General
Who provides application dependency reports?
The Business Continuity Management Office will annually provide the gap report of operational need versus systems and applications (dependencies) recovery capability. NOTE: This data is not to be used to set RTO’s and RPO’s.
Why does BCM need to assess application dependencies?
The Business Owner of an IT Application, in consultation with the Information Technology team (typically during the Systems Development Lifecycle), establishes an acceptable RTO/RPO for Business Application(s) prior to production release. Application data, over time, integrate into business operations forming new, and sometimes complex, dependency relationships. BCM tracks this expansion/contraction of use and assesses gaps (Business “need” vs IT recovery “capability”) that may require further business risk mitigation/continuity planning effort.
What is an application dependency?
The reliance or interaction, directly or indirectly, to an application or system to support a critical business function or process required during a disruption.
When are application dependencies identified?
During the BIA process application dependencies and “needs” are identified from all business areas that consider any application critical to their operation. The “need” is then compared to the existing IT Disaster Recovery “capability” to determine gaps.
Who provides or sets the RPO?
The Business sets the RPO during the BIA process.
The IT Application Owner initially sets the RPO during the Systems Development Lifecycle prior to production release. It is reviewed and updated, as needed, during the System Development Lifecycle.
What is a Recovery Point Objective (RPO)?
The RPO indicates how much data the business can lose before it is unacceptable. (For example, the business has a manual process that will allow two days [48 hours] of work to get re-entered into the system resulting in an RPO of 48 hours. Anything beyond 48 hours of lost data would be unacceptable to business operations.)
The RPO is also how much data is expected to be lost by IT systems and applications during an IT disruption or due to an Information Technology Disaster. (For example, application data is backed up nightly resulting in an RPO of 24 hours, so the business can expect to lose up to 24 hours of data when the system is restored to operations).
When is the Recovery Time Objective (RTO) set?
The business function RTO is initially set during the BIA process. The IT system application and system RTO is initially set during the Systems Development Lifecycle prior to production release.
What is a Recovery Time Objective (RTO)?
The Recovery Time Objective (RTO) is the period of time following an incident or disruption within which a critical function and/or process and application and/or system must be resumed, recovered or restored to avoid unacceptable risks or consequences.
What is meant by critical function?
Process or function that cannot be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing the university mission.
What is a disruption?
An event that interrupts normal business functions and operations, whether anticipated (e.g., flood, tornado) or unanticipated (e.g., blackout, technology failure).