Proposal for Determining application Criticality

Shared by: ancientbabylon. Posted: 2/11/2009. Language: English. Pages: 6.
A Business Approach To Defining Relative Criticality of Information Assets

What is most important? What is least important? It is a business decision.

June, 2005

Prepared by: UFHSC Security Program for the Information Computing Environment

Determining Relative Criticality of Information Assets

Introduction

Defining the relative criticality of information assets is an essential step in the disaster recovery and contingency planning process. In addition, the contingency plan standard in the HIPAA security regulation calls for us to “Assess the relative criticality of specific applications and data….” If done well, it will save a significant amount of time in preparing the plan and, more importantly, increase the likelihood of a solid execution of the plan when it is needed. Here are some things to consider before embarking on your information asset criticality effort.

Determining the relative criticality of your information assets is nothing more than a business decision about which systems or applications are more important than others. In a disaster, you have limited resources with which to contain damage and to recover. You want to be able to give clear direction to those resources about what to recover first. If everything is equally critical, then everything will be recovered at the same time, but recovery time could be lengthier. Conversely, a criticality analysis yielding different levels of criticality will yield varying recovery times, with the most important information assets being recovered first and the least important potentially last. However you choose to assign criticality, having it done in advance of a disaster saves precious time during the disaster.

The relative criticality analysis is a team effort. Both the Information Security Administrator (ISA) and the Information Security Manager (ISM) have an important role. The ISA should take the lead on this activity. An ISA is better positioned in the organization than an ISM to make a judgment about the relative business importance of an application/database or other information asset to their Unit. The ISM can simplify the process by providing the ISA with a list of the applications/databases used by the Unit.
The list should be free of infrastructure and middleware assets and services. ISAs do a better job looking at a list of information assets that they can relate to. ISAs should be able to tie an application/database to their business processes and therefore determine its relative importance to the business. However, if faced with a list of information assets that includes things like DHCP, the domain controller, SUS, BES, etc., their criticality analysis may become inaccurate.

Underlying middleware and infrastructure assets and services take on the relative importance of the applications/databases that they run. Once the ISA has completed an assignment of relative criticality among the applications/databases used in his or her Unit, the ISM, who better knows the components that run them, can assign the same criticality to the underlying infrastructure and middleware components.

Finally, the criticality of information assets can also be applied outside of the disaster recovery and contingency planning process. Relative criticality assigned to all of the information assets of a Unit can make for a better design of your systems from an availability and protection standpoint. For example, the high cost of maintaining information assets that need to be highly available because they are highly critical to the Unit, or that need to be strongly protected because they house restricted information, could be leveraged if systems were designed such that the highly critical and restricted information assets were placed in the same physical and technical environment.

Criticality Analysis Goal

The goal of a criticality analysis is to identify the relative criticality of information assets in order to appropriately apply the following standard recovery objectives:

- Red = Design for continuous 24x7x365 operation, impervious to application component failures and human errors. Recoverability from environmental or natural disaster in 0-24 hours.

fc6b9040-b20d-4631-9d57-3bd723a8547a.doc

Page 2

2/11/2009

- Yellow = Recoverability from any application-debilitating event such as component failure, human error, environmental or natural disaster within 72 hours.
- Green = Recoverability from any application-debilitating event such as component failure, human error, environmental or natural disaster within 120 hours.
- White = Recoverability from any application-debilitating event such as component failure, human error, environmental or natural disaster can occur as resources are available.

Simple Subjective Approach

Start with a subset of your information assets list or inventory, using only those information assets familiar to the ISA. The ISA should categorize the list in terms of relative importance based on his or her experience and knowledge of the business of their Unit. Again, infrastructure and middleware information assets will assume the criticality of the applications/databases they run, so the ISA does not need to see these items. Note also that an information asset that gets categorized as minimally significant may end up being recovered as quickly as a critical information asset simply because they reside on the same host or server. However, this fact does not make the minimally significant information asset a critical information asset.

- Red information assets list (0-24 hours)
- Yellow information assets list (0-72 hours)
- Green information assets list (0-120 hours)
- White information assets list (as resources are available)

If you find your list of information assets bunched near the top, you are venturing down an expensive contingency planning path. You should proceed with the objective approach to criticality analysis on the following pages to help you better differentiate the criticality of your information assets.
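The inheritance rule from the Introduction (infrastructure takes on the criticality of what it runs) and the shared-host note above, as an added Python example that is not part of the original document: each component is assigned the tier of the most critical application it runs, and the recovery time each application actually sees is then derived from its hosts. The application names, component names and the dependency map are constructed samples.

```python
"""Inherited criticality of infrastructure and middleware (added example)."""

# Standard recovery objectives from the document, in hours (White: as resources allow).
TIER_HOURS = {"Red": 24, "Yellow": 72, "Green": 120, "White": None}
TIER_ORDER = ["Red", "Yellow", "Green", "White"]  # most critical first

# Constructed sample of an ISA's tiering of the applications/databases in the Unit.
APP_TIER = {
    "patient-scheduling": "Red",
    "billing": "Yellow",
    "research-db": "Green",
    "newsletter-archive": "White",
}

# Constructed sample of what each infrastructure/middleware component runs
# (the ISM knows this; it is kept off the ISA's list).
COMPONENT_RUNS = {
    "domain-controller": ["patient-scheduling", "billing", "research-db", "newsletter-archive"],
    "db-server-1": ["billing", "newsletter-archive"],
    "web-server-2": ["research-db"],
}

def most_critical(tiers):
    """Pick the highest tier (earliest in TIER_ORDER) from a list of tiers."""
    return min(tiers, key=TIER_ORDER.index)

def component_tiers(app_tier, component_runs):
    """A component takes on the criticality of the most critical application it runs."""
    return {comp: most_critical([app_tier[app] for app in apps])
            for comp, apps in component_runs.items()}

def effective_recovery_hours(app_tier, component_runs):
    """Hours until each application is back, given that every component it depends on
    is restored at its inherited tier. A White application sharing hosts with Red and
    Yellow ones is back within 72 hours, yet its own tier remains White."""
    comp_tier = component_tiers(app_tier, component_runs)
    effective = {}
    for app in app_tier:
        hosts = [c for c, apps in component_runs.items() if app in apps]
        hours = [TIER_HOURS[comp_tier[h]] for h in hosts]
        # Every host must be back; a host with no fixed objective means no fixed objective.
        effective[app] = None if (not hours or None in hours) else max(hours)
    return effective

if __name__ == "__main__":
    print(component_tiers(APP_TIER, COMPONENT_RUNS))
    print(effective_recovery_hours(APP_TIER, COMPONENT_RUNS))
```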


Objective Approach

To determine the relative criticality of your information assets to your business, capture and record three data points about all the application/database software that is in the scope of your contingency plan:

1. Volume of users
2. Life Cycle Status
3. Priority of the application

Volume of users

Volume of users is an objective parameter. It can be obtained by having someone who has access to the user activity logs run a query and determine the number of unique users who have logged into the application in the past 6 months. The volume of users can be captured in terms of the following ranges:

- 30 or less
- 31 – 100
- 101 – 250
- 251 – 400
- 401+ (considered enterprise wide)

If the software does not retain when a user last logged in, then the account administrator should just pull a count of all working logon ids to the application.

Life Cycle Status

The life cycle status should be a consideration in the methodology for determining the criticality of the application. An outage of a patient care delivery application that is in the development stage of its life cycle may have financial impacts on the project, but no patient care impacts until it is in production.

- Development or purchasing
- Implementation
- Alpha/beta test
- Production
- Replacing

Priority

Prioritizing software can be subjective and agonizing. People are aware that prioritization is a means of assigning resources and therefore actively seek to justify a high priority. Your analysis should actively seek to differentiate software into the 4 levels of criticality described under the goal above. By accurately answering the ‘Function and Impact Questions’ on the next page for each application, the relative criticality will manifest. Focus on applications and services evident to end users because they can be better aligned with business processes. Underlying servers and infrastructure services will take on the relative importance of the applications they run.
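The volume-of-users data point, as an added Python example that is not part of the original document: it counts unique users in a constructed login log over the past six months (taken as 182 days, an assumption since the document gives no exact cutoff), maps the count to the ranges above, and falls back to a count of working logon ids when the software does not keep last-login data.

```python
"""Volume-of-users data point for the objective approach (added example)."""
from datetime import datetime, timedelta

# Constructed sample of application login records: (user id, login timestamp).
LOGIN_LOG = [
    ("jdoe", "2005-05-20 08:12:00"),
    ("jdoe", "2005-06-01 09:30:00"),
    ("asmith", "2005-03-14 13:05:00"),
    ("bwong", "2004-11-02 07:45:00"),  # older than six months, not counted
    ("asmith", "2005-06-10 10:00:00"),
    ("clee", "2005-01-03 16:20:00"),
]

# Reporting ranges from the document; each upper bound is inclusive.
USER_VOLUME_RANGES = [(30, "30 or less"), (100, "31 - 100"),
                      (250, "101 - 250"), (400, "251 - 400")]
SIX_MONTHS = timedelta(days=182)  # assumption: the document gives no exact cutoff

def unique_users_last_six_months(log, as_of):
    """Distinct users with at least one login in the six months before as_of (YYYY-MM-DD)."""
    end = datetime.strptime(as_of, "%Y-%m-%d")
    start = end - SIX_MONTHS
    seen = set()
    for user, stamp in log:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if start <= when <= end:
            seen.add(user)
    return len(seen)

def volume_range(count):
    """Map a user count to the document's reporting range."""
    for upper, label in USER_VOLUME_RANGES:
        if count <= upper:
            return label
    return "401+ (enterprise wide)"

def volume_of_users(log, as_of, working_logon_ids=None):
    """Return (count, range). Uses the login log when the software retains last-login
    data; otherwise falls back to the account administrator's list of working logon ids."""
    if log is not None:
        count = unique_users_last_six_months(log, as_of)
    elif working_logon_ids is not None:
        count = len(set(working_logon_ids))
    else:
        raise ValueError("need a login log or a list of working logon ids")
    return count, volume_range(count)

if __name__ == "__main__":
    print(volume_of_users(LOGIN_LOG, "2005-06-15"))
```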


Function and Impact Questions

This instance of the information asset is used for:

- Delivery of urgent care
- Delivery of care that is not urgent
- Arranging for care or patient flow, but not delivery of care
- Charge capture or billing/receivables
- Communication (instant – paging, telecom)
- Quality improvement of patient care
- Research
- Grant Management
- Student Registration/Records
- Student Financial
- Course Management
- On-line Education & Testing
- Administration (Finance, Purchasing, Accounting)
- Human Resources Management including payroll
- Education of workforce members
- Community Outreach
- Other

Is there an operational workaround or bypass process that would be used or followed if the information asset were unavailable?
- No.
- Yes. It would be effective for __________ hours before detrimental impacts set in.

The HSC Unit could seriously harm or kill a patient if the information asset were unavailable.
- No, or remotely possible.
- Possible if the information asset were unavailable for __________ hours.
- Likely if the information asset were unavailable for __________ hours.
- Certain if the information asset were unavailable for __________ hours.

The HSC Unit would not seriously harm or kill a patient, but delivery of patient care would be delayed or disrupted if the information asset were unavailable.
- No, or remotely possible.
- Possible if the information asset were unavailable for __________ hours.
- Likely if the information asset were unavailable for __________ hours.
- Certain if the information asset were unavailable for __________ hours.

The HSC Unit would lose licensure or credentials or accreditation if the information asset were unavailable.
- No, or remotely possible.
- Possible if the information asset were unavailable for __________ hours.
- Likely if the information asset were unavailable for __________ hours.
- Certain if the information asset were unavailable for __________ hours.

The HSC Unit would become involved in a potentially detrimental lawsuit if the information asset were unavailable.
- No, or remotely possible.
- Possible if the information asset were unavailable for __________ hours.
- Likely if the information asset were unavailable for __________ hours.
- Certain if the information asset were unavailable for __________ hours.


The HSC Unit would lose more than $500,000 <ISA should determine the $$ figure relevant to their Unit for this question> in revenue, fines or through other financial means if the information asset were unavailable.
- No, or remotely possible.
- Possible if the information asset were unavailable for __________ hours.
- Likely if the information asset were unavailable for __________ hours.
- Certain if the information asset were unavailable for __________ hours.
