NC State University Risk Assessment and Business Impact Analysis Version 7
Developed by the Department of Business Continuity (515-5201)
Date Started:
Department/College:
Business Unit:
Department Head/Dean:
Building:
Campus Box:
Cohort Coordinator:
Coordinator Phone:
Coordinator Fax:
Person(s) Editing this Template:
Date Completed:
Purpose: The purpose of this questionnaire is to solicit information concerning the exposure and impacts that will result if your Functional Business Unit experiences a significant outage. This information will be combined with that provided by other functional business units to assess the overall financial exposures and operational impacts should a disruption in business activities occur at NC State University. The financial and operational impact information will be used to determine each unit's maximum tolerable downtime, which will be considered when determining
Business Unit Mission Statement:
Review Date with Department of Business Continuity:
NC State University Business Unit Assessment Version 7
Assessment | Yes/No/NA/Unk | Explain

BUSINESS CONTINUITY PLANS
1. Your department has a business continuity plan.
2. Accountability for business continuity and disaster recovery is assigned in your department.
3. Critical business processes and functions are identified and prioritized.
4. Business continuity procedures and plans are documented for all critical business processes and functions.
5. Departmental roles and responsibilities for recovery are documented.
6. A central repository is used to store business continuity plans.
7. Call Trees are updated quarterly.
8. Copies of reciprocal agreements, or service bureau or hot/cold site are kept at an off-site location.
9. Are critical vendor lists and emergency telephone contact numbers maintained?
10. Your customers are aware of your alternative process and capabilities during an interruption of normal business operations.
11. Your suppliers are aware of what must be done in terms of alternative methods during an interruption of normal business operations.

VITAL RECORDS (Critical Files, Manuals, Student or Research Records, Data)
12. A retention period has been established for all critical records.
13. All critical records have been identified.
14. All critical records stored on-site are inventoried.
15. Historical records have been inventoried and stored off-site.
16. All irreplaceable records have been identified.
17. All critical computer files are stored off site on a regular basis.
18. Critical operating documentation is stored off site.

TRAINING AND TESTING
19. Regular scheduled training is conducted for key disaster recovery personnel or recovery teams.
20. Business Continuity is discussed during new employee orientation.
21. Business Continuity/Disaster Recovery Plans are tested annually.

PHYSICAL SECURITY
25. Evacuation routes are posted throughout the building with easy visibility.
26. Building entrances utilize security devices requiring keys, pass-codes or magnetic badges.
27. Security policies/guidelines/procedures are published for employee access.
28. Restricted areas are controlled and supervised.
29. Vendor personnel are required to show positive identification.
30. Keys and badges and/or change codes are requested from terminated employees.

ENVIRONMENTAL CONTROLS
31. Critical equipment is located above water grade.
32. Adequate water drainage (under raised floor, on floors above, in adjacent areas)
33. Water detection devices located under raised floor (equipment room)
34. Adequate water leak controls
35. Employees are informed of procedure to report water leak or location of water pipe shut-off valves.
36. Equipment located away from sprinkler heads
37. Inoperable Windows
38. Covers for equipment in case of sprinkler release available and located near equipment

PERSONNEL CONSIDERATIONS
39. Adequate number of personnel to perform critical job functions
40. Controls established for terminating/transferring employees
41. Alternate personnel have been identified to perform critical functions.
42. A list of critical personnel and job functions is documented.

INSURANCE
46. Your department's Business Continuity Plan reflects the Insurance Contact person for your department.

RESEARCH, PLANT, OR LABORATORY CONSIDERATIONS
47. There is adequate storage for hazardous materials and chemicals.
48. Safety plans are in place for all areas where hazardous materials are used and hazardous processes are conducted.
49. Adequate ventilation controls are in place.
50. Provisions have been made for storage of materials requiring refrigeration.
51. Research projects that are contingent on electricity are documented.
52. Select agents are secured.
53. Refrigerators in labs are secured.
54. Unauthorized individuals are restricted from access to labs.
55. Lab check-out procedures are followed when staff are no longer assigned to a particular lab.
56. Campus IDs are required to be worn in labs by all staff, faculty, and students.
57. Lab Supervisors are aware of Laboratory Security and Safety Guidelines.
58. The Supervisor Safety Inspection Checklist is completed annually.
59. Procedures are in place for management of materials left behind by Professors.
60. Functions are documented which are performed by critical faculty/staff.
61. Procedures are in place for transitioning responsibilities to new faculty/staff.

SPACE PLANNING
62. Interim/alternate space has been identified (office, classroom, laboratory, etc.) to carry out critical departmental functions.
63. Critical employees that will require interim office space have been identified.
64. Critical employees that could use open office space (cubicles) have been identified.
65. Critical employees that could work from home have been identified.
66. Special equipment needs for space have been identified.
67. Functions in your department that must remain co-located have been identified.
68. Functions in your department that must remain on campus and which could temporarily be housed off campus have been identified.
69. For Research Lab Space, equipment that should be provided to stabilize or preserve research activities, samples and material in the interim until fully functional space can be provided (freezers, environmental or isolation chambers, fume hoods, etc.) has been identified.
70. For Research Lab Space, the number of research faculty/staff that could share lab space with other researchers doing similar work on an interim basis has been identified.
71. Departmental space contacts are documented.
72. Floor plans are current, available, and kept off site.

WORKING FROM HOME (Critical staff must have their own ISP)
73. Have critical staff ever accessed any campus application remotely?
74. Do critical staff have the need to access any campus applications remotely?
77. If your department is an NCS Customer and critical staff may need to access their network home directory (H drive), do these critical staff have Netdrive installed on their home PC?
78. Do critical staff have the most recent virus protection files and service packs on their home PCs?
79. Have critical staff tested dialing in successfully within the past month (do they know their passwords or have they expired?)

SOFTWARE CONSIDERATIONS
80. Departmental software is upgraded as needed to ensure business functions can be performed.
81. Critical departmental software is backed up and the back-ups are stored off site.
82. Software upgrades are planned to minimize employee disruption and job function disruption.
83. Master and backup copies of departmental software are secured.
84. Departmental software documentation is secured.
85. Anti-virus software is installed and continuously enabled on all departmental computers, laptops, networks.
86. Departmental databases are backed up. Explain how often.

HARDWARE CONSIDERATIONS
87. Computers that are in open areas are secured.
88. Departmental computer drive keys are not left in the machines, but are properly secured.
89. Departmental server recovery documentation is stored off-site.
90. Departmental CPUs are locked so that the cover cannot be removed and internal boards removed.
91. Data storage media (tapes, disks, CD-ROM) are properly secured.
92. An inventory (including serial and University equipment tag #) of departmental computers, laptops and other portable components is maintained.
93. Non-removable labels are attached to: computers, laptop, laptop's case.
94. Check out procedures are used for computers on loan.
95. Computers are sanitized before surplused.

OFF-SITE STORAGE (Alternate storage location of vital records external to your facility)
96. An Off-Site Storage location has been identified and utilized.
97. The facility is located at a sufficient distance from your office such that a disaster would not impact both locations similarly.
98. Your administrative and other records are either backed up through CASS facilities which have this daily off campus file storage or are otherwise backed up daily both on and off campus.
99. The facility is accessible within a reasonable period of time such that the records can be obtained quickly.

OUTSOURCING USING A THIRD PARTY VENDOR
100. Your department has verified that your service providers have disaster recovery plans.
101. Results of the service provider's DR Test have been verified and the recovery time objectives are satisfactory.
102. The recovery priority is known by your department in relationship to other service provider customers.

Risk Assessment 04/08/2023
Developed by the NC State University Department of Business Continuity and Disaster Recovery

Risks may be a result of a threat. The risks below may be a result of the following threats: Natural Threats (Hurricane, Snow Storm, Tornado), Loss of Key Staff, Technology Disruptions, Temporary or Long term loss of facility, or Utility Disruption.

University Risks | Weight Factor | Departmental Risk? (YES/NO) | Probability (1, 2, 3) | IMPACT during critical time of year (1, 2, 3) | Weighted Result (probability x impact x weight factor)

Air Conditioning Failure 0
Anticipated Loss of Key Staff 0
Back-up tapes of the wrong data 0
Bad Credit Rating with Service Providers 0
Bombing 0
Cancellations of Events 0
Computer Equipment/Hardware Failure 0
Construction incidents or accidents 0
Contract Violations 0
Cooling Plant Failure 0
Corruption of database 0
Data Center Disruption 0
Declaration fees from Service Provider 0
Decrease in enrollment 0
Departmental Server failure 0
Embezzlement 0
Epidemic 0
Equipment Failure 0
External Fire - Major 0
Firewall Corruption/Destruction 0
Flooding 0
Flooding not related to Natural Disasters 0
Improper Use of Information 0
Inability to access backup records/data 0
Inability to access off-site storage area 0
Inability to access website 0
Inability to Make Deposits 0
Inability to Make Transfers 0
Infectious Animal Diseases 0
Internal Fire - Major 0
Late Payments 0
Law Suits 0
Loss of Grant 0
Loss of Revenue 0
Media Failure (Data Tapes) 0
Negative reporting in Newspaper or Television 0
Nuclear Reactor Malfunctioning 0
Operating System Failure 0
Overdraft Fees 0
Premium charges for Purchases 0
Radioactive Contamination 0
Regulatory Incompliance 0
Repayment of Grant Funds 0
Robbery 0
Sabotage 0
Security Breaches (Computer) 0
Service Provider Business Disruption 0
Software/Application Failure 0
Tainted public image 0
Tarnished brand image 0
Telecommunications Failure - Data Network 0
Telecommunications Failure - Voice 0
Terrorism 0
Train Derailment – Freight 0
Unavailability of Campus Transportation 0
Vandalism 0
Virus Attacks 0
Water leaks 0
Workplace violence 0

NC State University Critical Processes Version 7

Recovery Priority Time Critical
List your Critical Business Processes
Purpose of Process (e.g. revenue generation, administrative, customer service, support function, ancillary function, etc.)
RTO Power
RTO Facility
RTO Vital Records
RTO Telephone
RTO Computing and Network
List critical Software Applications that support this function
Describe critical Equipment that supports this function (e.g. computer hardware, lab equipment)
Describe critical Supplies that support this function
Dependencies: Who is supported by this process?
Operational Risks
Dependencies: Who gives support to this process?
Is this process supported by a Vendor? If so, list the vendor.
Technology Risks
Legal Risks
Financial Risks
Reputational Risks
Market/Strategic Risks
ALTERNATIVE - Facility Inaccessible (Risk Mitigation Strategy)
ALTERNATIVE - Power Outage (Risk Mitigation Strategy)
ALTERNATIVE - Long Term Loss of Computing and Networking (Risk Mitigation Strategy)