Identify Critical Systems for Availability
As an important part of ongoing risk management and contractual compliance, the University is required to identify systems critical for availability on its distributed network for operational impact and stability of the Information Technology environment. System and data owners need to identify these systems to University Information Security (UIS) for incident response purposes.
Critical Systems Defined
Critical Systems for Availability include life-and-safety, mission-critical, and high-availability administrative systems and University network infrastructure, devices for which availability is of paramount operational or reputational importance. Availability is key here; systems identified as high security because of the data they handle may not qualify as critical for availability. It may be urgent that such systems be isolated from the network if they become compromised. Non-qualifying types of systems include, for example, low security level or low volume of users.
Incident Response and Critical Systems
UIS maintains a list of these systems so that we don’t take them offline without notice in case of a security incident. This used to be called the “Notify Before Takedown” list. UIS requires that departments with critical systems on the list fulfill certain responsibilities. See Information Security: Responsibilities of Department/Unit Security Contacts for general details; for critical systems, the following are also required:
Contacts must be available for 24x7 response, in addition to the other departmental contact responsibilities.
Critical systems must have an applicable up-to-date Gap Analysis and perform the Gap Analysis review annually.
If you have systems that you wish to identify as critical, please email [email protected]. UIS will follow up with next steps and requirements.