Analecta Cyber Company Blog: Identify Your Critical Services, Functions and Dependencies


Identify Your Critical Services, Functions and Dependencies

Identify your critical services, functions and dependencies - Analecta LLC Graphic Identify critical business services, functions and dependencies Banner - Analecta LLC Graphic Small and medium-sized businesses may still not see themselves as fantastic targets for hackers to exploit. However, hackers pursue targets that pose the least amount of risk to their operations, which often means targeting many smaller, less protected organizations. Businesses of all sizes need to identify their critical services and supporting critical functions and dependencies when planning their security strategy.

NIST Special Publication 800-53 explains that “criticality” is assessed in terms of the ability of a component to complete your company’s missions when faced with a function or component failure. Businesses need to perform a criticality analysis whenever an architecture or design is being developed or modified, including when you perform system upgrades.

Understand where technology meets business function

The entire concept plays into the idea that those designing cybersecurity solutions for your business need to understand the business in intimate detail. Approach this by outlining your business’s value chain and identify where technology meets business functions.

Many businesses are designed as shown below where “information security” falls under the IT department as a sub-task instead of incorporating it as a core business function.

critical business function - Accounting, research and development, production, IT department

Instead, treat information security as a core business function and integrate it at every opportunity and within every department:

critical business function

In order to do that, you must identify the critical services provided within each department and then further define the critical functions and dependencies that support each function.

For example, the accounting department would identify payroll as a critical service. As part of that critical service, a critical function could be calculating hourly wages. Critical dependencies would be the timecard systems, HR databases and so on.

Criticality tiers - Critical Services, Critical Functions, Dependencies - Analecta LLC Graphic

Cybersecurity supports critical services and functions

Those with malicious intent want what’s yours that has the most value. Identify these systems and data, giving them the strongest protection and the most frequent monitoring. Cybersecurity investment needs to be a key part of your company's operating budget, but it can be made more affordable when you accurately assess what function or service needs the most protection.

For example, if you are a roofing business and have a website to advertise or display recent projects, protecting your web server should be a lower priority when it comes to cybersecurity spending. However, for an e-commerce business, a web server is a critical component and your budget for protecting it should reflect its importance.

Members of each department within your business must understand why the department needs cybersecurity and identify what value it adds to their department. If all is going well, the need for additional cybersecurity could be due to the need to protect the growing business, but often it is identified due to a recent attack.

Know your systems

After you identify the critical services and functions, get specific about the critical dependencies that support these services and functions. As before, identify the infrastructure, software or other dependencies and protect them based on their criticality. Some data, systems and applications are more critical than others, like telecommunication or power equipment, because they are incorporated into other critical services and functions.

Some of your highly technical services and functions may need non-cyber related dependencies in case of emergencies – i.e., backup power generators. Your critical e-commerce web server and databases can be protected by the best firewall on the market, but if power fails and there isn’t a backup power source, you still lose money.

critical business functions, services and dependencies
Your business comprises critical services and functions; protect these items first when implementing a cybersecurity plan.

Putting it all together with your risk assessment

All of these considerations need to be recorded in your organization’s risk assessment. Some data systems and applications are naturally more exposed to risk (public facing web servers and databases), while others are more lucrative on the dark web if breached (databases holding personally identifiable information, health records, financial records, etc.). Your task is to figure out how your systems can be compromised and determine prioritization of how you plan to prevent those compromises.

Invest in deeper analysis – take time to look at your critical devices from an attacker’s point of view. If you do not have the in-house expertise, this is one area that may be good to outsource to experts in the field.

Analecta Cyber can help!

Using a holistic approach and industry-standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm’s cybersecurity program to maximize protection. Email us at or visit our Cybersecurity website.

Here are some recent articles that can build up your knowledge of cybersecurity best practices!

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.

No comments :

Post a Comment