Step 1: IT Mission Impact Analysis


The purpose of an information technology impact analysis is to identify IT-related departmental assets (e.g., information, people, software, hardware, facilities, etc.) and determine which of those assets are most critical to protect. As a general rule, an asset is critical when its disclosure, modification, destruction, or misuse will cause harmful consequences to the department’s — or the University’s — goals and mission, or will provide an undesired and unintended benefit to someone. If an asset has any of the characteristics listed in Table 1, it should likely be deemed critical.

Table 1: Critical Asset Criteria

The asset is required to perform functions that result in life or death to University community members or the general public.
The asset is required to perform functions that provide public safety and other social services to University community members or the general public.
The asset is required to support local, state or national Homeland Security efforts.
The asset is required to support patient care services.
The asset is required to support instruction.
The asset is required to support research grants.
The asset is required to provide central University business and support functions.
The asset is required to provide services on which multiple University departments or other institutions or agencies depend.
The asset is required to support a vice-presidentially designated critical function area.
The asset concerns data to which access is legally restricted or in other ways limited.
The asset is required to perform state or federally regulated functions.
The asset is required to perform other functions essential to a department’s mission.

As you can see from Table 1, for purposes of this process the definition of “critical” goes well beyond the medical sense of “life and death.” Based on your mission, what functions do you perform with safety or legal ramifications? What do you do that is important to the University as a whole or to other departments? What’s important for your department to get its job done? What failure don’t you want to end up on a vice-president’s desk?

The process of mission impact analysis requires the input of both the administrative leaders and information technology experts in each department. It is important to understand, for example, that a mission-critical departmental function may depend on multiple IT assets, or that a single IT asset may be critical to multiple departmental functions. IT personnel and administrators have both been known to underestimate the complexity and misunderstand the nature of the other’s function.

Below is the template for doing a Mission Impact Analysis. (A copy of this template, as well as all the other templates required to complete your department’s report on the ITS-RM process, is available in Word and Adobe PDF formats.) Determine your department’s critical assets (hardware, software, information and people) based on Table 1 above and your department’s mission. (Information on centrally-supported assets is available in Appendices B and C.)

Unit Name: ___________________    Sub-Unit Name: ___________________

Mission Impact Analysis Questions

The identification of information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.


1. What’s your department’s mission?

See related list in Table 1


 

2. What are the key functions your department performs to implement your mission?


 

3. What IT hardware infrastructure and assets are critical to the performance of those key functions? Please list these assets and prioritize them based on their criticality to the functions identified above. Be sure to include individual, departmental, central U.Va. and external (e.g., vendor) assets as appropriate, and list a system administrator, model number and operating system, where applicable, for each asset.

Examples:

  • Servers (including those hosted by others)
  • Desktops/laptops/PDAs that host critical or protected data

 

4. What IT software and data assets are critical to the performance of those key functions? Please list these assets and prioritize them based on their criticality to the functions identified above. Be sure to include individual, departmental, central U.Va. and external (e.g., vendor, federal and state data swapping) assets as appropriate.

Examples:

  • Academic: instructional resources, student data, databases necessary to maintain a given research program
  • Administrative: protected student or financial data necessary for business operations and student services
  • Health-related: protected patient data, both clinical and research
  • External data provider

 

5. What IT personnel are critical to the performance of those key functions? Please list the job roles and the incumbents’ names and prioritize them based on their criticality to the functions identified above. Be sure to include individual, departmental, central U.Va. and external (e.g. vendor) personnel as appropriate.

Examples:

  • Server administrators
  • Local Support Partner (LSP) or Associate (LSA)
  • Database administrators

 

Prepared by: Administrative contact

Name:   __________________________
Signature:   _______________________
Title:   __________________________
Date:   __________________________

Prepared by: Technical contact

Name:   __________________________
Signature:   _______________________
Title:   __________________________
Date:   __________________________

Approved by: Unit head

Name:   __________________________
Signature:   _______________________
Title:   __________________________
Date:   __________________________

 

© 2008 by the Rector and Visitors of the University of Virginia.
