Business Critical versus Security Critical

Bruce MacDonald
Tera Contributor

Your first question is likely "Security Critical?" It was mine!

 

Our cyber group wants to assess the business applications and have something akin to Business Criticality. Requirements aren't yet completely clear, but they were simply looking for an indicator that the application was critical TO cyber or critical due to the possible threat profile.

 

We could create a customization (noooo!) but without knowing any crossover between EA and GRC (we use both to varied degrees), is there a better way to provide cyber with a security profile of a business application? 

 

If I go down the rabbit hole on this it might be better related to SAM since the business application could be a suite, or platform, and the assessment may be better done at a more granular level?

 

Thanks in advance for your perspectives!

Bruce

 

EDIT: I don't want to add Security Critical as a choice simply because Mission Critical and Business Critical override any other choice and we would then end up without a complete picture of apps that are "Security Critical."

2 REPLIES

Mathew Hillyard
Mega Sage

Hi @Bruce MacDonald 

If Cyber want to use it, what do they want to do with this information? How does Cyber identify a Business Application as "Security Critical"?

If they can define this as one or more values on the Business Application, and especially if they want to manage risk or compliance, then create a "Security Critical Business Applications" Entity type in GRC and set the Entity filter to that combination of values. You can then assign any GRC object to that Entity type - Risk Statements, Control Objectives, Privacy Assessments etc.

 

If they can't define what makes a Business Application Security Critical then they don't have a usable process, so need to define it! 🙂

 

I hope this helps!

Mat

Bruce MacDonald
Tera Contributor

Hi Mat,

They have a few perspectives on this and I will look closer at the entity type to see if this will meet their needs. 

 

Thanks for the suggestion!

Bruce