department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

[SSP] Required Updates to Business Impact Analysis (BIA) #53055

Closed gary-fallon closed 1 year ago

gary-fallon commented 1 year ago

Product Outline

https://vfs.atlassian.net/wiki/spaces/ATO/overview

Download

Business Impact Analysis (BIA)

Description

The following is an example of how the Mission, Business Processes, Minor Applications, Services, and Resources may work together to form an accurate picture of the system and necessary services or workflows.

| Section | Description | Definition | Example |
|---|---|---|---|
| 3.1 | Mission | Perform self-service interaction | VA.gov |
| 3.1 | Business Process (Major Application) | vets-api | backend API |
| 3.1 | Business Process (Major Application) | vets-website | frontend |
| 3.2 | Minor Application | VANotify | VFS application |
| 3.3 | Service | CI/CD | Jenkins and GitHub |
| 3.3 | Service | Auth | VFS Identity, any identified ISAs |
| 3.3 | Service | Monitoring | Datadog, AWS CloudWatch, AWS CloudTrail |
| 3.4 | Resource | vets-api | EC2 instances |
| 3.4 | Resource | vets-website | EC2 instances |
| 3.4 | Resource | data | RDS cluster |
| 3.4 | Resource | personnel | MPI, GH accounts, and AWS accounts |

NOTE: This is not intended to be a complete description.

High Level User Story/ies

As a part of the ATO, we need the System Business Impact Analysis (BIA) updated by February 15th, 2023 to accurately reflect the system so we can maintain our compliance.

Hypothesis or Bet

Required for the maintenance of the VA.gov ATO.

OKR

Required for the maintenance of the VA.gov ATO.

Definition of done

Platform Security will review member contributions for accuracy and completeness prior to submitting the BIA to the ISSO for review and signature.

How to configure this issue

TBD

little-oddball commented 1 year ago

Adding @alyssagallion to help in tracking the Epic.

gary-fallon commented 1 year ago

The identified gaps have been added to this Epic as user stories.

jhouse-solvd commented 1 year ago

@gary-fallon - Once #53111 is complete (nearly there), which of the issue(s) below make sense to work on next, from a logical order and priority perspective?

  1. 53063

  2. 53073

  3. 53074

  4. 53094

From my understanding, 3 seems like a logical candidate to ensure we have the scope of the system and processes clearly defined before moving on to documenting resource requirements, recovery information, and established agreements.

Will you let me know if that aligns with your thinking as well? I'm happy to adjust the sequence of these issues based on your guidance.

cc: @alyssagallion

jhouse-solvd commented 1 year ago

Also, work being done on #53111 today

gary-fallon commented 1 year ago

@jhouse-solvd I am not sure if you're the right resource for #53063 or #53073. So, I agree that #53074 should be the next item.

53094 depends on #53885.

cc: @alyssagallion

jhouse-solvd commented 1 year ago

Cool. Agreed. Thank you, Gary! @gary-fallon

gary-fallon commented 1 year ago

I researched the BIA further and found the BIA manual and a few examples. I started tracking changes here.

I discussed minor applications with @fowusu2 and @ScottCutlip; will schedule a call for tomorrow to discuss in more detail.

jhouse-solvd commented 1 year ago

The team is working through the BIA documentation and making various updates this week. Please see individual sub-issues for details about specific pieces.

We'll update this issue with major updates later this week.

gary-fallon commented 1 year ago

Updated BIA document and reviewed with @jhouse-solvd.

jhouse-solvd commented 1 year ago

The updated BIA document has been sent to Chris Johnston for review.

Once his feedback has been incorporated, we’ll route it through eMASS for official approval.

jhouse-solvd commented 1 year ago

The BIA was completed and submitted for formal approval via eMASS. (See #284 for details).

This epic can be closed. :tada: