)

See Acceptable Interruption Window (AIW).


