Business operations staff focus on the successful operations of the organization and are typically business/mission focused:

• Examples include: Finance, HR, and manufacturing.
• Looking at business operations is a key activity for properly understanding the following.
• What level of risk will a business unit be willing to accept as it relates to an information system:
  • An e-commerce business unit may be willing to accept a higher level of risk for an internal collaboration server versus its e-commerce website
  • A manufacturing business unit may place a high value on an internal collaboration server that contains highly sensitive proprietary information
• You must work with a given business unit to understand the criticality of the data that an information system is processing. Not all data needs to be protected at the same level:
  • An information system may contain publicly available and accessible information. While this information needs to be protected to ensure that its integrity and availability are maintained, the confidentiality concern is deemed low since the information must be accessible by the public.
  • A different information system that contains intellectual property may result in a high-risk rating because of the need to protect the information that it contains, and confidentiality, integrity, and availability.