RSAArcher 6.1 Business Impact Analysis Guide

RSA Archer GRC
Business Impact Analysis

Use Case Guide
6.1
RSA Archer GRC Business Impact Analysis
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax
numbers:https://community.rsa.com/community/rsa-customer-support.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and EMC are either registered trademarks or trademarks of EMC
Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than RSA.
Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Note on Section 508 Compliance

The RSA Archer GRC is built on web technologies which can be used with assistive technologies, such as screen readers,
magnifiers, and contrast tools. While these tools are not yet fully supported, RSA is committed to improving the experience of
users of these technologies as part of our ongoing product road map for the RSA Archer GRC.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
2
Contents
Chapter 1: Business Impact Analysis 5

RSA Archer Business Impact Analysis 5
Get Started 6
Chapter 2: Business Impact Analysis Design 7

Architecture Diagram 7
Applications 7
Use Case Dashboard 8
Access Roles 8
Personas 9
Data Feeds 10
BIA Campaign Advanced Workflow 10
Chapter 3: Installing Business Impact Analysis 14

Step 1: Prepare for the Installation 14
Step 2: Update the License Key 14
Step 3: Install the Package 15
Step 4: Set Up Data Feeds 15
Step 5: Test the Installation 15
Installing the Business Impact Analysis Package 15
Step 1: Back Up Your Database 15
Step 2: Import the Package 16
Step 3: Map Objects in the Package 16
Step 4: Install the Package 19
Step 5: Review the Package Installation Log 20
Setting Up BIA Data Feeds 20
Data Feed Dependencies 20
Step 1: Import a Data Feed 21
Step 2: Schedule a Data Feed 21
Chapter 4: Managing a BIA Campaign 23

Step 1: Create a BIA Campaign 23
3
Step 2: Complete All Associated BIAs 24

Step 3: Review BIAs 25
Approve or Reject BIA record: Level 1 25
Updating BIA Campaigns 26
Manually Add a Business Process to the Campaign 26
(Optional) Manually Add a BIA Record to an Active Campaign 27
Add a BIA From a Business Process 27
View Archived Business Impact Analyses 28
View an Archived BIA 28
Appendix A: Package Installation Log Message Examples 29
4
Chapter 1: Business Impact Analysis

Senior management is continually challenged with keeping track of the constantly changing
landscape of business processes and their supporting infrastructure, such as their connections to IT
systems, third parties, locations and critical information. Another challenge is ensuring business
impact analyses (BIAs) have been performed for all business processes to understand their
criticality to the business. This criticality drives business continuity (BC) and IT disaster recovery
(DR) planning and related efforts.
In addition, investors, customers, regulators, and Boards are becoming more interested in
management's capability to continue operations through any disruption. However, the reason many
organizations fail do so is because they have not adequately assessed the criticality of their business
processes and planned accordingly. Now, more than ever, business process managers and business
continuity management (BCM) teams need to work together to perform BIAs to understand the key
impacts of a disruption to the organization’s strategic and financial objectives and reputation.
The challenge with BIAs for most companies is that they are not completed consistently or
frequently enough. They are often completed in spreadsheets and separate systems, and are done
differently throughout the organization. In addition, IT and the business complete separate BIAs.
RSA Archer Business Impact Analysis

RSA® Archer® Business Impact Analysis is designed to help you determine the criticality of
business processes. You can share information with interdependent teams across the organization
and enable business leaders to prioritize recovery strategies, recovery tasks, risk assessments, and
other activities crucial to the entire business’s operations and IT systems.
Key Features
l Includes the Business Process catalog and a pre-built Business Impact Analysis with workflow,
notifications and reference data to determine the criticality of all business processes.
l Business process owners or BCM teams can kick off a new or updated BIA depending on process
criticality rating, date of last BIA or other factors.
l BCM team can start a campaign to initiate BIAs for multiple business processes in a Business
Unit or that support certain Products or Services.
l Access roles are provided for business owners, BCM team and executives that easily drive their
BIA completion, review and approval workflow for each.
Key Benefits
With RSA Archer Business Impact Analysis, you will be able to:

l Deploy one consolidated system of record for all BIAs
l Use a single approach to complete BIAs with workflow, notifications, review and approval
processes
l Provide reports that show key metrics and reports to enable BCM teams, business unit managers,
and business process managers to manage their BIAs
Get Started
l Learn more about the use case design
l Install and set up the use case
l Use the use case

Chapter 2: Business Impact Analysis Design
Architecture Diagram
The following diagram shows the relationships between the applications that make up the Business
Impact Analysis use case.
Applications
Application Description
Business The Business Processes application captures the base data for a given process. A
Processes process may be assigned to a particular business unit or shared across multiple
business units. The application enables you to track the business processes
personnel, business impact, and ITIL category, and associate it with other aspects
of the enterprise infrastructure.
BIA The BIA Campaign application enables users to launch a campaign that first
Campaign searches the business process or business unit area to identify any area that does
not yet have a BIA. The system then creates a BIA for that business process.

Application Description
Business The Business Impact Analysis (BIA) application is designed to help organizations
Impact determine the criticality of processes with their Recovery Time Objective (RTO)
Analysis and Recovery Point Objective (RPO). The application allows you to share this
information with interdependent teams and enables business leaders to prioritize
BC/DR plans, recovery strategies and recovery tasks.
BIA Archive The BIA Archive application stores all completed and approved BIAs.
Company The Company application stores general, financial, and compliance information at
the company level. This application relates to the Division and Business Unit
application to support rollup reporting of governance, risk, and compliance
initiatives across the enterprise.
Business The Business Unit application provides a detailed view of all activities related to
Unit the specific business unit.
Division The Division application represents the intermediate unit within the business
hierarchy which is a layer below the high-level company and a layer above the
individual business unit. Utilizing this application, users can further document the
relationships within their business and measure the effectiveness and compliance
of individual divisions within the enterprise.
Use Case Dashboard

The BIA Use Case comes with one out-of-the-box dashboard. The Business Impact Analysis
dashboard contains the following iViews:
l Business Process Rating Summary
l My BIAs (Displays BIAs when the current user is either the BPM, Controller, or Compliance
Manager)
l BIAs Awaiting Reassessment
l BIAs by Status
l Past Due BIAs
Ac c e s s Ro le s
Access Roles
The following table describes the available access roles within the Business Impact Analysis use
case and any related permissions that the role requires.

Role Description
BIA: BCM l Creates BIAs campaigns for all business processes in organization, runs BIA
Program Lead campaigns, and initiates advanced workflows.
l Approves or rejects BIAs
BIA: l Owns business processes that must undergo a BIA.

Participant
l Reports to Business Unit Leader.
l Can complete their assigned questions on the BIA.
l Can approve or reject the completed BIA after the Controller and Compliance
Manger responds to and submits their part of the of BIA.
l Can view the status of all BIAs for their respective business processes.
l Responds to questions in the Strategic, Operational, Reputation, Information

Confidentiality, and Information Integrity sections of the BIA.
Personas
The Business Impact Analysis use case provides the following personas:
Access Role Persona Description
BIA: BCM BCM l Can create BIA Campaign and initiate advanced
Program Lead Program workflow.
reviewer
l Can approve or reject completed BIAs that have
been approved by BUM
BIA: Participant Business Can create BIAs for business processes that they own
access role Process and initiate workflow on owned BP BIAs
Manager
BIA: Participant Controller l Can complete the Finance section of the BIA.
l Can select cross-references in the Financial

Impact Category.
l Can submit the BIA.

Access Role Persona Description
BIA: Participant Compliance l Can complete Compliance-related questions on the

Manger BIA and submit the BIA.
l Can select cross-references in the Compliance

Impact Category
BIA: Participant Business Unit l Reviews completed BIA.

Manager
(BUM) l Can approve or reject a completed BIA or multiple
BIAs that have been approved by the BPM.
l Can see the status of all the BIAs for the business
processes in their Business Unit
Da ta fe e d s
Data Feeds
The use case provides the following data feeds.
Data Feed Description
Copy From When a BIA is initiated, the Copy From Business Process data feed populates
Business associated BIA records with Business Unit, GL Account, Information Assets, Loss
Process Events, and Product and Services information.
Business After all BIA records associated with a campaign have been approved by the BCM
Impact Program Lead, The Business Impact Analysis Archive data feed copies all
Analysis associated BIA records into the BIA Archive application.
Archive
BIA Ca mp a ig n Ad v a n c e d Wo r k flo w
BIA Campaign Advanced Workflow

This section describes the out-of-the-box workflow provided by the RSA Archer Business Impact
Analysis (BIA) use case. To learn more about using BIA, see Managing a BIA Campaign
Phase 1: Preparation Phase
During the first phase, you add a campaign record, assign review and assessment dates, and
determine the scoping methods. Depending on the scoping method you select, a campaign creates
BIAs based on the associated business processes, business units, or product and services. A BIA

record may be tied to more than one campaign at a time, but can only be tied to a single business
process. If a business process already has a BIA created, the system links the existing BIA record to
the new BIA campaign after the campaign starts. To start the campaign, users click Run Campaign.
This action enrolls the campaign record in advanced workflow. The system is prompted to create
new BIAs for business processes that do not have one, and link existing BIAs to the campaign. All
BIAs associated with a BIA campaign are listed in the Related Business Impact Analysis section of
the campaign record.
Note: There is no automatic enrollment option for a BIA campaign. All campaigns are created
manually.
Phase 2: Initial Response Period

After the campaign is created, users with the BIA Participant access role receive a notification that
informs them that they have a BIA to complete. The Controller, Compliance Manager, and Business
Unit Manager answer a set of questions that is based on their role in the organization. Users see
only questions that they must answer, and not questions intended for other users. Each user
completing a BIA must check out the record before editing it. A BIA record can only be checked out
by a single user at any given time. After all the questions have been answered by each of the
participants (Business Process Manager, Controller and Compliance Manager), the Business
Process Manager is be notified and the advanced workflow progresses to the next phase.

Phase 3: Review Phase

A BIA record undergoes three levels of review. The Business Process Manager (BPM) reviews the
BIA first. He or she can approve the records, or reject a record and send it back to the Controller or
Compliance Manager or both. If a BIA is rejected and sent back to a participant, they must update
the record and submit it for review again. After the BPM approves a BIA record, it advances to the
Business Unit Manager (BUM). The Business Unit Manager can reject a BIA to the BPM or can
approve a BIA record. If BIA is rejected by the BUM, the record is sent back to BPM, who must
update and resubmit the BIA. After the BUM approves the BIA record, it advances to the final level
of approval, where the BCM Program Lead is required to give the final sign-off on the BIA record.
After a BIA has been approved, the Actual Date of Completion date is populated, and the review
dates for the next assessment are set.
Note: The BIA use case does not currently support automatic re-enrollment. To re-enroll an existing
BIA in advanced workflow, a user with the BCM Business Process Role must select Run Campaign
from the BIA Campaign Record.

Phase 4: Next Assessment Date Evaluation and Archive

After the BCM Program Lead approves all BIA records associated with the campaign, the Business
Impact Analysis Archive data feed runs. This data feed copies the BIA records into the BIA
Archive application and clears the BIA records from the Related Business Impact Analysis section
of the campaign record.
Note: A campaign is complete after all associated BIA records are archived.

Chapter 3: Installing Business Impact Analysis

Complete the following tasks to install the RSA Archer Business Impact Analysis (BIA) use case.
Ste p 1 :P r e p a r e fo r th e in s ta la tio n
Step 1: Prepare for the Installation

1. Ensure that your RSA Archer GRC system meets the following requirements:
l RSA Archer GRC Platform version 6.1.
l Valid license for RSA Archer Business Impact Analysis 6.1.
l A user account on the Platform with access rights to the Data Feed Manager.
l User account on RSA Link to download the use case files.
2. Download the use case file(s) from the Archer Customer/Partner Community on RSA Link on
the "Archer GRC 6.1 Software and Documentation" page
(https://community.rsa.com/community/products/archer-grc/archer-61/downloads). The zip file
contains the install package and the data feeds.
3. Obtain the Data Dictionary for the use case by contacting your RSA Archer Account
Representative or calling 1-888-539-EGRC. The Data Dictionary contains the configuration
information for the use case.
4. Read and understand the Packaging Data section of the RSA Archer GRC Online
Documentation.
5. Review the Release Notes to understand any known issues before installing and configuring the
use case.
Ste p 2 :Up d a te th e lic e n s e k e y
Step 2: Update the License Key

You must update the license key if you are installing a new application, questionnaire, workspace, or
dashboard.
Note: All customers are required to get a new license key for 6.1. Ensure that you are using a valid
6.1 license key prior to installing packages.
The administrator (a web or database administrator) on the server on which the Archer Control
Panel resides must update the license key in the Archer Control Panel before the application
package is imported in order for the new items to be available for use.

1. Open the RSA Archer Control Panel.
2. From the Instance Management list, click to expand the Instances list.
3. Right-click the instance that you want to update, and click Update License Key.
4. Update the applicable information: Serial Number, Contact Info, and Activation Method.
5. Click Activate.
Important: If you do not update the license key prior to installing the package, you will not be able
to access workspaces, dashboards and applications in 6.1.
Ste p 3 :In s ta lth e p a c k a g e
Step 3: Install the Package

Installing a package requires that you import the package file, map the objects in the package to
objects in the target instance, and then install the package. See Installing the Business Impact
Analysis Package.
Ste p 4 :S e tu p d a ta fe e d s
Step 4: Set Up Data Feeds

You must import and schedule each use case data feed that you want to use. See Setting Up Data
Feeds.
Ste p 5 :T e s th e in s ta la tio n
Step 5: Test the Installation

Test the use case according to your company standards and procedures, to ensure that the use case
works with your existing processes.
Installing the Business Impact Analysis Package

Ste p 1 :Ba c k u p y o u r d a ta b a s e
Step 1: Back Up Your Database

There is no Undo function for a package installation. Packaging is a powerful feature that can make
significant changes to an instance. RSA strongly recommends backing up the instance database
before installing a package. This process enables a full restoration if necessary.
An alternate method for undoing a package installation is to create a package of the affected objects
in the target instance before installing the new package. This package provides a snapshot of the
instance before the new package is installed, which can be used to help undo the changes made by
the package installation. New objects created by the package installation must be manually deleted.

Ste p 2 :Imp o r th e p a c k a g e
Step 2: Import the Package

1.
Go to the Install Packages page.
a. From the menu bar, click .
b. Under Application Builder, click Install Packages.
2. In the Available Packages section, click Import.
3. Click Add New, then locate and select the package file that you want to import.
4. Click OK.
The package file is displayed in the Available Packages section and is ready for installation.
Ste p 3 :Ma p o b je c ts in th e p a c k a g e
Step 3: Map Objects in the Package
1. In the Available Packages section, select the package you want to map.
2. In the Actions column, click for that package.

The analyzer runs and examines the information in the package. The analyzer automatically
matches the system IDs of the objects in the package with the objects in the target instances and
identifies objects from the package that are successfully mapped to objects in the target instance,
objects that are new or exist but are not mapped, and objects that do not exist (the object is in the
target but not in the source).
Note: This process can take several minutes or more, especially if the package is large, and may
time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings
set to less than 60 minutes.
When the analyzer is complete, the Advanced Package Mapping page lists the objects in the
package file and corresponding objects in the target instance. The objects are divided into tabs,
depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-
forms, or Questionnaires.
3. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each
object name to determine which objects require you to map them manually.

Icon Name Description
Awaiting Indicates that the system could not automatically match the object or
Mapping children of the object to a corresponding object in the target instance.
Review Objects marked with this symbol must be mapped manually through the
mapping process.
Important: New objects should not be mapped. This icon should remain
visible. The mapping process can proceed without mapping all the objects.
Note: You can execute the mapping process without mapping all the
objects. The icon is for informational purposes only.
Mapping Indicates that the object and all child objects are mapped to an object in
Completed the target instance. Nothing more needs to be done with these objects in
Advanced Package Mapping.
Do Not Indicates that the object does not exist in the target instance or the object
Map was not mapped through the Do Not Map option. These objects will not be
mapped through Advanced Package Mapping, and must be remedied
manually.
Undo Indicates that a mapped object can be unmapped. This icon is displayed in
the Actions column of a mapped object or object flagged as Do Not Map.
4. For each object that requires remediation, do one of the following:
l To map each item individually, on the Target column, select the object in the target instance
to which you want to map the source object. If an object is new or if you do not want to map
an object, select Do Not Map from the drop-down list.
Important: Ensure that you map all objects to their lowest level. When objects have child or
related objects, a drill-down link is provided on the parent object. Child objects must be
mapped before parent objects are mapped. For more details, see "Mapping Parent/Child
Objects" in the RSA Archer Online Documentation.
l To automatically map all objects in a tab that have different system IDs but the same object
name as an object in the target instance, do the following:
a. In the toolbar, click Auto Map.
b. Select an option for mapping objects by name.

Option Description
Ignore Select this option to match objects with similar names regardless of the case
case of the characters in the object names.
Ignore Select this option to match objects with similar names regardless of whether
spaces spaces exist in the object names.
c. Click OK.
The Confirmation dialog box opens with the total number of mappings performed. These
mappings have not been committed to the database yet and can be modified in the
Advanced Package Mapping page.
d. Click OK.
l To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map.
Note: To undo the mapping settings for any individual object, click in the Actions column.
When all objects are mapped, the icon is displayed in the tab title. The icon is displayed
next to the object to indicate that the object will not be mapped.
5. Verify that all other objects are mapped correctly.
6. (Optional) To save your mapping settings so that you can resume working later, see "Exporting
and Importing Mapping Settings" in the RSA Archer Online Documentation.
7. Once you have reviewed and mapped all objects, click .
8. Select I understand the implications of performing this operation and click OK.
The Advanced Package Mapping process updates the system IDs of the objects in the target
instance as defined on the Advanced Package Mapping page. When the mapping is complete, the
Import and Install Packages page is displayed.
Important: Advanced Package Mapping modifies the system IDs in the target instance. Any
Data Feeds and Web Service APIs that use these objects will need to be updated with the new
system IDs.

Ste p 4 :In s ta lth e p a c k a g e
Step 4: Install the Package

All objects from the source instance are installed in the target instance unless the object cannot be
found or is flagged to not be installed in the target instance. A list of conditions that may cause
objects not to be installed is provided in the Log Messages section. A log entry is displayed in the
Package Installation Log section.
1.
Go to the Install Packages page.
2. In the Available Packages section, locate the package file that you want to install, and click
Install.
3. In the Configuration section, select the components of the package that you want to install.
l To select all components, select the top-level checkbox.
l To install only specific global reports in an already installed application, select the checkbox
associated with each report that you want to install.
Note: Items in the package that do not match an existing item in the target instance are selected
by default.
4. In the Configuration section, under Install Method, select an option for each selected component.
To use the same Install Method for all selected components, select a method from the top-level
drop-down list.
Note: If you have any existing components that you do not want to modify, select Create New
Only. You may have to modify those components after installing the package to use the changes
made by the package.
5. In the Configuration section, under Install Option, select an option for each selected component.
To use the same Install Option for all selected components, select an option from the top-level
drop-down list.
Note: If you have any custom fields or formatting in a component that you do not want to lose,
select Do not Override Layout. You may have to modify the layout after installing the package to
use the changes made by the package.
6. To deactivate target fields and data-driven events that are not in the package, in the Post-
Install Actions section, select the Deactivate target fields and data-driven events that are not in

the package checkbox. To rename the deactivated target fields and data-driven events with a
user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a
prefix. This can help you identify any fields or data-driven events that you may want to review
for cleanup post-install.
7. Click Install.
8. Click OK.
Ste p 5 :Re v ie wth e p a c k a g e in s ta la tio n lo g
Step 5: Review the Package Installation Log

1.
Go to the Package Installation Log tab of the Install Packages page.
c. Click the Package Installation Log tab.
2. Click the package that you want to view.
3. In the Package Installation Log page, in the Object Details section, click View All Warnings.
For a list of packaging installation log messages and remediation information for common
messages, see Package Installation Log Messages.
Setting Up BIA Data Feeds

Import the data feeds in the following order:
1. Business_Impact_Analysis_-_Business_Process_Copy_Feed.dxf5
2. Business_Impact_Analysis_-_Archive_Feed.dxf5
Da ta fe e d d e p e n d e n c ie s
Data Feed Dependencies

The data feeds included with the BIA use case reference applications that belong to use cases that
you may not have licensed. If you subsequently purchase a license for a use case that includes the
following applications, you must reinstall the data feed to ensure that it is correctly mapped.

Data feed Dependencies
Business_Impact_Analysis_-_ Business Unit, GL Account, Information Assets, Loss

Business_Process_Copy_Feed.dxf5 Events, and Product & Services
Business_Impact_Analysis_-_ Business Unit, GL Account, Information Assets, Loss

Archive_Feed.dxf5 Events, Product & Services, and Corporate Objectives
Step 1: Import a Data Feed
1. Click Administration > Integration > Manage Data Feeds.
2. In the Manage Data Feeds section, click Import.
3. Locate and select the .dfx5 file for the data feed.
4. From the General tab in the General Information section, in the Status field, select Active.
5. Click the Transport tab. Complete the fields in the Transport Configuration section as follows:
a. In the URL field, type: YourServerName/VirtualDirectoryName/ws/search.asmx
b. In the User Name and Password fields, type the username and password of the Platform user
that has API access and access to all of the records on the Platform instance (from which the
data feed is coming).
c. In the Instance field, type the name of the Platform instance from which the data feed is
coming (this is the instance name as you enter it on the Login window).
6. Verify that key field values are not missing from the data feed setup window.
7. Navigate to the Data Mapping tab to resolve any dependencies that you do not have licensed
8. Click Save.
Ste p 2 :S c h e d u le a d a ta fe e d
Step 2: Schedule a Data Feed
Important: A data feed must be active and valid to successfully run.
As you schedule your data feed, the Data Feed Manager validates the information. If any
information is invalid, an error message is displayed. You can save the data feed and correct the
errors later; but the data feed does not process until you make corrections.

1. Click Administration > Integration > Manage Data Feeds.
2. In the Name column, click the data feed that you want to edit.
3. Click the Schedule tab.
Note: The Schedule tab is available for both Standard and Transport-Only data feed types.
4. In the Frequency drop-down list, set the frequency for the data feed. For example, if you select
Minutely and specify 3 in the Every field, the data feed runs every 3 minutes.
5. (Optional) To configure a data feed to run immediately after another data feed, follow these
steps:
a. In the Frequency drop-down list, select Reference.
b. In the Reference Feed drop-down list, select the first data feed. Your current data feed
would run after this selected one.
6. (Optional) To override the data feed schedule and immediately run your data feed, in the Run
Data Feed Now section, click Start.
7. Click Save.

Chapter 4: Managing a BIA Campaign

RSA Archer Business Impact Analysis (BIA) provides a method and repository for you to collect
information on a business process and determine its criticality to the overall organization.
During the Creation phase of a BIA, users can create a manual BIA or opt to run a campaign.
During a campaign, initial details are set and the BIA is distributed to specified users who then must
complete their respective sections.
Ste p 1 : Cr e a te a BIA c a mp a ig n
Step 1: Create a BIA Campaign

While the campaign is In Process, new business processes can be added and the BIA Campaign can
be re-enrolled in Advanced Workflow. Once the campaign is complete it can no longer be re-
enrolled.
Persona: BCM Program Lead
1.
Go to the BIA Campaign record browser.
a. From the menu bar, click Business Resiliency.
b. Under Solutions, click Business Impact Analysis.
c. Under Applications, click BIA Campaign.
2. Click .
3. In the General section, do the following:
a. Enter a campaign name.
b. Allocate review and response period times.
l In the Response Period - Days field. enter a value for the number of days that participants
have to complete their responses.
Note: The Response Period Due Date field is populated in the BIA record based on the
value entered in the Response Period - Days field.
l In the Review Period - Days field, enter the number of days reviewers have to complete
their reviews.
Note: The Review Period Due Date field is populated in the BIA record based on the
value entered in the Review Period - Days field.

l The Campaign Actual Completion Date populates only after all associated BIAs are
approved and the campaign is complete.
4. In the Campaign Scoping section, do the following:
a. Select a scoping method:
l Business Process. Selects all business processes, beginning at the parent process, and
continuing until all sub-processes are selected.
l Business Unit. Selects the business unit, directly related business processes, and all
related sub-processes.
l Products & Services. Selects products and services, directly related business processes,
and sub-business processes.
Note: In order to select products and services, you must have a license for a use case that
contains the Products & Services application.
b. Select a business unit to target.
5. Click Run Campaign.
Note: You can select Run Campaign only after all the required fields have been completed.
Ste p 2 :Co mp le te a la s s o c ia te d BIAs
Step 2: Complete All Associated BIAs

Persona: BPM, Compliance Manager, Controller
In any BIA record, you have access to only the questions for which you are responsible for
answering. Only one user can have the BIA record checked out at a given time. Other users can see
when the record is being edited, and can make their edits after it has been checked back in.
1. From the Tasks widget of your task-driven landing screen, select the BIA assigned to you.
2. Click Check Out.
Note: You cannot check out a BIA record if another user already has it checked out.
3. (Optional) Add comments.
4. Apply risk ratings to the sections that apply to you.
5. Click Submit.

Step 3: Review BIAs
Step 3: Review BIAs

Each BIA record must go through three levels of approval before it is considered completed and can
exit the advanced workflow. Criticality ratings and Business Impact Analysis ratings are populated
only after all BIAs associated with a campaign have been approved.
Ap p r o v e o r Re je c tBIA r e c o r d : L e v e l1
Approve or Reject BIA record: Level 1

Persona: Business Process Manager
1. From the your task-driven landing screen, select the BIA that you need to review.
2. Review the completed BIA sections.
3. (Optional) Update your sections. You can update the sections you answered without clicking
Reject.
4. If updates need to be made to any sections, click one of the following:
l Reject to Compliance.
l Reject to Controller.
l Reject to Both.
Rejecting a BIA sends a notification to the appropriate stakeholder and allows them to update
and resubmit the record.
5. To approve the BIA, click Approve.

When approved, the record is sent to the Business Unit Manager.

Persona: Business Unit Manager
3. (Optional) Update your sections. You can update the sections you answered without clicking
Reject.

4. If updates need to be made to any sections, click one of the following:
l Reject to BU Manager
l Approve
Rejecting a BIA sends notification to the appropriate Business Unit Manager and allows him or
her to update and resubmit the record.

An approved BIA record is sent to the BCM Program Lead for final approval.

Persona: BCM Program Lead
After a record is approved by the BCM Program Lead, the Campaign Actual Completion Date and
the criticality ratings are populated. In addition, the Next Assessment Date field is populated in each
BIA record.
3. If updates need to be made to any sections, click Reject to Business Unit Manager.
Rejecting a BIA sends notification to the appropriate Business Process Manager and allows him
or her to update and resubmit the record.
Updating BIA Campaigns

Ma n u a ly a d d a b u s in e s s p r o c e s s to th e c a mp a ig n
Manually Add a Business Process to the Campaign

When the BIA campaign is in Process, you can add a business process for assessment and resubmit
the campaign. You cannot do this after a campaign is complete.
1. In the Related Business Impact Analysis section, click Add New.
2. Select a Business Unit to add to the BIA.
3. Click OK.
4. Click .

(Optional) Manually add a BIA record to an active campaign
(Optional) Manually Add a BIA Record to an Active Campaign

You can add a BIA record by manually adding a record while a campaign is enrolled in advanced
workflow. For example, you many want to manually add a BIA record if you think that a particular
business process is missing from the evaluation.
1. Access the BIA Campaign record that you want to update.
a. From the menu bar, select the Business Resiliency menu.
b. Under Solutions, click Business Impact Analysis.
c. Under Applications, click BIA Campaign.
d. Select your BIA Campaign record.
2. In the Related Business Impact Analyses section, click Add New.
3. In the General Information section, complete the required fields.
4. Click Initiate BIA to add the record to the campaign.
Add a BIA from a business process
Add a BIA From a Business Process

Persona: BPM Program Lead
You can add a BIA directly from a business process record.
1. From the menu bar, select the Business Resiliency menu.
2. Under Dashboards, click Business Impact Analysis.
3. From the list of dashboards, select Business Impact Analysis.
4. Under the Process Name row, select the business process to which you want to add a BIA.
5. Click Edit.
6. Click the Business Impact Analysis tab, and do the following:
a. Click Add New.
b. In the General Information section, select a Business Unit.
c. Click Initiate BIA.
d. In the Business Stakeholders section, from the BCM Program Lead dropdown, select a
reviewer.

7. Click Initiate BIA.
View Archived Business Impact Analyses

You can view the archived BIA at any time by navigating to the BIA Archive application.
View an Archived BIA

1.
Go to the BIA Archive application.
a. From the menu bar, select the Business Resiliency menu.
b. Under solutions, click Business Impact Analysis.
c. Under applications, click BIA Archive.
2. Select the BIA you want to view from the list of BIA archives.

Appendix A: Package Installation Log Message

Examples
When you install a use case package, certain error messages are expected, depending on which
other use cases you have licensed in your system. The following sections describe some of the most
common error messages that you may see. You may use these as guidelines, but you should review
your package installation log and determine any actions you need to take.
For information on the dependencies for each solution, see the Data Dictionary.
Object
Message Explanation Remediation
Type
Alias Object Name This message is an informational warning This message is only
Alias was indicating that the Alias was updated on potentially an issue if
changed from the object. There are two reasons for an the change occurs on a
Original Alias alias in the Target Instance to have been field that is utilized in
to New Alias updated: a Mail Merge
Template or Data
l Update was in the Source Package.
Publication Service. In
l Alias has to be unique in the Target that scenario, update
Instance. If the alias already exists in the DPS or the mail
merge template with
Target, packaging adds a unique
the new alias.
identifier to the end.
Field Field Name in This message is an informational warning Change the field to
the application notifying you that packaging does not public manually
Application change a private field in the target (optional).
Name cannot instance to a public field.
be changed
from a private
field to a
public field.

Object
Type
Field Field Field This message is seen when a cross- If the use case is not
Name could reference or related record field could not licensed, no action is
not be saved be created because the related application necessary.
due to inability does not exist in the target instance. This
to identify the message usually occurs because the field Note: If you later
related is part of a related use case that is not license a use case that
module. licensed or has not been updated in the contains that
target instance. application, you may
re-install the Use Case
Name package in order
to resolve this
warning.
If the use case has not

been updated, do the
following:
1. Install the package
for the use case
containing the
related application.
You must have a
license for the
2. Reapply the
original package to
resolve the
warning.
See the Data
Dictionary.

Object
Type
Field The calculated The formula in the calculated field is Do either of the
field Field incorrect. Most often, this message occurs following:
Name in the when the formula references a field in a
l Modify the formula
application related application and either the field or
Application the application does not exist in the target to remove the
Name cannot instance or is not licensed. This may be reference to the
be verified. because the application is in a related use unavailable field.
case that has not been updated.
l Install the package
for the use case
containing the
(You must have a
license for the
related application),
then reapply the
original package to
resolve the warning.
See the Data

Dictionary.

Object
Type
Field Field Field This warning may be seen on Inherited 1. Install the package
Name was not Record Permission fields, cross- for the use case
found and reference/related record fields (record
containing the
removed from lookup and grid display), or as a display
a collection. field in a report. The warning means that related application
the field could not be found in the target (to obtain the
instance and was not included in the missing field). You
package. This is usually because the field must have a
is part of an application in a related core
license for the
solution that has not been updated in the
target instance or is not licensed. related application.
2. Reapply the
original package to
resolve the
warning.
See the Data
Dictionary.
If you do not have a
license for the related
application, you may
ignore this message,
and the field remains
omitted from the
object.
Advanced The advanced All advanced workflows are installed as Go to the Advanced
Workflow workflow was inactive. You must review and activate the Workflow tab in the
installed, but is workflow. application or
inactive. questionnaire, review
Please review the workflow, then
and activate. click Activate.

Object
Type
Advanced Minor failure: This failure message may appear if certain 1. Verify that the
Workflow Advanced services were not running when you Advanced
workflow installed the package.
Workflow Service
HTTP request
error: 404 not and the Job Service
found. are running.
2. Reapply the
package.
Access Access rights The Module Name application or None.

Role to the questionnaire belongs to a use case that If you later license a
following page you have not licensed or does not exist in use case that contains
could not be the instance. that application, you
configured due may re-install the Use
to missing Case Name package in
module order to resolve this
Module Name warning.
Access The following Page Name belongs to an application in a None.

Role page use case that you have not licensed. If you later license a
referenced in a use case that contains
link cannot be that application, you
resolved: Page may re-install the Use
Name. Case Name package in
order to resolve this
warning.
Event Module This warning usually occurs when a cross- Review the DDE and
Action NameDDE reference or related record field is on the the layout and
Name was layout in the package but is not licensed or determine if any
updated but does not exist in the target instance. modifications should
has page Occurs on Apply Conditional Layout be made to the layout.
layout actions. If you later license a
discrepancies. use case that contains
that application, you
may re-install the Use
Case Name package in
warning.

Object
Type
Field Contained Field Name 1 references an application None.

Reference that does not exist in the target instance or If you later license a
field :Field is not licensed. use case that contains
Name 1 was that application, you
not found in may re-install the Use
the target Case Name package in
instance and order to resolve this
was removed warning.
from multi-
reference field
: Field Name
2.
Field Cross Field Name 1, configured to display in the No action is

Reference reference field grid, is missing from the necessary. You can
View/Edit application it belongs to. also add the field to
Display field : the other application
Field Name 1 by installing the
was not found package that the
in the target related application
instance and belongs to.
was removed
from field :
Field Name 2.
Field Related Field Name 1, configured to display in the No action is

Record reference field grid, is missing from the necessary. You can
View/Edit application it belongs to. also add the field to
Display field the other application
:Field Name 1 by installing the
was not found package that the
in the target related application
instance and belongs to.
was removed
from field :
Field Name 2

Object
Type
Field History Log This message usually occurs when a None.

Field Selection history log field includes a cross-reference If you later license a
field : Field or related record as a tracked field, but use case that contains
Name was not that cross-reference or related record that application, you
found in the could not be created because the related may re-install the Use
target instance application either does not exist in the Case Name package in
and was target or is not licensed. order to resolve this
removed from warning.
history log
field : History
Log.
Field Inherited Field Name 1 belongs to an application in None.

User/Group a use case that does not exist in the target If you later license a
field : Field or is not licensed. use case that contains
Name 1 was that application, you
not found in may re-install the Use
the target Case Name package in
instance and order to resolve this
was removed warning.
from field :
Field Name 2.
iView The following Page Name belongs to an application in a Modify the iView to
page use case that does not exist in the target or remove the unresolved
referenced in a is not licensed. link or delete the
link cannot be iView
resolved: Page If you later license a
Name use case that contains
warning.

Object
Type
Navigation Unable to Application Name belongs to an use case None.

Menu update that does not exist or is not licensed. If you later license a
Navigation use case that contains
Menu that application, you
Application may re-install the Use
Name. Field Case Name package in
Field Name order to resolve this
not found. warning.
Report Report Name Occurs when no display fields could be Need more
report could included in the report because the fields do information.
not be created. not exist in the target or are not licensed.
There are no This error is most common on statistics
display fields reports.
for this report.
Report Display field : Field Name belongs to an application in a If the report functions
Field Name use case that does not exist or that is not without that field, then
was not found licensed. no action is needed.
in the target Otherwise, modify the
instance and report or remove it.
was removed If you later license a
from report: use case that contains
Report Name. that application, you
warning.

Object
Type
Report Field : Field Field Name belongs to an application in a If the report functions
Name use case that does not exist or is not without that field, then
referenced by licensed. no action is needed.
a statistic step Otherwise, modify the
was not found report or remove it.
in the target If you later license a
instance and use case that contains
was removed that application, you
from report : may re-install the Use
Report Name. Case Name package in
warning.
Report Field : Field Field Name belongs to an application in a If the report functions
Name used for use case that does not exist or is not without that field, then
charting was licensed. no action is needed.
not found in Otherwise, modify the
the target report or remove it.
instance and If you later license a
was removed use case that contains
from report : that application, you
Report Name. may re-install the Use
warning.
Report Field : Field Occurs when a filter condition in a report If the report functions
Name was not is referencing an application that does not without that field, then
found in the exist or is not licensed. no action is needed.
target instance Otherwise, modify the
and the report or remove it.
condition was If you later license a
removed from use case that contains
the filter. that application, you
warning.

Object
Type
Report Module The Module Name application or If the report functions

Module Name questionnaire belongs to a use case that without that field, then
was not found you have not licensed. no action is needed.
and removed Otherwise, modify the
from a search report or remove it.
report. If you later license a
use case that contains
warning.
Report Module Occurs with n-tier reports when the report If the report functions
Module Name includes display fields from a related without that field, then
was not found. application that does not exist or is not no action is needed.
The licensed. Otherwise, modify the
relationship report or remove it.
and associated If you later license a
display fields use case that contains
were removed that application, you
from a search may re-install the Use
report. Case Name package in
warning.
Workspace The following The Module Name application or None.

module questionnaire belongs to a use case that If you later license a
referenced in does not exist or is not licensed. use case that contains
the Navigation that application, you
menu could not may re-install the Use
be resolved: Case Name package in
Module Name. order to resolve this
warning.

RSAArcher 6.1 Business Impact Analysis Guide

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

RSAArcher 6.1 Business Impact Analysis Guide

Diunggah oleh

Hak Cipta:

Format Tersedia

RSA Archer GRC

Business Impact Analysis

Note on encryption technologies

Note on Section 508 Compliance

Chapter 1: Business Impact Analysis 5

Chapter 2: Business Impact Analysis Design 7

Chapter 3: Installing Business Impact Analysis 14

Chapter 4: Managing a BIA Campaign 23

Step 2: Complete All Associated BIAs 24

Appendix A: Package Installation Log Message Examples 29

Chapter 1: Business Impact Analysis

RSA Archer Business Impact Analysis

Chapter 1: Business Impact Analysis 5

l Deploy one consolidated system of record for all BIAs

l Install and set up the use case

l Use the use case

Chapter 1: Business Impact Analysis 6

Chapter 2: Business Impact Analysis Design

Chapter 2: Business Impact Analysis Design 7

Use Case Dashboard

l BIAs Awaiting Reassessment

l Past Due BIAs

Chapter 2: Business Impact Analysis Design 8

l Approves or rejects BIAs

BIA: l Owns business processes that must undergo a BIA.

l Can complete their assigned questions on the BIA.

l Responds to questions in the Strategic, Operational, Reputation, Information

Access Role Persona Description

l Can select cross-references in the Financial

l Can submit the BIA.

Chapter 2: Business Impact Analysis Design 9

Access Role Persona Description

BIA: Participant Compliance l Can complete Compliance-related questions on the

l Can select cross-references in the Compliance

BIA: Participant Business Unit l Reviews completed BIA.

Data Feed Description

BIA Campaign Advanced Workflow

Chapter 2: Business Impact Analysis Design 10

Phase 2: Initial Response Period

Chapter 2: Business Impact Analysis Design 11

Phase 3: Review Phase

Chapter 2: Business Impact Analysis Design 12

Phase 4: Next Assessment Date Evaluation and Archive

Chapter 2: Business Impact Analysis Design 13

Chapter 3: Installing Business Impact Analysis

Step 1: Prepare for the Installation

l Valid license for RSA Archer Business Impact Analysis 6.1.

l User account on RSA Link to download the use case files.

Step 2: Update the License Key

Chapter 3: Installing Business Impact Analysis 14

1. Open the RSA Archer Control Panel.

Ste p 3 :In s ta lth e p a c k a g e

Step 3: Install the Package

Step 4: Set Up Data Feeds

Step 5: Test the Installation

Installing the Business Impact Analysis Package

Step 1: Back Up Your Database

Chapter 3: Installing Business Impact Analysis 15

Step 2: Import the Package

a. From the menu bar, click .

b. Under Application Builder, click Install Packages.

2. In the Available Packages section, click Import.

Step 3: Map Objects in the Package

2. In the Actions column, click for that package.