Purpose
The Information Services Application Criticality Assessment (UO-ACA) provides a standardized, repeatable methodology for evaluating the criticality of applications used to support institutional missions. The assessment is designed to balance institutional impact and technical risk in a manner that is transparent, policy-aligned, and interpretable by both technical and non-technical stakeholders.
This methodology supports disaster recovery planning, resilience investments, service prioritization, and executive decision-making.
Assessment Dimensions
The UO-ACA evaluates applications across two independent dimensions:
| Dimension | Definition |
| --- | --- |
| Impact | The degree to which loss or degradation of the application affects the institution, including mission delivery, safety, compliance, financial operations, and reputation. |
| Technical Risk | The likelihood that the application may experience disruption due to technical, architectural, security, or operational weaknesses. |
Each dimension uses its own scoring model and criteria, reflecting the different types of factors being measured.
Scoring Models
Raw Scoring
Impact and Risk are assessed separately using structured scoring models. Each model consists of multiple categories and criteria, each contributing points toward a raw total score for that dimension.
Because the Impact and Risk models may:
- Contain a different number of categories
- Use different point values
- Evolve independently over time
... their raw scores are not directly comparable without adjustments.
Scoring Normalization and Tiering Methodology
Normalization Approach
To ensure Impact and Risk can be combined fairly and consistently, raw scores are normalized prior to weighting.
- Impact normalization is calculated by dividing the raw Impact score by the maximum possible Impact score.
- Technical Risk normalization is calculated by dividing the raw Risk score by the maximum possible Risk score.
The resulting normalized values represent the relative severity of Impact and Risk on a common scale, independent of the underlying point structures.
The maximum possible Impact and Risk scores may change as assessment criteria are refined. Normalization ensures these changes do not affect weighting or tier thresholds.
Weighting and Composite Tier Score
Once normalized:
- Impact contributes 60 percent to the overall Tier Score
- Risk contributes 40 percent to the overall Tier Score
The weighted values are combined to produce a Composite Tier Score ranging from 0 to 100. This score reflects both institutional impact and technical risk in accordance with policy intent.
Criticality Tier Assignment
The Composite Tier Score is used to assign each application to a criticality tier:
- Tier 1 - Mission Critical: Composite score of 65 or higher
- Tier 2 - Business Critical: Composite score between 40 and 64
- Tier 3 - Business Necessary: Composite score below 40
These tiers provide a clear, defensible basis for prioritization across disaster recovery, continuity planning, and resilience investments.
Life and Safety Override
Any application that presents a life or physical safety risk if unavailable is automatically classified as Tier 1 - Mission Critical, regardless of Composite Tier Score.
This override reflects institutional policy that life and safety risks are non-negotiable and must not be diluted through scoring or averaging.
Top-Down Risk Scoring
Certain risk categories use a top-down scoring method, where the most significant condition present determines the score for that category.
This approach is used when:
- A single high-severity weakness would meaningfully elevate overall risk
- Averaging or additive scoring could mask critical exposure
Top-down scoring ensures that high-severity weaknesses are not diluted by lower-risk characteristics and supports clear, auditable tiering decisions.
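As an added worked example, not part of the UO-ACA document or its tooling, the scoring steps above (normalization, 60/40 weighting, tier thresholds, the life and safety override, and top-down category scoring) carried through in Python. The category names, point values and sample scores are constructed, and fractional composite scores are assumed to be rounded to two decimals and compared directly against the 40 and 65 thresholds.

```python
# Added example, not the UO-ACA's own tooling; category names and point values are constructed.

IMPACT_WEIGHT, RISK_WEIGHT = 0.60, 0.40   # declared policy weighting
TIER1_MIN, TIER2_MIN = 65, 40             # composite thresholds from the tier list

def normalize(raw: float, maximum: float) -> float:
    """Raw dimension score divided by its maximum possible score (0..1)."""
    if maximum <= 0:
        raise ValueError("maximum possible score must be positive")
    if not 0 <= raw <= maximum:
        raise ValueError(f"raw score {raw} outside 0..{maximum}")
    return raw / maximum

def top_down_category(conditions: dict) -> int:
    """Top-down scoring: the most severe condition present sets the category score."""
    return max(conditions.values(), default=0)

def composite_tier_score(raw_impact, max_impact, raw_risk, max_risk) -> float:
    """Normalize each dimension, apply the 60/40 weighting and scale to 0..100."""
    weighted = (IMPACT_WEIGHT * normalize(raw_impact, max_impact)
                + RISK_WEIGHT * normalize(raw_risk, max_risk))
    return round(100 * weighted, 2)   # rounded for reporting (assumption)

def assign_tier(composite: float, life_safety_risk: bool = False) -> str:
    """Map a composite score to a tier; a life/safety risk overrides the score."""
    if life_safety_risk or composite >= TIER1_MIN:
        return "Tier 1 - Mission Critical"
    if composite >= TIER2_MIN:
        return "Tier 2 - Business Critical"
    return "Tier 3 - Business Necessary"

def assess(raw_impact, max_impact, risk_categories, max_risk, life_safety_risk=False):
    """Sum category scores into the raw Risk score, then compute composite and tier."""
    raw_risk = sum(risk_categories.values())
    composite = composite_tier_score(raw_impact, max_impact, raw_risk, max_risk)
    return composite, assign_tier(composite, life_safety_risk)

# Constructed risk model: a top-down "platform" category (worst condition wins)
# and an additive "operations" category, each worth at most 10 -> max Risk = 20.
SAMPLE_RISK = {
    "platform": top_down_category({"unsupported OS": 10, "no backups": 6, "single admin": 3}),
    "operations": 2 + 2,   # "no monitoring" + "manual failover"
}

if __name__ == "__main__":
    print(assess(30, 40, SAMPLE_RISK, 20))            # (73.0, 'Tier 1 - Mission Critical')
    print(assess(10, 40, SAMPLE_RISK, 20))            # (43.0, 'Tier 2 - Business Critical')
    print(assess(4, 40, {"platform": 2}, 20, True))   # override -> Tier 1 despite score 10.0
```

Because both dimensions are normalized, doubling every point value in a refined Impact model (30 of 40 becoming 60 of 80) leaves the composite score and tier unchanged, which is the stability property the normalization section describes.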
Rationale For This Approach
This methodology is intentionally designed to balance rigor, transparency, and durability.
Normalization ensures that:
- Declared weighting reflects policy intent, rather than artifacts of point scales
- Tier thresholds are mathematically valid and consistently reachable
- The model remains stable as scoring criteria evolve over time
- Tier assignments remain interpretable by technical and non-technical stakeholders
By separating scoring, normalizing results, and applying explicit weighting, the UO-ACA provides a defensible and repeatable framework suitable for governance, audit, and executive decision-making.
Governance and Use
The UO-ACA methodology is intended to be:
- Applied consistently across enterprise applications
- Documented and reviewable for audit and risk management purposes
- Updated periodically as institutional priorities, technologies, and threat landscapes evolve
Tier results inform, but do not replace, professional judgment and leadership decision-making.