Hanover Research

November 2008

Business Impact Analyses in Higher Education: An Outline of Methodologies

In the following report, The Hanover Research Council reviews the performance of Business Impact Analyses (BIAs) in institutions of higher education along with some government agencies.

2008 The Hanover Research Council

Hanover Research

November 2008

Introduction
In the following pages, The Hanover Research Council provides background on the development and use of Business Impact Analyses (BIA) in institutions of higher education, governmental auditing agencies and the Information Technology industry. The methodologies and framework of BIA performance in a higher education setting, including scope, framework, approach, oversight, and governance are then reviewed in more detail. Information concerning BIA performance at the institutions studied in this report indicates that higher education institutions regardless of enrollment size follow BIA methodologies and frameworks that are similar to each other and to those recommended in best practice and industry literature. The report is organized as follows: Section One: Business Impact Analyses (BIA) Defined: In this section, we define BIAs, including the process, usage and importance of this type of analysis in business continuity and recovery planning for institutions of higher education, governmental agencies, and private business. Section Two: Methodologies of Business Impact Analyses: Initial Development: In this section, we review best practice literature concerning the developing and planning phases of Business Impact Analyses, with particular emphasis on the process of development and planning for data collection. Also reviewed are industry recommendations concerning the development of the BIA questionnaire and suggested components of the questionnaire. Section Three: Methodologies of Business Impact Analyses: Scope: In this section, we analyze the scope, purpose and any additional information concerning BIA performance in 14 institutions of higher education to determine common methodologies and best practices for BIA performance in higher education. Section Four: Methodologies of Business Impact Analyses: Framework: In this section, we review best practice literature and information concerning the BIA frameworks used in institutions of higher education and governmental agencies. BIA framework is discussed as a set of three major components: (1) Plan development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals. Section Five: Methodologies of Business Impact Analyses: Approach: In this section, we review best practice literature and the various approaches used in BIA performance in higher education settings to determine common approaches used in successful Business Impact Analyses.
2

2008 The Hanover Research Council

Hanover Research

November 2008

Section Six: Methodologies of Business Impact Analyses: Oversight: In this section, we review best practice literature and the individuals involved in overseeing the BIA performance and their associated responsibilities to determine commonalities and best practices in the oversight of Business Impact Analyses. Section Seven: Methodologies of Business Impact Analyses: Governance: In this section, we review the literature about the individuals involved in BIA governance and their associated responsibilities to determine commonalities and best practices in the governance process associated with Business Impact Analyses. Section Eight: Appendix: The Appendix includes a links to sample BIA templates from a variety of intuitions of higher education profiled in this report.

2008 The Hanover Research Council

Hanover Research

November 2008

Business Impact Analyses (BIA) Defined

As a part of the foundation of all business continuity planning,1 a Business Impact Analysis (BIA) identifies the operational (qualitative) and financial (quantitative) impact of an inoperable or inaccessible core process on a College/Departments ability to conduct its critical business processes.2 The BIAs analysis of the effect of different external and internal impacts on various components of an organization, with particular emphasis on the effect of negative impacts on critical business and Information Technology (IT) processes,3 makes it an important tool that enables organizations to respond and recover effectively and efficiently from a disruption to business.4 Additionally, a BIA provides management with essential information, including the identification of the most critical/time sensitive business departments; the most critical resources required by each department; the necessary availability of these resources; alternative business locations in the case of an unplanned disruption to work; and the reasons for the recovery of critical departments and resources.5 The analysiss identification of critical resources, functions or processes for a business is related to the BIAs ability to identify high availability services, defined as those critical resources, functions or processes whose negative operational impact as a result of a disruption to the service can be mitigated through the use of process or resource redundancy.6 The compilation of this information provides organizations with an analytic and economic basis for risk-based decision making and resource allocation that is separate from risk analysis. While risk analyses identify the most probable threats to an organization and analyze the related vulnerabilities of the organization to those threats,7 Business Impact Analyses involve the identification of critical business units,
The University of Arizona. University Information Technology Services: Business Impact Analysis. <http://web.arizona.edu/~ccit/index.php?id=974> 2 Northern Arizona University. Comptrollers Office: NAU Business Continuity and Disaster Recovery. <http://home.nau.edu/comptr/businesscontinuity.asp> 3 Global Information Assurance Certification (GIAC). Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP): Business Impact Analysis. <http://www.giac.org/resources/whitepaper/planning/122.php> 4 The University of Arizona. University Information Technology Services: Business Impact Analysis. Op.cit. 5 Connecticut Community Colleges. SunGard Availability Services: Business Impact Analysis (BIA). <http://64.233.169.104/search?q=cache:rI9oeuNbxPUJ:www.commnet.edu/IT/docs/BIA-Kickoff20050714.ppt+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=7&gl=us> 6 Stanford University. Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements. <http://stanford.edu/dept/itss/docs/oracle/10g/server.101/b10726/hadesign.htm>
1 7

Texas State Office of Risk Management. Business Continuity Impact Analysis.

2008 The Hanover Research Council

Hanover Research

November 2008

the quantitative costs - such as cash flow, replacement of equipment, salaries paid to catch up with work backlog, loss of profits - as well as the qualitative costs - such as impacts on safety, marketing, legal compliance, quality assurance and public image that are effected in the event of a disruption.8 The process of the BIA usually involves five steps:9 Project Planning, Data gathering, Data analysis, Documentation of the findings, and, Management review and signoff

While the management of a BIA may be completed either intra-organizationally or by an outside consulting agency, the key benefits derived from the performance of a BIA are uniform across industries, organizations and departments. A BIA is an essential piece of an organizations Understanding of the financial and intangible impacts of a disruption to business ability to review critical processes to the organization; Identification of vital resources and high availability services; and Development of business recovery/continuity strategies.10

<http://www.sorm.state.tx.us/Risk_Management/Business_Continuity/bus_impact.php> SearchStorage.com. Definitions: What is business impact analysis? a definition from Whatis.com. <http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci820947,00.html> 9Global Information Assurance Certification (GIAC), Op.cit. 10 Ibid.
8

2008 The Hanover Research Council

Hanover Research

November 2008

Methodologies of Business Impact Analyses: Initial Development

The development and planning phase that occurs prior to the performance of a BIA is particularly important given the high degree of inter and intra-organization communication and cooperation that is needed during the BIA process. Best practice literature concerning BIA performance recommends that the professional(s) responsible for the establishment of the BIA process and methodology, coordination and planning of data collection and analyses, and preparation and presentation of the BIA to management should be able to implement the following components of BIA development and planning during the initial phase of the BIA:11
Establish the Business Impact Analysis Process and Methodology 1. Identify and obtain a sponsor for the Business Impact Analysis (BIA) activity 2. Define objectives and scope for the BIA process 3. Identify, define and obtain management approval for criticality criteria a. Recommend and obtain agreement as to how potential financial and nonfinancial impact can be quantified and evaluated b. Identify and obtain agreement on requirements for non-quantifiable impact information c. Establish definition and criticality scale (e.g., high, medium, low) d. Negotiate with management for acceptance of criticality scale 4. Choose an appropriate BIA planning methodology/tool a. Develop questionnaire and instructions as required b. Determine data analysis methods (manual or computer) c. Data collection via questionnaires i. Understand the need for appropriate design and distribution of questionnaires, including explanation of purpose, to participating departmental managers and staff ii. Manage project kick-off meetings to distribute and explain the questionnaire iii. Support respondents during completion of questionnaires iv. Review completed questionnaires and identify those requiring follow-up interviews

11

The following information is quoted verbatim from: The Institute for Continuity Management. Business Impact Analysis. <https://www.drii.org/professional_prac/profprac_business_impact_analysis.html>

2008 The Hanover Research Council

Hanover Research

November 2008

v. Conduct follow-up discussions when clarification and/or additional data is required d. Data collection via interviews only i. Provide consistency with the structure of each interview being predefined and following a common format ii. Ensure the base information to be collected at each interview is predefined iii. Enable interviewee to review and verify all data gathered iv. Schedule follow-up interviews if initial analysis shows a need to clarify and/or add to the data already provided e. Data collection via workshop i. Set a clear agenda and set of objectives ii. Identify the appropriate level of workshop participants and obtain agreement from management iii. Choose appropriate venue, evaluating location, facilities and participant availability iv. Facilitate and lead the workshop v. Ensure workshop objectives are met vi. Ensure all outstanding issues at the end of the workshop are identified and appropriate follow-up conducted 5. Determine report format, content and obtain management approval for next steps 6. Obtain agreement for management on final time schedule and initiate the BIA process Plan and Coordinate Data Gathering and Analysis 1. Identify all Organization Functions a. Collect and review existing organizational charts b. Identify the major areas of the organization 2. Identify and Train Knowledgeable Functional Management Representatives a. Identify specific individuals to represent in the collection process b. Inform the selected individuals of the BIA process and its purpose c. Identify training requirements and establish a training schedule and undertake training as appropriate

As can be seen from the steps outlined above, best practice literature concerning BIA development focuses on the need for communications between the individuals/department responsible for administering the BIA and the
7

2008 The Hanover Research Council

Hanover Research

November 2008

individuals/departments from which BIA data are collected.12 Additionally, it is important that a sponsor from within the upper management ranks of the organization is identified prior to data collection in order to increase interdepartmental cooperation with the data collection process and to approve the BIA so that subsequent steps of the business continuity management process may be completed.13 A crucial component of this initial development phase is the creation of a BIA questionnaire that will be able to effectively identify critical processes and resources for the organization. Literature recommends that the BIA questionnaire include the following elements:14 Function Description: Includes a brief description of the function being performed by the department/individual. Dependencies: Includes a description of the dependencies of the function being performed, including components and processes necessary for function performance. Impact Profile: Determines if there is a specific time or period of time in which the described function would be more vulnerable to risk/exposure or in which the impact to business would be greater. Operational Impacts: Determines the operational impact of a disruption to the function and time at which the operational impact of a disruption would be felt. Financial Impacts: Determines the financial impact of a disruption to the function and time at which the financial impact of disruption would be felt. Work backlog: Determines the time at which the backlog of work as a result of a disruption will begin to impact business processes. Recovery Resources: Determines the resources needed to support the function, including quantity of resources and the point at which they are needed after a disruption. Technology Resources: Determines the software/applications necessary to support the business function. This includes the need for standalone PCs or workstations and local area networks (LAN) to functioning. Work-around procedures: Determines the availability of manual workaround procedures in place that would enable continued performance after a disruption to the function.
Ibid. Ibid. 14 Texas State Office of Risk Management. Business Continuity Impact Analysis. Op.cit.
12 13

2008 The Hanover Research Council

Hanover Research

November 2008

Work-at-home: Determines the ability of employees to perform the function at home. Workload shifting: Determines the options for shifting workload to another part of the organization to minimize the impact of a disruption. Business records: Determines the business records needed to perform the function and the frequency at which records are saved and/or replicated. Regulatory reporting: Determines what regulatory documents are created as a result of the function. Work inflows: Determines the internal or external inputs necessary to perform the function. Business disruption experience: Determines if previous disruptions to business have occurred. Competitive Analysis: Determines if a competitive impact would occur as a result of a disruption to the function, and if so, the time of impact and potential customer loss. Other issues: Determines if there are other issues relevant to the success of function performance. These elements of the BIA questionnaire are used to identify the effects of disruptions and assess the impact of these effects. The identified effects of disruptions may include the loss of key personnel and physical, informational, financial and intangible assets, the resulting discontinuity of service and operations, and any resulting violations to law/regulation and the effect of public perception. Questions should also identify the financial and business impact as well as quantitative (including property loss, revenue loss, fines, cash flow, accounts receivable/payable, legal liability, human resources, additional expenses) and qualitative (human resources, morale, stakeholder confidence, legal, social and corporate image, financial community credibility) impacts. The accumulation of this information can help to inform recovery objectives and vital resources or processes to the organization.15 The following sections of this report will provide a detailed review of the scope, approach, framework, oversight and governance of the BIA implementation and performance. The analysis of BIA methodologies in higher education settings includes a review of BIA process and performance of individual institutions that is supplemented with best practice literature from industry experts.
15

The Institute for Continuity Management. Business Impact Analysis. Op.cit.

2008 The Hanover Research Council

Hanover Research

November 2008

In order to provide a diverse cross-section for analysis and determine if BIA methodologies vary with institution size, the institutions profiled in this report vary in size as measured by enrollment (from 93,198 students enrolled in the Virginia Community Colleges System to 4,727 students enrolled in Longwood University).

10

2008 The Hanover Research Council

Hanover Research

November 2008

Methodologies of Business Impact Analyses: Scope

The Hanover Research Councils review of the scope of Business Impact Analyses performed by various institutions of higher education, including the Virginia Community College System, Pennsylvania State University, University of Texas at Austin, Texas A&M University, Michigan State University, Connecticut Community College System, University of Arizona, North Carolina State University, University of Nebraska Lincoln, Old Dominion University, Northern Arizona University, Stanford University, Georgia Institute of Technology, and Longwood University, revealed that the majority of BIA performed in a educational setting took place on a departmental level, and that Information Technology departments were particularly likely to undergo a BIA. While at many higher education institutions, multiple departments performed BIAs at the same time, the primary level of BIA administration and analysis was within individual departments rather than throughout the institution. The size of the institution did not appear to affect the scope or purpose of the BIA at any of the institutions profiled. Figure 1 below reviews the detailed scope of each intuitions BIA. Three of the institutions featured below, Virginia Community College System, Old Dominion University, and Longwood University, are located in Virginia and are required by law to perform a routine BIA to (1) define minimum requirements for the agency/organization/institutions information technology security program, (2) promote secure communications and protect information resources, and (3) facilitate the alignment and adaptation of security technology to the needs of business and Virginia.16 Discontinuities between a few of the institutions profiled below and the institutions profiled in alternate sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report (scope, framework, approach, oversight, and governance) concerning BIA performance. Despite this lack of data, this report attempts to achieve as much overlap as possible concerning the institutions profiled and reviewed for best practice BIA methodologies.

16Commonwealth

of Virginia. Information Technology Resource Management Standard: Information Technology Security Standard. Pg.1. <http://www.vita.virginia.gov/uploadedFiles/Library/COVA_STMGT_Security_Std_REV.pdf >

11

2008 The Hanover Research Council

Hanover Research Figure 1: Scope of Business Impact Analyses Performed in Institutions of Higher Education
Institution Enrollment17 Participating Units Purpose
To identify critical business functions associated with the organizational units participating in the BIA in order to comply with Virginias COV ITRM Standard SEC200101.1.21

November 2008

Additional Information
For more information on Virginias COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles /Library/COVA_STMGT_Security_Std_RE V.pdf>

Virginia Community College (VCC) System 93,19818

Covers all System Office, VCC Utility and college business processes and supporting applications, however19, analysis takes place on a departmental level.20

Piloted in 2005 to the Academic Services and Emerging Technologies Dept., the Pennsylvania State University Consulting and Support Services Dept., the Approx. 90,00022 Digital Library Technologies Dept., the Teaching and Learning with Technology Dept., and the Telecommunications and Networking Services Dept.23 Enrollment data is taken from the NCES IPEDS database unless otherwise noted. Enrollment figure represents the Annualized FTE Enrollment, 2005-06. Figure from: The Virginia Community College System. Virginia Community College System Enrollment Report. Pg. 1. <http://www.schev.edu/Reportstats/EnrollmentReportApp/InstProfiles2007/VCCS.pdf> 19 Virginia Community College System. Technology Models: Business Impact Analysis. <http://system.vccs.edu/ITS/models/bia.htm> 20 Texas A&M University. University Risk and Compliance: University-Wide Risk Management. <http://universityrisk.tamu.edu/BusinessContinuityTools.aspx > 21 Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit. 22 Pennsylvania State University. Live: The Universitys Official News Source. <http://live.psu.edu/image/21894 > 23 Pennsylvania State University. Administrative Information Services Online Newsletter: November 2005. <http://ais.its.psu.edu/news/nov_2005.html> 24 Ibid.
17 18

Develop the necessary training and tools to assist with disaster recovery efforts.24

N/A

12

2008 The Hanover Research Council

Hanover Research
Institution
University of Texas at Austin

November 2008
Enrollment17 Participating Units Purpose
Identify critical processes within an 50, 170 All University departments.25 organization to determine the impact of a disruption to business and create ways to work around disruptions to processes.26 Texas A&M includes the BIA process as part of its Enterprise Risk Management program, an emerging model at institutions of higher education where risk management is integrated and coordinated across the university as a whole.29 Identify and prioritize critical systems. Use the information recovered from the BIA, such as the identification of common elements of N/A

Additional Information

Texas A&M University

Has a university-wide risk management and 46,542 business continuity plan in place that includes a BIA component.27

Identify events that may affect the organization and manage risks in order to aid business continuity and recovery objectives.28

Michigan State University

46,045

BIA conducted at University-Unit level.30

plausible disruptions that might disrupt critical units, the anticipation of the impact of these disruptions, and the development of contingent responses for a timely recovery, to form a Unit Disaster Recovery Planning Project.31

N/A

University of Texas at Austin. Information Security Office: Risk Management Services Disaster Recovery Planning Instructions and Templates. <http://security.utexas.edu/risk/planning/ > 26 Ibid. 27 Texas A&M University . University Risk and Compliance: University-Wide Risk Management. <http://universityrisk.tamu.edu/moreRiskMgmtDefn.aspx> 28 Ibid. 29 Ibid. 30 Michigan State University. Michigan State University Unit Guide to Disaster Recovery Planning Overview. <http://www.drp.msu.edu/Documentation/UnitGuideDisasterRecoveryPlanningVer3_lite.doc> 31 Ibid.
25

13

2008 The Hanover Research Council

Hanover Research
Institution Enrollment17 Participating Units
All Academic departments, Student Records department, Financial Aid Connecticut Community College System 43,33532 departments, Finance/Budget business units, Human Resources departments, Legal departments, Libraries, and Institutional Departments, as well as all Information Technology networks and applications.33 Enable the University to prepare for and University of Arizona 37,217 All University departments.35 respond to disruptions through the identification of priorities, strategies, and solutions for managing continuity/recovery.36 30 business units at the University North Carolina State University participated, including Administrative 31,802 Services, Budget Office, Controllers Office, and Enrollment Management Services.37
32

November 2008
Purpose Additional Information

Determine recovery objectives for critical business units based upon the business impact of units.34 N/A

N/A

For each business unit, identify university functions, functional area representatives, criticality criteria, RTOs, and RPOs, as well as present criticality criteria to an oversight committee.38 N/A

Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. Spring 2004 Credit Enrollment Report February 23, 2004. Pg. 4. <http://www.commnet.edu/planning/Research/Enrollment/CreditEnrollment/Spring/Spring_2004.pdf> 33 Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. <http://64.233.169.104/search?q=cache:rI9oeuNbxPUJ:www.commnet.edu/IT/docs/BIA-Kickoff20050714.ppt+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=7&gl=us > 34 Ibid. 35 The University of Arizona. University Information Technology Services: Business Impact Analysis, Op cit. 36 Ibid. 37 For a complete listing of participating business units, please see: North Carolina State University. BIA: OIT Organizational Resilience. <http://www.fis.ncsu.edu/or/history/history_funcreq_bia.htm >.

14

2008 The Hanover Research Council

Hanover Research
Institution Enrollment17 Participating Units
Critical services provided by Information University of Nebraska - Lincoln 22,973 Security (IS) to support the technology of the University. No systems external to IS are covered.39

November 2008
Purpose
Identify and prioritize critical services supported by IS and work with the coordinators of the services to review or develop a plan for each service to minimize the negative effects in the event of a disaster.40 For more information on Virginias COV Identify assets and associated risks within the ITRM Standard SEC2001-01.1, a law providing protections for state institutions information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles /Library/COVA_STMGT_Security_Std_RE V.pdf> Stanford has already undergone a BIA of its Determine vulnerabilities and dependencies financial systems conducted by IBM, however, the University believes that there is need for a larger scope to address other systems necessary to operations.44 University, determine the importance of these 22,287 University-wide administration assets and identify safeguards in compliance with Virginias COV ITRM Standard SEC200101.141 N/A

Additional Information

Old Dominion University

Stanford University

19,782

Focus on University financial systems.42

between core business processes to assist in the development of response and recovery plans. 43

Ibid. University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. <http://is.unl.edu/about/documents/Disaster%20Mitigation.PDF> 40 Ibid. 41 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. <http://64.233.169.104/search?q=cache:0wSgnLEwyjkJ:occs.odu.edu/security/risk/Risk_Assess_Us ers_Guide.doc+business+impact+analysis+site:.edu&hl=en&ct=clnk&cd=39&gl=us&client=firefox-a> 42 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. <http://facultysenate.stanford.edu/2005_2006/reports/SenD5790_emerg_prepare.pdf> 43 Ibid 44 Ibid.
38 39

15

2008 The Hanover Research Council

Hanover Research
Institution Enrollment17 Participating Units Purpose

November 2008
Additional Information
Department identified as relevant for risk assessments: Academic Departments (which collect financial data during payment of fees for affiliated programs), Accounts Payable, Admissions, Alumni, Aquatic Center, Athletics (including Summer Sports Camps), Bookstore, Central Ticket Office, Library, Dental Hygiene, Dining Services, Distributed Learning, Financial Aid Office, Health Center, High Altitude Sports Training Complex, IT Services, Inn at NAU, Mountain Campus Card Office, Office of the Bursar, Parking Services, Performing Arts (Including Summer Music Camps), Postal Services, Property Administration, Purchasing Services, Recreation Center, Registrar's Office, Residence Life, Skydome, Transportation Services, and University Advancement.47

To identify core business processes and to establish risk management and disaster recovery Northern Arizona University 21,347 All NAU College campuses and departments.45 planning processes to respond to business disruptions and risks associated with the Universitys loss of its ability to execute core processes.46

Enable all units to be able to uniformly assess All academic and administrative units, Georgia Tech 18,742 including Human Resources and Information Technology.48 and develop strategies for identification, assessment and mitigation of risks to Information Systems and to comply with regulatory requirements.49 N/A

Northern Arizona University. NAU Business Continuity and Disaster Recovery Site. <http://home.nau.edu/comptr/businesscontinuity.asp> 46 Ibid. 47 Northern Arizona University. Comptrollers Office Policies and Procedures Manual: CMP 110: Information Security Plan for Northern Arizona University. <http://www4.nau.edu/comptr/policies_procedures/com110.html> 48 Georgia Institute of Technology. Welcome to the Georgia Tech Risk Self Assessment Program. Business Analysis IT Risk Document. <http://www.risks.gatech.edu/Documents/SelfAssessment/Risk%20Assessment%20Process%20Rev727.PDF > 49 Ibid.
45

16

2008 The Hanover Research Council

Hanover Research
Institution Enrollment17 Participating Units Purpose
Identify assets and associated risks within the Longwood University University, determine the importance of these 4,727 University- wide administration.50 assets and identify safeguards in compliance with Virginias COV ITRM Standard SEC200101.1.51

November 2008
Additional Information
For more information on Virginias COV ITRM Standard SEC2001-01.1, a law providing protections for state institutions information technology resources, please see: <http://www.vita.virginia.gov/uploadedFiles /Library/COVA_STMGT_Security_Std_RE V.pdf>

Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. <http://www.longwood.edu/vpaf/final_policy_base/6000/6126.htm> 51 Ibid.
50

17

2008 The Hanover Research Council

Hanover Research

November 2008

Methodologies in Business Impact Analyses: Framework

While the identification of critical resources is no easy task, the development of an appropriate framework for the organizations BIA is a critical component of the successful completion of the analysis.52 A review of higher education institutions and government agencies reveals that although criticality definitions and assets vary among organizations, the general framework of Business Impact Analyses tends to be relatively uniform. For purposes of discussion, we have separated BIA framework into three major components: (1) Plan development, (2) Assessment and Analysis Processes, and (3) Outcomes and End Goals. Plan Development Plan development is the first step towards successful BIA completion, and reports from Iowa State University, Old Dominion University and Georgia Tech assert that the most important component of plan development is the commitment and involvement of management in the BIA process.53 Support from management enhances departmental-level cooperation with the BIA and increases compliance and completion of the BIA process, in part due to the selecting of Team Leaders and members who are able to effectively perform the needed tasks for BIA completion. 54 The specific positions of individuals involved in the BIA process and their responsibilities are discussed in later sections of this report, but a review of plan development across institutions reveals that the individuals assigned to perform the BIA tend to work within the unit/department in which the BIA is being performed and are highly knowledgeable of the department.55 Please see the Oversight and Governance sections of this report for a detailed review of the individuals and responsibilities involved in the BIA process in institutions of higher education. The plan development phase requires a high degree of inter and intra-departmental communication as the BIA questionnaire is developed, timetables for completion are

The Institute for Continuity Management. Business Impact Analysis. Op.cit. Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources General Information and Process Description. Op.cit. and Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets General Information and Process Description. Op.cit. and Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets General Information and Process Description. Op.cit. 54 Ibid. 55 Pennsylvania State University. Administration Information Services: Recovery Planning Process. <http://ais.its.psu.edu/disaster_recovery/media/Recovery_Planning_Guide.pdf>
52 53

18

2008 The Hanover Research Council

Hanover Research

November 2008

established, and workshop/training sessions are hosted to inform all faculty and staff of the BIA process and goals.56 Assessment and Analysis Processes The next components of the BIA framework are the assessment and analysis processes, which begin with a determination of what will be assessed by the BIA. Because the what of the BIA assessment is the critical business functions/processes relative to the departments mission, it tends to vary by organization and within departments.57 While this process may include the development of criteria to guide the creation of a list of critical services,58 a list of all business activities (including academic activities, accounting activities, budget and planning activities, etc),59 or the determination of the core processes performed by each College or department and the flow of information, materials, and services through these core processes,60 there are many commonalities among these assessments. Similar characteristics of BIA assessment categories include their importance to the functioning of business and the threat to business operations if these critical services/activities/functions/resources are disturbed. Some institutions also include a risk assessment component to the BIA, which often involves the identification and evaluation of scenarios, risks, and internal and external threats, as well as the impact of these activities on the critical services/activities/ function/resources.61 In order to help departments obtain a basic understanding of their critical business processes, some higher education institutions provide Business Analysis Checklists for departments in the process of BIA performance. Checklists may include the purpose, overview and objective of the BIA, as well as questions meant to determine the exact function of the business process, the time period the process can function without information technology support, and any impacts associated with disruption

Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. Op.cit. 57 Texas A&M University. University Risk and Compliance: University-Wide Risk Management URC Business Continuity Checklist. < http://universityrisk.tamu.edu/DataFiles/BC-Checklist.doc> 58 University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit. 59Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit. 60 Northern Arizona University. Comptrollers Office Policies and Procedures Manual: CMP 110 Op.cit. 61 Texas A&M University. University Risk and Compliance: University-Wide Risk Management. Op.cit.
56

19

2008 The Hanover Research Council

Hanover Research

November 2008

to the process.62 To view an example of one of these checklists, please follow the following link provided by the University of Arizona: BIA Checklist. Business processes must undergo an analysis process in which criticality and importance for the processes is defined and processes are prioritized or ranked. The level of detail of these definitions and criteria varies widely among institutions, although the definition of critical is generally accepted to encompass those functions which have a direct and immediate effect on the general campus community.63 Functions are defined as essential by multiple higher education institutions if the department could continue operations after a disruption to the function for days or even a week, but eventually would need the function again, and are defined as normal if the department can continue operations without the function for an extended period of time.64 Many institutions also consider extent of impact, costs of a failure, publicity, legal and ethical issues, and regulatory concerns in their determination of criticality criteria and definitions.65 While some higher education institutions, like the Virginia Community College System, use a relatively simple ranking scale that rates the importance of business activities on a scale of one to three, one being the most important and three being the least important,66 other institutions use more detailed ranking scales. The University of Arizona, for example, provides a scale that ranks critical functions on a scale of one to five, and criticality is denoted based on the extent of the time period between a disruption to the function and the point at which business processes will be impacted if the function is not resumed (in this case, the University of Arizona defines the most critical functions as those in which only 24 hours may pass before the function needs to be resumed).67 Iowa State University uses similar criteria to determine criticality by dividing impact rankings into high (cannot operate without resource even for a short period of
The University of Arizona. Business Analysis Checklist. <http://web.arizona.edu/~ccit/fileadmin/templates/content/security/pdf/BIAChecklist.pdf> and Texas A&M University. University Risk and Compliance, Op.cit. 63 Northern Arizona University. Comptrollers Office Policies and Procedures Manual: CMP 110, Op.cit. 64 See footnote 53. 65 Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets General Information and Process Description. Op.cit. 66 Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit. 67 University of Arizona. Critical Functions Assessment Survey. <http://web.arizona.edu/~ccit/fileadmin/templates/content/security/pdf/CFA_Survey.pdf >
62

20

2008 The Hanover Research Council

Hanover Research

November 2008

time), medium (could work around the loss of the resource for a few days or a week), and low (could operate without the resource for an extended period of time).68 The University of Texas also includes impact into its ranking criteria, defining resource importance through the following four impact levels:69
N: None There is no impact on any work function. An example would be a process that runs only intermittently; normal function would continue until the next interval that process is scheduled to run. M: Moderate The failure of the process results in minor or moderate disruption to the function of the department itself or to another department with a downstream dependency. S: Severe The failure of the process results in the department or another department with a downstream dependency being unable to function. C: Catastrophic The failure of the process results in a disruption of the universitys daily functioning.

It is also possible to incorporate recovery time objectives into criticality definitions, as shown in the figure provided by the Global Information Assurance Certification organization (GIAC). Figure 2: Criticality Levels Defined in Relation to Recovery Objectives and Method
Criticality Level Level 1: The business process must be available during all business hours. Level 2: Indicates that the business function can survive without normal business processes for a limited amount of time. Level 3: The business function can survive for one to three days with a data loss of one day. Level 4: Business unit can survive without the business function for an extended period of time. Recovery Objective < 2 hours 2 hours to 24 hours 24 to 72 hours Possible Recovery Method Data replication Data shadowing

Tape recovery at an offsite facility Low priority for tape recovery / 72 hours plus rebuild infrastructure / relocate operations to a new facility

Table provided by The Global Information Assurance Certification. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). <http://www.giac.org/resources/whitepaper/planning/122.php >

Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources General Information and Process Description. Op.cit. 69 Impact levels are quoted verbatim from: The University of Texas at Austin. Information Security Office: Business Impact Analysis Instructions. <http://security.utexas.edu/risk/planning/bia-instructions.html>
68

21

2008 The Hanover Research Council

Hanover Research

November 2008

The BIA framework shown above, where recovery time is included in the ranking analysis, is called a high availability analysis framework.70 This type of framework allows the organization to define service level agreements in terms of high availability for the critical functions and processes defined in the BIA. Information from the BIA is then used to identify critical business functions/processes, and then to determine the appropriate amount of redundancy for these functions/processes to increase recovery time.71 The following shows an example of Stanford Universitys Oracle database categorization and ranking system for high availability services:72 Tier 1: Includes business processes with a maximum impact and the most stringent high availability requirements. The Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are often close to zero, and these processes require almost continuous supporting services. Tier 2: Includes business processes with fewer high availability requirements and longer RTO and RPO times. Tier 3: Includes business processes related to internal development and quality assurance but do not have rigorous high availability requirements. The high availability framework is similar to other BIA frameworks, differing only in its categorization of some services as high availability based on recovery time objectives, but using otherwise similar criticality criteria and ranking systems to determine the importance and impact of business processes to inform business recovery and continuity plans. Business Impact Analyses conducted at government agencies generally follow the same procedures and processes as those conducted in higher education settings, but the literature showed that government agencies use slightly different criteria to define the criticality level of functions. For example, both the Federal Emergency Management Agency and the National Institute of Standards and Technology Recommendations define the adverse impact of an event in terms of loss or degradation to the security goals of integrity, availability and confidentiality. 73 In

Stanford University. Oracle Database High Availability Architecture and Best Practices: Determining Your High Availability Requirements. Op.cit. 71 Ibid. 72 Ibid. 73 Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology.<http://csrc.nist.gov/publications/nistpubs/800-30/sp80030.pdf> and Federal Emergency Management Agency. Emergency Management Guide for Business and Industry: A Step70

22

2008 The Hanover Research Council

Hanover Research

November 2008

these types of analyses, vulnerability and magnitude of impact are ranked on three levels, high, medium, and low, as in many higher education settings. The difference is that the three ranking levels are defined by the government agencies in terms of the assets vulnerability and the resulting levels of quantitative and qualitative costs to the organization.74 Although not strictly part of a BIA, some institutions include risk assessment in the BIA critical services/activities/functions/resources prioritization process. This includes ranking the risks or threats associated with critical services/activities/functions /resources by the probability of occurrence and then aligning this information with impact levels to help prioritize critical functions in terms of risk. Provided below is an example of this alignment of risk and impact level. Figure 3: Risk-Level Matrix
Threat Likelihood High (1.0) 10 x 1.0 = 10 Low Medium (0.5) 10 x 0.5 = 5 Low Low (0.1) 10 x 0.1 =1 50 x 0.1 = 5 Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10) 100 x 0.1 = 10 50 x 0.5 = 25 Low 100 x 0.5 = 50 Low 50 x 1.0 = 50 Medium 100 x 1.0 = 100 Medium Impact Medium (50) Medium

Low (10) Low

High (100) High

Figure from: Stoneburner, Gary, Goguen, Alice and Feringa, Alexis. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. Table 3-6. Risk-Level Matrix. National Institute of Standards and Technology.<http://csrc.nist.gov/publications/nistpubs/80030/sp800-30.pdf>

by-Step Approach to Emergency Planning, Response and Recovery for Companies of All Sizes. October 1993. <http://www.fema.gov/pdf/business/guide/bizindst.pdf> 74 Stoneburner, Goguen, and Feringa, Op.cit.

23

2008 The Hanover Research Council

Hanover Research Outcomes and End Goals

November 2008

While the identification of critical business functions and processes to the institution or departments mission is the primary goal of the impact analyses, most higher education institutions and government agencies use the BIA and the information obtained therein to inform a broader business recovery and continuity plan. Information concerning critical processes and the time period at which these processes can continue operations after a disruption to business was used as part of disaster mitigation and business recovery plan at the majority of the institutions surveyed, including Texas A&M University, the University of Nebraska Lincoln, the Connecticut Community College System, Northern Arizona University, the University of Arizona, the University of Texas at Austin, Michigan State University, Georgia Institute of Technology, Pennsylvania State University, and Iowa State University. Specific outcomes desired form the BIA include the determination of crossdependencies among departments within an organization, including the ability to define dependencies as upstream, or external processes that the process relies upon, and downstream, of external process that rely on the process and will be affected by its failure.75 Recovery Time Objectives, or the desired amount of time it should take to restore a service, and Recovery Point Objectives, or the maximum amount of data the organization can lose before a negative impact is felt, are also included as goal outcomes of the BIA.76

75 76

Northern Arizona University. Comptrollers Office Policies and Procedures Manual: CMP 110, Op.cit. Ibid, The Global Information Assurance Certification, op.cit, and North Carolina State University. Policies, Regulations & Rules.: Developing Business Continuity and Disaster Recovery Plans. <http://www.ncsu.edu/policies/campus_environ/REG04.00.7.php>

24

2008 The Hanover Research Council

Hanover Research

November 2008

Methodologies in Business Impact Analyses: Approach

Best practice literature and industry standards list a number of different approaches to information gathering and data collection during the BIA process. The National Institute of Standards and Technology suggests that any of the following techniques are useful for data collection relevant to information technology systems and BIAs:77 Questionnaire: A questionnaire can be developed concerning the management and operational aspects of the department or information technology system. Questionnaires can be distributed to the applicable personnel or used during on-site visits and interviews. On-site Interviews: Interviews with information technology specialists and management personnel can help with data collection as well as allow BIA personnel to observe and gather information about the physical, environmental, and operational security of the IT system. Document Review: Policy documents (such as legislative documentation and directives), system documentation (such as system user guides and manuals), security-related documentation (such as previous audit reports and security policies), and previous risk assessment/BIA results, as well as organizational mission statements can be useful to help gain an understanding of organizational processes during the BIA. Use of an Automated Scanning Tool: Technical methods such as the use of network mapping tools can be used to collect system information efficiently. GIACs white paper Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) affirms suggestions from the National Institute of Standards and Technology and emphasizes the success of BIA data collection through face-to-face interviews, questionnaires, or conference calls.78 The vast majority of the higher education institutions profiled in Figure 4 below used a questionnaire to gather information for the BIA, and most use some sort of interview, whether one-on-one or in a training session/workshop, to supplement the BIA information collection process. Both Pennsylvania State University and the University of Arizona used Strohl Systems software to help guide the creation and analysis of the BIA questionnaire. Two of the institutions, Stanford University and Baylor University, hired an outside consulting group to develop and administer the
77 78

Stoneburner, Goguen, and Feringa, Op.cit. The Global Information Assurance Certification, Op.cit.

25

2008 The Hanover Research Council

Hanover Research

November 2008

BIA. Interestingly, both of these schools had smaller enrollment sizes then most the other profiled institutions (Stanford University has an enrollment of 19,872 students and Baylor University has an enrollment of 14,174 students). Please see Figure 4 below for details and the reports Appendix for links to BIA templates used by a selection of the higher education institutions profiled. Discontinuities between a few of the institutions profiled below and the institutions profiled in alternate sections of this report occur because not all institutions profiled provide information for each of the methodology areas highlighted in this report. Despite the lack of data, this report attempts to achieve as much overlap as possible concerning the institutions profiled and reviewed for best practice BIA methodologies. Figure 4: Approach Used in BIAs Performed in Institutions of Higher Education
Institution
Virginia Community College System

Enrollment79

93,198

Pennsylvania State University

Approx. 90,00081

University of Texas at Austin Texas A&M University

79 80

50,170

46,542

BIA Approach Used Three separate BIA forms are administered to departments. The first form identifies all business activities and ranks their importance, the second form determines all applications and manual processes for business activities ranked most highly in form 1. The third form described the systems ranked as critical on form 2.80 Provide training for BIA and Risk Assessment for Recovery Coordinator and Unit Managers. Recovery Coordinators distribute the BIAs to appropriate units and Unit Managers. BIA results are then reviewed for completeness by the Recovery Coordinator and reported to management.82 Strohl Systems BIA Professional software is used to help create the survey, collect and analyze data.83 Post on-line instructions84 to help business process units complete the posted Business Analysis Template.85 Questionnaire administered to departments. Training for personnel on business continuity plan after BIA administration.86

Enrollment data is taken from the NCES IPEDS database unless otherwise noted. Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit. 81 Pennsylvania State University. Live: The Universitys Official News Source. Op.cit. 82 Pennsylvania State University. Administrative Information Services: Recovery Planning Process. Op.cit. 83 Pennsylvania State University. PSU Business Continuity Blog: The Misunderstood Business Impact Analysis (BIA). <http://www.personal.psu.edu/psd5/blogs/Business_Continuity/2007/10/bia-and-the-rto.html> 84 University of Texas at Austin. Information Security Office: Risk Management Services Disaster Recovery Planning Instructions and Templates. Op.cit. 85 University of Texas at Austin. BIA Template. <http://security.utexas.edu/risk/planning/UT-Austin-BIA-Template.doc>

26

2008 The Hanover Research Council

Hanover Research
Institution
Michigan State University Connecticut Community College System University of Arizona Texas Tech University System Iowa State University Old Dominion University 26,160 28,260 37,217 43,33588

November 2008
BIA Approach Used Coordinator/project leader and functional unit administrators work to identify critical functions and processes, then interview information systems support personnel and business unit personnel. These results are then analyzed in order to complete a Risk Assessment.87 Use of a questionnaire and interview process, as well as a technical review of current capabilities and practices. Information used to determine recovery options.89 Used Strohl BIA software to help create a Critical Functions Assessment Survey and aid in the planning process.90 Hired an outside consultant to administer BIA.91 Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.92 Team leader conducts the BIA process, which includes having departments/institution units fill out a BIA form.93 Review relevant documentation, including critical success factors, strategic plans, budget measurements, etc to build an understanding of organizational structure. Conduct interviews with College/Department leadership to gather data on operations, and compile the results of the interviews into business flows that describe core processes and flow of information/goods/services.94

Enrollment79 46,045

22,287

Northern Arizona University

21,347

Texas A&M University. University Risk and Compliance: University-Wide Risk Management URC Business Continuity Checklist. Op.cit. 87 Michigan State University. Disaster Recovery Planning: Planning Guide: Michigan State University Unit Guide to Disaster Recovery Planning Compete with Step by Step Guide and Forms and Sample Plan Template. <http://www.drp.msu.edu/Documentation/UnitGuideDisasterRecoveryPlanningVer3_complete.doc> 88 Enrollment figure represents Spring 2004 total enrollment (full-time and part-time students). Figure from: Connecticut Community Colleges. Spring 2004 Credit Enrollment Report February 23, 2004. Pg. 4. <http://www.commnet.edu/planning/Research/Enrollment/CreditEnrollment/Spring/Spring_2004.pdf> 89 Connecticut Community Colleges. Sungard Availability Services: Business Impact Analysis (BIA) Connecticut Community Colleges. Op.cit. 90 The University of Arizona. University Information Technology Services: Business Impact Analysis. Op.cit. 91 Texas Tech University System. Minutes: Board of Regents October 27,2006. <http://www.irs.ttu.edu/reports/statereports/SYSTEM/Minutes/BoardMinutes102706.pdf> 92 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources General Information and Process Description. Op.cit. 93 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets General Information and Process Description. Op.cit. 94 Northern Arizona University. Comptrollers Office Policies and Procedures Manual: CMP 110, Op.cit.
86

27

2008 The Hanover Research Council

Hanover Research
Institution
Stanford University Georgia Tech

November 2008
BIA Approach Used Hired an outside Consulting group (IBM).95 Use of trained BIA evaluators to administer a survey to each institution unit, and then develop a business continuity plan based on BIA results.96 Survey is a multiple choice self-assessment.97 Hired an outside consultant to administer BIA.98

Enrollment79 19,782

18,742

Baylor University

14,174

Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit 96 Georgia Institute of Technology. Welcome to the Georgia Tech Risk Self Assessment Program. Op.cit. 97 Georgia Institute of Technology. Self-Assessment Questionnaire. <http://www.risks.gatech.edu/survey.htm > 98 Hanover Research Council Interview with Baylor University, November 4, 2008.
95

28

2008 The Hanover Research Council

Hanover Research

November 2008

Methodologies in Business Impact Analyses: Oversight

Business Impact Analysis literature asserts that the successful completion of a BIA depends on the level of management involvement in both the oversight and governance of the BIA, as well as their commitment to the project. 99 For the purposes of this report, oversight is defined as the management or supervision of the BIA process itself. Among the majority of the studied higher education institutions with documented information concerning BIA oversight processes, the governing body responsible for mandating the BIA and its processes appoints a BIA team from departmental personnel. It is this team that is then responsible for the actual organization, development, administration, timely completion, and analysis/assessment of the BIA, as well as for the reporting of the BIA results to upper management.100 This oversight process does not appear to vary with institution size as measured by enrollment. Figure 5 reviews the individuals responsible for BIA oversight and their associated responsibilities for each of the institutions studied. Figure 5: Oversight of Business Impact Analyses Performed in Institutions of Higher Education
Institution Enrollment101 Individual(s) Responsible for BIA oversight College Presidents and System Office Vice Chancellors conduct BIA, and a Risk Assessment Coordinator is appointed to help oversee the process.102 Team Leader selected by management and a team with a minimum of three individuals.104 BIA Oversight Responsibilities
Allocate resources to conduct a BIA and Risk Assessment. The Risk Assessment Coordinator coordinates the review of all business functions, but all are active in the BIA.103 Assure risks are reviewed and addressed, updates are made to the initial report, and a process is in place for periodic BIA and Risk Assessment.105

Virginia Community College System

93,198

Iowa State University

99

26,160

Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description, Op cit. 100 Ibid. 101 Enrollment data is taken from the NCES IPEDS database unless otherwise noted. 102 Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit. 103 Ibid. 104 Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.

29

2008 The Hanover Research Council

Hanover Research
Individual(s) Responsible for BIA oversight Management Planning team, which includes the BIA sponsor, recovery coordinator and two unit managers who are knowledgeable of the recovery planning process and manage the critical service on a daily basis.107 A Business Continuity Coordinator is assigned within each department to coordinate the continuity plan, including the BIA, act as an interdepartmental liaison, and assemble a Departmental Continuity Committee.109 A BIA Coordinator/Project leader in conjunction with functional unit administrators such as chair persons, assistant directors, associate directors, department chairs or directors.111
Business Continuity and Disaster Recovery Oversight Committee composed of a cross section of academic and administrative leaders. Also included is a Cohort Coordinator.113

November 2008

Institution

Enrollment101

BIA Oversight Responsibilities

The sponsor must make decisions that can affect the organization, determine constraints and limitations for recovery planning, and ensure the project stays on focus. The Recovery Coordinator must be fluent in project management principles. The Unit Manager must manage the critical service on a daily basis.108 Act as a liaison between emergency operations center and departmental recovery team, coordinate the development of departmental plan, and maintain pre-determined departmental decisionmaking authority. Departmental Committee may seek faculty/staff representation and input on plan development and resource allocation.110 Organize the BIA by setting the scope, objectives, assumptions, timetable, draft of project plan; assigning task responsibilities; and obtain the Deans approval. Conducts BIA in conjunction with functional unit administrators.112 Review the annual work goals of the Department of Business Continuity, develop and review BIA and Risk Assessment Plans. The Cohort Coordinator ensures that each business unit within the cohort has completed the BIA or Risk Assessment and has developed a Business Continuity Plan.114

Pennsylvania State University

Approx. 90,000106

Texas A&M University

46,542

Michigan State University

46,045

North Carolina State University

31,802

Ibid. Pennsylvania State University. Live: The Universitys Official News Source. Op.cit. 107 Pennsylvania State University. Administration Information Services: Recovery Planning Process, Op cit. 108 Ibid. 109 Texas A&M University. University Risk and Compliance, Op.cit. 110 Ibid. 111 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. <http://www.drp.msu.edu/Documentation/StepbyStepGuide.htm> 112 Ibid. 113 North Carolina State University. Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans. Op.cit. 114 Ibid.
105 106

30

2008 The Hanover Research Council

Hanover Research
Individual(s) Responsible for BIA oversight Individuals responsible for BIA oversight include a sponsor, project manager, management from the Information Services Executive Committee, and other stakeholders, including coordinators of Information Security Critical Services. The Project Team for the Disaster Mitigation Plan includes a communications and operations unit, an instructional technology group, and an enterprise information solutions component.115
The Office of Computing and Communications Services117

November 2008

Institution

Enrollment101

BIA Oversight Responsibilities

University of Nebraska Lincoln

22,973

Must hold weekly meetings or more with meeting minutes posted as IS intends. Responsible for completing the following deliverables: criteria to develop list of critical services, list of critical services, components and resources of critical services, redundancy of resources, and mitigation plan for each critical service.116

Old Dominion University

22,287

Ensure report is completed on time. Responsible for reporting the BIA to management. Must be able to use understanding of university operations and interaction of department with central systems and operations to enhance analysis.118 N/A Responsible for the timely completion of the BIA and for reporting the BIA to management. Also responsible for assuring risks are reviewed and addressed, updates are made to the initial report, and that a process is in place for an annual BIA performance. Responsible for forming a team to help with this maintenance process.121

Stanford University

19,782

IBM Consulting group119

Georgia Tech

18,742

Departmental personnel are selected to become part of the BIA/Risk Assessment Team.120

University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit. 116 Ibid. 117 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit. 118 Ibid. 119 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit 120 Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description. Op cit. 121 Ibid.
115

31

2008 The Hanover Research Council

Hanover Research
Individual(s) Responsible for BIA oversight
Outside consulting group.122 Departmental Team Leaders will be directed by the Information Security Office and provided with information and training sessions to aid in Team Leaders BIA completion.123

November 2008

Institution
Baylor University

Enrollment101
14,174

BIA Oversight Responsibilities

N/A Follow the Information Security Offices instructions and format for BIA, conduct and complete the BIA. The Team Leader may form teams to include departmental individuals to assist in the process.124

Longwood University

4,727

Hanover Research Council contact with Baylor University, November 4, 2008. Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. Op.cit. 124 Ibid.
122 123

32

2008 The Hanover Research Council

Hanover Research

November 2008

Methodologies in Business Impact Analyses: Governance

As noted in the previous section of this report, management commitment and support for the BIA process is a crucial component in the successful completion of the analysis.125 For the purposes of this report, we define the upper levels of management associated with the BIA process as those individuals with duties associated with BIA governance. These duties include responsibilities concerning the policies, processes, mandates or decisions involved in at the macro level of higher education institution BIA performance. A review of the individuals and responsibilities involved in the governance process in higher education settings reveals that the institutions Business Continuity, Auditing, Information Security, or Risk Management Office (or office with a similar function) is generally the governing body responsible for the initiation of a BIA. The responsibilities involved in this position involve mandating the performance of Business Impact Analyses, reviewing the BIA, and providing final approval for the BIA. In some cases, the governing body also selects the team of individuals responsible for overseeing and conducting the BIA. The individuals involved in BIA governance and their associated responsibilities do not appear to vary by institution size as measured by enrollment. Figure 6 profiles the individuals responsible for BIA governance and their related responsibilities for twelve institutions of higher education.

125

Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit.

33

2008 The Hanover Research Council

Hanover Research

November 2008

Figure 6: Governance of Business Impact Analyses in Institutions of Higher Education

Institution
Virginia Community College System

Enrollment126 93,198

Individual(s) Responsible for BIA Governance College Presidents and System Office Vice Chancellors.127

BIA Governing Body Responsibilities Review all business functions and can initiate additional reviews to isolate specific business functions the governing bodys discretion.128 Must be able to make decisions that can affect the organization, determine constraints and limitations for organizational recovery planning, ensure the project stays on focus, and have an overall understanding of the organization and recovery planning process.131 Provides tools and resources for individuals who will complete or are completing BIAs and Risk Assessments.133 Dean must approve BIA,136 and the Client Advocacy Office coordinates the Disaster Recovery Planning Team.137

Pennsylvania State University

Approx. 90,000129

Sponsor.130

Texas A&M University Michigan State University

46,542

University Risk and Compliance Office.132 Dean of department134 and the Client Advocacy Office.135 Department Head, Dean or Vice Chancellor sign off on final BIA approval. Chancellor appoints Business Continuity and Disaster Recovery Oversight Committee.138

46,045

North Carolina State University

31,802

Reviews annual reports from Committee, must approve and sign off on BIA.139

Enrollment data is taken from the NCES IPEDS database unless otherwise noted. Virginia Community College System. Technology Models: Business Impact Analysis. Op.cit. 128 Ibid. 129 Pennsylvania State University. Live: The Universitys Official News Source. Op.cit. 130 Pennsylvania State University. Administration Information Services: Recovery Planning Process. Op.cit. 131 Ibid. 132 Texas A&M University. University Risk and Compliance: Business Continuity Planning. <http://universityrisk.tamu.edu/BusinessContinuityTools.aspx> 133 Ibid. 134 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. Op.cit. 135 Michigan State University. Disaster Recovery Planning: About. <http://www.drp.msu.edu/about_the_site.htm> 136 Michigan State University. Step by Step Guide for Disaster Recovery Planning for Michigan State University Units. Op.cit. 137 Michigan State University. Disaster Recovery Planning: About. Op.cit. 138 North Carolina State University. Policies, Regulations and Rules: Developing Business Continuity and Disaster Recovery Plans. Op.cit.
126 127

34

2008 The Hanover Research Council

Hanover Research
Institution
Iowa State University

November 2008
Individual(s) Responsible for BIA Governance IT Security and Policies Department and the Chief Information Officer.140 BIA Governing Body Responsibilities Establishes policies to ensure the university has a secure information technology environment. CIO receives BIA report.141 The sponsor must attend one-on-one monthly meetings with the Project Manager, and the Executive Committee must attend meetings quarterly. The Project Manager must prepare an initial draft of the statement of work and communications plan for the BIA/Risk Assessment and submit the plan to stakeholders for their review.143 Required to mandate the performance of a BIA and a Risk Assessment at a minimum of every three years.145 Assessing the Universitys emergency management capabilities and initiating recovery planning activities such as BIA performance at its discretion.147 Host annual information sessions and provide a point of contact for departments completing the BIA process.149

Enrollment126

26,160

University of Nebraska Lincoln

22,973

Sponsor, Project Manager and the Information Services Executive Committee.142

Old Dominion University

22,287

Office of Computing and Communications Services and the Commonwealth of Virginia SEC2001-01.1.144 University Emergency Management program.146

Stanford University

19,782

Georgia Tech

18,742

Department of Internal Audits.

148

Ibid. Iowa State University. Business Impact Analysis and Risk Assessment for Information Resources: General Information and Process Description. Op.cit. 141 Ibid. 142 University of Nebraska Lincoln. Disaster Mitigation: Statement of Work: Prepare for Disaster Mitigation and University Continuity. Op.cit. 143 Ibid. 144 Old Dominion University. Business Impact Analysis/Risk Assessment for Information Assets: General Information and Process Description. Op.cit. 145 Ibid. 146 Stanford University. Stanford University Emergency Management Program: Presentation to Stanford University Cabinet. Op.cit 147 Ibid. 148 Georgia Institute of Technology. Business Impact Analysis and Risk Assessment for Information Assets: General Information and Process Description, Op cit. 149 Ibid.
139 140

35

2008 The Hanover Research Council

Hanover Research
Institution
Baylor University

November 2008
Individual(s) Responsible for BIA Governance Risk Management Department.150 BIA Governing Body Responsibilities Responsible for providing business continuity and risk management services.151 CIO or designee may initiate a BIA on any entity/department throughout the University. Vice Presidents are responsible for the execution, development and implementation of business remediation programs.153

Enrollment126 14,174

Longwood University

4,727

Chief Information Officer or designee. Vice Presidents of Colleges.152

Baylor University. Risk Management: Crisis Management. <http://www.baylor.edu/risk_management/index.php?id=49706> 151 Ibid. 152 Longwood University. Policy 6126: Business Impact Analysis/Risk Assessment Policy. Op.cit. 153 Ibid.
150

36

2008 The Hanover Research Council

Hanover Research

November 2008

Appendix
Links to BIA Templates
Institution
Northern Arizona University

Link
http://www4.nau.edu/comptr/docs/BCP%20Template.doc http://web.arizona.edu/~ccit/index.php?id=976 http://universityrisk.tamu.edu/DataFiles/BC-Plan-Template.doc

The University of Arizona

Texas A&M University

The University of Texas, Austin

http://security.utexas.edu/risk/planning/UT-Austin-BIA-Template.doc Form 1: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM1.doc

Virginia Community College System

Form 2: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM2.doc Form 3: http://system.vccs.edu/ITS/models/BUSINESS_IMPACT_ANALYSIS_FORM3.doc

New Jersey City University

http://www.njcu.edu/assoc/njcuitma/documents/addendums/Sample_BIA_Report.pdf

Harvard University Beth Israel Deaconess Medical Center

https://research.bidmc.harvard.edu/ost/download/Impact_Continuity.pdf BIA Template: http://www.drp.msu.edu/Documentation/Step2sampleBIA.htm

Michigan State University

Critical System Ranking Form: http://www.drp.msu.edu/Documentation/Step2sampleCriticalSystemRanking.htm

37

2008 The Hanover Research Council

Hanover Research

November 2008

Note
This brief was written to fulfill the specific request of an individual member of The Hanover Research Council. As such, it may not satisfy the needs of all members. We encourage any and all members who have additional questions about this topic or any other to contact us.

Caveat
The publisher and authors have used their best efforts in preparing this brief. The publisher and authors make no representations or warranties with respect to the accuracy or completeness of the contents of this brief and specifically disclaim any implied warranties of fitness for a particular purpose. There are no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or extended by representatives of The Hanover Research Council or its marketing materials. The accuracy and completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice and strategies contained herein may not be suitable for every member. Neither the publisher nor the authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Moreover, The Hanover Research Council is not engaged in rendering legal, accounting, or other professional services. Members requiring such services are advised to consult an appropriate professional.

38

2008 The Hanover Research Council