Specify priorities for mitigating threats to applications


Enterprise organizations typically have a large application portfolio, but not all applications have equal importance. Applications that contain business-critical data or regulated data, or that have high business value, visibility, or criticality, should be identified and classified so that monitoring, time, and resources can be directed to them first. You should also identify applications or systems with significant access, which might grant control over other critical systems or data.

Identify and classify applications

Ensure you have identified and classified the applications in your portfolio that are critical to business functions. Enterprise organizations typically have a large application portfolio, so prioritizing where to invest time and effort into manual and resource-intensive tasks like threat modeling can increase the effectiveness of your security program.

Identify applications with a high potential impact and/or a high potential exposure to threats.

Risk: High potential impact
Mitigation examples: Identify applications that would have a significant impact on the business if compromised.
  Business-critical data: Applications that process or store information whose loss of confidentiality, integrity, or availability would cause significant negative business or mission impact.
  Regulated data: Applications that handle monetary instruments and sensitive personal information are regulated by standards, for example the Payment Card Industry (PCI) standards and the Health Insurance Portability and Accountability Act (HIPAA).
  Business-critical availability: Applications whose functionality is critical to the organization's business mission, such as production lines generating revenue, devices or services critical to life and safety, and other critical functions.
  Significant access: Applications that have access to systems with a high potential impact through technical means such as stored credentials, or permissions granted via access control lists or other means.

Risk: High exposure to attacks
Mitigation examples: Applications that are easily accessible to attackers, such as web applications on the open Internet.
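The following is an added example, not part of this module, showing how the impact and exposure criteria above can be applied to an application inventory so that threat-modeling effort is ordered by priority. The "significant access" criterion is applied transitively: an application that holds credentials or ACL grants for a high-impact application inherits its impact, even through a chain of intermediaries. The P1/P2/P3 tiers, the App fields, and the sample portfolio are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed inventory model for this page's criteria; not the module's own code.
@dataclass
class App:
    name: str
    business_critical_data: bool = False   # loss of C/I/A would cause significant business impact
    regulated_data: bool = False           # e.g. in PCI or HIPAA scope
    critical_availability: bool = False    # revenue line, life/safety, other critical function
    internet_facing: bool = False          # high exposure, e.g. a web app on the open Internet
    access_to: list = field(default_factory=list)  # apps reachable via stored credentials or ACL grants

def directly_high_impact(app: App) -> bool:
    return app.business_critical_data or app.regulated_data or app.critical_availability

def high_impact(name: str, inventory: dict) -> bool:
    """True if the app is high impact itself, or has significant access (directly or
    through a chain of other apps) to one that is. Tolerates cycles in the access graph."""
    stack, seen = [name], set()
    while stack:
        n = stack.pop()
        if n in seen or n not in inventory:
            continue
        seen.add(n)
        if directly_high_impact(inventory[n]):
            return True
        stack.extend(inventory[n].access_to)
    return False

def priority(name: str, inventory: dict) -> str:
    """Assumed tiering (not from the module): P1 = high impact and high exposure,
    P2 = one of the two, P3 = neither."""
    impact = high_impact(name, inventory)
    exposure = inventory[name].internet_facing
    if impact and exposure:
        return "P1"
    return "P2" if impact or exposure else "P3"

def prioritize(inventory: dict) -> list:
    """(priority, app name) pairs, highest priority first, for directing threat-modeling effort."""
    return sorted((priority(n, inventory), n) for n in inventory)

# Constructed sample portfolio.
INVENTORY = {a.name: a for a in [
    App("payments-api", regulated_data=True, internet_facing=True),
    App("hr-records", regulated_data=True),
    App("deploy-server", access_to=["payments-api"]),  # holds deployment credentials for payments-api
    App("jump-host", access_to=["deploy-server"]),     # reaches payments-api only via deploy-server
    App("marketing-site", internet_facing=True),
    App("team-wiki"),
]}

if __name__ == "__main__":
    for p, n in prioritize(INVENTORY):
        print(p, n)
```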