As you work to understand these concepts, ensure that you work closely with your business/mission stakeholders as this will provide you with context, allow you to prioritize what is important to the business, and allow you to respond accordingly. Based on business input, develop your list of the following:

• Business applications/databases: These are the applications that your business needs to function properly. A disruption in confidentiality, integrity, and availability will seriously disrupt the organization's ability to function.
• Critical users: Develop a list of users that are key to the successful operation of the organization. These users will typically cause a high negative impact on the organization if a threat actor causes them to perform an act against the organization:
  • VIPs—C-Suite and board-level employees
  • Key business users—individuals that have access to key organizational proprietary data and can cause that information to be released (comptroller and HR director)
  • IT administrators
• Critical network and system services: These are all the pieces of the enterprise network environment that are needed to provide the availability requirements for business data and applications.