Information Technology Standard 07.1.0

Business Impact Analysis Standard


Date of Current Revision or Creation: December 2023


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to provide the University community with an understanding of the Business Impact Analysis (BIA) requirements.

Definitions

Business Impact Analysis (BIA) – Business Impact Analysis (BIA) is an information gathering process that identifies critical business functions and maps them to the technology services resources of an organization, prioritizes the technology services based on disaster recovery requirements and acts as the foundation for business continuity planning.

Continuity of Operations – A process of identifying the essential functions - including staff, systems, and procedures - that ensures the continuation of the University’s ability to operate.

Data Compliance Owners - University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview. Data Compliance Owners understand the compliance requirements for their data, designate the compliance level of their data, and approve access to their data. University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as HR, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.

Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.

Office of Emergency Management (OEM) – The office at Old Dominion University responsible for the coordination of efforts to prepare for and carry out the functions to prevent, minimize, respond to, and recover from incidents caused by natural hazards, human-caused hazards, and acts of terrorism.

Risk Assessment is a managerial process used to determine the probability and impact of threats caused by the human and technological environment on University assets.

System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

Standards Statement

The Business Impact Analysis (BIA) is an integral part of the University’s Emergency Management Program. The BIA defines certain critical information needed to complete and complement the University Continuity of Operations Plan.

System Compliance Owners, Data Compliance Owners and business stakeholders are required to participate in the assessment and development of Old Dominion University’s Business Impact Analysis (BIA).

With the assistance of the Office of Emergency Management (OEM), Information Technology Services (ITS) is responsible for the management of the Business Impact Analysis.

BIA Requirements

The BIA must identify primary critical business functions, necessary supporting resources, acceptable downtime, and restoration goals, as well as those secondary functions on which each essential function depends, based on University goals and objectives and IT industry best practices.

The BIA must identify the resources that support each primary and secondary essential business function. For IT systems and/or data that support a primary or secondary essential business function, the BIA must specify to what extent the essential business function depends upon the specific IT system and/or data.

The BIA management team must produce a BIA report for which the IT component:

  1. Documents the dependence of ODU's primary and secondary essential business functions on specific IT systems and/or data;
  2. Specifies the required recovery time objective (RTO) and recovery point objective (RPO) for the IT systems and/or data on which a primary or secondary essential business function depends, based upon Old Dominion University goals and objectives;
  3. Documents the ITS resources needed for support of the essential business functions;
  4. Documents the extent to which an essential business function depends upon the IT systems and/or data;
  5. And defines a BIA rating of Immediate, Priority, or Routine for each business function.

The IT information documented in the BIA report will be used as a primary input to:

  1. IT System and Data Sensitivity Classification
  2. Risk Assessment
  3. IT Contingency Planning

The BIA is reviewed and updated by business stakeholders triennially via formal assessment and comprehensive update, with assistance from OEM and other University departments/units as needed.

Procedures, Guidelines & Other Related Information

History

Date | Responsible Party | Action
October 2008 | ITAC/CIO | Created
October 2009 | ITAC/CIO | Reaffirmed
October 2010 | ITAC/CIO | Reaffirmed
October 2011 | ITAC/CIO | Reaffirmed
October 2012 | ITAC/CIO | Reaffirmed
December 2012 | IT Policy Office | Minor rewording for clarity
August 2015 | IT Policy Office/ISO | Three year review, alignment with University Policy 1021, updated titles, links, and definitions.
August 2018 | IT Policy Office | Definitions and links checked, minor rewording
October 2021 | IT Policy Office | Definitions and links checked
December 2023 | IT Policy Office | Definitions and links checked, minor rewording