Longwood University
Policy 6126
BUSINESS IMPACT ANALYSIS/RISK ASSESSMENT POLICY
I. PURPOSE
This policy establishes the requirements to perform and document a periodic business impact analysis and risk assessment (BIA/RAs) throughout the University.
A. COV IRTM Information Technology Security Standards
1. Each Agency must conduct a business impact analysis and risk assessment throughout the Agency (to include relevant business partners) to identify various levels of sensitivity associated with the information resources as defined; to identify the potential security threats to those resources; and to determine the appropriate level of security to be implemented to safeguard those resources. The business impact analysis and risk assessment can be reviewed and updated as needed, but at minimum must be reviewed and updated every three years.
2. Security programs must include protective measures and procedures to ensure that the appropriate levels of confidentiality, integrity and availability of data, information, and systems are sustainable.
II. DEFINITIONS
A. Information assets: Any hardware, software, systems, services, personnel, information (printed and/or electronic) and any other related technology assets that are important to the University.
B. Sensitive assets: Information assets that require protection against unavailability, unauthorized access, or disclosure. Sensitive information assets may be confidential and/or critical.
1. Confidential – For example, the departmental assets may require protection under the “Government Data Collection and Dissemination Practices Act” (Code of Virginia § 2.2-3800), the federal Family Educational and Rights to Privacy Act (FERPA) or the federal Gramm-Leach-Bliley Act (GLBA).
2. Critical – The department cannot operate without this information asset even for a short period of time. For example, the unavailability of a database may adversely affect the ability of a department to function.
III. POLICY
A. Responsibilities:
1. Vice Presidents are responsible for the execution, development and implementation of remediation programs/safeguards for the information assets being assessed in their area. They are also responsible for appointing departmental representatives (Team Leaders) for their respective areas.
2. Team Leaders are expected to follow the instructions and format, approved by the Information Security Office, for conducting and completing their departmental BIA/RA. Team Leaders may also form teams to include other departmental individuals to assist in the process.
3. The Information Security Office (ISO) will assist and direct departmental Team Leaders in the development and completion of their BIA/RAs and provide information/training sessions. Completed and approved BIA/RAs submitted to the ISO will be kept and maintained by the ISO in a central, auditable location.
4. The Chief Information Officer (CIO) or his/her designee may request BIA/RAs to be conducted on any entity/department throughout the University (to include relevant business partners).
B. Requirements: The BIA/RA process must identify information assets that are sensitive to the University; identify and evaluate the potential security threats, and associated risks, to those assets; and determine the appropriate level of security to be implemented to safeguard the assets. The business impact analysis and risk assessment can be updated as needed, but at a minimum must be reviewed and updated every three years.