Your first question is likely "Security Critical?" It was mine!
Our cyber group wants to assess the business applications and have something akin to Business Criticality. Requirements aren't yet completely clear, but they were simply looking for an indicator that the application was critical TO cyber or critical due to the possible threat profile.
We could create a customization (noooo!) but without knowing any crossover between EA and GRC (we use both to varied degrees), is there a better way to provide cyber with a security profile of a business application?
If I go down the rabbit hole on this it might be better related to SAM since the business application could be a suite, or platform, and the assessment may be better done at a more granular level?
Thanks in advance for your perspectives!
Bruce
EDIT: I don't want to add Security Critical as a choice simply because Mission Critical and Business Critical override any other choice and we would then end up without a complete picture of apps that are "Security Critical."
