HostedDB - Dedicated UNIX Servers

-->
Handbook of Information Security Management:Risk Management and Business Continuity Planning

Previous Table of Contents Next


USE OF BIA QUESTIONNAIRES

There is no question that the people-to-people contact of the BIA process is the most important component in understanding the potential a disaster will have upon an organization. People run the organization, and can best describe business functionality and their business unit’s degree of reliance on support services. The issue here, however, is deciding what is the best and most practical technique for gathering the information from these people.

There are different schools of thought about the use of questionnaires during the BIA process. Our opinion is that a well-crafted questionnaire will provide the structure needed by the BCP project team to consistently acquire the required information. This consistent questioning structure requires that the same questions be asked of each BIA interviewee — reliance can be placed on the results because answers to questions can be compared one to another, and the comparisons are based on the same criterion.

While we consider a questionnaire to be a valuable tool, the structure of the questions in the questionnaire itself is subject to a great deal of customization. This customization of the questions depends largely upon the reason why the BIA is being conducted in the first place.

The BIA process can be approached differently depending upon the needs of the organization. Each BIA situation should be evaluated in order to understand the underlying purpose to properly design the scope and approach of the BIA process. BIAs may be desired for several reasons, including:

  Initiation of a BCP process where no BIA has been done before as part of the five-phase BCP methodology (Phase 2).
  Reinitiating a BCP process where there was a BIA performed but now it needs to be brought up to date.
  Conducting a BIA in order to justify BCP activities which have already been undertaken (i.e., the acquisition of a hot site or other recovery alternative).
  Simply updating the results of a previous BIA effort to identify changes in the environment and as a basis to plan additional activities.
  Initiating a BIA as a prelude to considering the beginning of a full BCP process for understanding or as a vehicle to sell management on the need to develop a BCP.

BIA INFORMATION-GATHERING TECHNIQUES

There are various schools of thought regarding how to best gather BIA impact information. Conducting individual one-on-one BIA interviews is popular, but organizational size and location issues sometimes make conducting one-on-one interviews impossible. Other popular techniques include group exercises and/or the use of an electronic medium (i.e., data or voice network) or a combination of all of these. The following points highlight the pros and cons of these interviewing techniques:

One-on-one BIA interviews — The one-on-one interview with organizational representatives is the preferred manner in which to gather the BIA impact information, in our opinion. The pros of this are that you have the ability to discuss the issues face-to-face and observe the person. This one-on-one discussion will give the interviewer a great deal of both verbal and visual information concerning the topic at hand. In addition, personal rapport can be built between the interviewee and the BIA team, with the potential for additional assistance and support to follow. This rapport can be very beneficial during later stages of the BCP development effort if the persons being interviewed understand that the BCP process was undertaken to help them get the job done in times of emergency or disaster. The minus to this approach is that it can become very time consuming and tends to stretch the length of the BIA process.

Group BIA interview sessions or exercises — This type of information-gathering activity can be very efficient in ensuring that a lot of data are gathered in a short period of time and can speed the BIA process tremendously. The problem with this type of an approach, if not conducted properly, is it can result in a meeting of many people without much useful information being accurately recorded for later consideration.

Electronic media — Especially these days, the use of voice, data, video conferencing, etc., media are popular. Many times, the physical size and diversity as well as the structural complexity of the organization lends itself to this clean information-gathering technique. The pros are that distances can be diminished and travel expenses reduced, and that the use of automated questionnaires and other data-gathering methods can facilitate the capture of tabular data and make the ease of consolidation of this information possible. Less attractive, however, is that this type of communication lacks the human touch, and sometimes ignores the importance of the ability of the interviewer to read the verbal and visual communications of the interviewee. Especially worrisome, however, is the universal broadcasting of BIA-related questionnaires. These inquiries go to an uninformed or little informed group of users on a network, whereby they are asked to supply answers to qualitative and quantitative BIA questions without regard to the point of the question or the intent of the use of the result. Such practices almost always lend themselves to misleading and downright wrong results. This type of unsupported data-gathering technique for purposes of formulating a thoughtful strategy for recovery should be avoided.

Most likely, however, your organization will need to use a mix of these suggested methods, or use others suited to the situation and culture of the enterprise.

CUSTOMIZING THE BIA QUESTIONNAIRE

There are a number of ways in which a BIA questionnaire can be constructed and/or customized to adapt itself for the purpose of serving as an efficient tool for accurately gathering BIA information. There are also an unlimited number of examples of BIA questionnaires in use by organizations. It should go without saying that any questionnaire, BIA or otherwise, can be constructed so as to elicit the response one would like to derive. It is important that the goal of the BIA be in the mind of the questionnaire developers so that the questions asked and the responses collected will meet the objective of the BIA process.


Previous Table of Contents Next