A system or application is considered mission critical if loss or unavailability might cause one or more of the following conditions:
- Risk to human or research-animal life or safety.
- Significant negative impact on the university’s research, teaching and learning, administrative, or healthcare missions.
- Significant legal, regulatory, financial, or reputational costs.
- Serious impediment to a campus unit carrying out its critical business functions within the first 48 hours following an event. That 48-hour time limit is known as a Recovery Time Objective (RTO).
- Loss of access to data with defined availability requirements.
Mission critical systems and applications can be defined at the enterprise or institution-wide level. Alternatively, a unit can determine that a unit-specific system or application meets the definition of mission critical and secure it to meet those requirements, including the development of a disaster recovery plan.
Particular systems, applications, or data may originally be assessed as not mission critical, but their loss may become more critical after an extended period of unavailability. This should be considered when setting a Recovery Time Objective (RTO) for systems and data.
Critical operational and/or business support functions are those that cannot be interrupted or unavailable for more than a mandated or predetermined time frame without significantly jeopardizing U-M operations.
Determining whether a system or application is mission critical is an important initial step in identifying its minimum information security requirements.