#Laws vs. Regulations vs. Standards#

Holistic

What does holistic mean? In simple terms, “holistic” refers to the understanding of the relationship between all of the parts of a whole. In problem solving, a holistic approach starts by first identifying an obstacle, then taking a step back to understand the situation as a whole.

Business Impact Analysis (BIA)

- Evaluate critical processes (and the IT components supporting them)
- Determine time frames, priorities, resources and interdependencies
- Often based on a risk assessment
- The auditor must be able to evaluate the BIA

Objective Definitions

Recovery Time Objective (RTO) is the amount of time allowed for the recovery of a business function or resource to an acceptable level after a disaster occurs.

Service Delivery Objective (SDO) is the minimal level of services to be reached during the alternate process mode until the normal situation is restored. It is directly related to business needs.

Recovery Point Objective (RPO) indicates the earliest point in time to which it is acceptable to recover data. It effectively quantifies the permissible amount of data loss in case of interruption and is determined based on the acceptable data loss in case of disruption of operations.

Maximum Tolerable Outage (MTO) is the maximum time the organization can support processing in alternate mode. Factors that may affect the MTO include the availability of fuel to operate emergency generators, the accessibility of a recovery site that might be located remotely, and the limited operational capacity of the recovery site.

Allowable Interruption Window (AIW) is the amount of time normal operations can be down before the organization faces major financial difficulties that threaten its existence. The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services/applications. AIW is generally based on the downtime before the organization suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site.

Relationship between terms

The acceptable level of an RTO is defined by the SDO.

The MTO should in any event be within the AIW to minimize the risk to the organization in the event of a disaster: MTO ≤ AIW

The RTO must be shorter than the allowable interruption window (AIW): RTO ≤ AIW

The RTO must be shorter than the maximum tolerable outage (MTO): RTO ≤ MTO

As a conclusion: RTO ≤ MTO ≤ AIW
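The chain RTO ≤ MTO ≤ AIW is exactly the kind of consistency check an auditor applies to each process in a BIA. The following is an added example, not part of the original notes: it validates a constructed set of BIA entries against those relationships and orders the processes for recovery by RTO. The process names and hour values are made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BiaEntry:
    """Recovery objectives for one critical business process, all in hours."""
    process: str
    rto: float  # Recovery Time Objective: time allowed to restore the function
    rpo: float  # Recovery Point Objective: acceptable data loss (hours of work)
    mto: float  # Maximum Tolerable Outage: how long alternate mode can be sustained
    aiw: float  # Allowable Interruption Window: downtime before major financial damage


def check_entry(e: BiaEntry) -> List[str]:
    """Return every violated relationship for one entry; empty list means consistent."""
    findings = []
    for name, value in (("RTO", e.rto), ("RPO", e.rpo), ("MTO", e.mto), ("AIW", e.aiw)):
        if value < 0:
            findings.append(f"{e.process}: {name} must not be negative ({value}h)")
    # RTO <= MTO: recovery must complete before alternate-mode processing gives out.
    if e.rto > e.mto:
        findings.append(f"{e.process}: RTO {e.rto}h exceeds MTO {e.mto}h")
    # MTO <= AIW: alternate mode must carry the business through the whole window.
    if e.mto > e.aiw:
        findings.append(f"{e.process}: MTO {e.mto}h exceeds AIW {e.aiw}h")
    # RTO <= AIW: implied by the two above, but reported on its own for the audit trail.
    if e.rto > e.aiw:
        findings.append(f"{e.process}: RTO {e.rto}h exceeds AIW {e.aiw}h")
    return findings


def check_bia(entries: List[BiaEntry]) -> Dict[str, List[str]]:
    """Map each process name to its findings so an auditor can see every gap at once."""
    return {e.process: check_entry(e) for e in entries}


def recovery_order(entries: List[BiaEntry]) -> List[str]:
    """Processes sorted by RTO: the shortest RTO is restored first."""
    return [e.process for e in sorted(entries, key=lambda e: e.rto)]


# Constructed sample BIA (hypothetical processes and values).
SAMPLE_BIA = [
    BiaEntry("Payments", rto=4, rpo=1, mto=24, aiw=48),          # consistent
    BiaEntry("Payroll", rto=72, rpo=24, mto=48, aiw=120),        # RTO longer than MTO
    BiaEntry("Intranet wiki", rto=24, rpo=24, mto=96, aiw=72),   # MTO longer than AIW
]

if __name__ == "__main__":
    for process, findings in check_bia(SAMPLE_BIA).items():
        print(process, "OK" if not findings else findings)
    print("Recovery order:", recovery_order(SAMPLE_BIA))
```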