Cost and funding were not discussed, apart from brief mentions in the administrative responsibilities overview and the section on testing the DRP (Texas A&M University, 14, 56). These mentions only state that the plan should be “cost effective,” yet the DRP fails to specify how to achieve this. The lack of discussion of cost may be related to the lack of strategic decisions based on the BIA. The lack of a business impact analysis is troublesome, given that the entire DRP rests on its evaluation of the system and its criticality. According to the NIST document, the BIA is the primary source for determining resiliency and contingency planning strategies (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). The results of the BIA determine the impact a loss could have on the university, the backup type and frequency, the type of alternative facility needed, and the need for mirroring of data (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). To effectively mitigate IT risks, a complete RA and/or BIA should be available that includes an awareness of the wide range of potential risks to critical business/university systems. To properly mitigate risk there should be an organized method that is created to implement effective risk …
Having a solid and complete BCP/DRP not only ensures that the university establishes and maintains clients’, customers’, and suppliers’ trust in the security of their intellectual property and private data, but also facilitates compliance with legal and privacy obligations for a more stable business future. It is imperative to identify, protect, and maintain the security of the university’s online systems against everyday internal and external digital threats. To do this, there must be proper and up-to-date policies, procedures, and codes of conduct in place to ensure that corruption of systems does not occur. There was a lack of attention to possible human error that could have a disastrous effect on the university and its IT systems. Personnel must be efficiently trained and supported in these critical IT processes and risk strategies to ensure that they do not unknowingly contribute to intrusions of systems and, if an intrusion does occur, that they know what actions to take in the event of a security breach. Security threats or breaches are bound to occur at some point in the university’s lifespan; this is when insurance becomes a crucial measure in the planning of IT risk and recovery procedures. This business insurance should be maintained and updated to ensure coverage of new and emerging threats to the business landscape.