
Business Impact Analysis

Business Impact Analysis of IT Services - Overview


This tool has been developed to assist units in meeting the requirements for Business Impact Analysis (BIA), as defined in the Texas A&M Information Security Controls Catalog, Contingency Plan (CP-2).
Questions on this tool can be directed to Peter Walsh at walshp@tamu.edu.
All IT Services must be included in a Business Impact Analysis (see IT Services tab). The BIA can be completed at any level within an organization (Division and College level is preferred).

While completing the BIA, each Information Resource Owner must determine if their IT Service is mission critical (see Mission Critical Flow Chart). The Information Resource Owner must also determine the Recovery Time Objective and the Recovery Point Objective for their IT Service.

Fields denoted with " * " are required; all other fields are optional.
Data Collection by Tabs
1 Approval Tab: Version #*, Implemented By*, Revision Date*, Approved By*, Approval Date*, and Comment
2 Business Functions
3 Unit Level Assessments: IT Service Name*, Business Function or Group*, Essential IT Service*, Mission Critical*, RTO*, RPO*, Engineered Redundant, Recovery Tier, Priority for Restoration, and Comments
4 IT Services: IT Service Name, Business Function or Group, Description*, Service Owner*, Service Manager*, Application Support, VM Support, Hardware/OS Support, Customer Support, and Vendor(s)
5 Dependencies: IT Service Name, VM / Hardware Provider, Restoration Type, Equipment Type, Primary Locations*, Second Locations, Other Locations, Backup Copy Location*, Backup Service, Database Type, Database Provider, Upstream Dependencies, Downstream Dependencies, and Primary Communication Channel

Essential IT Service and Mission Critical Definitions

Additional definitions are located in the tab "Definitions". The definitions below are referenced above.
Essential IT Service - An information resource with an established Recovery Time Objective (RTO) of less than 12 hours which is required to support the university’s critical functions (as noted in Annex J of Texas A&M University (TAMU) Emergency Operations Plan (EOP)).
Mission Critical Information - Information that is defined by the information resource owner (or by the University for Essential IT Services) to be crucial to the continued performance of the mission of the department/unit. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as:
• significant financial loss,
• institutional embarrassment / reputational harm,
• failure to comply with regulations or legal obligations, or
• closure of the department/unit.

1 of 11 01/12/2021

Business Impact Analysis Approval


Unit: Unit/Department Name

Mission: Unit/Department Mission

Version # * | Implemented By * | Revision Date * | Approved By * | Approval Date * | Comment
1 | <name, title> | <mm/dd/yy> | <name, title> | <mm/dd/yy> |
2
3
4
5
6
7
8
9
10
11
12
13


Business Function List


Business Function * (Group / Section Name) | Description * | Manager / Information Resource Owner *
Business Function 1
Business Function 2
Business Function 3
Business Function 4
Business Function 5
Business Function 6
Business Function 7
Business Function 8
Business Function 9
Business Function 10
Business Function 11
Business Function 12
Business Function 13
Business Function 14
Business Function 15
Business Function 16


Unit-Level Assessment
IT Service ID | IT Service Name * | Business Function or Group * | Essential IT Service * | Mission Critical * | Confidential Information | RTO * | RPO * | Engineered Redundant? * | Recovery Tier | Priority for Restoration | Comments
1 | A1 | Business Function 1 | Yes | Yes | Uses or Stores | 0 Hours | 0 Hours | Yes | 0 | 1 |
2 A2 Business Function 2 #N/A
3 A3 Business Function 3 #N/A
4 A4 Business Function 4 #N/A
5 A5 Business Function 5 #N/A
6 A6 Business Function 6 #N/A
7 A7 Business Function 7 #N/A
8 A8 Business Function 8 #N/A
9 A9 Business Function 9 #N/A
10 A10 Business Function 10 #N/A
11 A11 Business Function 11 #N/A
12 A12 Business Function 12 #N/A
13 A13 Business Function 13 #N/A
14 A14 Business Function 14 #N/A
15 A15 Business Function 15 #N/A
16 A16 Business Function 16 #N/A
17 A17 Business Function 17 #N/A
18 A18 Business Function 18 #N/A
19 A19 Business Function 19 #N/A
20 A20 Business Function 20 #N/A
21 A21 Business Function 21 #N/A
22 A22 Business Function 22 #N/A
23 A23 Business Function 23 #N/A
24 A24 Business Function 24 #N/A
25 A25 Business Function 25 #N/A
26 A26 Business Function 26 #N/A
27 A27 Business Function 27 #N/A
28 A28 Business Function 28 #N/A
29 A29 Business Function 29 #N/A
30 A30 Business Function 30 #N/A
31 A31 Business Function 31 #N/A
32 A32 Business Function 32 #N/A
33 A33 Business Function 33 #N/A


IT Services
Service Details | Contacts
IT Service ID | IT Service Name * | Business Function or Group * | Description * | Service Owner * | Service Manager * | Application Support | VM Support | Hardware/OS Support | Database Support | Customer Support | Vendor(s)

1 A1 Business Function 1
2 A2 Business Function 2
3 A3 Business Function 3
4 A4 Business Function 4
5 A5 Business Function 5
6 A6 Business Function 6
7 A7 Business Function 7
8 A8 Business Function 8
9 A9 Business Function 9
10 A10 Business Function 10
11 A11 Business Function 11
12 A12 Business Function 12
13 A13 Business Function 13
14 A14 Business Function 14
15 A15 Business Function 15
16 A16 Business Function 16
17 A17 Business Function 17
18 A18 Business Function 18
19 A19 Business Function 19
20 A20 Business Function 20
21 A21 Business Function 21
22 A22 Business Function 22
23 A23 Business Function 23
24 A24 Business Function 24
25 A25 Business Function 25
26 A26 Business Function 26
27 A27 Business Function 27
28 A28 Business Function 28
29 A29 Business Function 29
30 A30 Business Function 30
31 A31 Business Function 31
32 A32 Business Function 32
33 A33 Business Function 33
34 A34 Business Function 34
35 A35 Business Function 35


Dependencies
IT Service ID | IT Service Name | Business Function or Group * | Restoration Type | Equipment Type | Primary Locations * | Second Locations | Other Locations | Backup Copy Location * | Backup Service | Database Type | Upstream Dependencies | Downstream Dependencies | Primary Communication Channel

1 A1 Business Function 1
2 A2 Business Function 2
3 A3 Business Function 3
4 A4 Business Function 4
5 A5 Business Function 5
6 A6 Business Function 6
7 A7 Business Function 7
8 A8 Business Function 8
9 A9 Business Function 9
10 A10 Business Function 10
11 A11 Business Function 11
12 A12 Business Function 12
13 A13 Business Function 13
14 A14 Business Function 14
15 A15 Business Function 15
16 A16 Business Function 16
17 A17 Business Function 17
18 A18 Business Function 18
19 A19 Business Function 19
20 A20 Business Function 20
21 A21 Business Function 21
22 A22 Business Function 22
23 A23 Business Function 23
24 A24 Business Function 24
25 A25 Business Function 25
26 A26 Business Function 26
27 A27 Business Function 27
28 A28 Business Function 28
29 A29 Business Function 29
30 A30 Business Function 30
31 A31 Business Function 31
32 A32 Business Function 32
33 A33 Business Function 33
34 A34 Business Function 34
35 A35 Business Function 35


Definitions
| Required | Field | Answers | Description | Notes |
| | Additional Information | Memo Field | Assumptions used to determine Recovery Time Objective. | |
| | Application Support | Name | The primary support person for the application or service | |
| | Business Function | Name | A team or group of people and the tools they use to carry out one or more Processes or Activities. For example the Service Desk. The term Function also has two other meanings: An intended purpose of a Configuration Item, Person, Team, Process, or IT Service. For example one Function of an Email Service may be to store and forward outgoing mails, one Function of a Business Process may be to dispatch goods to Customers; To perform the intended purpose correctly, The computer is "Functioning". | Department - Group - Section. Example: TAMU IT - ITSS - Database Team |
| | Business Function Description (Short) | 255 Characters | Brief description of the Business Function | • Spell out any Acronyms. • List Peak Times. |
| | Customer Support | Name | The person who manages customer support for this service (optional) | |
| | Dependencies, Downstream IT Service | List IT Services | In upstream and downstream relationships, anything that happens downstream can have an adverse effect on upstream configuration items. | See Upstream Notes |

| | Dependencies, Upstream IT Service | List IT Services | In upstream and downstream relationships, anything that happens downstream can have an adverse effect on upstream configuration items. | An example of a relationship: if the virtual server sannnm-01 crashes, the database instances and the web server upstream are adversely affected. Likewise, if the web server fails, the web site hosted on it goes down. The CI record for the virtualized Windows server sannnm-01 with its upstream and downstream relationships is shown below. The downstream relationships show that this server is virtualized by VMware running on a Windows server named sandb01. Our upstream relationships show a MySQL instance, a SQL instance, and a web server running on sannnm-01. Farther upstream, a web site is hosted on the web server. http://wiki.servicenow.com/index.php?title=Application_Dependency_Mapping#gsc.tab=0 |

| * | Essential IT Service | Yes / No | An information resource with an established Recovery Time Objective (RTO) of less than 12 hours which is required to support the university’s critical functions (as noted in Annex J of Texas A&M University (TAMU) Emergency Operations Plan (EOP)). | Critical functions include physical assets whose incapacity or destruction would have a debilitating impact on the economic, physical security, or operations of the university. The CISO, in consultation with the CIO, may identify additional information resources that are to be included in the University-wide Contingency Plan. |

| | Engineered Redundant | Yes / No | Is this service engineered for automatic or manual failover to a redundant site? | Cloud-hosted services are assumed to be redundant, unless we have information to the contrary. |

| * | Information Resource Owner | | A person responsible for a business function and for determining controls and access to information resources supporting that business function. | |

| * | IT Service Name | | An IT service is made up of a combination of information technology, people, and processes. A customer-facing IT service directly supports the business processes of one or more customers. Other IT services, called supporting services, are not directly used by the business, but are required by the service provider to deliver customer-facing services. | Short name for the service. |



| * | IT Service Description (Short) | 255 Characters | Brief description of the service | • Spell out any Acronyms. • How does this IT Service deliver value? • Describe the type of End Users (faculty, staff, students, general public, Department, College and / or Agency) or types of IT Services that utilize this IT Service. |

| | Location, Alternate | Campus - Building Number - Room | Backup or secondary production location. | |

| | Location, Other | Campus - Building Number - Room | List or describe other type of locations that have significant hardware installations. | |

| * | Location, Primary | Campus - Building Number - Room | Production Location. | |

| | Maximum Allowable Down Time | 0 Hours, 1 Hour, 2 Hours, 4 Hours, 8 Hours, 12 Hours, 24 Hours, 48 Hours, 72 Hours, 1 Weeks (7d), 2 Weeks (7d), 3 Weeks (7d), 4 Weeks (7d), 5 Weeks (7d), 6 Weeks (7d) | The amount of time mission/business process can be disrupted without causing significant harm to the organization’s mission. | |

| * | Mission Critical | Yes / No | Information that is defined by the information resource owner (or by the University for Essential IT Services) to be crucial to the continued performance of the mission of the department/unit. Unavailability of such information would result in more than an inconvenience. | An event causing the unavailability of mission critical information would result in consequences such as: • significant financial loss, • institutional embarrassment / reputational harm, • failure to comply with regulations or legal obligations, or • closure of the department/unit. |

| * | Recovery Point Objective (RPO) | | Acceptable loss of data, measured in time. | RPO is closely tied to backup frequency. The RPO is based on the last backup stored off-site. FY 2017 DR Planning assumption is the total loss of the Teague Data Center. Data stored in Teague is considered unrecoverable. |



| * | Recovery Time Objective (RTO) | 0 Hours, 1 Hour, 2 Hours, 4 Hours, 8 Hours, 12 Hours, 24 Hours, 48 Hours, 72 Hours, 1 Weeks (7d), 2 Weeks (7d), 3 Weeks (7d), 4 Weeks (7d), 5 Weeks (7d), 6 Weeks (7d) | The maximum time allowed for the recovery of an IT service following an interruption. | In the context of this spreadsheet, RTO and RPO should represent current capabilities to recover the service. When an IT Service Owner assigns an RTO to an IT Service there are two factors to consider. First, the RTO cannot be shorter than the time it would take to restore the service at an alternate site. Second, the assigned RTO is determined by the requirements of the business function or IT Service that it supports. For example, a low priority IT Service would not be restored until it became critical to the operation of a business function or another IT Service. The RTO for an IT Service is thus driven by the RTO of dependent business functions and other IT Services. This is due to the fact that during a “non-business as usual event” there are both hardware and personnel limitations that prevent the restoration of all IT Services at the same time. The establishment of restoration priorities in the form of an RTO / RPO ensures an orderly recovery of IT Services based on the established needs of the Business Functions. In the event a business function's or dependent IT Service’s RTO is different from the IT Service Owner’s established RTO, a Cost Benefit Analysis should be performed. A Cost Benefit Analysis can then be used to determine the cost of bringing the IT Service’s RTO in alignment with the business function requirements. The owner of the business function that is dependent on the IT Service is then given the opportunity to fund the upgrade of the Service or to develop a manual workaround and cutover procedure. |

| | Service ID | Dept-Group-Number | Unique System ID used for the data management. | Do not edit this field. |

| * | Service Manager | Name | The person who is mostly responsible for the effective completion of tasks associated with fulfilling the roles related to a specific service. | |

| * | Service Owner | Name | The person who is mostly accountable to ensure the effective management of tasks associated with fulfilling the roles related to a specific service. In some cases, the Texas A&M IT contact for the service is listed until we can locate the owner. | |

| | Vendor(s) | Name | Provide Company and Vendor Representative contact information. | |

| | VM Support | Name | The primary contact person for hardware or virtual machine issues for this service | |

| | Restoration Type | Drop Down | Denotes the restoration architecture of the IT Service. | Single Location, Active / Active, Active / Standby, Active / Test Environment Hardware, Active / Passive, Active / Active / Passive, Active / Active / Active, Hosted off campus (Cloud), Master / Slave VM, and Multiple Locations |

| | Priority for Restoration | Number | The order that an IT Service will be restored. | |

| | Active / Active | Restoration Type | Active VMs in one or more locations | |

| | Active / Passive | Restoration Type | Passive VM will require a manual intervention to take over operations. | |

| | Active / Standby | Restoration Type | Standby VM will automatically take over if the Active VM fails to respond | |

| RTO Values | Recovery Tiers and Order |
| 0 Hours | 0 |
| 1 Hour | 1.1 |
| 2 Hours | 1.2 |
| 4 Hours | 1.3 |
| 8 Hours | 1.4 |
| 12 Hours | 1.5 |
| 24 Hours | 2.1 |
| 48 Hours | 2.2 |
| 72 Hours | 2.3 |
| 1 Weeks (7d) | 2.4 |
| 2 Weeks (7d) | 2.5 |
| 3 Weeks (7d) | 3.1 |
| 4 Weeks (7d) | 3.2 |
| 5 Weeks (7d) | 3.3 |
| 6 Weeks (7d) | 3.4 |

| Priority Lookup | Priority Value |
| Yes | 0 |
| No | 1 |

| VM / Hardware Provider | Restoration Type | Equipment Type |
| TAMU IT - SE | Single Location | VM |
| TAMU IT - Networking | Active / Active | Hardware |
| Library | Active / Standby | Mixed VM / Hardware |
| EIS | Active / Test Environment Hardware | |
| ITS | Active / Passive | |
| UES | Active / Active / Passive | |
| UPD | Active / Active / Active | |
| SHS | Hosted off campus (Cloud) | |
| | Master / Slave VM | |
| | Multiple Locations | |

| Primary Locations | Second Locations | Additional Locations | Backup Copy Location |
| Teague | Teague | Free Form Text Field | Teague |
| Wehner | Wehner | | Wehner |
| Dallas | Dallas | | Dallas |
| Recovery Point | Recovery Point | | Recovery Point |

Backup Service Service Vendor Primary Communication Channel


TSM Twitter email


VEEAM Benbria email and Phone
Networking Backup IT Alert
ListServ
mobile.tamu.edu
www.tamu.edu
emergency.tamu.edu
IT.tamu.edu
library.tamu.edu/

| Confidential Information | Database Type | Database Provider |
| Creates, Uses or Stores | Internal Database | TAMU - IT - ITSS |
| Uses or Stores | MySQL | TAMU - IT - SE |
| N/A | Microsoft SQL | Division of Finance |
| | Oracle | |
| | Claim | |
| | ADABAS/Natural | |
