Information Technology Standard 07.1.0

Business Impact Analysis Standard


Date of Current Revision or Creation:ÌýNovember 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to provide the University community with an understanding of the Business Impact Analysis (BIA) requirements.

Definitions

Business Impact Analysis (BIA) - Business Impact Analysis (BIA) is an information gathering process that identifies critical functions and resources of an organization and acts as the foundation for business continuity planning.

Continuity of Operations - A process of identifying the essential functions - including staff, systems, and procedures - that ensures the continuation of the University's ability to operate.

Data Compliance Owners - University directors (typically at the level of Registrar, or Unit Director) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of university data under their purview.

Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.

Office of Emergency Management (OEM) - The office at Â鶹´«Ã½ responsible for the coordination of efforts to prepare for and carry out the functions to prevent, minimize, respond to, and recover from incidents caused by natural hazards, human-caused hazards, and acts of terrorism.

Risk Assessment is a managerial process used to determine the probability and impact of threats caused by the human and technological environment on University assets.

System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview.

Standards Statement

The Business Impact Analysis (BIA) is an integral part of the University's Emergency Management Program. The BIA defines certain critical information needed to complete and complement the University Continuity of Operations Plan.

System Compliance Owners, Data Compliance Owners and business stakeholders are required to participate in the assessment and development of Â鶹´«Ã½'s Business Impact Analysis (BIA).

With the assistance of the Office of Emergency Management (OEM), Information Technology Services is responsible for the management of the Business Impact Analysis.

BIA Requirements

The BIA must identify primary critical business functions, necessary supporting resources, acceptable downtime, and restoration goals and those secondary functions on which each essential function depends and on University goals and objectives and the IT industry best practices.

The BIA must identify the resources that support each primary and secondary essential business function. For IT systems and/or data that support a primary or secondary essential business function, the BIA must specify to what extent the essential business function depends upon the specific IT system and/or data.

The BIA management team must produce a BIA report for which the IT component:

  1. Documents the dependence of the Â鶹´«Ã½'s primary and secondary essential business functions on specific IT systems and/or data;
  2. Specifies the required recovery time for the IT systems and/or data on which a primary or secondary essential business function depends and are based upon Â鶹´«Ã½ goals and objectives;
  3. And documents the extent to which an essential business function depends upon the IT systems and/or data.

The IT information documented in the BIA report will be used as a primary input to:

  1. IT System and Data Sensitivity Classification
  2. Risk Assessment
  3. IT Contingency Planning

The BIA is reviewed and updated by business stakeholders annually and is subject to a triennial formal assessment and comprehensive update with the assistance from OEM and other University departments/units as needed.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

October 2012

ITAC/CIO

Reaffirmed

December 2012

IT Policy Office

Minor rewording for clarity

August 2015 IT Policy Office/ISO Three year review, alignment with University Policy 1021, updated titles, links, and definitions.
August 2018 IT Policy Office Definitions and links checked, minor rewording
November 2021 IT Policy Office Definitions and links checked
Ìý