The Business Impact Analysis (BIA) is a key step in the contingency management process. The BIA enables the Contingency Planning Coordinator to characterize fully the system requirements, processes, and interdependencies and use this information to determine contingency requirements and priorities.

The BIA process must have the support from the highest level of management and involve all functional business unit representatives. The BIA is conducted to identify all business processes or job tasks, correlate business functions with specific internal and external information technology components, and the services they provide, and based on that information, characterize the impact on the VCCS and/or college when specific business functions fail due to the disruption of one or more of these system components. The Contingency Planning Coordinator must prepare a report which summarizes the data found in the BIA. Results from the BIA may be used to support other VCCS or college plans (COOP for example). Information documented in the BIA will be used as primary input to the IT System and Data Sensitivity Classification, IT System Inventory and Definition, and Risk Assessment processes, and development of the IT Contingency Management Plan.

The Business Impact Analysis Standard of the Contingency Planning and Business Recovery Program covers all VCCS and college business processes and the related Information Technology infrastructure. 

The Business Impact Analysis Standard is applicable to the System Office and all Colleges.

STANDARD

The BIA is the critical initial step in the contingency management process and will allow identification of system restoration requirements and order of restoration. The Contingency Planning Coordinator will coordinate the Business Impact Analysis process to comply with the following requirements.

A Program Planning Coordinator is appointed to serve as the focal point for the Contingency Planning and Business Recovery Program. The person selected should be a senior member of the college management team and who is knowledgeable of the college business applications and processes. While information technology personnel will contribute to the processes within the plan, these personnel should not be assigned the role of Planning Coordinator. This appointment is intended to provide the required senior management support, resources, and cooperation that is critical to a successful plan. This person will serve as a single point of contact to ensure the Contingency Planning and Business Recovery Program and associated plans are completed, tested, and maintained.

The Contingency Planning Coordinator may be expected to do the following:

• Assist all personnel in completing worksheet one of the Business Impact Analysis Template.
• Coordinate the distribution, completion and collection of worksheets and questionnaires to appropriate business unit personnel.
• Compile findings and recommendations into the Executive Summary.
• Present the Executive Summary to the Chancellor or College President for approval.

• Identify ALL business functions. This includes academic activities, financial activities, and planning activities, etc.
• Identify the activity owner of each business functions. This is generally a business unit management or supervisor position with overall responsibility of the business unit. For example, the business manager, human resource officer, or registrar or similar subject matter expert knowledgeable of the processes within their business unit. This person may assist the Contingency Planning Coordinator in subsequent steps of the BIA process.
• Rank the importance of the above processes to the agency in regards to the mission and recovery priority requirements. When ranking processes, the analysis should assume the worst-case scenario and focus on a peak time period; such as registration or fiscal year end activities for example. Importance in regards to mission include impacts that result in damage to the VCCS or college reputation, assets, or financial position and the degree of impact to various constituents. The ranking guidelines are as follows and are also included in the Business Impact Analysis Template.

While the activity owner and their employees will most likely contribute to the initial listing and ranking, it is recommended that the ranking be verified by administrative personnel (the College President and their immediate administrative staff for example) in conjunction with the Contingency Planning Coordinator. Worksheet one of the Business Impact Analysis Template may be used to list and rank all business processes. Example business activities are listed in a separate worksheet within this template. Instructions are included at the top of the worksheet to assist in this process.

This step of the Business Impact Analysis involves identifying applications or manual resources for all business processes, assigning acceptable down times, assigning a data owner, classifying IT system and data sensitivity, and determining other regulatory requirements. This information will be used to assist in identifying resources required to support the VCCS and College mission and business functions.

• Identify the resources (applications or manual processes) for each business process or function.
• Determine the acceptable down time for each business process or function.
• Identify the data owner. This is generally an agency manager responsible for the policy and practice decisions regarding application or data.
• Indicate if the data handled is subject to other regulatory requirements such as the Health Insurance Portability and Accountability Act of 1996 (HIPPA); the Privacy Act of 1974; and similar regulatory requirements.
• Determine the potential damages to the VCCS or College if a compromise of confidentiality, integrity or availability were experienced.
• Reference the IT System and Data Sensitivity Classification Standard for additional guidance on classifying it system and data sensitivity.

It is recommended that the information above be compiled by the Contingency Planning Coordinator in conjunction with the appropriate individual business unit personnel. For example, the activity owner may provide the acceptable down time while the data owner should provide the sensitivity classification. In some cases this may be the same person. Worksheet two of the Business Impact Analysis Template may be used for this process. Additional information may also be found in the IT System and Data Sensitivity Classification Standard.

In this step an application profile of all IT systems classified as critical or sensitive is completed to identify the boundaries and detailed information that constitute the system. The critical or sensitive values are derived from worksheet one and two. This analysis will give a thorough understanding of the system’s environment and will assist in the next phase of the project; the risk assessment process.

It is recommended that the information above be compiled by the Contingency Planning Coordinator in coordination with the IT personnel. The individual units may also contribute to this worksheet. Worksheet three of the Business Impact Analysis Template may be used for this process. Additional information may also be found in the IT System Inventory and Definition Standard.

The Contingency Planning Coordinator will produce an Executive Summary report that analyzes and documents all business activities that have been identified as being critical to the ongoing operation of the VCCS or college.

Information from each step should be summarized; tables may be used to assist in the summary and may reference various categories (mainframe, WAN, LAN, PC, and manual statistics). An example is shown below.

The Business Impact Analysis Template will assist in obtaining the required reporting information. The information documented in these steps will be used as the primary input to the risk management and contingency planning processes.

In conjunction with the Business Impact Analysis Template completion, a BIA User Questionnaire is helpful in further assessing existing safeguards and preventive controls that should be examined to determine what the business unit is doing to mitigate loss or deter specific threats, and what response mechanisms are in place in the event a disruption occurs. The results of the BIA User Questionnaire can also be used to gather information as the college develops its contingency plan and implements security awareness training.

The BIA User Questionnaire collects information from users and activity owners of information technology resources on security procedures and practices for accessing critical or sensitive information technology systems and applications. The Contingency Planning Coordinator may use the template provided or create a more environment appropriate questionnaire. The information should be tabulated as a component of the Business Impact Analysis Executive Summary.

The College President or Vice Chancellor must review and approve the results prior to completing and signing the Annual Statement of Compliance. Copies of all templates, questionnaires, forms and the BIA report must be kept at the VCCS or college for audit review.