Virginia Tech
Business Impact Analysis/Risk Assessment for Information Assets

Area/Department Name:

Risk Assessment Team Members
NAME | TITLE

BIA/RA - 2011

Introduction

This risk assessment template was updated in November 2011 to reflect the changes made in the risk assessment documentation. The main changes are in the way information technology assets are recognized and how they correspond to what is in the Continuity of Operations Plan (COOP). As in previous years, the risk assessment can be used for a single department, or it can include several departments in a common area (such as a Vice Presidential area or a college). Questions about this template may be addressed to riskassessment@vt.edu.

General Information

Area/Department Name:
Area/Department Management:
Area/Departmental Team Leader(s):
Date Report Completed:
Date of Approval by Senior Management:

If more than one department is included in this business impact analysis/risk assessment, all departments covered by it should be listed below.

General Comments

The general comments section is included to identify any special situations relating to the process used and to highlight any unique area/departmental characteristics. If this risk assessment covers multiple departments, this section should explain the justification for completing the report in this manner. Any unique ways in which this risk assessment relates to a COOP or other documentation can also be described in this section.

Business Impact Analysis

This is the process of identifying an area/department’s major business functions and understanding their reliance on information technology assets. Use this section to describe any specific business function, process, research, or extension environment that involves the information technology assets defined for this college/department. It is also recommended that issues about specific data (for example, sensitive data) be documented in this section, along with any time-sensitive issues.

The basic question being asked here is: “what would be the impact if the department were to lose access to supporting technology resources for a significant period of time” (that is, more than a week)? What is the immediate and long-term impact of such an information technology asset loss? Do you have a short-term alternative (within 24 hours of the incident) and a long-term alternative (within days to weeks of the incident)?

NOTE: It is very important to complete this section in order to have a sense of what the impact would be if information technology services/systems are not available.

Area/Departmental Information Technology Assets

If a COOP has been prepared, this step may already have been completed. The only reason to expand on it would be a need to identify other assets that may not be considered critical; this is a good reason, as some departments have valid concerns about protecting assets (systems/services) other than just the critical ones. It is also important to remember at this point that what is defined as essential in the COOP is critical in this risk assessment.

Area/departmental information technology assets (hardware, software, systems, services, “data,” and related technology assets) are listed below in the categories critical, essential, and normal.

Critical - The department cannot operate without this information asset even for a short period of time. NOTE: Because these are critical assets for the department, they are prioritized and listed in order of importance, that is, the most critical asset is listed first. Please add to the tables as needed by simply doing an “Insert Rows” under the “Table” section.

Prioritized list of critical assets:

Priority | Critical Asset | Brief Description
1        |                |
2        |                |

Essential - The department could work around the loss of this information asset for days or perhaps a week, but eventually the information asset would have to be returned to use.

Essential (E) | Essential Asset | Brief Description
              |                 |

Normal - The department as a whole can operate without this information asset for an extended (though perhaps finite) period of time, during which particular units or individuals may be inconvenienced and/or need to identify alternatives.

Normal (N) | Normal Asset | Brief Description
           |              |

Prioritized Area/Departmental Risks

Area/departmental risks are identified and listed below according to their priorities (that is, the one most likely to occur or the one expected to cause the greatest problem has the highest priority, 1). This list can be derived from the list provided at the risk assessment website and/or from risks identified specifically for the area/department.

Priority | Risk | Brief Description
1        |      |
2        |      |
3        |      |

Reference Risks to Critical Assets

The critical assets are repeated on this form by priority, but the form also indicates which specific risks are associated with each asset. Comments are included as deemed necessary.

Priority | Critical Asset | Related Risks (by number) and Comments
1        |                |
2        |                |

Area/Departmental Recommendations

Requirements and/or protective measures necessary to reduce the impact of risks on information technology assets are identified in this section. A summary report should be provided, while the following page may be duplicated as many times as needed to address specific assets and solutions. The process of addressing solutions is ongoing, and as risks are resolved (or at least addressed) they may be documented and added to the departmental business impact analysis/risk assessment report.

Several issues are considered in applying a specific solution (feasibility, costs, labor, time constraints, operating issues, and so on). The risk may be one that needs to be addressed at the university level; that can be explained with reference to the responsible area/department. Any supporting materials deemed necessary by the area/department are included in this section with the specific risk.

Documentation for Addressing Risk

Name of Information Technology Asset at Risk:
Risk and/or Problem:
Proposed Solution(s):
Justification for solution:
Implementation plan and any dates:
Date this report prepared:
Responsible individual: