Information classification: Criticality

Determine the criticality of the system to be run in the cloud, based on its importance or risk relative to goals and objectives of the unit, including uninterrupted operation and essential business functions. Criticality categories are used to determine the requirements for availability and integrity: mission critical, critical or moderate.

Mission critical systems handle information that is vital to the operational continuity or effectiveness of the unit. The consequences of loss of integrity or availability of mission critical information would be unacceptable and could include sustained loss of operational effectiveness. Mission critical information requires the most robust protection measures.

Critical systems handle information that is important to the operation of the unit. Loss of availability or integrity would present a hardship that could only be tolerated for a short time. The consequences could include delay or degradation in providing key services or project progress that may seriously impact operational effectiveness. Critical information requires additional safeguards beyond best practices.

Moderate systems handle information that is necessary for the conduct of day-to-day business but does not materially affect operational effectiveness in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impact. The consequences could include the delay or degradation of services or operational effectiveness. Moderate systems require protective measures, techniques, or procedures generally commensurate with commercial best practices.

Consider the following factors when determining whether the cloud-based service would have a mission critical, critical or moderate importance to operations:

How critical is it for the cloud service to be available? What is the impact if it is unavailable for 4 hours? 8 hours? 3 days? What is the impact if the information is permanently lost or destroyed and cannot be recovered? Can copies of the data be kept on local disk images? How often can copies be made, and at whose direction? Does loss of availability pose a mission critical, critical, or moderate risk?

What is the impact if the information is incorrectly modified and cannot be recovered by the cloud service? Does loss of integrity pose a mission critical, critical or moderate risk?

Intellectual property (IP) ownership rights
UD is frequently entrusted with the IP owned by others as part of collaborative research or in the course of conducting University business. How important are ownership (e.g., intellectual property) rights for the data to be processed or stored by the cloud service? Each cloud offering has its own terms and conditions, and may include ownership or control over the use and/or distribution of your data. Does the loss of ownership rights pose a mission critical, critical, or moderate risk? For more information on IP, consult the University's Intellectual Property Guide or the Office of Economic Innovation & Partnerships.

Will your unit require timely comprehensive support to resolve issues? Does the loss of support pose a mission critical, critical, or moderate risk?

Information sharing
If the cloud service includes the ability to share information, determine whether the information sharing feature is secure and consider the consequences if it isn’t (e.g., backdoors are discovered). Does the loss of security due to information sharing pose a mission critical, critical, or moderate risk?

For mission critical or critical information, a written contract is required and must include terms and conditions to satisfy all unit and/or University requirements. For moderately critical information (except classified), review the terms of use and privacy policy of the cloud provider (often presented as a ‘click-through’ agreement or a link on the Web page) to be sure the terms are agreeable. Confidential information, regardless of criticality, always requires a written contract. Please review information classification and other considerations to evaluate the information to be outsourced.
