The organization defines a list of information system components for which mean time to failure rates should be considered to protect the information system from harm.