
NC State University

Risk Assessment and Business Impact Analysis

Version 7

Purpose:
The purpose of this questionnaire is to solicit information concerning the exposure and impacts that will result if your Functional Business Unit experiences a significant outage. This information will be combined with that provided from other functional business units to assess the overall financial exposures and operational impacts should a disruption in business activities occur at NC State University. The financial and operational impact information will be used to determine each unit's maximum tolerable downtime, which will be considered when determining an appropriate set of recovery alternative solutions for each functional business unit.

Date Started:
Department/College:
Business Unit:
Department Head/Dean:
Building:
Campus Box:
Cohort Coordinator:
Coordinator Phone:
Coordinator Fax:
Person(s) Editing this Template:
Business Unit Mission Statement:
Review Date with Department of Business Continuity:
Date Completed:

Developed by the Department of Business Continuity (515-5201)

Business Unit Assessment

Columns: Assessment; Yes/No/NA/Unk; Explain

BUSINESS CONTINUITY PLANS
1. Your department has a business continuity plan.
2. Accountability for business continuity and disaster recovery is assigned in your department.
3. Critical business processes and functions are identified and prioritized.
4. Business continuity procedures and plans are documented for all critical business processes and functions.
5. Departmental roles and responsibilities for recovery are documented.
6. A central repository is used to store business continuity plans.
7. Call Trees are updated quarterly.
8. Copies of reciprocal agreements, or service bureau or hot/cold site are kept at an off-site location.
9. Are critical vendor lists and emergency telephone contact numbers maintained?
10. Your customers are aware of your alternative process and capabilities during an interruption of normal business operations.
11. Your suppliers are aware of what must be done in terms of alternative methods during an interruption of normal business operations.

VITAL RECORDS (Critical Files, Manuals, Student or Research Records, Data)
12. A retention period has been established for all critical records.
13. All critical records have been identified.
14. All critical records stored on-site are inventoried.
15. Historical records have been inventoried and stored off-site.
16. All irreplaceable records have been identified.
17. All critical computer files are stored off site on a regular basis.
18. Critical operating documentation is stored off site.

TRAINING AND TESTING
19. Regularly scheduled training is conducted for key disaster recovery personnel or recovery teams.
20. Business Continuity is discussed during new employee orientation.
21. Business Continuity/Disaster Recovery Plans are tested annually.

PHYSICAL SECURITY
25. Evacuation routes are posted throughout the building with easy visibility.
26. Building entrances utilize security devices requiring keys, pass-codes or magnetic badges.
27. Security policies/guidelines/procedures are published for employee access.
28. Restricted areas are controlled and supervised.
29. Vendor personnel are required to show positive identification.
30. Keys and badges and/or change codes are requested from terminated employees.

ENVIRONMENTAL CONTROLS
31. Critical equipment is located above water grade.
32. Adequate water drainage (under raised floor, on floors above, in adjacent areas)
33. Water detection devices located under raised floor (equipment room)
34. Adequate water leak controls
35. Employees are informed of procedure to report water leak or location of water pipe shut-off valves.
36. Equipment located away from sprinkler heads
37. Inoperable Windows
38. Covers for equipment in case of sprinkler release available and located near equipment

PERSONNEL CONSIDERATIONS
39. Adequate number of personnel to perform critical job functions
40. Controls established for terminating/transferring employees
41. Alternate personnel have been identified to perform critical functions.
42. A list of critical personnel and job functions is documented.

INSURANCE
46. Your department's Business Continuity Plan reflects the Insurance Contact person for your department.

RESEARCH, PLANT, OR LABORATORY CONSIDERATIONS
47. There is adequate storage for hazardous materials and chemicals.
48. Safety plans are in place for all areas where hazardous materials are used and hazardous processes are conducted.
49. Adequate ventilation controls are in place.
50. Provisions have been made for storage of materials requiring refrigeration.
51. Research projects that are contingent on electricity are documented.
52. Select agents are secured.
53. Refrigerators in labs are secured.
54. Unauthorized individuals are restricted from access to labs.
55. Lab check-out procedures are followed when staff are no longer assigned to a particular lab.
56. Campus IDs are required to be worn in labs by all staff, faculty, and students.

57. Lab Supervisors are aware of Laboratory Security and Safety Guidelines.
58. The Supervisor Safety Inspection Checklist is completed annually.
59. Procedures are in place for management of materials left behind by Professors.
60. Functions are documented which are performed by critical faculty/staff.
61. Procedures are in place for transitioning responsibilities to new faculty/staff.

SPACE PLANNING
62. Interim/alternate space has been identified (office, classroom, laboratory, etc.) to carry out critical departmental functions.
63. Critical employees that will require interim office space have been identified.
64. Critical employees that could use open office space (cubicles) have been identified.
65. Critical employees that could work from home have been identified.
66. Special equipment needs for space have been identified.
67. Functions in your department that must remain co-located have been identified.
68. Functions in your department that must remain on campus and which could temporarily be housed off campus have been identified.
69. For Research Lab Space, equipment that should be provided to stabilize or preserve research activities, samples and material in the interim until fully functional space can be provided (freezers, environmental or isolation chambers, fume hoods, etc.) has been identified.
70. For Research Lab Space, the number of research faculty/staff that could share lab space with other researchers doing similar work on an interim basis has been identified.
71. Departmental space contacts are documented.
72. Floor plans are current, available, and kept off site.

WORKING FROM HOME (Critical staff must have their own ISP)
73. Have critical staff ever accessed any campus application remotely?
74. Do critical staff have the need to access any campus applications remotely?
77. If your department is an NCS Customer and critical staff may need to access their network home directory (H drive), do these critical staff have Netdrive installed on their home PC?
78. Do critical staff have the most recent virus protection files and service packs on the staff's home PC?
79. Have critical staff tested dialing in successfully within the past month (do they know their passwords or have they expired?)

SOFTWARE CONSIDERATIONS
80. Departmental software is upgraded as needed to ensure business functions can be performed.
81. Critical departmental software is backed up and the backups are stored off site.
82. Software upgrades are planned to minimize employee disruption and job function disruption.
83. Master and backup copies of departmental software are secured.
84. Departmental software documentation is secured.
85. Anti-virus software is installed and continuously enabled on all departmental computers, laptops, networks.
86. Departmental databases are backed up. Explain how often.

HARDWARE CONSIDERATIONS
87. Computers that are in open areas are secured.
88. Departmental computer drive keys are not left in the machines, but are properly secured.
89. Departmental server recovery documentation is stored offsite.
90. Departmental CPUs are locked so that the cover cannot be removed and internal boards removed.
91. Data storage media (tapes, disks, CD-ROM) are properly secured.
92. An inventory (including serial and University equipment tag#) of departmental computers, laptops and other portable components is maintained.
93. Non-removable labels are attached to: computers, laptops, laptop cases.
94. Check out procedures are used for computers on loan.
95. Computers are sanitized before being surplused.

OFF-SITE STORAGE (Alternate storage location of vital records external to your facility)
96. An Off-Site Storage location has been identified and utilized.
97. The facility is located at a sufficient distance from your office such that a disaster would not impact both locations similarly.
98. Your administrative and other records are either backed up through CASS facilities which have this daily off campus file storage or are otherwise backed up daily both on and off campus.
99. The facility is accessible within a reasonable period of time such that the records can be obtained quickly.

OUTSOURCING USING A THIRD PARTY VENDOR
100. Your department has verified that your service providers have disaster recovery plans.
101. Results of the service providers' DR Test have been verified and the recovery time objectives are satisfactory.
102. The recovery priority is known by your department in relationship to other service provider customers.

Risk Assessment

04/27/2016

Risks may be a result of a threat. The risks below may be a result of the following threats: Natural Threats (Hurricane, Snow Storm, Tornado), Loss of Key Staff, Technology Disruptions, Temporary or Long term loss of facility, or Utility Disruption.

Columns: University Risks; Departmental Risk? (YES/NO); Probability (1, 2, 3); IMPACT during critical time of year (1, 2, 3); Weight Factor; Weighted Result (probability x impact x weight factor). The blank form shows 0 in the Weighted Result column.

University Risks

Air Conditioning Failure
Anticipated Loss of Key Staff
Back-up tapes of the wrong data
Bad Credit Rating with Service Providers
Bombing
Cancellations of Events
Computer Equipment/Hardware Failure
Construction incidents or accidents
Contract Violations
Cooling Plant Failure
Corruption of database
Data Center Disruption
Declaration fees from Service Provider
Decrease in enrollment
Departmental Server failure
Embezzlement
Epidemic
Equipment Failure
External Fire - Major
Firewall Corruption/Destruction
Flooding
Flooding not related to Natural Disasters
Improper Use of Information
Inability to access backup records/data
Inability to access off-site storage area
Inability to access website
Inability to Make Deposits
Inability to Make Transfers
Infectious Animal Diseases
Internal Fire - Major
Late Payments
Law Suits
Loss of Grant
Loss of Revenue
Media Failure (Data Tapes)
Negative reporting in Newspaper or Television
Nuclear Reactor Malfunctioning
Operating System Failure
Overdraft Fees
Premium charges for Purchases
Radioactive Contamination
Regulatory Incompliance
Repayment of Grant Funds
Robbery
Sabotage
Security Breaches (Computer)
Service Provider Business Disruption
Software/Application Failure
Tainted public image
Tarnished brand image
Telecommunications Failure - Data Network
Telecommunications Failure - Voice
Terrorism
Train Derailment Freight
Unavailability of Campus Transportation
Vandalism
Virus Attacks
Water leaks
Workplace violence

Developed by the NC State University Department of Business Continuity and Disaster Recovery

Critical Processes

List your Critical Business Processes

Columns:
Purpose of Process (e.g. revenue generation, administrative, customer service, support function, ancillary function, etc.)
Recovery Priority
Time Critical
RTO Power
RTO Facility
RTO Vital Records
RTO Telephone
RTO Computing and Network
List critical Software Applications that support this function
Describe critical Equipment that supports this function (e.g. Computer hardware, lab equipment)
Describe critical Supplies that support this function
Dependencies: Who is supported by this process?
Dependencies: Who gives support to this process?
Is this process supported by a Vendor? If so, list the vendor.
Operational Risks
Technology Risks
Legal Risks
Financial Risks
Reputational Risks
Market/Strategic Risks
ALTERNATIVE - FACILITY INACCESSIBLE (Risk Mitigation Strategy)
ALTERNATIVE - Power Outage (Risk Mitigation Strategy)
ALTERNATIVE - Long Term Loss of Computing and Networking (Risk Mitigation Strategy)
