(ii) Implementation specifications:
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Tell Me More:
The Applications and Data Criticality Analysis implementation specification requires covered entities to assess the relative criticality of specific applications and data in support of other contingency plan components.
Not all information assets are equally critical, and not all business processes have the same recovery requirements in the event of a disaster. Completing this analysis usually involves formal processes that take into account business impact, recovery time objectives (RTOs), recovery point objectives (RPOs) and potential data loss events.
Your organization should consider implementing a process to review the various computer and other electronic systems critical to the organization. Applications and data criticality analysis allows the various systems to be prioritized or ordered, so that resources can focus first on the systems and support processes most critical to the business should staff or capabilities be diminished by a disaster or other negative event.
This is an entity’s assessment of the sensitivity, vulnerabilities, and security of the programs and information it receives, manipulates, stores, and/or transmits.
This procedure begins with an application and data inventory. This application and data inventory is required for identifying and categorizing the value of the company’s assets, for performing vulnerability and risk analyses, and for a variety of audit-related activities.
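As an added illustration (not from the page or its author), the following Python model works through the analysis described above: a constructed inventory of hypothetical systems is scored by business impact, ePHI content, RTO and RPO, ranked into a recovery order, and checked for systems whose backup interval cannot satisfy their RPO. The weighting scheme, the backup-interval field and all asset values are assumptions for illustration, not anything the rule prescribes.

```python
from dataclasses import dataclass

# Assumed scoring scale for business impact if the asset is unavailable.
IMPACT_RANK = {"high": 3, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str                    # "high" / "moderate" / "low"
    rto_hours: float               # maximum tolerable downtime
    rpo_hours: float               # maximum tolerable data loss, as time
    backup_interval_hours: float   # how often data is actually captured (assumed field)
    contains_ephi: bool            # whether the asset handles electronic PHI


def criticality_key(asset: Asset):
    """Sort key: higher impact first, ePHI first, then tighter RTO, then tighter RPO."""
    if asset.impact not in IMPACT_RANK:
        raise ValueError(f"unknown impact rating {asset.impact!r} for {asset.name}")
    return (-IMPACT_RANK[asset.impact], -int(asset.contains_ephi),
            asset.rto_hours, asset.rpo_hours)


def rank_assets(assets):
    """Return the inventory ordered by recovery priority (most critical first)."""
    return sorted(assets, key=criticality_key)


def rpo_gaps(assets):
    """Names of assets whose backup interval exceeds their RPO.

    Such an asset can lose more data than the business says it tolerates,
    which is exactly the kind of potential data loss event the analysis
    should surface for the contingency plan.
    """
    return [a.name for a in assets if a.backup_interval_hours > a.rpo_hours]


# Constructed sample inventory; values are illustrative only.
INVENTORY = [
    Asset("Intranet wiki", "low", 72, 168, 168, False),
    Asset("Billing system", "high", 24, 4, 24, True),
    Asset("Email", "moderate", 24, 24, 24, False),
    Asset("Electronic health record", "high", 4, 1, 1, True),
    Asset("Lab results interface", "high", 8, 2, 1, True),
]

if __name__ == "__main__":
    for position, asset in enumerate(rank_assets(INVENTORY), start=1):
        print(f"{position}. {asset.name} (RTO {asset.rto_hours}h, RPO {asset.rpo_hours}h)")
    print("RPO gaps:", rpo_gaps(INVENTORY))
```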
Questions to consider:
- Has the organization evaluated its systems and ranked them in order of importance to the ongoing operation of the organization?
References:
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
- NIST SP 800-12, Chapter 11, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations