About Mission Critical Systems & Applications

A system or application is considered mission critical if loss or unavailability might cause one or more of the following conditions:

  • Risk to human or research-animal life or safety.
  • Significant negative impact on the university’s research, teaching and learning, administrative, or healthcare missions.
  • Significant legal, regulatory, financial, or reputational costs.
  • Serious impediment to a campus unit carrying out its critical business functions within the first 48 hours following an event. That 48-hour time limit is known as a Recovery Time Objective (RTO).
  • Loss of access to data with defined availability requirements.

Mission critical systems and applications can be defined at the enterprise or institution-wide level. Alternatively, a unit can determine that a unit-specific system or application meets the definition of mission critical and secure it to meet those requirements, including the development of a disaster recovery plan.

Loss of particular systems, applications, or data may be originally assessed as not mission-critical, but may become more critical after an extended period of unavailability. This should be considered when setting a Recovery Time Objective (RTO) for systems and data.

Critical operational and/or business support functions are those that cannot be interrupted or unavailable for more than a mandated or predetermined time frame without significantly jeopardizing U-M operations. 

Determining if a system or application is mission critical is an important initial step in identifying their minimum information security requirements.