Business Impact Analysis

Purpose

The Business Impact Analysis (BIA) helps determine the systems critical to serving GitLab’s Customers. The output of the BIA is the designation of a Critical System Tier (CST) for a new system. The CST aids Security Compliance in Scoping and is also available to help business owners determine the prioritization of system restoration efforts in the event of a disruption.

Note: In adjacent to the BIA, questions may be asked to satisfy global privacy regulation requirements pertaining to a system’s Personal Data processing.

Scope

The BIA procedure covers all new systems to be added to GitLab’s Tech Stack.

Roles and Responsibilities

BIA Procedures

New Systems

All requisitions in Zip that involve the use of a new system to collect, store, or transmit GitLab data require a BIA.

When creating this type of requisition, the Business/Technical Owner is prompted to answer two BIA questions at minimum:

1. What is the impact of System disruption (System is unavailable)?
2. Please describe the potential impact of System disruption. Specify any GitLab team(s) affected.

The answers to these questions help the Security Risk Team designate a Critical System Tier for the new system during the TPRM Assessment process. Additional questions may be asked by Security Risk to validate the assignment of an appropriate CST.

Quality Reviews

The output of the BIA (designation of a Critical System Tier for a new system) is peer-reviewed by a member of Security Risk at the conclusion of the TPRM Assessment.

Reporting

The output of the BIA is reported when adding a new system to GitLab’s Tech Stack. The data field for reporting is: critical_system_tier.

Exceptions

System Proof of Concepts (POC), Proof of Values (POV), and Pilots are exempt from BIA procedures.

References

• Critical System Tiering Methodology
• Data Classification Standard

View page source - Edit this page - please contribute.