IT Risk Management
Business Unit Assessment
BUSINESS CONTINUITY PLANS
1 Your department has a business continuity plan.
2 Accountability for business continuity and disaster recovery is assigned in your department.
3 Critical business processes and functions are identified and prioritized.
4 Business continuity procedures and plans are documented for all critical business processes and
5 Departmental roles and responsibilities for recovery are documented.
6 A central repository is used to store business continuity plans.
7 Call trees are updated quarterly.
8 Copies of reciprocal agreements, or service bureau or hot/cold site agreements, are kept at an off-site location.
9 Critical vendor lists and emergency telephone contact numbers are maintained.
10 Your customers are aware of your alternative process and capabilities during an interruption of normal business operations.
11 Your suppliers are aware of what must be done in terms of alternative methods during an interruption of normal business operations.
VITAL RECORDS (Critical Files, Manuals, Student or Research Records, Data)
12 A retention period has been established for all critical records.
13 All critical records have been identified.
14 All critical records stored on-site are inventoried.
15 Historical records have been inventoried and stored off-site.
16 All irreplaceable records have been identified.
17 All critical computer files are stored off site on a regular basis.
18 Critical operating documentation is stored off site.
TRAINING AND TESTING
19 Regular scheduled training is conducted for key disaster recovery personnel or recovery teams.
20 Business Continuity is discussed during new employee orientation.
21 Business Continuity/Disaster Recovery Plans are tested annually.
25 Evacuation routes are posted throughout the building with easy visibility.
26 Building entrances utilize security devices requiring keys, pass-codes or magnetic badges.
27 Security policies/guidelines/procedures are published for employee access.
28 Restricted areas are controlled and supervised.
29 Vendor personnel are required to show positive identification.
30 Keys and badges and/or change codes are requested from terminated employees.
31 Critical equipment is located above water grade.
32 Adequate water drainage (under raised floor, on floors above, in adjacent areas)
33 Water detection devices located under raised floor (equipment room)
34 Adequate water leak controls
35 Employees are informed of the procedure to report a water leak and of the location of water pipe shut-off valves.
36 Equipment located away from sprinkler heads
37 Inoperable Windows
38 Covers for equipment in case of sprinkler release available and located near equipment
39 Adequate number of personnel to perform critical job functions
40 Controls established for terminating/transferring employees
41 Alternate personnel have been identified to perform critical functions.
42 A list of critical personnel and job functions is documented.
Your department's Business Continuity Plan reflects the Insurance Contact person for your
RESEARCH, PLANT, OR LABORATORY CONSIDERATIONS
47 There is adequate storage for hazardous materials and chemicals.
48 Safety plans are in place for all areas where hazardous materials are used and hazardous processes are conducted.
49 Adequate ventilation controls are in place.
50 Provisions have been made for storage of materials requiring refrigeration.
51 Research projects that are contingent on electricity are documented.
52 Select agents are secured.
53 Refrigerators in labs are secured.
54 Unauthorized individuals are restricted from access to labs.
55 Lab check-out procedures are followed when staff are no longer assigned to a particular lab.
56 Campus IDs are required to be worn in labs by all staff, faculty, and students.
57 Lab Supervisors are aware of Laboratory Security and Safety Guidelines.
58 The Supervisor Safety Inspection Checklist is completed annually.
59 Procedures are in place for management of materials left behind by professors.
60 Functions are documented which are performed by critical faculty/staff.
61 Procedures are in place for transitioning responsibilities to new faculty/staff.
62 Interim/alternate space has been identified (office, classroom, laboratory, etc.) to carry out critical departmental functions.
63 Critical employees that will require interim office space have been identified.
64 Critical employees that could use open office space (cubicles) have been identified.
65 Critical employees that could work from home have been identified.
66 Special equipment needs for space have been identified.
67 Functions in your department that must remain co-located have been identified.
68 Functions in your department that must remain on campus and which could temporarily be housed off campus have been identified.
69 For Research Lab Space, equipment that should be provided to stabilize or preserve research activities, samples and material in the interim until fully functional space can be provided (freezers, environmental or isolation chambers, fume hoods, etc.) has been identified.
70 For Research Lab Space, the number of research faculty/staff that could share lab space with other researchers doing similar work on an interim basis has been identified.
71 Departmental space contacts are documented.
72 Floor plans are current, available, and kept off site.
WORKING FROM HOME (Critical staff must have their own ISP)
73 Have critical staff ever accessed any campus application remotely?
74 Do critical staff have the need to access any campus applications remotely?
77 If your department is an NCS Customer and critical staff may need to access their network home directory (H drive), do these critical staff have Netdrive installed on their home PC?
78 Do critical staff have the most recent virus protection files and service packs on their home PCs?
79 Have critical staff tested dialing in successfully within the past month (do they know their passwords, or have they expired)?
80 Departmental software is upgraded as needed to ensure business functions can be performed.
81 Critical departmental software is backed up and the back-ups are stored off site.
82 Software upgrades are planned to minimize employee disruption and job function disruption.
83 Master and backup copies of departmental software are secured.
84 Departmental software documentation is secured.
85 Anti-virus software is installed and continuously enabled on all departmental computers, laptops,
86 Departmental databases are backed up. Explain how often.
87 Computers that are in open areas are secured.
88 Departmental computer drive keys are not left in the machines, but are properly secured.
89 Departmental server recovery documentation is stored off-site
90 Departmental CPUs are locked so that the cover cannot be removed and internal boards removed.
91 Data storage media (tapes, disks, CD-ROM) are properly secured.
92 An inventory (including serial numbers and University equipment tag numbers) of departmental computers, laptops and other portable components is maintained.
93 Non-removable labels are attached to computers, laptops, and laptop cases.
94 Check-out procedures are used for computers on loan.
95 Computers are sanitized before being surplused.
OFF-SITE STORAGE (Alternate storage location of vital records external to your facility)
96 An Off-Site Storage location has been identified and utilized.
97 The facility is located at a sufficient distance from your office such that a disaster would not impact both locations similarly.
98 Your administrative and other records are either backed up through CASS facilities, which have daily off-campus file storage, or are otherwise backed up daily both on and off campus.
99 The facility is accessible within a reasonable period of time such that the records can be obtained
OUTSOURCING USING A THIRD PARTY VENDOR
100 Your department has verified that your service providers have disaster recovery plans.
101 Results of the service provider's DR Test have been verified and the recovery time objectives are
102 The recovery priority is known by your department in relationship to other service provider customers.
Risks may be a result of a threat. The risks below may be a result of the following threats: Natural Threats (Hurricane, Snow Storm, Tornado), Loss of

For each risk listed, record the following: Departmental Risk?; Probability (1, 2, 3); Impact during critical time of year (1, 2, 3); Weight Factor; Weighted Result (probability x impact x weight).

Risk
Air Conditioning Failure
Anticipated Loss of Key Staff
Back-up tapes of the wrong data
Bad Credit Rating with Service Providers
Cancellations of Events
Computer Equipment/Hardware Failure
Construction incidents or accidents
Cooling Plant Failure
Corruption of database
Data Center Disruption
Declaration fees from Service Provider
Decrease in enrollment
Departmental Server failure
External Fire - Major
Flooding not related to Natural Disasters
Improper Use of Information
Inability to access backup records/data
Inability to access off-site storage area
Inability to access website
Inability to Make Deposits
Inability to Make Transfers
Infectious Animal Diseases
Internal Fire - Major
Loss of Grant
Loss of Revenue
Media Failure (Data Tapes)
Negative reporting in Newspaper or Television
Nuclear Reactor Malfunctioning
Operating System Failure
Premium charges for Purchases
Repayment of Grant Funds
Security Breaches (Computer)
Service Provider Business Disruption
Tainted public image
Tarnished brand image
Telecommunications Failure - Data Network
Telecommunications Failure - Voice
Train Derailment – Freight
Unavailability of Campus Transportation
For each critical business process, record the following:

List your Critical Business Processes
Purpose of Process (e.g. revenue generation, administrative, customer service, support function, ancillary function, etc.)
Critical Priority
Recovery Time Objective (RTO) for each of: Power; Facility; Vital Records; Telephone; Computing and Network
List critical Software Applications that support this function
Describe critical Equipment that supports this function (e.g. Computer hardware, lab
Describe critical Supplies that support this function
Dependencies: Who is supported by this process?
Dependencies: Who gives support to this process?
Is this process supported by a Vendor? If so, list the vendor.
Operational Risks
Technology Risks
Legal Risks
Financial Risks
Reputational Risks
Market/Strategic Risks
ALTERNATIVE - FACILITY INACCESSIBLE (Risk Mitigation Strategy)
ALTERNATIVE - Power Outage (Risk Mitigation Strategy)
ALTERNATIVE - Long Term Loss of Computing and Networking (Risk Mitigation Strategy)