shawnee.edu/off/ri/New research/Business Impact Analyses in Hi...
Hanover Research November 2008

Business Impact Analyses in Higher Education: An Outline of Methodologies

In the following report, The Hanover Research Council reviews the performance of Business Impact Analyses (BIAs) in institutions of higher education along with some government agencies.

© 2008 The Hanover Research Council
Introduction

In the following pages, The Hanover Research Council provides background on the development and use of Business Impact Analyses (BIA) in institutions of higher education, governmental auditing agencies and the Information Technology industry. The methodologies and framework of BIA performance in a higher education setting, including scope, framework, approach, oversight, and governance, are then reviewed in more detail. Information concerning BIA performance at the institutions studied in this report indicates that higher education institutions, regardless of enrollment size, follow BIA methodologies and frameworks that are similar to each other and to those recommended in best practice and industry literature.

The report is organized as follows:

• Section One: Business Impact Analyses (BIA) Defined: In this section, we define BIAs, including the process, usage and importance of this type of analysis in business continuity and recovery planning for institutions of higher education, governmental agencies, and private business.
• Section Two: Methodologies of Business Impact Analyses: Initial Development: In this section, we review best practice literature concerning the developing and planning phases of Business Impact Analyses, with particular emphasis on the process of development and planning for data collection. Also reviewed are industry recommendations concerning the development of the BIA questionnaire and suggested components of the questionnaire.
• Section Three: Methodologies of Business Impact Analyses: Scope: In this section, we analyze the scope, purpose and any additional information concerning BIA performance in 14 institutions of higher education to determine common methodologies and best practices for BIA performance in higher education.
• Section Four: Methodologies of Business Impact Analyses: Framework: In this section, we review best practice literature and information concerning the BIA frameworks used in institutions of higher education and governmental agencies. BIA framework is discussed as a set of three major components: (1) Plan development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals.
• Section Five: Methodologies of Business Impact Analyses: Approach: In this section, we review best practice literature and the various approaches used in BIA performance in higher education settings to determine common approaches used in successful Business Impact Analyses.
• Section Six: Methodologies of Business Impact Analyses: Oversight: In this section, we review best practice literature and the individuals involved in overseeing the BIA performance and their associated responsibilities to determine commonalities and best practices in the oversight of Business Impact Analyses.
• Section Seven: Methodologies of Business Impact Analyses: Governance: In this section, we review the literature about the individuals involved in BIA governance and their associated responsibilities to determine commonalities and best practices in the governance process associated with Business Impact Analyses.
• Section Eight: Appendix: The Appendix includes links to sample BIA templates from a variety of institutions of higher education profiled in this report.
Business Impact Analyses (BIA) Defined

As a part of the foundation of all business continuity planning,[1] a Business Impact Analysis (BIA) “identifies the operational (qualitative) and financial (quantitative) impact of an inoperable or inaccessible core process on a College/Department’s ability to conduct its critical business processes.”[2] The BIA’s analysis of the effect of different external and internal impacts on various components of an organization, with particular emphasis on the effect of negative impacts on critical business and Information Technology (IT) processes,[3] makes it an important tool that enables organizations to respond – and recover – effectively and efficiently from a disruption to business.[4]

Additionally, a BIA provides management with essential information, including the identification of the most critical/time sensitive business departments; the most critical resources required by each department; the necessary availability of these resources; alternative business locations in the case of an unplanned disruption to work; and the reasons for the recovery of critical departments and resources.[5] The analysis’s identification of critical resources, functions or processes for a business is related to the BIA’s ability to identify high availability services, defined as those critical resources, functions or processes whose negative operational impact as a result of a disruption to the service can be mitigated through the use of process or resource redundancy.[6]

The compilation of this information provides organizations with an analytic and economic basis for risk-based decision making and resource allocation that is separate from risk analysis. While risk analyses identify the most probable threats to an organization and analyze the related vulnerabilities of the organization to those threats,[7] Business Impact Analyses involve the identification of critical business units, the quantitative costs - such as cash flow, replacement of equipment, salaries paid to catch up with work backlog, loss of profits - as well as the qualitative costs - such as impacts on safety, marketing, legal compliance, quality assurance and public image - that are affected in the event of a disruption.[8]

The process of the BIA usually involves five steps:[9]

• Project Planning,
• Data gathering,
• Data analysis,
• Documentation of the findings, and
• Management review and signoff.

While the management of a BIA may be completed either intra-organizationally or by an outside consulting agency, the key benefits derived from the performance of a BIA are uniform across industries, organizations and departments. A BIA is an essential piece of an organization’s:

• Understanding of the financial and intangible impacts of a disruption to business and ability to review processes critical to the organization;
• Identification of vital resources and high availability services; and
• Development of business recovery/continuity strategies.[10]

[1] The University of Arizona. “University Information Technology Services: Business Impact Analysis.” <http://web.arizona.edu/~ccit/index.php?id=974>
[2] Northern Arizona University. “Comptrollers Office: NAU Business Continuity and Disaster Recovery.” <http://home.nau.edu/comptr/businesscontinuity.asp>
[3] Global Information Assurance Certification (GIAC). “Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP): Business Impact Analysis.” <http://www.giac.org/resources/whitepaper/planning/122.php>
[4] The University of Arizona. “University Information Technology Services: Business Impact Analysis.” Op.cit.
[5] Connecticut Community Colleges. “SunGard Availability Services: Business Impact Analysis (BIA).” <http://64.233.169.104/search?q=cache:rI9oeuNbxPUJ:www.commnet.edu/IT/docs/BIA-Kickoff-20050714.ppt+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=7&gl=us>
[6] Stanford University. “Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements.” <http://stanford.edu/dept/itss/docs/oracle/10g/server.101/b10726/hadesign.htm>
[7] Texas State Office of Risk Management. “Business Continuity Impact Analysis.” <http://www.sorm.state.tx.us/Risk_Management/Business_Continuity/bus_impact.php>
[8] SearchStorage.com. “Definitions: What is business impact analysis? – a definition from Whatis.com.” <http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci820947,00.html>
[9] Global Information Assurance Certification (GIAC), Op.cit.
[10] Ibid.
Methodologies of Business Impact Analyses: Initial Development

The development and planning phase that occurs prior to the performance of a BIA is particularly important given the high degree of inter- and intra-organization communication and cooperation that is needed during the BIA process. Best practice literature concerning BIA performance recommends that the professional(s) responsible for the establishment of the BIA process and methodology, coordination and planning of data collection and analyses, and preparation and presentation of the BIA to management should be able to implement the following components of BIA development and planning during the initial phase of the BIA:[11]

Establish the Business Impact Analysis Process and Methodology

1. Identify and obtain a sponsor for the Business Impact Analysis (BIA) activity
2. Define objectives and scope for the BIA process
3. Identify, define and obtain management approval for criticality criteria
   a. Recommend and obtain agreement as to how potential financial and non-financial impact can be quantified and evaluated
   b. Identify and obtain agreement on requirements for non-quantifiable impact information
   c. Establish definition and criticality scale (e.g., high, medium, low)
   d. Negotiate with management for acceptance of criticality scale
4. Choose an appropriate BIA planning methodology/tool
   a. Develop questionnaire and instructions as required
   b. Determine data analysis methods (manual or computer)
   c. Data collection via questionnaires
      i. Understand the need for appropriate design and distribution of questionnaires, including explanation of purpose, to participating departmental managers and staff
      ii. Manage project kick-off meetings to distribute and explain the questionnaire
      iii. Support respondents during completion of questionnaires
      iv. Review completed questionnaires and identify those requiring follow-up interviews
      v. Conduct follow-up discussions when clarification and/or additional data is required
   d. Data collection via interviews only
      i. Provide consistency with the structure of each interview being predefined and following a common format
      ii. Ensure the base information to be collected at each interview is predefined
      iii. Enable interviewee to review and verify all data gathered
      iv. Schedule follow-up interviews if initial analysis shows a need to clarify and/or add to the data already provided
   e. Data collection via workshop
      i. Set a clear agenda and set of objectives
      ii. Identify the appropriate level of workshop participants and obtain agreement from management
      iii. Choose appropriate venue, evaluating location, facilities and participant availability
      iv. Facilitate and lead the workshop
      v. Ensure workshop objectives are met
      vi. Ensure all outstanding issues at the end of the workshop are identified and appropriate follow-up conducted
5. Determine report format, content and obtain management approval for next steps
6. Obtain agreement for management on final time schedule and initiate the BIA process

Plan and Coordinate Data Gathering and Analysis

1. Identify all Organization Functions
   a. Collect and review existing organizational charts
   b. Identify the major areas of the organization
2. Identify and Train Knowledgeable Functional Management Representatives
   a. Identify specific individuals to represent in the collection process
   b. Inform the selected individuals of the BIA process and its purpose
   c. Identify training requirements and establish a training schedule and undertake training as appropriate

[11] The following information is quoted verbatim from: The Institute for Continuity Management. “Business Impact Analysis.” <https://www.drii.org/professional_prac/profprac_business_impact_analysis.html>

As can be seen from the steps outlined above, best practice literature concerning BIA development focuses on the need for communications between the individuals/department responsible for administering the BIA and the
individuals/departments from which BIA data are collected.[12] Additionally, it is important that a sponsor from within the upper management ranks of the organization is identified prior to data collection in order to increase inter-departmental cooperation with the data collection process and to approve the BIA so that subsequent steps of the business continuity management process may be completed.[13]

A crucial component of this initial development phase is the creation of a BIA questionnaire that will be able to effectively identify critical processes and resources for the organization. Literature recommends that the BIA questionnaire include the following elements:[14]

• Function Description: Includes a brief description of the function being performed by the department/individual.
• Dependencies: Includes a description of the dependencies of the function being performed, including components and processes necessary for function performance.
• Impact Profile: Determines if there is a specific time or period of time in which the described function would be more vulnerable to risk/exposure or in which the impact to business would be greater.
• Operational Impacts: Determines the operational impact of a disruption to the function and the time at which the operational impact of a disruption would be felt.
• Financial Impacts: Determines the financial impact of a disruption to the function and the time at which the financial impact of a disruption would be felt.
• Work backlog: Determines the time at which the backlog of work as a result of a disruption will begin to impact business processes.
• Recovery Resources: Determines the resources needed to support the function, including quantity of resources and the point at which they are needed after a disruption.
• Technology Resources: Determines the software/applications necessary to support the business function. This includes the need for standalone PCs or workstations and local area networks (LAN) to function.
• Work-around procedures: Determines the availability of manual workaround procedures in place that would enable continued performance after a disruption to the function.
• Work-at-home: Determines the ability of employees to perform the function at home.
• Workload shifting: Determines the options for shifting workload to another part of the organization to minimize the impact of a disruption.
• Business records: Determines the business records needed to perform the function and the frequency at which records are saved and/or replicated.
• Regulatory reporting: Determines what regulatory documents are created as a result of the function.
• Work inflows: Determines the internal or external inputs necessary to perform the function.
• Business disruption experience: Determines if previous disruptions to business have occurred.
• Competitive Analysis: Determines if a competitive impact would occur as a result of a disruption to the function, and if so, the time of impact and potential customer loss.
• Other issues: Determines if there are other issues relevant to the success of function performance.

These elements of the BIA questionnaire are used to identify the effects of disruptions and assess the impact of these effects. The identified effects of disruptions may include the loss of key personnel and physical, informational, financial and intangible assets, the resulting discontinuity of service and operations, and any resulting violations of law/regulation and the effect of public perception. Questions should also identify the financial and business impact as well as quantitative (including property loss, revenue loss, fines, cash flow, accounts receivable/payable, legal liability, human resources, additional expenses) and qualitative (human resources, morale, stakeholder confidence, legal, social and corporate image, financial community credibility) impacts. The accumulation of this information can help to inform recovery objectives and vital resources or processes to the organization.[15]

The following sections of this report will provide a detailed review of the scope, approach, framework, oversight and governance of the BIA implementation and performance. The analysis of BIA methodologies in higher education settings includes a review of BIA process and performance of individual institutions that is supplemented with best practice literature from industry experts. In order to provide a diverse cross-section for analysis and determine if BIA methodologies vary with institution size, the institutions profiled in this report vary in size as measured by enrollment (from 93,198 students enrolled in the Virginia Community Colleges System to 4,727 students enrolled in Longwood University).

[12] Ibid.
[13] Ibid.
[14] Texas State Office of Risk Management. “Business Continuity Impact Analysis.” Op.cit.
[15] The Institute for Continuity Management. “Business Impact Analysis.” Op.cit.
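The questionnaire elements above (dependencies, operational impact over time, financial impact, work-around availability, recovery resources) only become decision-useful once they are scored and combined. The script below is an added example, not part of the Hanover report or any of the profiled institutions' templates: it takes constructed questionnaire responses for a hypothetical campus, rates each function on the high/medium/low criticality scale the report mentions, propagates recovery time objectives (RTOs) down the dependency graph so that a shared service cannot be planned to recover later than the units that depend on it, derives a recovery order, and flags the high-criticality functions without a manual work-around as candidates for redundancy (the report's "high availability services"). The 1..5 impact rating, the dollar thresholds, the RTO figures and the campus functions are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Criticality scale per the report's example (high, medium, low).
# The 1..5 impact rating and these thresholds are assumptions for this example.
OPERATIONAL_HIGH = 4        # operational impact rating that forces "high"
FINANCIAL_HIGH = 50_000     # assumed USD-per-day loss that forces "high"


@dataclass
class FunctionResponse:
    """One questionnaire response for a business function (constructed data)."""
    name: str
    operational_impact: Dict[int, int]       # outage hours -> impact rating 1..5
    financial_impact_per_day: float          # quantitative impact (assumed USD)
    dependencies: List[str] = field(default_factory=list)  # functions it needs
    workaround_available: bool = False       # manual work-around in place?
    declared_rto_hours: int = 72             # the unit's own recovery objective


def criticality(r: FunctionResponse) -> str:
    """Map the impact profile onto the high/medium/low scale."""
    peak_ops = max(r.operational_impact.values())
    if peak_ops >= OPERATIONAL_HIGH or r.financial_impact_per_day >= FINANCIAL_HIGH:
        return "high"
    if peak_ops >= 3 or r.financial_impact_per_day >= FINANCIAL_HIGH / 5:
        return "medium"
    return "low"


def hours_until_impact(r: FunctionResponse, rating: int = 3) -> Optional[int]:
    """Earliest outage horizon at which the operational rating reaches `rating`
    (the questionnaire's 'time at which the impact would be felt')."""
    for hours in sorted(r.operational_impact):
        if r.operational_impact[hours] >= rating:
            return hours
    return None


def required_rto(responses: Dict[str, FunctionResponse]) -> Dict[str, int]:
    """A dependency must be restored no later than the earliest required RTO of
    anything that depends on it; propagate that constraint down the graph."""
    required = {n: r.declared_rto_hours for n, r in responses.items()}
    dependents: Dict[str, List[str]] = {n: [] for n in responses}
    for n, r in responses.items():
        for d in r.dependencies:
            if d not in responses:
                raise KeyError(f"{n} depends on unknown function {d!r}")
            dependents[d].append(n)
    changed = True   # fixed-point iteration; values only ever decrease
    while changed:
        changed = False
        for d, users in dependents.items():
            for u in users:
                if required[u] < required[d]:
                    required[d] = required[u]
                    changed = True
    return required


def rto_conflicts(responses: Dict[str, FunctionResponse]) -> Dict[str, tuple]:
    """Functions whose declared RTO is slower than their dependents need,
    as name -> (declared, required); these are findings for management review."""
    req = required_rto(responses)
    return {n: (r.declared_rto_hours, req[n])
            for n, r in responses.items() if r.declared_rto_hours > req[n]}


def recovery_order(responses: Dict[str, FunctionResponse]) -> List[str]:
    """Restore next the function with the smallest required RTO whose
    dependencies are already restored (Kahn-style); raises on a cycle."""
    req = required_rto(responses)
    restored, order, remaining = set(), [], set(responses)
    while remaining:
        ready = [n for n in remaining if set(responses[n].dependencies) <= restored]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (req[n], n))
        order.append(nxt)
        restored.add(nxt)
        remaining.remove(nxt)
    return order


def high_availability_candidates(responses: Dict[str, FunctionResponse]) -> List[str]:
    """High-criticality functions with no manual work-around: candidates for
    redundancy rather than recovery (the report's 'high availability services')."""
    return sorted(n for n, r in responses.items()
                  if criticality(r) == "high" and not r.workaround_available)


# Constructed responses for a hypothetical campus (not taken from the report).
SAMPLE = {r.name: r for r in [
    FunctionResponse("Campus network", {4: 4, 24: 5, 72: 5}, 10_000,
                     declared_rto_hours=24),
    FunctionResponse("Identity/authentication", {4: 3, 24: 5, 72: 5}, 5_000,
                     dependencies=["Campus network"], declared_rto_hours=8),
    FunctionResponse("Student records", {4: 1, 24: 3, 72: 5}, 20_000,
                     dependencies=["Identity/authentication"],
                     workaround_available=True, declared_rto_hours=48),
    FunctionResponse("Payroll", {4: 1, 24: 2, 72: 4}, 60_000,
                     dependencies=["Identity/authentication"],
                     workaround_available=True, declared_rto_hours=72),
    FunctionResponse("Campus newsletter", {4: 1, 24: 1, 72: 2}, 500,
                     dependencies=["Campus network"], declared_rto_hours=168),
]}

if __name__ == "__main__":
    req = required_rto(SAMPLE)
    for name, r in SAMPLE.items():
        print(f"{name:24} {criticality(r):6} felt at {hours_until_impact(r)}h, "
              f"declared RTO {r.declared_rto_hours}h, required {req[name]}h")
    print("RTO conflicts:", rto_conflicts(SAMPLE))
    print("Recovery order:", recovery_order(SAMPLE))
    print("High-availability candidates:", high_availability_candidates(SAMPLE))
```

On the sample data the network unit declares a 24-hour RTO, but identity/authentication depends on it and needs 8 hours, so `rto_conflicts` reports the network at (24, 8); that mismatch between what a unit declares and what its dependents need is exactly the kind of finding the management review and sign-off step exists to resolve. The RTO propagation is a fixed-point loop rather than a topological pass so it terminates even on cyclic data; `recovery_order` then refuses cycles explicitly, since a circular dependency means the questionnaire answers need follow-up rather than a recovery plan.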
Methodologies of Business Impact Analyses: Scope

The Hanover Research Council’s review of the scope of Business Impact Analyses performed by various institutions of higher education, including the Virginia Community College System, Pennsylvania State University, University of Texas at Austin, Texas A&M University, Michigan State University, Connecticut Community College System, University of Arizona, North Carolina State University, University of Nebraska – Lincoln, Old Dominion University, Northern Arizona University, Stanford University, Georgia Institute of Technology, and Longwood University, revealed that the majority of BIAs performed in an educational setting took place on a departmental level, and that Information Technology departments were particularly likely to undergo a BIA. While at many higher education institutions multiple departments performed BIAs at the same time, the primary level of BIA administration and analysis was within individual departments rather than throughout the institution. The size of the institution did not appear to affect the scope or purpose of the BIA at any of the institutions profiled. Figure 1 below reviews the detailed scope of each institution’s BIA.

Three of the institutions featured below, Virginia Community College System, Old Dominion University, and Longwood University, are located in Virginia and are required by law to perform a routine BIA to (1) define minimum requirements for the agency/organization/institution’s information technology security program, (2) promote secure communications and protect information resources, and (3) facilitate the alignment and adaptation of security technology to the needs of business and Virginia.[16]

Discontinuities between a few of the institutions profiled below and the institutions profiled in alternate sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report (scope, framework, approach, oversight, and governance) concerning BIA performance. Despite this lack of data, this report attempts to achieve as much overlap as possible concerning the institutions profiled and reviewed for best practice BIA methodologies.

[16] Commonwealth of Virginia. “Information Technology Resource Management Standard: Information Technology Security Standard.” Pg. 1. <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>
Figure 1: Scope of Business Impact Analyses Performed in Institutions of Higher Education

(Columns: Institution; Enrollment[17]; Participating Units; Purpose; Additional Information)

Virginia Community College (VCC) System
  Enrollment: 93,198[18]
  Participating Units: Covers all System Office, VCC Utility and college business processes and supporting applications; however,[19] analysis takes place on a departmental level.[20]
  Purpose: To identify critical business functions associated with the organizational units participating in the BIA in order to comply with Virginia’s COV ITRM Standard SEC2001-01.1.[21]
  Additional Information: For more information on Virginia’s COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions’ information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>

Pennsylvania State University
  Enrollment: Approx. 90,000[22]
  Participating Units: Piloted in 2005 to the Academic Services and Emerging Technologies Dept., the Consulting and Support Services Dept., the Digital Library Technologies Dept., the Teaching and Learning with Technology Dept., and the Telecommunications and Networking Services Dept.[23]
  Purpose: Develop the necessary training and tools to assist with disaster recovery efforts.[24]
  Additional Information: N/A

University of Texas at Austin
  Enrollment: 50,170
  Participating Units: All University departments.[25]
  Purpose: Identify critical processes within an organization to determine the impact of a disruption to business and create ways to work around disruptions to processes.[26]
  Additional Information: N/A

Texas A&M University
  Enrollment: 46,542
  Participating Units: Has a university-wide risk management and business continuity plan in place that includes a BIA component.[27]
  Purpose: Identify events that may affect the organization and manage risks in order to aid business continuity and recovery objectives.[28]
  Additional Information: Texas A&M includes the BIA process as part of its “Enterprise Risk Management” program, an emerging model at institutions of higher education where risk management is integrated and coordinated across the university as a whole.[29]

Michigan State University
  Enrollment: 46,045
  Participating Units: BIA conducted at University-Unit level.[30]
  Purpose: Identify and prioritize critical systems. Use the information recovered from the BIA, such as the identification of common elements of plausible disruptions that might disrupt critical units, the anticipation of the impact of these disruptions, and the development of contingent responses for a timely recovery, to form a Unit Disaster Recovery Planning Project.[31]
  Additional Information: N/A

Connecticut Community College System
  Enrollment: 43,335[32]
  Participating Units: All Academic departments, Student Records department, Financial Aid departments, Finance/Budget business units, Human Resources departments, Legal departments, Libraries, and Institutional Departments, as well as all Information Technology networks and applications.[33]
  Purpose: Determine recovery objectives for critical business units based upon the business impact of units.[34]
  Additional Information: N/A

University of Arizona
  Enrollment: 37,217
  Participating Units: All University departments.[35]
  Purpose: Enable the University to prepare for and respond to disruptions through the identification of priorities, strategies, and solutions for managing continuity/recovery.[36]
  Additional Information: N/A

North Carolina State University
  Enrollment: 31,802
  Participating Units: 30 business units at the University participated, including Administrative Services, Budget Office, Controller’s Office, and Enrollment Management Services.[37]
  Purpose: For each business unit, identify university functions, functional area representatives, criticality criteria, RTOs, and RPOs, as well as present criticality criteria to an oversight committee.[38]
  Additional Information: N/A

University of Nebraska - Lincoln
  Enrollment: 22,973
  Participating Units: Critical services provided by Information Security (IS) to support the technology of the University. No systems external to IS are covered.[39]
  Purpose: Identify and prioritize critical services supported by IS and work with the coordinators of the services to review or develop a plan for each service to minimize the negative effects in the event of a disaster.[40]
  Additional Information: N/A

Old Dominion University
  Enrollment: 22,287
  Participating Units: University-wide administration
  Purpose: Identify assets and associated risks within the University, determine the importance of these assets and identify safeguards in compliance with Virginia’s COV ITRM Standard SEC2001-01.1.[41]
  Additional Information: For more information on Virginia’s COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions’ information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>

Stanford University
  Enrollment: 19,782
  Participating Units: Focus on University financial systems.[42]
  Purpose: Determine vulnerabilities and dependencies between core business processes to assist in the development of response and recovery plans.[43]
  Additional Information: Stanford has already undergone a BIA of its financial systems conducted by IBM; however, the University believes that there is need for a larger scope to address other systems necessary to operations.[44]

Northern Arizona University
  Enrollment: 21,347
  Participating Units: All NAU College campuses and departments.[45]
  Purpose: To identify core business processes and to establish risk management and disaster recovery planning processes to respond to business disruptions and risks associated with the University’s loss of its ability to execute core processes.[46]
  Additional Information: Departments identified as relevant for risk assessments: Academic Departments (which collect financial data during payment of fees for affiliated programs), Accounts Payable, Admissions, Alumni, Aquatic Center, Athletics (including Summer Sports Camps), Bookstore, Central Ticket Office, Library, Dental Hygiene, Dining Services, Distributed Learning, Financial Aid Office, Health Center, High Altitude Sports Training Complex, IT Services, Inn at NAU, Mountain Campus Card Office, Office of the Bursar, Parking Services, Performing Arts (Including Summer Music Camps), Postal Services, Property Administration, Purchasing Services, Recreation Center, Registrar's Office, Residence Life, Skydome, Transportation Services, and University Advancement.[47]

Georgia Tech
  Enrollment: 18,742
  Participating Units: All academic and administrative units, including Human Resources and Information Technology.[48]
  Purpose: Enable all units to be able to uniformly assess and develop strategies for identification, assessment and mitigation of risks to Information Systems and to comply with regulatory requirements.[49]
  Additional Information: N/A

Longwood University
  Enrollment: 4,727
  Participating Units: University-wide administration.[50]
  Purpose: Identify assets and associated risks within the University, determine the importance of these assets and identify safeguards in compliance with Virginia’s COV ITRM Standard SEC2001-01.1.[51]
  Additional Information: For more information on Virginia’s COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions’ information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>

[17] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[18] Enrollment figure represents the “Annualized FTE Enrollment, 2005-06.” Figure from: The Virginia Community College System. “Virginia Community College System Enrollment Report.” Pg. 1. <http://www.schev.edu/Reportstats/EnrollmentReportApp/InstProfiles2007/VCCS.pdf>
[19] Virginia Community College System. “Technology Models: Business Impact Analysis.” <http://system.vccs.edu/ITS/models/bia.htm>
[20] Texas A&M University. “University Risk and Compliance: University-Wide Risk Management.” <http://universityrisk.tamu.edu/BusinessContinuityTools.aspx>
[21] Virginia Community College System. “Technology Models: Business Impact Analysis.” Op.cit.
[22] Pennsylvania State University. “Live: The University’s Official News Source.” <http://live.psu.edu/image/21894>
[23] Pennsylvania State University. “Administrative Information Services Online Newsletter: November 2005.” <http://ais.its.psu.edu/news/nov_2005.html>
[24] Ibid.
[25] University of Texas at Austin. “Information Security Office: Risk Management Services – Disaster Recovery Planning Instructions and Templates.” <http://security.utexas.edu/risk/planning/>
[26] Ibid.
[27] Texas A&M University. “University Risk and Compliance: University-Wide Risk Management.” <http://universityrisk.tamu.edu/moreRiskMgmtDefn.aspx>
[28] Ibid.
[29] Ibid.
[30] Michigan State University. “Michigan State University Unit Guide to Disaster Recovery Planning Overview.” <http://www.drp.msu.edu/Documentation/UnitGuideDisasterRecoveryPlanningVer3_lite.doc>
[31] Ibid.
[32] Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. “Spring 2004 Credit Enrollment Report – February 23, 2004.” Pg. 4. <http://www.commnet.edu/planning/Research/Enrollment/CreditEnrollment/Spring/Spring_2004.pdf>
[33] Connecticut Community Colleges. “Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges.” <http://64.233.169.104/search?q=cache:rI9oeuNbxPUJ:www.commnet.edu/IT/docs/BIA-Kickoff-20050714.ppt+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=7&gl=us>
[34] Ibid.
[35] The University of Arizona. “University Information Technology Services: Business Impact Analysis.” Op.cit.
[36] Ibid.
[37] For a complete listing of participating business units, please see: North Carolina State University. “BIA: OIT Organizational Resilience.” <http://www.fis.ncsu.edu/or/history/history_funcreq_bia.htm>
[38] Ibid.
[39] University of Nebraska – Lincoln. “Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity.” <http://is.unl.edu/about/documents/Disaster%20Mitigation.PDF>
[40] Ibid.
[41] Old Dominion University. “Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description.” <http://64.233.169.104/search?q=cache:0wSgnLEwyjkJ:occs.odu.edu/security/risk/Risk_Assess_Users_Guide.doc+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=39&gl=us&client=firefox-a>
[42] Stanford University. “Stanford University Emergency Management Program: Presentation to Stanford University Cabinet.” <http://facultysenate.stanford.edu/2005_2006/reports/SenD5790_emerg_prepare.pdf>
[43] Ibid.
[44] Ibid.
[45] Northern Arizona University. “NAU Business Continuity and Disaster Recovery Site.” <http://home.nau.edu/comptr/businesscontinuity.asp>
[46] Ibid.
[47] Northern Arizona University. “Comptroller’s Office Policies and Procedures Manual: CMP 110: Information Security Plan for Northern Arizona University.” <http://www4.nau.edu/comptr/policies_procedures/com110.html>
[48] Georgia Institute of Technology. “Welcome to the Georgia Tech Risk Self Assessment Program – Business Analysis IT Risk Document.” <http://www.risks.gatech.edu/Documents/Self-Assessment/Risk%20Assessment%20Process%20Rev727.PDF>
[49] Ibid.
[50] Longwood University. “Policy 6126: Business Impact Analysis/Risk Assessment Policy.” <http://www.longwood.edu/vpaf/final_policy_base/6000/6126.htm>
[51] Ibid.
Methodologies in Business Impact Analyses: Framework

While the identification of critical resources is no easy task, the development of an appropriate framework for the organization’s BIA is a critical component of the successful completion of the analysis.[52] A review of higher education institutions and government agencies reveals that although criticality definitions and assets vary among organizations, the general framework of Business Impact Analyses tends to be relatively uniform. For purposes of discussion, we have separated the BIA framework into three major components: (1) Plan Development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals.

Plan Development

Plan development is the first step towards successful BIA completion, and reports from Iowa State University, Old Dominion University and Georgia Tech assert that the most important component of plan development is the commitment and involvement of management in the BIA process.[53] Support from management enhances departmental-level cooperation with the BIA and increases compliance and completion of the BIA process, in part because it ensures that Team Leaders and members are selected who can effectively perform the tasks needed to complete the BIA.[54] The specific positions of the individuals involved in the BIA process and their responsibilities are discussed in later sections of this report, but a review of plan development across institutions reveals that the individuals assigned to perform the BIA tend to work within the unit/department in which the BIA is being performed and are highly knowledgeable of the department.[55] Please see the “Oversight” and “Governance” sections of this report for a detailed review of the individuals and responsibilities involved in the BIA process in institutions of higher education.
The plan development phase requires a high degree of inter- and intra-departmental communication as the BIA questionnaire is developed, timetables for completion are established, and workshop/training sessions are hosted to inform all faculty and staff of the BIA process and goals.[56]

[52] The Institute for Continuity Management. “Business Impact Analysis.” Op. cit.
[53] Iowa State University. “Business Impact Analysis and Risk Assessment for Information Resources – General Information and Process Description.” Op. cit.; Old Dominion University. “Business Impact Analysis/Risk Assessment for Information Assets – General Information and Process Description.” Op. cit.; and Georgia Institute of Technology. “Business Impact Analysis and Risk Assessment for Information Assets – General Information and Process Description.” Op. cit.
[54] Ibid.
[55] Pennsylvania State University. “Administration Information Services: Recovery Planning Process.” <http://ais.its.psu.edu/disaster_recovery/media/Recovery_Planning_Guide.pdf>

Assessment and Analysis Processes

The next components of the BIA framework are the assessment and analysis processes, which begin with a determination of what will be assessed by the BIA. Because the “what” of the BIA assessment is the set of critical business functions/processes relative to the department’s mission, it tends to vary by organization and within departments.[57] This step may take the form of developing criteria to guide the creation of a list of critical services,[58] listing all business activities (including academic activities, accounting activities, budget and planning activities, etc.),[59] or determining the core processes performed by each College or department and the flow of information, materials, and services through these core processes,[60] but there are many commonalities among these assessments. Whatever category is assessed, the common yardsticks are its importance to the functioning of the business and the threat to business operations if these critical services/activities/functions/resources are disrupted. Some institutions also include a risk assessment component in the BIA, which often involves the identification and evaluation of scenarios, risks, and internal and external threats, as well as the impact of these on the critical services/activities/functions/resources.[61] To help departments obtain a basic understanding of their critical business processes, some higher education institutions provide “Business Analysis Checklists” for departments performing a BIA.
Checklists may include the purpose, overview and objective of the BIA, as well as questions meant to determine the exact function of the business process, the time period the process can function without information technology support, and any impacts associated with disruption to the process.[62] An example of such a checklist is the University of Arizona’s BIA Checklist.[62]

Business processes must then undergo an analysis in which the criticality and importance of each process is defined and processes are prioritized or ranked. The level of detail of these definitions and criteria varies widely among institutions, although the definition of “critical” is generally accepted to encompass those functions which “have a direct and immediate effect on the general campus community.”[63] Functions are defined as “essential” by multiple higher education institutions if the department could continue operations after a disruption to the function for days or even a week, but eventually would need the function again, and are defined as “normal” if the department can continue operations without the function for an extended period of time.[64] Many institutions also consider extent of impact, costs of a failure, publicity, legal and ethical issues, and regulatory concerns in their determination of criticality criteria and definitions.[65] While some higher education institutions, like the Virginia Community College System, use a relatively simple ranking scale that rates the importance of business activities from one to three, one being the most important and three the least important,[66] other institutions use more detailed ranking scales.

[56] Connecticut Community Colleges. “Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges.” Op. cit.
[57] Texas A&M University. “University Risk and Compliance: University-Wide Risk Management – URC Business Continuity Checklist.” <http://universityrisk.tamu.edu/DataFiles/BC-Checklist.doc>
[58] University of Nebraska – Lincoln. “Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity.” Op. cit.
[59] Virginia Community College System. “Technology Models: Business Impact Analysis.” Op. cit.
[60] Northern Arizona University. “Comptroller’s Office Policies and Procedures Manual: CMP 110.” Op. cit.
[61] Texas A&M University. “University Risk and Compliance: University-Wide Risk Management.” Op. cit.
The University of Arizona, for example, provides a scale that ranks critical functions from one to five, with criticality determined by the length of the period between a disruption to the function and the point at which business processes will be impacted if the function is not resumed (the University of Arizona defines the most critical functions as those in which only 24 hours may pass before the function needs to be resumed).[67] Iowa State University uses similar criteria to determine criticality, dividing impact rankings into “high” (cannot operate without the resource even for a short period of time), “medium” (could work around the loss of the resource for a few days or a week), and “low” (could operate without the resource for an extended period of time).[68] The University of Texas also factors impact into its ranking criteria, defining resource importance through the following four “impact levels”:[69]

• N: None – There is no impact on any work function. An example would be a process that runs only intermittently; normal function would continue until the next interval that process is scheduled to run.
• M: Moderate – The failure of the process results in minor or moderate disruption to the function of the department itself or to another department with a downstream dependency.
• S: Severe – The failure of the process results in the department or another department with a downstream dependency being unable to function.
• C: Catastrophic – The failure of the process results in a disruption of the university’s daily functioning.

It is also possible to incorporate recovery time objectives into criticality definitions, as shown in the figure provided by the Global Information Assurance Certification organization (GIAC).

Figure 2: Criticality Levels Defined in Relation to Recovery Objectives and Method

| Criticality Level | Recovery Objective | Possible Recovery Method |
| --- | --- | --- |
| Level 1: The business process must be available during all business hours. | < 2 hours | Data replication |
| Level 2: Indicates that the business function can survive without normal business processes for a limited amount of time. | 2 hours to 24 hours | Data shadowing |
| Level 3: The business function can survive for one to three days with a data loss of one day. | 24 to 72 hours | Tape recovery at an offsite facility |
| Level 4: Business unit can survive without the business function for an extended period of time. | 72 hours plus | Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility |

Table provided by The Global Information Assurance Certification. “Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP).” <http://www.giac.org/resources/whitepaper/planning/122.php>

[62] The University of Arizona. “Business Analysis Checklist.” <http://web.arizona.edu/~ccit/fileadmin/templates/content/security/pdf/BIAChecklist.pdf>; and Texas A&M University. “University Risk and Compliance.” Op. cit.
[63] Northern Arizona University. “Comptroller’s Office Policies and Procedures Manual: CMP 110.” Op. cit.
[64] See footnote 53.
[65] Georgia Institute of Technology. “Business Impact Analysis and Risk Assessment for Information Assets – General Information and Process Description.” Op. cit.
[66] Virginia Community College System. “Technology Models: Business Impact Analysis.” Op. cit.
[67] University of Arizona. “Critical Functions Assessment Survey.” <http://web.arizona.edu/~ccit/fileadmin/templates/content/security/pdf/CFA_Survey.pdf>
[68] Iowa State University. “Business Impact Analysis and Risk Assessment for Information Resources – General Information and Process Description.” Op. cit.
[69] Impact levels are quoted verbatim from: The University of Texas at Austin. “Information Security Office: Business Impact Analysis Instructions.” <http://security.utexas.edu/risk/planning/bia-instructions.html>
The BIA framework shown above, where recovery time is included in the ranking analysis, is called a “high availability analysis framework.”[70] This type of framework allows the organization to define service level agreements in terms of high availability for the critical functions and processes defined in the BIA. Information from the BIA is then used to identify critical business functions/processes, and then to determine the appropriate amount of redundancy for these functions/processes to improve recovery time.[71] The following shows an example of Stanford University’s Oracle database categorization and ranking system for high availability services:[72]

• Tier 1: Includes business processes with a maximum impact and the most stringent high availability requirements. The Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are often close to zero, and these processes require almost continuous supporting services.
• Tier 2: Includes business processes with fewer high availability requirements and longer RTO and RPO times.
• Tier 3: Includes business processes related to internal development and quality assurance that do not have rigorous high availability requirements.

The high availability framework is similar to other BIA frameworks, differing only in its categorization of some services as “high availability” based on recovery time objectives, but using otherwise similar criticality criteria and ranking systems to determine the importance and impact of business processes to inform business recovery and continuity plans.

Business Impact Analyses conducted at government agencies generally follow the same procedures and processes as those conducted in higher education settings, but the literature showed that government agencies use slightly different criteria to define the criticality level of functions.
For example, both the Federal Emergency Management Agency and the National Institute of Standards and Technology recommendations define the adverse impact of an event in terms of loss or degradation of the security goals of integrity, availability and confidentiality.[73] In these types of analyses, vulnerability and magnitude of impact are ranked on three levels, “high,” “medium,” and “low,” as in many higher education settings. The difference is that the three ranking levels are defined by the government agencies in terms of the asset’s vulnerability and the resulting levels of quantitative and qualitative costs to the organization.[74]

Although not strictly part of a BIA, some institutions include risk assessment in the BIA critical services/activities/functions/resources prioritization process. This involves ranking the risks or threats associated with critical services/activities/functions/resources by their probability of occurrence and then aligning this information with impact levels to help prioritize critical functions in terms of risk. Provided below is an example of this alignment of risk and impact level.

Figure 3: Risk-Level Matrix

| Threat Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100) |
| --- | --- | --- | --- |
| High (1.0) | Low (10 x 1.0 = 10) | Medium (50 x 1.0 = 50) | High (100 x 1.0 = 100) |
| Medium (0.5) | Low (10 x 0.5 = 5) | Medium (50 x 0.5 = 25) | Medium (100 x 0.5 = 50) |
| Low (0.1) | Low (10 x 0.1 = 1) | Low (50 x 0.1 = 5) | Low (100 x 0.1 = 10) |

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

Figure from: Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. “Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology.” Table 3-6. Risk-Level Matrix. National Institute of Standards and Technology. <http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf>

[70] Stanford University. “Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements.” Op. cit.
[71] Ibid.
[72] Ibid.
[73] Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. “Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology.” National Institute of Standards and Technology. <http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf>; and Federal Emergency Management Agency. “Emergency Management Guide for Business and Industry: A Step-by-Step Approach to Emergency Planning, Response and Recovery for Companies of All Sizes.” October 1993. <http://www.fema.gov/pdf/business/guide/bizindst.pdf>
[74] Stoneburner, Goguen, and Feringa. Op. cit.
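The two scales above can be applied together to a BIA questionnaire’s answers. As an added example (not from the report or any institution it profiles), the Python below encodes the GIAC criticality levels of Figure 2 and the NIST SP 800-30 risk-level matrix of Figure 3 and ranks a constructed list of business processes; where a process’s RTO falls exactly on a band boundary (24 or 72 hours) the assignment is an assumption, since the table does not specify it.

```python
"""Score BIA entries with the GIAC criticality levels (Figure 2) and the
NIST SP 800-30 risk-level matrix (Figure 3), then rank them.

Added example; the process list at the bottom is constructed for illustration.
"""
from dataclasses import dataclass

# Figure 3 (NIST SP 800-30, Table 3-6): likelihood weights and impact values.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"low": 10, "medium": 50, "high": 100}
RISK_RANK = {"High": 0, "Medium": 1, "Low": 2}   # sort order, most severe first

# Figure 2 (GIAC): possible recovery method for each criticality level.
RECOVERY_METHOD = {
    1: "data replication",
    2: "data shadowing",
    3: "tape recovery at an offsite facility",
    4: "low priority for tape recovery / rebuild infrastructure / relocate operations",
}


def criticality_level(rto_hours):
    """GIAC criticality level for a recovery time objective given in hours.

    Level 1: < 2 h; Level 2: 2 h to 24 h; Level 3: 24 h to 72 h; Level 4: 72 h plus.
    Assumption: exactly 24 h is Level 2 and exactly 72 h is Level 3; the source
    table does not say which side of the boundary those values fall on.
    """
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    if rto_hours < 2:
        return 1
    if rto_hours <= 24:
        return 2
    if rto_hours <= 72:
        return 3
    return 4


def risk_score(likelihood, impact):
    """Risk score = likelihood weight x impact value (NIST SP 800-30, Table 3-6)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score):
    """Risk scale from Figure 3: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix():
    """Rebuild Figure 3 as {(likelihood, impact): (score, level)} for checking."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class ProcessEntry:
    """One BIA questionnaire answer: a process, its RTO, and its threat rating."""
    name: str
    rto_hours: float
    likelihood: str
    impact: str


@dataclass
class ScoredEntry:
    name: str
    criticality: int
    recovery_method: str
    risk_score: float
    risk_level: str


def score_entries(entries):
    """Score every entry and rank: highest risk level first, then the tightest
    criticality level, then the higher raw risk score, then name."""
    scored = []
    for e in entries:
        level = criticality_level(e.rto_hours)
        score = risk_score(e.likelihood, e.impact)
        scored.append(ScoredEntry(e.name, level, RECOVERY_METHOD[level],
                                  score, risk_level(score)))
    scored.sort(key=lambda s: (RISK_RANK[s.risk_level], s.criticality,
                               -s.risk_score, s.name))
    return scored


# Constructed sample entries; not drawn from any institution in the report.
SAMPLE_ENTRIES = [
    ProcessEntry("Student information system", 1, "medium", "high"),
    ProcessEntry("Payroll run", 24, "low", "high"),
    ProcessEntry("Campus card office", 48, "high", "medium"),
    ProcessEntry("Alumni newsletter", 120, "high", "low"),
    ProcessEntry("Campus network core", 0.5, "high", "high"),
]

if __name__ == "__main__":
    for s in score_entries(SAMPLE_ENTRIES):
        print(f"{s.name:28} L{s.criticality}  risk {s.risk_score:5.1f} "
              f"{s.risk_level:6}  {s.recovery_method}")
```

Note that the student information system and the campus card office tie on risk score (50, Medium); only the recovery objective from Figure 2 separates them in the ranking.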
Outcomes and End Goals

While the identification of the critical business functions and processes relative to the institution’s or department’s mission is the primary goal of the impact analysis, most higher education institutions and government agencies use the BIA and the information obtained therein to inform a broader business recovery and continuity plan. Information concerning critical processes and the time period for which operations can continue after a disruption was used as part of disaster mitigation and business recovery plans at the majority of the institutions surveyed, including Texas A&M University, the University of Nebraska – Lincoln, the Connecticut Community College System, Northern Arizona University, the University of Arizona, the University of Texas at Austin, Michigan State University, Georgia Institute of Technology, Pennsylvania State University, and Iowa State University.

Specific outcomes desired from the BIA include the determination of cross-dependencies among departments within an organization, including the ability to define dependencies as “upstream,” or external processes that the process relies upon, and “downstream,” or external processes that rely on the process and will be affected by its failure.[75] Recovery Time Objectives, or the desired amount of time it should take to restore a service, and Recovery Point Objectives, or the maximum amount of data the organization can lose before a negative impact is felt, are also included as goal outcomes of the BIA.[76]

[75] Northern Arizona University. “Comptroller’s Office Policies and Procedures Manual: CMP 110.” Op. cit.
[76] Ibid.; The Global Information Assurance Certification. Op. cit.; and North Carolina State University. “Policies, Regulations & Rules: Developing Business Continuity and Disaster Recovery Plans.” <http://www.ncsu.edu/policies/campus_environ/REG04.00.7.php>
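The upstream/downstream distinction is what makes these outcomes usable in a recovery plan. As an added example (not part of the report or of any institution’s procedure), the Python below inverts declared upstream dependencies into downstream dependents, tightens each process’s RTO and RPO to the strictest value among everything that depends on it, and produces an upstream-first recovery order; the process names and objectives are constructed.

```python
"""Cross-dependency analysis of BIA results: derive downstream dependents from
declared upstream dependencies, tighten recovery objectives along the chain,
and order recovery upstream-first.

Added example; the process data is constructed and not taken from the report.
"""
from collections import deque

# Constructed sample. Each process lists the upstream processes it relies upon
# and its own RTO (hours to restore) and RPO (hours of data loss tolerated).
SAMPLE_PROCESSES = {
    "campus_network":    {"upstream": [], "rto": 72, "rpo": 24},
    "identity_service":  {"upstream": ["campus_network"], "rto": 48, "rpo": 24},
    "sis_database":      {"upstream": ["campus_network"], "rto": 24, "rpo": 1},
    "registration":      {"upstream": ["identity_service", "sis_database"], "rto": 4, "rpo": 1},
    "financial_aid":     {"upstream": ["sis_database", "identity_service"], "rto": 24, "rpo": 4},
    "alumni_newsletter": {"upstream": ["identity_service"], "rto": 168, "rpo": 168},
}


def downstream_map(processes):
    """Invert the upstream declarations: result[p] is the set of processes that
    rely directly on p and are therefore affected by its failure."""
    downstream = {name: set() for name in processes}
    for name, spec in processes.items():
        for dep in spec["upstream"]:
            if dep not in processes:
                raise KeyError(f"{name!r} depends on undeclared process {dep!r}")
            downstream[dep].add(name)
    return downstream


def affected_by_failure(processes, failed):
    """Every process transitively downstream of `failed` (breadth-first walk)."""
    downstream = downstream_map(processes)
    seen, queue = set(), deque([failed])
    while queue:
        for dep in downstream[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def effective_objectives(processes):
    """Tighten each process's RTO and RPO to the strictest value among itself and
    everything downstream of it: an upstream process cannot be allowed a looser
    objective than a critical process that depends on it."""
    result = {}
    for name in processes:
        group = {name} | affected_by_failure(processes, name)
        result[name] = {
            "rto": min(processes[p]["rto"] for p in group),
            "rpo": min(processes[p]["rpo"] for p in group),
        }
    return result


def recovery_order(processes):
    """Upstream-first restoration order (Kahn's algorithm). Among processes whose
    upstream dependencies are all restored, the one with the tightest effective
    RTO comes first. Raises ValueError if the declarations form a cycle, since
    no recovery sequence can then satisfy them."""
    downstream = downstream_map(processes)
    objectives = effective_objectives(processes)
    remaining = {name: len(spec["upstream"]) for name, spec in processes.items()}
    ready = [n for n, count in remaining.items() if count == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (objectives[n]["rto"], n))
        cur = ready.pop(0)
        order.append(cur)
        for dep in downstream[cur]:
            remaining[dep] -= 1
            if remaining[dep] == 0:
                ready.append(dep)
    if len(order) != len(processes):
        unresolved = sorted(n for n, count in remaining.items() if count > 0)
        raise ValueError(f"dependency cycle: cannot order {unresolved}")
    return order


if __name__ == "__main__":
    objectives = effective_objectives(SAMPLE_PROCESSES)
    for name in recovery_order(SAMPLE_PROCESSES):
        declared = SAMPLE_PROCESSES[name]["rto"]
        print(f"{name:18} declared RTO {declared:4}h -> effective {objectives[name]['rto']:4}h; "
              f"failure affects {sorted(affected_by_failure(SAMPLE_PROCESSES, name))}")
```

In the sample, the campus network’s declared 72-hour RTO is pulled down to 4 hours because registration depends on it, which moves it from the least to one of the most critical bands of Figure 2.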
Methodologies in Business Impact Analyses: Approach

Best practice literature and industry standards list a number of different approaches to information gathering and data collection during the BIA process. The National Institute of Standards and Technology suggests that any of the following techniques are useful for data collection relevant to information technology systems and BIAs:[77]

• Questionnaire: A questionnaire can be developed concerning the management and operational aspects of the department or information technology system. Questionnaires can be distributed to the applicable personnel or used during on-site visits and interviews.
• On-site Interviews: Interviews with information technology specialists and management personnel can help with data collection as well as allow BIA personnel to observe and gather information about the physical, environmental, and operational security of the IT system.
• Document Review: Policy documents (such as legislative documentation and directives), system documentation (such as system user guides and manuals), security-related documentation (such as previous audit reports and security policies), and previous risk assessment/BIA results, as well as organizational mission statements, can be useful to help gain an understanding of organizational processes during the BIA.
• Use of an Automated Scanning Tool: Technical methods such as the use of network mapping tools can be used to collect system information efficiently.
GIAC’s white paper “Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)” affirms the suggestions from the National Institute of Standards and Technology and emphasizes the success of BIA data collection through face-to-face interviews, questionnaires, or conference calls.[78] The vast majority of the higher education institutions profiled in Figure 4 below used a questionnaire to gather information for the BIA, and most use some sort of interview, whether one-on-one or in a training session/workshop, to supplement the BIA information collection process. Both Pennsylvania State University and the University of Arizona used Strohl Systems software to help guide the creation and analysis of the BIA questionnaire. Two of the institutions, Stanford University and Baylor University, hired an outside consulting group to develop and administer the BIA. Interestingly, both of these schools had smaller enrollments than most of the other profiled institutions (Stanford University has an enrollment of 19,872 students and Baylor University has an enrollment of 14,174 students). Please see Figure 4 below for details and the report’s Appendix for links to BIA templates used by a selection of the higher education institutions profiled.

Discontinuities between a few of the institutions profiled below and the institutions profiled in other sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report. Despite the lack of data, this report attempts to achieve as much overlap as possible among the institutions profiled and reviewed for best practice BIA methodologies.

[77] Stoneburner, Goguen, and Feringa. Op. cit.
[78] The Global Information Assurance Certification. Op. cit.

Figure 4: Approach Used in BIAs Performed in Institutions of Higher Education
Columns: Institution; Enrollment[79]; BIA Approach Used.

Virginia Community College System (enrollment 93,198)
BIA Approach Used: Three separate BIA forms are administered to departments. The first form identifies all business activities and ranks their importance; the second form determines all applications and manual processes for business activities ranked most highly in form 1. The third form describes the systems ranked as critical on form 2.[80]

Pennsylvania State University (enrollment approx. 90,000[81])
BIA Approach Used: Provide training for BIA and Risk Assessment for the Recovery Coordinator and Unit Managers. Recovery Coordinators distribute the BIAs to appropriate units and Unit Managers. BIA results are then reviewed for completeness by the Recovery Coordinator and reported to management.[82] Strohl Systems’ BIA Professional software is used to help create the survey, collect and analyze data.[83]

University of Texas at Austin (enrollment 50,170)
BIA Approach Used: Post on-line instructions[84] to help business process units complete the posted Business Analysis Template.[85]

Texas A&M University (enrollment 46,542)
BIA Approach Used: Questionnaire administered to departments. Training for personnel on business continuity plan after BIA administration.[86]

[79] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[80] Virginia Community College System. “Technology Models: Business Impact Analysis.” Op. cit.
[81] Pennsylvania State University. “Live: The University’s Official News Source.” Op. cit.
[82] Pennsylvania State University. “Administrative Information Services: Recovery Planning Process.” Op. cit.
[83] Pennsylvania State University. “PSU Business Continuity Blog: The Misunderstood Business Impact Analysis (BIA).” <http://www.personal.psu.edu/psd5/blogs/Business_Continuity/2007/10/bia-and-the-rto.html>
[84] University of Texas at Austin. “Information Security Office: Risk Management Services – Disaster Recovery Planning Instructions and Templates.” Op. cit.
[85] University of Texas at Austin. “BIA Template.” <http://security.utexas.edu/risk/planning/UT-Austin-BIA-Template.doc>
Figure 4 (continued): Approach Used in BIAs Performed in Institutions of Higher Education
Columns: Institution; Enrollment[79]; BIA Approach Used.

Michigan State University (enrollment 46,045)
BIA Approach Used: Coordinator/project leader and functional unit administrators work to identify critical functions and processes, then interview information systems support personnel and business unit personnel. These results are then analyzed in order to complete a Risk Assessment.[87]

Connecticut Community College System (enrollment 43,335[88])
BIA Approach Used: Use of a questionnaire and interview process, as well as a technical review of current capabilities and practices. Information used to determine recovery options.[89]

University of Arizona (enrollment 37,217)
BIA Approach Used: Used Strohl BIA software to help create a “Critical Functions Assessment Survey” and aid in the planning process.[90]

Texas Tech University System (enrollment 28,260)
BIA Approach Used: Hired an outside consultant to administer BIA.[91]

Iowa State University (enrollment 26,160)
BIA Approach Used: Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.[92]

Old Dominion University (enrollment 22,287)
BIA Approach Used: Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.[93]

Northern Arizona University (enrollment 21,347)
BIA Approach Used: Review relevant documentation, including critical success factors, strategic plans, budget measurements, etc., to build an understanding of organizational structure. Conduct interviews with College/Department leadership to gather data on operations, and compile the results of the interviews into “business flows” that describe core processes and the flow of information/goods/services.[94]

[86] Texas A&M University. “University Risk and Compliance: University-Wide Risk Management – URC Business Continuity Checklist.” Op. cit.
[87] Michigan State University. “Disaster Recovery Planning: Planning Guide: Michigan State University Unit Guide to Disaster Recovery Planning Compete with Step by Step Guide and Forms and Sample Plan Template.” <http://www.drp.msu.edu/Documentation/UnitGuideDisasterRecoveryPlanningVer3_complete.doc>
[88] Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. “Spring 2004 Credit Enrollment Report – February 23, 2004.” Pg. 4. <http://www.commnet.edu/planning/Research/Enrollment/CreditEnrollment/Spring/Spring_2004.pdf>
[89] Connecticut Community Colleges. “Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges.” Op. cit.
[90] The University of Arizona. “University Information Technology Services: Business Impact Analysis.” Op. cit.
[91] Texas Tech University System. “Minutes: Board of Regents – October 27, 2006.” <http://www.irs.ttu.edu/reports/statereports/SYSTEM/Minutes/BoardMinutes102706.pdf>
[92] Iowa State University. “Business Impact Analysis and Risk Assessment for Information Resources – General Information and Process Description.” Op. cit.
[93] Old Dominion University. “Business Impact Analysis/Risk Assessment for Information Assets – General Information and Process Description.” Op. cit.
[94] Northern Arizona University. “Comptroller’s Office Policies and Procedures Manual: CMP 110.” Op. cit.
Figure 4 (continued): Approach Used in BIAs Performed in Institutions of Higher Education
Columns: Institution; Enrollment[79]; BIA Approach Used.

Stanford University (enrollment 19,782)
BIA Approach Used: Hired an outside consulting group (IBM).[95]

Georgia Tech (enrollment 18,742)
BIA Approach Used: Use of trained BIA evaluators to administer a survey to each institution unit, and then develop a business continuity plan based on BIA results.[96] Survey is a multiple choice self-assessment.[97]

Baylor University (enrollment 14,174)
BIA Approach Used: Hired an outside consultant to administer BIA.[98]

[95] Stanford University. “Stanford University Emergency Management Program: Presentation to Stanford University Cabinet.” Op. cit.
[96] Georgia Institute of Technology. “Welcome to the Georgia Tech Risk Self Assessment Program.” Op. cit.
[97] Georgia Institute of Technology. “Self-Assessment Questionnaire.” <http://www.risks.gatech.edu/survey.htm>
[98] Hanover Research Council interview with Baylor University, November 4, 2008.
Methodologies in Business Impact Analyses: Oversight

Business Impact Analysis literature asserts that the successful completion of a BIA depends on the level of management involvement in both the oversight and governance of the BIA, as well as on management’s commitment to the project.[99] For the purposes of this report, oversight is defined as the management or supervision of the BIA process itself. Among the majority of the studied higher education institutions with documented information concerning BIA oversight processes, the governing body responsible for mandating the BIA and its processes appoints a BIA team from departmental personnel. It is this team that is then responsible for the actual organization, development, administration, timely completion, and analysis/assessment of the BIA, as well as for the reporting of the BIA results to upper management.[100] This oversight process does not appear to vary with institution size as measured by enrollment. Figure 5 reviews the individuals responsible for BIA oversight and their associated responsibilities for each of the institutions studied.

Figure 5: Oversight of Business Impact Analyses Performed in Institutions of Higher Education
Columns: Institution; Enrollment[101]; Individual(s) Responsible for BIA Oversight; BIA Oversight Responsibilities.

Virginia Community College System (enrollment 93,198)
Individual(s) Responsible for BIA Oversight: College Presidents and System Office Vice Chancellors conduct the BIA, and a Risk Assessment Coordinator is appointed to help oversee the process.[102]
BIA Oversight Responsibilities: Allocate resources to conduct a BIA and Risk Assessment. The Risk Assessment Coordinator coordinates the review of all business functions, but all are active in the BIA.[103]

Iowa State University (enrollment 26,160)
Individual(s) Responsible for BIA Oversight: Team Leader selected by management and a team with a minimum of three individuals.[104]
BIA Oversight Responsibilities: Assure risks are reviewed and addressed, updates are made to the initial report, and a process is in place for periodic BIA and Risk Assessment.[105]

[99] Iowa State University. “Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description.” Op. cit.
[100] Ibid.
[101] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[102] Virginia Community College System. “Technology Models: Business Impact Analysis.” Op. cit.
[103] Ibid.
[104] Iowa State University. “Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description.” Op. cit.
Figure 5 (continued): Oversight of Business Impact Analyses Performed in Institutions of Higher Education
Columns: Institution; Enrollment[101]; Individual(s) Responsible for BIA Oversight; BIA Oversight Responsibilities.

Pennsylvania State University (enrollment approx. 90,000[106])
Individual(s) Responsible for BIA Oversight: Management Planning team, which includes the BIA sponsor, recovery coordinator and two unit managers who are knowledgeable of the recovery planning process and manage the critical service on a daily basis.[107]
BIA Oversight Responsibilities: The sponsor must make decisions that can affect the organization, determine constraints and limitations for recovery planning, and ensure the project stays on focus. The Recovery Coordinator must be fluent in project management principles. The Unit Manager must manage the critical service on a daily basis.[108]

Texas A&M University (enrollment 46,542)
Individual(s) Responsible for BIA Oversight: A Business Continuity Coordinator is assigned within each department to coordinate the continuity plan, including the BIA, act as an inter-departmental liaison, and assemble a Departmental Continuity Committee.[109]
BIA Oversight Responsibilities: Act as a liaison between the emergency operations center and the departmental recovery team, coordinate the development of the departmental plan, and maintain pre-determined departmental decision-making authority. The Departmental Committee may seek faculty/staff representation and input on plan development and resource allocation.[110]

Michigan State University (enrollment 46,045)
Individual(s) Responsible for BIA Oversight: A BIA Coordinator/Project leader in conjunction with functional unit administrators such as chair persons, assistant directors, associate directors, department chairs or directors.[111]
BIA Oversight Responsibilities: Organize the BIA by setting the scope, objectives, assumptions, timetable and draft of the project plan; assigning task responsibilities; and obtaining the Dean’s approval. Conducts the BIA in conjunction with functional unit administrators.[112]

North Carolina State University (enrollment 31,802)
Individual(s) Responsible for BIA Oversight: Business Continuity and Disaster Recovery Oversight Committee composed of a cross section of academic and administrative leaders. Also included is a Cohort Coordinator.[113]
BIA Oversight Responsibilities: Review the annual work goals of the Department of Business Continuity, develop and review BIA and Risk Assessment Plans. The Cohort Coordinator ensures that each business unit within the cohort has completed the BIA or Risk Assessment and has developed a Business Continuity Plan.[114]

[105] Ibid.
[106] Pennsylvania State University. “Live: The University’s Official News Source.” Op. cit.
[107] Pennsylvania State University. “Administration Information Services: Recovery Planning Process.” Op. cit.
[108] Ibid.
[109] Texas A&M University. “University Risk and Compliance.” Op. cit.
[110] Ibid.
[111] Michigan State University. “Step by Step Guide for Disaster Recovery Planning for Michigan State University Units.” <http://www.drp.msu.edu/Documentation/StepbyStepGuide.htm>
[112] Ibid.
[113] North Carolina State University. “Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans.” Op. cit.
[114] Ibid.
University of Nebraska - Lincoln
  Enrollment: 22,973
  Responsible for BIA oversight: Individuals responsible for BIA oversight include a sponsor, project manager, management from the Information Services Executive Committee, and other stakeholders, including coordinators of Information Security Critical Services. The Project Team for the Disaster Mitigation Plan includes a communications and operations unit, an instructional technology group, and an enterprise information solutions component. [115]
  Oversight responsibilities: Must hold weekly meetings or more, with meeting minutes posted as IS intends. Responsible for completing the following deliverables: criteria to develop the list of critical services, the list of critical services, components and resources of critical services, redundancy of resources, and a mitigation plan for each critical service. [116]

Old Dominion University
  Enrollment: 22,287
  Responsible for BIA oversight: The Office of Computing and Communications Services. [117]
  Oversight responsibilities: Ensure the report is completed on time. Responsible for reporting the BIA to management. Must be able to use an understanding of university operations and of the department's interaction with central systems and operations to enhance the analysis. [118]

Stanford University
  Enrollment: 19,782
  Responsible for BIA oversight: IBM Consulting group. [119]
  Oversight responsibilities: N/A

Georgia Tech
  Enrollment: 18,742
  Responsible for BIA oversight: Departmental personnel are selected to become part of the BIA/Risk Assessment Team. [120]
  Oversight responsibilities: Responsible for the timely completion of the BIA and for reporting the BIA to management. Also responsible for assuring that risks are reviewed and addressed, that updates are made to the initial report, and that a process is in place for annual BIA performance. Responsible for forming a team to help with this maintenance process. [121]

[115] University of Nebraska - Lincoln. "Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity." Op. cit.
[116] Ibid.
[117] Old Dominion University. "Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description." Op. cit.
[118] Ibid.
[119] Stanford University. "Stanford University Emergency Management Program: Presentation to Stanford University Cabinet." Op. cit.
[120] Georgia Institute of Technology. "Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description." Op. cit.
[121] Ibid.
Baylor University
  Enrollment: 14,174
  Responsible for BIA oversight: Outside consulting group. [122]
  Oversight responsibilities: N/A

Longwood University
  Enrollment: 4,727
  Responsible for BIA oversight: Departmental Team Leaders, who are directed by the Information Security Office and provided with information and training sessions to aid in their BIA completion. [123]
  Oversight responsibilities: Follow the Information Security Office's instructions and format for the BIA; conduct and complete the BIA. The Team Leader may form teams that include departmental individuals to assist in the process. [124]

[122] Hanover Research Council contact with Baylor University, November 4, 2008.
[123] Longwood University. "Policy 6126: Business Impact Analysis/Risk Assessment Policy." Op. cit.
[124] Ibid.
Methodologies in Business Impact Analyses: Governance

As noted in the previous section of this report, management commitment and support for the BIA process is a crucial component in the successful completion of the analysis. [125] For the purposes of this report, we define the upper levels of management associated with the BIA process as those individuals whose duties relate to BIA governance: the policies, processes, mandates and decisions involved at the macro level of BIA performance in a higher education institution.

A review of the individuals and responsibilities involved in the governance process in higher education settings reveals that the institution's Business Continuity, Auditing, Information Security, or Risk Management Office (or an office with a similar function) is generally the governing body responsible for initiating a BIA. This body's responsibilities include mandating the performance of Business Impact Analyses, reviewing the BIA, and providing final approval for the BIA. In some cases, the governing body also selects the team of individuals responsible for overseeing and conducting the BIA.

The individuals involved in BIA governance and their associated responsibilities do not appear to vary by institution size as measured by enrollment. Figure 6 profiles the individuals responsible for BIA governance and their related responsibilities for twelve institutions of higher education.

[125] Iowa State University. "Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description." Op. cit.
Figure 6: Governance of Business Impact Analyses in Institutions of Higher Education
Columns: Institution; Enrollment [126]; Individual(s) Responsible for BIA Governance; BIA Governing Body Responsibilities.

Virginia Community College System
  Enrollment: 93,198
  Responsible for BIA governance: College Presidents and System Office Vice Chancellors. [127]
  Governing body responsibilities: Review all business functions; can initiate additional reviews to isolate specific business functions at the governing body's discretion. [128]

Pennsylvania State University
  Enrollment: approx. 90,000 [129]
  Responsible for BIA governance: Sponsor. [130]
  Governing body responsibilities: Must be able to make decisions that can affect the organization, determine constraints and limitations for organizational recovery planning, ensure the project stays on focus, and have an overall understanding of the organization and the recovery planning process. [131]

Texas A&M University
  Enrollment: 46,542
  Responsible for BIA governance: University Risk and Compliance Office. [132]
  Governing body responsibilities: Provides tools and resources for individuals who will complete or are completing BIAs and Risk Assessments. [133]

Michigan State University
  Enrollment: 46,045
  Responsible for BIA governance: Dean of the department [134] and the Client Advocacy Office. [135]
  Governing body responsibilities: The Dean must approve the BIA, [136] and the Client Advocacy Office coordinates the Disaster Recovery Planning Team. [137]

North Carolina State University
  Enrollment: 31,802
  Responsible for BIA governance: Department Head, Dean or Vice Chancellor signs off on final BIA approval. The Chancellor appoints the Business Continuity and Disaster Recovery Oversight Committee. [138]
  Governing body responsibilities: Reviews annual reports from the Committee; must approve and sign off on the BIA. [139]

[126] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[127] Virginia Community College System. "Technology Models: Business Impact Analysis." Op. cit.
[128] Ibid.
[129] Pennsylvania State University. "Live: The University's Official News Source." Op. cit.
[130] Pennsylvania State University. "Administration Information Services: Recovery Planning Process." Op. cit.
[131] Ibid.
[132] Texas A&M University. "University Risk and Compliance: Business Continuity Planning." <http://universityrisk.tamu.edu/BusinessContinuityTools.aspx>
[133] Ibid.
[134] Michigan State University. "Step by Step Guide for Disaster Recovery Planning for Michigan State University Units." Op. cit.
[135] Michigan State University. "Disaster Recovery Planning: About." <http://www.drp.msu.edu/about_the_site.htm>
[136] Michigan State University. "Step by Step Guide for Disaster Recovery Planning for Michigan State University Units." Op. cit.
[137] Michigan State University. "Disaster Recovery Planning: About." Op. cit.
[138] North Carolina State University. "Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans." Op. cit.
Iowa State University
  Enrollment: 26,160
  Responsible for BIA governance: IT Security and Policies Department and the Chief Information Officer. [140]
  Governing body responsibilities: Establishes policies to ensure the university has a secure information technology environment. The CIO receives the BIA report. [141]

University of Nebraska - Lincoln
  Enrollment: 22,973
  Responsible for BIA governance: Sponsor, Project Manager and the Information Services Executive Committee. [142]
  Governing body responsibilities: The sponsor must attend one-on-one monthly meetings with the Project Manager, and the Executive Committee must attend meetings quarterly. The Project Manager must prepare an initial draft of the statement of work and communications plan for the BIA/Risk Assessment and submit the plan to stakeholders for their review. [143]

Old Dominion University
  Enrollment: 22,287
  Responsible for BIA governance: Office of Computing and Communications Services and the Commonwealth of Virginia SEC2001-01.1. [144]
  Governing body responsibilities: Required to mandate the performance of a BIA and a Risk Assessment at a minimum of every three years. [145]

Stanford University
  Enrollment: 19,782
  Responsible for BIA governance: University Emergency Management program. [146]
  Governing body responsibilities: Assessing the University's emergency management capabilities and initiating recovery planning activities, such as BIA performance, at its discretion. [147]

Georgia Tech
  Enrollment: 18,742
  Responsible for BIA governance: Department of Internal Audits. [148]
  Governing body responsibilities: Host annual information sessions and provide a point of contact for departments completing the BIA process. [149]

[139] Ibid.
[140] Iowa State University. "Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description." Op. cit.
[141] Ibid.
[142] University of Nebraska - Lincoln. "Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity." Op. cit.
[143] Ibid.
[144] Old Dominion University. "Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description." Op. cit.
[145] Ibid.
[146] Stanford University. "Stanford University Emergency Management Program: Presentation to Stanford University Cabinet." Op. cit.
[147] Ibid.
[148] Georgia Institute of Technology. "Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description." Op. cit.
[149] Ibid.
Baylor University
  Enrollment: 14,174
  Responsible for BIA governance: Risk Management Department. [150]
  Governing body responsibilities: Responsible for providing business continuity and risk management services. [151]

Longwood University
  Enrollment: 4,727
  Responsible for BIA governance: Chief Information Officer or designee; Vice Presidents of Colleges. [152]
  Governing body responsibilities: The CIO or designee may initiate a BIA on any entity/department throughout the University. Vice Presidents are responsible for the execution, development and implementation of business remediation programs. [153]

[150] Baylor University. "Risk Management: Crisis Management." <http://www.baylor.edu/risk_management/index.php?id=49706>
[151] Ibid.
[152] Longwood University. "Policy 6126: Business Impact Analysis/Risk Assessment Policy." Op. cit.
[153] Ibid.
Appendix

Links to BIA Templates

Northern Arizona University
  http://www4.nau.edu/comptr/docs/BCP%20Template.doc

The University of Arizona
  http://web.arizona.edu/~ccit/index.php?id=976

Texas A&M University
  http://universityrisk.tamu.edu/DataFiles/BC-Plan-Template.doc

The University of Texas, Austin
  http://security.utexas.edu/risk/planning/UT-Austin-BIA-Template.doc

Virginia Community College System
  Form 1: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM1.doc
  Form 2: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM2.doc
  Form 3: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM3.doc

New Jersey City University
  http://www.njcu.edu/assoc/njcuitma/documents/addendums/Sample_BIA_Report.pdf

Harvard University Beth Israel Deaconess Medical Center
  https://research.bidmc.harvard.edu/ost/download/Impact_Continuity.pdf

Michigan State University
  BIA Template: http://www.drp.msu.edu/Documentation/Step2sampleBIA.htm
  Critical System Ranking Form: http://www.drp.msu.edu/Documentation/Step2sampleCriticalSystemRanking.htm
Note

This brief was written to fulfill the specific request of an individual member of The Hanover Research Council. As such, it may not satisfy the needs of all members. We encourage any and all members who have additional questions about this topic, or any other, to contact us.

Caveat

The publisher and authors have used their best efforts in preparing this brief. The publisher and authors make no representations or warranties with respect to the accuracy or completeness of the contents of this brief and specifically disclaim any implied warranties of fitness for a particular purpose. There are no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or extended by representatives of The Hanover Research Council or its marketing materials. The accuracy and completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice and strategies contained herein may not be suitable for every member. Neither the publisher nor the authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Moreover, The Hanover Research Council is not engaged in rendering legal, accounting, or other professional services. Members requiring such services are advised to consult an appropriate professional.

© 2008 The Hanover Research Council