Hanover Research, November 2008

Business Impact Analyses in Higher Education: An Outline of Methodologies

In the following report, The Hanover Research Council reviews the performance of Business Impact Analyses (BIAs) in institutions of higher education along with some government agencies.

© 2008 The Hanover Research Council

Introduction

In the following pages, The Hanover Research Council provides background on the development and use of Business Impact Analyses (BIA) in institutions of higher education, governmental auditing agencies, and the Information Technology industry. The methodologies and framework of BIA performance in a higher education setting, including scope, framework, approach, oversight, and governance, are then reviewed in more detail. Information concerning BIA performance at the institutions studied in this report indicates that higher education institutions, regardless of enrollment size, follow BIA methodologies and frameworks that are similar to each other and to those recommended in best practice and industry literature.

The report is organized as follows:

- Section One: Business Impact Analyses (BIA) Defined: In this section, we define BIAs, including the process, usage and importance of this type of analysis in business continuity and recovery planning for institutions of higher education, governmental agencies, and private business.
- Section Two: Methodologies of Business Impact Analyses: Initial Development: In this section, we review best practice literature concerning the development and planning phases of Business Impact Analyses, with particular emphasis on the process of development and planning for data collection. Also reviewed are industry recommendations concerning the development of the BIA questionnaire and suggested components of the questionnaire.
- Section Three: Methodologies of Business Impact Analyses: Scope: In this section, we analyze the scope, purpose and any additional information concerning BIA performance in 14 institutions of higher education to determine common methodologies and best practices for BIA performance in higher education.
- Section Four: Methodologies of Business Impact Analyses: Framework: In this section, we review best practice literature and information concerning the BIA frameworks used in institutions of higher education and governmental agencies. BIA framework is discussed as a set of three major components: (1) Plan development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals.
- Section Five: Methodologies of Business Impact Analyses: Approach: In this section, we review best practice literature and the various approaches used in BIA performance in higher education settings to determine common approaches used in successful Business Impact Analyses.
- Section Six: Methodologies of Business Impact Analyses: Oversight: In this section, we review best practice literature and the individuals involved in overseeing the BIA performance and their associated responsibilities to determine commonalities and best practices in the oversight of Business Impact Analyses.
- Section Seven: Methodologies of Business Impact Analyses: Governance: In this section, we review the literature about the individuals involved in BIA governance and their associated responsibilities to determine commonalities and best practices in the governance process associated with Business Impact Analyses.
- Section Eight: Appendix: The Appendix includes links to sample BIA templates from a variety of institutions of higher education profiled in this report.

Business Impact Analyses (BIA) Defined

As a part of the foundation of all business continuity planning,[1] a Business Impact Analysis (BIA) identifies the operational (qualitative) and financial (quantitative) impact of an inoperable or inaccessible core process on a College's/Department's ability to conduct its critical business processes.[2] The BIA's analysis of the effect of different external and internal impacts on various components of an organization, with particular emphasis on the effect of negative impacts on critical business and Information Technology (IT) processes,[3] makes it an important tool that enables organizations to respond to and recover effectively and efficiently from a disruption to business.[4] Additionally, a BIA provides management with essential information, including the identification of the most critical/time-sensitive business departments; the most critical resources required by each department; the necessary availability of these resources; alternative business locations in the case of an unplanned disruption to work; and the reasons for the recovery of critical departments and resources.[5]

The analysis's identification of critical resources, functions or processes for a business is related to the BIA's ability to identify high availability services, defined as those critical resources, functions or processes whose negative operational impact as a result of a disruption to the service can be mitigated through the use of process or resource redundancy.[6]

The compilation of this information provides organizations with an analytic and economic basis for risk-based decision making and resource allocation that is separate from risk analysis. While risk analyses identify the most probable threats to an organization and analyze the related vulnerabilities of the organization to those threats,[7] Business Impact Analyses involve the identification of critical business units, the quantitative costs (such as cash flow, replacement of equipment, salaries paid to catch up with work backlog, and loss of profits) as well as the qualitative costs (such as impacts on safety, marketing, legal compliance, quality assurance and public image) that arise in the event of a disruption.[8]

The process of the BIA usually involves five steps:[9]
1. Project planning
2. Data gathering
3. Data analysis
4. Documentation of the findings
5. Management review and sign-off

While the management of a BIA may be completed either intra-organizationally or by an outside consulting agency, the key benefits derived from the performance of a BIA are uniform across industries, organizations and departments. A BIA is an essential piece of an organization's:
- Understanding of the financial and intangible impacts of a disruption to business;
- Ability to review processes critical to the organization;
- Identification of vital resources and high availability services; and
- Development of business recovery/continuity strategies.[10]

[1] The University of Arizona. University Information Technology Services: Business Impact Analysis.
[2] Northern Arizona University. Comptroller's Office: NAU Business Continuity and Disaster Recovery.
[3] Global Information Assurance Certification (GIAC). Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP): Business Impact Analysis.
[4] The University of Arizona. University Information Technology Services: Business Impact Analysis. Op. cit.
[5] Connecticut Community Colleges. SunGard Availability Services: Business Impact Analysis (BIA).
[6] Stanford University. Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements.
[7] Texas State Office of Risk Management. Business Continuity Impact Analysis.
[8] SearchStorage.com. Definitions: What is business impact analysis? A definition from Whatis.com.
[9] Global Information Assurance Certification (GIAC). Op. cit.
[10] Ibid.

Methodologies of Business Impact Analyses: Initial Development

The development and planning phase that occurs prior to the performance of a BIA is particularly important given the high degree of inter- and intra-organization communication and cooperation that is needed during the BIA process.

Best practice literature concerning BIA performance recommends that the professional(s) responsible for the establishment of the BIA process and methodology, coordination and planning of data collection and analyses, and preparation and presentation of the BIA to management should be able to implement the following components of BIA development and planning during the initial phase of the BIA:[11]

Establish the Business Impact Analysis Process and Methodology

1. Identify and obtain a sponsor for the Business Impact Analysis (BIA) activity
2. Define objectives and scope for the BIA process
3. Identify, define and obtain management approval for criticality criteria
   a. Recommend and obtain agreement as to how potential financial and non-financial impact can be quantified and evaluated
   b. Identify and obtain agreement on requirements for non-quantifiable impact information
   c. Establish definition and criticality scale (e.g., high, medium, low)
   d. Negotiate with management for acceptance of criticality scale
4. Choose an appropriate BIA planning methodology/tool
   a. Develop questionnaire and instructions as required
   b. Determine data analysis methods (manual or computer)
   c. Data collection via questionnaires
      i. Understand the need for appropriate design and distribution of questionnaires, including explanation of purpose, to participating departmental managers and staff
      ii. Manage project kick-off meetings to distribute and explain the questionnaire
      iii. Support respondents during completion of questionnaires
      iv. Review completed questionnaires and identify those requiring follow-up interviews
      v. Conduct follow-up discussions when clarification and/or additional data is required
   d. Data collection via interviews only
      i. Provide consistency with the structure of each interview being predefined and following a common format
      ii. Ensure the base information to be collected at each interview is predefined
      iii. Enable interviewee to review and verify all data gathered
      iv. Schedule follow-up interviews if initial analysis shows a need to clarify and/or add to the data already provided
   e. Data collection via workshop
      i. Set a clear agenda and set of objectives
      ii. Identify the appropriate level of workshop participants and obtain agreement from management
      iii. Choose appropriate venue, evaluating location, facilities and participant availability
      iv. Facilitate and lead the workshop
      v. Ensure workshop objectives are met
      vi. Ensure all outstanding issues at the end of the workshop are identified and appropriate follow-up conducted
5. Determine report format, content and obtain management approval for next steps
6. Obtain agreement from management on final time schedule and initiate the BIA process

Plan and Coordinate Data Gathering and Analysis

1. Identify all Organization Functions
   a. Collect and review existing organizational charts
   b. Identify the major areas of the organization
2. Identify and Train Knowledgeable Functional Management Representatives
   a. Identify specific individuals to represent in the collection process
   b. Inform the selected individuals of the BIA process and its purpose
   c. Identify training requirements and establish a training schedule and undertake training as appropriate

As can be seen from the steps outlined above, best practice literature concerning BIA development focuses on the need for communications between the individuals/department responsible for administering the BIA and the individuals/departments from which BIA data are collected.[12] Additionally, it is important that a sponsor from within the upper management ranks of the organization is identified prior to data collection in order to increase inter-departmental cooperation with the data collection process and to approve the BIA so that subsequent steps of the business continuity management process may be completed.[13]

A crucial component of this initial development phase is the creation of a BIA questionnaire that will be able to effectively identify critical processes and resources for the organization. Literature recommends that the BIA questionnaire include the following elements:[14]

- Function Description: Includes a brief description of the function being performed by the department/individual.
- Dependencies: Includes a description of the dependencies of the function being performed, including components and processes necessary for function performance.
- Impact Profile: Determines if there is a specific time or period of time in which the described function would be more vulnerable to risk/exposure or in which the impact to business would be greater.
- Operational Impacts: Determines the operational impact of a disruption to the function and the time at which the operational impact of a disruption would be felt.
- Financial Impacts: Determines the financial impact of a disruption to the function and the time at which the financial impact of a disruption would be felt.
- Work backlog: Determines the time at which the backlog of work as a result of a disruption will begin to impact business processes.

[11] The following information is quoted verbatim from: The Institute for Continuity Management. Business Impact Analysis.
- Recovery Resources: Determines the resources needed to support the function, including quantity of resources and the point at which they are needed after a disruption.
- Technology Resources: Determines the software/applications necessary to support the business function. This includes the need for standalone PCs or workstations and local area networks (LAN) to function.
- Work-around procedures: Determines the availability of manual workaround procedures in place that would enable continued performance after a disruption to the function.
- Work-at-home: Determines the ability of employees to perform the function at home.
- Workload shifting: Determines the options for shifting workload to another part of the organization to minimize the impact of a disruption.
- Business records: Determines the business records needed to perform the function and the frequency at which records are saved and/or replicated.
- Regulatory reporting: Determines what regulatory documents are created as a result of the function.
- Work inflows: Determines the internal or external inputs necessary to perform the function.
- Business disruption experience: Determines if previous disruptions to business have occurred.
- Competitive Analysis: Determines if a competitive impact would occur as a result of a disruption to the function, and if so, the time of impact and potential customer loss.
- Other issues: Determines if there are other issues relevant to the success of function performance.

These elements of the BIA questionnaire are used to identify the effects of disruptions and assess the impact of these effects. The identified effects of disruptions may include the loss of key personnel and physical, informational, financial and intangible assets, the resulting discontinuity of service and operations, and any resulting violations of law/regulation and the effect on public perception. Questions should also identify the financial and business impact as well as quantitative (including property loss, revenue loss, fines, cash flow, accounts receivable/payable, legal liability, human resources, additional expenses) and qualitative (human resources, morale, stakeholder confidence, legal, social and corporate image, financial community credibility) impacts. The accumulation of this information can help to inform recovery objectives and identify vital resources or processes for the organization.[15]

The following sections of this report provide a detailed review of the scope, approach, framework, oversight and governance of BIA implementation and performance. The analysis of BIA methodologies in higher education settings includes a review of BIA process and performance at individual institutions that is supplemented with best practice literature from industry experts. In order to provide a diverse cross-section for analysis and determine if BIA methodologies vary with institution size, the institutions profiled in this report vary in size as measured by enrollment (from 93,198 students enrolled in the Virginia Community College System to 4,727 students enrolled in Longwood University).

[12] Ibid.
[13] Ibid.
[14] Texas State Office of Risk Management. Business Continuity Impact Analysis. Op. cit.
[15] The Institute for Continuity Management. Business Impact Analysis. Op. cit.

Methodologies of Business Impact Analyses: Scope

The Hanover Research Council's review of the scope of Business Impact Analyses performed by various institutions of higher education, including the Virginia Community College System, Pennsylvania State University, University of Texas at Austin, Texas A&M University, Michigan State University, Connecticut Community College System, University of Arizona, North Carolina State University, University of Nebraska Lincoln, Old Dominion University, Northern Arizona University, Stanford University, Georgia Institute of Technology, and Longwood University, revealed that the majority of BIAs performed in an educational setting took place on a departmental level, and that Information Technology departments were particularly likely to undergo a BIA. While at many higher education institutions multiple departments performed BIAs at the same time, the primary level of BIA administration and analysis was within individual departments rather than throughout the institution. The size of the institution did not appear to affect the scope or purpose of the BIA at any of the institutions profiled. Figure 1 below reviews the detailed scope of each institution's BIA.

Three of the institutions featured below, Virginia Community College System, Old Dominion University, and Longwood University, are located in Virginia and are required by law to perform a routine BIA to (1) define minimum requirements for the agency's/organization's/institution's information technology security program, (2) promote secure communications and protect information resources, and (3) facilitate the alignment and adaptation of security technology to the needs of business and Virginia.[16]

Discontinuities between a few of the institutions profiled below and the institutions profiled in other sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report (scope, framework, approach, oversight, and governance) concerning BIA performance. Despite this lack of data, this report attempts to achieve as much overlap as possible concerning the institutions profiled and reviewed for best practice BIA methodologies.

[16] Commonwealth of Virginia. Information Technology Resource Management Standard: Information Technology Security Standard. Pg. 1.

Figure 1: Scope of Business Impact Analyses Performed in Institutions of Higher Education

(Columns of the original table: Institution; Enrollment[17]; Participating Units; Purpose; Additional Information. Each institution is listed below with its column values.)

Virginia Community College (VCC) System
  Enrollment: 93,198[18]
  Participating Units: Covers all System Office, VCC Utility and Virginia Community College business processes and supporting applications; however,[19] analysis takes place
  Purpose: To identify critical business functions associated with the organizational units participating in the BIA in order to comply with Virginia's COV ITRM Standard SEC2001-01.1.[20][21]
  Additional Information: For more information on Virginia's COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions' information technology resources, please see:

Pennsylvania State University
  Enrollment: Approx. 90,000[22]
  Participating Units: Piloted in 2005 in the Academic Services and Emerging Technologies Dept., the Consulting and Support Services Dept., the Digital Library Technologies Dept., the Teaching and Learning with Technology Dept., and the Telecommunications and Networking Services Dept.[23]
  Purpose: Develop the necessary training and tools to assist with disaster recovery efforts.[24]
  Additional Information: N/A

University of Texas at Austin
  Enrollment: 50,170
  Participating Units: All University departments.[25]
  Purpose: Identify critical processes within an organization to determine the impact of a disruption to business and create ways to work around disruptions to processes.[26]
  Additional Information: N/A

Texas A&M University
  Enrollment: 46,542
  Participating Units: Has a university-wide risk management and business continuity plan in place that includes a BIA component.[27]
  Purpose: Identify events that may affect the organization and manage risks in order to aid business continuity and recovery objectives.[28]
  Additional Information: Texas A&M includes the BIA process as part of its Enterprise Risk Management program, an emerging model at institutions of higher education where risk management is integrated and coordinated across the university as a whole.[29]

Michigan State University
  Enrollment: 46,045
  Participating Units: BIA conducted at University-Unit level.[30]
  Purpose: Identify and prioritize critical systems. Use the information recovered from the BIA, such as the identification of common elements of plausible disruptions that might disrupt critical units, the anticipation of the impact of these disruptions, and the development of contingent responses for a timely recovery, to form a Unit Disaster Recovery Planning Project.[31]
  Additional Information: N/A

Connecticut Community College System
  Enrollment: 43,335[32]
  Participating Units: All Academic departments, Student Records department, Financial Aid departments, Finance/Budget business units, Human Resources departments, Legal departments, Libraries, and Institutional Departments, as well as all Information Technology networks and applications.[33]
  Purpose: Determine recovery objectives for critical business units based upon the business impact of units.[34]
  Additional Information: N/A

University of Arizona
  Enrollment: 37,217
  Participating Units: All University departments.[35]
  Purpose: Enable the University to prepare for and respond to disruptions through the identification of priorities, strategies, and solutions for managing continuity/recovery.[36]
  Additional Information: N/A

North Carolina State University
  Enrollment: 31,802
  Participating Units: 30 business units at the University participated, including Administrative Services, Budget Office, Controller's Office, and Enrollment Management Services.[37]
  Purpose: For each business unit, identify university functions, functional area representatives, criticality criteria, RTOs, and RPOs, as well as present criticality criteria to an oversight committee.[38]
  Additional Information: N/A

University of Nebraska - Lincoln
  Enrollment: 22,973
  Participating Units: Critical services provided by Information Security (IS) to support the technology of the University. No systems external to IS are covered.[39]
  Purpose: Identify and prioritize critical services supported by IS and work with the coordinators of the services to review or develop a plan for each service to minimize the negative effects in the event of a disaster.[40]
  Additional Information: N/A

Old Dominion University
  Enrollment: 22,287
  Participating Units: University-wide administration.[41]
  Purpose: Identify assets and associated risks within the University, determine the importance of these assets and identify safeguards in compliance with Virginia's COV ITRM Standard SEC2001-01.1.
  Additional Information: For more information on Virginia's COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions' information technology resources, please see:

Stanford University
  Enrollment: 19,782
  Participating Units: Focus on University financial systems.[42]
  Purpose: Determine vulnerabilities and dependencies between core business processes to assist in the development of response and recovery plans.[43]
  Additional Information: Stanford has already undergone a BIA of its financial systems conducted by IBM; however, the University believes that there is need for a larger scope to address other systems necessary to operations.[44]

Northern Arizona University
  Enrollment: 21,347
  Participating Units: All NAU College campuses and departments.[45]
  Purpose: To identify core business processes and to establish risk management and disaster recovery planning processes to respond to business disruptions and risks associated with the University's loss of its ability to execute core processes.[46]
  Additional Information: Departments identified as relevant for risk assessments: Academic Departments (which collect financial data during payment of fees for affiliated programs), Accounts Payable, Admissions, Alumni, Aquatic Center, Athletics (including Summer Sports Camps), Bookstore, Central Ticket Office, Library, Dental Hygiene, Dining Services, Distributed Learning, Financial Aid Office, Health Center, High Altitude Sports Training Complex, IT Services, Inn at NAU, Mountain Campus Card Office, Office of the Bursar, Parking Services, Performing Arts (including Summer Music Camps), Postal Services, Property Administration, Purchasing Services, Recreation Center, Registrar's Office, Residence Life, Skydome, Transportation Services, and University Advancement.[47]

Georgia Tech
  Enrollment: 18,742
  Participating Units: All academic and administrative units, including Human Resources and Information Technology.[48]
  Purpose: Enable all units to be able to uniformly assess and develop strategies for identification, assessment and mitigation of risks to Information Systems and to comply with regulatory requirements.[49]
  Additional Information: N/A

[17] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[18] Enrollment figure represents the Annualized FTE Enrollment, 2005-06. Figure from: The Virginia Community College System. Virginia Community College System Enrollment Report. Pg. 1.
[19] Virginia Community College System. Technology Models: Business Impact Analysis.
[20] Texas A&M University. University Risk and Compliance: University-Wide Risk Management.
[21] Virginia Community College System. Technology Models: Business Impact Analysis. Op. cit.
[22] Pennsylvania State University. Live: The University's Official News Source.
[23] Pennsylvania State University. Administrative Information Services Online Newsletter: November 2005.
[24] Ibid.
[25] University of Texas at Austin. Information Security Office: Risk Management Services Disaster Recovery Planning Instructions and Templates.
[26] Ibid.
[27] Texas A&M University. University Risk and Compliance: University-Wide Risk Management.
[28] Ibid.
[29] Ibid.
[30] Michigan State University. Michigan State University Unit Guide to Disaster Recovery Planning Overview.
[31] Ibid.
[32] Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. Spring 2004 Credit Enrollment Report, February 23, 2004. Pg. 4.
[33] Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges.
[34] Ibid.
[35] The University of Arizona. University Information Technology Services: Business Impact Analysis. Op. cit.
[36] Ibid.
[37] For a complete listing of participating business units, please see: North Carolina State University. BIA: OIT Organizational Resilience.
[38] Ibid.
[39] University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity.
[40] Ibid.
[41] Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description.
[42] Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet.
[43] Ibid.
[44] Ibid.
[45] Northern Arizona University. NAU Business Continuity and Disaster Recovery Site.
[46] Ibid.
[47] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110: Information Security Plan for Northern Arizona University.
[48] Georgia Institute of Technology. Welcome to the Georgia Tech Risk Self Assessment Program. Business Analysis IT Risk Document.
[49] Ibid.

Longwood University
  Enrollment: 4,727
  Participating Units: University-wide administration.[50]
  Purpose: Identify assets and associated risks within the University, determine the importance of these assets and identify safeguards in compliance with Virginia's COV ITRM Standard SEC2001-01.1.[51]
  Additional Information: For more information on Virginia's COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions' information technology resources, please see:

[50] Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy.
[51] Ibid.

Methodologies in Business Impact Analyses: Framework

While the identification of critical resources is no easy task, the development of an appropriate framework for the organization's BIA is a critical component of the successful completion of the analysis.[52] A review of higher education institutions and government agencies reveals that although criticality definitions and assets vary among organizations, the general framework of Business Impact Analyses tends to be relatively uniform. For purposes of discussion, we have separated the BIA framework into three major components: (1) Plan development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals.

Plan Development

Plan development is the first step towards successful BIA completion, and reports from Iowa State University, Old Dominion University and Georgia Tech assert that the most important component of plan development is the commitment and involvement of management in the BIA process.[53] Support from management enhances departmental-level cooperation with the BIA and increases compliance with and completion of the BIA process, in part due to the selection of Team Leaders and members who are able to effectively perform the needed tasks for BIA completion.
[54] The specific positions of individuals involved in the BIA process and their responsibilities are discussed in later sections of this report, but a review of plan development across institutions reveals that the individuals assigned to perform the BIA tend to work within the unit/department in which the BIA is being performed and are highly knowledgeable of the department.[55] Please see the Oversight and Governance sections of this report for a detailed review of the individuals and responsibilities involved in the BIA process in institutions of higher education. The plan development phase requires a high degree of inter- and intra-departmental communication as the BIA questionnaire is developed, timetables for completion are established, and workshop/training sessions are hosted to inform all faculty and staff of the BIA process and goals.[56]

Assessment and Analysis Processes

The next components of the BIA framework are the assessment and analysis processes, which begin with a determination of what will be assessed by the BIA.

[52] The Institute for Continuity Management. Business Impact Analysis. Op. cit.
[53] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op. cit.; Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op. cit.; and Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description. Op. cit.
[54] Ibid.
[55] Pennsylvania State University. Administration Information Services: Recovery Planning Process.

Because the "what" of the BIA assessment is the set of critical business functions/processes relative to the department's mission, it tends to vary by organization and within departments.[57] While this process may include the development of criteria to guide the creation of a list of critical services,[58] a list of all business activities (including academic activities, accounting activities, budget and planning activities, etc.),[59] or the determination of the core processes performed by each College or department and the flow of information, materials, and services through these core processes,[60] there are many commonalities among these assessments. Shared characteristics of BIA assessment categories include their importance to the functioning of the business and the threat to business operations if these critical services/activities/functions/resources are disturbed. Some institutions also include a risk assessment component in the BIA, which often involves the identification and evaluation of scenarios, risks, and internal and external threats, as well as the impact of these activities on the critical services/activities/functions/resources.[61]

In order to help departments obtain a basic understanding of their critical business processes, some higher education institutions provide Business Analysis Checklists for departments in the process of BIA performance. Checklists may include the purpose, overview and objective of the BIA, as well as questions meant to determine the exact function of the business process, the time period the process can function without information technology support, and any impacts associated with disruption to the process.[62] To view an example of one of these checklists, please follow the link provided by the University of Arizona: BIA Checklist.

Business processes must undergo an analysis process in which the criticality and importance of the processes are defined and the processes are prioritized or ranked. The level of detail of these definitions and criteria varies widely among institutions, although the definition of "critical" is generally accepted to encompass those functions which have a direct and immediate effect on the general campus community.[63] Functions are defined as "essential" by multiple higher education institutions if the department could continue operations after a disruption to the function for days or even a week, but eventually would need the function again, and are defined as "normal" if the department can continue operations without the function for an extended period of time.[64] Many institutions also consider extent of impact, costs of a failure, publicity, legal and ethical issues, and regulatory concerns in their determination of criticality criteria and definitions.[65]

While some higher education institutions, like the Virginia Community College System, use a relatively simple ranking scale that rates the importance of business activities on a scale of one to three, one being the most important and three being the least important,[66] other institutions use more detailed ranking scales.

[56] Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. Op.cit.
[57] Texas A&M University. University Risk and Compliance: University-Wide Risk Management URC Business Continuity Checklist. <http://universityrisk.tamu.edu/DataFiles/BC-Checklist.doc>
[58] University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit.
[59] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[60] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110. Op.cit.
[61] Texas A&M University. University Risk and Compliance: University-Wide Risk Management. Op.cit.
The University of Arizona, for example, provides a scale that ranks critical functions on a scale of one to five, and criticality is denoted based on the extent of the time period between a disruption to the function and the point at which business processes will be impacted if the function is not resumed (in this case, the University of Arizona defines the most critical functions as those in which only 24 hours may pass before the function needs to be resumed).[67] Iowa State University uses similar criteria to determine criticality by dividing impact rankings into high (cannot operate without the resource even for a short period of time), medium (could work around the loss of the resource for a few days or a week), and low (could operate without the resource for an extended period of time).[68] The University of Texas also includes impact in its ranking criteria, defining resource importance through the following four impact levels:[69]

N: None. There is no impact on any work function. An example would be a process that runs only intermittently; normal function would continue until the next interval that process is scheduled to run.

M: Moderate. The failure of the process results in minor or moderate disruption to the function of the department itself or to another department with a downstream dependency.

S: Severe. The failure of the process results in the department or another department with a downstream dependency being unable to function.

C: Catastrophic. The failure of the process results in a disruption of the university's daily functioning.

It is also possible to incorporate recovery time objectives into criticality definitions, as shown in the figure provided by the Global Information Assurance Certification organization (GIAC).

Figure 2: Criticality Levels Defined in Relation to Recovery Objectives and Method
Columns: Criticality Level; Recovery Objective; Possible Recovery Method.

Level 1: The business process must be available during all business hours. | < 2 hours | Data replication
Level 2: Indicates that the business function can survive without normal business processes for a limited amount of time. | 2 hours to 24 hours | Data shadowing
Level 3: The business function can survive for one to three days with a data loss of one day. | 24 to 72 hours | Tape recovery at an offsite facility
Level 4: Business unit can survive without the business function for an extended period of time. | 72 hours plus | Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility

Table provided by The Global Information Assurance Certification. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP).

The BIA framework shown above, where recovery time is included in the ranking analysis, is called a high availability analysis framework.[70] This type of framework allows the organization to define service level agreements in terms of high availability for the critical functions and processes defined in the BIA.

[62] The University of Arizona. Business Analysis Checklist; and Texas A&M University. University Risk and Compliance, Op.cit.
[63] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110, Op.cit.
[64] See footnote 53.
[65] Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
[66] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[67] University of Arizona. Critical Functions Assessment Survey.
[68] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
[69] Impact levels are quoted verbatim from: The University of Texas at Austin. Information Security Office: Business Impact Analysis Instructions.
Information from the BIA is then used to identify critical business functions/processes, and then to determine the appropriate amount of redundancy for these functions/processes to improve recovery time.[71] The following shows an example of Stanford University's Oracle database categorization and ranking system for high availability services:[72]

Tier 1: Includes business processes with a maximum impact and the most stringent high availability requirements. The Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are often close to zero, and these processes require almost continuous supporting services.

Tier 2: Includes business processes with fewer high availability requirements and longer RTO and RPO times.

Tier 3: Includes business processes related to internal development and quality assurance that do not have rigorous high availability requirements.

The high availability framework is similar to other BIA frameworks, differing only in its categorization of some services as high availability based on recovery time objectives, but using otherwise similar criticality criteria and ranking systems to determine the importance and impact of business processes to inform business recovery and continuity plans.

Business Impact Analyses conducted at government agencies generally follow the same procedures and processes as those conducted in higher education settings, but the literature showed that government agencies use slightly different criteria to define the criticality level of functions. For example, both the Federal Emergency Management Agency and the National Institute of Standards and Technology recommendations define the adverse impact of an event in terms of loss or degradation of the security goals of integrity, availability and confidentiality.[73] In these types of analyses, vulnerability and magnitude of impact are ranked on three levels, high, medium, and low, as in many higher education settings. The difference is that the three ranking levels are defined by the government agencies in terms of the asset's vulnerability and the resulting levels of quantitative and qualitative costs to the organization.[74]

Although not strictly part of a BIA, some institutions include risk assessment in the BIA critical services/activities/functions/resources prioritization process. This includes ranking the risks or threats associated with critical services/activities/functions/resources by the probability of occurrence and then aligning this information with impact levels to help prioritize critical functions in terms of risk. Provided below is an example of this alignment of risk and impact level: each cell multiplies the threat likelihood weight by the impact magnitude, and the resulting score is banded on the risk scale given under the matrix.

Figure 3: Risk-Level Matrix

Threat Likelihood    Impact: Low (10)          Medium (50)               High (100)
High (1.0)           10 x 1.0 = 10  (Low)      50 x 1.0 = 50  (Medium)   100 x 1.0 = 100 (High)
Medium (0.5)         10 x 0.5 = 5   (Low)      50 x 0.5 = 25  (Medium)   100 x 0.5 = 50  (Medium)
Low (0.1)            10 x 0.1 = 1   (Low)      50 x 0.1 = 5   (Low)      100 x 0.1 = 10  (Low)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

Figure from: Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. Table 3-6. Risk-Level Matrix. National Institute of Standards and Technology.

[70] Stanford University. Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements. Op.cit.
[71] Ibid.
[72] Ibid.
[73] Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology; and Federal Emergency Management Agency. Emergency Management Guide for Business and Industry: A Step-by-Step Approach to Emergency Planning, Response and Recovery for Companies of All Sizes. October 1993.
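The arithmetic behind Figure 3, as an added example that is not code from the Hanover report or from NIST (the matrix is Table 3-6 of NIST SP 800-30): it reproduces the likelihood weights, impact magnitudes and risk bands of the matrix, then applies them to a constructed list of threats against critical functions to produce the ranking the paragraph above describes. The function names and threat scenarios are constructed for illustration.

```python
"""Risk-level matrix arithmetic from Figure 3 (NIST SP 800-30, Table 3-6).

Added example, not code from the Hanover report or from NIST. It reproduces the
likelihood weights, impact magnitudes and risk bands of the matrix and uses them
to rank a constructed list of threats against critical functions.
"""

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}  # Figure 3 row weights
IMPACT = {"high": 100, "medium": 50, "low": 10}        # Figure 3 column magnitudes


def risk_score(likelihood, impact):
    """Likelihood weight times impact magnitude, e.g. medium x high = 0.5 x 100 = 50."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use high, medium or low") from exc


def risk_level(score):
    """Band a score on the Figure 3 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if 50 < score <= 100:
        return "High"
    if 10 < score <= 50:
        return "Medium"
    if 1 <= score <= 10:
        return "Low"
    raise ValueError(f"score {score} lies outside the 1 to 100 scale")


def risk_matrix():
    """Rebuild Figure 3 as {likelihood: {impact: (score, band)}}."""
    return {
        lk: {im: (risk_score(lk, im), risk_level(risk_score(lk, im))) for im in IMPACT}
        for lk in LIKELIHOOD
    }


# Constructed sample: (critical function, threat, likelihood rating, impact rating).
SAMPLE_THREATS = [
    ("student records database", "ransomware on the file servers", "medium", "high"),
    ("payroll", "loss of campus power for a day", "low", "high"),
    ("course registration", "web application outage in registration week", "high", "medium"),
    ("alumni newsletter", "mail service disruption", "medium", "low"),
]


def rank_threats(threats):
    """Rows of (function, threat, score, band), highest risk first; ties break by name."""
    ranked = []
    for function, threat, likelihood, impact in threats:
        score = risk_score(likelihood, impact)
        ranked.append((function, threat, score, risk_level(score)))
    ranked.sort(key=lambda row: (-row[2], row[0], row[1]))
    return ranked


if __name__ == "__main__":
    for lk, cells in risk_matrix().items():
        print(f"{lk:>6} likelihood:", "  ".join(f"{im}={score:g} ({band})" for im, (score, band) in cells.items()))
    for function, threat, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{band:6} {score:5g}  {function}: {threat}")
```

The 1.0/0.5/0.1 and 100/50/10 values are ordinal labels that the NIST table multiplies for convenience, so the band rather than the raw product carries the meaning and the code returns both. Two different cells can tie (medium likelihood against high impact and high likelihood against medium impact both score 50 and both land in Medium), and the ranking then orders them by name only, which is the point at which the matrix stops prioritizing and the institution has to decide.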
[74] Stoneburner, Goguen, and Feringa, Op.cit.

Outcomes and End Goals

While the identification of critical business functions and processes to the institution's or department's mission is the primary goal of the impact analysis, most higher education institutions and government agencies use the BIA and the information obtained therein to inform a broader business recovery and continuity plan. Information concerning critical processes and the time period for which these processes can continue operations after a disruption to business was used as part of the disaster mitigation and business recovery plan at the majority of the institutions surveyed, including Texas A&M University, the University of Nebraska Lincoln, the Connecticut Community College System, Northern Arizona University, the University of Arizona, the University of Texas at Austin, Michigan State University, Georgia Institute of Technology, Pennsylvania State University, and Iowa State University.

Specific outcomes desired from the BIA include the determination of cross-dependencies among departments within an organization, including the ability to define dependencies as upstream (external processes that the process relies upon) and downstream (external processes that rely on the process and will be affected by its failure).[75] Recovery Time Objectives, or the desired amount of time it should take to restore a service, and Recovery Point Objectives, or the maximum amount of data the organization can lose before a negative impact is felt, are also included as goal outcomes of the BIA.[76]

[75] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110, Op.cit.
[76] Ibid.; The Global Information Assurance Certification, Op.cit.; and North Carolina State University. Policies, Regulations & Rules: Developing Business Continuity and Disaster Recovery Plans.
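The criticality bands of Figure 2 and the upstream/downstream dependency outcome described in this section, combined in one added example that is not code from the report, from GIAC, or from any institution the report profiles. It assumes a small constructed inventory of campus functions with stated RTOs and upstream dependencies, and it generalizes the text in one respect: a function's effective RTO is taken as the minimum of its own RTO and the effective RTOs of everything downstream of it, because an upstream process has to be restored no later than its fastest-recovering dependent. That propagation rule and the inclusive treatment of Figure 2's boundaries (exactly 24 hours falls in Level 2) are this example's assumptions, not statements from the page.

```python
"""Prioritising critical functions by recovery time objective and dependencies.

Added example: not code from the Hanover report, GIAC, or any institution the
report profiles. It combines the criticality bands of Figure 2 with the
upstream/downstream dependency outcome described in the Outcomes section.
Assumption: an upstream process must be recoverable at least as fast as the
fastest-recovering function that depends on it, so the effective RTO is the
minimum over a function's own RTO and its downstream dependents' effective RTOs.
"""
from collections import deque

# Figure 2 bands: (level, RTO upper bound in hours, possible recovery method).
# Figure 2 does not say which side of a boundary a value such as exactly 24 h falls on;
# this example (an assumption) treats each upper bound as inclusive, except that
# Level 1 is strictly "< 2 hours" as the figure states it.
CRITICALITY_LEVELS = (
    (1, 2, "Data replication"),
    (2, 24, "Data shadowing"),
    (3, 72, "Tape recovery at an offsite facility"),
    (4, float("inf"), "Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility"),
)


def criticality_level(rto_hours):
    """Map an RTO in hours to (level, recovery method) per the Figure 2 bands."""
    if rto_hours < 0:
        raise ValueError("RTO must be non-negative")
    for level, upper, method in CRITICALITY_LEVELS:
        within = rto_hours < upper if level == 1 else rto_hours <= upper
        if within:
            return level, method
    raise AssertionError("Level 4 has no upper bound, so this is unreachable")


# Constructed sample inventory: name -> (stated RTO in hours, upstream dependencies).
# Upstream = what this function relies on; downstream is derived by inverting the map.
SAMPLE_FUNCTIONS = {
    "campus_network": (48, []),
    "identity_service": (24, ["campus_network"]),
    "learning_management": (4, ["identity_service"]),
    "payroll": (72, ["identity_service"]),
    "alumni_newsletter": (200, ["campus_network"]),
}


def downstream_map(functions):
    """Invert the upstream lists: name -> set of functions that depend on it."""
    down = {name: set() for name in functions}
    for name, (_, upstream) in functions.items():
        for dep in upstream:
            if dep not in functions:
                raise KeyError(f"{name} depends on unknown function {dep!r}")
            down[dep].add(name)
    return down


def effective_rto(functions):
    """Propagate RTOs upstream: min(own RTO, effective RTO of each downstream dependent).

    Raises ValueError on a dependency cycle, which a BIA should flag rather than hide.
    """
    down = downstream_map(functions)
    memo, visiting = {}, set()

    def visit(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle involving {name!r}")
        visiting.add(name)
        rto = functions[name][0]
        for dependent in down[name]:
            rto = min(rto, visit(dependent))
        visiting.discard(name)
        memo[name] = rto
        return rto

    for name in functions:
        visit(name)
    return memo


def affected_by_failure(functions, name):
    """Every function transitively downstream of `name`, i.e. what its loss takes with it."""
    down = downstream_map(functions)
    seen, queue = set(), deque(down[name])
    while queue:
        current = queue.popleft()
        if current not in seen:
            seen.add(current)
            queue.extend(down[current])
    return seen


def prioritize(functions):
    """Rows of (name, stated RTO, effective RTO, level, method), most critical first."""
    effective = effective_rto(functions)
    rows = []
    for name, (stated, _) in functions.items():
        level, method = criticality_level(effective[name])
        rows.append((name, stated, effective[name], level, method))
    rows.sort(key=lambda row: (row[2], row[0]))
    return rows


if __name__ == "__main__":
    for name, stated, eff, level, method in prioritize(SAMPLE_FUNCTIONS):
        print(f"{name:20} stated RTO {stated:>4}h  effective RTO {eff:>4}h  Level {level}: {method}")
    print("Loss of campus_network affects:", sorted(affected_by_failure(SAMPLE_FUNCTIONS, "campus_network")))
```

Running the file shows the effect the Outcomes paragraph is pointing at: the campus network is stated at 48 hours (Level 3), but because the learning management system depends on it through the identity service and needs recovery within 4 hours, the network and the identity service inherit a 4-hour effective RTO and move to Level 2. A cycle in the dependency inventory is reported as an error rather than silently resolved, since it usually means a questionnaire answer needs to be rechecked.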
Methodologies in Business Impact Analyses: Approach

Best practice literature and industry standards list a number of different approaches to information gathering and data collection during the BIA process. The National Institute of Standards and Technology suggests that any of the following techniques are useful for data collection relevant to information technology systems and BIAs:[77]

Questionnaire: A questionnaire can be developed concerning the management and operational aspects of the department or information technology system. Questionnaires can be distributed to the applicable personnel or used during on-site visits and interviews.

On-site Interviews: Interviews with information technology specialists and management personnel can help with data collection as well as allow BIA personnel to observe and gather information about the physical, environmental, and operational security of the IT system.

Document Review: Policy documents (such as legislative documentation and directives), system documentation (such as system user guides and manuals), security-related documentation (such as previous audit reports and security policies), and previous risk assessment/BIA results, as well as organizational mission statements, can be useful to help gain an understanding of organizational processes during the BIA.

Use of an Automated Scanning Tool: Technical methods such as the use of network mapping tools can be used to collect system information efficiently.

GIAC's white paper "Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)" affirms the suggestions from the National Institute of Standards and Technology and emphasizes the success of BIA data collection through face-to-face interviews, questionnaires, or conference calls.[78]

The vast majority of the higher education institutions profiled in Figure 4 below used a questionnaire to gather information for the BIA, and most use some sort of interview, whether one-on-one or in a training session/workshop, to supplement the BIA information collection process. Both Pennsylvania State University and the University of Arizona used Strohl Systems software to help guide the creation and analysis of the BIA questionnaire. Two of the institutions, Stanford University and Baylor University, hired an outside consulting group to develop and administer the BIA. Interestingly, both of these schools had smaller enrollments than most of the other profiled institutions (Stanford University has an enrollment of 19,872 students and Baylor University has an enrollment of 14,174 students). Please see Figure 4 below for details and the report's Appendix for links to BIA templates used by a selection of the higher education institutions profiled.

Discontinuities between a few of the institutions profiled below and the institutions profiled in other sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report. Despite the lack of data, this report attempts to achieve as much overlap as possible concerning the institutions profiled and reviewed for best practice BIA methodologies.

[77] Stoneburner, Goguen, and Feringa, Op.cit.
[78] The Global Information Assurance Certification, Op.cit.
Figure 4: Approach Used in BIAs Performed in Institutions of Higher Education
Columns: Institution; Enrollment;[79] BIA Approach Used.

Virginia Community College System (93,198): Three separate BIA forms are administered to departments. The first form identifies all business activities and ranks their importance; the second form determines all applications and manual processes for business activities ranked most highly in form 1. The third form describes the systems ranked as critical on form 2.[80]

Pennsylvania State University (approx. 90,000[81]): Provide training for BIA and Risk Assessment for Recovery Coordinator and Unit Managers. Recovery Coordinators distribute the BIAs to appropriate units and Unit Managers. BIA results are then reviewed for completeness by the Recovery Coordinator and reported to management.[82] Strohl Systems BIA Professional software is used to help create the survey, collect and analyze data.[83]

University of Texas at Austin (50,170): Posts on-line instructions[84] to help business process units complete the posted Business Analysis Template.[85]

Texas A&M University (46,542): Questionnaire administered to departments. Training for personnel on business continuity plan after BIA administration.[86]

Michigan State University (46,045): Coordinator/project leader and functional unit administrators work to identify critical functions and processes, then interview information systems support personnel and business unit personnel. These results are then analyzed in order to complete a Risk Assessment.[87]

Connecticut Community College System (43,335[88]): Use of a questionnaire and interview process, as well as a technical review of current capabilities and practices. Information used to determine recovery options.[89]

University of Arizona (37,217): Used Strohl BIA software to help create a Critical Functions Assessment Survey and aid in the planning process.[90]

Texas Tech University System (28,260): Hired an outside consultant to administer BIA.[91]

Iowa State University (26,160): Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.[92]

Old Dominion University (22,287): Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.[93]

Northern Arizona University (21,347): Review relevant documentation, including critical success factors, strategic plans, budget measurements, etc., to build an understanding of organizational structure. Conduct interviews with College/Department leadership to gather data on operations, and compile the results of the interviews into business flows that describe core processes and the flow of information/goods/services.[94]

Stanford University (19,782): Hired an outside consulting group (IBM).[95]

Georgia Tech (18,742): Use of trained BIA evaluators to administer a survey to each institution unit, and then develop a business continuity plan based on BIA results.[96] Survey is a multiple choice self-assessment.[97]

Baylor University (14,174): Hired an outside consultant to administer BIA.[98]

[79] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[80] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[81] Pennsylvania State University. Live: The University's Official News Source. Op.cit.
[82] Pennsylvania State University. Administrative Information Services: Recovery Planning Process. Op.cit.
[83] Pennsylvania State University. PSU Business Continuity Blog: The Misunderstood Business Impact Analysis (BIA).
[84] University of Texas at Austin. Information Security Office: Risk Management Services Disaster Recovery Planning Instructions and Templates. Op.cit.
[85] University of Texas at Austin. BIA Template.
[86] Texas A&M University. University Risk and Compliance: University-Wide Risk Management URC Business Continuity Checklist. Op.cit.
[87] Michigan State University. Disaster Recovery Planning: Planning Guide: Michigan State University Unit Guide to Disaster Recovery Planning Compete with Step by Step Guide and Forms and Sample Plan Template.
[88] Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. Spring 2004 Credit Enrollment Report, February 23, 2004. Pg. 4.
[89] Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. Op.cit.
[90] The University of Arizona. University Information Technology Services: Business Impact Analysis. Op.cit.
[91] Texas Tech University System. Minutes: Board of Regents, October 27, 2006.
[92] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
[93] Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
[94] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110, Op.cit.
[95] Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit.
[96] Georgia Institute of Technology. Welcome to the Georgia Tech Risk Self Assessment Program. Op.cit.
[97] Georgia Institute of Technology. Self-Assessment Questionnaire.
[98] Hanover Research Council Interview with Baylor University, November 4, 2008.

Methodologies in Business Impact Analyses: Oversight

Business Impact Analysis literature asserts that the successful completion of a BIA depends on the level of management involvement in both the oversight and governance of the BIA, as well as their commitment to the project.[99] For the purposes of this report, oversight is defined as the management or supervision of the BIA process itself.

Among the majority of the studied higher education institutions with documented information concerning BIA oversight processes, the governing body responsible for mandating the BIA and its processes appoints a BIA team from departmental personnel. It is this team that is then responsible for the actual organization, development, administration, timely completion, and analysis/assessment of the BIA, as well as for the reporting of the BIA results to upper management.[100] This oversight process does not appear to vary with institution size as measured by enrollment.

Figure 5 reviews the individuals responsible for BIA oversight and their associated responsibilities for each of the institutions studied.

Figure 5: Oversight of Business Impact Analyses Performed in Institutions of Higher Education
Columns: Institution; Enrollment;[101] Individual(s) Responsible for BIA Oversight; BIA Oversight Responsibilities.

Virginia Community College System (93,198)
  Responsible for oversight: College Presidents and System Office Vice Chancellors conduct the BIA, and a Risk Assessment Coordinator is appointed to help oversee the process.[102]
  Responsibilities: Allocate resources to conduct a BIA and Risk Assessment. The Risk Assessment Coordinator coordinates the review of all business functions, but all are active in the BIA.[103]

Iowa State University (26,160)
  Responsible for oversight: Team Leader selected by management and a team with a minimum of three individuals.[104]
  Responsibilities: Assure risks are reviewed and addressed, updates are made to the initial report, and a process is in place for periodic BIA and Risk Assessment.[105]

Pennsylvania State University (approx. 90,000[106])
  Responsible for oversight: Management Planning team, which includes the BIA sponsor, recovery coordinator and two unit managers who are knowledgeable of the recovery planning process and manage the critical service on a daily basis.[107]
  Responsibilities: The sponsor must make decisions that can affect the organization, determine constraints and limitations for recovery planning, and ensure the project stays on focus. The Recovery Coordinator must be fluent in project management principles. The Unit Manager must manage the critical service on a daily basis.[108]

Texas A&M University (46,542)
  Responsible for oversight: A Business Continuity Coordinator is assigned within each department to coordinate the continuity plan, including the BIA, act as an inter-departmental liaison, and assemble a Departmental Continuity Committee.[109]
  Responsibilities: Act as a liaison between the emergency operations center and the departmental recovery team, coordinate the development of the departmental plan, and maintain pre-determined departmental decision-making authority. The Departmental Committee may seek faculty/staff representation and input on plan development and resource allocation.[110]

Michigan State University (46,045)
  Responsible for oversight: A BIA Coordinator/Project leader in conjunction with functional unit administrators such as chairpersons, assistant directors, associate directors, department chairs or directors.[111]
  Responsibilities: Organize the BIA by setting the scope, objectives, assumptions, timetable and draft of the project plan; assigning task responsibilities; and obtaining the Dean's approval. Conducts the BIA in conjunction with functional unit administrators.[112]

North Carolina State University (31,802)
  Responsible for oversight: Business Continuity and Disaster Recovery Oversight Committee composed of a cross section of academic and administrative leaders. Also included is a Cohort Coordinator.[113]
  Responsibilities: Review the annual work goals of the Department of Business Continuity, develop and review BIA and Risk Assessment Plans. The Cohort Coordinator ensures that each business unit within the cohort has completed the BIA or Risk Assessment and has developed a Business Continuity Plan.[114]

University of Nebraska - Lincoln (22,973)
  Responsible for oversight: Individuals responsible for BIA oversight include a sponsor, project manager, management from the Information Services Executive Committee, and other stakeholders, including coordinators of Information Security Critical Services. The Project Team for the Disaster Mitigation Plan includes a communications and operations unit, an instructional technology group, and an enterprise information solutions component.[115]
  Responsibilities: Must hold weekly meetings or more, with meeting minutes posted as IS intends. Responsible for completing the following deliverables: criteria to develop the list of critical services, list of critical services, components and resources of critical services, redundancy of resources, and mitigation plan for each critical service.[116]

Old Dominion University (22,287)
  Responsible for oversight: The Office of Computing and Communications Services.[117]
  Responsibilities: Ensure the report is completed on time. Responsible for reporting the BIA to management. Must be able to use understanding of university operations and the interaction of the department with central systems and operations to enhance the analysis.[118]

Stanford University (19,782)
  Responsible for oversight: IBM Consulting group.[119]
  Responsibilities: N/A

Georgia Tech (18,742)
  Responsible for oversight: Departmental personnel are selected to become part of the BIA/Risk Assessment Team.[120]
  Responsibilities: Responsible for the timely completion of the BIA and for reporting the BIA to management. Also responsible for assuring risks are reviewed and addressed, updates are made to the initial report, and that a process is in place for an annual BIA performance. Responsible for forming a team to help with this maintenance process.[121]

[99] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description, Op.cit.
[100] Ibid.
[101] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[102] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[103] Ibid.
[104] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
[105] Ibid.
[106] Pennsylvania State University. Live: The University's Official News Source. Op.cit.
[107] Pennsylvania State University. Administration Information Services: Recovery Planning Process, Op.cit.
[108] Ibid.
[109] Texas A&M University. University Risk and Compliance, Op.cit.
[110] Ibid.
[111] Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units.
[112] Ibid.
[113] North Carolina State University. Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans. Op.cit.
[114] Ibid.
[115] University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit.
[116] Ibid.
[117] Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
[118] Ibid.
[119] Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit.
[120] Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
[121] Ibid.
Hanover Research November 2008Individual(s) Responsible for Institution Enrollment101BIA Oversight Responsibilities BIA oversightBaylor University 14,174 Outside consulting group.122N/ADepartmental Team Leaders will Follow the Information Security Officesbe directed by the Informationinstructions and format for BIA, conduct andLongwood Security Office and provided with4,727complete the BIA. The Team Leader may formUniversity information and training sessionsteams to include departmental individuals to assistto aid in Team Leaders BIA in the process.124completion.123 122 Hanover Research Council contact with Baylor University, November 4, 2008. 123 Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. Op.cit. 124 Ibid.32 2008 The Hanover Research Council 33. Hanover Research November 2008Methodologies in Business Impact Analyses: GovernanceAs noted in the previous section of this report, management commitment and support for the BIA process is a crucial component in the successful completion of the analysis.125 For the purposes of this report, we define the upper levels of management associated with the BIA process as those individuals with duties associated with BIA governance. These duties include responsibilities concerning the policies, processes, mandates or decisions involved in at the macro level of higher education institution BIA performance.A review of the individuals and responsibilities involved in the governance process in higher education settings reveals that the institutions Business Continuity, Auditing, Information Security, or Risk Management Office (or office with a similar function) is generally the governing body responsible for the initiation of a BIA. The responsibilities involved in this position involve mandating the performance of Business Impact Analyses, reviewing the BIA, and providing final approval for the BIA. 
In some cases, the governing body also selects the team of individuals responsible for overseeing and conducting the BIA. The individuals involved in BIA governance and their associated responsibilities do not appear to vary by institution size as measured by enrollment.

Figure 6 profiles the individuals responsible for BIA governance and their related responsibilities for twelve institutions of higher education.

125 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op. cit.

Figure 6: Governance of Business Impact Analyses in Institutions of Higher Education

Columns: Institution | Enrollment126 | Individual(s) Responsible for BIA Governance | BIA Governing Body Responsibilities

Virginia Community College System (enrollment 93,198)
  Individual(s) responsible for BIA governance: College Presidents and System Office Vice Chancellors.127
  Responsibilities: Review all business functions and can initiate additional reviews to isolate specific business functions at the governing body's discretion.128

Pennsylvania State University (enrollment approx. 90,000129)
  Individual(s) responsible for BIA governance: Sponsor.130
  Responsibilities: Must be able to make decisions that can affect the organization, determine constraints and limitations for organizational recovery planning, ensure the project stays on focus, and have an overall understanding of the organization and recovery planning process.131

Texas A&M University (enrollment 46,542)
  Individual(s) responsible for BIA governance: University Risk and Compliance Office.132
  Responsibilities: Provides tools and resources for individuals who will complete or are completing BIAs and Risk Assessments.133

Michigan State University (enrollment 46,045)
  Individual(s) responsible for BIA governance: Dean of department134 and the Client Advocacy Office.135
  Responsibilities: Dean must approve BIA,136 and the Client Advocacy Office coordinates the Disaster Recovery Planning Team.137

North Carolina State University (enrollment 31,802)
  Individual(s) responsible for BIA governance: Chancellor appoints Business Continuity and Disaster Recovery Oversight Committee.138
  Responsibilities: Department Head, Dean or Vice Chancellor sign off on final BIA approval. Reviews annual reports from Committee, must approve and sign off on BIA.139

Iowa State University (enrollment 26,160)
  Individual(s) responsible for BIA governance: IT Security and Policies Department and the Chief Information Officer.140
  Responsibilities: Establishes policies to ensure the university has a secure information technology environment. CIO receives BIA report.141

University of Nebraska-Lincoln (enrollment 22,973)
  Individual(s) responsible for BIA governance: Sponsor, Project Manager and the Information Services Executive Committee.142
  Responsibilities: The sponsor must attend one-on-one monthly meetings with the Project Manager, and the Executive Committee must attend meetings quarterly. The Project Manager must prepare an initial draft of the statement of work and communications plan for the BIA/Risk Assessment and submit the plan to stakeholders for their review.143

Old Dominion University (enrollment 22,287)
  Individual(s) responsible for BIA governance: Office of Computing and Communications Services and the Commonwealth of Virginia SEC2001-01.1.144
  Responsibilities: Required to mandate the performance of a BIA and a Risk Assessment at a minimum of every three years.145

Stanford University (enrollment 19,782)
  Individual(s) responsible for BIA governance: Stanford University Emergency Management program.146
  Responsibilities: Assessing the University's emergency management capabilities and initiating recovery planning activities such as BIA performance at its discretion.147

Georgia Tech (enrollment 18,742)
  Individual(s) responsible for BIA governance: Department of Internal Audits.148
  Responsibilities: Host annual information sessions and provide a point of contact for departments completing the BIA process.149

Baylor University (enrollment 14,174)
  Individual(s) responsible for BIA governance: Risk Management Department.150
  Responsibilities: Responsible for providing business continuity and risk management services.151

Longwood University (enrollment 4,727)
  Individual(s) responsible for BIA governance: Chief Information Officer or designee. Vice Presidents of Colleges.152
  Responsibilities: CIO or designee may initiate a BIA on any entity/department throughout the University. Vice Presidents are responsible for the execution, development and implementation of business remediation programs.153

126 Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
127 Virginia Community College System. Technology Models: Business Impact Analysis. Op. cit.
128 Ibid.
129 Pennsylvania State University. Live: The University's Official News Source. Op. cit.
130 Pennsylvania State University. Administration Information Services: Recovery Planning Process. Op. cit.
131 Ibid.
132 Texas A&M University. University Risk and Compliance: Business Continuity Planning.
133 Ibid.
134 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. Op. cit.
135 Michigan State University. Disaster Recovery Planning: About.
136 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. Op. cit.
137 Michigan State University. Disaster Recovery Planning: About. Op. cit.
138 North Carolina State University. Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans. Op. cit.
139 Ibid.
140 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op. cit.
141 Ibid.
142 University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op. cit.
143 Ibid.
144 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op. cit.
145 Ibid.
146 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op. cit.
147 Ibid.
148 Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description. Op. cit.
149 Ibid.
150 Baylor University. Risk Management: Crisis Management.
151 Ibid.
152 Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. Op. cit.
153 Ibid.

Appendix
Links to BIA Templates

Northern Arizona University: http://www4.nau.edu/comptr/docs/BCP%20Template.doc
The University of Arizona: http://web.arizona.edu/~ccit/index.php?id=976
Texas A&M University: http://universityrisk.tamu.edu/DataFiles/BC-Plan-Template.doc
The University of Texas, Austin: http://security.utexas.edu/risk/planning/UT-Austin-BIA-Template.doc
Virginia Community College System:
  Form 1: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM1.doc
  Form 2: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM2.doc
  Form 3: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM3.doc
New Jersey City University: http://www.njcu.edu/assoc/njcuitma/documents/addendums/Sample_BIA_Report.pdf
Harvard University Beth Israel Deaconess Medical Center: https://research.bidmc.harvard.edu/ost/download/Impact_Continuity.pdf
Michigan State University:
  BIA Template: http://www.drp.msu.edu/Documentation/Step2sampleBIA.htm
  Critical System Ranking Form: http://www.drp.msu.edu/Documentation/Step2sampleCriticalSystemRanking.htm
Note

This brief was written to fulfill the specific request of an individual member of The Hanover Research Council. As such, it may not satisfy the needs of all members. We encourage any and all members who have additional questions about this topic or any other to contact us.

Caveat

The publisher and authors have used their best efforts in preparing this brief. The publisher and authors make no representations or warranties with respect to the accuracy or completeness of the contents of this brief and specifically disclaim any implied warranties of fitness for a particular purpose. There are no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or extended by representatives of The Hanover Research Council or its marketing materials. The accuracy and completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice and strategies contained herein may not be suitable for every member. Neither the publisher nor the authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Moreover, The Hanover Research Council is not engaged in rendering legal, accounting, or other professional services. Members requiring such services are advised to consult an appropriate professional.