DHHS POLICIES AND PROCEDURES
Privacy and Security
Business Impact Analysis Policy
Current Effective Date:
Original Effective Date:
To establish the requirements for evaluating the workflow and determining the criticality of
those operations and their associated information systems within the Department of Health
and Human Services (DHHS). The business impact analysis is to be an essential, systematic
process used to gather and analyze information on DHHS functional and operational
business units and processes.
The DHHS Privacy and Security Office (PSO) working with the DHHS Divisions/Offices
shall perform a Business Impact Analysis (BIA) on all information systems to determine the
criticality of these operations to the agency and to determine what the impacts to the
organization would be if those operational functions and processes were interrupted.
Roles and Responsibilities
The DHHS PSO is responsible for developing enterprise-wide procedures and guidelines on
how to implement the BIA process.
The DHHS Division/Office Directors, Managers and Business Owners are responsible for
determining the criticality of their operations. Each DHHS Division/Office is responsible for
ensuring that contingency plans have been implemented. The BIA is used to accomplish this
objective and is used to analyze the service workflow, which typically consists of both
manual and automated (Information Technology Services (ITS)) components.
The DHHS PSO shall:
- Provide implementation guidelines and support. Policy implementation shall be based
  upon the use of management-approved security standards and follow requirements
  established by IT Services.
- Develop the BIA process to be followed by the divisions/offices and assist in
  determining criticality and impact assessment.
- Define a method of evaluating data. The BIA shall accomplish the following