6. Data Criticality

Data criticality considers how important the data is to the operation of the organization. It differs somewhat from data availability, which measures damage based on the unavailability of data in a general sense. The ratings are high, medium, and low. Data criticality works best using numerical values rather than descriptive values. There are several factors to consider when determining data criticality.

  • How long will it take for the damage to occur as assessed in the data availability category?
  • How much data is your organization willing to lose if a threat is realized?

Recovery Time Objective

The first item above is a measure of the Recovery Time Objective (RTO) for the data. If a system goes offline, how long is it before your organization is seriously affected? The answer helps set the information technology priority for providing technologies that protect a system from damage and technologies that bring the system, or a redundant system, back online.

Recovery Point Objective

The second item above is a measure of the Recovery Point Objective (RPO) for the data. Consider whether your organization can lose a week's worth of data, a day's worth of data, an hour's worth of data, or any data at all before the loss becomes critical. This affects the information technology priority for providing backup capability for the data. As this amount of time shrinks, the technology needed to prevent data loss and provide backup becomes more sophisticated and expensive.