Hanover Research
November 2008
Introduction
In the following pages, The Hanover Research Council provides background on the development and use of Business Impact Analyses (BIA) in institutions of higher education, governmental auditing agencies and the Information Technology industry. The methodologies and framework of BIA performance in a higher education setting, including scope, framework, approach, oversight, and governance, are then reviewed in more detail. Information concerning BIA performance at the institutions studied in this report indicates that higher education institutions, regardless of enrollment size, follow BIA methodologies and frameworks that are similar to each other and to those recommended in best practice and industry literature.

The report is organized as follows:

Section One: Business Impact Analyses (BIA) Defined: In this section, we define BIAs, including the process, usage and importance of this type of analysis in business continuity and recovery planning for institutions of higher education, governmental agencies, and private business.

Section Two: Methodologies of Business Impact Analyses: Initial Development: In this section, we review best practice literature concerning the development and planning phases of Business Impact Analyses, with particular emphasis on the process of development and planning for data collection. Also reviewed are industry recommendations concerning the development of the BIA questionnaire and suggested components of the questionnaire.

Section Three: Methodologies of Business Impact Analyses: Scope: In this section, we analyze the scope, purpose and any additional information concerning BIA performance in 14 institutions of higher education to determine common methodologies and best practices for BIA performance in higher education.

Section Four: Methodologies of Business Impact Analyses: Framework: In this section, we review best practice literature and information concerning the BIA frameworks used in institutions of higher education and governmental agencies. BIA framework is discussed as a set of three major components: (1) Plan Development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals.

Section Five: Methodologies of Business Impact Analyses: Approach: In this section, we review best practice literature and the various approaches used in BIA performance in higher education settings to determine common approaches used in successful Business Impact Analyses.

Section Six: Methodologies of Business Impact Analyses: Oversight: In this section, we review best practice literature and the individuals involved in overseeing BIA performance and their associated responsibilities to determine commonalities and best practices in the oversight of Business Impact Analyses.

Section Seven: Methodologies of Business Impact Analyses: Governance: In this section, we review the literature about the individuals involved in BIA governance and their associated responsibilities to determine commonalities and best practices in the governance process associated with Business Impact Analyses.

Section Eight: Appendix: The Appendix includes links to sample BIA templates from a variety of institutions of higher education profiled in this report.
the quantitative costs, such as cash flow, replacement of equipment, salaries paid to catch up with work backlog, and loss of profits, as well as the qualitative costs, such as impacts on safety, marketing, legal compliance, quality assurance and public image, that are affected in the event of a disruption.[8] The process of the BIA usually involves five steps:[9]

1. Project planning
2. Data gathering
3. Data analysis
4. Documentation of the findings
5. Management review and sign-off

While the management of a BIA may be completed either intra-organizationally or by an outside consulting agency, the key benefits derived from the performance of a BIA are uniform across industries, organizations and departments. A BIA is an essential piece of an organization's ability to review the processes critical to the organization; its key benefits are:[10]

- Understanding of the financial and intangible impacts of a disruption to business;
- Identification of vital resources and high availability services; and
- Development of business recovery/continuity strategies.

[8] <http://www.sorm.state.tx.us/Risk_Management/Business_Continuity/bus_impact.php>; SearchStorage.com. Definitions: What is business impact analysis? A definition from Whatis.com. <http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci820947,00.html>
[9] Global Information Assurance Certification (GIAC), Op.cit.
[10] Ibid.
[11] The following information is quoted verbatim from: The Institute for Continuity Management. Business Impact Analysis. <https://www.drii.org/professional_prac/profprac_business_impact_analysis.html>
      v. Conduct follow-up discussions when clarification and/or additional data is required
   d. Data collection via interviews only
      i. Provide consistency with the structure of each interview being predefined and following a common format
      ii. Ensure the base information to be collected at each interview is predefined
      iii. Enable interviewee to review and verify all data gathered
      iv. Schedule follow-up interviews if initial analysis shows a need to clarify and/or add to the data already provided
   e. Data collection via workshop
      i. Set a clear agenda and set of objectives
      ii. Identify the appropriate level of workshop participants and obtain agreement from management
      iii. Choose appropriate venue, evaluating location, facilities and participant availability
      iv. Facilitate and lead the workshop
      v. Ensure workshop objectives are met
      vi. Ensure all outstanding issues at the end of the workshop are identified and appropriate follow-up conducted
5. Determine report format, content and obtain management approval for next steps
6. Obtain agreement for management on final time schedule and initiate the BIA process

Plan and Coordinate Data Gathering and Analysis
1. Identify all Organization Functions
   a. Collect and review existing organizational charts
   b. Identify the major areas of the organization
2. Identify and Train Knowledgeable Functional Management Representatives
   a. Identify specific individuals to represent in the collection process
   b. Inform the selected individuals of the BIA process and its purpose
   c. Identify training requirements and establish a training schedule and undertake training as appropriate
As can be seen from the steps outlined above, best practice literature concerning BIA development focuses on the need for communication between the individuals/departments responsible for administering the BIA and the individuals/departments from which BIA data are collected.[12] Additionally, it is important that a sponsor from within the upper management ranks of the organization is identified prior to data collection, in order to increase interdepartmental cooperation with the data collection process and to approve the BIA so that subsequent steps of the business continuity management process may be completed.[13]

A crucial component of this initial development phase is the creation of a BIA questionnaire that will be able to effectively identify critical processes and resources for the organization. Literature recommends that the BIA questionnaire include the following elements:[14]

Function Description: Includes a brief description of the function being performed by the department/individual.
Dependencies: Includes a description of the dependencies of the function being performed, including components and processes necessary for function performance.
Impact Profile: Determines if there is a specific time or period of time in which the described function would be more vulnerable to risk/exposure or in which the impact to business would be greater.
Operational Impacts: Determines the operational impact of a disruption to the function and the time at which the operational impact of a disruption would be felt.
Financial Impacts: Determines the financial impact of a disruption to the function and the time at which the financial impact of a disruption would be felt.
Work Backlog: Determines the time at which the backlog of work resulting from a disruption will begin to impact business processes.
Recovery Resources: Determines the resources needed to support the function, including the quantity of resources and the point at which they are needed after a disruption.
Technology Resources: Determines the software/applications necessary to support the business function, including any need for standalone PCs or workstations and local area networks (LAN) in order to function.
Work-around Procedures: Determines the availability of manual work-around procedures in place that would enable continued performance after a disruption to the function.
Work-at-home: Determines the ability of employees to perform the function at home.
Workload Shifting: Determines the options for shifting workload to another part of the organization to minimize the impact of a disruption.
Business Records: Determines the business records needed to perform the function and the frequency at which records are saved and/or replicated.
Regulatory Reporting: Determines what regulatory documents are created as a result of the function.
Work Inflows: Determines the internal or external inputs necessary to perform the function.
Business Disruption Experience: Determines if previous disruptions to business have occurred.
Competitive Analysis: Determines if a competitive impact would occur as a result of a disruption to the function, and if so, the time of impact and potential customer loss.
Other Issues: Determines if there are other issues relevant to the success of function performance.

These elements of the BIA questionnaire are used to identify the effects of disruptions and assess the impact of these effects. The identified effects of disruptions may include the loss of key personnel and of physical, informational, financial and intangible assets, the resulting discontinuity of service and operations, and any resulting violations of law/regulation and the effect on public perception. Questions should also identify the financial and business impact, covering both quantitative impacts (including property loss, revenue loss, fines, cash flow, accounts receivable/payable, legal liability, human resources, additional expenses) and qualitative impacts (human resources, morale, stakeholder confidence, legal, social and corporate image, financial community credibility).

The accumulation of this information can help to inform recovery objectives and identify vital resources or processes of the organization.[15] The following sections of this report provide a detailed review of the scope, approach, framework, oversight and governance of BIA implementation and performance. The analysis of BIA methodologies in higher education settings includes a review of the BIA process and performance of individual institutions, supplemented with best practice literature from industry experts.

[12] Ibid.
[13] Ibid.
[14] Texas State Office of Risk Management. Business Continuity Impact Analysis. Op.cit.
In order to provide a diverse cross-section for analysis and determine if BIA methodologies vary with institution size, the institutions profiled in this report vary in size as measured by enrollment (from 93,198 students enrolled in the Virginia Community Colleges System to 4,727 students enrolled in Longwood University).

[16] Commonwealth of Virginia. Information Technology Resource Management Standard: Information Technology Security Standard. Pg. 1. <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>
Figure 1: Scope of Business Impact Analyses Performed in Institutions of Higher Education

Columns: Institution; Enrollment[17]; Participating Units; Purpose; Additional Information.

Institution: Virginia Community College System
Enrollment: 93,198[18]
Participating Units: Covers all System Office, VCC Utility and college business processes and supporting applications; however,[19] analysis takes place on a departmental level.[20]
Purpose: To identify critical business functions associated with the organizational units participating in the BIA in order to comply with Virginia's COV ITRM Standard SEC2001-01.1.[21]
Additional Information: For more information on Virginia's COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions' information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>

Institution: Pennsylvania State University
Enrollment: Approx. 90,000[22]
Participating Units: Piloted in 2005 to the Academic Services and Emerging Technologies Dept., the Consulting and Support Services Dept., the Digital Library Technologies Dept., the Teaching and Learning with Technology Dept., and the Telecommunications and Networking Services Dept.[23]
Purpose: Develop the necessary training and tools to assist with disaster recovery efforts.[24]
Additional Information: N/A

Institution: University of Texas at Austin
Enrollment: 50,170
Participating Units: All University departments.[25]
Purpose: Identify critical processes within an organization to determine the impact of a disruption to business and create ways to work around disruptions to processes.[26]
Additional Information: N/A

Institution: Texas A&M University
Enrollment: 46,542
Participating Units: Has a university-wide risk management and business continuity plan in place that includes a BIA component.[27]
Purpose: Identify events that may affect the organization and manage risks in order to aid business continuity and recovery objectives.[28]
Additional Information: Texas A&M includes the BIA process as part of its Enterprise Risk Management program, an emerging model at institutions of higher education where risk management is integrated and coordinated across the university as a whole.[29]

Institution: Michigan State University
Enrollment: 46,045
Participating Units: N/A
Purpose: Identify and prioritize critical systems. Use the information recovered from the BIA, such as the identification of common elements of plausible disruptions that might disrupt critical units, the anticipation of the impact of these disruptions, and the development of contingent responses for a timely recovery, to form a Unit Disaster Recovery Planning Project.[31]
Additional Information: N/A

Institution: Connecticut Community College System
Enrollment: 43,335[32]
Participating Units: All Academic departments, Student Records department, Financial Aid departments, Finance/Budget business units, Human Resources departments, Legal departments, Libraries, and Institutional Departments, as well as all Information Technology networks and applications.[33]
Purpose: Determine recovery objectives for critical business units based upon the business impact of units.[34]
Additional Information: N/A

Institution: University of Arizona
Enrollment: 37,217
Participating Units: All University departments.[35]
Purpose: Enable the University to prepare for and respond to disruptions through the identification of priorities, strategies, and solutions for managing continuity/recovery.[36]
Additional Information: N/A

Institution: North Carolina State University
Enrollment: 31,802
Participating Units: 30 business units at the University participated, including Administrative Services, Budget Office, Controller's Office, and Enrollment Management Services.[37]
Purpose: For each business unit, identify university functions, functional area representatives, criticality criteria, RTOs, and RPOs, as well as present criticality criteria to an oversight committee.[38]
Additional Information: N/A

Institution: University of Nebraska - Lincoln
Enrollment: 22,973
Participating Units: Critical services provided by Information Security (IS) to support the technology of the University. No systems external to IS are covered.[39]
Purpose: Identify and prioritize critical services supported by IS and work with the coordinators of the services to review or develop a plan for each service to minimize the negative effects in the event of a disaster.[40]
Additional Information: N/A

Institution: Old Dominion University
Enrollment: 22,287
Participating Units: University-wide administration
Purpose: Identify assets and associated risks within the University, determine the importance of these assets and identify safeguards in compliance with Virginia's COV ITRM Standard SEC2001-01.1.[41]
Additional Information: For more information on Virginia's COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions' information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>

Institution: Stanford University
Enrollment: 19,782
Participating Units: N/A
Purpose: Determine vulnerabilities and dependencies between core business processes to assist in the development of response and recovery plans.[43]
Additional Information: Stanford has already undergone a BIA of its financial systems conducted by IBM; however, the University believes that there is a need for a larger scope to address other systems necessary to operations.[44]

Institution: Northern Arizona University
Enrollment: 21,347
Participating Units: All NAU College campuses and departments.[45]
Purpose: To identify core business processes and to establish risk management and disaster recovery planning processes to respond to business disruptions and risks associated with the University's loss of its ability to execute core processes.[46]
Additional Information: Departments identified as relevant for risk assessments: Academic Departments (which collect financial data during payment of fees for affiliated programs), Accounts Payable, Admissions, Alumni, Aquatic Center, Athletics (including Summer Sports Camps), Bookstore, Central Ticket Office, Library, Dental Hygiene, Dining Services, Distributed Learning, Financial Aid Office, Health Center, High Altitude Sports Training Complex, IT Services, Inn at NAU, Mountain Campus Card Office, Office of the Bursar, Parking Services, Performing Arts (including Summer Music Camps), Postal Services, Property Administration, Purchasing Services, Recreation Center, Registrar's Office, Residence Life, Skydome, Transportation Services, and University Advancement.[47]

Institution: Georgia Tech
Enrollment: 18,742
Participating Units: All academic and administrative units, including Human Resources and Information Technology.[48]
Purpose: Enable all units to uniformly assess and develop strategies for identification, assessment and mitigation of risks to Information Systems and to comply with regulatory requirements.[49]
Additional Information: N/A

Institution: Longwood University
Enrollment: 4,727
Participating Units: University-wide administration.[50]
Purpose: Identify assets and associated risks within the University, determine the importance of these assets and identify safeguards in compliance with Virginia's COV ITRM Standard SEC2001-01.1.[51]
Additional Information: For more information on Virginia's COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions' information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf>

[17] Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
[18] Enrollment figure represents the Annualized FTE Enrollment, 2005-06. Figure from: The Virginia Community College System. Virginia Community College System Enrollment Report. Pg. 1. <http://www.schev.edu/Reportstats/EnrollmentReportApp/InstProfiles2007/VCCS.pdf>
[19] Virginia Community College System. Technology Models: Business Impact Analysis. <http://system.vccs.edu/ITS/models/bia.htm>
[20] Texas A&M University. University Risk and Compliance: University-Wide Risk Management. <http://universityrisk.tamu.edu/BusinessContinuityTools.aspx>
[21] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[22] Pennsylvania State University. Live: The University's Official News Source. <http://live.psu.edu/image/21894>
[23] Pennsylvania State University. Administrative Information Services Online Newsletter: November 2005. <http://ais.its.psu.edu/news/nov_2005.html>
[24] Ibid.
[25] University of Texas at Austin. Information Security Office: Risk Management Services Disaster Recovery Planning Instructions and Templates. <http://security.utexas.edu/risk/planning/>
[26] Ibid.
[27] Texas A&M University. University Risk and Compliance: University-Wide Risk Management. <http://universityrisk.tamu.edu/moreRiskMgmtDefn.aspx>
[28] Ibid.
[29] Ibid.
[30] Michigan State University. Michigan State University Unit Guide to Disaster Recovery Planning Overview. <http://www.drp.msu.edu/Documentation/UnitGuideDisasterRecoveryPlanningVer3_lite.doc>
[31] Ibid.
[32] Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. Spring 2004 Credit Enrollment Report, February 23, 2004. Pg. 4. <http://www.commnet.edu/planning/Research/Enrollment/CreditEnrollment/Spring/Spring_2004.pdf>
[33] Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. <http://64.233.169.104/search?q=cache:rI9oeuNbxPUJ:www.commnet.edu/IT/docs/BIA-Kickoff20050714.ppt+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=7&gl=us>
[34] Ibid.
[35] The University of Arizona. University Information Technology Services: Business Impact Analysis, Op.cit.
[36] Ibid.
[37] For a complete listing of participating business units, please see: North Carolina State University. BIA: OIT Organizational Resilience. <http://www.fis.ncsu.edu/or/history/history_funcreq_bia.htm>
[38] Ibid.
[39] University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. <http://is.unl.edu/about/documents/Disaster%20Mitigation.PDF>
[40] Ibid.
[41] Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. <http://64.233.169.104/search?q=cache:0wSgnLEwyjkJ:occs.odu.edu/security/risk/Risk_Assess_Users_Guide.doc+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=39&gl=us&client=firefox-a>
[42] Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. <http://facultysenate.stanford.edu/2005_2006/reports/SenD5790_emerg_prepare.pdf>
[43] Ibid.
[44] Ibid.
[45] Northern Arizona University. NAU Business Continuity and Disaster Recovery Site. <http://home.nau.edu/comptr/businesscontinuity.asp>
[46] Ibid.
[47] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110: Information Security Plan for Northern Arizona University. <http://www4.nau.edu/comptr/policies_procedures/com110.html>
[48] Georgia Institute of Technology. Welcome to the Georgia Tech Risk Self Assessment Program. Business Analysis IT Risk Document. <http://www.risks.gatech.edu/Documents/SelfAssessment/Risk%20Assessment%20Process%20Rev727.PDF>
[49] Ibid.
[50] Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. <http://www.longwood.edu/vpaf/final_policy_base/6000/6126.htm>
[51] Ibid.
[52] The Institute for Continuity Management. Business Impact Analysis. Op.cit.
[53] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources General Information and Process Description. Op.cit.; Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets General Information and Process Description. Op.cit.; and Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets General Information and Process Description. Op.cit.
[54] Ibid.
[55] Pennsylvania State University. Administration Information Services: Recovery Planning Process. <http://ais.its.psu.edu/disaster_recovery/media/Recovery_Planning_Guide.pdf>
established, and workshop/training sessions are hosted to inform all faculty and staff of the BIA process and goals.[56]

Assessment and Analysis Processes

The next components of the BIA framework are the assessment and analysis processes, which begin with a determination of what will be assessed by the BIA. Because the "what" of the BIA assessment is the set of critical business functions/processes relative to the department's mission, it tends to vary by organization and within departments.[57] While this process may include the development of criteria to guide the creation of a list of critical services,[58] a list of all business activities (including academic activities, accounting activities, budget and planning activities, etc.),[59] or the determination of the core processes performed by each College or department and the flow of information, materials, and services through these core processes,[60] there are many commonalities among these assessments. Similar characteristics of BIA assessment categories include their importance to the functioning of business and the threat to business operations if these critical services/activities/functions/resources are disturbed. Some institutions also include a risk assessment component in the BIA, which often involves the identification and evaluation of scenarios, risks, and internal and external threats, as well as the impact of these on the critical services/activities/functions/resources.[61]

In order to help departments obtain a basic understanding of their critical business processes, some higher education institutions provide Business Analysis Checklists for departments in the process of BIA performance. Checklists may include the purpose, overview and objective of the BIA, as well as questions meant to determine the exact function of the business process, the time period the process can function without information technology support, and any impacts associated with disruption to the process.[62] To view an example of one of these checklists, please follow the link provided by the University of Arizona: BIA Checklist (see footnote 62).

Business processes must undergo an analysis process in which criticality and importance are defined for each process and processes are prioritized or ranked. The level of detail of these definitions and criteria varies widely among institutions, although the definition of "critical" is generally accepted to encompass those functions which have a direct and immediate effect on the general campus community.[63] Functions are defined as "essential" by multiple higher education institutions if the department could continue operations after a disruption to the function for days or even a week but would eventually need the function again, and are defined as "normal" if the department can continue operations without the function for an extended period of time.[64] Many institutions also consider extent of impact, costs of a failure, publicity, legal and ethical issues, and regulatory concerns in their determination of criticality criteria and definitions.[65]

While some higher education institutions, like the Virginia Community College System, use a relatively simple ranking scale that rates the importance of business activities on a scale of one to three, one being the most important and three being the least important,[66] other institutions use more detailed ranking scales. The University of Arizona, for example, provides a scale that ranks critical functions on a scale of one to five, where criticality is denoted based on the length of the time period between a disruption to the function and the point at which business processes will be impacted if the function is not resumed (in this case, the University of Arizona defines the most critical functions as those in which only 24 hours may pass before the function needs to be resumed).[67] Iowa State University uses similar criteria to determine criticality by dividing impact rankings into high (cannot operate without the resource even for a short period of time), medium (could work around the loss of the resource for a few days or a week), and low (could operate without the resource for an extended period of time).[68] The University of Texas also includes impact in its ranking criteria, defining resource importance through the following four impact levels:[69]

N: None. There is no impact on any work function. An example would be a process that runs only intermittently; normal function would continue until the next interval that process is scheduled to run.
M: Moderate. The failure of the process results in minor or moderate disruption to the function of the department itself or to another department with a downstream dependency.
S: Severe. The failure of the process results in the department or another department with a downstream dependency being unable to function.
C: Catastrophic. The failure of the process results in a disruption of the university's daily functioning.

It is also possible to incorporate recovery time objectives into criticality definitions, as shown in the figure provided by the Global Information Assurance Certification organization (GIAC).

Figure 2: Criticality Levels Defined in Relation to Recovery Objectives and Method

Level 1: The business process must be available during all business hours. Recovery Objective: < 2 hours. Possible Recovery Method: Data replication.
Level 2: Indicates that the business function can survive without normal business processes for a limited amount of time. Recovery Objective: 2 hours to 24 hours. Possible Recovery Method: Data shadowing.
Level 3: The business function can survive for one to three days with a data loss of one day. Recovery Objective: 24 to 72 hours. Possible Recovery Method: Tape recovery at an offsite facility.
Level 4: Business unit can survive without the business function for an extended period of time. Recovery Objective: 72 hours plus. Possible Recovery Method: Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility.

Table provided by The Global Information Assurance Certification. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). <http://www.giac.org/resources/whitepaper/planning/122.php>

[56] Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. Op.cit.
[57] Texas A&M University. University Risk and Compliance: University-Wide Risk Management URC Business Continuity Checklist. <http://universityrisk.tamu.edu/DataFiles/BC-Checklist.doc>
[58] University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit.
[59] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[60] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110. Op.cit.
[61] Texas A&M University. University Risk and Compliance: University-Wide Risk Management. Op.cit.
[62] The University of Arizona. Business Analysis Checklist. <http://web.arizona.edu/~ccit/fileadmin/templates/content/security/pdf/BIAChecklist.pdf> and Texas A&M University. University Risk and Compliance, Op.cit.
[63] Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110, Op.cit.
[64] See footnote 53.
[65] Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets General Information and Process Description. Op.cit.
[66] Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
[67] University of Arizona. Critical Functions Assessment Survey. <http://web.arizona.edu/~ccit/fileadmin/templates/content/security/pdf/CFA_Survey.pdf>
[68] Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources General Information and Process Description. Op.cit.
[69] Impact levels are quoted verbatim from: The University of Texas at Austin. Information Security Office: Business Impact Analysis Instructions. <http://security.utexas.edu/risk/planning/bia-instructions.html>
The BIA framework shown above, where recovery time is included in the ranking analysis, is called a high availability analysis framework.70 This type of framework allows the organization to define service level agreements in terms of high availability for the critical functions and processes defined in the BIA. Information from the BIA is then used to identify critical business functions/processes, and then to determine the appropriate amount of redundancy for these functions/processes to increase recovery time.71 The following shows an example of Stanford Universitys Oracle database categorization and ranking system for high availability services:72 Tier 1: Includes business processes with a maximum impact and the most stringent high availability requirements. The Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are often close to zero, and these processes require almost continuous supporting services. Tier 2: Includes business processes with fewer high availability requirements and longer RTO and RPO times. Tier 3: Includes business processes related to internal development and quality assurance but do not have rigorous high availability requirements. The high availability framework is similar to other BIA frameworks, differing only in its categorization of some services as high availability based on recovery time objectives, but using otherwise similar criticality criteria and ranking systems to determine the importance and impact of business processes to inform business recovery and continuity plans. Business Impact Analyses conducted at government agencies generally follow the same procedures and processes as those conducted in higher education settings, but the literature showed that government agencies use slightly different criteria to define the criticality level of functions. 
For example, both the Federal Emergency Management Agency and the National Institute of Standards and Technology Recommendations define the adverse impact of an event in terms of loss or degradation to the security goals of integrity, availability and confidentiality.73 In these types of analyses, vulnerability and magnitude of impact are ranked on three levels, high, medium, and low, as in many higher education settings. The difference is that the three ranking levels are defined by the government agencies in terms of the asset's vulnerability and the resulting levels of quantitative and qualitative costs to the organization.74 Although not strictly part of a BIA, some institutions include risk assessment in the BIA critical services/activities/functions/resources prioritization process. This includes ranking the risks or threats associated with critical services/activities/functions/resources by the probability of occurrence and then aligning this information with impact levels to help prioritize critical functions in terms of risk. Provided below is an example of this alignment of risk and impact level.

Figure 3: Risk-Level Matrix

Threat Likelihood    Impact: Low (10)         Impact: Medium (50)       Impact: High (100)
High (1.0)           Low (10 x 1.0 = 10)      Medium (50 x 1.0 = 50)    High (100 x 1.0 = 100)
Medium (0.5)         Low (10 x 0.5 = 5)       Medium (50 x 0.5 = 25)    Medium (100 x 0.5 = 50)
Low (0.1)            Low (10 x 0.1 = 1)       Low (50 x 0.1 = 5)        Low (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

Figure from: Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. Table 3-6. Risk-Level Matrix. National Institute of Standards and Technology. <http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf>

70 Stanford University. Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements. Op.cit.
71 Ibid.
72 Ibid.
73 Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology. <http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf> and Federal Emergency Management Agency. Emergency Management Guide for Business and Industry: A Step-by-Step Approach to Emergency Planning, Response and Recovery for Companies of All Sizes. October 1993. <http://www.fema.gov/pdf/business/guide/bizindst.pdf>
74 Stoneburner, Goguen, and Feringa, Op.cit.
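The Risk-Level Matrix above reduces to a likelihood weight multiplied by an impact magnitude, then banded by the risk scale. The following is an added example, written for this page and not taken from the Hanover report or the NIST guide it cites: it rebuilds the full 3x3 matrix from the figure's weights and scale, and then applies the same scoring to a constructed inventory of critical functions so that they can be ordered for recovery planning. The function names, the sample functions and their likelihood, impact and RTO ratings are all constructed for illustration.

```python
"""Added example: the Figure 3 Risk-Level Matrix as a reusable scoring
function, used to prioritize a constructed list of BIA critical functions."""

# Likelihood weights and impact magnitudes as given in the Risk-Level Matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Raw risk = likelihood weight x impact magnitude (e.g. 0.5 x 50 = 25).
    Rounded so that 0.1 x 100 compares cleanly against the band edges."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Band a raw score using the figure's risk scale:
    High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Rebuild the full matrix: {(likelihood, impact): (score, level)}."""
    matrix = {}
    for lk in LIKELIHOOD:
        for im in IMPACT:
            score = risk_score(lk, im)
            matrix[(lk, im)] = (score, risk_level(score))
    return matrix


# Constructed sample inventory as it might come back from a BIA questionnaire.
# Each entry: (function, threat likelihood, impact level, RTO in hours).
SAMPLE_FUNCTIONS = [
    ("Student records system", "Medium", "High", 4),
    ("Payroll processing", "Low", "High", 24),
    ("Campus email", "High", "Medium", 8),
    ("Internal test environment", "Medium", "Low", 72),
]


def prioritize(functions=SAMPLE_FUNCTIONS):
    """Order functions for recovery planning: highest risk band first, then
    higher raw score, then shorter RTO. Returns (name, score, level, rto)."""
    band_rank = {"High": 3, "Medium": 2, "Low": 1}
    scored = []
    for name, likelihood, impact, rto in functions:
        score = risk_score(likelihood, impact)
        scored.append((name, score, risk_level(score), rto))
    scored.sort(key=lambda row: (-band_rank[row[2]], -row[1], row[3]))
    return scored


if __name__ == "__main__":
    for (lk, im), (score, level) in risk_matrix().items():
        print(f"likelihood={lk:<6} impact={im:<6} -> {score:>5} {level}")
    for row in prioritize():
        print(row)
```

Note that two functions with the same raw score (here a Medium-likelihood/High-impact system and a High-likelihood/Medium-impact one, both scoring 50) fall into the same band; the example uses the shorter RTO gathered by the BIA to break the tie, which is where the risk ranking and the impact analysis described in the text meet.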
While the identification of critical business functions and processes to the institution's or department's mission is the primary goal of the impact analyses, most higher education institutions and government agencies use the BIA and the information obtained therein to inform a broader business recovery and continuity plan. Information concerning critical processes and the time period within which these processes must resume operations after a disruption to business was used as part of the disaster mitigation and business recovery plan at the majority of the institutions surveyed, including Texas A&M University, the University of Nebraska Lincoln, the Connecticut Community College System, Northern Arizona University, the University of Arizona, the University of Texas at Austin, Michigan State University, Georgia Institute of Technology, Pennsylvania State University, and Iowa State University. Specific outcomes desired from the BIA include the determination of cross-dependencies among departments within an organization, including the ability to define dependencies as upstream, or external processes that the process relies upon, and downstream, or external processes that rely on the process and will be affected by its failure.75 Recovery Time Objectives, or the desired amount of time it should take to restore a service, and Recovery Point Objectives, or the maximum amount of data the organization can lose before a negative impact is felt, are also included as goal outcomes of the BIA.76

75 Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110, Op.cit.
76 Ibid, The Global Information Assurance Certification, op.cit, and North Carolina State University. Policies, Regulations & Rules: Developing Business Continuity and Disaster Recovery Plans. <http://www.ncsu.edu/policies/campus_environ/REG04.00.7.php>
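The upstream/downstream dependency outcome described above, together with the RTO figures the BIA collects, can be worked through mechanically once the questionnaire answers are in hand. The following is an added example, not part of the Hanover report or of any institution's procedure it cites: from a constructed list of "relies on" relationships it computes the upstream set (what a process depends on) and the downstream set (what its failure affects), ranks processes by how much depends on them, and runs one assumed consistency check that the text does not state but that follows from the definitions: if process X relies on process Y, Y must be restored no later than X, so Y's RTO must not exceed X's. All process names, RTO/RPO values and edges are constructed for illustration.

```python
"""Added example: cross-dependency analysis over BIA results.
Upstream = processes a process relies upon; downstream = processes that rely
on it and are affected by its failure. RTO consistency check is an assumed
extension, not something the report itself prescribes."""

from collections import deque

# Constructed sample: RTO and RPO (hours) collected per process by the BIA.
PROCESSES = {
    "campus network": {"rto": 2, "rpo": 0},
    "identity/authentication": {"rto": 2, "rpo": 1},
    "student records": {"rto": 4, "rpo": 1},
    "online registration": {"rto": 8, "rpo": 1},
    "payroll": {"rto": 24, "rpo": 24},
    "hr database": {"rto": 48, "rpo": 24},
}

# Constructed "relies on" edges: (dependent process, process it relies upon).
RELIES_ON = [
    ("identity/authentication", "campus network"),
    ("student records", "identity/authentication"),
    ("online registration", "student records"),
    ("online registration", "identity/authentication"),
    ("payroll", "hr database"),
    ("payroll", "identity/authentication"),
]


def _closure(start, edges):
    """Breadth-first transitive reachability over edges, excluding start."""
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def upstream(process, edges=RELIES_ON):
    """Everything `process` relies upon, directly or transitively."""
    return _closure(process, edges)


def downstream(process, edges=RELIES_ON):
    """Everything that will be affected if `process` fails (reversed edges)."""
    return _closure(process, [(dst, src) for src, dst in edges])


def rank_by_blast_radius(processes=PROCESSES, edges=RELIES_ON):
    """Processes ordered by how many others their failure would affect."""
    return sorted(processes, key=lambda p: (-len(downstream(p, edges)), p))


def rto_conflicts(processes=PROCESSES, edges=RELIES_ON):
    """Assumed check: if X relies on Y, Y's RTO must not exceed X's RTO.
    Returns [(dependency, dependent, dependency_rto, dependent_rto)]."""
    conflicts = []
    for dependent, dependency in edges:
        dep_rto = processes[dependency]["rto"]
        own_rto = processes[dependent]["rto"]
        if dep_rto > own_rto:
            conflicts.append((dependency, dependent, dep_rto, own_rto))
    return conflicts


if __name__ == "__main__":
    for name in rank_by_blast_radius():
        print(f"{name:<24} affects {sorted(downstream(name))}")
    print("upstream of online registration:", sorted(upstream("online registration")))
    print("RTO conflicts:", rto_conflicts())
```

In the constructed data the payroll process declares a 24-hour RTO while relying on an HR database whose RTO is 48 hours, which the check surfaces as a conflict to be resolved in the recovery plan rather than discovered during an outage.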
Stoneburner, Goguen, and Feringa, Op.cit.
The Global Information Assurance Certification, Op.cit.
BIA. Interestingly, both of these schools had smaller enrollment sizes than most of the other profiled institutions (Stanford University has an enrollment of 19,872 students and Baylor University has an enrollment of 14,174 students). Please see Figure 4 below for details and the report's Appendix for links to BIA templates used by a selection of the higher education institutions profiled. Discontinuities between a few of the institutions profiled below and the institutions profiled in alternate sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report. Despite the lack of data, this report attempts to achieve as much overlap as possible concerning the institutions profiled and reviewed for best practice BIA methodologies.

Figure 4: Approach Used in BIAs Performed in Institutions of Higher Education
Columns: Institution (Enrollment79): BIA Approach Used

Virginia Community College System (93,198): Three separate BIA forms are administered to departments. The first form identifies all business activities and ranks their importance; the second form determines all applications and manual processes for business activities ranked most highly in form 1. The third form describes the systems ranked as critical on form 2.80

Pennsylvania State University (approx. 90,00081): Provide training for BIA and Risk Assessment for Recovery Coordinator and Unit Managers. Recovery Coordinators distribute the BIAs to appropriate units and Unit Managers. BIA results are then reviewed for completeness by the Recovery Coordinator and reported to management.82 Strohl Systems BIA Professional software is used to help create the survey, collect and analyze data.83

University of Texas at Austin (50,170): Post on-line instructions84 to help business process units complete the posted Business Analysis Template.85

Texas A&M University (46,542): Questionnaire administered to departments. Training for personnel on business continuity plan after BIA administration.86

Michigan State University (46,045): Coordinator/project leader and functional unit administrators work to identify critical functions and processes, then interview information systems support personnel and business unit personnel. These results are then analyzed in order to complete a Risk Assessment.87

Connecticut Community College System (43,33588): Use of a questionnaire and interview process, as well as a technical review of current capabilities and practices. Information used to determine recovery options.89

University of Arizona (37,217): Used Strohl BIA software to help create a Critical Functions Assessment Survey and aid in the planning process.90

Texas Tech University System (28,260): Hired an outside consultant to administer BIA.91

Iowa State University (26,160): Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.92

Old Dominion University (22,287): Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.93

Northern Arizona University (21,347): Review relevant documentation, including critical success factors, strategic plans, budget measurements, etc. to build an understanding of organizational structure. Conduct interviews with College/Department leadership to gather data on operations, and compile the results of the interviews into business flows that describe core processes and flow of information/goods/services.94

Stanford University (19,782): Hired an outside consulting group (IBM).95

Georgia Tech (18,742): Use of trained BIA evaluators to administer a survey to each institution unit, and then develop a business continuity plan based on BIA results.96 Survey is a multiple choice self-assessment.97

Baylor University (14,174): Hired an outside consultant to administer BIA.98

79 Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
80 Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
81 Pennsylvania State University. Live: The University's Official News Source. Op.cit.
82 Pennsylvania State University. Administrative Information Services: Recovery Planning Process. Op.cit.
83 Pennsylvania State University. PSU Business Continuity Blog: The Misunderstood Business Impact Analysis (BIA). <http://www.personal.psu.edu/psd5/blogs/Business_Continuity/2007/10/bia-and-the-rto.html>
84 University of Texas at Austin. Information Security Office: Risk Management Services Disaster Recovery Planning Instructions and Templates. Op.cit.
85 University of Texas at Austin. BIA Template. <http://security.utexas.edu/risk/planning/UT-Austin-BIA-Template.doc>
86 Texas A&M University. University Risk and Compliance: University-Wide Risk Management URC Business Continuity Checklist. Op.cit.
87 Michigan State University. Disaster Recovery Planning: Planning Guide: Michigan State University Unit Guide to Disaster Recovery Planning Complete with Step by Step Guide and Forms and Sample Plan Template. <http://www.drp.msu.edu/Documentation/UnitGuideDisasterRecoveryPlanningVer3_complete.doc>
88 Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. Spring 2004 Credit Enrollment Report, February 23, 2004. Pg. 4. <http://www.commnet.edu/planning/Research/Enrollment/CreditEnrollment/Spring/Spring_2004.pdf>
89 Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. Op.cit.
90 The University of Arizona. University Information Technology Services: Business Impact Analysis. Op.cit.
91 Texas Tech University System. Minutes: Board of Regents, October 27, 2006. <http://www.irs.ttu.edu/reports/statereports/SYSTEM/Minutes/BoardMinutes102706.pdf>
92 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
93 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
94 Northern Arizona University. Comptroller's Office Policies and Procedures Manual: CMP 110, Op.cit.
95 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit.
96 Georgia Institute of Technology. Welcome to the Georgia Tech Risk Self Assessment Program. Op.cit.
97 Georgia Institute of Technology. Self-Assessment Questionnaire. <http://www.risks.gatech.edu/survey.htm>
98 Hanover Research Council Interview with Baylor University, November 4, 2008.
[Page partially recovered: only the enrollment figures 93,198 and 26,160 of this table survive; the remaining cells are not recoverable.]

99 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description, Op cit.
100 Ibid.
101 Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
102 Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
103 Ibid.
104 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
Columns: Institution (Enrollment101): Individual(s) Responsible for BIA oversight; Responsibilities

Pennsylvania State University (approx. 90,000106): Management Planning team, which includes the BIA sponsor, recovery coordinator and two unit managers who are knowledgeable of the recovery planning process and manage the critical service on a daily basis.107 Responsibilities: [cell not recoverable]108

Texas A&M University (46,542): A Business Continuity Coordinator is assigned within each department to coordinate the continuity plan, including the BIA, act as an interdepartmental liaison, and assemble a Departmental Continuity Committee.109 Responsibilities: [cell not recoverable]110

Michigan State University (46,045): A BIA Coordinator/Project leader in conjunction with functional unit administrators such as chairpersons, assistant directors, associate directors, department chairs or directors.111 Responsibilities: [cell not recoverable]112

North Carolina State University (31,802): Business Continuity and Disaster Recovery Oversight Committee composed of a cross section of academic and administrative leaders. Also included is a Cohort Coordinator.113 Responsibilities: [cell not recoverable]114

105 Ibid.
106 Pennsylvania State University. Live: The University's Official News Source. Op.cit.
107 Pennsylvania State University. Administration Information Services: Recovery Planning Process, Op cit.
108 Ibid.
109 Texas A&M University. University Risk and Compliance, Op.cit.
110 Ibid.
111 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. <http://www.drp.msu.edu/Documentation/StepbyStepGuide.htm>
112 Ibid.
113 North Carolina State University. Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans. Op.cit.
114 Ibid.
Columns: Institution (Enrollment101): Individual(s) Responsible for BIA oversight; Responsibilities

University of Nebraska Lincoln (22,973): Individuals responsible for BIA oversight include a sponsor, project manager, management from the Information Services Executive Committee, and other stakeholders, including coordinators of Information Security Critical Services. The Project Team for the Disaster Mitigation Plan includes a communications and operations unit, an instructional technology group, and an enterprise information solutions component.115 Responsibilities: Must hold weekly meetings or more with meeting minutes posted as IS intends. Responsible for completing the following deliverables: criteria to develop list of critical services, list of critical services, components and resources of critical services, redundancy of resources, and mitigation plan for each critical service.116

Old Dominion University (22,287): The Office of Computing and Communications Services.117 Responsibilities: Ensure report is completed on time. Responsible for reporting the BIA to management. Must be able to use understanding of university operations and interaction of department with central systems and operations to enhance analysis.118

Stanford University (19,782): [cell not recoverable]119 Responsibilities: N/A

Georgia Tech (18,742): Departmental personnel are selected to become part of the BIA/Risk Assessment Team.120 Responsibilities: Responsible for the timely completion of the BIA and for reporting the BIA to management. Also responsible for assuring risks are reviewed and addressed, updates are made to the initial report, and that a process is in place for an annual BIA performance. Responsible for forming a team to help with this maintenance process.121

115 University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit.
116 Ibid.
117 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
118 Ibid.
119 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit.
120 Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description. Op cit.
121 Ibid.
Columns: Institution (Enrollment101): Individual(s) Responsible for BIA oversight; Responsibilities

Baylor University (14,174): Outside consulting group.122

Longwood University (4,727): Departmental Team Leaders will be directed by the Information Security Office and provided with information and training sessions to aid in Team Leaders' BIA completion.123 Responsibilities: [cell not recoverable]124

122 Hanover Research Council contact with Baylor University, November 4, 2008.
123 Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. Op.cit.
124 Ibid.
125 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
Columns: Institution (Enrollment126): Individual(s) Responsible for BIA Governance; BIA Governing Body Responsibilities

Virginia Community College System (93,198): College Presidents and System Office Vice Chancellors.127 Responsibilities: Review all business functions and can initiate additional reviews to isolate specific business functions at the governing body's discretion.128

Pennsylvania State University (approx. 90,000129): Sponsor.130 Responsibilities: Must be able to make decisions that can affect the organization, determine constraints and limitations for organizational recovery planning, ensure the project stays on focus, and have an overall understanding of the organization and recovery planning process.131

Texas A&M University (46,542): University Risk and Compliance Office.132 Responsibilities: Provides tools and resources for individuals who will complete or are completing BIAs and Risk Assessments.133

Michigan State University (46,045): Dean of department134 and the Client Advocacy Office.135 Responsibilities: Dean must approve BIA,136 and the Client Advocacy Office coordinates the Disaster Recovery Planning Team.137

North Carolina State University (31,802): Department Head, Dean or Vice Chancellor sign off on final BIA approval. Chancellor appoints Business Continuity and Disaster Recovery Oversight Committee.138 Responsibilities: Reviews annual reports from Committee, must approve and sign off on BIA.139

126 Enrollment data is taken from the NCES IPEDS database unless otherwise noted.
127 Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit.
128 Ibid.
129 Pennsylvania State University. Live: The University's Official News Source. Op.cit.
130 Pennsylvania State University. Administration Information Services: Recovery Planning Process. Op.cit.
131 Ibid.
132 Texas A&M University. University Risk and Compliance: Business Continuity Planning. <http://universityrisk.tamu.edu/BusinessContinuityTools.aspx>
133 Ibid.
134 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. Op.cit.
135 Michigan State University. Disaster Recovery Planning: About. <http://www.drp.msu.edu/about_the_site.htm>
136 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. Op.cit.
137 Michigan State University. Disaster Recovery Planning: About. Op.cit.
138 North Carolina State University. Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans. Op.cit.
Columns: Institution (Enrollment126): Individual(s) Responsible for BIA Governance; BIA Governing Body Responsibilities

Iowa State University (26,160): IT Security and Policies Department and the Chief Information Officer.140 Responsibilities: Establishes policies to ensure the university has a secure information technology environment. CIO receives BIA report.141

University of Nebraska Lincoln (22,973): [cell not recoverable]142 Responsibilities: The sponsor must attend one-on-one monthly meetings with the Project Manager, and the Executive Committee must attend meetings quarterly. The Project Manager must prepare an initial draft of the statement of work and communications plan for the BIA/Risk Assessment and submit the plan to stakeholders for their review.143

Old Dominion University (22,287): Office of Computing and Communications Services and the Commonwealth of Virginia SEC2001-01.1.144 Responsibilities: Required to mandate the performance of a BIA and a Risk Assessment at a minimum of every three years.145

Stanford University (19,782): University Emergency Management program.146 Responsibilities: Assessing the University's emergency management capabilities and initiating recovery planning activities such as BIA performance at its discretion.147

Georgia Tech (18,742): [cell not recoverable]148 Responsibilities: Host annual information sessions and provide a point of contact for departments completing the BIA process.149

139 Ibid.
140 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.
141 Ibid.
142 University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit.
143 Ibid.
144 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit.
145 Ibid.
146 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit.
147 Ibid.
148 Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description, Op cit.
149 Ibid.
Columns: Institution (Enrollment126): Individual(s) Responsible for BIA Governance; BIA Governing Body Responsibilities

Baylor University (14,174): Risk Management Department.150 Responsibilities: Responsible for providing business continuity and risk management services.151

Longwood University (4,727): [cell not recoverable]152 Responsibilities: CIO or designee may initiate a BIA on any entity/department throughout the University. Vice Presidents are responsible for the execution, development and implementation of business remediation programs.153

150 Baylor University. Risk Management: Crisis Management. <http://www.baylor.edu/risk_management/index.php?id=49706>
151 Ibid.
152 Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. Op.cit.
153 Ibid.
Appendix

Links to BIA Templates

Northern Arizona University: http://www4.nau.edu/comptr/docs/BCP%20Template.doc
University of Arizona: http://web.arizona.edu/~ccit/index.php?id=976
Texas A&M University: http://universityrisk.tamu.edu/DataFiles/BC-Plan-Template.doc
[institution name not recoverable]: http://www.njcu.edu/assoc/njcuitma/documents/addendums/Sample_BIA_Report.pdf
Note
This brief was written to fulfill the specific request of an individual member of The Hanover Research Council. As such, it may not satisfy the needs of all members. We encourage any and all members who have additional questions about this topic or any other to contact us.
Caveat
The publisher and authors have used their best efforts in preparing this brief. The publisher and authors make no representations or warranties with respect to the accuracy or completeness of the contents of this brief and specifically disclaim any implied warranties of fitness for a particular purpose. There are no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or extended by representatives of The Hanover Research Council or its marketing materials. The accuracy and completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice and strategies contained herein may not be suitable for every member. Neither the publisher nor the authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Moreover, The Hanover Research Council is not engaged in rendering legal, accounting, or other professional services. Members requiring such services are advised to consult an appropriate professional.