Evaluating criticality of systems (and methodologies for doing it)

My boss has come to me asking me to find information for measuring the criticality of some of our systems within the development team.

The dev team are purchasing a SAN and need to decide which of their systems they wish to back up to it. The SAN is to provide a facility to rapidly back up some of their systems rapidly and they have come to the infosec team for help in deciding what goes on the network. The SAN is for additional backup over and above the standard tape backups.

I appreciate this is very vague. The info passed to me was similarly vague (me being new to infosec) and my risk assessment knowledge is just rising above zero.

Look into risk assessment and extract those portions that refer to the cost of data loss or downtime due to the unavailability of said data.

You should find some good stuff here

Aspman,

Can you give us anymore information about your hardware / network ? Seems you might be looking for a specific solution or resolution, a little more information and i think i've come across the same issue.

I'm not privvy to the details of the suppliers/contracts etc.

I've just been asked to help to provide a method which will give an objective assessment of which applications should be stored on the SAN. There not being enough space for everything.

In practice this should mean that after we run though the assessment we should be able to give a point score for each appication. If say we make a cut off of 28 points and application A scores 32 it will go on the SAN, Application B with 22 will not.

We need to be able to carry out a calculation based on the effect the loss of each application will have on the affected departments, the time taken to restore functionality and the numbers of workers affected.

Any actual equations and working examples of these sorts of assessments would be usfull.