2010-10-12 Educause Presentation
Marc Scarborough
Information Security Officer
Rice University
marcs@rice.edu
Agenda
Business Impact Analysis (BIA)
Walk Through a Basic Template
Example
General Notes
Questions
Links
Why BIA?
From NIST (your tax dollars at work):
◦ “The purpose of the BIA is to identify and prioritize
system components by correlating them to the
mission/business process(es) the system supports,
and using this information to characterize the
impact on the process(es) if the system were
unavailable.”
Why BIA?
Inventory
◦ When was the last time you had a good inventory of
the systems performing your mission-critical work?
Documentation
◦ In an emergency situation, do people know what to
do?
Prioritization
◦ It is good to know what is integral in supporting
critical University functions and its mission before
something happens.
Example BIA Template
Service Description
Outage Impact
Maximum Tolerable Downtime
Recovery Time Objectives
Resource Requirements
Recovery Priorities for System Resources
Service Description
A primary focus of the BIA is to identify
systems that support services critical to the
University.
The Service Description should include as
you do:
◦ Identify and prioritize
◦ Help with both continuity and recovery planning
The template I use is based on NIST
guidelines, but each University will most
likely need to create or modify one that works
for them.
Thank you
Questions?
Links
NIST
◦ http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1.pdf