The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

1. Purpose

   The purpose of this standard is to provide the University community with an understanding of the Business Impact Analysis (BIA) requirements.

2. Definitions

   Business Impact Analysis (BIA) - Business Impact Analysis (BIA) is an information gathering process that identifies critical functions and resources of an organization and acts as the foundation for business continuity planning.

   Continuity of Operations - A process of identifying the essential functions - including staff, systems, and procedures - that ensures the continuation of the University's ability to operate.

   Data Compliance Owners - University directors (typically at the level of Registrar, or Unit Director) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of university data under their purview.

   Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.

   Office of Emergency Management (OEM) - The office at Old Dominion University responsible for the coordination of efforts to prepare for and carry out the functions to prevent, minimize, respond to, and recover from incidents caused by natural hazards, human-caused hazards, and acts of terrorism.

   Risk Assessment is a managerial process used to determine the probability and impact of threats caused by the human and technological environment on University assets.

   System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview.

3. Standards Statement

   The Business Impact Analysis (BIA) is an integral part of the University's Emergency Management Program. The BIA defines certain critical information needed to complete and complement the University Continuity of Operations Plan.

   System Compliance Owners, Data Compliance Owners and business stakeholders are required to participate in the assessment and development of Old Dominion University's Business Impact Analysis (BIA).

   With the assistance of the Office of Emergency Management (OEM), Information Technology Services is responsible for the management of the Business Impact Analysis.

   BIA Requirements

   The BIA must identify primary critical business functions, necessary supporting resources, acceptable downtime, and restoration goals and those secondary functions on which each essential function depends and on University goals and objectives and the IT industry best practices.

   The BIA must identify the resources that support each primary and secondary essential business function. For IT systems and/or data that support a primary or secondary essential business function, the BIA must specify to what extent the essential business function depends upon the specific IT system and/or data.

   The BIA management team must produce a BIA report for which the IT component:

   1. Documents the dependence of the ODU's primary and secondary essential business functions on specific IT systems and/or data;
   2. Specifies the required recovery time for the IT systems and/or data on which a primary or secondary essential business function depends and are based upon Old Dominion University goals and objectives;
   3. And documents the extent to which an essential business function depends upon the IT systems and/or data.

   
   The IT information documented in the BIA report will be used as a primary input to:

   1. IT System and Data Sensitivity Classification
   2. Risk Assessment
   3. IT Contingency Planning

   
   The BIA is reviewed and updated by business stakeholders annually and is subject to a triennial formal assessment and comprehensive update with the assistance from OEM and other University departments/units as needed.

4. Procedures, Guidelines & Other Related Information

   Federal and State Law

   University Policy 1021 - Emergency Management Policy

   University Policy 3505 - Information Technology Security Policy

   IT Standard 07.2.0 Business Continuity and Disaster Recovery Plan Standard

   IT Standard 8.1.0 Risk Assessment Standard

5. History

   Date	Responsible Party	Action
   October 2008	ITAC/CIO	Created
   October 2009	ITAC/CIO	Reaffirmed
   October 2010	ITAC/CIO	Reaffirmed
   October 2011	ITAC/CIO	Reaffirmed
   October 2012	ITAC/CIO	Reaffirmed
   December 2012	IT Policy Office	Minor rewording for clarity
   August 2015	IT Policy Office/ISO	Three year review, alignment with University Policy 1021, updated titles, links, and definitions.
   August 2018	IT Policy Office	Definitions and links checked, minor rewording
   November 2021	IT Policy Office	Definitions and links checked