Policy for Review

Policy #4108 is presented here for your review. Please send all comments, suggestions, and questions to

Title: SVHEC Business Impact Analysis Policy
Responsible Oversight Director:  Executive Director
Author: SVHEC ISO
Original Policy Creation Date: February 8, 2024
Date of Current Revision:  NEW POLICY (February 8, 2024)

PURPOSE

The purpose of this policy is to create a prescriptive set of processes and procedures, aligned with applicable COV IT security policy and standards, to ensure that the Southern Virginia Higher Education Center (SVHEC) develops, disseminates, and updates the Business Impact Analysis (BIA). This policy establishes the minimum requirements for the Business Impact Analysis.

This policy is intended to meet the requirements outlined in (COV VITA’s) SEC501, Section 3 Business Impact Analysis.

AUTHORITY

Virginia Code Section 23.1-3120 through 23.1-3124, as amended, grants authority to the Board of Trustees to establish rules and regulations for the institution. Section VIII (E) of the Board of Trustees Bylaws grants authority to the Executive Director to implement the policies and procedures of the Board relating to the SVHEC operations. The Virginia Public Records Act (VPRA), Virginia Code § 42.1-76 through § 42.1-91, requires the SVHEC to implement a sound records management program, which includes adopting Library of Virginia-approved records retention and disposition schedules, documenting the destruction of scheduled records, training employees, and creating and disseminating records management procedures.

The policies of the SVHEC fall within the following framework and hierarchy and therefore, are subject to compliance with laws and regulations instituted by higher levels of authority:

  1. Federal laws and regulations
  2. State laws and regulations
  3. Board of Trustees policies
  4. SVHEC policies
  5. Departmental policies and procedures

In the event of a conflict between different levels in 1 through 5 above, the lower numerical heading shall take precedence over a higher numerical heading.

DEFINITIONS

ACRONYMS

  • BIA:     Business Impact Analysis
  • CIO:     Chief Information Officer
  • COV:     Commonwealth of Virginia
  • CSRM:    Commonwealth Security and Risk Management
  • MEF:     Mission Essential Function
  • ISO:     Information Security Officer
  • IT:      Information Technology
  • ITRM:    Information Technology Resource Management
  • PBF:     Primary Business Function
  • RPO:     Recovery Point Objectives
  • RTO:     Recovery Time Objective
  • SEC501:  Information Security Standard 501
  • SVHEC:   Southern Virginia Higher Education Center

DEFINITIONS

See COV ITRM Glossary

See VITA’s website: vita.virginia.gov

SCOPE

This policy applies to all SVHEC employees (full-time, part-time, and contractual), and authorized agents of the SVHEC and its affiliates.

BACKGROUND

The Business Impact Analysis Policy at SVHEC is intended to facilitate the effective implementation of the processes necessary to meet the Business Impact Analysis requirements as stipulated by the COV ITRM Security Standard SEC501 and security best practices.  This policy directs SVHEC to meet those requirements for all IT systems.

Preparing for business interruptions is required by the Commonwealth of Virginia for all agencies. Business interruption preparation activities are formalized by executing a well-defined business continuity process. This process consists of several steps leading to an effective restoration solution for SVHEC’s mission essential and primary business functions and their supporting processes and resources that may be affected by a business interruption.

The BIA addresses the first step in SVHEC’s business continuity process. The BIA identifies each business function executed by the organization, determines the impact of its failure on the organization, in both tangible and non-tangible terms, identifies the resources that will be required to restore the business function, and in the case of multiple failures, prioritizes the order by which business functions will be restored.

ROLES & RESPONSIBILITY

This section summarizes the roles and responsibilities described in the Policy Statement section. The following Roles and Responsibility Matrix uses four designations:

  1. Responsible (R) – Person working on activity
  2. Accountable (A) – Person with decision authority and one who delegates the work
  3. Consulted (C) – Key stakeholder or subject matter expert who should be included in decision or work activity
  4. Informed (I) – Person who needs to know of decision or action
Tasks                                       Agency Head   Information Security Officer   SVHEC Business Owners   Data and System Owners
Designate SVHEC’s Business Owners           A/R           I
Coordinate BIA                              A             R                              R
Develop a list of all business functions    I             A                              R
Create MEFs and PBFs                        I             A                              R
Determine resources for MEFs and PBFs       I             A                              R
Document RTO and RPO for MEFs and PBFs      I             A                              R
Produce BIA                                 A             R
Review BIA on an annual basis               A             C                              C
Review and approve BIA                      A/R           C

POLICY STATEMENT

In accordance with SEC501, SVHEC shall identify their business functions that are essential to its mission, and identify the resources that are required to support these business functions by performing a Business Impact Analysis (BIA). SVHEC shall create a single BIA that meets the requirements of SEC501 and can be used to develop an IT Disaster Recovery Plan, if applicable.

BUSINESS IMPACT ANALYSIS

The Information Security Officer shall collaborate with SVHEC’s Business Owners (as designated by SVHEC’s Executive Director) to develop the SVHEC’s BIA.

Each of SVHEC’s Business Owners shall develop a list of all business functions that they execute on a routine, occasional, or periodic basis. The documentation shall include, at a minimum:

  1. The primary objectives, customers, and applications of the business function.
  2. Any sensitive data used in or produced by the business function.
  3. The potential harm that would occur if the business function were not performed.

[Note: A Business Function Information Template to document this information will be provided by the Commonwealth Security and Risk Management Directorate. The SVHEC’s BIA will be uploaded into CSRM’s Archer Application.]

The SVHEC’s ISO will compile the information from the Business Function Information Templates to create a prioritized list of business functions. Identified business functions shall be classified as:

  1. Mission essential functions (MEF): functions that cannot be deferred during an emergency or disaster; or
  2. Dependent and supporting functions, known as primary business functions (PBF), on which each mission essential function depends.

For each MEF and PBF, the SVHEC’s Business Owners will:

  1. Determine the resources required by the function. Examples of resources may include offices and furniture, data center facilities, utilities, phone and fax services, IT systems (hardware and software), data communications services, transportation and fueling services, personnel, periodic maintenance services, etc.
  2. Assess whether the function depends on an IT system. If the business function is dependent on IT resources, the SVHEC ISO will determine, in consultation with the SVHEC’s Business Owners, the extent to which the business function depends on the IT resources. Each IT system that is required to recover an MEF or PBF shall be considered sensitive relative to availability. For each such system, the SVHEC ISO will, in consultation with the SVHEC’s Business Owners:
     a. Document the Recovery Time Objective (RTO).
     b. Document the Recovery Point Objective (RPO).

The SVHEC’s ISO will use this information to identify the minimum number of types and quantities of resources that must be restored at an alternate site to provide an acceptable level of service during a business interruption.

Some resources may be shared by several business processes and may have different priority levels depending on their criticality. In such cases, the resource priority designation for restoration purposes shall be the highest priority assigned.

The SVHEC ISO, with the participation of System and Data Owners, will produce a BIA report that:

  1. Documents the dependence of the SVHEC’s mission essential and primary business functions on business processes and resources, including specific IT systems and/or data; and
  2. Specifies the required recovery time for each process and resource, including IT systems and/or data, on which mission essential and primary business functions depend, based on:
     • Agency and COV goals and objectives; and
     • The extent to which mission essential and primary business functions depend upon the specific resource, including IT systems and/or data.

The SVHEC’s ISO will provide the BIA report to the SVHEC’s System Owners and Data Owners for use in IT system and data sensitivity classification and risk assessment, and will use the BIA report in IT contingency planning.

The SVHEC’s ISO and SVHEC’s Business Owners will conduct an annual review of the BIA to determine its currency, and will facilitate updating the BIA, as necessary, and no less than once every three years.

The SVHEC’s Executive Director will review and approve the BIA after initial completion and following subsequent updates.

RELATED INFORMATION

REFERENCE

      ITRM Information Security Policy (SEC519)

      ITRM Information Security Standard (SEC501)