Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-14

criticality analysis

assessment objective:

Determine if the organization:

sa-14[1]

defines information systems, information  system components, or information system services requiring a criticality analysis to identify critical information system components and functions;

sa-14[2]

defines decision points in the system development life cycle when a criticality analysis is to be performed for organization-defined information systems, information system components, or information system services; and

sa-14[3]

identifies critical information system components and functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decisions points in the system development life cycle.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing criticality analysis requirements for information systems, security plan; contingency plan; list of information systems, information system components, or information system services requiring criticality analyses; list of critical information system components and functions identified by criticality analyses; criticality analysis documentation; business impact analysis documentation; system development life cycle documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibilities for performing criticality analysis for the information system].