
NC State University

Risk Assessment and Business Impact Analysis Version 7

Purpose:
The purpose of this questionnaire is to solicit information concerning the exposure and impacts that will result if your Functional Business Unit experiences a significant outage. This information will be combined with that provided from other functional business units to assess the overall financial exposures and operational impacts should a disruption in business activities occur at NC State University. The financial and operational impact information will be used to determine each unit's maximum tolerable downtime, which will be considered when determining an appropriate set of recovery alternative solutions for each functional business unit.

Date Started:

Department/College:

Business Unit:

Department Head/Dean:

Building:

Campus Box:

Cohort Coordinator:

Coordinator Phone:

Coordinator Fax:

Person(s) Editing this Template:

Business Unit Mission Statement:


Review Date with Department of Business Continuity:

Date Completed:

Developed by the Department of Business Continuity (515-5201) Page 1 of 20


NC State University Business Unit Assessment Version 7

Assessment | Yes/No/NA/Unk | Explain


BUSINESS CONTINUITY PLANS
1 Your department has a business continuity plan.
2 Accountability for business continuity and disaster recovery is assigned in your department.
3 Critical business processes and functions are identified and prioritized.
4 Business continuity procedures and plans are documented for all critical business processes and functions.
5 Departmental roles and responsibilities for recovery are documented.
6 A central repository is used to store business continuity plans.
7 Call Trees are updated quarterly.
8 Copies of reciprocal agreements, or service bureau or hot/cold site agreements, are kept at an off-site location.
9 Are critical vendor lists and emergency telephone contact numbers maintained?
10 Your customers are aware of your alternative process and capabilities during an interruption of normal business operations.
11 Your suppliers are aware of what must be done in terms of alternative methods during an interruption of normal business operations.
VITAL RECORDS (Critical Files, Manuals, Student or Research Records, Data)
12 A retention period has been established for all critical records.
13 All critical records have been identified.
14 All critical records stored on-site are inventoried.
15 Historical records have been inventoried and stored off-site.
16 All irreplaceable records have been identified.
17 All critical computer files are stored off site on a regular basis.
18 Critical operating documentation is stored off site.

TRAINING AND TESTING


19 Regular scheduled training is conducted for key disaster recovery personnel or recovery teams.
20 Business Continuity is discussed during new employee orientation.
21 Business Continuity/Disaster Recovery Plans are tested annually.
PHYSICAL SECURITY
25 Evacuation routes are posted throughout the building with easy visibility.
26 Building entrances utilize security devices requiring keys, pass-codes or magnetic badges.
27 Security policies/guidelines/procedures are published for employee access.
28 Restricted areas are controlled and supervised.
29 Vendor personnel are required to show positive identification.
30 Keys and badges and/or change codes are requested from terminated employees.
ENVIRONMENTAL CONTROLS
31 Critical equipment is located above water grade.
32 Adequate water drainage (under raised floor, on floors above, in adjacent areas)
33 Water detection devices located under raised floor (equipment room)
34 Adequate water leak controls
35 Employees are informed of procedure to report water leak or location of water pipe shut-off valves.
36 Equipment located away from sprinkler heads
37 Inoperable Windows
38 Covers for equipment in case of sprinkler release available and located near equipment

PERSONNEL CONSIDERATIONS
39 Adequate number of personnel to perform critical job functions
40 Controls established for terminating/transferring employees
41 Alternate personnel have been identified to perform critical functions.
42 A list of critical personnel and job functions is documented.
INSURANCE
46 Your department's Business Continuity Plan reflects the Insurance Contact person for your department.
RESEARCH, PLANT, OR LABORATORY CONSIDERATIONS
47 There is adequate storage for hazardous materials and chemicals.
48 Safety plans are in place for all areas where hazardous materials are used and hazardous processes are conducted.
49 Adequate ventilation controls are in place.
50 Provisions have been made for storage of materials requiring refrigeration.
51 Research projects that are contingent on electricity are documented.
52 Select agents are secured.
53 Refrigerators in labs are secured.
54 Unauthorized individuals are restricted from access to labs.
55 Lab check-out procedures are followed when staff are no longer assigned to a particular lab.
56 Campus IDs are required to be worn in labs by all staff, faculty, and students.

57 Lab Supervisors are aware of Laboratory Security and Safety Guidelines.
58 The Supervisor Safety Inspection Checklist is completed annually.
59 Procedures are in place for management of materials left behind by Professors.
60 Functions are documented which are performed by critical faculty/staff.
61 Procedures are in place for transitioning responsibilities to new faculty/staff.
SPACE PLANNING
62 Interim/alternate space has been identified (office, classroom, laboratory, etc.) to carry out critical departmental functions.
63 Critical employees that will require interim office space have been identified.
64 Critical employees that could use open office space (cubicles) have been identified.
65 Critical employees that could work from home have been identified.
66 Special equipment needs for space have been identified.
67 Functions in your department that must remain co-located have been identified.
68 Functions in your department that must remain on campus and which could temporarily be housed off campus have been identified.
69 For Research Lab Space, equipment that should be provided to stabilize or preserve research activities, samples and material in the interim until fully functional space can be provided (freezers, environmental or isolation chambers, fume hoods, etc.) has been identified.
70 For Research Lab Space, the number of research faculty/staff that could share lab space with other researchers doing similar work on an interim basis has been identified.
71 Departmental space contacts are documented.
72 Floor plans are current, available, and kept off site.

WORKING FROM HOME (Critical staff must have their own ISP)
73 Have critical staff ever accessed any campus application remotely?
74 Do critical staff have the need to access any campus applications remotely?
77 If your department is an NCS Customer and critical staff may need to access their network home directory (H drive), do these critical staff have Netdrive installed on their home PC?
78 Do critical staff have the most recent virus protection files and service packs on their home PCs?
79 Have critical staff tested dialing in successfully within the past month (do they know their passwords, or have they expired)?
SOFTWARE CONSIDERATIONS
80 Departmental software is upgraded as needed to ensure business functions can be performed.
81 Critical departmental software is backed up and the back-ups are stored off site.
82 Software upgrades are planned to minimize employee disruption and job function disruption.
83 Master and backup copies of departmental software are secured.
84 Departmental software documentation is secured.
85 Anti-virus software is installed and continuously enabled on all departmental computers, laptops, networks.
86 Departmental databases are backed up. Explain how often.

HARDWARE CONSIDERATIONS
87 Computers that are in open areas are secured.
88 Departmental computer drive keys are not left in the machines, but are properly secured.
89 Departmental server recovery documentation is stored off-site.
90 Departmental CPUs are locked so that the cover cannot be removed and internal boards removed.
91 Data storage media (tapes, disks, CD-ROM) are properly secured.
92 An inventory (including serial and University equipment tag#) of departmental computers, laptops and other portable components is maintained.
93 Non-removable labels are attached to computers, laptops, and laptop cases.
94 Check out procedures are used for computers on loan.
95 Computers are sanitized before being surplused.
OFF-SITE STORAGE (Alternate storage location of vital records external to your facility)
96 An Off-Site Storage location has been identified and utilized.
97 The facility is located at a sufficient distance from your office such that a disaster would not impact both locations similarly.
98 Your administrative and other records are either backed up through CASS facilities which have this daily off campus file storage or are otherwise backed up daily both on and off campus.
99 The facility is accessible within a reasonable period of time such that the records can be obtained quickly.
OUTSOURCING USING A THIRD PARTY VENDOR
100 Your department has verified that your service providers have disaster recovery plans.
101 Results of the service provider’s DR Test have been verified and the recovery time objectives are satisfactory.
102 The recovery priority is known by your department in relationship to other service provider customers.


Risk Assessment 10/17/2008

Risks may be a result of a threat. The risks below may be a result of the following threats: Natural Threats (Hurricane, Snow Storm, Tornado), Loss of Key Staff, Technology Disruptions, Temporary or Long-term Loss of Facility, or Utility Disruption.

| University Risks | Departmental Risk? (YES/NO) | Probability (1, 2, 3) | IMPACT during critical time of year (1, 2, 3) | Weight Factor | Weighted Result (probability x impact x weight factor) |
|---|---|---|---|---|---|
| Air Conditioning Failure | | | | | 0 |
| Anticipated Loss of Key Staff | | | | | 0 |
| Back-up tapes of the wrong data | | | | | 0 |
| Bad Credit Rating with Service Providers | | | | | 0 |
| Bombing | | | | | 0 |
| Cancellations of Events | | | | | 0 |
| Computer Equipment/Hardware Failure | | | | | 0 |
| Construction incidents or accidents | | | | | 0 |
| Contract Violations | | | | | 0 |
| Cooling Plant Failure | | | | | 0 |
| Corruption of database | | | | | 0 |
| Data Center Disruption | | | | | 0 |
| Declaration fees from Service Provider | | | | | 0 |
| Decrease in enrollment | | | | | 0 |
| Departmental Server failure | | | | | 0 |
| Embezzlement | | | | | 0 |
| Epidemic | | | | | 0 |
| Equipment Failure | | | | | 0 |
| External Fire - Major | | | | | 0 |
| Firewall Corruption/Destruction | | | | | 0 |
| Flooding | | | | | 0 |
| Flooding not related to Natural Disasters | | | | | 0 |
| Improper Use of Information | | | | | 0 |
| Inability to access backup records/data | | | | | 0 |
| Inability to access off-site storage area | | | | | 0 |
| Inability to access website | | | | | 0 |
| Inability to Make Deposits | | | | | 0 |
| Inability to Make Transfers | | | | | 0 |
| Infectious Animal Diseases | | | | | 0 |
| Internal Fire - Major | | | | | 0 |
| Late Payments | | | | | 0 |
| Law Suits | | | | | 0 |
| Loss of Grant | | | | | 0 |
| Loss of Revenue | | | | | 0 |
| Media Failure (Data Tapes) | | | | | 0 |
| Negative reporting in Newspaper or Television | | | | | 0 |
| Nuclear Reactor Malfunctioning | | | | | 0 |
| Operating System Failure | | | | | 0 |
| Overdraft Fees | | | | | 0 |
| Premium charges for Purchases | | | | | 0 |
| Radioactive Contamination | | | | | 0 |
| Regulatory Incompliance | | | | | 0 |
| Repayment of Grant Funds | | | | | 0 |
| Robbery | | | | | 0 |
| Sabotage | | | | | 0 |
| Security Breaches (Computer) | | | | | 0 |
| Service Provider Business Disruption | | | | | 0 |
| Software/Application Failure | | | | | 0 |
| Tainted public image | | | | | 0 |
| Tarnished brand image | | | | | 0 |
| Telecommunications Failure - Data Network | | | | | 0 |
| Telecommunications Failure - Voice | | | | | 0 |
| Terrorism | | | | | 0 |
| Train Derailment – Freight | | | | | 0 |
| Unavailability of Campus Transportation | | | | | 0 |
| Vandalism | | | | | 0 |
| Virus Attacks | | | | | 0 |
| Water leaks | | | | | 0 |
| Workplace violence | | | | | 0 |

Developed by the NC State University Department of Business Continuity and Disaster Recovery
Version 7
NC State University Critical Processes

List your Critical Business Processes | Purpose of Process (e.g. revenue generation, administrative, customer service, support function, ancillary function, etc.) | Recovery Priority | Time Critical | RTO Power | RTO Facility | RTO Vital Records


RTO Telephone | RTO Computing and Network | List critical Software Applications that support this function | Describe critical Equipment that supports this function (e.g. Computer hardware, lab equipment) | Describe critical Supplies that support this function


Dependencies: Who is supported by this process? | Dependencies: Who gives support to this process? | Is this process supported by a Vendor? If so, list the vendor. | Operational Risks | Technology Risks


Legal Risks | Financial Risks | Reputational Risks | Market/Strategic Risks


ALTERNATIVE - FACILITY INACCESSIBLE (Risk Mitigation Strategy) | ALTERNATIVE - Power Outage (Risk Mitigation Strategy) | ALTERNATIVE - Long Term Loss of Computing and Networking (Risk Mitigation Strategy)
