NC State University
Risk Assessment and Business Impact Analysis
Version 7
Purpose: The purpose of this questionnaire is to solicit information concerning the exposure and impacts that will result if your Functional Business Unit experiences a significant outage. This information will be combined with that provided by other functional business units to assess the overall financial exposures and operational impacts should a disruption in business activities occur at NC State University. The financial and operational impact information will be used to determine each unit's maximum tolerable downtime, which will be considered when determining an appropriate set of recovery alternatives for each functional business unit.

Date Started:
Department/College:
Business Unit:
Department Head/Dean:
Building:
Campus Box:
Cohort Coordinator:
Coordinator Phone:
Coordinator Fax:
Person(s) Editing this Template:
Business Unit Mission Statement:
Review Date with Department of Business Continuity:
Date Completed:
Developed by the Department of Business Continuity (515-5201)
Page 1 of 20
Business Unit Assessment

Answer each item Yes/No/NA/Unk and explain your answer.

BUSINESS CONTINUITY PLANS
1. Your department has a business continuity plan.
2. Accountability for business continuity and disaster recovery is assigned in your department.
3. Critical business processes and functions are identified and prioritized.
4. Business continuity procedures and plans are documented for all critical business processes and functions.
5. Departmental roles and responsibilities for recovery are documented.
6. A central repository is used to store business continuity plans.
7. Call trees are updated quarterly.
8. Copies of reciprocal agreements, or service bureau or hot/cold site agreements, are kept at an off-site location.
9. Critical vendor lists and emergency telephone contact numbers are maintained.
10. Your customers are aware of your alternative processes and capabilities during an interruption of normal business operations.
11. Your suppliers are aware of what must be done in terms of alternative methods during an interruption of normal business operations.

VITAL RECORDS (Critical Files, Manuals, Student or Research Records, Data)
12. A retention period has been established for all critical records.
13. All critical records have been identified.
14. All critical records stored on-site are inventoried.
15. Historical records have been inventoried and stored off-site.
16. All irreplaceable records have been identified.
17. All critical computer files are stored off-site on a regular basis.
18. Critical operating documentation is stored off-site.
TRAINING AND TESTING
19. Regularly scheduled training is conducted for key disaster recovery personnel or recovery teams.
20. Business continuity is discussed during new employee orientation.
21. Business Continuity/Disaster Recovery plans are tested annually.

PHYSICAL SECURITY
25. Evacuation routes are posted throughout the building with easy visibility.
26. Building entrances use security devices requiring keys, pass-codes or magnetic badges.
27. Security policies/guidelines/procedures are published for employee access.
28. Restricted areas are controlled and supervised.
29. Vendor personnel are required to show positive identification.
30. Keys and badges are collected from terminated employees and/or access codes are changed.

ENVIRONMENTAL CONTROLS
31. Critical equipment is located above water grade.
32. Adequate water drainage is provided (under raised floor, on floors above, in adjacent areas).
33. Water detection devices are located under the raised floor (equipment room).
34. Adequate water leak controls are in place.
35. Employees are informed of the procedure to report a water leak and the location of water pipe shut-off valves.
36. Equipment is located away from sprinkler heads.
37. Windows are inoperable (cannot be opened).
38. Covers for equipment, in case of sprinkler release, are available and located near the equipment.
PERSONNEL CONSIDERATIONS
39. An adequate number of personnel is available to perform critical job functions.
40. Controls are established for terminating/transferring employees.
41. Alternate personnel have been identified to perform critical functions.
42. A list of critical personnel and job functions is documented.

INSURANCE
46. Your department's Business Continuity Plan identifies the insurance contact person for your department.

RESEARCH, PLANT, OR LABORATORY CONSIDERATIONS
47. There is adequate storage for hazardous materials and chemicals.
48. Safety plans are in place for all areas where hazardous materials are used and hazardous processes are conducted.
49. Adequate ventilation controls are in place.
50. Provisions have been made for storage of materials requiring refrigeration.
51. Research projects that are contingent on electricity are documented.
52. Select agents are secured.
53. Refrigerators in labs are secured.
54. Unauthorized individuals are restricted from access to labs.
55. Lab check-out procedures are followed when staff are no longer assigned to a particular lab.
56. Campus IDs are required to be worn in labs by all staff, faculty, and students.
57. Lab supervisors are aware of the Laboratory Security and Safety Guidelines.
58. The Supervisor Safety Inspection Checklist is completed annually.
59. Procedures are in place for management of materials left behind by professors.
60. Functions performed by critical faculty/staff are documented.
61. Procedures are in place for transitioning responsibilities to new faculty/staff.

SPACE PLANNING
62. Interim/alternate space (office, classroom, laboratory, etc.) has been identified to carry out critical departmental functions.
63. Critical employees who will require interim office space have been identified.
64. Critical employees who could use open office space (cubicles) have been identified.
65. Critical employees who could work from home have been identified.
66. Special equipment needs for space have been identified.
67. Functions in your department that must remain co-located have been identified.
68. Functions in your department that must remain on campus, and those that could temporarily be housed off campus, have been identified.
69. For research lab space, the equipment that should be provided to stabilize or preserve research activities, samples and material in the interim until fully functional space can be provided (freezers, environmental or isolation chambers, fume hoods, etc.) has been identified.
70. For research lab space, the number of research faculty/staff who could share lab space with other researchers doing similar work on an interim basis has been identified.
71. Departmental space contacts are documented.
72. Floor plans are current, available, and kept off-site.
WORKING FROM HOME (Critical staff must have their own ISP)
73. Have critical staff ever accessed any campus application remotely?
74. Do critical staff need to access any campus applications remotely?
77. If your department is an NCS customer and critical staff may need to access their network home directory (H drive), do these critical staff have Netdrive installed on their home PCs?
78. Do critical staff have the most recent virus protection files and service packs installed on their home PCs?
79. Have critical staff tested dialing in successfully within the past month (do they know their passwords, or have the passwords expired)?

SOFTWARE CONSIDERATIONS
80. Departmental software is upgraded as needed to ensure business functions can be performed.
81. Critical departmental software is backed up and the backups are stored off-site.
82. Software upgrades are planned to minimize disruption to employees and job functions.
83. Master and backup copies of departmental software are secured.
84. Departmental software documentation is secured.
85. Anti-virus software is installed and continuously enabled on all departmental computers, laptops, and networks.
86. Departmental databases are backed up. Explain how often.
HARDWARE CONSIDERATIONS
87. Computers that are in open areas are secured.
88. Departmental computer drive keys are not left in the machines, but are properly secured.
89. Departmental server recovery documentation is stored off-site.
90. Departmental CPUs are locked so that the cover cannot be removed and internal boards taken out.
91. Data storage media (tapes, disks, CD-ROM) are properly secured.
92. An inventory (including serial number and University equipment tag number) of departmental computers, laptops and other portable components is maintained.
93. Non-removable labels are attached to computers, laptops, and laptop cases.
94. Check-out procedures are used for computers on loan.
95. Computers are sanitized before being surplused.

OFF-SITE STORAGE (Alternate storage location of vital records external to your facility)
96. An off-site storage location has been identified and is utilized.
97. The facility is located at a sufficient distance from your office that a disaster would not impact both locations similarly.
98. Your administrative and other records are either backed up through CASS facilities, which provide daily off-campus file storage, or are otherwise backed up daily both on and off campus.
99. The facility is accessible within a reasonable period of time, so that the records can be obtained quickly.

OUTSOURCING USING A THIRD PARTY VENDOR
100. Your department has verified that your service providers have disaster recovery plans.
101. Results of the service provider's DR test have been verified and the recovery time objectives are satisfactory.
102. Your department knows its recovery priority in relation to the service provider's other customers.
Risk Assessment
10/17/2008

Risks may be the result of a threat. The risks below may result from the following threats: natural threats (hurricane, snow storm, tornado), loss of key staff, technology disruptions, temporary or long-term loss of facility, or utility disruption.

For each University Risk listed, complete the following columns:
Departmental Risk? (YES/NO)
Probability (1, 2, 3)
Impact during critical time of year (1, 2, 3)
Weight Factor
Weighted Result (probability x impact x weight factor); this column reads 0 until the other columns are filled in.

University Risks:
Air Conditioning Failure
Anticipated Loss of Key Staff
Back-up tapes of the wrong data
Bad Credit Rating with Service Providers
Bombing
Cancellations of Events
Computer Equipment/Hardware Failure
Construction incidents or accidents
Contract Violations
Cooling Plant Failure
Corruption of database
Data Center Disruption
Declaration fees from Service Provider
Decrease in enrollment
Departmental Server failure
Embezzlement
Epidemic
Equipment Failure
External Fire - Major
Firewall Corruption/Destruction
Flooding
Flooding not related to Natural Disasters
Improper Use of Information
Inability to access backup records/data
Inability to access off-site storage area
Inability to access website
Inability to Make Deposits
Inability to Make Transfers
Infectious Animal Diseases
Internal Fire - Major
Late Payments
Law Suits
Loss of Grant
Loss of Revenue
Media Failure (Data Tapes)
Negative reporting in Newspaper or Television
Nuclear Reactor Malfunctioning
Operating System Failure
Overdraft Fees
Premium charges for Purchases
Radioactive Contamination
Regulatory Noncompliance
Repayment of Grant Funds
Robbery
Sabotage
Security Breaches (Computer)
Service Provider Business Disruption
Software/Application Failure
Tainted public image
Tarnished brand image
Telecommunications Failure - Data Network
Telecommunications Failure - Voice
Terrorism
Train Derailment - Freight
Unavailability of Campus Transportation
Vandalism
Virus Attacks
Water leaks
Workplace violence

Developed by the NC State University Department of Business Continuity and Disaster Recovery
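The Weighted Result column is defined on the worksheet as probability x impact x weight factor, with a YES/NO flag for whether each university-level risk applies to the department. As an added worked example (not part of the NC State questionnaire or its tooling), the following Python script scores a constructed sample register that way and ranks it, rejecting probability or impact values outside the 1-3 scale so that a typo cannot silently inflate or hide a risk. The CSV column names, and the treatment of the weight factor as a positive multiplier defaulting to 1.0 when blank, are assumptions; the worksheet leaves that column for the department to define.

```python
"""Weighted scoring for the Risk Assessment worksheet.

Constructed example for this page; it is not NC State's own tool. The
worksheet defines Weighted Result = probability x impact x weight factor,
with probability and impact each scored 1, 2 or 3 and a YES/NO flag for
whether the university-level risk applies to the department. The weight
factor is assumed here to be a positive multiplier that defaults to 1.0
when the cell is blank (assumption, not from the worksheet).
"""
import csv
import io
from dataclasses import dataclass

SCALE = (1, 2, 3)


@dataclass(frozen=True)
class RiskRow:
    risk: str
    departmental: bool   # "Departmental Risk? (YES/NO)"
    probability: int     # 1, 2 or 3
    impact: int          # 1, 2 or 3, during the critical time of year
    weight: float        # weight factor (assumed positive multiplier)


def parse_register(text):
    """Parse a CSV export of the worksheet into RiskRow objects.

    Column names are an assumption. Blank probability/impact cells are read
    as 0 (not scored) and a blank weight as 1.0. For a risk marked YES, a
    probability or impact outside 1-3 raises ValueError.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        name = rec["Risk"].strip()
        dep = rec["Departmental Risk"].strip().upper() == "YES"
        prob = int(rec["Probability"] or 0)
        imp = int(rec["Impact"] or 0)
        for label, val in (("Probability", prob), ("Impact", imp)):
            if dep and val not in SCALE:
                raise ValueError(f"{name}: {label} must be 1, 2 or 3, got {val!r}")
        weight = float(rec["Weight Factor"] or 1.0)
        if weight <= 0:
            raise ValueError(f"{name}: weight factor must be positive, got {weight!r}")
        rows.append(RiskRow(name, dep, prob, imp, weight))
    return rows


def weighted_result(row):
    """Worksheet formula: probability x impact x weight factor.

    A risk the department marked NO contributes 0, matching the worksheet's
    default of 0 for unfilled rows.
    """
    if not row.departmental:
        return 0.0
    return row.probability * row.impact * row.weight


def rank(rows):
    """Return (risk, weighted result) pairs, highest exposure first."""
    scored = [(r.risk, weighted_result(r)) for r in rows]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample register; the values are illustrative, not NC State data.
SAMPLE_CSV = """Risk,Departmental Risk,Probability,Impact,Weight Factor
Departmental Server failure,YES,3,3,1.5
Security Breaches (Computer),YES,2,3,2
Media Failure (Data Tapes),YES,2,2,
Nuclear Reactor Malfunctioning,NO,,,
Virus Attacks,YES,3,2,1
"""

if __name__ == "__main__":
    for risk, score in rank(parse_register(SAMPLE_CSV)):
        print(f"{score:6.1f}  {risk}")
```

Run as a script it prints the sample register in descending order of weighted result; the blank weight on the tape-failure row falls back to 1.0, and the reactor row, marked NO, scores 0 regardless of what is in its other columns.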
List your Critical Business Processes

Complete one Critical Processes worksheet for each critical process. RTO is the recovery time objective: the maximum time the process can go without the named resource.

Critical Process:
Purpose of Process (e.g. revenue generation, administrative, customer service, support function, ancillary function, etc.):
Recovery Priority:
Time Critical:
RTO Power:
RTO Facility:
RTO Vital Records:
RTO Telephone:
RTO Computing and Network:
List critical Software Applications that support this function:
Describe critical Equipment that supports this function (e.g. computer hardware, lab equipment):
Describe critical Supplies that support this function:
Dependencies: Who is supported by this process?
Dependencies: Who gives support to this process?
Is this process supported by a Vendor? If so, list the vendor.
Operational Risks:
Technology Risks:
Legal Risks:
Financial Risks:
Reputational Risks:
Market/Strategic Risks:
ALTERNATIVE - FACILITY INACCESSIBLE (Risk Mitigation Strategy):
ALTERNATIVE - Power Outage (Risk Mitigation Strategy):
ALTERNATIVE - Long Term Loss of Computing and Networking (Risk Mitigation Strategy):