2.2 - Critical assessment
Goal
The objective of this phase is to systematically identify and prioritize the elements of the application that are most crucial to business operations and potentially vulnerable to attack. This prioritization directs initial security efforts towards the parts of the system whose compromise would have the most significant impact.
How to Execute
- Identify Business-Critical Components
  - Description: Determine which components are vital to the day-to-day and strategic operations of the business. These could include components that handle financial transactions, store sensitive customer information, or ensure operational capabilities.
  - Tools/Techniques:
    - Interviews with Business Stakeholders: Conduct discussions with key stakeholders to understand which components are critical to business operations.
    - Review of Business Impact Analyses: Examine existing analyses to ascertain which components have the highest operational and financial impact.
    - Make a guesstimate based on experience: Whenever stakeholders are not available for discussion, use your own experience and assess the application yourself.
  - Output: A prioritized list of business-critical components based on their importance and impact on business operations.
- Validate Criticality of Components
  - Description: Confirm the criticality of each identified component through additional data collection and validation, to ensure that the focus is correctly placed on truly essential parts.
  - Tools/Techniques:
    - Cross-Verification with IT and Business Units: Work collaboratively with IT and other business units to cross-verify the operational necessity and security posture of each component.
    - Historical Incident Analysis: Review past security incidents and performance issues to help validate the criticality and vulnerability of components.
  - Output: A verified list of components that are confirmed as critical, supported by data and business consensus.
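As an added example (not part of the original methodology), the two steps above can be recorded in a small scoring model: step 1 produces the prioritized list from weighted impact factors, and step 2 flags components where business and IT ratings disagree, or where incident history contradicts a low rating, so they go back for discussion. The weights, the 0-3 rating scale and the component inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights for the impact factors gathered in stakeholder interviews
# and BIA review (step 1); the scale and values are illustrative, not the page's.
WEIGHTS = {
    "financial_transactions": 3,
    "sensitive_customer_data": 3,
    "operational_dependency": 2,
    "external_exposure": 1,
}

@dataclass
class Component:
    name: str
    factors: set = field(default_factory=set)  # keys of WEIGHTS that apply
    business_rating: int = 0  # 0-3, from stakeholder interviews
    it_rating: int = 0        # 0-3, from IT cross-verification
    incidents: int = 0        # past security incidents / outages (historical analysis)

def impact_score(c: Component) -> int:
    """Step 1: weighted score from the impact factors a component carries."""
    return sum(WEIGHTS[f] for f in c.factors if f in WEIGHTS)

def prioritize(components):
    """Step 1 output: the prioritized list, highest impact first."""
    return sorted(components, key=lambda c: (impact_score(c), c.business_rating), reverse=True)

def validate(components, max_gap=1):
    """Step 2: split components into verified ones and ones needing follow-up.

    A component is verified when business and IT ratings agree within max_gap
    and a zero rating is not contradicted by incident history.
    """
    verified, followup = [], []
    for c in components:
        disagreement = abs(c.business_rating - c.it_rating) > max_gap
        underrated = c.incidents > 0 and max(c.business_rating, c.it_rating) == 0
        (followup if disagreement or underrated else verified).append(c)
    return verified, followup

# Constructed sample inventory; the component names are hypothetical.
INVENTORY = [
    Component("payment-gateway", {"financial_transactions", "external_exposure"}, 3, 3, 1),
    Component("customer-db", {"sensitive_customer_data", "operational_dependency"}, 3, 1, 0),
    Component("marketing-site", {"external_exposure"}, 0, 0, 2),
    Component("internal-wiki", set(), 1, 1, 0),
]

if __name__ == "__main__":
    print([c.name for c in prioritize(INVENTORY)], validate(INVENTORY))
```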