(ii) Implementation specifications:

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

Tell Me More:

The Applications and Data Criticality Analysis implementation specification requires covered entities to assess the relative criticality of specific applications and data in support of other contingency plan components.

Not all information assets are equally critical. Not all business processes have the same requirements for recovery in the event of a disaster. Completing this analysis usually involves formal processes that take into account business impact, recovery time objectives (RTOs), recovery point objectives (RPOs) and potential data loss events.

Your organization should consider implementing a process to review the various computer and other electronic systems critical to the organization. Applications and data criticality analysis allows for a prioritization or ordering of the various systems. Resources can then be focused first on the systems and support processes most critical to the business, should staff resources or ability be diminished due to a disaster or other negative event.

The analysis is an entity’s assessment of the sensitivity, vulnerabilities, and security of its programs and of the information it receives, manipulates, stores, and/or transmits.

The procedure begins with an application and data inventory. That inventory is required for identifying and categorizing the value of the company’s assets, for performing vulnerability and risk analyses, and for a variety of audit-related activities.

Questions to consider:

  • Has the organization evaluated its systems and ranked them in order of importance to the ongoing operation of the organization?
