Wednesday, January 17, 2018
3 guests for today
1 new Member- Scott
Thoughts on dates- 9/11
Feelings on date: (no comments- but let JW know if any opinions)
Location: Batavia Downs
Facebook and LinkedIn - Thanks to those who are getting all of the access straightened out
ACP is a co-sponsor with Firestorm
BIAs & AIAs: What is the difference? How and when are they used? What questions are asked in each?
John, Greg, Cory, Mike (presenters)
Greg (Paychex)- BIA
Who gets a BIA?
-Our org structure is similar to most companies in that we have multiple layers of professional and experienced management.
- Executive Officer Team, VP, Directors, Senior Managers, Mid-Level Managers, Functional Managers
Sue Miller- we do our BIAs by Business Lines (which are broken down into many departments)
John- from all the bank employees here, do you think the BIA function is similar across all banks?
A BIA called an AIA
AIAs identify the criticality of individual applications
Why is this required?
-The criticality of apps is typically identified by the critical processes, which in turn are identified by the BIAs
-We do not have a well-defined BIA for every dept in the company so that process has gaps
-AIAs are created for each application as needed. The design architect, data owner and BU are interviewed to determine a criticality level of the applications
Jay Williams- is it the same for Medical fields?
-(Kathy- U of R guest) Similar, but we primarily use AIAs. We meet with app owners and reps for the business side and explain why we need this to work. During the BIA we decide what the key resources needed to perform the business function are. Then we do a crosswalk of the information.
-Create standards and requirements for BC including BIAs
-Implement a BCM tool
-Currently using RPX
-Identify depts and managers responsible for BC
-Train users on the tool as well as BIA process
-Assist depts in the creation of their BIAs
-Track compliance and results
John- do you find that quality is better than quantity when it comes to BIA? How do you know what makes a good quality question?
Craig- the issue is that most people who are answering these questions don’t really know what the impact is to the company.
Michael- send out the interviews, write up a scenario for them to read, and then go ahead and ask them questions. Get them in the mindset before you start asking questions.
Additional Notes (Part 2)
-Essential employees we define (loosely) as people who are critical to a process, and yes they are identified in the BIA
- Understanding your business
- BC strategies
- Develop and implement BC response
- Building and embedding a Continuity culture
- Exercise, maintenance and audit
- BCM Program Management
Performed during an investigative process of acquiring an application or system- called the Tech Arch Review Process
-Who meets: 16 people
-Managers representing: Info Sec, DBA, System Admin, BCP Network Services, Legal Arch
-There are 20 BCDR questions I created for the BC discipline
Sample AIA Questions
-Is this system supporting a critical business function?
-Is this system supporting a critical business function for a BU as defined in a departmental BIA?
-If the system is unavailable, do you have manual workarounds?
-What is the RTO for this system?
-What is the RPO for this system?
-Can the system achieve the RTO? If not, state why and what time it can meet.
-Can the system achieve the RPO? If not, state why and what time it can meet.
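The RTO/RPO questions above, together with the earlier remark that application criticality is derived from the critical processes found in the BIAs, describe a crosswalk that is easy to model. The following is an added example, not code from the meeting or from any presenter's organization: it takes constructed BIA rows (business functions with required RTO/RPO) and constructed AIA rows (applications, the functions they support, the applications they depend on, and the RTO/RPO they can actually achieve), inherits requirements through dependencies so that a supporting application is held to the strictest target of anything that relies on it, and then answers "can the system achieve the RTO/RPO, and if not by how much does it miss?" for each application. All names, hours and criticality levels are made up for the example.

```python
"""Added example: a BIA -> AIA crosswalk with dependency inheritance.
All functions, applications and numbers below are constructed sample data."""
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class BusinessFunction:
    """One row of a departmental BIA (constructed)."""
    name: str
    criticality: int      # 1 = most critical ... 4 = least critical
    rto_hours: float      # required recovery time objective
    rpo_hours: float      # required recovery point objective


@dataclass
class Application:
    """One AIA record (constructed)."""
    name: str
    supports: list[str] = field(default_factory=list)    # BIA functions served
    depends_on: list[str] = field(default_factory=list)  # other applications
    achievable_rto_hours: float = INF                    # INF = unknown/never tested
    achievable_rpo_hours: float = INF


def required_targets(apps, functions):
    """Return {app_name: (criticality, rto, rpo)}.

    Direct requirements come from the BIA functions an app supports; the
    strictest one wins.  Requirements are then pushed down the dependency
    graph until nothing changes, so an app that a critical app relies on
    becomes critical itself.  Only tightening moves are made, so cycles
    cannot loop forever."""
    req = {}
    for app in apps.values():
        crit, rto, rpo = 4, INF, INF
        for fn in app.supports:
            f = functions[fn]
            crit, rto, rpo = min(crit, f.criticality), min(rto, f.rto_hours), min(rpo, f.rpo_hours)
        req[app.name] = (crit, rto, rpo)

    changed = True
    while changed:
        changed = False
        for app in apps.values():
            ac, ar, ap = req[app.name]
            for dep in app.depends_on:
                dc, dr, dp = req[dep]
                tightened = (min(dc, ac), min(dr, ar), min(dp, ap))
                if tightened != (dc, dr, dp):
                    req[dep] = tightened
                    changed = True
    return req


def _gap(achievable, required):
    """Hours by which the achievable value misses the requirement (0 if none)."""
    if required == INF:          # no requirement flows to this app
        return 0.0
    return max(0.0, achievable - required)   # INF achievable -> INF gap (untested)


def aia_gaps(apps, functions):
    """Answer the 'can the system achieve the RTO/RPO?' questions per app."""
    req = required_targets(apps, functions)
    result = {}
    for name, app in apps.items():
        crit, rto, rpo = req[name]
        rto_gap = _gap(app.achievable_rto_hours, rto)
        rpo_gap = _gap(app.achievable_rpo_hours, rpo)
        result[name] = {
            "criticality": crit,
            "required_rto_hours": rto,
            "required_rpo_hours": rpo,
            "rto_gap_hours": rto_gap,
            "rpo_gap_hours": rpo_gap,
            "meets_targets": rto_gap == 0.0 and rpo_gap == 0.0,
        }
    return result


# Constructed sample BIA rows and AIA records (hypothetical names and numbers).
FUNCTIONS = {
    "Payroll processing": BusinessFunction("Payroll processing", 1, 4.0, 1.0),
    "Marketing reporting": BusinessFunction("Marketing reporting", 4, 72.0, 24.0),
}
APPS = {
    "payroll-web": Application("payroll-web", ["Payroll processing"],
                               ["payroll-db", "auth"], 2.0, 1.0),
    "payroll-db": Application("payroll-db", [], [], 8.0, 0.5),   # no BIA of its own
    "auth": Application("auth", [], [], 4.0, 1.0),
    "mkt-reports": Application("mkt-reports", ["Marketing reporting"], ["auth"], 48.0, 24.0),
}

if __name__ == "__main__":
    for name, row in aia_gaps(APPS, FUNCTIONS).items():
        print(f"{name:12s} crit={row['criticality']} RTO gap={row['rto_gap_hours']}h "
              f"RPO gap={row['rpo_gap_hours']}h meets={row['meets_targets']}")
```

In the sample data `payroll-db` has no BIA row of its own, yet it ends up criticality 1 with a 4-hour RTO gap because `payroll-web` depends on it; that is exactly the information a per-application AIA without dependency tracking cannot surface.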
-Reviewed at least annually with each BU in a workshop, interview format
-Review critical functions of each BU and resources that support the functions
-Responses and data feed into detailed Corporate BCP
-Each BU exercises their plans at least once a year at our BC-DR Facility
-Highly regulated and audited environment from internal and external audit teams
John- is your BC plan a direct output of your BIA?
Emy- it’s a way to identify how to prepare for an event. The BIA is focusing on the IT terminology and terms used.
Michael- AIAs feed the information to the server recovery plan, database recovery plan, and application recovery plan. Separate plans.
Additional Notes (Part 2)
-Extension of ServiceNow
-App conforms to ISO 22301
Mike Weaver (M&T Bank)
-Last BIA was performed in 2014 in BIA professional
-It didn’t do dependencies
-It was campaign based
-The new tool will fix it all
-AIA was performed continuously in RSA Archer
-It wasn’t informed by the BIA
-It didn’t do dependencies either
-Did not integrate to planning tool
-Not enough buy in from management
-Process owners were not engaged
-No consequences to process owners who did not comply
-Trying to go from comically simple to overly complex does not improve data quality
-Not integrated in planning tool
-Still not informed by BIA
-Still in a tool we don’t control
-Still doesn’t do dependencies
John- where are the majority of the questions coming from? (group question)
-DRI had a lot of questions (15 years ago) that were generic
Note: chapter agrees that it might be a good idea to have a working session on question development
Chapter Business Session
Next meeting in March is at M&T Bank - Holtz Location. Guest speaker on Opioids