Business Criticality

Results and Reports

The foundation of the Veracode rating system is the concept that more critical applications require higher security quality scores to be acceptable risks. Less business critical applications can tolerate lower security quality. The business criticality is dictated by the typical deployed environment and the value of data used by the application. Factors that determine business criticality are: reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations.

Business Criticality Description
Very High Mission critical for business/safety of life and limb on the line
High Exploitation causes serious brand damage and financial loss with long term business impact
Medium Applications connected to the internet that process financial or private customer information
Low Typically internal applications with non-critical business impact
Very Low Applications with no material business impact
Note: US. Govt. OMB Memorandum M-04-04; NIST FIPS Pub. 199

Business Criticality Definitions

Very High
This is typically an application where the safety of life or limb is dependent on the system; it is mission critical the application maintain 100% availability for the long term viability of the project or business. Examples are control software for industrial, transportation or medical equipment or critical business systems such as financial trading systems.
High
This is typically an important multi-user business application reachable from the internet and is critical that the application maintain high availability to accomplish its mission. Exploitation of high criticality applications cause serious brand damage and business/financial loss and could lead to long term business impact.
Medium
This is typically a multi-user application connected to the internet or any system that processes financial or private customer information. Exploitation of medium criticality applications typically result in material business impact resulting in some financial loss, brand damage or business liability. An example is a financial services company's internal 401K management system.
Low
This is typically an internal only application that requires low levels of application security such as authentication to protect access to non-critical business information and prevent IT disruptions. Exploitation of low criticality applications may lead to minor levels of inconvenience, distress or IT disruption. An example internal system is a conference room reservation or business card order system.
Very Low
Applications that have no material business impact should its confidentiality, data integrity and availability be affected. Code security analysis is not required for this assurance level and security spending should be directed to other higher criticality applications.