Business Impact Analysis Standard
Date of Current Revision or Creation: November 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to provide the University community with an understanding of the Business Impact Analysis (BIA) requirements.
Definitions
Business Impact Analysis (BIA) - An information gathering process that identifies the critical functions and resources of an organization and acts as the foundation for business continuity planning.
Continuity of Operations - A process of identifying the essential functions - including staff, systems, and procedures - that ensures the continuation of the University's ability to operate.
Data Compliance Owners - University directors (typically at the level of Registrar, or Unit Director) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of university data under their purview.
Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.
Office of Emergency Management (OEM) - The office at the University responsible for the coordination of efforts to prepare for and carry out the functions to prevent, minimize, respond to, and recover from incidents caused by natural hazards, human-caused hazards, and acts of terrorism.
Risk Assessment is a managerial process used to determine the probability and impact of threats caused by the human and technological environment on University assets.
System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview.
Standards Statement
The Business Impact Analysis (BIA) is an integral part of the University's Emergency Management Program. The BIA defines certain critical information needed to complete and complement the University Continuity of Operations Plan.
System Compliance Owners, Data Compliance Owners and business stakeholders are required to participate in the assessment and development of the University's Business Impact Analysis (BIA).
With the assistance of the Office of Emergency Management (OEM), Information Technology Services is responsible for the management of the Business Impact Analysis.
BIA Requirements
The BIA must identify primary critical business functions, the resources needed to support them, acceptable downtime, and restoration goals, as well as the secondary functions on which each essential function depends. These determinations are based on University goals and objectives and on IT industry best practices.
The BIA must identify the resources that support each primary and secondary essential business function. For IT systems and/or data that support a primary or secondary essential business function, the BIA must specify to what extent the essential business function depends upon the specific IT system and/or data.
The BIA management team must produce a BIA report whose IT component:
- Documents the dependence of the University's primary and secondary essential business functions on specific IT systems and/or data;
- Specifies the required recovery time for the IT systems and/or data on which a primary or secondary essential business function depends, based upon University goals and objectives;
- Documents the extent to which an essential business function depends upon the IT systems and/or data.
The IT information documented in the BIA report will be used as a primary input to:
- IT System and Data Sensitivity Classification
- Risk Assessment
- IT Contingency Planning
The BIA is reviewed and updated by business stakeholders annually and is subject to a triennial formal assessment and comprehensive update with assistance from OEM and other University departments/units as needed.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 1021 - Emergency Management Policy
- University Policy 3505 - Information Technology Security Policy
- IT Standard 07.2.0 Business Continuity and Disaster Recovery Plan Standard
- IT Standard 8.1.0 Risk Assessment Standard
History
Date | Responsible Party | Action |
October 2008 | ITAC/CIO | Created |
October 2009 | ITAC/CIO | Reaffirmed |
October 2010 | ITAC/CIO | Reaffirmed |
October 2011 | ITAC/CIO | Reaffirmed |
October 2012 | ITAC/CIO | Reaffirmed |
December 2012 | IT Policy Office | Minor rewording for clarity |
August 2015 | IT Policy Office/ISO | Three year review, alignment with University Policy 1021, updated titles, links, and definitions. |
August 2018 | IT Policy Office | Definitions and links checked, minor rewording |
November 2021 | IT Policy Office | Definitions and links checked |