Business Criticality Questionnaire

Instructions

Created by Kayla Williams, CISO, Devo

This questionnaire is designed to create a custom Business Criticality Score based on your answers to each prompt provided. To start, make a copy of this spreadsheet. Answer each prompt with your specific application in mind, paying attention to each guiding question in italics. Tally up the total score to produce your overall Business Criticality Score, and use it together with the supporting context to prioritize any risk factors present.

Application Attributes

| Question | Answer |
|---|---|
| Is the application hosted at a Company data center / Company office? | |
| Is the application hosted at a Company co-location / cloud facility? If so, provide details. | |
| Is the application developed by Company or by a third party? | |
| If third party, has the vendor gone through the Security Risk Assurance Process? | |
| Are subcontractors used to develop any part of the application? | |
| Are open-source software or libraries used? If yes, explain in what capacity. | |
| Do Company customers interact with this application? | |
| Do users interface directly with the application (through a UI)? | |

Information Classification

Does the application process, store, or transmit any of the below data types? Add commentary where necessary.

| Data type | Answer | Commentary |
|---|---|---|
| Personally Identifiable Information (PII) | | |
| Personal Financial Information (PFI) | | |
| Publicly Accessible Information | | |
| Customer information | | |
| Company Intellectual Property | | |
| Unpublished Company corporate information | | |

Assessed Information Classification: (see instructions tab)

Recovery Point Objective / Recovery Time Objective

| Objective | Definition | Value |
|---|---|---|
| Recovery Time Objective (RTO) in minutes | The period of time following an incident within which a product, service, or activity must be resumed, or within which resources must be recovered. | |
| Recovery Point Objective (RPO) in minutes | The point to which information used by an activity must be restored to enable the activity to operate on resumption (aka "maximum data loss"). | |

Confidentiality, Integrity, Availability

| Area | Guiding question | Answer |
|---|---|---|
| Confidentiality | Worst case scenario: what would be the impact of a breach in confidentiality of the data that is processed, stored, or transmitted by this application? | |
| Integrity | Worst case scenario: what would be the impact of a compromise in integrity of the data that is processed, stored, or transmitted by this application? | |
| Availability | Worst case scenario: what would be the impact of a lapse in the availability of the data that is processed, stored, or transmitted by this application? | |

Criticality Assessment

Rate the impact in each category against each column. For Availability, rate the impact of an outage of each listed duration.

| Impact category | Confidentiality | Integrity | Availability: 1-3 hours | Availability: 4-6 hours | Availability: 1 day | Availability: 3 days | Availability: 1 week |
|---|---|---|---|---|---|---|---|
| Financial Loss | | | | | | | |
| Reputational | | | | | | | |
| Customer/Client | | | | | | | |
| Information Security | | | | | | | |

Take the MAX risk rating assessed to get the total score for each section.

Total Score

| Section | Score |
|---|---|
| Confidentiality | |
| Integrity | |
| Availability | |

Overall Criticality Score:

Criticality Scale

| Level |
|---|
| Baseline |
| Important |
| Critical |