How to define critical access: Frequency, risk, and urgency

October 29, 2021

Understanding critical information, critical access points, and how to best employ critical access management begins with three key aspects: frequency, risk, and urgency. 

What is frequency, risk, and urgency?

Understanding frequency, risk, and urgency starts with defining how those terms apply to access points and assets. 

  • Frequency: How often a point or asset is accessed.
  • Risk: The stakes for that access point or asset.
  • Urgency: How fast a user would need to access that point or asset for a critical job function.

Access to routine, everyday information is most likely high frequency, low risk, and, depending on the organization, low urgency. On the other side of the spectrum, access to information that is low frequency, high risk, and possibly high urgency, would be considered critical. The urgency factor is dependent on the industry or specific organization, so it’s not always an indicator of importance. A hospital would probably consider most, if not all, EMRs as urgent, but an energy company may only consider a sliver of their operations and information as such. Every single access point and asset will have a different spot on the matrix (see below), but the crucial step is evaluating every single point of access to employ critical access management properly.

Healthcare and critical access

When thinking about how to recognize frequency, risk, and urgency, the best example is a healthcare organization’s assets like EHRs. High risk? These assets are often regulated by HIPAA. Frequently accessed? Over 2.5 million times a day, per organization. Urgent? Getting the right information fast can literally save a life. What this example shows is that high-risk, low-frequency is a good rule of thumb for determining critical access points or assets. But, when it comes to protecting what’s most important, make sure each point is thoroughly examined. Because healthcare is so particular, it needs particular aspects of critical access management working together to keep crucial assets safe. Access control is a big part of this, but it all starts with recognizing the characteristics of those access points and assets.

Different assets need different controls

As stated above, there’s no one-size fits all when it comes to an organization’s most-important assets and entry points. There are guidelines, of course, and those are the best starting points. See the chart below to understand how frequency, risk, and urgency can dictate what kind of access controls and access monitoring should be put in place. Identifying frequency, risk, and urgency of an access point or asset is only the first step in implementing critical access management and securing what’s most important. Learn more about how to best secure your organization’s crucial access points and assets with our critical access management ebook